Virtual private network operator ExpressVPN will pull its servers from India, citing the impossibility of complying with the nation’s incoming requirement to record users’ identities and activities.
ExpressVPN offers software that routes traffic through servers that load their operating systems entirely into RAM and therefore leave no trace of users’ activities on persistent media. The outfit suggests that’s a point of difference to other VPN providers.
But that design is a problem given India’s recently introduced requirement that VPN providers verify customers’ identity, retain their contact details, and store five years’ worth of data describing their “ownership pattern”.
In a blog post, ExpressVPN states its all-RAM design makes compliance with India’s rules impossible because it doesn’t store any logs of users’ activities.
The company also dislikes India’s rules, which it has described as “incompatible with the purpose of VPNs.”
“The law is also overreaching and so broad as to open up the window for potential abuse,” the post adds. “We believe the damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it.”
“ExpressVPN refuses to participate in the Indian government’s attempts to limit internet freedom.”
The company’s remedy is to offer its Indian users servers located in Singapore and the UK as alternatives. Those servers will be named “India (via Singapore)” or “India (via UK).”
The latter is already up and running and has been for several years. ExpressVPN offered the via UK option because it has found that offshore servers can sometimes be faster and more reliable than in-country offerings.
India’s new rules have been widely criticized as impractical and for impinging on privacy.
In response to such criticism, minister for Information Technology Rajeev Chandrasekhar said that if VPN providers don’t like the rules, they can leave India.
ExpressVPN has called that bluff by continuing to offer its service while attempting to put itself beyond the reach of Indian authorities – which is not what India wanted when it introduced its infosec reporting requirements. ®