VPN Providers Flee India as a New Data Law Takes Hold

Many companies have pulled physical servers from the country as a mandate to collect customer data goes into effect.

Ahead of the deadline to comply with the Indian government’s new data-collection rules, VPN companies from across the globe have pulled their servers out of the country in a bid to protect their users’ privacy.

Starting today, the Indian Computer Emergency Response Team, or CERT—a body appointed by the Indian government to deal with cybersecurity and threats—will require VPN operators to collect and maintain customer information including names, email addresses, and IP addresses for at least five years, even after customers have canceled their subscription or account.

In April, CERT said it needed to implement these rules because “the requisite information is not found available” with the security provider during investigations into cybersecurity threats, thereby thwarting inquiries. The new rules, CERT claims, will “strengthen cyber security in India” and are “in the interest of sovereignty or integrity of India.”

VPN companies and privacy experts believe this move impacts user privacy and freedom of speech, and defeats the sole purpose of using VPNs, which encrypt users’ internet activity and mask their locations and identities.

“As digital privacy and security advocates, we are concerned about the possible effect this regulation may have on not only our users but people’s data in general,” says NordVPN spokesperson Laura Tyrylyte. “From what it seems, the amount of stored private information will be drastically increased throughout hundreds or maybe thousands of different companies.” She adds that similar regulations have been “typically introduced by authoritarian governments in order to gain more control over their citizens.”

Last year, India became the country with the highest rate of growth in the use of VPN services worldwide. During the first half of 2021, 348.7 million VPNs were installed, showing a 671 percent jump in growth when compared to the same period in 2020, according to a 2021 analysis by Atlas VPN. This massive growth can be attributed to continuous internet shutdowns, a rise in digital scams, and the need for Indians to protect themselves online.

“VPNs by nature can be a privacy advancing tool and can be capable of protecting information security in multiple ways, being used by individuals and companies to secure confidential information,” says Tejasi Panjiar, associate policy counsel at the Internet Freedom Foundation. “They also help secure digital rights under the constitution, especially for journalists and whistleblowers, because the nature of information that’s transferred over VPNs is primarily encrypted, which allows them not only to secure confidential information but also to safeguard their own identity, protecting them from surveillance and censorship.”

The government defended its rules, saying they will not violate user privacy as information would be sought only on a case-by-case basis. This claim ignores the Indian government’s track record of surveilling critics, politicians, and activists. In August, an official investigation into whether Indians were spied on by the government using Israeli spyware Pegasus revealed that at least five phones of victims contained malware, but refused to disclose the report. Instead, the country’s top court recommended that existing surveillance laws incorporate the right to privacy and introduce mechanisms for citizens to raise complaints against illegal surveillance.

CERT did not respond to WIRED’s request for comment.

After CERT first announced the rules in April, it caused a flurry of panic among VPN companies. It then gave them a three-month window to comply with the rules. But most global VPN providers used this time to pull physical servers out of the country. “India has ordered all VPN providers in the country to start logging user activity and storing it for five years. This is incompatible with our commitment to user privacy, so we made the straightforward decision to stop operating VPN servers within India,” says Harold Li, vice president of ExpressVPN, one of the first companies to pull servers out of India. Li said in an email to WIRED in July that ExpressVPN “will never collect logs of user activity, including no logging of browsing history, traffic destination, data content, or DNS queries.”

Proton VPN is also pulling its servers from India, the Wall Street Journal reports. Meanwhile, other VPN companies are looking for solutions that have minimal impact on their users while also maintaining their privacy. Enter: virtual servers.

Spokespeople of ExpressVPN, based in the British Virgin Islands; Private Internet Access, based in the US; and Surfshark VPN, based in Lithuania, tell WIRED that they have set up virtual servers outside India for users who want to use an Indian IP address. ExpressVPN users who want to use Indian IP addresses can do it through their “India (via Singapore) or India (via UK)” virtual server location.

“Virtual locations are functionally identical to physical ones—the main difference is that they’re not located in the stated country,” says Gabriele Racaityte-Krasauske, a Surfshark spokesperson. “They still provide the same functionality–in this case, getting an Indian IP.”