Indian Government Sued Over VPN Logging Orders

Responding to orders requiring virtual private networks to collect user data, a hosting company is suing India's government.

Rae Hodge Former senior editor
Rae Hodge was a senior editor at CNET. She led CNET's coverage of privacy and cybersecurity tools from July 2019 to January 2023. As a data-driven investigative journalist on the software and services team, she reviewed VPNs, password managers, antivirus software, anti-surveillance methods and ethics in tech. Prior to joining CNET in 2019, Rae spent nearly a decade covering politics and protests for the AP, NPR, the BBC and other local and international outlets.
Rae Hodge
2 min read
Use a VPN for better online security
James Martin/CNET

A hosting company has sued the government of India, challenging newly implemented orders that target virtual private networks. As reported earlier Wednesday by Entrackr's Aroon Deep, Pune-based SnTHostings argued in its petition to the Delhi High Court that the new government directives undermine the fundamental operation of VPNs by requiring companies to track and store user data. 

Read moreIndia Orders VPN Companies to Collect and Hand Over User Data

Though the VPN services are still operating remotely for India's users, SnTHosting's lawyers pointed to the withdrawal of in-country VPN servers by major providers such as ExpressVPN, NordVPN and Surfshark. The firm said the order from India's Computer Emergency Response Team, known as CERT-in, not only defeats the point of VPNs altogether, but also contradicts legal precedents protecting online privacy and violates the country's constitutionally protected business rights. 

"VPN services anonymize outgoing traffic by encrypting online activity. This ensures that financial details such as bank account, credit card (and) debit card details are not accessible to third parties and, thus, furthers cybersecurity," the company's lawyers said in the 33-page suit

Read more: Casual vs. Critical: When Your VPN Is a Matter of Life or Death, Here's How to Pick One

Other VPN companies have continued to remove servers from within India's borders in response to the CERT-in directive, including providers PureVPN and ProtonVPN. The latter has offered a surveillance countermeasure called Indian Smart Routing, which issues the user an Indian IP address from servers physically located in Singapore. 

India's Ministry of Electronics and IT has said that the order to track and store user data is intended to help it deal with "certain gaps" that hinder it from responding to unspecified "cyber incidents and interactions with the constituency."  

SnTHosting's suit is scheduled to be taken up on Dec. 9.