After a change to the country’s laws that greatly reduces the privacy of VPN users, service providers are packing up their servers and leaving India. The VPN providers are not totally abandoning the country, but users in India will now have to route their traffic through special servers in countries such as the United Kingdom and Singapore that provide them with Indian IP addresses.
Government tells Indian VPN providers to give up contact information or hit the road
The new rules in India are set to go into effect June 27. When they do, VPN providers in the country will be forced to log a range of contact information from all of their customers that can be connected to their real name and internet activity. The VPN providers must turn this information over to investigating authorities, and must also store it for five years (even if the customer cancels their service).
There was some confusion about how VPN providers would respond to these new terms, which were first declared in April and threaten to undermine their entire business. Even though the Indian government has said that the laws still apply to customers in the country connecting to foreign servers, the VPN providers appear to mostly be taking servers out of the country but will continue to provide service to India via other countries in defiance of the rules.
The Indian government appears to be willing to lose the business of VPN providers, flatly declaring that they must comply or leave the country when the rules were announced some months ago. The government says that the terms are necessary for cyber crime investigations, but the ruling government has established a history of spying on critics and political opposition and may not care for the difficulties that VPNs generate.
Continuing to provide service (mostly routed through the UK and Singapore, according to announcement from the bigger providers) in defiance of the rules or completely giving up on the Indian market were essentially the only two choices for VPN providers, as remaining in India and complying with the rules would mean delivering a compromised product that would likely see a mass exodus of customers. VPNs have become very popular in India in recent years as the government has taken a heavier hand in censorship and tracking of dissidents, with an estimated 270 million customers in the country spending about $30 billion every year.
Major VPN providers raise concerns about privacy and security
Companies that have already declared their intent to flout the law include SurfShark, ExpressVPN and NordVPN. In addition to the serious concerns about customer privacy, some have noted that the new rules create both an added business burden on them and an unacceptable risk of data breach.
The Indian government has little option for enforcing the rules if the servers are outside of the country, particularly with major trade and privacy groups applying pressure over the rules. It would have to take extreme measures such as banning the offending VPN providers from the country entirely.