ExpressVPN is a VPN service operated by the British Virgin Islands-registered company Express Technologies Ltd..
The company that is owned by Kape Technologies, a UK-based adware platform, markets its product as a privacy and security tool to encrypt users' web traffic and masking their real IP addresses.
In September 2021, there were around 3 million ExpressVPN users around the world.
Due to the fact that its service deals with sensitive user data, the company has to protect the data no matter the cost, for the sake of its brand's credibility.
This is the reason why ExpressVPN is exiting India, simply because it doesn't want to comply with a new cybersecurity directive issued by the Indian Computer Emergency Response Team (CERT-In).
It began back on April 28th, when the Indian government issued new rules demanding all VPN service providers to store user data for at least five years, even after customers have deleted their accounts or canceled their subscriptions.
What's more, VPN companies are also required to share the data with authorities whenever required, and inform cybersecurity incidents to Cert-In within six hours.
The law is meant to help the government tackle cybercriminals.
The law that is set to go into affect in June, threatens noncompliant businesses with a year in prison.
The law was announced by Rajeev Chandrasekhar, India's Minister of State for Skill Development and Entrepreneurship and Electronics and Information Technology. who said that VPN companies have to "maintain logs".
"If you are a VPN that wants to hide and be anonymous about those who use VPNs to do business in India and do not want to go by these rules, then frankly pull out of India. That is the only opportunity you have," India's minister had said.
And this is exactly what ExpressVPN is doing.
ExpressVPN considers the data law initiated by CERT-In, intended to help fight cybercrime, incompatible with the purpose of VPNs, which are designed to keep users’ online activity private.
While the government doesn't detail whether the this law applies to international providers doing business in India, ExpressVPN is taking no risk and no chances.
Before the law goes into affect, the company is removing all of its servers from India from its network.
In a blog post:
We will never collect logs of user activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, meaning no logs of IP addresses, outgoing VPN IP addresses, connection timestamps, or session durations.
Essentially, we do not store or collect any data that could identify an individual and their online activity.
The company also said that the law is also overreaching and so broad, that it opens the window for potential abuse.
"We believe the damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it," the company said.
While the company removes its servers from India, the company assured that its users from India can still use ExpressVPN by connecting to its servers in Singapore or the UK.
Doing so will grant them virtual Indian IP addresses.
"Rest assured, our users will still be able to connect to VPN servers that will give them Indian IP addresses and allow them to access the internet as if they were located in India," the company said. "These 'virtual' India servers will instead be physically located in Singapore and the U.K,"
The company said that it has been operating “India (via UK)” server location for several years, and that virtual locations are used, where necessary, to provide faster, more reliable connections, it said.
The move by ExpressVPN should allow all of its Indian users to continue using a VPN without having their data stored by the company and turned up by the government on request, just the way it was before.
While this appears to be a win for privacy advocates, other VPN providers are expected to follow ExpressVPN's footsteps.
The internet has the ability to reach far-reaching places, allowing anyone with connection to access the almost limitless information and data.
Because of this fact, each and every government around the world has their own rules regarding what their respective citizens can see and cannot see.
And in India, its government does have a tendency of restricting access to many online services whenever they get in the way.
Among the most popular ways to circumvent this regulation, is by using VPN.
VPN services are used by many to access services that aren't available in their country or to simply browse the internet safely and anonymously. The latter is especially crucial in countries with strict internet censorship. And this is exceptionally true in India, where policies have tanked its internet freedom rankings for multiple consecutive years.
The government that finally realized that people can use VPN services, wants to ban VPNs, in order to prevent Indian users from accessing what the government think they shouldn't.
It's worth noting that ExpressVPN's parent company, Kape, also owns other VPN services and cybersecurity tools, including CyberGhost, Private Internet Access (PIA), and ZenMate.