Rejecting new data law, VPN provider removes servers in India

ExpressVPN refuses to participate in the Indian government’s attempts to limit internet freedom.

With a recent data law introduced in India requiring all virtual private network (VPN) providers to store user information for at least five years, ExpressVPN has decided to remove their India-based VPN servers.

The company announced their decision on Thursday in a statement that says, “ExpressVPN refuses to participate in the Indian government’s attempts to limit internet freedom.”

The company also clarified that users will still be able to connect to VPN servers that will give them “Indian IP addresses and allow them to access the internet as if they were located in India.”

These “virtual” India servers will instead be physically located in Singapore and the UK.

Under India’s new VPN rule, which is set to come into effect on June 27, 2022, VPN companies will be required to store users’ real names, IP addresses assigned to them, usage patterns, and other identifying data. VPN providers must also retain user data and IP addresses for at least five years – even after clients stop using the service.

VPNs that encrypt data and provide users with anonymity online have seen a surge in use in India in recent years.

ExpressVPN slams new data law

“The new data law initiated by India’s Computer Emergency Response Team (CERT-In), intended to help fight cybercrime, is incompatible with the purpose of VPNs, which are designed to keep users’ online activity private,” reads the statement.

“The law is also overreaching and so broad as to open up the window for potential abuse. We believe the damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it.”

India ranks among the top 20 countries in VPN adoption, according to AtlasVPN’s global index, with users surging in 2020 and 2021 – as they did worldwide – as companies secured their networks with more people working from home amid the pandemic.

The new order, issued by the Indian Computer Emergency Response Team (CERT-In) in April, also requires companies to report data breaches within six hours of noticing them and maintain IT and communications logs for six months.

Failing to do so could be punishable by prison sentences.

Tech firms and digital rights organisations have raised concerns about the compliance burden and reporting timeline, but officials have said there will be no changes to the rules.

Indian authorities have declined to say whether the government had purchased Pegasus spyware for surveillance.

“We will never collect private data”

“We will never collect logs of user activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, meaning no logs of IP addresses, outgoing VPN IP addresses, connection timestamps, or session duration.”

“Essentially, we do not store or collect any data that could identify an individual and their online activity. We outline this in our highly detailed and transparent Privacy Policy.”

“Not only is it our policy that we would not accept logging, but we have also specifically designed our VPN servers to not be able to log, including by running in RAM. Data centers are unlikely to be able to accommodate this policy and our server architecture under this new regulation, and thus we will move forward without physical servers in India,” it added.

India has tightened regulation of Big Tech firms in recent years and ordered content takedowns. Dozens of lawyers, journalists and activists were also found to have been hacked by the Pegasus spyware last year.