ExpressVPN has announced removal of its India-based servers, days before the new data storage directions by Indian Computer Emergency Response Team (CERT-In) pertaining to virtual private network (VPN) providers come into effect. Saying that it “has made the very straightforward decision” to close its Indian servers, the company lambasted the upcoming VPN policy for being “overreaching”, with a window for potential abuse.
Listing the changes that will come with the decision, ExpressVPN assures that its Indian users can avail of the service “confident that their online traffic is not being logged or stored, and that it’s not being monitored by their government.”
“As countries’ data retention laws shift, we frequently find ourselves adjusting our infrastructure to best protect our users’ privacy and security. In this case, that has meant ending operations in India,” ExpressVPN says.
The new VPN rule notified by CERT-In is scheduled to come into effect on June 27, 2022. It mandates companies to store users’ real names, IP addresses assigned to them, usage patterns, and other identifying data for at least five years.
“The law is also overreaching and so broad as to open up the window for potential abuse. We believe the damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it,” says the company, adding that it “refuses to participate in the Indian government’s attempts to limit internet freedom.”
The reason for closing Indian servers was the cumbersome changes to server architecture needed to accommodate the policy change, ExpressVPN says, as its VPN servers are not designed to store any user data.
“We will never collect logs of user activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, meaning no logs of IP addresses, outgoing VPN IP addresses, connection timestamps, or session durations,” it says.
“Not only is it our policy that we would not accept logging, but we have also specifically designed our VPN servers to not be able to log, including by running in RAM. Data centers are unlikely to be able to accommodate this policy and our server architecture under this new regulation, and thus we will move forward without physical servers in India,” the company further says.
ExpressVPN further confirmed that users will still be able to connect to VPN servers that will give them Indian IP addresses. This will be done through virtual Indian servers that will be physically located in Singapore and the United Kingdom. Users wanting to connect to an Indian server can select the VPN server location India (via Singapore) or India (via UK) to receive Indian IP addresses.
The British Virgin Islands-based VPN service provider has been running its virtual India (via UK) server location for several years now. Virtual server locations generate IP addresses that match the country users intend to connect to while being physically located in a different country. VPN service providers use virtual locations to provide faster, stable connections as and when required.
However, this does not put ExpressVPN, or other VPN service providers who choose to remove their India-based servers, beyond the ambit of CERT-In’s directions. As clarified by the Indian cyber security agency, the rules apply even to service providers not located in India, but are catering to Indian users.