This article is more than 1 year old
ExpressVPN moves servers out of India to escape customer data retention law
Privacy service will keep working, just beyond the reach of India's government
Virtual private network operator ExpressVPN will pull its servers from India, citing the impossibility of complying with the nation's incoming requirement to record users' identities and activities.
ExpressVPN offers software that routes traffic through servers that load their operating systems entirely into RAM and therefore leave no trace of users' activities on persistent media. The outfit suggests that's a point of difference to other VPN providers.
ExpressVPN refuses to participate in attempts to limit internet freedom.
But that design is a problem given India's recently introduced requirement that VPN providers verify customers' identity, retain their contact details, and store five years worth of data describing their "ownership pattern".
In a blog post, ExpressVPN states its all-RAM design makes compliance with India's rules impossible because it doesn't store any logs of users' activites.
The company also dislikes India's rules, which it has described as "incompatible with the purpose of VPNs."
"The law is also overreaching and so broad as to open up the window for potential abuse," the post adds. "We believe the damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it."
"ExpressVPN refuses to participate in the Indian government's attempts to limit internet freedom."
The company's remedy is to offer its Indian users servers located in Singapore and the UK as alternatives. Those servers will be named "India (via Singapore)" or "India (via UK)."
The latter is already up and running and has been for several years. ExpressVPN offered the via UK option because it has found that offshore servers can sometimes be faster and more reliable than in-country offerings.
- India probes ZTE and Vivo over finances, sparking Chinese protests
- Indian authorities issue conflicting advice about biometric ID card security
- Indian stock markets given ten day deadline to file infosec report, secure board signoff
India's new rules have been widely criticized as impractical and for impinging on privacy.
In response to such criticism, minster for Information Technology Rajeev Chandrasekhar said that if VPN providers don't like the rules, they can leave India.
ExpressVPN has called that bluff by continuing to offer its service while attempting to put itself beyond the reach of Indian authorities – which is not what India wanted when it introduced its infosec reporting requirements. ®