ExpressVPN rejects CERT-In directives, removes its India servers

Virtual private network (VPN) operator ExpressVPN is pulling its servers out of India, citing the impossibility of complying with the country’s upcoming mandate to record users’ names and activities.

“With a recent data law introduced in India requiring all VPN providers to store user information for at least five years, ExpressVPN has made the very straightforward decision to remove our Indian-based VPN servers,” the company said in a blog post.

“ExpressVPN refuses to participate in the Indian government’s attempts to limit internet freedom,” it said.

All companies will be required to notify any cybersecurity incident to CERT-In within six hours and store all data for a specified period of time under the new rules, which will take effect 60 days after being notified, ET had reported earlier.

The new data law proposed by India’s Computer Emergency Response Team (CERT-In) to combat cybercrime is incompatible with the purpose of VPNs, which are supposed to keep users’ internet behaviour private, the company said.

“Rest assured, our users will still be able to connect to VPN servers that will give them Indian IP addresses and allow them to access the internet as if they were located in India. These “virtual” India servers will instead be physically located in Singapore and the UK,” it added.

In terms of the user experience, there is minimal difference. For anyone wanting to connect to an Indian server, simply select the VPN server location “India (via Singapore)” or “India (via UK).”