ExpressVPN and Surfshark have announced their decision to shut down their Indian servers before the controversial Indian law takes effect on July 27. There were rumors a few months back that India could ban VPNs entirely, but such a ban could affect WFH professionals. The recent cybersecurity rules introduced by India’s cyber security agency CERT-In on April 26 require VPN providers to store user data for a period of five years. The new laws mandate that companies maintain customer logs for 180 days and collect excessive customer data for five years.
As per the new rule, VPN service providers are required to maintain details such as validated names of customers, the period for which they hired the service, the IP addresses allotted to them, their email addresses, time stamps and other related information. The relevant VPN provider companies should store the data for five years.
The harsh rule is that failure to comply with the directions could lead to imprisonment of up to one year. The Government claims that the details will help law enforcement agencies fight cybercrime. The Government has not asked for any details but will ask in case of any compromise of national security. Moreover, companies should also maintain user records even after a user has cancelled the subscription to the services.
Policy experts in India have expressed grave concerns about the guidelines, citing privacy issues. The Government could track web browsing and download history from the stored data. The Internet Freedom Foundation (IFF) has put out a statement saying that the new policy not only causes serious privacy violations but also impacts VPN companies operating in India.
Prasanth Sugathan, who works as Legal Director with SFLC, had predicted that service providers could exit the Indian market because they would be unable to comply with the stringent guidelines, which go against the way VPN services work. Unconfirmed sources revealed that a closed-door meeting of several social media executives was held to pressurize New Delhi to put the new rules on hold.
Meanwhile, the Modi Government issued a sharp warning to VPN service providers on May 18, declining to put the laws on hold. Rajeev Chandrasekhar, who is in charge of Information Technology, said that tech companies have an obligation to understand and reveal the identities of users who work with their services. Rajeev categorically stated that if companies are not willing to share information when requested, then it’s better for them to pull out of India. This is regarded as one of the strong statements made by a Union Minister. However, he added that India is more generous when compared with countries that demand immediate reporting.
According to ExpressVPN, the new cybersecurity rules are overreaching, broad, and could lead to the misuse of data by abusers. The damage done by potential misuse far outweighs any benefit that lawmakers claim could derive from it. You can continue to use ExpressVPN via Virtual India servers located in Singapore and the UK. The company will migrate all accounts from Indian servers to the UK or Singapore.
It remains to be seen whether other VPN service providers will also pull the plug on their Indian operations. The Government has said that national security is of utmost importance and there can be no compromises.