Amid concerns over Pakistan’s telecom regulator’s plan to crack down on Virtual Private Networks (VPNs), a proposal has surfaced from the IT community suggesting that VPN providers should be required to register locally and monitor users’ data to address “national security concerns”.
In a recent television interview, Sajjad Mustafa Syed, chairman of the Pakistan Software Houses Association (P@SHA), claimed that many developed countries follow this practice, citing examples such as the European Union (EU), India, United States (US), Philippines, Bangladesh, Vietnam, and Ireland.
The claim is misleading. Experts confirm that such a policy is not common in democratic nations, with India being an exception.
Claim
On December 5, during an appearance on a private television channel, Syed proposed that the Pakistani government follow the example of countries like the US, EU, and India in requiring VPN providers to set up operations locally. He argued this would address national security concerns related to online activities.
Syed said: “We have two global paths to follow. One is the path followed by North Korea, Iran, and Turkmenistan. The other is the path being followed by the US, India, Philippines. We are suggesting [to the government] that the countries we trade with like EU or US or the countries we compete with like India, Bangladesh, Philippines, Vietnam, and Ireland. We should follow their methodology. The method is that rather than whitelisting VPNs, you reverse it. Get VPN service providers to set up their businesses in Pakistan. Then you get them to monitor [users]” and have them implement your national security concerns.
Watch the interview here at 29:00.
Fact
The claim that requiring VPN providers to register locally and share user data is a standard practice in democratic countries is misleading and mostly untrue. In reality, such policies are not common in democratic nations, except in India, where it is highly controversial.
Christian Dawson, co-founder and executive director of the US-based Internet Infrastructure Coalition (i2Coalition), explained to Geo Fact Check that most democratic countries do not require VPN providers to register locally or monitor user data systematically.
Dawson provided a breakdown of the regulatory landscape in the countries mentioned by Syed:
European Union (EU): There is no unified requirement across EU member states for VPN providers to register locally or routinely share user data with governments. On the contrary, strict privacy regulations, such as the General Data Protection Regulation (GDPR), limit data sharing, including with authorities, unless specific legal conditions are met.
United States: There is no federal mandate requiring VPN providers to register or share user data systematically. However, providers can be subject to lawful requests, such as subpoenas or warrants, under frameworks like the Patriot Act or the CLOUD Act.
The Philippines, Bangladesh, Vietnam, Ireland: The regulatory landscape varies significantly. For example, Vietnam enforces strict data localisation laws that indirectly impact VPN operations, while other countries may require compliance with cybersecurity frameworks that could include limited government access to data.
However, India stands out as an exception.
India’s recent laws require VPN providers to maintain logs and share them with the government upon request. This move has been met with resistance and sparked privacy concerns, causing many premium VPN providers to exit the Indian market.
Dawson added, “It’s worth noting that many non-democratic countries, such as Myanmar and China, impose strict VPN registration and monitoring as a tool for control and surveillance. This highlights the significant contrast with most democracies, which generally prioritise personal freedoms and privacy rights.”
This was corroborated by Shruti Narayan, the Asia Pacific Policy Counsel for Access Now, a US-based digital rights group, confirmed that India is the only country on Syed’s list where VPN providers are legally required to store user data and hand it over to authorities if needed.
Narayan also pointed out that this move has been criticised as a violation of privacy rights protected by India’s constitution. In June 2022, Access Now released a press statement calling the Indian government’s decision a violation of the right to privacy which the Indian constitution protected.
The statement can be read here.
Narayan further said that such measures are not in line with democratic values.
“Mandating registration, monitoring, and data collection and sharing as a rule is not compliant with the principles of privacy and free speech in a democracy. We believe that VPN registration does not serve legitimate security interests, and is done to enable surveillance and authoritarian control,” she added.
Verdict: The suggestion that many developed countries require VPN providers to register locally and share user data is largely misleading. While India has adopted such a policy, it has faced widespread criticism for infringing on privacy rights. In contrast, most democratic nations prioritise personal freedoms and privacy and do not mandate VPN registration or data sharing.
Follow us on @GeoFactCheck on X (formerly Twitter) and @geo_factcheck on Instagram. If you spot any errors, reach out to us at [email protected]