Update: As of June 28, Indian authorities have extended the deadline for VPNs to leave or change logging practices to September 25th (link to The Indian Express).
All VPN services running servers in India must comply with a new data law that has now officially come into effect.
Under the new CERT-In regulations, security software companies are legally required to store user data – such as IP addresses, real names and usage patterns – for up to five years. They will also be required to hand over this information to authorities upon request.
Since the government’s announcement was released on April 28, internet users, privacy advocates and cybersecurity experts have expressed concern about how these regulations will have a negative impact on people’s privacy.
All of this has led some of the best VPN services to take drastic measures so that they do not compromise on their privacy values and can continue to safeguard the anonymity of their users.
Although country laws and legislation change, our priority to protect user privacy remains. Therefore, in light of the upcoming data collection directive from India, we will be removing our servers based in India. Despite this, users in India will be able to continue using our services. (June 23, 2022)
Why is India’s new data retention law controversial?
Short for virtual private network, a VPN is security software that protects people’s privacy by masking their real IP location while protecting their data inside an encrypted tunnel.
To protect users’ anonymity, most private VPN services enforce strict no-logs policies. This means that no user data can be stored, leaked or shared. This is exactly why the obligation to retain client logs is, as described by ExpressVPN, ‘incompatible with the purpose of VPNs.’
Also, India’s new data retention law doesn’t just affect VPNs. Cloud storage services, virtual private servers (VPS), data centers and cryptocurrency exchanges are all targets of the new CERT-In regulations.
The move comes in an effort to crack down on the growing incidence of cybercrime. With over 86 million data breaches in 2021, India was the third most affected country worldwide last year.
However, as Surfshark explained in an official statement: “Collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches across the country.”
At the same time, India was held responsible for 106 out of 180 Internet shutdowns performed in 2021, according to digital rights group Access Now. Not to mention the backlash on press freedom and allegations that the Indian government used Pegasus technology to spy on activists, politicians and lawyers.
With such a track record, it is not difficult to understand why citizens and experts fear that authorities could abuse this data collection to promote intrusive mass surveillance practices and undermine civil liberties.
Privacy is not the only thing at risk, however. India’s new data law could hamper the growth of the country’s IT sector. As Future Market Insights COO Sudip Saha said: “VPN bans will primarily harm corporate interests, acting as a disincentive to invest and do business in India.”
How VPN Providers Are Planning to Protect Users’ Privacy
Many VPN providers took a stand against the Indian government’s decision, expressing their commitment to their company’s values.
Some of them have decided to go virtual to protect users’ privacy. How? They set up virtual locations so that people in India can still connect to a spoofed Indian IP. They offer the same functionality, but users’ data will be safe as their connection will be redirected to servers physically located outside the country’s borders.
Providers now offering virtual locations in India include ExpressVPN, Surfshark, CyberGhost, Private Internet Access (PIA) and PureVPN.
Some, like IPVanish, are considering offering something similar in the future. However, at the time of writing, Indian virtual locations have yet to be announced.
Others, despite shutting down their Indian servers, claim they have no plans to introduce fake locations. These include NordVPN, Hide.me and AtlasVPN.
As NordVPN’s Laura Tyrylyte told us, “We believe we will find a way to meet the requirements of all our customers, regardless of their location.”
ProtonVPN also expressed its disagreement with the new CERT-In regulations, suggesting safe ways to connect to VPN servers in high-risk countries. This includes using one of their Secure Core servers to benefit from an extra layer of encryption.
At the same time, Windscribe said it plans to keep its Indian servers, “unless our Indian hosting providers force us to vacate.”