Another VPN quits India, as government proposes social media censorship powers

New Delhi now fighting criticism of eroding free speech and privacy with two proposed regulations


India's tech-related policies continue to create controversy, with fresh objections raised to a pair of proposed regulation packages.

One of those regulations is the infosec reporting and logging requirements introduced by India's Computer Emergency Response Team (CERT-In) in late April. That package requires VPN, cloud, and numerous other IT services providers to collect customers' personal information and log their activity, then surrender that info to Indian authorities on demand. One VPN provider, ExpressVPN, last week quit India on grounds that its local servers are designed not to record any logs so compliance would be impossible. ExpressVPN will soon route customers' traffic outside India.

On Tuesday, another VPN – Surfshark – announced it would do likewise.

The company announced its decision in a post that labelled CERT-In's rules "radical action that highly impacts the privacy of millions of people living in India."

India's government decide what millions of Indians can or cannot say online.

CERT-In's rules have also been criticized by The Internet Society, the nonprofit that advocates for an open internet.

In an Impact Brief [PDF] that assesses the impact of CERT-In's rules, the Society rates the requirement to sync with India-controlled network time protocol servers as creating a dangerous single point of failure. The Brief also takes issue with the rules' requirement to collect user data, as India lacks data privacy and data protection laws. The Society also suggests that CERT-In is not the appropriate body to collect data, as it is not a law enforcement agency.

Those criticisms come on top of similar suggestions from BSA The Software Alliance and ten other tech-related lobby groups, all of whom suggest the rules make India a less attractive destination for foreign investment.

Glutton for punishment?

India's government has so far shrugged off that criticism, but has earned itself more of the same at home by revising the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules that it introduced in 2021. Those rules saw social media companies push back on grounds that the regulations required them to identify users and could restrict free speech.

On Monday India's Ministry of Electronics and Information Technology (MeitY) published proposed amendments [PDF] to the Rules that, among other things, propose the creation of a government-run committee that would consider citizens' grievances about content posted to social media. That committee would have the power to override social networks' content moderation decisions.

That's scary, given that Indian police last year visited Twitter's local office to inquire why the microblogging service chose to label posts by a government spokesperson as "manipulated media."

India's Internet Freedom Foundation characterised the proposed committee's powers as follows:

Complicating perceptions of the proposed amendments is that MeitY published them last week, but then took down the file. An identical proposal re-appeared on Monday.

India's IT minister Rajeev Chandrasekhar has said the amended Rules add "more effective grievance addressal ensuring constitutional rights of citizens are respected" and will have "no impact on Indian Startups."

Many nations have laws that give local authorities the power to compel social media to remove content under specific circumstances.

India's proposed amendments allow citizens to seek takedown orders whenever they feel aggrieved.

The Register will be surprised if the proposed amendments don't generate another wave of letters from international lobby groups protesting India's plans. ®

Broader topics


Other stories you might like

Biting the hand that feeds IT © 1998–2022