VPN services such as ExpressVPN, NordVPN and SurfShark have announced shutting down India servers. This comes in the aftermath of the recent cybersecurity rules introduced by the country’s cyber security agency CERT-In. The guidelines require VPN providers to store user data for a period of five years.
VPN services are essentially used to maintain a layer of privacy. Many resort to virtual proxy networks that allow users to stay free of website trackers that can keep track of data like a user’s location. However, it seems that VPN services and providers are not in line with India’s stand against proxy services. Here’s we explain what happened so far.
New VPN directives announced
On April 26, CERT-In, a wing of the Ministry of Electronics and Information Technology issued directives requiring VPN service providers to maintain details such as validated names of customers, the period for which they hired the service, the IP addresses allotted to them, their email addresses, time stamps, etc. This information has to be stored by VPN providers for five years or longer, as per the new guidelines.
While the government said that these details will help fight cybercrime. On the other hand, privacy is the main selling point of VPN services.
According to the directives, failing to meet the Ministry of Electronics and IT’s demands could lead to imprisonment of up to a year. Notably, companies are also required to keep track of and maintain user records even after a user has cancelled his/her subscription to the service. The new laws are expected to come into action within 60 days of being issued, which means they could kick in from July 27, 2022.
Backlash
As soon as the directives were pushed out, several policy experts raised concerns about the guidelines, stating that the guideline translates to lesser privacy and with data being logged, it would be possible to track browsing and download history. The Internet Freedom Foundation (IFF) put out a statement calling this directive in serious privacy violation and impacting VPN companies operating in India.
Prasanth Sugathan, Legal Director, SFLC.in noted that some providers may even choose to exit India than comply with such stringent guidelines that go against the principle of data minimisation adopted by most VPN services. A report by Reuters citing sources revealed that in a closed-door meeting many social media and tech company executives discussed strategies to urge New Delhi to put the rules on hold.
The warning
Declining on putting the rules on hold, the government issued a stark warning to VPN service providers on May 18. India’s Union Minister of State IT minister Rajeev Chandrasekhar said there will be no changes despite the worries, saying tech companies have an obligation to know who is using their services.
“If you’re a VPN that wants to hide and be anonymous about those who use VPNs and you don’t want to go by these rules, then if you want to pull out (from the country), frankly, that is the only opportunity you will have. You will have to pull out,” Minister of State for Electronics and IT Rajeev Chandrashekhar said.
Chandrasekhar, however, said India was being generous, as some countries mandate immediate reporting.
ExpressVPN, SurfShark, NordVPN remove servers
ExpressVPN become the first virtual private networks to reject the government’s new rules and decided to move out its servers out of India.
ExpressVPN described the cybersecurity rules as “broad” and “overreaching”. “The law is also overreaching and so broad as to open up the window for potential abuse. We believe the damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it,” ExpressVPN said.
Indian users of ExpressVPN will still be able to use its service via “virtual” India servers located in Singapore and the UK. “We will never collect logs of user activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, meaning no logs of IP addresses, outgoing VPN IP addresses, connection timestamps, or session duration,” the company said.
Surfshark VPN followed suit and announced shutting down its servers in India. The company said that VPN providers leaving India “isn’t good for its burgeoning IT sector”.
“In response to the new Indian data regulation laws, Surfshark is shutting down its servers in India. The new laws require VPN providers to record and keep customers’ logs for 180 days as well as collect and keep excessive customer data for five years,” the company said in a blog post on Tuesday.
Meanwhile, one more VPN provider in NordVPN too is contemplating removing its India servers. NordVPN become the third VPN provider to remove its servers from India in response to the country’s cybersecurity directive. “In the past, similar regulations were typically introduced by authoritarian governments in order to gain more control over their citizens,” NordVPN said in a statement. “If democracies follow the same path, it has the potential to affect people’s privacy as well as their freedom of speech. One way or another, this law will likely have a negative impact on people’s privacy and digital security.”
!function(f,b,e,v,n,t,s)
{if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};
if(!f._fbq)f._fbq=n;n.push=n;n.loaded=!0;n.version=’2.0′;
n.queue=[];t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)[0];
s.parentNode.insertBefore(t,s)}(window, document,’script’,
‘https://connect.facebook.net/en_US/fbevents.js’);
fbq(‘init’, ‘444470064056909’);
fbq(‘track’, ‘PageView’);
.
