24,000 Blocking Orders and the Tunnel Around Them: India Moves on VPNs
UPSC-standard MCQs with explanations, trap analysis, and approach guide. Answer after the test — not before.
1
Easy
1
Medium
1
Hard
Practice this set
3 questions · full analysis after submission · no sign-up required
Article summary
Officials confirmed on 3 July 2026 that India is developing a legal framework to regulate virtual private network providers, four years after a CERT-In directive requiring five-year retention of subscriber data was met not with compliance but with departure. The proposed framework would require VPN operators to establish physical offices in India, appoint resident compliance officers as government liaisons, retain subscriber records — names, addresses, contact details and IP addresses — for five years, and would expose non-compliant personnel to criminal penalties including imprisonment. The obligations mirror those already applying to significant social media intermediaries under the IT Rules, 2021. The enforcement problem the framework addresses is concrete: the government issued more than 24,000 content-blocking orders in 2025, up from more than 12,000 in 2024, and VPN traffic is precisely what allows users to route around them. When Telegram was briefly blocked before a NEET-UG retest, Proton VPN reported a 120 per cent spike in daily sign-ups from India. The 2022 experience is the reason officials are now considering a physical-presence requirement: after the original deadline was extended from June to September 2022, Proton VPN, NordVPN, ExpressVPN and Surfshark relocated servers out of India rather than store subscriber data, and Proton has publicly said it does not intend to comply this time either.
What this tests
Sample questions — answers revealed after test
Q1. With reference to the constitutional framework governing data retention mandates in India, which one of the following statements is correct?
Q2. The government issued more than 24,000 content-blocking orders in 2025, up from more than 12,000 in 2024, and is now moving to regulate VPN providers. Which one of the following best explains the connection between the two?
Q3. Consider the following statements: 1. The 2022 CERT-In directions required five-year retention of subscriber data, and the compliance deadline was extended from June to 25 September 2022. 2. Several major VPN providers, including Proton VPN, NordVPN, ExpressVPN and Surfshark, relocated servers out of India rather than comply with those directions. 3. Because those providers withdrew their servers, Indian users were left unable to access VPN services, which is why a fresh regulatory proposal became necessary. Which of the statements given above are correct?