vpn: Govt bans VPN, cloud services for employees

New Delhi: The government has barred its employees from using third-party virtual private networks (VPN) and anonymisation services offered by companies such as Nord VPN, ExpressVPN and Tor.

The mandate comes just days after ExpressVPN, Surfshark and NordVPN said they would stop offering their services in the country following a directive by the Indian Computer Emergency Response Team (Cert-In) on how VPN companies should operate in India

The directive also urges government employees not to save “any internal, restricted or confidential government data files on any non-government cloud service such as Google Drive or Dropbox.”


The National Informatics Centre (NIC), which is under the Ministry of Electronics and Information Technology, said it had put out the guidelines to improve the “security posture” of the government.

“In order to sensitize the government employees and contractual/outsourced resources and build awareness amongst them on what to do and what not to do from a cyber security perspective, these guidelines have been compiled,” NIC said in an internal document, titled Cyber Security Guidelines for Government Employees. ET has reviewed a copy of the document.

Discover the stories of your interest

The NIC has also asked government employees to not ‘jailbreak’ or ‘root’ their mobile phones or use any external mobile app-based scanner services such as CamScanner to scan “internal government documents”

CamScanner was among several Chinese apps banned by the government in July 2020, citing national security concerns following border hostilities with the northern neighbour but continues to be operational through some versions.

“By following uniform cyber security guidelines in government offices across the country, the security posture of the government can be improved,” the directive added.

The IT ministry did not respond to ET’s specific queries on the intent behind the directive.

“All government employees, including temporary, contractual/outsourced resources are required to strictly adhere to the guidelines mentioned in this document. Any non-compliance may be acted upon by the respective CISOs/Department heads,” according to…