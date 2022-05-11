International virtual private network (VPN) companies say they may have to pull out of India over new rules requiring them to collect extensive customer data.

On April 28, India's central cyber-security agency published a new directive mandating, among other things, that from June 27, all VPN providers, data centres and cloud service providers will be required to record a range of customer details.

These include usernames, physical addresses, e-mail addresses, phone numbers, the Internet Protocol (IP) addresses they were allotted, and their ownership patterns.

VPN companies have to hold the data for at least five years, even after a user cancels his subscription. Non-compliance is punishable with a jail term of up to a year and a fine of 100,000 rupees (S$1,800).

A VPN allows a user to browse the Internet privately by concealing his IP address and geographical location, and encrypting his data.

Service providers often advertise their products by bragging about how little user data they maintain.

For example, ExpressVPN, an industry leader, says on its website: "ExpressVPN does not and will never log traffic data, DNS (domain name system) queries, or anything that could be used to identify you."

NordVPN maintains a "strict no-logs policy", claiming: "We don't track, collect or share your private data. It's none of our business."

VPN providers say the Indian government's new rules strike at the heart of their business.

An ExpressVPN representative told Wired magazine that India's new move was "a worrying attempt to infringe on the digital rights of its citizens".

ProtonVPN tweeted that the regulations were "an assault on privacy and threaten to put citizens under a microscope of surveillance".

PureVPN's chief executive Uzair Gadit told technology website CNet: "We are quite astonished at this policy move by the world's largest democracy, which is on the brink of becoming the world's largest police state."

A NordVPN statement said: "We are committed to protecting the privacy of our customers; therefore, we may remove our servers from India if no other options are left."

The Indian government has argued that threats to cyber security are a serious law enforcement concern. More than 1.4 million cyber-security incidents were recorded last year, Minister for Information Technology Rajeev Chandrasekhar told Parliament last month.

But digital rights activists fear the new rules will end up being abused to violate privacy. The Internet Freedom Foundation, a Delhi-based non-profit, warned that excessive data retention could infringe on individual fundamental rights. The new requirements, it said, "raise severe concerns of state-sponsored mass surveillance".

Internet freedom and privacy are touchy issues in India. Last year, the Pegasus Project, an international journalistic investigation, said that the Indian government had used Israeli-made spyware to hack the devices of prominent journalists, activists and opposition politicians. India's Supreme Court has appointed a committee to look into the allegations.

Global digital rights group Access Now records that India shut down the Internet at least 106 times last year, more times than any other country. Myanmar came second, with 15 shutdowns. India's most commonly cited justification was "national security".

New Internet rules introduced by Prime Minister Narendra Modi's government last year could also end up undermining end-to-end encryption in messaging platforms like WhatsApp. The government has also had frequent run-ins with social media companies over encryption, traceability demands and blocking accounts of dissenters.

By one industry estimate, more than 19 million Indians had their data breached in 2020. India has more than 740 million Internet users but does not yet have a data protection law.