Under the CERT-In directives, VPN providers have specifically been directed to store validated customer names, their physical addresses, email IDs, phone numbers, and the reason a customer is using the VPN. They also have to log the user’s “ownership pattern” and the dates when they use the VPN, along with a record of the timestamp for when a user registered, and every IP address that the VPN assigns to the user. VPN providers who provide “no-logging” services cannot do so if they comply with such rules, which is why they’re withdrawing servers to leave the Indian government’s jurisdiction.
How does removal of servers affect users?
VPN providers install their servers in a country to achieve two purposes—to be close to their users and to increase the number of locations they can provide. Removing servers from India, in theory, affects the overall speed that a VPN can provide, though this will hardly make a difference for those using VPNs simply to browse the web by spoofing their location. On the location front, experts note that privacy and content access rules in India will anyway make users abroad reluctant to use a VPN to change their location to India, and hence it shouldn’t be a problem for the companies either.
Which VPNs have removed servers from India?
At the moment, three big players—NordVPN, Surfshark and ExpressVPN—have confirmed that they will remove servers from India, although users can still access their services from the country. ProtonVPN, run by Swiss firm Proton AG famed for the privacy-focused email service ProtonMail, has also indicated that they plan to continue their no-logs policy.
Can the government still access data?
This is where it gets murky. Lawyers note that the government is showing intent to access VPN data and may ask companies to comply even if they have no physical presence in India, as their “computer systems” are operating within Indian cyberspace. But they add that the Information Technology Act of 2000 is meant to regulate Indian cyberspace and should not have extra-territorial reach. On 19 May, Rajeev Chandrasekhar, MoS IT, warned VPN providers to comply with the rules or shut India operations.
Is the industry complying?
Industry stakeholders and civil society members are seeking changes to CERT-In rules. The IT ministry also held a consultation with some stakeholders on 10 June, where it reportedly agreed to relax some non-VPN-related aspects of CERT-In rules. Another industry consultation is being planned with Sanjay Bahl, director general of CERT-In, on 21 June by a cyber awareness organization. The new rules take effect on 27 June, and the industry’s asks include an easing of the reporting time for cybersecurity incidents.