VPNs Explained: How They Work and the Policy Status in India

Ayndri
Ayndri
Research Analyst - Policy & Advocacy, CyberPeace
PUBLISHED ON
Mar 26, 2025
10

What Is a VPN and its Significance 

A Virtual Private Network (VPN) creates a secure and reliable network connection between a device and the internet. It hides your IP address by rerouting it through the VPN’s host servers. For example, if you connect to a US server, you appear to be browsing from the US, even if you’re in India. It also encrypts the data being transferred in real-time so that it is not decipherable by third parties such as ad companies, the government, cyber criminals, or others.

All online activity leaves a digital footprint that is tracked for data collection, and surveillance, increasingly jeopardizing user privacy. VPNs are thus a powerful tool for enhancing the privacy and security of users, businesses, governments and critical sectors. They also help protect users on public Wi-Fi networks ( for example, at airports and hotels), journalists, activists and whistleblowers, remote workers and businesses, citizens in high-surveillance states, and researchers by affording them a degree of anonymity. 

What VPNs Do and Don’t 

  •  What VPNs Can Do:
    • Mask your IP address to enhance privacy.
    • Encrypt data to protect against hackers, especially on public Wi-Fi.
    • Bypass geo-restrictions (e.g., access streaming content blocked in India).
  •  What VPNs Cannot Do:
    • Make you completely anonymous and protect your identity (websites can still track you via cookies, browser fingerprinting, etc.).
    • Protect against malware or phishing.
    • Prevent law enforcement from tracing you if they have access to VPN logs.
    • Free VPNs usually even share logs with third parties. 

VPNs in the Context of India’s Privacy Policy Landscape 

In April 2022, CERT-In (Computer Emergency Response Team- India) released Directions under Section 70B (6) of the Information Technology (“IT”) Act, 2000, mandating VPN service providers to store customer data such as “validated names of subscribers/customers hiring the services, period of hire including dates, IPs allotted to / being used by the members, email address and IP address and time stamp used at the time of registration/onboarding, the purpose for hiring services, validated address and contact numbers, and the ownership pattern of the subscribers/customers hiring services” collected as part of their KYC (Know Your Customer) requirements, for a period of five years, even after the subscription has been cancelled. While this directive was issued to aid with cybersecurity investigations, it undermines the core purpose of VPNs- anonymity and privacy. It also gave operators very little time to carry out compliance measures. 

Following this, operators such as NordVPN, ExpressVPN, ProtonVPN, and others pulled their physical servers out of India, and now use virtual servers hosted abroad (e.g., Singapore) with Indian IP addresses. While the CERT-In Directions have extra-territorial applicability, virtual servers are able to bypass them since they physically operate from a foreign jurisdiction. This means that they are effectively not liable to provide user information to Indian investigative agencies, beating the whole purpose of the directive. To counter this, the Indian government could potentially block non-compliant VPN services in the future. Further, there are concerns about overreach since the Directions are unclear about how long CERT-In can retain the data it acquires from VPN operators, how it will be used and safeguarded, and the procedure of holding VPN operators responsible for compliance. 

Conclusion: The Need for a Privacy-Conscious Framework

The CERT-In Directions reflect a governance model which, by prioritizing security over privacy, compromises on safeguards like independent oversight or judicial review to balance the two. The policy design renders a lose-lose situation because virtual VPN services are still available, while the government loses oversight. If anything, this can make it harder for the government to track suspicious activity.  It also violates the principle of proportionality established in the landmark privacy judgment, Puttaswamy v. Union of India (II) by giving government agencies the power to collect excessive VPN data on any user. These issues underscore the need for a national-level, privacy-conscious cybersecurity framework that informs other policies on data protection and cybercrime investigations. In the meantime, users who use VPNs are advised to choose reputable providers, ensure strong encryption, and follow best practices to maintain online privacy and security.

References 

PUBLISHED ON
Mar 26, 2025
Category
TAGS
No items found.

Related Blogs

#FactCheck – Debunked: Dhoni's Viral Picture Misinterpreted as Political Support
#FactCheck – Debunked: Dhoni's Viral Picture Misinterpreted as Political Support
10
April 25, 2024

Executive Summary:

The picture that went viral with the false story that Dhoni was supporting the Congress party, actually shows his joy over Chennai Super Kings' victory in the achievement of 6 million followers on X (formerly known as Twitter) in 2020. Dhoni's gesture was misinterpreted by many, which resulted in the spread of false information. The Research team of CyberPeace did an in-depth investigation of the photo's roots and confirmed its authenticity through a reverse image search, highlighting how news outlets and CSK's official social media channels shared it. The case illustrates the value of fact verification and the role of real information in preventing the fake news epidemic.

