Relevance: GS-3: Science and Technology- developments and their applications and effects in everyday life.

Relevance: GS-2: Government policies and interventions for development in various sectors and issues arising out of their design and implementation.

Key Phrases: Virtual private networks, Cybercrime, Data Privacy, Ministry of Electronics and Information Technology, Encrypted Connection, IP address, Computer Emergency Response Team, Personal Data Protection Bill, Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

Context:

• The Ministry of Electronics and Information Technology’s (MeitY) directions to virtual private network (VPN) service providers are significant. They say that VPN providers should store data of Indian users for up to five years.
• This reinforces the importance of striking a balance between the need to protect user privacy and the government’s legitimate requirement to access data for cyber security.

Virtual Private Network

• VPN or “virtual private network” is a service that helps internet users stay private online by hiding their IP addresses. VPN establishes an encrypted connection between the user’s computer and the internet, providing a private tunnel for their data, making them anonymous and blocking anyone from tracking their movements like where they are going or what they are doing.
• It is the IP address i.e. a special number of unique user’s internet network, that helps websites, law enforcement agencies, cybercriminals or anyone else looking into an individual’s internet activities and track down their accurate location. Without a VPN, the user’s IP address is visible to the web. VPNs obscure the user’s internet usage by jumping the signal off multiple servers.

Benefits of Virtual Private Network:

• VPN is used to hide location as well as encrypt information being transferred between the sender and receiver. This can be the data of an enterprise sent over a cloud network and storage, or two individuals exchanging files. On the one hand, this service is extremely useful for users accessing the Internet over public Wi-Fi systems.
• VPN also helps companies, government agencies, and individuals encrypt data transmitted over the internet. It prevents any snooping and information tapping by external sources while the data is in transit.

Concerns Related to Virtual Private Network:

• The big worry for security agencies across the world is that VPNs allow criminals to transmit data without the fear of getting their IP addresses traced. For example, law enforcement agencies in Europe banned a VPN service provider last year after it was discovered that cybercriminals were using the platform.
• This also has commercial ramifications for businesses like Netflix and other content providers that have geographical restrictions. For example, a user in India can use VPN and pretend to be a Netflix subscriber in the US to watch content that may be restricted in this country.
• Last year the Parliamentary Standing Committee on Home Affairs had even suggested banning VPN in India to counter cyber threats and other nefarious activities.

VPN New Regulations

• According to a directive from the Ministry of Electronics and Information Technology’s cyber arm Computer Emergency Response Team (CERT-In), details must include names, addresses, contact numbers, and email addresses of customers hiring the services, period of hire, IPs allotted to them, the time stamp used at the time of registration, the purpose for hiring services and ownership pattern of the customers.
• The mandate applies to Virtual Private Server (VPS) providers, VPN service providers, cloud service providers, and data centres.
• The order from CERT-In, which serves as the national agency that analyses cyber threats, will become effective after 60 days and the service providers may face action if they fail to provide users' information.
• In addition to that, the government is also asking VPN providers to keep a record of users’ IP addresses and their email used to register the service, along with the timestamp of registration.
• Further, VPN providers are also required to maintain a list of all IP addresses issued to a customer and the IP addresses that their customers generally use.

Why Government Brought These Regulations?

• One of the main reasons that Cert-In provided for seeking these details is that it will help to effectively trace anti-social elements and cybercriminals indulging in various nefarious activities online.
• These details are necessary to prevent incitement or commission of any “cognisable offence using computer resources or for handling of any cyber incident” which may lead to any disturbance in the “sovereignty or integrity of India, defence of India, security of the state, friendly relations with foreign states or public order”.

Way Forward:

• While the government’s security needs are understandable, banning VPN services is not good. Asking VPN service providers to store user data may not be desirable either, especially since the proposed Personal Data Protection Bill is yet to be passed by the Parliament.
• The Centre can, however, take other measures to ensure that cybercriminals do not hide behind a VPN platform. This can be done through a consultative process with VPN players and global law enforcement agencies. Rules can be framed that put the onus on VPN service providers to keep their platforms safe.
• For instance, The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ( IT rules) announced in February 2021 puts in a framework that brings in transparency in terms of the responsibilities and duties of the internet intermediaries including Twitter and Facebook. VPN companies should cooperate with lawmakers in building up such a framework.

Source: The Hindu BL

Mains Question:

Q. What is the Virtual Private Network? Why do VPN providers believe new rules will undermine users’ privacy? Critically Examine.