Indian Government Sued Over VPN Logging Orders

A hosting company has sued the government of India, challenging newly implemented orders that target virtual private networks. As reported earlier Wednesday by Entrackr's Aroon Deep, Pune-based SnTHostings argued in its petition to the Delhi High Court that the new government directives undermine the fundamental operation of VPNs by requiring companies to track and store user data. 

Read more: India Orders VPN Companies to Collect and Hand Over User Data

Though the VPN services are still operating remotely for India's users, SnTHosting's lawyers pointed to the withdrawal of in-country VPN servers by major providers such as ExpressVPN, NordVPN and Surfshark. The firm said the order from India's Computer Emergency Response Team, known as CERT-in, not only defeats the point of VPNs altogether, but also contradicts legal precedents protecting online privacy and violates the country's constitutionally protected business rights. 

"VPN services anonymize outgoing traffic by encrypting online activity. This ensures that financial details such as bank account, credit card (and) debit card details are not accessible to third parties and, thus, furthers cybersecurity," the company's lawyers said in the 33-page suit. 

Read more: Casual vs. Critical: When Your VPN Is a Matter of Life or Death, Here's How to Pick One

Other VPN companies have continued to remove servers from within India's borders in response to the CERT-in directive, including providers PureVPN and ProtonVPN. The latter has offered a surveillance countermeasure called Indian Smart Routing, which issues the user an Indian IP address from servers physically located in Singapore. 

India's Ministry of Electronics and IT has said that the order to track and store user data is intended to help it deal with "certain gaps" that hinder it from responding to unspecified "cyber incidents and interactions with the constituency."  

SnTHosting's suit is scheduled to be taken up on Dec. 9.