Nearly three months after popular VPN providers, including NordVPN, ExpressVPN and Surfshark, pulled their servers out of India following Cert-In’s new cybersecurity directive, Proton VPN has announced that they’ll be removing their servers from India citing “regressive new surveillance law”.
However, the company isn’t going to leave anyone using Proton VPN in India or accessing the web via Indian servers in limbo, as people will still be able to do so via a system put in place by the company called Smart Routing.
The company will continue offering Indian IP addresses using physical servers based in Singapore through this feature. Proton says this change will ensure that their servers and infrastructure are outside the Indian jurisdiction, ensuring they don’t have to comply with India’s data logging policy.
The five-year-long data logging policy is one of the major bones of contention with the new cybersecurity directive issued by the country’s apex cybersecurity body.
“Government surveillance and censorship is a growing threat around the world and we are deeply concerned about any trends towards restricting privacy and freedoms for citizens, especially this latest move from India. Proton has no intention of ever complying with this or any other mass surveillance law,” said Andy Yen, Founder and CEO, Proton.
The logged data will include IP address, name, contact information, time stamp and usage pattern for at least five years.
“Quite the opposite, we are proud to invest in technology that bypasses surveillance and censorship and provides private access for all users to a free internet. Proton is committed to protecting our users, fulfilling our mission to build a better internet where privacy is the default.”
Here’s a complete list of new directives that VPN providers have to follow in India.
Data centres, VPN, VPS and cloud service providers are required to register information about their users for five years or longer (if needed) after they stop using them.
This information includes validated names, period of subscription, IPs used, email and IP address used at the time of billing, the reason for subscribing, address and contact numbers, as well as the ownership pattern of the subscriber.
CERT-In can ask for this data as and when required, and it must be provided within a given time frame. Failure to do so would be considered non-compliance.Is the new CERT-In cybersecurity directive doing more harm than good?