Are VPNs Legal in India in 2023? How the Laws Threaten Privacy
India has a complicated relationship with the internet and virtual private networks (VPNs). The country is second only to China in its number of internet users, but it’s behind many nations when it comes to online freedom. Over the past few years, the Indian government has also tried multiple tactics to either restrict or monitor VPN service use. So, are VPNs legal in India?
In this article, we will look at the various Indian VPN laws and bans in place so that you understand the murky answer and how you can navigate the situation if you need to use a VPN server in India.
Is India going to ban VPNs?There is currently no active ban on VPNs in India, but with the increasing regulation of VPN companies, citizens are unsure of how the government’s stance will change in the future.
Should you use a VPN in India?Yes, you can and should still use a VPN in India to protect your privacy, but do not use Indian servers, as user data will be collected on those. Choose instead other country servers or a virtual server for India.
Are VPNs Legal in India?
Yes, VPNs are legal in India, but they are legal in a way that defeats the purpose of a VPN, where your VPN activity is logged and could be inspected by the government.
VPNs are services that hide your IP address and make it appear that you’re connecting from a different region. They’re often used to bypass internet censorship and get access to information and content around the world.
For example, if you’re in India and want to watch a movie on Netflix U.S., a VPN can help you get around geoblocks by connecting you through an American server. It also encrypts your traffic so that the internet service provider — or government agencies — can’t see what you do online.
However, the Indian government has recently tried to reduce the function of using a VPN. In September 2021, the Indian government tried to ban VPNs because cybercriminals can use these tools to bypass restrictions and access the dark web.
However, the government ultimately decided not to ban all VPNs, but it did move forward with plans to track and monitor VPN use: the CERT-IN law.
I’ll go into more details about both the suggested ban and the new surveillance law in the next sections. In short, though, right now VPNs are completely legal in India — but legal, as in “I’m OK with all my information being given to the Indian government if I use Indian servers.”
Why Enact New VPN Rules & Online Restrictions?
The monitoring of VPNs is part of an attempt by the Indian government to make internet censorship laws easier to enforce.
The first step by the Indian government was to restrict online freedom through the Information Technology Act. For example, the government hopes to prevent people from using secure communication apps like WhatsApp due to users spreading misinformation on political subjects.
The second step is to enact rules on Indian-based servers, forcing VPN providers to keep user logs and divulge those logs when requested by law enforcement. I’ll detail both parts in the following sections.
The Information Technology Act
The Indian government has increasingly cracked down on the electronic freedom of its citizens — especially through social media platforms — through various laws such as the Information Technology Act.
- Banning TikTok, one among many Chinese apps previously accessible in the country, due to the mounting tensions between the two countries and the apps perceived as a national threat.
- Banning over 2 million WhatsApp accounts, allegedly to prevent spam and harmful behavior on the social messaging platform.
- Battling allegations of “violation of informational privacy” against WhatsApp in Supreme Court cases as the government seeks to curb the spread of misinformation by mandating WhatsApp to provide traceability of messages to its original sender.
- Blocking 22 YouTube channels over security concerns.
- Increasing social media control over platforms like Twitter and Facebook.
Getting around censorship is nothing new. People have always found ways to access content that restrictive governments don’t want them to see. Of course, the best tool for this is using a VPN.
New VPN Rules From the Indian Government
In April 2022, the Ministry of Electronics and Information Technology mandated that all VPN companies must keep track of customer names, physical addresses, IP addresses, usage logs and other identifying information — and submit that data to the Indian Computer Emergency Response Team (CERT-In) upon request.
Providers (and users) that go against this could face up to a year of jail time.
It gets worse. The VPN companies have to keep a customer’s data even after that customer cancels their subscription or deletes their account. Additionally, VPNs have to report on their users’ “unauthorized access to social media accounts,” probably hinting at TikTok, which is banned in India.
This may make operating in India virtually impossible for providers, like ExpressVPN, which run the VPN services through RAM-only servers, which automatically deletes any stored data every 15 minutes. Such providers purposely don’t have the capacity to log extensive volumes of customer data. By continuing to operate in India, they would be breaking the new law.
