ExpressVPN became the first major Virtual Private Network (VPN) provider to remove its servers from India – after the government came up with rules that force Virtual Private Network (VPN) providers, cloud service providers and crypto exchanges to maintain user logs for five years.
“ExpressVPN refuses to participate in the Indian government’s attempts to limit internet freedom," it said.
The rules, issued by Indian Computer Emergency Response Team (CERT-In), also require tech companies to report data breaches within six hours of noticing them.
Why did is ExpressVPN remove its servers? Here's all you need to know.
Why has ExpressVPN removed its servers?
"With a recent data law introduced in India requiring all VPN providers to store user information for at least five years, ExpressVPN has made the very straightforward decision to remove our India-based VPN servers," ExpressVPN said in a blog post.
Electronics and Information Technology Minister Rajeev Chandrasekhar had earlier said that the service providers who want to "hide and be anonymous about those who use VPNs" and don't want to follow the new rules will have no choice but to pull out from the country.
“If you’re a VPN that wants to hide and be anonymous about those who use VPNs and you don’t want to go by these rules, then if you want to pull out (from the country), frankly, that is the only opportunity you will have. You will have to pull out.”Rajeev Chandrasekhar, Electronics and Information Technology Minister
What happens to Indian users of ExpressVPN?
Indian users of ExpressVPN will still be able to use the services but via India servers located in Singapore or the UK.
“We will never collect logs of user activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, meaning no logs of IP addresses, outgoing VPN IP addresses, connection timestamps, or session durations,” the company said.
Who all are required to maintain user logs for five years?
Data centres, virtual private server (VPS) providers, cloud service providers and virtual private network (VPN) providers, will be required to maintain user logs for a period of five years.
However, this rule won't apply to corporate and enterprise VPNs, only to "internet proxy like services" being used by "general internet subscribers or users".
The new rules will kick in from late June – exactly 60 days from the date of issuance, which was 28 April.
What information will they keep with them?
Validated names of subscribers or customers
Period of hire, including dates
IPs allotted to or being used by the members
Email address, IP address, and time stamp used at the time of registration or on-boarding
Purpose for hiring services
Validated address and contact numbers
Ownership pattern of the subscribers or customers
Can the government access the logged data?
Yes, the new rules require all the aforementioned service providers and tech companies to provide the logged data in a specified format, whenever CERT-In asks for it.
CERT-In says it will only ask for the data for the purposes of "cyber
incident response, protective and preventive actions related to cyber
incidents".
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)