The Indian Computer Emergency Response Team (CERT-In) in April asked the VPN service providers to restructure their business practices while complying with the newly drafted rules. After the notification, while many service providers expressed discomfort, it now looks like in the US also such service providers are about to face some challenging situations.
Two Democratic lawmakers in the US have asked the Federal Trade Commission to prohibit VPN companies from engaging in deceptive activities that mislead users into believing their services are secure, as they noted that the industry is “extremely opaque” and many service providers “exploit, mislead, and take advantage of unwitting consumers”.
The lawmakers, in a letter to the FTC, urge the agency to crackdown on the consumer VPN business for deceptive marketing claims and unscrupulous data practices.
They point to the impact of the Supreme Court’s decision to overturn Roe v Wade, which has already led to abortion bans in several US states. Legislators are now concerned that abortion seekers may rush to VPNs, assuming the services will protect their digital privacy.
According to the letter, the issue is that customers have no method of verifying VPN providers’ data protection claims, especially if they actually adhere to a ‘no-logs’ policy while processing user data. For the uninitiated, ‘no-logs’ VPNs are those that don’t store any data related to a user’s online connections or activities, as well as personal details, payment information and search history.
However, the letter states: “It’s extremely difficult for someone to decipher which VPN service to trust, especially for those in crisis situations. There are hundreds, if not thousands, of VPN services available to download, yet there is a lack of practical tools or independent research to audit VPN providers’ security claims.”
Although people can use review sites and blogs to identify a reputable provider, the lawmakers note that there are several VPN review websites which are owned by firms that also offer VPN services, while bloggers can also benefit from a partnership with the VPN provider.
While explaining the information shared by service providers on their websites, the lawmakers stated that many of them provide inaccurate details as found in consumer reports from last year.
The report highlighted that 12 of the 16 reviewed VPN services either misrepresented their goods and technology or made exaggerated or overly general claims about the types of security they offer their customers. The US lawmakers also highlighted that VPN service providers might sell access to consumer data to marketers or covertly reveal customer data to law authorities in response to subpoenas.
They stated that “it’s nearly impossible to verify their claims” as in several cases, VPN providers that advertise a strict ‘no-log’ policy have handed over user activity logs to law enforcement.
So it is understood that while the use of dubious marketing strategies and exaggerated claims by VPN providers has made it difficult for customers to determine which ones are reliable, in the US, the industry may therefore benefit from a regulatory jolt from an FTC crackdown.
However, since the abortion law has been a very sensitive issue in the US for years, the lawmakers urged FTC to “develop a brochure for abortion-seekers on how best to protect their data, including a clear outline of the risks and benefits of VPN usage”.
What Is Happening in India
Earlier this year, CERT-In asked that VPN service providers keep records of their clients’ verified names, the duration of their use of the service, the IP addresses assigned to them, their email addresses, and the timestamps used during registration for the service for at least five years.
Additionally, it urged VPN service providers to keep track of information about users’ ownership patterns, the reason they utilised their services, and their verified addresses and phone numbers.
But the VPN sector has criticised the new regulations, claiming that such onerous legislation is incompatible with the fundamental goal and guiding principles of VPNs and as a result, many VPN service providers have taken down their actual Indian servers.
But recently, Pavan Duggal, Supreme Court lawyer, founder, and chairman of the International Commission on Cyber Security Law told Financial Express that these laws would ultimately increase cyber security and resilience in the sector.
However, the new rules were supposed to go into force 60 days after they were announced, on July 27. According to a CERT-In update, the deadline has been extended by three months to September 25 this year.
Countries with Strict VPN Laws
Though what US lawmakers are demanding currently is different from the rules recently introduced in India, in both cases, it is all about regulating the sector, something which is concerning for such service providers.
Cybersecurity expert and Co-Founder of Instasafe Technologies, Sandip Kumar Panda, told News18: “With hundreds of personal VPN players in the market, there are concerns on how they are handling customer data.”
According to Panda: “Often, few of these companies mishandle customer data by selling user data to third parties. Some other concerns with VPN players include government bodies across countries that are facing the challenge of cybercriminals and malicious hackers who use VPNs to mask their identity and pose risks to national security.”
“So with rising cyber cases, all governments have the tough task of dealing with the situation. In fact, we will see similar actions to follow by various other countries on regulating and doing quality checks on these personal VPN players,” he added.
It is noteworthy that many countries and governments either have banned them completely or have imposed strict regulations.
Russia
All internet service providers in Russia are required by the System of Operational-Investigatory Measures to employ gear that is provided by the Federal Security Service, allowing the organisation to track all user web browsing, email traffic and phone calls.
In 2017, the government passed legislation outlawing the use of VPNs to access banned content. The regulation, however, does not prohibit the usage of VPNs, instead, it merely bars using the software to access information that is blocked in the country.
Additionally, foreign VPN providers in the country have also been instructed to ban sites mandated by the government.
China
The Chinese government has prohibited its citizens from accessing a significant number of international websites and applications such as Facebook and search giant Google.
Since using a VPN may essentially get around these restrictions, China has outlawed the use of VPNs altogether, with the exception of companies that have received government approval. These are typically neighbourhood service providers who report to the government.
Bypassing is possible but due to the Great Firewall, which evolves very quickly, it is impossible to suggest a VPN service that will function trustworthily there.
Iran
In Iran, the construction, replication, or distribution of VPN and proxy services is punishable by up to two years in prison under Article 20 of the proposed Protection Bill. It should be noted that Article 4 of the Bill calls for the adoption of “legal VPNs”.
Gabriele Racaityte, Head of Public Relations at VPN business Surfshark, expressed particular concern about sections of the bill that bring Iran’s gateways under the jurisdiction of the Secure Gateway Taskforce, which will include representatives from the General Staff of the Armed Forces, the Intelligence Organization of the Islamic Revolutionary Guards Corps, the Ministry of Intelligence, the Ministry of Information and Communications Technology, the Passive Defense Organization, the Police Force and the office of Prosecutor General.
UAE
VPN can be used for internal purposes by corporations, institutions, and banks in the UAE. The usage of such services is not unlawful in the UAE if done in accordance with the Telecommunications and Digital Government Regulatory Authority’s standards. However, misuse might result in a severe penalty, including imprisonment, for violating local cyber legislation.
According to Article 1 of the Amended UAE Cyber Law, a violator can be punished by temporary imprisonment and a fine not less than Dh500,000 and not in excess of Dh2 million.
However, there are other countries like North Korea, Belarus, Turkmenistan, Uganda, Iraq, Turkey and Oman where VPN services are tightly regulated or blocked.
Read all the Latest News, Breaking News, watch Top Videos and Live TV here.
Comments
0 comment