ExpressVPN moves servers out of India to escape customer data retention law

Privacy service will keep working, just beyond the reach of India's government


Virtual private network operator ExpressVPN will pull its servers from India, citing the impossibility of complying with the nation's incoming requirement to record users' identities and activities.

ExpressVPN offers software that routes traffic through servers that load their operating systems entirely into RAM and therefore leave no trace of users' activities on persistent media. The outfit suggests that's a point of difference to other VPN providers.

ExpressVPN refuses to participate in attempts to limit internet freedom.

But that design is a problem given India's recently introduced requirement that VPN providers verify customers' identity, retain their contact details, and store five years worth of data describing their "ownership pattern".

In a blog post, ExpressVPN states its all-RAM design makes compliance with India's rules impossible because it doesn't store any logs of users' activites.

The company also dislikes India's rules, which it has described as "incompatible with the purpose of VPNs."

"The law is also overreaching and so broad as to open up the window for potential abuse," the post adds. "We believe the damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it."

"ExpressVPN refuses to participate in the Indian government's attempts to limit internet freedom."

The company's remedy is to offer its Indian users servers located in Singapore and the UK as alternatives. Those servers will be named "India (via Singapore)" or "India (via UK)."

The latter is already up and running and has been for several years. ExpressVPN offered the via UK option because it has found that offshore servers can sometimes be faster and more reliable than in-country offerings.

India's new rules have been widely criticized as impractical and for impinging on privacy.

In response to such criticism, minster for Information Technology Rajeev Chandrasekhar said that if VPN providers don't like the rules, they can leave India.

ExpressVPN has called that bluff by continuing to offer its service while attempting to put itself beyond the reach of Indian authorities – which is not what India wanted when it introduced its infosec reporting requirements. ®

Broader topics


Other stories you might like

  • India extends deadline for compliance with infosec logging rules by 90 days
    Helpfully announced extension on deadline day

    Updated India's Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday.

    The Directions require verbose logging of users' activities on VPNs and clouds, reporting of infosec incidents within six hours of detection - even for trivial things like unusual port scanning - exclusive use of Indian network time protocol servers, and many other burdensome requirements. The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India. Yet the Directions allowed incident reports to be sent by fax – good ol' fax – to CERT-In, which offered no evidence it operates or would build infrastructure capable of ingesting or analyzing the millions of incident reports it would be sent by compliant organizations.

    The Directions were roundly criticized by tech lobby groups that pointed out requirements such as compelling clouds to store logs of customers' activities was futile, since clouds don't log what goes on inside resources rented by their customers. VPN providers quit India and moved their servers offshore, citing the impossibility of storing user logs when their entire business model rests on not logging user activities. VPN operators going offshore means India's government is therefore less able to influence such outfits.

    Continue reading
  • America edges closer to a federal data privacy law, not that anyone can agree on it
    What do we want? Safeguards on information! How do we want it? Er, someone help!

    American lawmakers held a hearing on Tuesday to discuss a proposed federal information privacy bill that many want yet few believe will be approved in its current form.

    The hearing, dubbed "Protecting America's Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security," was overseen by the House Subcommittee on Consumer Protection and Commerce of the Committee on Energy and Commerce.

    Therein, legislators and various concerned parties opined on the American Data Privacy and Protection Act (ADPPA) [PDF], proposed by Senator Roger Wicker (R-MS) and Representatives Frank Pallone (D-NJ) and Cathy McMorris Rodgers (R-WA).

    Continue reading
  • Spain, Austria not convinced location data is personal information
    Privacy group NOYB sues to get telcos to respect GDPR data access rights

    Some authorities in Europe insist that location data is not personal data as defined by the EU's General Data Protection Regulation.

    EU privacy group NOYB (None of your business), set up by privacy warrior Max "Angry Austrian" Schrems, said on Tuesday it appealed a decision of the Spanish Data Protection Authority (AEPD) to support Virgin Telco's refusal to provide the location data it has stored about a customer.

    In Spain, according to NOYB, the government still requires telcos to record the metadata of phone calls, text messages, and cell tower connections, despite Court of Justice (CJEU) decisions that prohibit data retention.

    Continue reading

Biting the hand that feeds IT © 1998–2022