Cyber Security – CERTs, Policy, etc

India’s new VPN Rules


From the UPSC perspective, the following things are important:

Prelims level: VPN, CERT-In

Mains level: Cyber security challenges for India

On April 28, the Computer Emergency Response Team (CERT-In) passed a rule mandating that VPN (virtual private network) providers record and keep their customers’ logs for 180 days.

What is VPN?

  • A VPN lets you establish a protected network connection when using public networks.
  • It encrypts internet traffic and disguises a user’s online identity.
  • This makes it more difficult for third parties to track your activities online and steal data.
  • The encryption takes place in real time.

How does a VPN work?

  • A VPN hides your IP address by routing your traffic through a specially configured remote server run by a VPN host.
  • This means that if you surf online with a VPN, the VPN server appears as the source of your data.
  • This means your Internet Service Provider (ISP) and other third parties cannot see which websites you visit or what data you send and receive online.
  • A VPN works like a filter that turns all your data into “gibberish”. Even if someone were to get their hands on your data, it would be useless.

Why do people use VPN?

  • Secure encryption: A VPN connection disguises your data traffic online and protects it from external access. Unencrypted data can be viewed by anyone who has network access and wants to see it. With a VPN, hackers and cyber criminals can’t decipher this data.
  • Disguising whereabouts: VPN servers essentially act as your proxies on the internet. Because the demographic location data comes from a server in another country, your actual location cannot be determined.
  • Data privacy is held: Most VPN services do not store logs of your activities. Some providers, on the other hand, record your behaviour, but do not pass this information on to third parties. This means that any potential record of your user behaviour remains permanently hidden.
  • Access to regional content: Regional web content is not always accessible from everywhere. Services and websites often contain content that can only be accessed from certain parts of the world.
  • Secure data transfer: If you work remotely, you may need to access important files on your company’s network. For security reasons, this kind of information requires a secure connection. To gain access to the network, a VPN connection is often required.

What does the new CERT-In directive say?

  • VPN providers will need to store validated customer names, their physical addresses, email ids, phone numbers, and the reason they are using the service, along with the dates they use it and their “ownership pattern”.
  • In addition, CERT-In is also asking VPN providers to keep a record of the IP and email addresses that the customer uses to register for the service, along with the timestamp of registration.
  • Most importantly, however, VPN providers will have to store all IP addresses issued to a customer and a list of IP addresses that its customers generally use.

What does this mean for VPN providers?

  • VPN services are in violation of CERT-In’s rules by simply operating in India.
  • That said, it is worth noting that ‘no logs’ does not mean zero logs.
  • VPN services still need to maintain some logs to run their service efficiently.

Does this mean VPNs will become useless?

  • The Indian government has not banned VPNs yet, so they can still be used to access content that is blocked in an area, which is the most common usage of these services.
  • However, journalists, activists, and others who use such services to hide their internet footprint will have to think twice about them.

Why such a move?

  • Crime control: For law enforcement agencies, a move like this will make it easier to track criminals who use VPNs to hide their internet footprint.
  • Curbing dark-net activities: Users these days are shifting towards the dark and deep web, which are much tougher to police than VPN services.

Back2Basics: Indian Computer Emergency Response Team (CERT-In)

  • CERT-In is an office within the Ministry of Electronics and Information Technology.
  • It is the nodal agency to deal with cyber security threats like hacking and phishing. It strengthens the security-related defense of the Indian Internet domain.
  • It was formed in 2004 by the Government of India under Section 70B of the Information Technology Act, 2000, under the Ministry of Communications and Information Technology.


1 year ago

Hello! I hasten to warn you: do not believe the reviews posted on official sites. After all, the webmaster put them there. Look for reviews on regular sites, forums, discussions and tips. This way you will get the opinion of ordinary people who have tried using the VPN service and found advantages or disadvantages. Thanks to such reviews, I found this site with a good VPN app.

