New Delhi: ExpressVPN has decided to remove their Indian-based VPN servers after a recent data law introduced in India requiring all Virtual private networks (VPN) providers to store user information for at least five years.
The company announced their decision in a statement that says, “ExpressVPN refuses to participate in the Indian government’s attempts to limit internet freedom.”
The company also clarified that users will still be able to connect to VPN servers that will give them “Indian IP addresses and allow them to access the internet as if they were located in India.”
These “virtual” India servers will instead be physically located in Singapore and the UK.
Under India’s new VPN rule, which is set to come into effect on June 27, 2022, VPN companies will be required to store users’ real names, IP addresses assigned to them, usage patterns, and other identifying data. VPN providers must also retain user data and IP addresses for at least five years – even after clients stop using the service.
VPNs that encrypt data and provide users with anonymity online have seen a surge in use in India in recent years.
“The new data law initiated by India’s Computer Emergency Response Team (CERT-In), intended to help fight cybercrime, is incompatible with the purpose of VPNs, which are designed to keep users’ online activity private,” reads the statement.
“The law is also overreaching and so broad as to open up the window for potential abuse. We believe the damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it.”
India ranks among the top 20 countries in VPN adoption, according to AtlasVPN’s global index, with users surging in 2020 and 2021 – as they did worldwide – as companies secured their networks with more people working from home amid the pandemic.
The new order, issued by the Indian Computer Emergency Response Team (CERT-In) in April, also requires companies to report data breaches within six hours of noticing them and maintain IT and communications logs for six months.
Failing to do so could be punishable by prison sentences.
Tech firms and digital rights organisations have raised concerns about the compliance burden and reporting timeline, but officials have said there will be no changes to the rules.
Indian authorities have declined to say whether the government had purchased Pegasus spyware for surveillance. Web Desk
