Indian Hosting Company Sues Government Over VPN Rules


Pune-based hosting provider SnTHostings has sued the Indian government, challenging rules that would require VPN companies to keep records of their users’ data. The Internet Freedom Foundation, which is assisting the company in the lawsuit, announcement News of the Delhi High Court petition in a blog post on Wednesday. SnTHostings CEO Harsh Jain declined to comment on the matter, citing ongoing legal proceedings.

The Delhi High Court issued an opinion to the government on Wednesday. The case will be resumed on December 9.

In the 33-page lawsuit, attorneys for SnTHostings requested that portions of the CERT-in instructions (which we reported here) that require VPN providers to retain user data be set aside. The company argued that requiring VPN companies to keep logs defeats the purpose of these companies and that the right to remain anonymous online is established by precedent.

“The contested instructions are ultra-vires Section 70B(6) of the Computers Act 2000, as they require the petitioner to collect information which he would not otherwise have collected,” the petition states. “Under threat of punitive action, the impugned instructions require the Petitioner to collect logs that record customer activities as well as personal information of its customers.”

He further argued that the instructions violated the constitutional right to do business and did not constitute “reasonable restraints.” He pointed to a letter sent by industry giants like Microsoft and Adobe that pointed out that “global threat actors” might start targeting logs that CERT-in has ordered VPN providers to keep.

SnTHostings had previously sent a legal notice to the government on the rules. The government has not responded to the notice, dated June 10, said a person familiar with the lawsuit. Coach.

The petition, however, makes a few questionable claims: First, it says that “In June 2022, ExpressVPN, Surfshark, and NordVPN – all global market leaders – suspended operations in India indefinitely.” These services remain available in India, but the Indian servers they used to use are no longer available.

“VPN services anonymize outgoing traffic by encrypting online activity. This ensures that financial details such as bank account/credit card/debit card details are not accessible to third parties and therefore enhances cybersecurity,” the petition continues.

However, the majority of popular websites these days offer encrypted connections to users and provide limited information to ISPs and other intermediaries between a user and a server. “The reality is that web security has improved so much in recent years that VPN services, which charge monthly subscription fees that cost as much as Netflix, provide unnecessary protection for most privacy-conscious people” , said the New York Times. reportedquoting security researchers.

This is especially true for conventional financial transactions, as payment gateways often use standardized and constantly updated encryption standards, such as PCI-DSS, which can make it difficult to intercept payment information, even over networks. unsecured open.

In addition to the privacy risks that arise from VPN companies storing data, the instructions have already had business implications for Indian companies that partner with global VPN providers. These companies “could opt to shut down their physical servers in India,” said Richa Babbar, director of edge & ecosystem development at Web Werks. Coach in a statement emailed in June. “That way, the data centers hosting these servers will lose business.”

According to PeeringDB data reviewed by Coach, Web Werks has a peering agreement with Edgoo Networks, which appears to facilitate connectivity to Indian servers for NordVPN. As NordVPN no longer offers Indian servers to its customers, Web Werks and other such hosting providers in India have likely been affected by the exodus of VPN companies from India.

Coach first reported that NordVPN was consider shooting his Indian servers, which he ended up doing. Other providers like ExpressVPN have followed suit. It continued, with the company behind Protonmail also announcing that it was firing Indian servers this month.

It is unclear what the ultimate goal of the government is with these controversial orientations and its refusal to reconsider their provisions. In an RTI response provided to Coach, a clue has emerged that the government may not be content with VPN providers simply taking down servers from India. “The guidelines apply to any VPN service provider offering services to users in India,” the government told us.

This could potentially be used as a pretext to ban VPN services that do not keep user logs, which could limit options for Indian internet users to browse the web anonymously. The SntHostings petition cited part of the 2017 Supreme Court judgment upholding privacy as a fundamental right to underscore the overbreadth this approach can be.

“[U]Under the guise of preventing money laundering or black money, there cannot be such a sweeping provision that targets every resident of the country as a suspicious person,” the Supreme Court had said, reversing the requirement to link every Indian bank account to Aadhar. “The presumption of criminality is treated as disproportionate and arbitrary.”

While the government’s efforts to track user information have been predictable so far, the fact remains that most of the measures taken recently seem to ignore the unintended effects they might have on broader issues of security. confidentiality or ecosystem in this case. So far, it has had more wins than not, thanks to the importance of the Indian market, as we have seen with social media platforms. But when it comes to paid services, the Indian market may seem big, but it’s actually only as big as a mid-sized European country in terms of revenue, which means many companies might choose to exit instead. than to bend. VPN exits are a clear indicator of this and the future risks of such policies.

Previous Duquette Consulting is pleased to announce a new strategic partner Klear-View Camera, IP Integrated & Fused Camera Technology
Next Different career paths in design and technology