In a bold move, ExpressVPN decided to shut down its Indian servers in a show of resistance to the country's new directives that force VPN providers to store user information for at least five years. The response from one of the largest VPN providers in India has sparked debate over the major shift in the country's data retention laws, which has cast a large shadow over internet privacy.
On April 28, 2022, the Indian government issued fresh cybersecurity directives that require VPN providers to retain information about their users for a minimum duration of five years – even if a user cancels their registration with the VPN provider. According to this new rule, the VPN service providers will have to store:
The pretext for such a sweeping regulation is that cybercriminals are flying under the radar under the cover of VPNs and contributing to the increase in the number of cyber incidents in India.
In a recent report published by the Internet Crime Complaint Center (IC3), a branch of the FBI that investigates cybercrime in the US and worldwide, India ranked fourth behind the US, UK, and Canada when it comes to the number of cybercrime victims in 2021.
What Does It Mean for VPN Providers and Users?
The new regulation is a hard pill to swallow for VPN providers, who deliver privacy through end-to-end encryption and by masking user location. Making companies maintain user logs completely defeats the purpose of a VPN at an elemental level.
"As the world rapidly moves towards digitalization, a reliable VPN service has become the need of the hour. It's important to safeguard one's user identity as cybercriminals are constantly conspiring to capitalize on the slightest opportunity to leverage user vulnerability," said Girish Linganna, Director of ADD Engineering.
A VPN is a proven way of protecting oneself from identity theft. It creates an encrypted tunnel that allows user data to be sent and received out of the reach of cybercriminals. Most people are unaware that hackers and cyber-thugs can easily track their browsing and downloading activity. They can also intercept e-mails, which could, in turn, be mined for personal data such as online banking details, card details, or even all-important OTPs. Logging onto a VPN protects a user from all of these, and it makes being online relatively safe.
But the Indian government is choosing to look at VPN services from a singular perspective of cybercriminals, who can get bolder under the protection of masking.
Supporting the government's directive, Dr. H S Srivatsa, Professor at M. S. Ramaiah University of Applied Sciences, opined: "The government has not banned VPN services from operating in India but has only mandated VPN servers located in our country to furnish user data when requested for. Security of citizens of our country is more important than data privacy being demanded by VPN service providers."
When multiple VPN providers expressed their concerns over the new rules earlier this month, MeitY's Minister of State Rajeev Chandrasekhar asked them to comply or leave the country. While other VPN providers have stayed on to explore alternatives and perhaps wait for the government's change of heart, ExpressVPN, miffed by the new rules, chose to exit India by shutting its servers in the country.
"The law is also overreaching and so broad as to open up the window for potential abuse. We believe the damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it," wrote ExpressVPN on its blog. Further, the company also stated that the Indian government is attempting to limit internet freedom.
What do the users think? "If we take 'Private' out of the Virtual Private Network (VPN), it ultimately defeats its purpose. And if the government still wishes to pursue the matter of tracking VPN users, there is no doubt that VPN companies and the users will easily find ways to circumvent these restrictions," said Prashanth, a Network Engineer at a large multi-national.
But unbeknownst to most, the government directive also requires the VPN providers to perform a KYC ('know your customer') on their users and maintain usage logs – which would make circumventing rules impossible and obliterate any possibility of privacy.
"The recent rules passed by CERT-In to support the government in the case of cybercrimes are a classic case of state's interest versus private companies' interest. The state wants to know as much information as possible to investigate cybercrime cases, and companies want to protect their users' privacy as much as possible. There would be some fallouts out of this, and ExpressVPN is an example of this," explained Sivakumar Vondivillu, CTO of Zaggle.
"It doesn't mean either party is wrong. Most companies would try to comply with these laws. But what would help is to probably give these new rules for discussion among industry peers and experts before passing as laws – so that it doesn't come as a surprise to the industry," he added.
The new set of rules pertaining to VPNs will be enforced from June 27. It will be interesting to see if the government changes or softens its stance in the coming weeks. If not, some more VPN providers are bound to exit India.