vpn: government bans VPNs and cloud services for employees

New Delhi: The government has banned its employees from using third-party virtual private networks (VPNs) and anonymization services offered by companies such as Nord VPN, ExpressVPN and Tor.

The mandate comes just days after ExpressVPN, Surfshark and NordVPN said they would stop offering their services in the country following a directive from India’s Computer Emergency Response Team (Cert-In) on how VPN companies should operate in India.

The directive also urges government employees not to save “any internal, restricted or confidential government data file to a non-government cloud service such as Google Drive or Dropbox.”


The National Computing Center (NIC), which falls under the Department of Electronics and Information Technology, said it had issued guidelines to improve the government’s “security posture”.

“In order to educate government employees and contracted/outsourced resources and sensitize them on the do’s and don’ts from a cybersecurity perspective, these guidelines have been compiled,” the NIC said in a statement. internal document, titled Cyber ​​Security. Guidelines for government employees. ET reviewed a copy of the document.

Discover the stories that interest you

The NIC also instructed government employees not to “jailbreak” or “root” their cellphones or use external mobile app-based scanner services such as CamScanner to scan “internal government documents”.

CamScanner was among several Chinese apps banned by the government in July 2020, citing national security concerns following border hostilities with the northern neighbor, but continues to operate through some releases.

“By following uniform cybersecurity guidelines in government offices across the country, the government’s security posture can be improved,” the directive adds.

The IT Department did not respond to specific questions from ET about the intent behind the directive.

“All government employees, including temporary, contract/outsourced resources, are required to strictly adhere to the guidelines mentioned in this document. Any non-compliance can be followed up by the respective CISOs/heads of departments,” according to the internal document.

Cert-In, India’s nodal cybersecurity agency, had on April 28 asked VPN companies operating in India to keep a log of their customers’ details, including names, addresses and the purpose for which the VPN service was used. .

Despite the backlash from corporate stakeholders, cybersecurity experts and business advisory groups against the Cert-In directive, the government has stood firm on its position, Minister of State for Electronics and Computing Rajeev Chandrasekhar made it clear to companies that did not wish to follow the directive the standards were “free to leave India”.

India also took a similar stance against VPN companies at a recently concluded meeting of the United Nations Ad Hoc Committee which discussed a comprehensive international convention on combating the use of information technology and communications for criminal purposes.

ET had reported on Thursday that the Indian delegation had asked members of the United Nations Ad Hoc Committee to counter the use of technologies such as virtual private networks, end-to-end encrypted messaging services and blockchain-based technologies such as than cryptocurrency, as these provided anonymity, scale, speed, and reach for terrorists, increasing the possibility of them remaining untraceable to law enforcement.

India’s suggestions to the UN ad hoc committee are in line with its regulatory approach in its country. On several occasions, senior ministers as well as officials from the Ministry of Electronics and Information Technology have reiterated their position that tech giants should not hide behind the “excuse” of anonymity. when such traceability requests are made by law enforcement.

At a recent press conference on the Cert-In guidelines, Chandrasekhar told reporters that the government would adopt a “zero tolerance” policy on anonymity as a cover for online crimes, and that the production of evidence was an “unambiguous obligation” on the VPN service. providers, social media intermediaries and instant messaging platforms.

Stay on top of tech news and the startups that matter. Subscribe to our daily newsletter for the latest must-have tech news, delivered straight to your inbox.

Comments are closed.