ExpressVPN has removed its virtual private network (VPN) servers in India in response to recent government directions that make it mandatory for service providers to keep user data for at least five years and share records, when required, with the authorities. The company, based in the British Virgin Islands, said the directions from Computer Emergency Response Team (CERT-In) that come into effect from June 27 were “incompatible with the purpose of VPNs”.
As a result, ExpressVPN will no longer have Indian-based VPN servers. However, users will still be able to connect to VPN servers that give them Indian IP addresses, the company said in a blog post. These ‘virtual’ India VPN servers will be physically located in Singapore and the UK.
It said in the blog post: “As for Internet users based in India, they can use ExpressVPN confident that their online traffic is not being logged or stored, and that it’s not being monitored by their government.”
The company said the government’s order, released in late April, was “overreaching and so broad as to open up the window for potential abuse”.
While issuing the directive, CERT-In had said it aimed to help limit cybercrimes in the country. However, ExpressVPN dismissed those claims and said the law was “incompatible with the purpose of VPNs, which are designed to keep users’ online activity private”.
“We believe the damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it,” ExpressVPN said.
The company also assured that it would never collect user activity logs, including browsing history, data content, traffic destination, or DNS queries. The service provider said it never stored connection logs, including logs of IP addresses, connection timestamps, outgoing VPN IP addresses, or session durations.
The government wants VPN service providers to store these data for a minimum five-year period.
“Data centres are unlikely to be able to accommodate this policy and our server architecture under this new regulation, and thus we will move forward without physical servers in India,” the company said.
ExpressVPN said it had been operating its ‘India (via UK)’ server location for several years. These virtual locations use a registered IP address, matching the country users have chosen to connect to, while the physical server is located in another country.
ExpressVPN said virtual locations were used to provide faster and more reliable connections over traditional Internet connections.
Apart from ExpressVPN, other service providers such as Surfshark, NordVPN-parent Nord Security, and ProtonVPN have raised similar concerns over the government’s directive. Nord Security has also hinted at removing its servers from India if it exhausts all other options.