VPN Providers Flee India as a New Data Law Takes Hold
Ahead of the deadline to comply with the Indian government’s new data-collection rules, VPN companies from across the globe have pulled their servers out of the country in a bid to protect their users’ privacy.
Starting today, the Indian Computer Emergency Response Team, or CERT—a body appointed by the Indian government to deal with cybersecurity and threats—will require VPN operators to collect and maintain customer information including names, email addresses, and IP addresses for at least five years, even after they have canceled their subscription or account.
In April, CERT said it needed to implement these rules because “the requisite information is not found available” with the security provider during investigations into cybersecurity threats, thereby thwarting inquiries. The new rules, CERT claims, will “strengthen cyber security in India” and are “in the interest of sovereignty or integrity of India.” VPN companies and privacy experts believe this move impacts user privacy and freedom of speech, and defeats the sole purpose of using VPNs, which encrypt users’ internet activity and mask their locations and identities.