Virtual private network (VPN) service provider ExpressVPN on Thursday said that it has pulled out its servers from India as it is not possible for it to comply with the new CERT-In directive, which mandates storage of user data for five years. The company, however, said in a blog that it would continue to offer services to Indian customers through its servers located in Singapore and the UK.
Analysts and legal experts said that by continuing to serve Indian customers through its servers in Singapore and UK, the company cannot be penalised for not following Indian laws. Even currently there are scores of VPNs which are located outside India but provide services to Indian customers. Such customers need an internet connection and by using VPN connections their identity is masked, which means that their IP addresses cannot be tracked. In such instances, if users are viewing sites which have been banned by the government, tracking them becomes difficult.
To check such practices, the Indian Computer Emergency Response Team (CERT-In) had come with a directive on April 28, which mandated all VPNs, cloud service providers, government & private agencies, intermediaries, data centres among others to store data of users like real names, IP addresses assigned to them, usage patterns, and other identifying data for a period of five years. Apart from storing data, CERT-In also asked for mandatorily reporting cyber security breach incidents to it within six hours of noticing them. These directives will come into effect from June 27.
However, these directives are not applicable to VPNs like AT&T, BT, Verizon, etc who serve enterprise customers as they already maintain such logs. The directives are aimed at VPNs which serve retail customers.
“With a recent data law introduced in India requiring all VPN providers to store user information for at least five years, ExpressVPN has made the very straightforward decision to remove our Indian-based VPN servers,” the VPN provider said in a blog. The company further said its users will still be able to connect to VPN servers (located in Singapore and UK) that will give them Indian IP addresses and allow them to access the internet as if they were located in India.
“As countries’ data retention laws shift, we frequently find ourselves adjusting our infrastructure to best protect our users’ privacy and security. In this case, that has meant ending operations in India. The law is also overreaching and so broad as to open up the window for potential abuse. We believe the damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it,” ExpressVPN said.
The government, however, had asserted that the new CERT-In directive has to be followed by everybody and in case anyone does not want to abide by the rules, they were free to pull out from the country.