Moneycontrol PRO
Open App
you are here: HomeNewsBusiness

ProtonVPN removes India servers protesting CERT-In's cybersecurity directions

This is the latest virtual private network (VPN) service provider to remove its servers from India after Netherlands-based Surfshark, Express VPN and Panama-based NordVPN.

September 22, 2022 / 03:59 PM IST
Representative image.

Representative image.

Proton, the Swiss company behind Proton VPN, on September 22, announced it was removing its physical servers from India while condemning the April 28 cybersecurity directions of the Indian Computer Emergency Response Team (CERT-In).

This is the latest virtual private network (VPN) service provider to remove its servers from India after Netherlands-based Surfshark, Express VPN and Panama-based NordVPN.

These VPN service providers took a uniform stand against logging requirements in the CERT-In directions that require service providers such as Proton to log customer details such as IP addresses, customer names and so on for a period of five years.

In a statement, Andy Yen, founder and CEO of Proton said, "Proton has no intention of ever complying with this or any other mass surveillance law. Quite the opposite, we are proud to invest in technology that bypasses surveillance and censorship and provides private access for all users to a free internet. "

However, the removal of servers from the country does not mean that Indian customers of Proton will not have access to its service.


Proton's India traffic will be routed through servers based in Singapore.

"This means users can keep an Indian IP address and access the Indian internet securely, but from servers physically located outside the jurisdiction of the Indian government and therefore not subject to logging rules," a release by Proton said.

CERT-In direction requirements

Under the CERT-In directions, service providers are expected to log:

Full name, physical address, email address, and phone number
IP address used to register for the VPN
IP addresses used connect to VPN servers in India

List of IP addresses issued for each customer

Apart from the logging requirements, concerns were also raised regarding the requirement that all body corporates have to mandatorily retain logs of their systems for 180 days and will have to report cybersecurity events within six hours.

CERT-In also wanted companies to synchronise their servers’ clocks to the servers of the National Informatics Centre or the National Physical Laboratory. Time servers are a key aspect of a cyber security investigation. Experts have said that by choosing NIC or NPL time servers, issues regarding server time latency may prop up, and it has also been pointed out that there are other better options than NIC or NPL.

Not all VPNs and extension

In a clarification issued by the CERT-In, the agency had said that the requirement of maintaining customer logs will not apply to enterprise and corporate virtual private networks.

According to the document released by CERT-In titled “Frequently Asked Questions on Cyber Security Directions of 28.04.2022”, the term “VPN service providers” will just apply to entities that provide “internet proxy like services through the use of VPN technologies, standard or proprietary, to general Internet subscribers”. The clarifications also state that the directions will also apply to foreign firms.

Although the directions came into force on June 28, CERT-In extended the deadline for micro, small and medium enterprises (MSMEs) to September 25.
Aihik Sur covers tech policy, drones, space tech among other beats at Moneycontrol
first published: Sep 22, 2022 03:59 pm
ISO 27001 - BSI Assurance Mark