Government Proposes Stricter VPN Rules in India

GOVERNMENT PROPOSES STRICTER REGULATIONS FOR VPN PROVIDERS

Why in the News?

  • New Legal Framework: The Central Government is considering a new legal framework requiring Virtual Private Network (VPN) providers to establish a local presence in India and appoint compliance officials.
  • Regulatory Objective: The move aims to strengthen enforcement against the misuse of VPNs to bypass government restrictions on online content and applications.

Government Proposes Stricter VPN Rules in India

VIRTUAL PRIVATE NETWORK (VPN)

  • Definition: A Virtual Private Network (VPN) is a technology that creates an encrypted connection between a user’s device and a remote server, enhancing online privacy and security.
  • Working Mechanism: VPNs route internet traffic through remote servers, masking the user’s Internet Protocol (IP) address and encrypting transmitted data.
  • Legitimate Uses: VPNs are widely used for secure remote access, protection on public Wi-Fi, safeguarding sensitive communications, and accessing enterprise networks.
  • Government Concerns: Authorities have expressed concerns that VPNs can be used to bypass geo-restrictions, evade lawful content blocking, and conceal digital identities.
  • Proposed Measures: The proposed framework may require VPN providers to establish offices in India, appoint compliance officers, and respond to lawful government directions.

CERT-IN DIRECTIONS, 2022

  • Issuing Authority: The directions were issued by the Indian Computer Emergency Response Team (CERT-In) under the Ministry of Electronics and Information Technology (MeitY).
  • Data Retention: VPN providers, cloud service providers, and data centres were directed to retain specified customer information for five years, including names, contact details, and IP addresses.
  • Cybersecurity Objective: The rules were introduced to strengthen incident response, cybercrime investigations, and national cybersecurity.
  • Industry Response: Several global VPN providers removed their physical servers from India instead of complying with the data retention requirements.
  • Legal Basis: The directions were issued under the Information Technology Act, 2000, empowering CERT-In to issue cybersecurity-related directives.

INDIAN COMPUTER EMERGENCY RESPONSE TEAM (CERT-In)

  Establishment: CERT-In was established in 2004 as the national agency for responding to cybersecurity incidents.

  Administrative Ministry: It functions under the Ministry of Electronics and Information Technology (MeitY).

  Functions: CERT-In collects, analyses, and disseminates information on cyber incidents, issues security advisories, coordinates incident response, and promotes cybersecurity best practices.

  Legal Status: It derives statutory powers under the Information Technology Act, 2000, particularly after amendments strengthening cyber incident reporting and response.

  UPSC Relevance: The topic is important under Cyber Security, Internal Security, Information Technology, Digital Governance, and Data Protection.