UPDATE: Since this article was published, the Indian government has extended the deadline for complying with its new cybersecurity directives and data collection rules by 3 months. The new deadline is September 25, 2022.
VPN provider PureVPN has confirmed it is shutting down its India servers, thus avoiding the ramifications of the new data collection directive scheduled to come into effect in India on June 27th.
VPN companies have been leaving India in droves over the past few weeks because the new laws sanctioned by the Ministry of Electronics and Information Technology conflict directly with the no-logs policy that all legitimate VPN providers follow.
Virtual servers have already been touted as a workaround to the heavy-handed legislation, but not all VPN companies leaving India have committed to setting them up.
PureVPN Leaves India for Good
“We are a strict no-log company,” said Shaheryar Popalzai, Head of MarComm, PureVPN in a statement justifying the decision to remove its server infrastructure from the territory.
“While we do not collect any identifiable information from our users,” he continued, “we cannot operate physical servers in a country where we will be forced to change our operating methods and compromise our users’ privacy and security.”
The position tacks closely to the one held by ExpressVPN, Surfshark, and NordVPN, who all provided a similar explanation for leaving India before the law came into effect.
India’s Data Collection Law Enforced Today
The much-talked-about data collection directive is due to come into effect today. The policy was created by the Indian Computer Emergency Response Team (CERT-In), which is a wing of the Ministry of Electronics and Information Technology.
It requires all companies processing the data of Indian citizens in the country to hold onto information such as names, email IDs, and – most importantly in the context of VPNs – IP addresses. As per the directive, such data must be held for at least five years.
The order is the latest government action to contribute to the slow erosion of internet freedom in India, with the country’s population regularly subject to orchestrated internet blackouts, particularly during times of protest.
A Huge Blow to a Big VPN Market
The entire point of a VPN is that they mask your IP address and make it harder to trace your internet traffic back to your device.
VPNs like PureVPN go to great lengths not only to hide users’ IP addresses but also to not collect any data on their traffic. In general, they aim to collect and hold as little information about users as possible.
The new directive comes into direct conflict with this, and essentially defeats the whole point of a VPN. Any VPN company still operating servers in India claiming to keep no logs will now either be breaking the law or lying to their customers.
According to Top10VPN, India has the second-highest rate of VPN usage in the world, with 45% of the population using the privacy-preserving technology in 2020 alone.
In raw terms, that’s around 620 million people – almost double the entire population of the USA. Now, they’ll have no local servers to reroute their internet connection through.
Will Virtual Servers Save the Day?
India’s law has placed a new focus on the existence of virtual servers, which are servers run and managed by VPN companies outside of the countries they’re listed as being in.
This is possible because a server can be set up to dish out Indian IP addresses, for instance, without actually being located in India. For the end-user, virtual servers function identically to servers actually located in the country.
They are often used by VPN companies to provide access to content in countries where the safety of their servers – and the user data being processed – cannot be guaranteed.
Surfshark and ExpressVPN both have virtual servers present in their networks serving users in other territories.
On top of this, virtual servers typically share hardware with other virtual servers, and thus the running costs aren’t as expensive as a VPN configured on a physical server.
PureVPN is “already running virtual servers for multiple locations such as Bangladesh, Bahrain, Egypt” according to Popalzai.
Do Businesses Need VPNs?
All the VPNs discussed in this article are geared toward individual consumers. However, Business VPNs are an increasingly popular piece of tech that companies are using to ensure the data and information they’re working with on a daily basis remains safe.
Companies like PureVPN offer both a consumer VPN and a VPN for businesses. Business VPNs provide a secure, encrypted tunnel through which employees working in remote locations can access company servers. Universities and other educational institutions often use them too.
If you have a lot of employees working remotely but aren’t yet using a VPN for Business, we’d strongly advise setting yourself up with one – in 2022, it’s an essential security tool.