Virtual Private Network (VPN) provider ExpressVPN on Thursday
announced that it’s removing Indian-based VPN servers in response
to a new cybersecurity directive issued by the Indian Computer
Emergency Response Team (CERT-In).
“Rest assured, our users will still be able to connect to VPN
servers that will give them Indian IP addresses and allow them to
access the internet as if they were located in India,” the company
said[1]. “These ‘virtual’ India
servers will instead be physically located in Singapore and the
U.K.”
The development comes as the CERT-In has enforced new controversial[2]
data retention requirements[3] that are set to come
into effect on June 27, 2022, and mandate VPN service providers to
store subscribers’ real names, contact details, and IP addresses
assigned to them for at least five years.
The logged user data, CERT-In emphasized, will only be requested
for the purposes of “cyber incident response, protective and
preventive actions related to cyber incidents.”
The agency has since clarified[4]
that this rule does not apply to corporate and enterprise VPN
solutions and are only aimed at those operators who provide
proxy-like services to “general Internet subscribers/users.”
“The new data law […], intended to help fight cybercrime, is
incompatible with the purpose of VPNs, which are designed to keep
users’ online activity private,” ExpressVPN said. “The law is also
overreaching and so broad as to open up the window for potential
abuse.”
The rules, dubbed Cyber Security Directions, also mandate firms
to report incidents of security lapses such as data breaches and
ransomware attacks within six hours of noticing them.
References
- ^
said
(www.expressvpn.com) - ^
controversial
(www.medianama.com) - ^
data
retention requirements (thehackernews.com) - ^
clarified
(www.cert-in.org.in)
Read more https://thehackernews.com/2022/06/expressvpn-removes-servers-in-india.html