ExpressVPN has pulled its servers out of India, making it the first major virtual private network (VPN) provider to do so in the wake of the country’s cybersecurity agency’s new regulations. The regulations mandate that VPN companies keep customer data for a period of five years. “ExpressVPN refuses to assist in the Indian government’s efforts to impede internet freedom,” the company stated.
The British Virgin Islands-based business claimed in a blog post that it made the “quite easy choice to deactivate our Indian-based VPN servers” after the Indian Computer Emergency Response Team (CERT-In) introduced new cybersecurity standards. While ExpressVPN was the first to withdraw its services from India, other VPN companies, such as NordVPN, have followed suit.
The company’s move comes after Rajeev Chandrashekhar, Minister of State for Electronics and Information Technology, cautioned VPN businesses that if they do not follow the rules, they are free to leave the country. “If you’re a VPN that wants to conceal and be anonymous about those who use VPNs and you don’t want to follow these guidelines, then if you want to pull out (of the nation), basically, that is the only option you will have,” he said last month. You’ll have to back up.”
On April 26, CERT-In issued recommendations requiring VPN service providers, as well as data centres and cloud service providers, to keep information such as names, e-mail IDs, contact numbers, and IP addresses (among other things) for a period of five years. The government claims it needs these facts to fight cybercrime, but the industry claims that anonymity is one of VPN services’ primary selling factors, and that such a move would violate VPN companies’ privacy policies.
The cybersecurity requirements, according to ExpressVPN, are “broad” and “overreaching.”
“The law is likewise overreaching and overbroad, creating the potential for misuse.” “We feel the harm caused by the potential misuse of this type of law far surpasses any advantage claimed by politicians,” ExpressVPN added.
While CERT-restrictions In’s are meant to combat cybercrime, they are “incompatible with the purpose of VPNs, which are supposed to keep users’ online behaviour secret,” according to the report.
ExpressVPN users in India will still be able to connect to the service using “virtual” India servers in Singapore and the United Kingdom.
“We will never collect user activity records, including browsing history, traffic destination, data content, or DNS queries,” says the company. “We never maintain connection records, which means we don’t keep track of IP addresses, outgoing VPN IP addresses, connection timestamps, or session durations,” the business added.