Government Proposes Stricter VPN Rules in India
GOVERNMENT PROPOSES STRICTER REGULATIONS FOR VPN PROVIDERS
Why in the News?
- New Legal Framework: The Central Government is considering a new legal framework requiring Virtual Private Network (VPN) providers to establish a local presence in India and appoint compliance officials.
- Regulatory Objective: The move aims to strengthen enforcement against the misuse of VPNs to bypass government restrictions on online content and applications.
VIRTUAL PRIVATE NETWORK (VPN)
- Definition: A Virtual Private Network (VPN) is a technology that creates an encrypted connection between a user’s device and a remote server, enhancing online privacy and security.
- Working Mechanism: VPNs route internet traffic through remote servers, masking the user’s Internet Protocol (IP) address and encrypting transmitted data.
- Legitimate Uses: VPNs are widely used for secure remote access, protection on public Wi-Fi, safeguarding sensitive communications, and accessing enterprise networks.
- Government Concerns: Authorities have expressed concerns that VPNs can be used to bypass geo-restrictions, evade lawful content blocking, and conceal digital identities.
- Proposed Measures: The proposed framework may require VPN providers to establish offices in India, appoint compliance officers, and respond to lawful government directions.
CERT-IN DIRECTIONS, 2022
- Issuing Authority: The directions were issued by the Indian Computer Emergency Response Team (CERT-In) under the Ministry of Electronics and Information Technology (MeitY).
- Data Retention: VPN providers, cloud service providers, and data centres were directed to retain specified customer information for five years, including names, contact details, and IP addresses.
- Cybersecurity Objective: The rules were introduced to strengthen incident response, cybercrime investigations, and national cybersecurity.
- Industry Response: Several global VPN providers removed their physical servers from India instead of complying with the data retention requirements.
- Legal Basis: The directions were issued under the Information Technology Act, 2000, empowering CERT-In to issue cybersecurity-related directives.
INDIAN COMPUTER EMERGENCY RESPONSE TEAM (CERT-In)● Establishment: CERT-In was established in 2004 as the national agency for responding to cybersecurity incidents. ● Administrative Ministry: It functions under the Ministry of Electronics and Information Technology (MeitY). ● Functions: CERT-In collects, analyses, and disseminates information on cyber incidents, issues security advisories, coordinates incident response, and promotes cybersecurity best practices. ● Legal Status: It derives statutory powers under the Information Technology Act, 2000, particularly after amendments strengthening cyber incident reporting and response. ● UPSC Relevance: The topic is important under Cyber Security, Internal Security, Information Technology, Digital Governance, and Data Protection. |

