Indian users, however, will still be able to "connect to VPN servers that will give them Indian IP addresses" through virtual servers that are located in Singapore and the UK.
Representative image of an ExpressVPN app. Illustration: The Wire
Listen to this article:
New Delhi: The Indian government’s new rules for VPN (virtual private network) providers have claimed their first victim.
Well-known company ExpressVPN has announced that it will remove all of its “Indian-based VPN servers” in response to the new regulations, calling them “overreaching” and “so broad as to open up the window for potential abuse”.
“With a recent data law introduced in India requiring all VPN providers to store user information for at least five years, ExpressVPN has made the very straightforward decision to remove our Indian-based VPN servers,” the firm said in a statement.
Indian users, however, will still be able to “connect to VPN servers that will give them Indian IP addresses”.
“Rest assured, our users will still be able to connect to VPN servers that will give them Indian IP addresses and allow them to access the internet as if they were located in India. These ‘virtual’ India servers will instead be physically located in Singapore and the UK,” the statement noted.
The company also noted that the “damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it”.
“ExpressVPN refuses to participate in the Indian government’s attempts to limit internet freedom. As a company focused on protecting privacy and freedom of expression online, we will continue to fight to keep users connected to the open and free internet with privacy and security, no matter where they are located.”
New directive
In April 2022, the Indian Computer Emergency Response Team (CERT-In), which serves as the national agency for performing various functions in the area of cyber security, announced that a wide range of technology companies including VPN providers would be required to store user data so as to “facilitate incident response measures”.
According to the directive, the following categories of information will need to be logged:
Validated names of subscribers/customers hiring the services
Period of hire including dates
IPs allotted to/being used by the members
Email address and IP address and time stamp used at the time of registration/on-boarding
Purpose for hiring services
Validated address and contact numbers
Ownership pattern of the subscribers/customers hiring services
As The Wire reported, this move sparked criticism from most major VPN companies, who typically do not store such data in the interest of protecting their customers’ privacy.
In response to this criticism, minister of state for electronics and information technology Rajeev Chandrasekhar said that VPN service providers that do not follow the new rules are “free to leave India”.
ExpressVPN will maintain virtual servers
According to the statement, users wanting to connect to an Indian server can do so through “India (via Singapore)” or “India (via UK)”.
“Virtual server locations are not new to ExpressVPN; in fact, we have been operating our “India (via UK)” server location for several years. With virtual locations, the registered IP address matches the country you have chosen to connect to, while the server is physically located in another country. Virtual locations are used, where necessary, to provide faster, more reliable connections,” the company noted.
…and if the Indian Government will allow VPNs to operate without logging in future, we will gladly reestablish physical VPN servers in India. [2/2]
— ExpressVPN (@expressvpn) June 2, 2022
“As for internet users based in India, they can use ExpressVPN confident that their online traffic is not being logged or stored, and that it’s not being monitored by their government… As countries’ data retention laws shift, we frequently find ourselves adjusting our infrastructure to best protect our users’ privacy and security. In this case, that has meant ending operations in India.”