Claims:

An image of former Indian Cricket captain Mahendra Singh Dhoni, showed him urging people to vote for the Congress party,  wearing the Chennai Super Kings (CSK) jersey and showing his right palm visible and gesturing the number 'one' with his left index finger. In reality he is celebrating Chennai Super Kings' milestone achievement on X (formerly Twitter) in 2020. Many people are sharing the misinterpretation knowingly or unknowingly over social media platforms.

Post link
       Post link
Post link

Fact Check:

After receiving the post, we ran a reverse image search of the image and found a news article published by NDTV. According to the news outlet, Dhoni and his teammates were celebrating CSK's milestone of reaching six million followers on X (formerly known as Twitter) in the photos.

Website link

In the image it is written as a tweet of @chennaiipl, to get an idea we dig into the official account of Chennai Super Kings on X (formerly known as Twitter). And Voila! we found the exact post which surfaced on the X (formerly known as Twitter) on 5th October 2020.

    Post link

Additionally, we found a video posted on the X (formerly known as Twitter) handle of CSK, featuring other cricketers celebrating the Six Million Followers milestone for which they are thanking the audience for their support. Again, it was posted on Oct 05, 2020. The caption of the video is written as “Chennai Super #SixerOnTwitter! A big thanks to all the super fans for each and every bouquet and brickbat throughout the last decade. All the #yellove to you. #WhistlePodu”

Post link

Therefore it is easy to conclude that the viral image of MS Dhoni supporting Congress is wrong and misleading.

Conclusion:

The information that circulated online media regarding a picture of Mahendra Singh Dhoni supporting the Congress Party has been proven to be untrue. The actual photograph was of Dhoni congratulating the Chennai Super Kings for having six million followers on social media in the year 2020. This highlights the need for checking the facts of any news circulating online.

  • Claim: A photo allegedly depicting former Indian cricket captain Mahendra Singh Dhoni encouraging people to support the Congress party in elections surfaced online.
  • Claimed on: X (Formerly known as Twitter) 
  • Fact Check: Fake & Misleading
#FactCheck – Debunking False Claim: Free ₹749 Recharge Deception Linked to Ram Mandir Celebration
#FactCheck – Debunking False Claim: Free ₹749 Recharge Deception Linked to Ram Mandir Celebration
10
January 28, 2024

Executive Summary:

In the end of January 2024, India sees an inauguration of Ram Mandir that is a historical event to which people came culturally and spiritually. All communities in the world acknowledge this point of life as a victory and also understand how it unites people. In the midst of this genuine joy over success, there has been a disconcerting increase in malpractices designed to exploit people’s enthusiasm. This report aims at providing awareness and guidelines on how one can avoid the fraud activities that could be circulating as a celebration of Ram Mandir inauguration. An example cited here is on scams that give fake free recharge to users making them connect with the Prime Minister of India and UP Chief Minister Yogi Adityanath.

False Claim:

According to the message passed in WhatsApp, as a commemoration of the inauguration of Ram Mandir  in Ayodhya in January 2024, free Rs.749 mobile recharge for three months would be offered to all Indians across India by both the PM and UP CM. The message prompts the recipients to click on the blue link provided and then recharge their numbers.

The Deceptive Scheme:

We have been informed of a circulating link (https://mahacashhback[.]in/#1705296887543) stating that it offers ₹719 recharge in honor of the Ram Mandir inauguration. It is worth mentioning that this link does not belong to any legitimate movement concerning the inauguration; public excitement and trust were used for personal gain. 

Analyzing the Fraudulent Campaign:

  • Exploiting Emotional Significance:Scammers are using the cultural and religious significance of Ram mandir inauguration as a cover to fool people into participating in its fraudulent scheme. 
  • Fake Recharge Offers:The broadcasted link is offering a recharge pretending that they celebrate it’s inauguration. Such offers should be handled with care and established through authorized avenues.
  • Bogus Landing Pages and Comments:The landing page linked to the link typically shows images of Ram Mandir and fake comments succeeding in a make-believe appearance. Legitimate projects linked to major events rely on official and trustworthy communication mechanisms. 
  • Data Collection Attempts:However, users may be asked for personal details like mobile numbers under the false pretext of winning a fake recharge. Legitimate organizations practice secure protocols for data collection and communication. 
  • Sharing for Activation:After the data entry, users are prompted to share a link in other people’s posts; it is said that this will help “activate” recharge. This is a popular trick among swindlers to keep the fraud going on due to sending misleading messages. 

What do we Analyze?

