A change to India’s cybersecurity laws has sent VPN providers running from the country ahead of the slated June 27 start date for the new terms.
The new rules essentially undermine the business model of VPN providers, requiring them to log the contact information of customers (including names, email addresses and IP addresses), store it for five years and provide it to the government when requested as part of a legal investigation. Some VPN providers are having customers in India connect to servers outside the country going forward, while others have discussed pulling their business from the country entirely.
“Non-compliant” VPN providers chased out of country by Minister of State
The new rules were first proposed on April 26. Minister of State for Electronics and Information Technology Rajeev Chandrasekhar bluntly warned VPN providers that they would have to either comply with the terms or exit the country. It seems that most of the big names, at minimum, have opted to pull physical servers out of the country in response.
The laws represent what is likely an unacceptable breach of privacy to the customers of VPN providers, who are paying for the service primarily for absolute protection from the snooping of both governments and adtech companies. A government backdoor essentially defeats the purpose of subscribing, particularly when records are required to be maintained even after the customer cancels the service.
India has an estimated 270 million VPN customers, and the market is valued at over $30 billion; VPN providers naturally do not want to abandon it entirely. ExpressVPN, one of the world’s largest providers, has already announced that it is taking an approach that others are likely to follow: it will simply remove any servers from India and route those customers to alternate servers located in Singapore and the United Kingdom. The new servers will assign Indian IP addresses to the impacted customers so that they do not have any issues with domestic services or websites.
NordVPN has also recently announced a similar plan; the company had previously issued a statement saying that since it is headquartered outside of the country it has no obligation to comply with the new rules if it does not have a physical presence there. SurfShark has also announced it will be pulling all physical servers from India before June 27 and that, like ExpressVPN, it will route customers through Singapore and the UK instead.
In addition to privacy impact, VPN providers note data breach risks of forced logging of customers
SurfShark additionally pointed out that the Indian government’s new rules impose an added data breach risk, and it may not even take outside hackers to exploit it. The country has had issues with insiders in government going rogue with access to personal data, with the most prominent example being the breach of its Aadhaar biometric identification system in 2018.
ExpressVPN has noted that it does not log the contact information of users and has no internal process in place for doing so; the information necessary to run a session is held in RAM and flushed immediately after the session ends. Some VPN companies would have to set up an entirely new process just to comply with India’s regulations, likely introducing internal vulnerabilities along the way.
SurfShark notes that since 2004, when the concept of large-scale internet data breaches became a phenomenon, of the 14.9 billion accounts that have had credentials leaked about one out of six belongs to someone in India. While some of the bigger VPN providers can simply move Indian traffic to another country, others may abandon the country entirely and leave its residents with reduced options for protecting themselves online.
It remains to be seen how hard the Indian government will press the VPN providers that have opted to pull servers out but still do business in the country via virtual Indian IP addresses. CERT-In has issued an update stating that the new rules apply to VPN providers that serve Indian customers even if the connection is made outside of the country. But while the government is free to make declarations of this nature, enforcing them is another matter. There are few practical options other than extreme ones that would likely generate tremendous public backlash, such as banning the VPN providers from doing business in the country or criminalizing users of services that route traffic overseas to evade the logging requirements.
The new rules are prompting pushback not just from trade groups (such as the Information Technology Industry Council), but may also raise the ire of international privacy organizations, given that whistleblowers, journalists and human rights activists often rely on VPN providers to protect themselves online. The Modi government has already been criticized by these groups for an assortment of issues, ranging from intimidation of journalists to the use of the Pegasus spyware to target critics.