A new draconian law in India has recently shaken up commercial VPNs. To avoid the collection of data from their customers, they all leave the country. Is it so dangerous to connect in India?
You probably know how a VPN works. The goal is to connect to a server not to use its real IP and additionally encrypt your traffic. All commercial VPNs also offer to go through a server abroad. The goal is, for example, to connect to a server in the USA to enjoy American TV channels online or American Netflix. But why would anyone want to connect in India? Indian expatriates can potentially connect to a server in their country of origin to watch a cricket match for example (yes it’s a bit “cliché”, but hey…)
What’s wrong with India?
However, a new law concerning data collection (20(3)/2022-CERT-in) poses many problems for VPNs. It requires businesses and online service providers to store user activities and data for use in the event of a cyber incident and/or cyber security-related events. India’s IT Department therefore requires companies and any online services with physical servers in its jurisdiction to collect sensitive customer data. They must also keep this data for at least five years, even if their customers no longer use their services.
We know the song: whether it’s terrorism, pedophilia or here “cybersecurity”, the goal is of course to collect data on citizens to better control them.
VPNs are on the mend!
This is not the first time that India has taken a bit for its Chinese neighbor by threatening Twitter employees with jail or banning certain online services. In the case of VPNs, the minister in charge of new technologies was clear: “Leave India if you do not respect the law. The various VPNs have therefore all issued press releases to reassure their customers: ProtonVPN, ExpressVPN, Surfshark and NordVPN are leaving the ship so as not to be under a legal obligation to record personal information. Some, like CyberGhost, have nevertheless found the solution with the possibility of connecting to a virtual server. Everything works as if you are connecting to Mumbai, but since the server is not present in the country, the law does not apply. On the other hand, if it is no longer possible for an Indian citizen to register for a VPN, the only option for journalists and whistleblowers would be to go through Tor…