ExpressVPN pulls servers out of India over cybersecurity law, and others may follow
Several virtual private network (VPN) services said they are considering moving operations out of India following ExpressVPN’s announcement this week that it plans to remove servers from the country in light of new and controversial cybersecurity rules.
On April 28, the Indian government updated section 70B of the Information Technology (IT) Act, 2000 to add several measures. Service providers, intermediaries, data centers, companies and government organizations have six hours to report a range of intrusions to CERT-In, an agency tasked with organizing the government’s response to computer intrusions.
The new rules, which take effect in June, caused outrage among tech companies across the globe. Many argued the rules would be cumbersome and provide hackers with readily available pools of data to steal from.
A technology trade group that represents Apple, Google, Microsoft and other tech giants came out forcefully against the new directive, but Indian officials have refused to back down.
The rules were heavily criticized by VPN companies that make a point of not storing the kind of user data now required by the new rules in India. In response to the complaints, Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said companies are “free to leave” the country if they will not follow the new rules.
“If you don’t have the logs, start maintaining the logs. If you are a VPN that wants to hide and be anonymous about those who use VPNs to do business in India and do not want to go by these rules, then frankly, pull out of India. That is the only opportunity you have,” Chandrasekhar said at an event on May 22 about the new rules.
On Thursday, ExpressVPN released a blog post explaining that it will remove its Indian-based VPN servers in response to the new rules.
ExpressVPN is one of the world’s most popular VPN services alongside SurfShark, NordVPN, ProtonVPN and others.
The company said users in India will still be able to connect to VPN servers that will give them Indian IP addresses and allow them to access the internet as if they were located in India through virtual servers physically located in Singapore and the UK.
“Under India’s new VPN rule, which is set to come into effect on June 27, 2022, companies will be required to store users’ real names, IP addresses assigned to them, usage patterns, and other identifying data,” the company said.
“The new data law initiated by India’s Computer Emergency Response Team (CERT-In), intended to help fight cybercrime, is incompatible with the purpose of VPNs, which are designed to keep users’ online activity private. The law is also overreaching and so broad as to open up the window for potential abuse. We believe the damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it.”
The company went on to say that it “refuses to participate in the Indian government’s attempts to limit internet freedom” and will “never collect logs of user activity, including no logging of browsing history, traffic destination, data content, or DNS queries.”
They pledged to never store connection logs, logs of IP addresses, outgoing VPN IP addresses, connection timestamps, or session durations. The company has built its VPN servers so that they are not able to log or store data on users.
‘Ready to pull the plug’
When contacted for comment by The Record, several other leading VPN service providers said they are considering similar actions.
Laura Tyrylyte, head of public relations at Nord Security, said that if the current Indian government’s position does not change in the next couple of weeks, they will also remove their servers “as there will be no other way to stay in India while preserving the privacy of our customers and integrity of our service.”
“That said, we don’t see any reason to remove our infrastructure earlier than necessary. We also aim to reach out to our customers and inform them about upcoming changes. We believe that the right to privacy is essential and encourage regulators not to rush into decisions that may negatively affect fundamental digital rights,” Tyrylyte said.
A spokesperson for ProtonVPN went further, saying India’s new regulations around VPN services will “erode civil liberties and make it harder for people to protect their data online.”
“ProtonVPN is monitoring the situation, but ultimately we remain committed to our no-logs policy and preserving our users’ privacy,” the spokesperson said.
A SurfShark spokesperson made similar comments, saying the company is not shutting down its servers in India yet but is “always ready to pull the plug if the environment we have operations in becomes unfavorable.”
“As the new regulation goes against the nature of VPNs’ services – which seek to protect users’ privacy, our team remains committed to providing no-logs services to Indian users. If implemented, the new law will significantly impact users’ data privacy,” the SurfShark spokesperson said.
The new rules have been a lightning rod for controversy since they were released in late April. While cybersecurity experts have lauded the country for taking a firm stance on cybersecurity, some privacy advocates have questioned whether the Indian government is overstepping.
Kurt Opsahl, deputy executive director and general counsel for the Electronic Frontier Foundation, told The Record that the rules “pose huge problems for free expression and Internet users’ privacy, including dangerous requirements for platforms to identify the origins of messages and pre-screen content, which fundamentally breaks strong encryption for messaging tools.”
“EFF understands and respects ExpressVPN’s decision to pull out of India over India’s draconian cybersecurity and IT rules,” Opsahl said.