As of June 28, Indian authorities have extended the deadline for VPNs to end or change their logging practices to September 25 (opens in a new tab) (link opens in The Indian Express).
All VPN services with servers in India must comply with the new data law that has officially come into effect.
Under the new CERT-In regulations, security software companies are legally required to retain user data β such as IP addresses, real names and usage patterns β for up to five years. Companies must also provide this information to the authorities upon request.
Since the government’s announcement on April 28, internet users, privacy advocates and cybersecurity experts have expressed concern about how these regulations could negatively impact people’s privacy.
This has led to some of the best VPN providers taking drastic steps to ensure that privacy values ββare not compromised and to protect user anonymity.
Although the laws and regulations of other countries may change, the priority of protecting users’ privacy is not diminished. Therefore, in view of India’s upcoming Data Collection Directive, we are decommissioning our servers located in India. Indian users can still access our services. June 23, 2022
Why is India’s new data retention law controversial?
A VPN, short for Virtual Private Network, is a security software that hides users’ IP addresses and decrypts their data.
All of the most secure VPN services have strict no-logging policies to ensure anonymity for users. This means that user data cannot be stored, leaked or shared. ExpressVPN has stated that the requirement to keep customer logs is incompatible with the purpose of VPNs (opens in a new window).
What’s more, India’s new data retention law doesn’t just affect VPNs. The new CERT-In rules cover cloud storage services as well as virtual private servers (VPS), data centers and cryptocurrency exchanges.
This is a bid to reduce the prevalence of cybercrime. India ranked third in the world for data breaches in 2021 with over 86 million (opens in new window) data breaches.
Surfshark said in a public statement (opens new tab) that excessive data collection in the Indian jurisdiction could lead to more data breaches across the country.
Meanwhile, India was found responsible for 106,180 internet shutdowns imposed in 2021 (opens in a new tab), according to digital rights advocate Access Now. Media freedom has also slowed, and the Indian government is said to have used Pegasus technology to spy on politicians, activists and lawyers.
With these accomplishments, it’s easy to see why citizens and experts are concerned that authorities could abuse this data collection to encourage mass surveillance that is intrusive and infringes on civil liberties.
However, it’s not just privacy that’s at risk. India’s new data law could hamper the growth of the country’s IT sector. As Sudip Saha, COO of Future Market Insights, told TechRadar, “Bans on VPNs primarily harm corporate interests by acting as a deterrent to investment and business in India.”
How VPN providers are planning to protect users’ privacy
Many VPN providers have opposed the Indian government’s decision by expressing their corporate values.
Some have chosen to go virtual to protect their privacy. How? They created virtual locations so that Indians can still connect to a fake Indian IP. It’s the same as a VPN, but users’ data is secure because their connection is routed to servers that are physically located outside the country’s borders.
Providers currently offering virtual India locations include ExpressVPN, Surfshark, CyberGhost, Private Internet Access (PIA), and PureVPN.
IPVanish is one example of a company that could offer something similar in the near future. However, at the time of writing, the virtual locations in India have not yet been announced.
Others claim that they have no intention of deploying fake locations even after shutting down the Indian servers. These include AtlasVPN, Hide.me, and NordVPN.
Laura Tyrylyte of NordVPN told us, “We believe we will discover a way to meet the needs of all our customers, regardless of their location.”
ProtonVPN also expressed its displeasure with the new CERT-In regulations. It suggested secure ways to connect to VPN servers in high-risk countries (opens a new tab). This involves using one of its Secure Core servers for an extra layer of security.
Windscribe also said it plans to keep its Indian servers “unless our Indian hosting provider forces us to leave”
Chiara is a multimedia journalist with an eye for cybersecurity issues and trends. He is a future staff writer with an interest in VPNs. He writes features and news for TechRadar and Tom’s Guide on privacy and digital rights, data protection online censorship, digital rights. He is obsessed with digital storytelling in all its forms and loves podcasting, photography video editing and podcasting. He is originally from Milan, Italy and lives in Bristol, UK as of 2018.
Chiara is a multimedia journalist who keeps a close eye on the latest developments and issues in cyber security. He is a staff writer for the future, focusing on VPNs. He writes articles and news about data privacy online censorship, TechRadar digital rights, Tom’s Guide and T3. Passionate about digital storytelling in all its forms, he is also a fan of video making, photography and podcasting. He was born in Milan, Italy and lives in Bristol, UK as of 2018.