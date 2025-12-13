The Ministry of Electronics and Information Technology (MeitY) has issued an advisory directing virtual private network (VPN) service providers and other intermediaries to immediately block access to websites leaking personal information of Indian citizens. MeitY advisory to VPN providers to block sites

The advisory, dated December 11 and first posted by a MeitY official on LinkedIn, flags sites such as proxyearth.org and leakdata.org for allegedly exposing names, mobile numbers, addresses and other details without consent. It said the websites are also allowing users to “enter any Indian mobile number… to access information, including full name, address, alternate numbers, and email IDs.” A senior MeitY official confirmed the advisory’s authenticity to HT.

In its advisory, the government warns that such websites, “pose a significant risk to Indian users… as the website permits public access to personal information of users without their authorisation.” The ministry adds that these sites may still be reachable through VPN services, making action by VPN providers essential.

The advisory reminds intermediaries of their obligations under the Information Technology (IT) Act, 2000 and the IT Rules, 2021, including the requirement to take “immediate and effective action” to ensure that unlawful or privacy-violating content is not hosted or shared on their platforms. Failure to comply could cost companies their safe-harbour protections under Section 79 of the IT Act, and violations may attract action under the IT Act and the Bharatiya Nyaya Sanhita, 2023.

Citing the “serious nature of the situation,” MeitY has “reiterated, with heightened emphasis,” that VPN services and intermediaries must “make reasonable efforts to not permit the access” of such websites. The advisory also reiterates that intermediaries must provide information or assistance to law-enforcement and cyber-security agencies “well within the stipulated timeframes.”

MeitY believes current frameworks, including the IT Rules, CERT-In procedures and the Digital Personal Data Protection Act are sufficient to prevent large-scale leaks. As to why the advisory was issued, MeitY secretary S Krishnan said they learnt that personal data of Indians was being made available on some websites outside India.

Recent years have seen several major data breaches impacting people in India. In 2025, Zoomcar reported a breach affecting about 8.4 million users, exposing personal details. That same year, a breach of the Adda housing-society app exposed data of over 18 lakh users. Also in 2025, the Indian Council of Agricultural Research (ICAR) suffered a cyberattack that disrupted recruitment and research systems.

A cybersecurity expert said the government’s move is not just about technically blocking access to such leak-hosting websites but about shifting legal responsibility onto intermediaries. “That is why the ministry is not just banning these sites but reminding intermediaries such as ISPs and VPN service providers that if such services are hosted by them then they will be liable,” said Sandeep K Shukla, director at IIIT Hyderabad.

According to him, this amounts to a rule-based ban rather than a purely technology-based one. A tech-only approach would require ISPs and VPNs to block specific URLs. But, he noted, “rule based ban means these service providers will be held responsible if they don’t block any site of the same nature including those mirroring these.” This is meant to tackle the way such websites frequently resurface through mirrors and backups.

He added that this effectively places a tall order on ISPs and VPN providers, who typically do not vet the content of websites they host. “Usually such intermediaries don’t vet the content of sites they host but now for this kind of content they have to… in the same way they are obligated to check if sites they host is serving CSAM or similar content,” he said.