Proton VPN Refuse To Store Customers’ Information; Removes Servers From India
Yet another VPN company has joined the list and pulled its physical servers from India in protest against the April 28 cybersecurity directions of the Indian Computer Emergency Response Team (CERT-In).
Mandatory to store private citizen data
Like its peers, Protonvpn made its move in response to the new CERT-In guidelines for such service providers to maintain user logs for five years.
Although the directions came into force on June 28, CERT-In extended the deadline for micro, small and medium enterprises (MSMEs) to September 25.
The company called these terms “highly regressive and represent a significant increase in government intrusion into people’s private lives”.
Several firms remove servers from India
Earlier, other virtual private network (VPN) service providers had removed their servers in India such as Netherlands-based Surfshark, Express VPN and Panama-based NordVPN.
All three have only removed their physical servers from India, without disrupting the service.
They all took a unified stand against logging requirements in the CERT-In directions that require service providers such as Proton to log customer details such as IP addresses, customer names and so on for a period of five years.
Andy Yen, founder and CEO of Proton said that the company has no intention of ever “complying with this or any other mass surveillance law.”
He expressed pride in that the company invests in technology that “bypasses surveillance, censorship and provides private access for all users to a free internet. “
Services still available to Indian users
Removal of servers from the country does not mean that Indian customers will not have access to its service.
Edward Stone, communications lead at Proton AG said, “We could not in good conscience simply pull out of India and leave people cut off. That’s why we have put our money where our mouth is and put in place new protections for Indian users.”
Proton said users can keep an Indian IP address and access the Indian internet securely.
But the servers will be physically located outside the jurisdiction of the Indian government and therefore not subject to logging rules.
CERT-In direction requirements
Service providers are expected to log:
- Full name, physical address, email address, and phone number
- IP address used to register for the VPN
- IP addresses used to connect to VPN servers in India
- List of IP addresses issued for each customer
But it is not just the logging requirements that are of concern.
Issues regarding server time latency
CERT-In also wanted companies to synchronise their servers’ clocks to the servers of the National Informatics Centre or the National Physical Laboratory.
Time servers are a key part of a cyber security investigation.
Experts say that by choosing NIC or NPL time servers, issues regarding server time latency may prop up.
Aside from that there are other better options than NIC or NPL.
CERT-In has clarified that the requirement of maintaining customer logs will not apply to enterprise and corporate virtual private networks.
It said that the term “VPN service providers” will just apply to entities that provide “internet proxy like services through the use of VPN technologies, standard or proprietary, to general Internet subscribers”.
The directions will also apply to foreign firms.