ProtonVPN classifies India as high-risk country, calls VPN rules assault on privacy

Swiss privacy focused internet services provider Proton, which operates end to end encrypted email service Protonmail and the popular virtual private network (VPN) tool ProtonVPN, has called out India’s latest cyber security rules as an “assault on privacy.” The company joins fellow VPN service provider, NordVPN, in voicing concerns regarding rules that will soon require VPN service providers to maintain user logs – a move that could defeat the purpose of privacy that VPNs offer in the first place.

“The new Indian VPN regulations are an assault on privacy, and threaten to put citizens under a microscope of surveillance. We remain committed to our no-logs policy and recommend everyone using our servers in India to follow our guidelines,” an official statement by ProtonVPN said.

India’s latest cyber rules, notified April 28, require VPN service operators to maintain user registration information and usage data logs for a period of at least five years or longer. The rules, which seek to address data security issues, have been called “excessive” and “overreaching” by experts.

In Proton’s guidelines, where the company talks through the usage of VPNs in what it classifies as “high risk countries”, the service provider describes actions that it may take if forced to maintain user data logs. The company’s policy says, “In some high-risk countries, law enforcement or intelligence agencies may exert pressure on our infrastructure providers to monitor network traffic. Since our architecture reduces the amount of information that these agencies can collect through this type of surveillance, they may try to force ProtonVPN to log the online activity on our servers.”

ProtonVPN clarifies that under such circumstances, “we will shut down our server and withdraw from the country in question, instead of compromising our values or our strict no-logs policy.”

Fellow VPN service provider, NordVPN, has already taken a similar approach. In a statement emailed to Mint on Thursday, May 5, Patricija Cerniauskaite, a NordVPN spokesperson, said that while the company is operating as usual for the time being and investigating the new cyber security rules, it is “committed to protecting the privacy of our customers, and therefore, may remove our servers from India if no other options are left.”

The likes of ProtonVPN and NordVPN are regarded as among VPN service providers that do not actively track user data or maintain such backlogs. VPN services, typically those that operate for free, generally collect such data logs and sell the same to third parties to generate revenue.