Back in April the Indian government announced it would be pushing ahead with new rules on cybersecurity. They would require any firms providing cloud services to keep records of the names and IP addresses of their customers for five or more years, and hand it over to the government upon request.
Consumer VPN services fall into this category, but the new laws don’t apply to corporate or enterprise VPNs.
VPN services, by definition, protect their customers’ privacy, and most operate a no-logs policy which means they do not keep any records of IP addresses or anything else that could help identify a particular user or any online activity.
The new data regulation laws, which came into effect on 27 June 2022, would mean that any consumer VPN service with servers in India would be forced to maintain records of users’:
IP address (used to register for the service)
IP addresses (issued by the VPN provider)
use of the service (dates and times)
Not only are these changes terrible for privacy and internet freedom: they’re incompatible with they way most VPN services work. This isn’t simply because of their no-logs policies: the way their hardware is configured means it isn’t possible to record that data.
Surfshark, ExpressVPN and others use RAM-based servers which do not write any data to hard drives, which would be the obvious way to keep such logs.
As you’d expect, no credible VPN service has decided to start logging IP addresses for any customers using their Indian servers. Instead, they’ve had to shut them down ahead of the new laws coming into effect.
“Surfshark proudly operates under a strict “no logs” policy, so such new requirements go against the core ethos of the company. A VPN is an online privacy tool, and Surfshark was founded to make it as easy to use for the common users as possible. The infrastructure that Surfshark runs on has been configured in a way that respects the privacy of our users, and we will not compromise our values – or our technical base”, said Head of Legal, Gytis Malinauskas.
It’s a similar situation with ExpressVPN, which told Tech Advisor “We are doing this because we refuse to ever put our users’ data at risk. Not only is it our policy that we would not accept logging, but we specifically designed our VPN servers to not be able to log, including by running in RAM. Our policy and server architecture are simply incompatible with this new regulation, thus we have no choice but to cease operating physical VPN servers in India.”
Are virtual Indian VPN servers safe to use?
Rather than simply removing India from the list of countries, many VPN services have come up with a workaround. It isn’t ideal, but it’s the next-best option for those who need to unblock content in India.
The solution is to use so-called virtual servers. These aren’t physically located in India, so the data retention laws don’t apply.
For example, with Surfshark and ExpressVPN, when you connect to India, you’re actually connecting to a server in London or Singapore. But as far as any website or online service is concerned, you’re somewhere in India thanks to the use of a range of Indian IP addresses that these servers use.
This means that, yes, virtual Indian servers are safe to use: the normal no-logs policy still applies.
The only disadvantage might be a slower connection. However, it could also be faster. If you’re using Surfshark or ExpressVPN and are in the UK or Singapore, you’ll almost certainly see faster speeds than in you were in India.
Not all VPN providers are offering virtual servers, though. For now at least, NordVPN users won’t find India in the list of countries at all.
Dominik Tomaszewski / Foundry
If you use a different VPN and see India in the list, it’s well worth checking with the company to find out whether it has switched to a virtual server before using it. We’re not aware of any VPN services that have agreed to start logging, but for you own privacy, it’s worth making sure.
The following VPN services have confirmed that they have shut down physical Indian servers: