VPN, Cloud Services Banned By NIC For Government Employees: All You Need To Know

New Delhi: Days after virtual private networks (VPN) such as ExpressVPN, Surfshark, and NordVPN pulled their servers from India, the government announced that its employees are barred from using third-party VPNs and anonymisation services offered by such firms. In May, the Indian Computer Emergency Response Team (CERT-In) had shared a directive on how VPN companies should operate in the country. The National Informatics Centre (NIC), which falls under the Ministry of Electronics and Information Technology (MeitY) has now come forward with a new set of guidelines.

Apart from barring government employees from using external VPNs, the NIC directive also urges workers to not save “any internal, restricted, or confidential government data files on any non-government cloud service such as Google Drive or Dropbox,” as reported by The Economic Times.

NIC’s internal document, titled “Cyber Security Guidelines for Government Employees,” stated, “In order to sensitise the government employees and contractual/outsourced resources and build awareness amongst them on what to do and what not to do from a cyber security perspective, these guidelines have been compiled.”

As per the NIC, the new guidelines are put into place to strengthen the government’s “security posture.”

Employees are also asked by the NIC not to root or jailbreak their phones. They are barred from using third-party scanner services such as CamScanner to scan internal government documents on their phones.

The directives are applicable to all government employees, “including temporary, contractual/outsourced resources are required to strictly adhere to the guidelines mentioned in the document.”

NIC also added, “Any non-compliance may be acted upon by the respective CISOs/Department heads.”

ALSO SEE: Will New CERT-In Rules Affect Users And VPN Players? Here's What NordVPN And Experts Say

In May, CERT-In asked VPN companies to collect and store extensive user data for at least five years, as it aims to reduce the gaps in responding to cybersecurity incidents. VPN providers will be required to collect and turn over user data that includes IP addresses assigned to users.

Earlier this month, ExpressVPN announced on Twitter, "ExpressVPN removes VPN servers in India. Users will still be able to connect to VPN server locations that will give them Indian IP addresses."