Virtual Private Network provider ExpressVPN announced that it is removing its India-based servers in response to a new cybersecurity directive issued by the Indian Computer Emergency Response Team (CERT-In).
The company assured users that they will still be able to connect to VPN servers that give them Indian IP addresses and allow them to access the internet as if they were located in India. However, these ‘virtual’ India servers will instead be physically located in Singapore and the U.K.
CERT-In has imposed controversial new data retention requirements, which will come into effect on June 27, 2022, and require VPN service providers to store subscribers’ real names, contact details, and the IP addresses assigned to them for at least five years.
CERT-In highlighted that the logged user data will only be requested for the purposes of “cyber incident response, protective and preventive actions related to cyber incidents.”
The agency has clarified that this rule does not apply to corporate and enterprise VPN solutions and is aimed only at operators who provide proxy-like services to “general Internet subscribers/users.”
The new data law was initiated to help fight cybercrime, but it is incompatible with the purpose of VPNs, which are designed to keep users’ online activity private. The law is also overreaching and so broad as to open the window for potential abuse.
The rules, dubbed Cyber Security Directions, also require the firms to report cyber security incidents such as data breaches and ransomware attacks within six hours of noticing them.