Major VPN services have shut down services in India because there is no way to comply with the new laws without violating their own privacy standards.

This law also applies to iCloud Personal Relay, but Apple hasn’t commented on its own plans yet…

India’s Computer Emergency Response Team New Rules

India’s Computer Emergency Response Team (CERT) said that the new rules will apply to VPN providers from 25 September. This will require the service to collect customer names, email addresses, and IP addresses. Data must be retained for at least five years and submitted to CERT upon request.

This would violate the privacy standards of major VPN services and be physically impossible for a service like NordVPN, which maintains no logs in principle. The company is registered in Panama specifically because there are no data retention laws and no international information sharing.

Major VPN Service Shutting Down Indian Servers

Wall Street Journal reported that major VPN services had shut down their India servers.

The world’s leading provider of virtual private networks, which allow internet users to protect their online identities, shut down their servers in India in protest against new government regulations they say threaten the privacy of their customers. […]

Such rules are “usually introduced by authoritarian governments to better control their citizens,” said a spokesperson for Nord Security, a provider of NordVPN, which has stopped operating its servers in India. “If democracy follows the same path, it has the potential to affect people’s privacy as well as their freedom of expression,” he said. […]

Other VPN services that have shut down server operations in India in recent months are some of the most well-known in the world. They include US-based Private Internet Access and IPVanish, Canada-based TunnelBear, British Virgin Islands-based ExpressVPN, and Lithuania-based Surfshark.

ExpressVPN says it “refuses to participate in the Indian government’s efforts to restrict internet freedom.”

The government’s decision “severely damages the online privacy of Indian residents,” Private Internet Access said.

Customers in India will be able to connect to VPN servers in other countries. This is the same approach taken in Russia and China, where servers operating in those countries would require VPN companies to comply with similar laws.

Apple’s personal iCloud relay affected

This law also applies to iCloud Private Relay, which is actually a VPN service used only for Safari.

The design of the iCloud Personal Relay system ensures that no party processing user data has complete information about who the user is and what they are trying to access.

To achieve this, Private Relay uses modern encryption and transport mechanisms to relay traffic from a user’s device through the infrastructure of Apple and its partners before sending the traffic to the destination website.

Apple hasn’t commented on its own planned response, but we’ve reached out to the company and will update any responses.

Cloud services are also included

Cloud storage services are also subject to the new rules, though there’s little practical impact on Apple here. iCloud does not use end-to-end encryption, which indicates that Apple has a copy of your decryption key and may therefore have complied with government requests for information.

Photo: Petter Lagson/Unsplash

Check out the video below for more Apple news: