Relevance: GS-II Govt Policies & Regulation; GS-III Cyber Security & Communication Networks
Source: Government policy reports, July 2026

Hiding Your Tracks: Why the Government Wants Stricter Rules for VPNs

1 · What exactly happened?

The Indian Government is working on tough new rules for Virtual Private Network (VPN) companies. Under these proposed rules, VPN firms might have to set up a physical office in India, hire local compliance officers to answer to the police, and could even face jail time if they don’t follow the law.

Why now? VPNs allow people to hide their internet location and access blocked websites. The government feels that its older 2022 CERT-In rule (which asked companies to store user data) wasn’t enough to control them, so it is pushing for a stronger legal net.

2 · The big debate: Security vs. Privacy

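How does a VPN work? It hides your real internet address (IP) by routing your connection through the provider’s server, often in another country, so the sites you visit see that server’s address instead of yours. This gives you anonymity towards those sites; the VPN provider itself can still see who you are, which is why rules about keeping logs matter so much. But here is the problem: the same tool that protects a whistleblower’s privacy can also help a cybercriminal hide from the police.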

The New Plan: Holding them accountable
The government wants local offices and officers who can be questioned. This is very similar to the IT Rules of 2021, which forced big social media companies to have officers in India.

The Security Threat: Anonymity helps criminals
Fraudsters use VPNs to run scams, bypass blocked sites, and spread illegal content without being traced. The police want a reliable way to track them down.

The 2022 Lesson: The rule that backfired
In 2022, CERT-In asked VPNs to keep user data for 5 years and report cyber attacks within 6 hours. Instead of agreeing, many top VPNs simply packed up and moved their servers out of India.

Finding a Balance: Target criminals, not everyone
Experts suggest the government shouldn’t track every innocent citizen. Instead, they should use legal treaties to target specific suspects while respecting the new Data Protection law.

  • The Privacy Angle: VPNs protect ordinary users from being tracked by corporations or hackers. Forcing VPNs to keep logs directly clashes with their “no-log” promise and might violate the Right to Privacy (declared a fundamental right in the Puttaswamy case, 2017).
  • Recent Crackdown: In April 2026, the government (MeitY) ordered VPNs to actively block banned gambling and betting websites, no matter where their servers are located.
  • The Great Exit: After the strict 2022 rules, big players like ExpressVPN and NordVPN removed their physical servers from India. They now route Indian users through “virtual servers” located in countries like Singapore or the UK, keeping data out of Indian police reach.
  • The Global Picture: Countries like China, Russia, and the UAE heavily restrict or completely ban VPNs. India hasn’t banned them, but is rapidly tightening the leash.

UPSC Prelims Quick Facts

  • CERT-In: The Indian Computer Emergency Response Team. It handles national cyber threats under Section 70B of the IT Act, 2000.
  • 2022 Directive: A rule that required VPNs and crypto firms to store user data for 5 years and report cyber attacks within 6 hours.
  • IT Rules, 2021: Forced large social media companies to appoint local officers (Compliance, Nodal, and Grievance officers) in India.
  • Puttaswamy Case (2017): A landmark Supreme Court judgment that made the Right to Privacy a fundamental right under Article 21.
  • DPDP Act, 2023: The Digital Personal Data Protection Act, which sets rules on how personal data should be legally handled in India.
  • No-log VPN: A VPN service that promises not to record or save your browsing history.

MCQ Practice Question

Q. With reference to cyber security regulation in India, consider the following statements:

  1. CERT-In, the national agency for responding to cyber security incidents, is empowered under Section 70B of the Information Technology Act, 2000.
  2. The Right to Privacy was recognised as a fundamental right under Article 21 in the K.S. Puttaswamy judgment (2017).
  3. Under the 2022 CERT-In directive, VPN providers must report cyber security incidents within 24 hours of detection.

Which of the statements given above is/are correct?
(a) 1 and 2 only    (b) 2 and 3 only    (c) 1 and 3 only    (d) 1, 2 and 3

Answer: (a) 1 and 2 only

  • Statement 1 — Correct: CERT-In operates legally under Section 70B of the IT Act, 2000.
  • Statement 2 — Correct: The Supreme Court ruled in the Puttaswamy case (2017) that privacy is a fundamental right under Article 21.
  • Statement 3 — Incorrect: Beware the trap! The reporting window for cyber incidents is 6 hours, not 24 hours.