  • It is important to note that at this particular point, there has not been any official declaration or a proper confirmation of such offers on any official channel.
  • The campaign is hosted on a third party domain instead of any official Government Website, this raised suspicion. Also the domain has been registered in very recent times.
  • Domain Name: mahacashhback[.]in
  • Registry Domain ID: D1FCF1B5751244310A2FA723B62CE83E9-IN
  • Registrar URL: https://publicdomainregistry[.]com/
  • Registrar: Endurance Digital Domain Technology LLP
  • Registrar IANA ID: 801217
  • Updated Date: 2024-01-18T08:09:00Z
  • Creation Date: 2023-05-27T12:01:17Z
  • Registry Expiry Date: 2024-05-27T12:01:17Z
  • Registrant Organization: Sachin Kumar
  • Registrant State/Province: Bihar
  • Name Server: ns2.suspended-domain[.]com
  • Name Server: ns1.suspended-domain[.]com

CyberPeace Advisory and Best Practices:

  • Verify Authenticity:Authenticate any offers or promotions linked to the Ram Mandir inauguration through official channels. 
  • Exercise Caution with Links:Do not engage with questionable URLs, in particular those without secure encryption (HTTPS). Official announcements and initiatives are disseminated through secure outlets.
  • Protect Personal Information:Do not provide personal information and do not respond to unsolicited offers on nonofficial platforms. Genuine organizations employ safe and official routes for communication.
  • Report Fraudulent Activity:When you see scams or fraudulent activities, immediately report them to authorities and platforms so that no one falls into their trap.

Conclusion:

In the coming days, let us be cautious from such cheating strategies which would be misutilized or create false situations. Individuals should stay informed, verify sources and defend their personal information to ensure a safer world wide web. Official and secure channels are used to communicate authentic initiatives linked with notable events. When an offer sounds too favorable or attractive, exercise due caution and check its genuineness to avoid being defrauded. Thus by undertaking the research we found this campaign to be fake.

#FactCheck - Edited Video of ‘India-India’ Chants at Republican National Convention
#FactCheck - Edited Video of ‘India-India’ Chants at Republican National Convention
10
July 29, 2024

Executive Summary:

A video online alleges that people are chanting "India India" as Ohio Senator J.D. Vance meets them at the Republican National Convention (RNC). This claim is not correct. The CyberPeace Research team’s investigation showed that the video was digitally changed to include the chanting. The unaltered video was shared by “The Wall Street Journal” and confirmed via the YouTube channel of “Forbes Breaking News”, which features different music performing while Mr. and Mrs. Usha Vance greeted those present in the gathering. So the claim that participants chanted "India India" is not real.

Claims:

A video spreading on social media shows attendees chanting "India-India" as Ohio Senator J.D. Vance and his wife, Usha Vance greet them at the Republican National Convention (RNC).

Post link

Post link

Fact Check:

Upon receiving the posts, we did keyword search related to the context of the viral video. We found a video uploaded by The Wall Street Journal on July 16, titled "Watch: J.D. Vance Is Nominated as Vice Presidential Nominee at the RNC," at the time stamp 0:49. We couldn’t hear any India-India chants whereas in the viral video, we can clearly hear it. 

We also found the video on the YouTube channel of Forbes Breaking News. In the timestamp at 3:00:58, we can see the same clip as the viral video but no “India-India” chant could be heard.

Hence, the claim made in the viral video is false and misleading.

Conclusion:

The viral video claiming to show "India-India" chants during Ohio Senator J.D. Vance's greeting at the Republican National Convention is altered. The original video, confirmed by sources including “The Wall Street Journal” and “Forbes Breaking News” features different music without any such chants. Therefore, the claim is false and misleading.

Claim: A video spreading on social media shows attendees chanting "India-India" as Ohio Senator J.D. Vance and his wife, Usha Vance greet them at the Republican National Convention (RNC).

Claimed on: X 

Fact Check: Fake & Misleading

Become a part of our vision to make the digital world safe for all!

Numerous avenues exist for individuals to unite with us and our collaborators in fostering  global cyber security

Awareness

Stay Informed: Elevate Your Awareness with Our Latest Events and News Articles Promoting Cyber Peace and Security.

CyberPeace Corps Induction Workshop
The Missing Link Trust to combat online child trafficking
Cyber Safety Carnival
Safer Internet Day 2023
1.6 Crore Customer Records of HDFC Life being sold on Dark Web: CyberPeace
India Post scam exposed! Experts share cyber protection tips
The Territorial Army launches Terrier Cyber Quest 2024
Impact of Cybersecurity in Circular Economy

Engagement

Your institution or organization can partner with us in any one of our initiatives or policy research activities and complement the region-specific resources and talent we need.

Discover ways to collaborate
Request for Proposals

Play your part for CyberPeace

Donate to us directly to help us build more pioneering initiatives.

Donate Now