The Indian government is no longer content with merely blocking illegal websites; it is now targeting the tools people use to reach them. In a high-stakes move to curb the rampant exposure of citizen data, the Ministry of Electronics and Information Technology (MeitY) has issued a directive that places Virtual Private Network (VPN) providers squarely within the ambit of national security and privacy enforcement.
The advisory, which began circulating after being flagged by a senior ministry official, targets a specific category of so-called “leak-hosting” portals. Websites such as proxyearth.org and leak-data.org have reportedly transformed personal privacy into a searchable commodity. On these platforms, entering an Indian mobile number can allegedly reveal sensitive personal details, including full names, residential addresses, and private email IDs, collected and displayed without the consent or knowledge of the individuals concerned.
Closing the “VPN Loophole”
Historically, government action against such sites followed a familiar pattern. Once blocked at the Internet Service Provider (ISP) level, access could easily be restored by switching on a VPN and routing traffic through foreign servers. MeitY’s latest directive seeks to disrupt this cycle by addressing what it sees as a critical enforcement gap.
By instructing VPN providers to make “reasonable efforts” to block access to identified leak-hosting domains, the government is effectively asking privacy-focused services to act as digital gatekeepers. MeitY Secretary S. Krishnan underscored that the move was prompted by the discovery of Indian citizens’ personal data being hosted on servers located well beyond India’s legal jurisdiction. Since shutting down overseas servers is often impractical, authorities have opted to make those platforms inaccessible from within Indian borders.
The End of “Safe Harbour”?
This directive carries significant legal implications, striking at the heart of the long-standing “Safe Harbour” protections enjoyed by intermediaries under Section 79 of the Information Technology Act. Traditionally, this provision has shielded platforms and service providers from liability for user actions, provided they remained neutral and complied with lawful takedown requests. VPN providers, in particular, have operated comfortably within this framework, presenting themselves as passive conduits rather than active participants in online activity.
However, MeitY’s advisory makes it clear that this protection is conditional, not absolute. By explicitly warning that non-compliance could result in the withdrawal of Safe Harbour status, the government is signalling that intermediaries can no longer plead ignorance when harmful or illegal activity is known and persistent. The reference to possible criminal liability under the Bharatiya Nyaya Sanhita, 2023 further raises the stakes and marks a decisive shift from regulatory caution to punitive enforcement.
In practical terms, VPN providers that fail to take reasonable steps to restrict access to flagged data-leak platforms may find themselves exposed to legal action. This represents a fundamental recalibration of intermediary liability in India’s digital ecosystem, moving away from passive immunity and toward proactive accountability.
A Shifting Legal Landscape
Legal and technology experts view this move as part of a broader transformation in India’s approach to digital governance. According to Sandeep K. Shukla, director at IIIT Hyderabad, the advisory is less about technical blocking and more about strategic pressure. By placing responsibility on VPN providers, the government is effectively outsourcing enforcement to private entities that control access pathways.
This development blurs the line between neutral infrastructure providers and facilitators of access. If a VPN knowingly enables entry to platforms that trade in illegally obtained personal data, authorities may now interpret that role as facilitative rather than incidental. In legal terms, this reframing has the potential to reclassify VPNs as accountable actors rather than invisible intermediaries.
The move also reflects a broader regulatory trend that focuses on adapting existing legal frameworks to evolving technologies instead of waiting for entirely new legislation. As data becomes one of the most valuable and vulnerable assets in India’s expanding digital economy, policymakers appear increasingly willing to reinterpret old laws to address new harms.
The Privacy Debate
While the stated objective, protecting citizens from identity theft and data exploitation, is widely supported, the method has sparked debate. VPNs are built on the promise of privacy, anonymity, and an open internet. Critics argue that compelling these services to filter content undermines their core purpose and sets a precedent that could pave the way for wider internet controls.
Supporters, however, contend that absolute anonymity cannot come at the cost of systemic abuse. As India’s Digital Personal Data Protection framework begins to take shape, the country finds itself navigating a delicate balance, safeguarding personal data without eroding the tools designed to protect digital freedom. For now, the government appears convinced that limiting access to known sources of harm is a price worth paying to secure the privacy of millions.
