VPN services such as ExpressVPN and SurfShark announced the shutdown of Indian servers. It comes in the following recent cybersecurity rules introduced by the national cybersecurity agency CERT-In. The guidelines require VPN providers to store user data for a period of five years.
VPN services are basically used to maintain a layer of privacy. Many use virtual proxy networks that keep users safe from website trackers that can track data such as a user’s location. However, it seems that VPN services and providers are not in line with India’s stance against proxy services. Here we explain what has happened so far.
New VPN Guidelines Announced
On April 26, CERT-In, a wing of the Ministry of Electronics and Information Technologies issued guidelines requiring VPN service providers to maintain details such as validated names of customers, the period for which they have subscribed to the service, the IP addresses assigned to them, their email addresses, timestamps, etc. This information must be stored by VPN providers for five years or more, according to the new guidelines.
While the government said these details will help in the fight against cybercrime. On the other hand, privacy is the main selling point of VPN services.
The best of Express Premium
According to the guidelines, failure to comply with Ministry of Electronics and Computing requirements could result in a jail term of up to one year. Notably, companies are also required to track and retain user records even after a user has canceled their subscription to the service. The new laws are expected to come into force within 60 days of their publication, which means they could come into force from July 27, 2022.
As soon as the directives were pushed back, several political pundits have raised concerns on the directives, stating that the directive results in less privacy and that since the data is logged, it would be possible to track browsing and downloading history. The Internet Freedom Foundation (IFF) released a statement calling the directive a serious breach of privacy and affecting VPN companies operating in India.
Prasanth Sugathan, Legal Director, SFLC.in noted that some providers may even choose to leave India rather than comply with such strict guidelines which go against the data minimization principle adopted by most services. vpn. A Reuters report citing sources said that in a closed-door meeting, numerous social media and tech company executives discussed strategies to urge New Delhi to suspend the rules.
Refusing to suspend the rules, the government issued a stern warning to VPN service providers May 18. Indian Union IT Minister Rajeev Chandrasekhar said there would be no change despite concerns, saying tech companies have an obligation to know who is using their services.
“If you’re a VPN who wants to hide and be anonymous about who is using VPNs and you don’t want to follow these rules, then if you want to opt out (of the country), frankly, that’s the only opportunity You will have to step down,” said Minister of State for Electronics and Computing, Rajeev Chandrashekhar.
Chandrasekhar, however, said India was generous as some countries require immediate reporting.
ExpressVPN, SurfShark remove servers
ExpressVPN has become the first virtual private network to reject new government rules and decided to move its servers out of India.
ExpressVPN described the cybersecurity rules as “broad” and “exaggerated”. “The law is also too broad and so broad that it opens the door to potential abuse. We believe that the harm caused by potential misuse of this type of law far outweighs any benefit lawmakers claim to derive from it,” ExpressVPN said.
Indian users of ExpressVPN will still be able to use its service through “virtual” Indian servers located in Singapore and the UK. “We will never collect user activity logs, including browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, which means that there are no IP address logs, outbound VPN IP addresses, connection timestamps, or session duration,” the company said.
Surfshark VPN followed suit and announced the closure of its servers in India. The company said VPN providers leaving India “are not good for its booming IT sector”.
“In response to India’s new data regulation laws, Surfshark is shutting down its servers in India. The new laws require VPN providers to record and retain customer logs for 180 days, and collect and retain excessive customer data for five years,” the company said in a blog post Tuesday.
Meanwhile, another NordVPN VPN provider is also planning to remove its Indian servers. Only time will tell if other VPN providers will follow suit.