ANALYSIS: Following the passage of a new rule in India mandating them to gather customer data and preserve it for at least five years, virtual private network (VPN) operators are digging in their heels.
The country’s Computer Emergency Response Team (CERT-In) has issued a new regulation (PDF) requiring VPN providers to maintain records and logs of client names, physical addresses, and phone numbers, all of which must be validated, as well as email and IP addresses.
The “period of hiring” (the timestamp used at registration), the goal of the agreement, and the customer’s “ownership pattern” must also be collected and maintained by service providers.
At the end of June, the restrictions will go into force, and anyone found in violation of them faces the possibility of jail or a fine of 100,000 ($1,300).
The restrictions are not negotiable, according to Rajeev Chandrasekhar, the Indian minister of state for electronics and IT.
He said, “Start preserving the logs if you don’t have them already.”
“In all honesty, that is your only option if you’re a VPN that wants to remain hidden and anonymous about people who use VPNs and want to conduct business in India but don’t want to compl mass migration?
ExpressVPN is responding by actually carrying out that action. It has shut down its two physical servers in India as of last week. It claims that it would still run its two virtual server facilities in India.
These enable users to connect with Indian IP addresses and are geographically situated in Singapore and the UK. Indian customers would still be able to use the company’s apps normally.
ExpressVPN vice president Harold Li declares that the company “definitely will not assist in the Indian government’s attempts to restrict internet freedom.”y or follow these guidelines. You must withdraw.”
“As a result, we have made the simple choice to deactivate our VPN servers with an Indian location. We will never jeopardise the data of our users.”
The company’s VPN servers, he claims, have been specially created to prevent generating logs, including by operating in memory.
The only option, according to him, is to stop having physical VPN servers in India since “data centres are unlikely to be able to support this policy and our server design under this new rule.”
Liberties have “eroded”
Different VPN providers with operations in India have a different approach.
For instance, despite its reservations over the new Indian legislation, Proton VPN intends to continue operating normally.
According to a spokeswoman, “India’s new VPN restrictions would weaken civil rights and make it more difficult for consumers to secure their data online.”
“Proton VPN is keeping an eye on the issue, but in the end, we remain dedicated to upholding our no-logs policy and protecting the privacy of our users.”
By going against the grain, VPN service provider Surfshark is adopting a similar stance, saying in a statement that “we remain committed to providing no-logs services to our clients, including those living in India,” as the new regulation “goes against the nature of the VPNs industry — which seeks to protect customers’ privacy.”
India has a history of Internet control disputes; according to a recent Access Now study, India has consistently been the world’s worst offender for internet shutdowns over the past four years.
The content of communications must be reviewed by social media platforms, and authorities must be allowed to seek the interception or surveillance of conversations, according to new regulations passed last year.
According to Mozilla’s Udbhav Tiwari, senior manager of global public policy, The Daily Swig: “Despite their good intentions, the new regulations have far stricter data retention requirements than standard in the industry. Without a robust data protection regulation, forcing private parties to gather this information puts typical users’ privacy at danger.
To reconcile the interests of the state with the basic right to privacy provided to every Indian, Tiwari determined that the regulations should be reevaluated in accordance with the principles of necessity and proportionality.”
 has issued a new regulation (PDF) requiring VPN providers.){kind=link}