In April 2022, the Indian Computer Emergency Response Team (CERT-In) introduced cybersecurity guidelines in an effort to counter cyberattacks and strengthen online security. The new rules would require VPN services and other cloud service providers to maintain all customer data and ICT transactions for five years. The VPN industry has denounced the new directives, saying that such stringent laws go against the basic purpose and policy of Virtual Private Networks. Several VPN providers have removed their physical Indian servers. What are these new rules? And is there a workaround?

What Do the New Privacy Rules Mean for VPN Providers?

Under the new directions, service providers are required to keep a record of customers' information for five years or longer and hand it over to the government upon request.

The rules apply to consumer VPNs; corporate or enterprise VPNs don't fall into this category.

The new regulations, once implemented, would mean that any consumer VPN with physical servers in India would be forced to store customers' records, including:

  • Full name and address.
  • Phone number.
  • Email address.
  • Actual IP address.
  • New IP address (issued by the VPN).
  • Timestamp of registration.
  • Ownership pattern of customers.
  • Purpose of using the VPN.

VPN services are also required to maintain records of users even after they have canceled the service. Not only are these rules in violation of users' privacy; they are also incompatible with the way most VPNs work. Apart from the strict no-logs policies, the hardware configuration makes it impossible for some VPN providers to record data.

ExpressVPN, PIA, and Surfshark, for instance, operate RAM-based servers that use volatile RAM modules instead of traditional hard drives. Once power is removed from the servers, all data is lost.

The new rules were initially expected to come into effect within 60 days of being announced, i.e. on July 27. But according to an update from CERT-In, the deadline has been extended by three months to September 25, 2022.

The extension gives cloud service providers and SMEs the time required to build the capacity to implement the new directions. Failing to comply with them could lead to imprisonment or other punitive actions.

How Did the Cybersecurity Industry React to India's Privacy Rules?

The Internet Freedom Foundation (IFF) issued a statement calling this law a violation of users' privacy and information security.

VPN service providers, in particular, are up in arms against the guidelines because they go against the basic principle of VPNs, which is to keep users' activity private.

ExpressVPN was the first to move its servers out of India. It described the rules as "broad" and "overreaching" and maintained that the potential misuse of such a law far outweighs the benefits.

Surfshark soon followed suit and announced that it was shutting down its Indian servers. In a blog post, the company said,

"Surfshark proudly operates under a strict 'no logs' policy, so such new requirements go against the core ethos of the company."

NordVPN also confirmed that it's terminating Indian servers in response to the country's cybersecurity directive.

Several other VPN service providers are considering the same route if the privacy law is implemented in its current form, including:

  • Proton VPN.
  • CyberGhost.
  • Hide.me.
  • Pure VPN.
  • Privado.

Despite this, some VPNs still offer a way to get an Indian IP address using virtual servers.

Are Virtual Servers Safe to Use?

If you're a privacy-conscious user and need to unblock Indian content, there's a workaround in the form of virtual servers. It isn't ideal, but is still the next-best option.

A virtual server is a software-based representation of a dedicated physical server. It recreates the functionality but lacks the underlying machinery of a physical server. Network administrators use virtualization software to divide a physical server into multiple virtual servers.

VPNs like Surfshark and ExpressVPN use virtual servers to help users unblock Indian content. These servers are physically located in the UK and Singapore but use a range of Indian IP addresses that make it appear as if you're browsing the web from within India.

Since virtual servers aren't physically located in India, the new data retention laws don't apply to them. You still enjoy the normal no-logs policy—with some minor drawbacks. These include resource hogging and low-performance issues. This usually happens when a single physical machine hosts several virtual servers, some of which may start to overuse resources.

The second drawback relates to availability. Not all VPN services offer virtual servers, and those that do usually suffer from lag and slow connection speeds. However, you may see faster speeds if you're connecting from the country where the server is physically located.

What Does This Mean for VPN Users?

As top VPN companies terminate their servers in India, users are concerned about how they will use VPN services. Many VPNs have started providing virtual servers to cater to their needs.

As of now, we aren't aware of any VPN companies that have agreed to the data retention laws. But if you use a VPN and see an Indian server in the list of countries, it's worth checking with the company for your own privacy.