Update: the Indian government has decided to delay the rules going into effect by 3 months. This is to give VPN companies and cloud services time to implement the customer logging requirements. The rules are now set to go into effect on September 25. In the meantime several leading VPN companies are pulling out of India.
Here is a full list of VPN services that have removed servers from India along with links to their respective blog posts or tweets:
If you notice any companies missing from the list please let us know we can keep it up to date.
The Indian Computer Emergency Response Team (CERT-In) released their latest set of cybersecurity rules in late April. In part, they plan to require VPN providers to keep customer information on hand. Rajeev Chandrashekhar, the Minister of State for Electronics and IT, has made it clear that VPNs along with the data centers their servers are held in must abide by the new rules. This is a big issue for a number of VPNs like ExpressVPN, NordVPN, and Proton VPN that do not keep logs. While the VPN companies are banding together to try and influence the policy changes, the only short term decision seems to be whether or not to continue hosting servers in India.
We’re not trying to bash the Indian government. We understand that they are trying to combat cybercrime, but in doing so they are putting users privacy at risk. The rules are set to go into effect on June 27,2022. At that time VPN providers will be required to track the IP address and usage patterns of their users along with other information. This extends to the data centers and cloud providers that host the VPN servers as well.
ExpressVPN Removes Servers from India on June 2
ExpressVPN is the first VPN service to announce their decision to remove all their physical servers from India. This may seem like a drastic move to some, but it is 100% necessary to ensure the privacy of their users. ExpressVPN made clear in a blog post that they will be happy to return to India if the rules are changed. In the meantime, users can connect to virtual servers to obtain IP addresses in India. This will allow you to access local Indian content and protect your privacy knowing that no logs are being kept.
We applaud the ExpressVPN team for stepping up and being the first VPN provider to take action in India. It potentially puts a target on their back but is necessary and will likely draw other VPNs into taking the same actions. ExpressVPN makes it clear that they will never log user activity for any reason. This includes your public IP address, browsing history, DNS queries, and more. The privacy of their users is the top priority and they have shown their willingness to stand up and take action.
NordVPN Removes Servers from India on June 26
In early May, NordVPN expressed their concern over the new CERT-In rules and stated that they were considering all options. This includes the removal of all servers from India. The latest update was from a Fortune India article dated June 9. According to Laura Tyrylyte, the head of public relations for Nord Security, the company plans to remove their servers from India unless the government changes their position prior to the June 27 deadline.
Update: NordVPN announced they were pulling all physical servers from India on June 26. It is unclear whether or not they have virtual servers in place to continue giving customers access to Indian IP addresses.
Surfshark Shuts Down Servers in India on June 7
Surfshark made the decision to shut down the servers they host in India in response to the new law. As they state in the related blog post “In response to the new Indian data regulation laws, Surfshark is shutting down its servers in India. The new laws require VPN providers to record and keep customers’ logs for 180 days as well as collect and keep excessive customer data for five years.”
Surfshark is the second VPN provider to announce their removing servers from India. Customer will still be able to get an IP address in India by connecting to virtual servers in Singapore and London. Since Surfshark merged with NordVPN earlier this year we expect to see a similar move from Nord in the near future.
Proton VPN Releases Guidelines to Help Users
Proton VPN was quick to publish a helpful guide customers in using the proper VPN server in high-risk countries. While this has typically been necessary in countries like China, North, Korea, and Russia, However, with the new laws set to go into effect later this month, India can also be added to that list.
You should definitely read the post linked in the Proton VPN tweet in its entirety. It provides you with guidelines for how to use VPN in high-risk VPN countries and the risks involved in doing so. Their team has committed to leaving countries when necessary and we would expect this will happen in India. In the meantime we suggest using their Secure Core VPN which will send your traffic through a server in a country wit strong privacy protection before routing it through a server in India. While the connection will be slower, the traffic can only be traced to the Secure Core server.
PureVPN Moves to Virtual Servers on June 27
According to a post on the PureVPN blog, the company is migrating to virtual servers to keep everything in agreement with their no-log policy. The PureVPN team will continue to offer Indian IP addresses via virtual servers in Singapore. This is already in place so customers will not notice any downtime for the transition.
Ivacy Removes Physical Servers from India on June 29
We received confirmation from Ivacy on Wednesday, June 29 that they have pulled all their physical servers from India. They will no longer be offering access to physical servers in the country. Instead they have virtual servers up and running in Singapore that will provide users with Indian IP addresses. This will help ensure that users can continue to unblock websites in the region without putting their privacy at risk.
Indian Government Invites VPNs to Discuss CERT-In Rules
Perhaps the quick move by ExpressVPN and Surfshark has caused the Indian government to reconsider their position on the new CERT-In rules. That’s probably wishful thinking but we’re happy to see the possibility of a dialog between them. The meeting is expected to be led by Rajeev Chandrasekhar, the Minister of State for Electronics and Information Technology. Several groups including the US-India Business Council and US Chamber of Commerce have expressed their concerns that the new rules will risk people/s privacy. This is undoubtedly true since it will force VPN services to log and keep customer data for at least five years.
More Information to Come
This post was written on June 2nd which is more than three weeks from the June 27 date that the new law is to go in effect. This gives VPNs some time to take action and share their decisions. We will update the post daily with the latest developments.