Virtual Private Network (VPN) companies are removing their physical servers from India as a new law in that country takes effect. As of Sunday, September 25, the Indian Computer Emergency Response Team is requiring VPN operators to retain customer data for at least five years, even after customers have cancelled their accounts.
Note
- Individual countries each have to establish their own societal balance between law enforcement/intelligence agency access to citizen communications and citizen privacy rights. The difference between this current wave and previous privacy vs. surveillance waves (such as when telephone audio services first went digital) is that many services do not have to have physical presence in-county to succeed, so providers can fight back by moving offshore. For most companies, this law is a high risk to customer privacy unless stringent judicial release procedures are defined.
- Moving services out of a country whose privacy laws, or other regulations, you can’t comply with is a good idea. In this case the India rules don’t mesh well with the anonymous browsing model many VPNs offer. NordVPN, Proton VPN, Surfshark, Hide.me and ExpressVPN are all shutting down their servers in India. Read the fine print on alternatives which may still provide an Indian IP while not in the country. Expect India to take steps to apply their requirements to this or other perceived bypass scenarios.
- If India wants a Bluffdale, it should build it and pay for it itself. To require VPN service providers to do it will so decrease their revenues and increase their costs as to destroy the business model. The citizen will be the loser.
Read more in