Virtual private network (VPN) service ExpressVPN announced on June 2 that it would withdraw its servers from India. The reason ? New guidelines, titled Cyber Security Directions, against cloud service providers and VPN operators. The latter will have to keep the names and IP addresses of their customers for five years. It’s the end of anonymity on the Indian Internet.
ExpressVPN leaves Indian Territory
The Indian government wants to be able to consult, in the event of an emergency, the personal data held by technology companies on its territory. These rules are proposed by the Indian Computer Emergency Response Team (CERT-In), a public agency under the Indian Ministry of Electronics and Information Technology. They will come into effect from June 27.
Japan designs the fastest internet connection yet
For ExpressVPN, this is “ incompatible with the very principle of VPNs, which are designed to preserve the confidentiality of their users’ online activities “. The company reassures nevertheless his clients and explains that he ” will still be possible to connect to VPN servers that will offer an Indian IP address “. The only difference lies in the location of said servers which will now be located in Singapore and the United Kingdom.
Since the statements of the VPN service, the Cert-In agency has clarified (PDF) that these new rules do not apply to virtual private networks for businesses. It only concerns proxy-type services, serving as an intermediary with subscribers or customers.
India tightens its control over the Internet
These directives, announced at the end of May, are presented as a means of combating cybercrime. Companies will now be required to report security breaches, cyberattacks, personal data breaches to the authorities within six hours. According to Rajeev Chandrasekhar, India’s IT Minister, these guidelines will not be subject to public consultation, a common practice in the country when developing a new project or discussing new rules.
A worrying decision when these directives very directly threaten anonymity on the Internet. For the Indian NGO Freedom Foundation, ” in the absence of sufficient oversight and a framework to protect data against abuse, these requirements can allow mass surveillance “.