I’ve been writing about India’s demands to VPN providers to keep and provide data to the Indian Government on what Indian VPN users are doing, and how VPN operators are thinking twice about being in the country as a result. The Indian Government has even said do what we want you to do or get out. Well, ExpressVPN has decided to get out:
In a blog post, the British Virgin Island-based company said that with the introduction of the new cybersecurity rules by the Indian Computer Emergency Response Team (CERT-In), it has made a “very straightforward decision to remove our Indian-based VPN servers.” While ExpressVPN is the first to pull its services from India, other VPN providers like NordVPN have also taken a similar stance.
The guidelines, released by CERT-In on April 26, asked VPN service providers along with data centers and cloud service providers, to store information such as names, e-mail IDs, contact numbers, and IP addresses (among other things) of their customers for a period of five years. The government said it wants these details to fight cybercrime, but the industry argues that privacy is the main selling points of VPN services, and such a move would be in breach of the privacy cover provided by VPN platforms.
ExpressVPN described the cybersecurity rules as “broad” and “overreaching.” “The law is also overreaching and so broad as to open up the window for potential abuse. We believe the damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it,” ExpressVPN said. It added that while CERT-In’s rules are intended to fight cybercrime, they are “incompatible with the purpose of VPNs, which are designed to keep users’ online activity private.” Indian users of ExpressVPN will still be able to use its service via “virtual” India servers located in Singapore and the UK. “We will never collect logs of user activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, meaning no logs of IP addresses, outgoing VPN IP addresses, connection timestamps, or session durations,” the company said.
I really don’t get why India is so hell bent on this rather stupid and ill advised VPN law. If they really wanted to make a difference in terms of cybercrime, they would spend more time cracking down on its internal cybercrime and world-leading fraudulent call center and scamming activities. But they won’t because the scammers and fraudsters clearly have the Indian Government in their pockets. In the meantime, expect to see more VPN providers do some version of what Express VPN has done. Which means that the Indian Government won’t be winning this fight.
NordVPN And SurfShark To India: We’re Outta Here!
Posted in Commentary with tags India on June 14, 2022 by itnerdFrequent readers will recall that India brought in strict new laws that require VPN operators to retain data on who uses their services, or else, and VPN companies considering their options including leaving the company. Which is the route that ExpressVPN took. And now it seems others are joining them in exiting the country. Starting with NordVPN:
“Moreover, we are committed to protecting the privacy of our customers. Therefore, we are no longer able to keep servers in India,” Laura Tyrylyte, head of public relations at NordVPN, told TechCrunch.
“Our Indian servers will remain until 26 June 2022. In order to ensure that our users are aware of this decision, we will send notifications with the full information via the NordVPN app starting 20 June. As digital privacy and security advocates, we are concerned about the possible effect this regulation may have on people’s data. From what it seems, the amount of stored private information will be drastically increased throughout hundreds or maybe thousands of different companies. It is hard to imagine that all, especially small and medium enterprises, will have the proper means to ensure the security of such data,” she added.
Joining them in heading to the exits is SurfShark:
Surfshark’s physical servers in India will be shut down before the new law comes into power. Up until then, users will be able to connect to servers in India as usual. After the new regulations come into effect, we’ll introduce our virtual Indian servers – which will be physically located in Singapore and London. Users will be able to find them in our regular list of servers.
Virtual servers are functionally identical to physical ones – the main difference is that they’re not located in the stated country. They still provide the same functionality – in this case, getting an Indian IP.
Users in India who don’t use Indian servers will not notice any differences – they will still be able to connect to whichever server outside the country they please. Meanwhile, Surfshark will continue to closely monitor the government’s attempts to limit internet freedom and encourage discussions intended to persuade the government to hear the arguments of the tech industry.
This isn’t really going well for India as I think they expected VPN companies to roll over and comply. But that’s not happening. And the fact that some VPN companies are pulling their servers from the company, it will encourage other VPN companies to do the same. That makes India look rather lame. And it may make them rethink this rather than lose face. Though I can see a scenario where India barrels ahead to make a point. We’ll have to see which direction that they decide to go in.
Leave a comment »