Update: As of June 28, Indian authorities have extended the deadline for VPNs to leave or amend logging practices to September 25 (link heads to The Indian Express).
All VPN services running servers in India must now comply with a new data law that has now officially come into force.
According to new CERT-In regulations, security software companies are legally obligated to store users' data - like IP addresses, real names and usage patterns - for up to five years. They will also be required to hand this information over to authorities upon request.
Since the government announcement was released on April 28, internet users, privacy advocacy and cybersecurity experts have been expressing concerns on how these regulations will have a negative impact on people's privacy.
All this has led to some of the best VPN services taking drastic measures in order not to compromise privacy values and to continue safeguarding the anonymity of their users.
While countries' laws and legislations change, our priority to safeguard user privacy remains. Therefore, in light of India's upcoming data collection directive, we'll be removing our India-based servers. Despite this, users in India will be able to continue using our services.June 23, 2022
Why is India's new data retention law controversial?
Short for virtual private network, a VPN is security software that protects people's privacy by masking their real IP location while securing their data inside an encrypted tunnel.
For safeguarding users' anonymity, the most private VPN services around all enforce strict no-log policies. This means that no user data can be stored, leaked or shared. This is exactly the reason why an obligation to retain customers' logs is, as ExpressVPN described, 'incompatible with the purpose of VPNs.'
What's more, India's new data retention law doesn't affect only VPNs. Cloud storage services, virtual private servers (VPS), data centers, and cryptocurrency exchanges are all targets of the new CERT-In regulations.
The move comes in an effort to clamp down on ever-growing incidence of cybercrime. With more than 86 million data breaches in 2021, India was the third most affected nation worldwide last year.
However, as Surfshark explained in an official statement: "Collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches nationwide."
At the same time, India has been found responsible for 106 out of 180 internet shutdowns executed in 2021 - according to digital rights campaigner Access Now. Not to mention backsliding media freedom and the allegations that the Indian government used Pegasus technology to spy on activists, politicians and lawyers.
With such a track record, it's not difficult to understand why citizens and experts fear that authorities might abuse this data-grab to foster intrusive mass surveillance practices and undermine civil liberties.
Not just privacy is at risk, though. India's new data law might damage the IT sector's growth in the country. As Future Market Insights COO Sudip Saha told TechRadar: "Bans on VPNs will primarily hurt corporate interests by acting as a disincentive to investments and doing business in India."
How VPN providers are planning to protect users' privacy
Many VPN providers have taken a stand against the Indian government's decision, expressing their commitment in their company's values.
Some of those have decided to go virtual to protect the privacy of users. How? They set up virtual locations so that people in India can still connect to a spoofed Indian IP. These offers the same functionality, but users' data will be safe as their connection will be rerouted to servers physically located outside the country's borders.
Providers that are now offering virtual India locations include ExpressVPN, Surfshark, CyberGhost, Private Internet Access (PIA) and PureVPN.
Some, like IPVanish, are thinking of offering something similar in the future. However, at the time of writing, Indian virtual locations haven't been announced yet.
Others, despite shutting down their Indian servers, claim not to have any plans to introduce fake locations. These include NordVPN, Hide.me and AtlasVPN.
As Laura Tyrylyte from NordVPN told us: "We believe that we are going to find a way to meet the requirements of all of our customers, regardless of their location.”
ProtonVPN also expressed its dissent over new CERT-In regulations, suggesting secure ways of connecting to VPN servers in high-risk countries. These include the use of one of its Secure Core servers to benefit of an extra layer of encryption.
At the same time, Windscribe said that it is planning to keep its Indian servers, 'unless our Indian hosting providers force us to vacate.'
