Tunneling through restrictions: The double-edged sword of VPNs in India
Info Nuggets
Unlock Exclusive Insights with The Tribune Premium
Take your experience further with Premium access. Thought-provoking Opinions, Expert Analysis, In-depth Insights and other Member Only Benefits
Advertisement
A VPN stands for Virtual Private Network — it’s like a secure, private tunnel through the internet.
How it works
Advertisement
- Encryption: When you connect to a VPN, all your internet traffic is scrambled (encrypted) so others can’t read it.
- Server in between: Instead of going directly to websites, your data first goes to a VPN server (which can be anywhere in the world).
- New IP Address: Websites see the VPN server’s IP, not yours, hiding your real location.
Why people use VPNs
- Privacy: Stops your Internet Service Provider (ISP), hackers, or even public Wi-Fi snoopers from tracking your activity
- Security: Protects sensitive data like passwords or banking info
- Bypass restrictions: Lets you access region-locked websites, streaming content, or apps
- Avoid tracking: Makes online advertisers’ job harder
Limitations
- A VPN doesn’t make you completely anonymous — websites can still track you through cookies or your logged-in accounts
- Speed might be slower due to encryption and distance to the VPN server
- You must trust the VPN provider, because they can see your traffic if it’s not end-to-end encrypted.
In short: A VPN is like mailing a letter in a locked box that only you and the receiver can open — and the post office (internet) doesn’t know what’s inside or who really sent it.
Advertisement
VPN & regulation in India (2025)
- Policy background: CERT-In Directives (April 2022)
In April 2022, India’s cyber security arm CERT-In issued new directions under the IT Act, requiring VPN providers (alongside data centers, cloud services, VPS providers and crypto exchanges) to maintain detailed customer logs for five years, including:
- Name, address, email, contact
- IP addresses used (registration & usage)
- Duration and purpose of VPN use
- Ownership pattern, timestamps, usage logs (180-day rolling logs)
Corporate in-house VPNs (i.e., those that serve only employees without registration or billing) are exempt, but third-party/consumer VPNs are under the mandate .
- Implementation timeline & industry response
Implementation delayed: Originally due June 2022, deadlines were extended to September 25, 2022.
VPN Exodus: Major providers like ExpressVPN, NordVPN, and Surfshark pulled out their physical servers from India, opting for virtual servers (e.g., “India via Singapore/UK”) to continue providing Indian IPs while avoiding compliance .
Privacy advocates flagged this as a major erosion of civil liberties and a dangerous precedent toward mass surveillance .
- Government justification
CERT-In argued the logging directive is essential to strengthen cybersecurity and close gaps in incident analysis, enabling swift response to cyber threats .
- Current status
As of 2023–2025, CERT-In continues to issue compliance notices to VPN service providers to ascertain if the mandates are adhered to .
In January 2025, the government reportedly asked Apple and Google to remove certain VPN apps from Indian app stores—further tightening control and access to VPN services .
UPSC-relevant insights and sample answer framework
a) Importance of VPNs in cybersecurity & governance
- Ensures data encryption, identity masking, and secure access to sensitive systems—vital during remote government operations or when accessing institutional networks
- Crucial for journalistic confidentiality, protection of whistleblowers, and dissent in digital spaces
b) Policy balance: Privacy vs security
- Privacy concerns: Mandatory logs undermine the very premise of VPNs; storing personal data for five years raises risk of misuse or breach (right to privacy under Article 21)
- Security rationale: Logs aid in tracing cyber incidents, especially when VPN usage masks source IPs—improving forensic capabilities
c) Consequences & industry reactions
- Exodus of VPN servers from India: Indicates global providers resist compromising privacy
- Use of virtual servers outside jurisdiction highlights a workaround but may degrade user experience slightly
- App removal from stores hinders user access—users may turn to alternate tools like Tor, self-hosted VPNs, or browser-based privacy tools
Advertisement
Advertisement