ExpressVPN rejects CERT-In directions, removes its India servers

While slamming the April 29 directions of the Indian Computer Emergency Response Team (CERT-In), virtual private network (VPN) service provider ExpressVPN announced that it has removed its Indian-based VPN servers.

Under the new directions, service providers will have to store users’ names, IP addresses assigned to them, usage patterns and other data. ExpressVPN said that the directions are “incompatible with the purpose of VPNs, which are designed to keep users’ online activity private”.

However, the reason behind the removal of the India-based servers is not just a policy-based decision for ExpressVPN. The VPN service said that their servers are specifically designed to not store logs. “Data centers are unlikely to be able to accommodate this policy and our server architecture under this new regulation, and thus we will move forward without physical servers in India,” the VPN service provider said in a blogpost.

This decision by ExpressVPN comes after several (VPN) service providers criticised CERT-In’s recent directions. Netherlands-based virtual private network (VPN) provider Surfshark even said that it is exploring the possibility of legally challenging directions.

Following the criticisms, the Union government came out with clarifications, wherein it stated that the directions will not apply to enterprise and corporate VPNs. Also, the criticisms did not sit well with the Indian government, and Minister of State for Electronics and Information Technology Rajeev Chandrasekhar had warned VPN providers that if they do not follow the directions then they are free to terminate their businesses in the country.

Indian users will still have access

The British Virgin Island-based VPN clarified that removing its India-based servers will not mean that Indian users will not be able to access its services.

“Rest assured, our users will still be able to connect to VPN servers that will give them Indian IP addresses and allow them to access the internet as if they were located in India. These “virtual” India servers will instead be physically located in Singapore and the UK,” ExpressVPN said in a blog.

ExpressVPN also clarified that users will experience ‘minimal difference’ because of this change. “In terms of the user experience, there is minimal difference. For anyone wanting to connect to an Indian server, simply select the VPN server location “India (via Singapore)” or “India (via UK),” ExpressVPN said.

Directions can be abused

While reasoning the removal of the India servers, ExpressVPN said it disagreed with CERT-In directions as it is ‘overarching’ and ‘so broad that it can be abused’.

“We believe the damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it,” the VPN service provider said.

“ExpressVPN refuses to participate in the Indian government’s attempts to limit internet freedom,” it added.

ExpressVPN assures privacy

ExpressVPN said that when a user chooses a virtual location, the registered IP address matches the country a user chooses to connect, while the server is physically located in another country. “Virtual locations are used, where necessary, to provide faster, more reliable connections,” it said.

“As for internet users based in India, they can use ExpressVPN confident that their online traffic is not being logged or stored, and that it’s not being monitored by their government,” the VPN service provider added.

The continued, “We will never collect logs of user activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, meaning no logs of IP addresses, outgoing VPN IP addresses, connection timestamps, or session durations.”

Will this put ExpressVPN outside ambit of directions?

It is unlikely that ExpressVPN or other VPN service providers who have removed or may remove their India servers in the future, will be outside the ambit of the CERT-In directions because they have removed or will remove their presence in India.

That is because, in the FAQs on the directions that was released in May, CERT-In had clarified that the directions “are applicable to any entity whatsoever, in the matter of cyber incidents and cyber security incidents”. In another FAQ on whether the directions are applicable to service providers who are not located in India but are catering to Indian users, CERT-In had reiterated the same.

Stiff opposition

The April 29 CERT-In directions has garnered a lot of controversy and has been facing a lot of criticism as many of its provisions, apart from having privacy concerns will put additional compliance requirements for all body corporates.

This was reiterated recently in a joint letter written to the director general of CERT-In by 11 lobby groups and industry associations who represent major companies across the world.

In the letter, US Chamber of Commerce (USCC), US-India Business Council (USIBC), The Software Alliance (BSA) and others asked CERT-In to delay the implementation of the directions as it will have “significant adverse impact on organisations that operate in India”.