The new law requires service providers to store users’ web usage patterns, designated IP addresses, etc. for the past five years and hand it over to CERT India.
Last month Hackread.com reported about the new law in India passed under the Information Technology Act 2000 provisions of sub-section (6) of section 70B, making it compulsory for VPNs and other internet service providers to collect sensitive user data.
The new law has garnered the Indian Computer Emergency Response Team (CERT-In) immense criticism for limiting user privacy. As per the new directions, all internet service providers will collect/store user data for the past five years and hand it over to the agency. This includes VPN service providers, data centers, body corporate, and intermediaries however, ExpressVPN has rejected the new law.
ExpressVPN Removed its Servers in India
VPN service providers view the new directions as a direct violation of a VPN service. ExpressVPN, now owned Kape Technologies, claims that the directions are “incompatible” with the core purpose of using VPNs, designed exclusively to retain users’ online privacy. Hence, the company has removed its servers from India.
The VPN vendor stated that this isn’t just a policy-based decision, and there’s another factor involved. Its servers aren’t structured to store user logs, so data centers cannot facilitate the Indian government’s new requirements.
Not only is it our policy that we would not accept logging, but we have also specifically designed our VPN servers to not be able to log, including by running in RAM. Data centers are unlikely to be able to accommodate this policy and our server architecture under this new regulation, and thus we will move forward without physical servers in India.
ExpressVPN – Blog post
The company also disagreed with CERT-IN’s new directions citing them as “overarching” and “broad.” Therefore, the company refused to participate in the Indian government’s attempt to restrict internet freedom.
Can Indians Still Access ExpressVPN?
ExpressVPN has confirmed that users can still connect to its servers and access the internet as if they are located in India. The company confirmed that users would be assigned Indian IP addresses, and there will be a minimal difference.
Our users will still be able to connect to VPN servers that will give them Indian IP addresses and allow them to access the internet as if they were located in India. These “virtual” India servers will instead be physically located in Singapore and the UK.
Anyone trying to connect to an Indian server would select the VPN server location India via Singapore or India via the UK to use the service.
Mounting Disapproval Among VPN Service Providers
Reportedly, ProtonVPN, PureVPN, and Surfshark are also among those vendors voicing concern over the new cybersecurity rules passed by the Indian government. The Netherlands-based Surfshark VPN stated that it is also exploring its options and wants to challenge the new directives legally.
After being criticized overwhelmingly, the Indian government revised its earlier, staunch stance, claiming that these rules won’t apply to corporate and enterprise VPNs.
Meanwhile, the country’s Minister of State for Electronics and Information Technology, Rajeev Chandrasekhar, has categorically told other VPN providers to follow directions or terminate their businesses in India.