ADVERTISEMENTREMOVE AD

ExpressVPN Removes Its Servers From India: Why? What Happens to Users?

ExpressVPN became the first major Virtual Private Network (VPN) provider to remove its servers from India.

Published
story-hero-img
i
Aa
Aa
Small
Aa
Medium
Aa
Large

ExpressVPN became the first major Virtual Private Network (VPN) provider to remove its servers from India – after the government came up with rules that force Virtual Private Network (VPN) providers, cloud service providers and crypto exchanges to maintain user logs for five years.

“ExpressVPN refuses to participate in the Indian government’s attempts to limit internet freedom," it said.

The rules, issued by Indian Computer Emergency Response Team (CERT-In), also require tech companies to report data breaches within six hours of noticing them.

Why did is ExpressVPN remove its servers? Here's all you need to know.

ADVERTISEMENTREMOVE AD

Why has ExpressVPN removed its servers?

"With a recent data law introduced in India requiring all VPN providers to store user information for at least five years, ExpressVPN has made the very straightforward decision to remove our India-based VPN servers," ExpressVPN said in a blog post.

Electronics and Information Technology Minister Rajeev Chandrasekhar had earlier said that the service providers who want to "hide and be anonymous about those who use VPNs" and don't want to follow the new rules will have no choice but to pull out from the country.

“If you’re a VPN that wants to hide and be anonymous about those who use VPNs and you don’t want to go by these rules, then if you want to pull out (from the country), frankly, that is the only opportunity you will have. You will have to pull out.”
Rajeev Chandrasekhar, Electronics and Information Technology Minister

What happens to Indian users of ExpressVPN?

Indian users of ExpressVPN will still be able to use the services but via India servers located in Singapore or the UK.

“We will never collect logs of user activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, meaning no logs of IP addresses, outgoing VPN IP addresses, connection timestamps, or session durations,” the company said.

Who all are required to maintain user logs for five years?

Data centres, virtual private server (VPS) providers, cloud service providers and virtual private network (VPN) providers, will be required to maintain user logs for a period of five years.

However, this rule won't apply to corporate and enterprise VPNs, only to "internet proxy like services" being used by "general internet subscribers or users".

The new rules will kick in from late June – exactly 60 days from the date of issuance, which was 28 April.

What information will they keep with them?

  • Validated names of subscribers or customers

  • Period of hire, including dates

  • IPs allotted to or being used by the members

  • Email address, IP address, and time stamp used at the time of registration or on-boarding

  • Purpose for hiring services

  • Validated address and contact numbers

  • Ownership pattern of the subscribers or customers

ADVERTISEMENTREMOVE AD

Can the government access the logged data?

Yes, the new rules require all the aforementioned service providers and tech companies to provide the logged data in a specified format, whenever CERT-In asks for it.

CERT-In says it will only ask for the data for the purposes of "cyber
incident response, protective and preventive actions related to cyber
incidents".

(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)

Speaking truth to power requires allies like you.
Become a Member
×
×