Express VPN, SurfShark Shuts Down India Servers
VPN services like ExpressVPN and SurfShark have announced the shutdown of servers in India. This comes in the aftermath of recent cybersecurity regulations. presented by the country’s cyber security agency CERT-In. The guidelines require VPN providers to store user data for a period of five years.
VPN services are essentially used to maintain a layer of privacy . Many turn to virtual proxy networks that allow users to stay free from website trackers that can track data such as a user’s location. However, it seems that VPN services and providers are not in line with India’s position against proxy services. Here we explain what happened so far.
New VPN Policies Announced
On April 26, CERT-In, a wing of the Ministry of Electronics and Information Technologies, issued directives requiring VPN service providers to keep details such as the validated names of customers, the period for which they contracted the service, addresses IPs assigned to them, their email addresses, timestamps, etc. This information must be stored by VPN providers for five years or more, according to the new guidelines.
While the government said that these details will help fight cybercrime. On the other hand, privacy is the main selling point of VPN services.
According to the directives, failure to comply with the requirements of the Ministry of Electronics and Information Technology could carry a prison sentence of up to one year. In particular, companies are also required to track and maintain user logs even after a user has canceled their subscription to the service. The new laws are expected to take effect within 60 days of being issued, meaning they could take effect as early as July 27, 2022.
As soon as the directives were passed, several policy experts raised concerns about the guidelines, stating that the guideline results in less privacy and with the data recorded, it would be possible to track browsing and download history. The Internet Freedom Foundation (IFF) issued a statement calling this directive a serious violation of privacy and affecting VPN companies operating in India.
Prasanth Sugathan, Chief Legal Officer of SFLC.in, noted that some providers may even choose to leave India before adhering to such strict guidelines that they go against the data minimization principle espoused by most VPN services. A Reuters report citing sources revealed that in a closed-door meeting, many executives from technology and social media companies discussed strategies to urge New Delhi to suspend the rules.
Refusing to put the rules on hold, the government issued a stern warning to VPN service providers on May 18. India’s Union Minister of State’s IT Minister Rajeev Chandrasekhar said there will be no change despite the concerns, saying tech companies have an obligation to know who is using their services.
f you’re a VPN that wants to hide and be anonymous about who’s using VPNs and you don’t want to follow these rules, then if you want to leave (the country), frankly, that’s the only chance you’ll have. It will have to retire,” said Minister of State for Electronics and IT Rajeev Chandrashekhar.
However, Chandrasekhar said India was being generous as some countries require immediate reports.
ExpressVPN, SurfShark remove servers
ExpressVPN became the first virtual private network to reject the new government rules and decided to move its servers out of India.
ExpressVPN described the cybersecurity rules as “broad” and “excessive”. “The law also goes too far and is so broad that it opens the window for possible abuse. We believe that the harm caused by the potential misuse of this type of law far outweighs any benefits lawmakers claim would be derived from it,” ExpressVPN said.
ExpressVPN users will still be able to use their service through “virtual” Indian servers located in Singapore and the UK. “We will never collect logs of user activity, including logging of browsing history, traffic destination, data content, or DNS queries. We also do not store connection logs, which means no logs of IP addresses, outgoing VPN IP addresses, connection timestamps, or session duration,” the company said.
Surfshark VPN followed suit and announced the closure of its servers in India. The company said that VPN providers leaving India are “not good for its burgeoning IT sector”.
“In response to new data regulation laws in India, Surfshark is shutting down its servers in India. The new laws require VPN providers to record and retain customer records for 180 days, as well as collect and retain excess customer data for five years,” the company said in a blog post on Tuesday.
Meanwhile, another VPN provider at NordVPN is also considering removing its servers from India. Only time will tell if more VPN providers follow suit.