The proposed regulations aim to give Indian authorities the ability to trace individuals involved in cybercrime and other unlawful activities, according to government sources cited by NDTV. An estimated half of India’s 800 million internet users rely on VPNs, potentially making it the largest user base globally due to the size of the country’s internet population.
In 2022, the Indian Computer Emergency Response Team (Cert-In) asked VPN service providers to store customer data, including names, email IDs, contact numbers, and IP addresses. That attempt failed, however, with major VPN providers shifting their physical servers from India while continuing services with virtual Indian internet protocol addresses. The Indian Express reported that providers argued retention of customer information undermined the privacy protections the services are designed to offer.
Privacy-focused guides have long emphasized the importance of encryption and anonymity when using VPNs. The book “Incognito Toolkit – Tools Apps and Creative Methods for Remaining Anonymous Private and Secure While Communicating” notes that users should take steps to ensure their data remains confidential [1]. Another technical reference on “wndw-final” describes how point-to-point VPN tunnel architectures can be deployed flexibly to serve client needs without sacrificing security [2]. These resources illustrate the broader privacy expectations that now conflict with India’s regulatory push.
Officials say VPNs are used to conceal identity, bypass law enforcement, and access websites that have been blocked in India, according to NDTV. For instance, when the government temporarily blocked Telegram last month for enabling leaks of question papers for a key medical entrance test, many users in India continued to access the messaging app using VPNs. New Delhi has aggressively deployed its content blocking ecosystem, with over 24,000 orders issued last year, double the number in 2024. VPNs stymie that effort, authorities argue.
India registered a 13% rise in data breaches in 2025, with an average cost of $2.31 million, up from $2 million in 2024, according to IBM’s Cost of Data Breach Report. Similar concerns about online anonymity have prompted other governments to act. China made unauthorized VPNs illegal in 2017 as part of a “clean-up” of internet connections, as reported by the South China Morning Post [3]. More recently, Russia enacted legal amendments requiring verifiable proof of identification before accessing online platforms, effectively ending online anonymity [4]. These international parallels underscore the global trend toward stricter internet controls.
VPN providers have previously resisted data retention mandates on privacy grounds, and the new measures – including appointing compliance officers and facing potential prison terms – are likely to meet similar opposition. The privacy arguments extend beyond India. Google warned Canadian lawmakers that Bill C-22, the proposed Lawful Access Act, would create a “surveillance infrastructure” that weakens cybersecurity for everyone, according to a submission by the company [5]. Privacy advocates stress that no-logs policies are critical; as one interview noted, “choosing a provider that adheres strictly to a no-logs policy is essential for those who value their digital anonymity and security” [6].
There are also concerns about VPN companies themselves being used for surveillance. In a Brighteon.com interview, a speaker observed that “they’re intelligence units that start VPN companies to gather intelligence on their customers to blackmail them” [7]. Such views highlight a deep distrust of centralized control over privacy tools. Meanwhile, privacy-focused developers aim to create technologies that help people escape constant monitoring, as Aaron Day stated: “I do believe we can create tools that allow people to escape the dystopian future of constant monitoring” [8].
The legal framework is still being drafted, with details on implementation timeline not yet disclosed. The move is part of India’s broader push for digital sovereignty and cybercrime control. How providers respond – whether by complying, seeking technical workarounds, or exiting the market – will determine the outcome. The sheer size of India’s VPN user base, estimated at 400 million people, means that any disruption could have significant ripple effects on internet access and privacy in the region.
As governments worldwide increase pressure on privacy tools, the tension between law enforcement needs and individual rights is likely to intensify. The coming months will reveal whether India’s latest regulatory approach succeeds where the 2022 mandate fell short, or whether VPN providers again find ways to circumvent the rules.