ExpressVPN shuts down servers in India, refuses to collect and share user data

Express VPN said it is removing its VPN servers in India as it doesn't want to “participate in the Indian government's attempt to limit internet freedom” in the name of fighting cybercrime.  

Owned by British Virgin Islands-based Express Technologies, ExpressVPN called the new law "overreaching" and broad which opens up the "window for potential abuse." 

"We believe the damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it," the VPN company said in a blog post. 

Express VPN reiterated that it will never collect logs of user activity, browsing history, traffic destination, connection logs, timestamps, or session duration.

"Essentially, we do not store or collect any data that could identify an individual and their online activity," the VPN company added.

Under the April 28 order issued by the Ministry of Electronics and Information Technology (MeitY), companies such as ExpressVPN would have been forced to collect and store all this data for five years and share it with relevant government authorities when asked. 

MeitY has asked VPN providers to collect and record validated names of subscribers, IPs allotted to them, IP addresses, email addresses, validated addresses, contact numbers, and ownership patterns for 5 years or longer even after the customer has canceled the registration. 

The new order is expected to come into effect on June 27. 

Last month, May 5, NordVPN had threatened to pull out servers from India if it was forced to collect and share user data. NordVPN had told Mint at that time that it is “committed to protecting the privacy of customers, and therefore, may remove servers from India if no other options are left.”

Switzerland-based ProtonVPN had also expressed concern over the new rules and said it will remain committed to its no-logs policy. In its response to these threats, last month, MeitY’s Minister of State Rajeev Chandrasekhar told Mint that VPN companies to follow rules or leave India. 

In terms of impact on ExpressVPN's existing customers outside India who want to access Indian IP, the VPN company assured that there will none. 

"Our users will still be able to connect to VPN servers that will give them Indian IP addresses and allow them to access the internet as if they were located in India," it said in the blog post.

The virtual India servers will be physically located in Singapore and the UK.

Most reputed VPN providers claim to have a no-logs policy, especially for paying users, which means the VPN provider doesn’t collect or log traffic that passes through its servers. Some VPN providers collect connection logs but draw a line when it comes to usage logs, which can include a lot of potentially sensitive personal information. 

The use of VPN apps in India has soared after the pandemic. India ranked fourth among 85 countries in the VPN penetration rate in the first half of 2021, according to Atlas VPN’s Global VPN adoption index. VPN installation in India grew from 3.28% in 2020 to 25.27% in the first half of 2021. India is believed to have 270 million VPN users. 

Lawmakers have expressed concern over this as VPNs are being used by cybercriminals to stay under the radar. In September 2021, a Parliamentary Committee on Home Affairs suggested that VPN apps should be banned in India.