How VPNs in India are going virtual to protect the privacy of users

Hand holding a smartphone with VPN logo on screen and the Indian flag on the background
(Image credit: Shutterstock)

It's now a few weeks until India's new data retention law come into force, and VPN providers are busy planning their next moves.  

Two of the best VPN services around have already announced their decision to pull the plug on their physical servers based within the country.

Last week, ExpressVPN announced that it would remove its physical servers from India, on account that it "refuses to participate in the Indian government’s attempts to limit internet freedom". Then on Tuesday Surfshark announced likewise, confirming not to be willing to compromise the company's values nor its technical base.

With VPN services continuing to strongly defend their no-log policies, are more providers going to follow suit?   

Why do VPNs find India's data law so problematic?

On April 28, the Indian Computer Emergency Response Team (CERT-In) announced a set of directives that VPN services will soon have to follow to continue operating within the country. 

Expected to come into effect on June 27, the new regulation will force VPN providers to keep in store sensitive users' data for up to five years and share these with authorities when required.  

However, as ExpressVPN said when announcing its decision to shut down its Indian servers, CERT-In new directives are "incompatible with the purpose of VPNs".

Short for virtual private network, a VPN is a tool that aims to protect people's online privacy by masking their real IP while securing their data in transit inside an encrypted tunnel

Among other security measures, the most private services around enforce strict no-log policies to guarantee its users that none of their sensitive data can be stored, leaked or shared.

VPN encrypting a flow of data

(Image credit: Shutterstock)

India's new data law comes in an effort to cramp down on an ever-growing cybercrime incidents rate. With more than 86 million data breaches in 2021, India was the third most affected nation worldwide last year.

However, as Surfshark pointed out in an official statement: "Collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches nationwide."

And VPNs are not the only companies to be soon affected by India's new data retention law. Virtual private servers (VPS), cloud service providers, data centers and cryptocurrencies exchanges all will have to comply with CERT-In directives. 

The effect on ExpressVPN and Surfshark users in India

Both ExpressVPN and Surfshark have reassured their subscribers in India that the decision to shut down their physical servers will have a minimal effect on performance. In fact, Indian users will still be able to safely browse local sites without giving up their anonymity nor any other data. 

Instead of connecting to servers based within the country, they will have to pick one of their virtual servers located in Singapore and in the UK. These will be the same in terms of functionality as users will still get an Indian IP address

However, by rerouting the VPN traffic outside Indian borders, it will be impossible for authorities to get hold of it nor hinder normal VPN activities.  

Express's virtual private servers are already available among its servers list. While Surfshark will release those once the law comes into force. Until now, its users in India will need to access physical servers as usual. 

What next for VPN providers in India? 

Other major VPN providers told TechRadar about their commitment to stand against any users' privacy and anonymity violations.

Both CyberGhost and Private Internet Access (PIA) have confirmed their decision to replicate ExpressVPN and Surfshark's move - they will enable virtual access to Indian websites and content. 

However, CyberGhost have not excluded the possibility to reinstate their servers in the country in the future, "if we have reason to believe we can operate without state-sanctioned impositions on privacy."

PIA users will be able to connect to an Indian IP address using new geo-located servers in Singapore. "It’s not the first time Private Internet Access has had to take a stand against oppressive laws, and this certainly won’t be the last." Previously, it has removed physical servers from Hong Kong, Brazil and South Korea.

Meanwhile, IPVanish has decided not to pull the plug on its Indian physical servers just yet. However, it says it is prepared to take defensive actions if necessary: "If the Indian government confirms and enforces this directive on June 27th without VPN logging exemptions, we expect to shut down our physical servers in India. We have done this previously following government logging requirements in Hong Kong and Russia, so we’re prepared with a response protocol in place." 

The end of physical VPN servers in India?

Major VPN providers are standing firm to protect users' right to privacy and anonymity, without compromising their own policies. They all seem ready to shut down their physical servers in India once the CERT-in directives come into force at the end of the month.

If the infrastructure behind virtual servers makes this shift almost imperceptible to everyday users, this is not the same for the Indian government. Authorities will be actually deprived from the further control they were seeking to gain over their citizens.

Is this marking the end of physical VPN servers in India? Possibly. Virtual servers might even become the new normal to circumvent intrusive policies across the world.

But, at this point, we should probably be wondering if India's new data law will actually be enforced. After all, the decision of VPNs leaving the country makes it clear that CERT-In directives may end up being de facto ineffective.

Chiara Castro
Senior Staff Writer

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com