Virtual private networks need regulation to check cyber crime, but not at the expense of data privacy
The Ministry of Electronics and Information Technology’s (MeitY) directions to virtual private network (VPN) service providers are significant. They say that VPN providers should store data of Indian users for up to five years; this reinforces the importance of striking a balance between the need to protect user privacy and the government’s legitimate requirement to access data for cyber security. VPN is used to hide location as well as encrypt information being transferred between the sender and receiver. This can be the data of an enterprise sent over a cloud network and storage, or two individuals exchanging files. On the one hand, this service is extremely useful for users accessing the Internet over public Wi-Fi systems but on the other hand, the end-to-end encryption makes it a lethal weapon in the hands of cybercriminals. The big worry for security agencies across the world is that VPNs allow criminals to transmit data without the fear of getting their IP addresses traced.
For example, law enforcement agencies in Europe banned a VPN service provider last year after it was discovered that cybercriminals were using the platform. This also has commercial ramifications for businesses like Netflix and other content providers that have geographical restrictions. For example, a user in India can use VPN and pretend to be a Netflix subscriber in the US to watch content that may be restricted in this country. Last year the Parliamentary Standing Committee on Home Affairs had even suggested banning VPN in India to counter cyber threats and other nefarious activities. However, VPN also helps companies, government agencies, and individuals encrypt data transmitted over the internet. It prevents any snooping and information tapping by external sources while the data is in transit.
The Centre itself had liberalised rules last year for the IT industry to enable them to work from home using VPN platforms. VPN adoption has jumped manifold in India in the first half of 2021 as companies moved to secure communication networks as more employees worked from home. The number of VPN installations soared to 348.7 million as at June-end 2021 against 45.24 million as at December-end 2020, according to Atlas VPN’s Global VPN Adoption Index. India ranked fourth among 85 countries in the VPN penetration rate for H1 2021. While the government’s security needs are understandable, banning VPN services is not a good idea. Asking VPN service providers to store user data may not be desirable either, especially since the proposed Personal Data Protection Bill is yet to be passed by the Parliament. The Centre can, however, take other measures to ensure that cybercriminals do not hide behind a VPN platform. This can be done through a consultative process not just with VPN players but also with global law enforcement agencies. Rules can be framed that puts the onus on VPN service providers for keeping their platforms safe. For instance, The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ( IT rules) announced in February 2021 puts in a framework that brings in transparency in terms of the responsibilities and duties of the internet intermediaries including Twitter and Facebook. VPN companies should cooperate with lawmakers in building up such a framework.
Published on May 12, 2022