The Ministry of Electronics and Information Technology [“MeitY”] issued an advisory early this month, addressed to Virtual Private Network [“VPN”] providers [“Advisory”]. This advisory was issued against the backdrop of the increasing number of websites scraping, aggregating, or otherwise publishing personal information [such as names, phone numbers, addresses and other identifiers] of Indian citizens. The advisory specifically singles out the websites <proxyearth.org> and <leakdata.org>, which purportedly allow access to the personal information of Indians, merely by entering the phone number of the person[s]. The information allegedly disclosed includes names, addresses, alternate phone numbers and email IDs, all without the consent or knowledge of the concerned person[s].
The situation becomes more concerning because access to such websites may continue through VPNs, making it harder to block access to them through ordinary means. This creates a significant risk of threats to privacy [including identity theft, fraud, harassment and mass misuse of personal data] and other cybercrimes.
Therefore, if a platform or service knowingly allows access to websites that illegally expose personal data, it fails to meet its basic legal responsibility.
WHAT THE ADVISORY CONTAINS – THE ROLE OF INTERMEDIARIES
This advisory has been issued to all VPN service providers and other intermediaries [such as telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, and other such intermediaries defined under the IT Act].
Interestingly, VPN service providers have been mentioned specifically and significantly. This can be explained by the sensitive position they occupy: VPNs usually route traffic through encrypted tunnels and typically claim a minimal-logging or no-logging policy. However, most also run DNS [Domain Name System] resolvers, exit gateways, or content filtering layers, and as such, can perform domain-level blocks or filter known bad hosts. So, while VPNs serve legitimate purposes such as cybersecurity and privacy protection, they can also be misused to bypass safeguards and access unlawful content.
By explicitly mentioning VPN providers, MeitY is signalling that VPN services cannot be used as shields for unlawful data exposure. The intermediaries are now expected to make reasonable efforts to restrict access, falling in line with current global standards, where intermediaries are increasingly expected to act proactively, especially when the harm is clear and ongoing.
In light of this, the Advisory highlights the “due diligence” obligation of all intermediaries under the IT Act and 2021 Rules, which includes:
i. To prohibit the hosting of information that belongs to another person and to which the user does not have any right or is invasive of another’s privacy, or affects public order, security of the state or sovereignty and integrity of India, or violates any law for the time being in force, and
ii. To take immediate and effective actions to ensure that no user is allowed to host any such information.
The advisory also stresses that the “safe harbour” protection would fail if the due diligence obligations are not followed.
Finally, the advisory also highlights the obligation of the intermediaries [including VPN service providers] under the IT Act to co-operate with authorised Government agencies. This includes providing information or assistance for the prevention of cyber incidents, identity verification, and the investigation and prosecution of offences, as well as for cybersecurity incidents. This has been explained in detail below.
Failure to cooperate within the specified timelines can lead to significant penalties. This reinforces the expectation of responsible participation by private digital actors in maintaining public safety online.
LEGAL BASIS
A. SECTION 79 OF THE IT ACT
One of the most important parts of the advisory is its warning regarding Section 79 of the IT Act, which shields intermediaries from liability for third-party content by offering them “safe harbour” protection. This protection can be understood as conditional immunity for intermediaries against liability for information, data or communication links made available or hosted on their platform, as long as they are acting as mere intermediaries and are exercising due diligence under the IT Act and Rules.
The Advisory reiterated that intermediaries have to make systems that can act promptly once they are informed that a privacy-breaching piece of information has appeared. If an intermediary directly or indirectly helps, encourages, or supports unlawful activities, or fails to take timely action, the legal protection under Section 79 of the IT Act [the “safe harbour” protection] no longer applies.
B. THE IT RULES, 2021
VPN providers and other intermediaries must adhere to the due diligence duties outlined in the IT Rules, 2021, particularly Rule 3, to maintain their legal protection under Section 79. These Rules require them to act responsibly by preventing unlawful content, informing users where required, and cooperating with government authorities. The recent focus on VPN providers makes it clear that if they fail to comply, they can lose safe harbour protection and face penalties and other legal action under the IT Act.
1. Rule 3[1]: Due Diligence by an Intermediary
Rule 3[1][b] compels the intermediaries to disclose to users using their terms of service that they will not host, display, upload, edit, publish, transmit, store, update or share information that infringes any patent, trademark, copyright or other proprietary right or is otherwise intrusive of the privacy of another.
Rule 3[1][d] also imposes on intermediaries the obligation to take down or block access to such content after gaining actual knowledge [in the form of a court order or notification from the government].
2. Rule 3[2]: Grievance Mechanism
Under Rule 3[2], the intermediaries are expected to establish a clear and functioning grievance system. This includes appointing a grievance officer or establishing a round-the-clock contact point wherein complaints are acknowledged within twenty-four hours and resolved within fifteen days of being received. Users should have an easy way to report unlawful or harmful content. Serious and sensitive complaints, such as those involving sexual abuse, must be acted upon immediately, within twenty-four hours.
COMPLIANCE FOR INTERMEDIARIES
To ensure strict compliance with the Advisory, the first step should be to determine whether the specific domains mentioned in the advisory are directly or indirectly reachable by the intermediaries through their infrastructure. This can be achieved by examining DNS resolvers, URL filtering lists, hosting accounts, and caching policies.
If accessible by the intermediaries, access to these domains must be denied to users in India. They should, then, be blocked according to the internal escalation and approval procedures, and suitable logging of the access should be done to allow an audit trail.
After this, the immediate short-term plans include:
• Reviewing the terms of service, privacy policies, and user guidelines to ensure that they clearly prohibit the use of the service to publish or access websites that illegally disclose personal information, with a specific reference to adherence to government notifications.
• Revising the processes of notice and takedown to ensure the takedown of privacy-intruding content.
• Developing or revising a risk-based monitoring system to identify trends that may indicate their infrastructure is being abused to continue accessing or encouraging known sites that have leaked sensitive data, such as by reporting abuse, traffic spikes, or the frequency of domain requests.
In the long term, due diligence must be maintained before hosting any such user/content that belongs to another person, or otherwise invades another’s privacy, or affects public order, the security of the state, or the sovereignty and integrity of India, or can be used for cyber-attacks.
By integrating these steps, the intermediaries can ensure that they are not only adhering to the current advisory but also building a resilient framework against future data-related risks.
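The resolver-level check, audit logging and request-frequency monitoring described in this section can be sketched as follows. This is an added example, not part of the Advisory or of any provider's tooling: the resolver log format, client addresses, timestamps and threshold are constructed assumptions, and only the two domains come from the Advisory.

```python
from collections import Counter

# Domains named in the Advisory; everything else here is an assumption.
BLOCKED = {"proxyearth.org", "leakdata.org"}

# Constructed sample resolver log: "timestamp client_ip qname qtype"
SAMPLE_LOG = """\
2025-01-01T10:00:01Z 10.8.0.12 example.com. A
2025-01-01T10:00:02Z 10.8.0.12 ProxyEarth.org. A
2025-01-01T10:00:03Z 10.8.0.40 www.leakdata.org AAAA
2025-01-01T10:00:04Z 10.8.0.12 cdn.proxyearth.org. A
2025-01-01T10:00:05Z 10.8.0.40 notleakdata.org. A
2025-01-01T10:00:06Z 10.8.0.12 proxyearth.org.example.net. A
malformed line
2025-01-01T10:00:07Z 10.8.0.12 proxyearth.org. A
"""

def matched_domain(qname, blocked=BLOCKED):
    """Return the blocked domain that qname equals or is a subdomain of, else None."""
    labels = qname.rstrip(".").lower().split(".")
    # Compare label-aligned suffixes only, so "notleakdata.org" and
    # "proxyearth.org.example.net" are not over-blocked.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in blocked:
            return suffix
    return None

def audit(log_text, threshold=3):
    """Return (audit records, per-client hit counts, clients at or over threshold)."""
    records, counts = [], Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing fields
        ts, client, qname, _qtype = parts
        rule = matched_domain(qname)
        if rule:
            records.append({"time": ts, "client": client, "qname": qname,
                            "rule": rule, "action": "blocked"})
            counts[client] += 1
    flagged = sorted(c for c, n in counts.items() if n >= threshold)
    return records, counts, flagged

if __name__ == "__main__":
    records, counts, flagged = audit(SAMPLE_LOG)
    for r in records:
        print(r)
    print("flagged clients:", flagged)
```

Matching on whole labels rather than substrings keeps the block list specific to the listed domains and their subdomains, which is the kind of narrow, reviewable blocking the article argues for.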
SIGNIFICANCE
The MeitY Advisory addresses a new and significant threat: the commercialisation and open publication of personal data obtained through hacking and scraping, which could be used to commit attacks against user privacy and other cyberattacks. Through this advisory, it has definitely been made clear that intermediaries can no longer remain passive parties. Instead, they will be held liable for hosting user content that facilitates such crimes if they fail to exercise proper due diligence. Consequently, platforms are required to implement preventive measures, such as blocking mirror or duplicate sites, and to establish efficient grievance mechanisms.
Simultaneously, caution should be exercised to ensure that blocking powers are applied on a specific, case-by-case basis and in a transparent manner. This is vital to prevent privacy protection from being used as an excuse to over-block websites or to remove encryption and anonymity tools. Establishing a clear set of criteria to identify data leaks, maintaining smaller, regularly reviewed lists, and providing affected organisations with the option to appeal will go a long way toward ensuring privacy and freedom of speech.