The VPN controvery continues to rage. In a fresh directive, the government has reportedly barred its employees from using third-party virtual private networks (VPN) and anonymisation services offered by companies such as NordVPN, ExpressVPN, Surfshark and Tor. The directive comes days after after these VPN service providers threatened to remove their servers from India in protest against the new rules announced by India’s cyber security agency Computer Emergency Response Team (Cert-In). Here’s what the directive says and more:
* The guidelines have been issued by National Informatics Centre (NIC), which is under the Ministry of Electronics and Information Technology. The document is titled Cyber Security Guidelines for Government Employees. The document, seen by Economic Times, aims to sensitize the government employees and contractual/outsourced resources and build awareness amongst them on what to do and what not to do from a cyber security perspective.
* The document asks all government employees, including temporary, contractual/outsourced resources to strictly adhere to the guidelines mentioned. Any non-compliance may be acted upon by the respective CISOs/Department heads.
* The directive asks government employees not to save “any internal, restricted or confidential government data files on any non-government cloud service such as Google Drive or Dropbox.”
* It asks government employees not to ‘jailbreak’ or ‘root’ their mobile phones.
* Not to use any external mobile app-based scanner services such as CamScanner to scan “internal government documents”.
* On April 28, Cert-In had issued a set of rules that mandate VPN companies operating in India to maintain a log of their customers’ details, including names, addresses, and the purpose for which the VPN service was being used. The rules, however, do not apply to corporate VPNs.
* Despite protest from companies and industry bodies, the government so far has remained firm on its stand. The minister of state for electronics and IT Rajeev Chandrasekhar said during an interaction with media earlier this month that the companies who do not wish to follow the norms are “free to leave India”. The minister told reporters that the government would adopt a “zero-tolerance” policy on anonymity being a cover for online crimes, and that production of evidence was an “unambiguous obligation” on VPN service providers, social media intermediaries and instant messaging platforms.