Several leading virtual private networks (VPNs) that offer encrypted Internet services have shut down their servers in India because of tough new rules being introduced on Sunday that will require them to keep the names of all users for five years.
Proton AG, a Switzerland-based service, has become the latest to announce that it is withdrawing its servers from India before the Sunday, September 25 deadline for keeping all user records. The company said it is, “removing its physical servers from India in response to a regressive new surveillance law.”
The company’s founder and CEO Andy Yen told the Wall Street Journal: “It’s going to have a chilling effect. I find it really sad that the world’s largest democracy is taking this path.” He pointed out that India’s new rules are similar to those in force in China and Russia and added: “On paper India is supposedly taking a different path.”
Other companies which have withdrawn their servers from India in recent months include Canada-based Tunnelbear, Nord VPN, SurfShark, ExpressVPN and IPVanish. ExpressVPN withdrew in June, saying, “There is no path forward other than to no longer have physical VPN servers in India.”
Most of the VPN companies say Indian users will be able to use their services via servers based in other countries.
CERT compliance deadline
India’s Computer Emergency Response Team (CERT) had issued the new rules on storing information but extended time for compliance by six months till September 25. VPNs like SurfShark and ExpressVPN had withdrawn their servers from the country soon afterwards. Nord VPN shut its India servers on June 26. CERT comes under the Ministry of Electronics and Information Technology (MEITY).
Proton’s CEO Yen was sharply critical of the new rules, saying: “Government surveillance and censorship is a growing threat around the world and we are deeply concerned about any trends towards restricting privacy and freedoms for citizens, especially this latest move from India. Proton has no intention of ever complying with this or any other mass surveillance law.”
Similarly, ExpressVPN CEO Harold Li said at the time the company withdrew that: “With the recent data law introduced in India requiring all VPN providers to store user information for at least five years, ExpressVPN made the straightforward decision to remove our Indian-based VPN servers. We refuse to ever put out users’ data at risk.”
Five-year record timeline
Under the new rules, the VPNs will have to maintain records for five years about usernames, their physical and email addresses and their phone numbers. Besides that, the VPNs will have to store additional details about why customers are using the service, the dates the service is used and the “ownership pattern” of users.
The VPNs will also have to keep details about the IP and email addresses that the customer used to register into the service. They will also have to store all IP addresses used generally by customers.
Proton said today that its withdrawal from India marked another move in its longstanding commitment to “defending user rights”. It pointed out that it has in recent years pulled out from Belarus, Myanmar and also Hong Kong because of user restrictions.
'Actively fought freedom of expression'
The company added: “Proton has actively fought for freedom of expression around the world, maintaining secure internet access, and protecting journalists and activists.” It also pointed out that it had, “raised more than $1 million for causes that protect privacy and freedom.”
Proton has just unveiled its new “Smart Routing” servers based in Singapore which will enable people using Indian IP addresses to access the Indian internet securely, “but from servers physically located outside the jurisdiction of the Indian government and therefore not subject to logging rules”. It added that the servers would also enable users abroad to “securely consume Indian content”.
Proton says it has 1,700 VPN servers around the world.