GOVERNMENT PROPOSES STRICTER REGULATIONS FOR VPN PROVIDERS
Why in the News?
● New Legal Framework: The Central Government is considering a new legal framework requiring Virtual Private Network (VPN) providers to establish a local presence in India and appoint compliance officials.
● Regulatory Objective: The move aims to strengthen enforcement against the misuse of VPNs to bypass government restrictions on online content and applications.

VIRTUAL PRIVATE NETWORK (VPN)
● Definition: A Virtual Private Network (VPN) is a technology that creates an encrypted connection between a user’s device and a remote server, enhancing online privacy and security.
● Working Mechanism: VPNs route internet traffic through remote servers, masking the user’s Internet Protocol (IP) address and encrypting transmitted data.
● Legitimate Uses: VPNs are widely used for secure remote access, protection on public Wi-Fi, safeguarding sensitive communications, and accessing enterprise networks.
● Government Concerns: Authorities have expressed concerns that VPNs can be used to bypass geo-restrictions, evade lawful content blocking, and conceal digital identities.
● Proposed Measures: The proposed framework may require VPN providers to establish offices in India, appoint compliance officers, and respond to lawful government directions.
CERT-IN DIRECTIONS, 2022
● Issuing Authority: The directions were issued by the Indian Computer Emergency Response Team (CERT-In) under the Ministry of Electronics and Information Technology (MeitY).
● Data Retention: VPN providers, cloud service providers, and data centres were directed to retain specified customer information for five years, including names, contact details, and IP addresses.
● Cybersecurity Objective: The rules were introduced to strengthen incident response, cybercrime investigations, and national cybersecurity.
● Industry Response: Several global VPN providers removed their physical servers from India instead of complying with the data retention requirements.
● Legal Basis: The directions were issued under the Information Technology Act, 2000, empowering CERT-In to issue cybersecurity-related directives.
| INDIAN COMPUTER EMERGENCY RESPONSE TEAM (CERT-In) ● Establishment: CERT-In was established in 2004 as the national agency for responding to cybersecurity incidents. ● Administrative Ministry: It functions under the Ministry of Electronics and Information Technology (MeitY). ● Functions: CERT-In collects, analyses, and disseminates information on cyber incidents, issues security advisories, coordinates incident response, and promotes cybersecurity best practices. ● Legal Status: It derives statutory powers under the Information Technology Act, 2000, particularly after amendments strengthening cyber incident reporting and response. ● UPSC Relevance: The topic is important under Cyber Security, Internal Security, Information Technology, Digital Governance, and Data Protection. |
