Global VPN Providers Pull India Servers Over New Cybersecurity Rules


Major global providers of virtual private networks, which let internet users shield their identities online, are shutting down their servers in India to protest new government rules they say threaten their customers’ privacy.

The Indian agency overseeing computer security will soon require VPN operators in India to collect information such as customer’s names, email addresses and the IP addresses they use to connect to the internet. Providers must maintain the data for at least five years and furnish the information to authorities when asked.

India’s Computer Emergency Response Team has said the new rules, which will be implemented from Sept. 25, are needed to tackle cybercrime and defend the “sovereignty or integrity of India” and the security of the state.

But the withdrawing VPN companies and internet-rights groups say by collecting such data, the companies will imperil their users’ privacy and curtail online speech. Digital groups say the government’s rules amount to overreach and are more typical of those imposed in China or Russia than in democracies.

Such rules are “typically introduced by authoritarian governments in order to gain more control over their citizens,” said a spokeswoman for Nord Security, provider of NordVPN, which has stopped operating its servers in India. “If democracies follow the same path, it has the potential to affect people’s privacy as well as their freedom of speech,” she said.

The rules are the latest challenge facing international technology companies in the world’s most populous democracy, where New Delhi has moved to rein in global tech giants. The government has in recent years moved to tamp down online dissent on platforms such as

Twitter Inc.

and

Meta Platforms Inc.’s

Facebook.

Indian police last year arrested a woman for allegedly helping activist Greta Thunberg in what they called a possible criminal conspiracy to support protests in India by sharing an online tool kit with information on how to bring attention to their cause.

New Delhi has been moving to rein in global tech giants.



Photo:

noah seelam/Agence France-Presse/Getty Images

VPNs typically allow users to mask their location and identities by encrypting and routing their traffic through “tunnels” between their services and customers’ computers.

Other VPN services that have stopped operating servers in India in recent months are some of the world’s best known. They include U.S.-based Private Internet Access and IPVanish, Canada-based TunnelBear, British Virgin Islands-based ExpressVPN, and Lithuania-based Surfshark.

ExpressVPN said it “refuses to participate in the Indian government’s attempts to limit internet freedom.”

The government’s move “severely undermines the online privacy of Indian residents,” Private Internet Access said.

India’s Computer Emergency Response Team didn’t respond to a request for comment on the services’ withdrawal. India’s minister of state for technology,

Rajeev Chandrasekhar,

has said publicly that the new rules are needed to prevent cybercrimes, and that if VPN services don’t want to comply, they should exit India.

“If your business model depends on anonymous use of data centers, the cloud, and VPNs sitting on those infrastructure, that won’t work” because tech companies have an obligation to produce information related to crimes, Mr. Chandrasekhar said in July.

Complying with the regulations would mean VPN companies will “cease to provide their core service—privacy and security—and lose their basic functionality or purpose,” said Namrata Maheshwari, Asia Pacific policy counsel at digital-rights group Access Now.

Some of the services withdrawing from India say they will allow users to connect to their servers in other nations, but not directly in India.

“We have a similar approach in Russia and China, where maintaining a physical server presence in the regions would require us to comply with invasive privacy regulations in these countries,” said a spokesman for Private Internet Access.

Also affected by the new rules are global cloud operators, which will be required to store and furnish data on customers.

Representatives for Amazon Web Services,

Alphabet Inc.’s

Google and

Microsoft Corp.

declined to comment on whether they would comply with the new regulations, or if they were already following the rules. A spokesman for

Apple Inc.

didn’t respond to a request for comment.

U.S. and other tech companies have been pouring billions of dollars into India in recent years to make inroads in the world’s biggest untapped tech market, where hundreds of millions of people are getting online for the first time.

The Wall Street Journal reported last year that India’s government threatened to jail employees of Twitter, Facebook and WhatsApp, prompted by the tech companies’ reluctance to comply with data and takedown requests related to protests against the government. The Indian government has said that foreign companies must comply with local laws.

Write to Newley Purnell at newley.purnell@wsj.com

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8

Leave a Reply

Your email address will not be published.

%d bloggers like this: