India’s VPN crackdown demonstrates a growing focus on mass surveillance

On April 28, the Narendra Modi–led government directed the companies offering virtual private network (VPN) services to collect and store users’ data — names, addresses, contact numbers, email, and IP addresses — for up to five years. Under the new directive, VPN companies will need to hand over this information to the government if asked, and companies that do not comply with the rules can face a fine or their officials can be imprisoned. The government said the move was an effort to “coordinate response activities as well as emergency measures with respect to cyber security incidents” and help it fill “certain gaps” that cause hindrance in handling cyber threats.

This directive does not only defeat the purpose of VPNs but is also possibly aimed at state-sponsored surveillance, cybersecurity experts said. At least five cybersecurity experts and digital rights activists who spoke to Rest of World said the new rule could violate citizens’ privacy. They expressed concern over the data security and how it may be misused under the new directive and in the absence of a data protection framework.

“If the government says it will increase cybersecurity, they must come up with a justification and explanation. At the moment, it looks like an excessive data retention policy that is going to lead to state-sponsored mass surveillance, that too, in the absence of a data protection law,” Tejasi Panjiar, Capstone Fellow at Internet Freedom Foundation (IFF), a New Delhi–based digital rights advocacy group, told Rest of World.

A VPN allows a user to browse the internet while protecting their information by masking their device’s IP address, encrypting their data, and routing it through secure networks in other states or countries. VPNs are often used by journalists and activists to bypass government censorship and safely browse the internet. People also use VPNs when they are using public or unsecured networks. In India, one of the most common uses of VPNs is to access pornographic websites, many of which were banned by the Modi government in 2019.

Srinivas Kodali, a researcher with the advocacy organization Free Software Movement of India, suspects that the government is getting VPN service providers to collect and store data, which “could eventually be used for targeted surveillance of journalists, lawyers, and activists.”

The Modi government’s focus on surveillance is nothing new. A 2019 study by the U.K.-based research firm Comparitech found that India was among the top three countries with governments actively surveilling their citizens. Last year, the Pegasus Project, an investigation by a consortium of international journalists, revealed that the Indian government had been spying on some 300 people, including prominent journalists, activists, and politicians.

In addition, the Indian government has deployed systems to gather biometric data, such as facial recognition technology. In the aftermath of civilian killings in Indian-administered Kashmir, the administration ordered business owners in Srinagar to install surveillance cameras. A 2019 study showed that New Delhi has about 33 closed-circuit TV cameras for every 1,000 people. The Indian government has also been using GPS tracking of sanitation workers and health workers, raising serious questions over employees’ privacy.

Meanwhile, Indians’ use of VPNs has been on the rise in the country. A 2021 analysis by global VPN provider Atlas VPN showed that prior to 2021, the VPN penetration rate in India was a little over 3%. The numbers exploded in the first half of 2021 with VPN installs reaching a staggering 348.7 million, representing a growth of 671% over 2020.

The recent rule might make India unattractive to VPN service providers, as it will mean a significant increase in operational costs. NordVPN, one of the world’s largest VPN providers, may pull out of India due to the new guidelines, news website Entrackr reported. Other service providers, including ExpressVPN, Surfshark, and ProtonVPN, may not comply with the Indian government’s regulations, according to a report in Wired that quoted ProtonVPN’s spokesperson as saying that they are monitoring the situation and would “remain committed to our no-logs policy and preserving our users’ privacy.”

Whether VPNs comply with the new rule or exit the country, “it is the user whose privacy will be at stake,” Prateek Waghre, policy director at IFF, told Rest of World.