SUMMARY
In a blogpost published on Thursday (June 2), the foreign VPN service provider wrote, “ExpressVPN refuses to participate in the Indian government’s attempts to limit internet freedom”
While other VPN service providers also slammed the government’s decision mandating storing users’ data earlier and were exploring options of exiting India, ExpressVPN becomes the first company to officially disclose its India exit plans
Meanwhile, NordVPN said that it operates under a different jurisdiction and will consider removing all its presence from India
With just 24 days left before the new directives around Virtual Private Network (VPN) services become effective in India, ExpressVPN has decided to remove its India-based servers.
In a blogpost published on Thursday (June 2), the foreign VPN service provider wrote, “ExpressVPN refuses to participate in the Indian government’s attempts to limit internet freedom.”
“As a company focused on protecting privacy and freedom of expression online, we will continue to fight to keep users connected to the open and free internet with privacy and security, no matter where they are located,” it added.
The move comes after India’s Computer Emergency Response Team (CERT-In), monitored by the Ministry of Electronics and Information Technology (MeitY), introduced new directions in April that mandated all private VPN service providers, cloud service providers and more such organisations to collect their user data and store them for five years or more. Legal debates have been on since then on user privacy, data protection and VPN losing its basic foundation but the government has maintained its stance on introducing the mandate.
While other VPN service providers also slammed the government’s decision mandating storing users’ data earlier and were exploring India exit options, ExpressVPN becomes the first company to officially disclose its India exit plans.
However, the company said that its India-based users would still be able to connect to VPN servers that are physically located in Singapore and the UK but provide Indian IP addresses, allowing them to access the internet as if they were located in India.
In terms of the user experience, there would be minimal difference in using the servers in this manner.
“Virtual server locations are not new to ExpressVPN; in fact, we have been operating our “India (via UK)” server location for several years,” said the company. “Virtual locations are used, where necessary, to provide faster, more reliable connections,” it added.
Users trying to connect to an Indian server that is physically located in other countries would have to select the VPN server location ‘India (via Singapore)or ‘India (via UK)’, ExpressVPN said.
“As for internet users based in India, they can use ExpressVPN confident that their online traffic is not being logged or stored, and that it’s not being monitored by their government,” the company assured.
Inc42 has reached out to ExpressVPN for further clarification and would update the article if there is an addition.
Meanwhile, Laura Tyrylyte, head of public relations at Nord Security told Inc42, “We have no way, with 100% accuracy, to identify customers from India. NordVPN also operates under a different jurisdiction and if it comes to it, we will consider removing all the presence from India whatsoever.”
As per Tyrylyte, NordVPN’s service is developed in a way where no other information except those stated in its Terms of Service and Privacy Policy are collected and stored. Hence, any additional changes would mean a ‘compromise’ of its service, which would lead to an increased risk to its Indian customers’ privacy and security.
“We strongly believe that no positive outcome will come from that, therefore we will keep looking for options to provide the service without compromising our users,” she said. “NordVPN continues to stand for digital freedom and privacy, which is one of the fundamental digital human rights.”
The VPN Saga Since April
After the Indian government put out a release on April 28 regarding the new directions, a large number of experts that Inc42 spoke to opined that such a law was detrimental to the security of internet users, their internet freedom, and is also vague.
Tejasi Panjiar, Capstone Fellow, Internet Freedom Foundation also hinted that the new mandates have the potential to enable state-sponsored mass surveillance, commercial profiling and censorship.
Clarifying its new cyber security directions, CERT-In said last month that the rules to maintain customer logs would not be applicable to enterprise and corporate VPNs.
It also clarified that the term VPN service provider refers to the entity that provides ‘Internet proxy like services’ through the use of VPN technologies, standard or proprietary, to general Internet subscribers/users.
Meanwhile, VPN service providers like Nord Security and Surfshark had already started releasing their preliminary statements about the new directions.
Gytis Malinauskas, head of legal department at Surfshark, had earlier said that the company was trying to understand the new regulations and their implications, but the overall aim is to continue providing no-logs services to all of its users.
Tyrylyte had also told Inc42 earlier that while Nord Security was looking into the new law, the company would be required to make fundamental changes within its infrastructure, policies and values, and called it difficult to see such a scenario coming to life.
With further clarifications of the new directions coming in last month, it was clear that the Indian government would continue to remain strong in its decision to impose the rules.
Minister of State for Electronics and IT Rajeev Chandrasekhar made it further clear that VPN service providers would have to follow the latest directions or terminate their businesses in India.
CERT-In’s new cyber security directions are expected to be in effect from June 27. Section 70 B (7) of the IT Act, 2020 states that non-compliance to the direction under sub-section (6) will lead to punishment for a term, which may extend to one year, or with a fine, which may extend to INR 1 Lakh or both.
