What are the new rules? What is ExpressVPN's response? Here's all you need to know.
ExpressVPN became the first major Virtual Private Network (VPN) provider to remove its servers from India – after the recent cybersecurity rules introduced by the country.
While the rules require service providers to store data for a period of five years, ExpressVPN does not want to, citing "internet freedom."
Why has ExpressVPN removed its servers?
ExpressVPN, in a blog post, said that the introduction of the new cybersecurity rules by the Indian Computer Emergency Response Team (CERT-In) led to a “very straightforward decision to remove our Indian-based VPN servers.”
Electronics and Information Technology Minister Rajeev Chandrasekhar had earlier said that the service providers who want to "hide and be anonymous about those who use VPNs" and don't want to follow the new rules will have no choice but to pull out from the country.
What happens to Indian users of ExpressVPN?
Indian users of ExpressVPN will still be able to use the services, but via India servers located in Singapore or the UK.
“We will never collect logs of user activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, meaning no logs of IP addresses, outgoing VPN IP addresses, connection timestamps, or session durations,” the company said, in the blog post.
Who all are required to maintain user logs for five years?
Data centres, virtual private server (VPS) providers, cloud service providers and virtual private network (VPN) providers will be required to maintain user logs for a period of five years.
However, this rule won't apply to corporate and enterprise VPNs, only to "internet proxy like services" being used by "general internet subscribers or users".
The new rules will kick in from late June – exactly 60 days from the date of issuance, which was 28 April.
What information will they keep with them?
Validated names of subscribers or customers
Period of hire, including dates
IPs allotted to or being used by the members
Email address, IP address, and time stamp used at the time of registration or on-boarding
Purpose for hiring services
Validated address and contact numbers
Ownership pattern of the subscribers or customers
Can the government access the logged data?
Yes, the new rules require all the aforementioned service providers and tech companies to provide the logged data in a specified format, whenever CERT-In asks for it.
CERT-In says it will only ask for the data for the purposes of "cyber incident response, protective and preventive actions related to cyber incidents".
