A change in India’s cybersecurity laws sent VPN providers out of the country ahead of the expected June 27 start date for the new terms.
The new rules essentially undermine the business model of VPN providers, requiring them to log customer contact information (including names, email addresses, and IP addresses), store it for five years, and provide it to the government upon request as part of a legal investigation. Some VPN providers will have customers in India connect to servers outside the country in the future, while others have considered pulling their business out of the country entirely.
‘Non-compliant’ VPN providers kicked out of country by Minister of State
The new rules were first proposed on April 26. Minister of State for Electronics and Information Technology Rajeev Chandrasekhar has bluntly warned VPN providers that they should either comply with the terms or leave the country. It seems most of the big names, at a minimum, have opted to pull physical servers out of the country in response.
The laws represent what is likely an unacceptable invasion of privacy for customers of VPN providers, who pay for the service primarily for absolute protection from snooping by governments and adtech companies. A government backdoor essentially defeats the purpose of the subscription, especially when records must be retained even after the customer has canceled the service.
India has approximately 270 million VPN customers and the market is valued at over $30 billion; VPN providers naturally don’t want to give it up completely. ExpressVPN, one of the largest providers in the world, has already announced that it is taking an approach that others are likely to follow: it will simply remove all servers from India and route those customers to other servers located in Singapore and the UK. The new servers will assign Indian IP addresses to affected customers so they won’t have any issues with domestic services or websites.
NordVPN also recently announced a similar plan; the company previously released a statement saying that since it is headquartered outside the country, it has no obligation to comply with the new rules if it has no physical presence there. Surfshark also announced that it will remove all physical servers from India by June 27 and, like ExpressVPN, it will route customers through Singapore and the UK instead.
In addition to the privacy impact, VPN providers note data breach risks from forced customer logging
Surfshark also pointed out that the Indian government’s new rules impose an additional risk of data breaches, and it may not even take outside hackers to exploit it. The country has had problems with government insiders found guilty of improperly accessing personal data, the most prominent example being the breach of its Aadhaar biometric identification system in 2018.
ExpressVPN noted that it does not log user contact information and has no internal process in place for this, keeping the information needed for a session only in RAM, which is flushed as soon as the session ends. Some VPN companies would have to implement an entirely new process just to comply with the Indian regulations, likely introducing new internal vulnerabilities in the process.
Surfshark notes that since 2004, when large-scale internet data breaches first became a widespread phenomenon, about one in six of the 14.9 billion accounts whose credentials have been leaked belonged to someone in India. While some of the larger VPN providers may simply shift Indian traffic to another country, others may ditch the country altogether and leave its residents with reduced options for protecting themselves online.
It remains to be seen how much pressure the Indian government will put on VPN providers who have chosen to take down the servers but continue to do business in the country via virtual Indian IP addresses. CERT-In has released an update stating that the new rules apply to VPN providers serving Indian customers even if the connection is made outside the country. But while the government is free to make statements of this nature, enforcing them is another matter. There are few practical options other than the extremes that would likely generate a huge public backlash, such as banning VPN providers from doing business in the country or criminalizing service users who route traffic overseas to evade the logging requirements.
The new rules are prompting a backlash not only from trade groups (such as the Information Technology Industry Council), but may also draw ire from international privacy organizations, given that whistleblowers, journalists and human rights activists often use VPN providers to protect themselves online. The Modi government has previously come under fire from these groups for an assortment of issues, from intimidating journalists to using the Pegasus spyware to target critics.