Govt bans VPN, cloud services for employees

New Delhi: The government has barred its employees from using third-party virtual private networks (VPN) and anonymisation services offered by companies such as Nord VPN, ExpressVPN and Tor.

The mandate comes just days after ExpressVPN, Surfshark and NordVPN said they would stop offering their services in the country following a directive by the Indian Computer Emergency Response Team (Cert-In) on how VPN companies should operate in India

The directive also urges government employees not to save “any internal, restricted or confidential government data files on any non-government cloud service such as Google Drive or Dropbox.”

The National Informatics Centre (NIC), which is under the Ministry of Electronics and Information Technology, said it had put out the guidelines to improve the “security posture” of the government.

“In order to sensitize the government employees and contractual/outsourced resources and build awareness amongst them on what to do and what not to do from a cyber security perspective, these guidelines have been compiled,” NIC said in an internal document, titled Cyber Security Guidelines for Government Employees. ET has reviewed a copy of the document.

The NIC has also asked government employees to not ‘jailbreak’ or ‘root’ their mobile phones or use any external mobile app-based scanner services such as CamScanner to scan “internal government documents”

CamScanner was among several Chinese apps banned by the government in July 2020, citing national security concerns following border hostilities with the northern neighbour but continues to be operational through some versions.

“By following uniform cyber security guidelines in government offices across the country, the security posture of the government can be improved,” the directive added.

The IT ministry did not respond to ET’s specific queries on the intent behind the directive.

“All government employees, including temporary, contractual/outsourced resources are required to strictly adhere to the guidelines mentioned in this document. Any non-compliance may be acted upon by the respective CISOs/Department heads,” according to the internal document.

Cert-In, India’s nodal cyber security agency, had on April 28 mandated that VPN companies operating in India must maintain a log of their customers’ details, including names, addresses, and the purpose for which the VPN service was being used.

Despite a push back from stakeholder companies, cybersecurity experts, and business advisory groups against the Cert-In directive, the government remained firm on its stance, with Minister of State for Electronics and IT Rajeev Chandrasekhar making clear companies that did not wish to follow the norms were “free to leave India”.

India has also taken a similar stance against VPN companies at a recently concluded meeting of the UN Ad Hoc Committee which debated a comprehensive international convention on countering the use of information and communications technologies for criminal purposes.

ET had reported on Thursday that the Indian delegation has asked UN Ad Hoc Committee members to counter the use of technologies including virtual private networks, end-to-end encrypted messaging services and blockchain-based technologies such as cryptocurrency as these provided anonymity, scale, speed and scope to terrorists thereby increasing the possibility of their remaining untraceable to law enforcement agencies.

India’s suggestions to the UN Ad Hoc committee are in line with its regulatory approach at home. On several occasions, senior ministers as well as officials from the Ministry of Electronics and Information Technology have reiterated their stand that technology giants must not hide behind the “excuse” of anonymity when such requests for traceability are made by law enforcement agencies.

At a recent press conference on the Cert-In guidelines, Chandrasekhar told reporters that the government would adopt a “zero-tolerance” policy on anonymity being a cover for online crimes, and that production of evidence was an “unambiguous obligation" on VPN service providers, social media intermediaries, and instant messaging platforms.