In the latest chapter in India's ongoing battle against online privacy software, government employees are no longer allowed to use third-party VPN services.
The new directive follows the decision by some of the best VPNs to shut down their Indian servers due to privacy concerns related to the new data law. So far, ExpressVPN, Surfshark, and NordVPN have all announced that they will be physically leaving the country before the CERT-in guidelines go into effect on June 27.
The Indian government also urges employees to avoid storing internal or sensitive information on non-government cloud services like Google Drive and Dropbox. Using an external mobile app-based scanner like CamScanner, which was actually banned in 2020, is also strongly discouraged.
"By following uniform cyber security guidelines in government offices across the country, the government's security posture can be improved," the National Information Center (NIC) wrote in an internal document reviewed by The Economic Times.
“All government employees, including temporary, contracted or subcontracted resources, must strictly adhere to the guidelines mentioned in this document. Any non-compliance may be sanctioned by the respective CISOs/Heads of Department”, adds the new directive.
ExpressVPN removes VPN servers in India. Users will still be able to connect to VPN server locations that will provide them with Indian IP addresses. More information: https://t.co/JpCWXW1Dcb June 2, 2022
Read more
Why are VPNs leaving India?
Cybersecurity experts and privacy advocates have raised many concerns about India's new data law since it was announced on April 28.
India's Computer Emergency Response Team (CERT-In), which comes into effect on June 27, will force VPN and VPS providers, data centers, cloud storage services and crypto exchanges to the currency to keep sensitive user data stored for up to five years. and share it with authorities when requested.
Although the new law tries to curb the rising rate of cybercrime (India was the third country in the world with the most data breaches in 2021), VPN providers say that these regulations go against the grain of the current security software infrastructure.
Short for Virtual Private Network, a VPN is software designed to protect the privacy and anonymity of users online. How? Hiding your real IP address and securing all data in transit within an encrypted tunnel.
That's why ExpressVPN wrote in a blog post (opens in a new tab) that the new CERT-In guidelines are "inconsistent with the purpose of VPNs."
Also, a strict no-logs policy is a standard feature among most private VPN services. This ensures that none of the users' sensitive data can be stored, disclosed or shared.
As Hide.me explained when announcing its decision to take its Indian servers offline, India's new data retention law "makes it impossible to operate a VPN without logs."
Despite the backlash, the Indian authorities appear to be adamant in their decision to go ahead and implement the new guidelines by the end of the month. On this point, Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said that providers who do not wish to comply with the rules are "free to leave India (opens in a new tab)".
At the same time, Laura Tyrell, head of public relations at Nord Security, told us: "One way or another, this will have a negative impact on people's privacy and digital security."
Compare the best Indian VPN services right now: