Large paid VPN firms like ExpressVPN and NordVPN shifted their “India” servers to Singapore, buying Internet Protocol (IP) blocks associated with India while serving traffic from the city state. Image for representational purposes.
| Photo Credit: Getty Images
The Ministry of Electronics and Information Technology (MeitY) warned Virtual Private Network (VPN) providers late Thursday evening to block sites leaking Indian user data, and to comply with Indian regulations on VPNs. The missive cited a website that appeared to allow users to track Indians’ locations using their phone number or address, apparently relying on leaked data. The URL now redirects to a repository on GitHub, a Microsoft-owned platform for coders.
VPNs are tools that allow users to access the internet from a remote location, often with added encryption and without website blocking implemented by Indian internet providers. India has frowned at the idea of internet users using the web anonymously, arguing that this lets them commit cybercrimes anonymously. In 2022, the Computer Emergency Response Team, India (CERT-in) published directions that required VPN providers to maintain logs of Indian users.
VPN providers, who market their services specifically as a way to avoid such tracking of their browsing online, balked at the request, and refused to comply. Large paid VPN firms like ExpressVPN and NordVPN shifted their “India” servers to Singapore, buying Internet Protocol (IP) blocks associated with India while serving traffic from the city state. They largely continue to be available to Indian users, though, who can route their traffic through several countries.
GitHub did not respond to a query on whether it has received a request to take the repository containing the code to replicate the websites named by the Ministry.
“It has come to the notice of this Ministry that few websites … operating in violation of law are disclosing personal details of several individuals in India such as name, mobile number and addresses,” the IT Ministry’s advisory said. “Users can allegedly enter any Indian mobile number on this website to access information, including full name, address, alternate numbers, and email IDs. Accordingly, it is being noticed that this website poses a significant risk to Indian users on the internet as the website permits public access to personal information of users without their authorisation. Furthermore, there is a possibility of such websites being available for access by use of VPN service providers.”
“In this regard, it should be noted that intermediaries have a due diligence obligation under the Information Technology Act, 2000 (IT Act) and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 to not host information that belongs to another person and to which the user does not have any right or is invasive of another’s privacy, or affects public order, security of the state or sovereignty and integrity of India, or violates any law for the time being in force.”
The Ministry noted, “with heightened emphasis,” that if VPN providers don’t block these URLs, “they shall be liable for consequential action as provided under any law including the IT Act and the Bharatiya Nyaya Sanhita 2023”.
A senior official told The Hindu that this was not necessarily a precursor to a VPN ban, and questioned the need for these platforms to operate anonymously.
Published – December 12, 2025 10:04 pm IST
