ExpressVPN on Thursday announced that it has removed its virtual private network (VPN) servers in India in response to the recent directions given by the government to make it mandatory for VPN service providers to keep user data for at least five years and share records with authorities when required. The British Virgin Islands-based company said that the directions, which were given by India’s Computer Emergency Response Team (CERT-In) and will come into force starting June 27, were “incompatible with the purpose of VPNs” and “overreaching”.
As a result of the update, ExpressVPN will no longer have its Indian-based VPN servers. Users will, however, still be able to connect to VPN servers that will give them Indian IP addresses and connect to the Internet as if they were located in India, the company said in a blog post.
The “virtual” India VPN servers will be physically located not in the country and will instead be available in Singapore and the UK, the company noted.
“As for Internet users based in India, they can use ExpressVPN confident that their online traffic is not being logged or stored, and that it’s not being monitored by their government,” ExpressVPN added.
The company said that the order by the government that was released in late April was “overreaching and so broad as to open up the window for potential abuse.”
ExpressVPN said that the law is “incompatible with the purpose of VPNs, which are designed to keep users’ online activity private.”
“We believe the damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it,” it explained.
ExpressVPN also assured that it would never collect logs of user activity, including browsing history, traffic destination, data content, or DNS queries. The service provider stated that it never stored connection logs, including the logs of IP addresses, outgoing VPN IP addresses, connection timestamps, or session durations.
All this is something that the government wanted VPN service providers to store for at least five years. The directive also ordered service providers to “mandatorily enable logs” of their systems and maintain them securely for a rolling period of 180 days.
ExpressVPN said that in addition to its policy that is not allowed to accept logging, its VPN servers are specifically designed to be unable to log, including by running in RAM.
“Data centres are unlikely to be able to accommodate this policy and our server architecture under this new regulation, and thus we will move forward without physical servers in India,” the company said.
With the virtual Indian servers, ExpressVPN said that the user experience will have a minimal difference over what its users would get through physical servers. They will be required to select the VPN server location ‘India (via Singapore)’ or ‘India (via UK)’ to connect to an Indian server.
ExpressVPN already has virtual server locations. The company said that it had been operating its ‘India (via UK)’ server location for several years.
These virtual locations use a registered IP address that matches the country users have chosen to connect to, while the server is physically located in another country.
ExpressVPN said that virtual locations were used to provide faster, more reliable connections — over traditional Internet connections.
It is important to point out that alongside ExpressVPN, NordVPN parent Nord Security, Surfshark, and ProtonVPN had raised concerns over the Indian government’s directive. Nord Security also hinted that it might remove its servers from India if no other options were left.