Sundar Balasubramanian: The security guidelines for VPN providers and government staff signal a heightened understanding and focus on cyber security

The government has given 3 months breather to VPN service providers in the country. In April this year, the government’s nodal cyber security agency CERT-IN had announced new rules for VPN service providers. These rules have not gone with the players in the industry and they have been up in arms since then. Many, including NordVPN and ExpressVPN, have threatened to leave the country. TOI Tech-Gadgets Now spoke to Sundar Balasubramanian, managing director, India, and SAARC, Check Point Software Technologies, on the new rules. Here are excerpts from the interaction.
What do VPN providers moving to ‘virtual servers’ mean for users in India?
In light of the new rules and regulations for VPN service announced by the government, the global companies providing VPN services are finding it a bit difficult to continue providing hosting services in India. Some have even explained how the new Computer Emergency Response Team (CERT-In) regulations run against the whole benefits of VPN.
As an alternate to this, they are moving to a “virtual server”, which means a server for users in India that is hosted abroad and so will not come under the purview of Indian government regulations. The users from India will continue to use VPN service as usual and will also be able to keep their identity anonymous. While the virtual server provides an alternate way for the users to continue using VPN service, it adds delay and latency since the server would be physically located out of India’s geographical boundary.
How different are the new India VPN rules vis-a-vis those in the EU and US?
The CERT-In has released a set of guidelines on using VPN services in India for private operators. According to the directive, virtual private server (VPS) providers and ‘VPN service providers’ will be required to maintain logs including names of customers, their IP and email addresses, addresses and contact numbers and more, for a period of five years.
According to the document released by CERT-In, the term ‘VPN service providers’ will just apply to entities that provide internet proxy-like services through the use of VPN technologies, standard or proprietary, to general internet subscribers. The clarifications also states that the directions will also apply to foreign firms.
Following CERT-In’s cyber security guidelines, the National Informatics Centre (NIC) too recently issued similar set of 20 ‘dos and don’ts’ for government employees, that include from changing passwords at least once every 45 day to not using the same password in multiple services/websites and apps. All these actions signal a heightened understanding of and focus on cyber security and the risks associated with cyberattacks.
When looking at these new VPN rules, it has been reported that in other regions such as the EU and the US, VPNs are relatively unrestricted. Providers enjoy free reign though there have been instances where they could be prosecuted by law enforcement authorities in select circumstances, mainly involving security of the country or in instances of law and order.
How do the VPN services offered by Google differ from those of NordVPN and others?
Google offers VPN services under the solution Google One. While Google One is available in many countries across the globe, the VPN by Google one is not available in India. The new regulatory restrictions from CERT-in does not affect Google.
Additionally, Google’s VPN services are relative new entrant in the VPN market, only joining the industry back in October 2020 with the VPN having fewer capabilities as part of the Google One cloud storage premium plans. Users must purchase at least 2TB of Google One cloud storage, priced at $99 per year or $9.99 per month, to gain access to the VPN. This is not sold separately.