One of the world's largest virtual private networks, ExpressVPN, said it's shutting down its India-based bare-metal servers Thursday but will continue providing service to the country's users via virtual servers. The move comes in response to recent Indian government directives requiring VPN providers to log customer data for five years or longer. ExpressVPN said India-based users will still be able to use its app and software.
Read more: Casual vs. Critical: When Your VPN Is a Matter of Life or Death, Here's How to Pick One
The directive from India's Computer Emergency Response Team, known as CERT-in, mandates VPNs, cloud service providers and data centers to collect personally identifiable data about customers, including customer "usage patterns." VPNs that operate on built-in anti-logging hardware, as ExpressVPN says its network does, would be operating outside of the law.
"We are doing this because we refuse to ever put our users' data at risk. Not only is it our policy that we would not accept logging, but we specifically designed our VPN servers to not be able to log, including by running in RAM. Our policy and server architecture are simply incompatible with this new regulation, thus we have no choice but to cease operating physical VPN servers in India," ExpressVPN said in a Wednesday night release.
ExpressVPN has previously launched virtual servers in countries where bare-metal servers would be subject to service interruption by authorities. The company said its virtual servers for India will have physical counterparts in Singapore and the UK. To connect to those servers, users can simply use the app as normal and select locations labeled "India (via Singapore)" or "India (via UK)."
Read more: You Need to Be Using a VPN on Your Phone. Here's How to Set it Up in Under 10 Minutes