VPN provider Proton VPN has announced it will remove its physical servers from India in response to the new Computer Emergency Response Team (CERT-In) directives announced on April 28, which come into force starting September 25.
“To protect the privacy of the Proton community, we are removing our VPN servers physically located in India,” the company said in a statement.
The company will, however, continue to offer its services in India through its international servers and its newly launched Smart Routing servers for India.
The company said that the Smart Routing servers “will give you an Indian IP address and behave just as our physical servers in India did. The only difference is that, in reality they are based in Singapore.”
The Smart Routing servers will continue to offer the Proton community a private, no-logs VPN service with an Indian IP address. “We have no intention of complying with this invasive mass surveillance law, leaving us no choice but to remove our VPN servers from Indian jurisdiction,” the company said.
VPN providers are required to store user data for 5 years
CERT-In's new directive requires all VPN providers, data centers, and cloud service providers operating in India to collect and report extensive and accurate data from their users for five years.
Under the directive, Indian VPN providers and data centers are expected to log details of user names, physical addresses, email addresses and phone numbers. It also requires the IP address used to register on a VPN, along with the timestamp. VPN providers will also need to report the reason for using the VPN. This data has to be provided to CERT-In to aid investigations of cybersecurity incidents.
The directive comes into effect on September 25 and failure to comply can lead to imprisonment for a year.
However, many VPN services are fleeing the country as the directive goes against the core business of VPN players that follow a no-log policy. VPN service providers conceal a user’s internet usage by using multiple servers.
Multiple VPN players exit India
After the announcement of the new directives, there was a major backlash from VPN vendors. However, when CERT-In decided not to budge on its decision, several VPN vendors decided to remove their physical VPN servers located in India and reroute their users through servers in other countries.
Companies such as ExpressVPN, Surfshark, and NordVPN have already announced their exit from India.
The government claims that the new rules will have no impact on business viability, but experts say the directives contradict the nature of services that VPNs provide.
“As the Indian economy is pacing towards a digital economy the government presents it as their unrelenting duty and goal of ensuring that the internet remains open, secure, and accountable and to fulfil these goals it is claimed to be beneficial with the release of these guidelines, as it is aimed to restrict the use of VPN to commit criminal activities,” said Jaspreet Singh, clients and markets leader at accounting and advisory firm Grant Thornton.
“However, adhering to these guidelines will be in contradiction to the nature of service of VPN providers and the way their services are designed to prevent user privacy. Moreover, many organizations may not have the technical means and know-how to implement these guidelines, leaving them with no other options than to quit India operations,” Singh added.