According to the ministry, the VPN logging law is meant to help prevent “cyber incidents and interactions with the constituency.” But this case isn’t a simple one; VPN providers have already begun closing their servers in India rather than comply.
What Does the New Logging Law Mean for VPN Service Providers?
The most controversial aspect of the new VPN rules is related to logging user data. The new regulations state that VPN companies must hold customer data for a period of at least five years. This includes the phone numbers, email IDs and IP addresses used.
While this may sound like a reasonable thing to ask when you’re trying to crack down on cybercrime, it’s a huge violation of online privacy for the 850 million internet users in India. Plus, providers like ExpressVPN run all RAM-servers, making data logging impossible.
Many VPN providers have spoken up against the Indian government’s mandate, deeming it a step back in the fight for internet freedom.
How Top VPN Providers Have Responded to the New VPN Rules
Unfortunately, though, VPN service providers have no choice but to comply with these laws — otherwise, the only other option is to close servers in the country. Here’s how some providers have responded.
ExpressVPN is the best premium VPN provider for security, privacy and many other uses. It uses RAM-based servers, which makes it impossible for the VPN service to keep ongoing logs of any user data.
Since the new VPN logging law, ExpressVPN confirmed shutting down its physical Indian servers, rather than comply with the law. However, it is providing virtual servers for India through servers based in Singapore and the U.K., so you can still access an Indian IP address through the service. Read my full ExpressVPN review for more information on the VPN.
NordVPN is another top VPN provider, offering extensive security features like multihop servers and obfuscation servers. Like ExpressVPN, NordVPN decided to shut down its servers in India rather than comply with the laws.
This must have been a big decision for NordVPN because the service does not offer virtual servers. This means the service no longer offers users the ability to use Indian IP addresses. Read my full NordVPN review for more information on the service.
Windscribe is one of the most popular free VPN providers and offers two servers in India, one in Mumbai and one in Pune. This Canadian company has expressed its discontent toward the new policy, describing it as a “massive overreach on behalf of a so-called democratic government.” Windscribe has also shut down its Indian VPN servers. Read our full Windscribe review.
What Do the New Rules Mean for VPN Users?
You’re probably wondering why internet users like you should care about the new Indian policy.
The first thing to note is this policy affects any user with the intention of connecting to Indian-based VPN servers; i.e. if you ever need to use an Indian IP address. The law states that all VPN companies must store user data of those accessing such servers for at least five years and hand it to the government when asked.
To combat this, some providers, like ExpressVPN, will have virtual servers in nearby regions to spoof the Indian locations.
It’s also important to acknowledge that the Indian government has so far said it only targets “illicit” content in its cyber surveillance efforts. But what exactly is illicit? The vagueness of that term leaves plenty of cause for concern.
Users who continue to use Indian VPN servers will have to be comfortable with the following information potentially being provided to the government:
- Customer names, their physical and email address and contact numbers
- The reason for each customer’s use, the dates of use and “ownership pattern”
- The IP address used for registration and the time of registration
- All IP addresses used by a customer during VPN sessions and a comprehensive list of all available IP addresses to the Indian customer base in general
Should You Still Use VPN Servers in India?
The good news is you can still technically use a VPN in India without consequence. It’s still legal to have a VPN connection up and running for your online activities. But be wary of what you use it for.
With this new regulation, the Indian government intends to crack down on VPN usage for illicit activities. While this national directive appeals to the desire to curb illegal activities, some believe the new law is a violation of the right to online privacy. A future, more totalitarian government could decide what counts as “illicit,” cracking down on any speech and activity that opposed its rule.
My suggestion is to avoid using VPN servers based physically in India. If you need an Indian IP address, use a VPN with virtual servers for India, like ExpressVPN.
It’s not new for countries to have internet censorship policies. It’s unfortunate that India’s new policy moves it closer to the ranks of restrictive regimes, like North Korea, Cuba, Saudi Arabia, Syria and Russia, and away from supporting internet freedom.
The policy has been criticized by those who say the government is violating its citizens’ right to privacy. Although VPNs are often misused, they are also a useful tool that helps people protect their privacy online.
It remains to be seen what lasting impact the new directive will have on the industry.
What is your take on the Indian government’s new policy? Drop a word in the comments, and as always, thank you for reading.
Leave a Reply