Major VPN services have shut down service in India, as there is no way to comply with a new law without breaching their own privacy protection standards.
The law also applies to iCloud Private Relay, but Apple has not yet commented on its own plans.
New rules from India’s Computer Emergency Response Team
India’s Computer Emergency Response Team (CERT) has said that new rules will apply to VPN providers from September 25. These will require services to collect customer names, email addresses, and IP addresses. The data must be retained for at least five years, and handed over to CERT on demand.
This would breach the privacy standards of major VPN services, and be physically impossible for services like NordVPN, which keep no logs as a matter of policy. The company is registered in Panama specifically because there are no data-retention laws there, and no international intelligence sharing.
Major VPN services shut down Indian servers
The Wall Street Journal reports that major VPN services have shut down their Indian servers.
Major global providers of virtual private networks, which let internet users shield their identities online, are shutting down their servers in India to protest new government rules they say threaten their customers’ privacy […]
Such rules are “typically introduced by authoritarian governments in order to gain more control over their citizens,” said a spokeswoman for Nord Security, provider of NordVPN, which has stopped operating its servers in India. “If democracies follow the same path, it has the potential to affect people’s privacy as well as their freedom of speech,” she said […]
Other VPN services that have stopped operating servers in India in recent months are some of the world’s best known. They include U.S.-based Private Internet Access and IPVanish, Canada-based TunnelBear, British Virgin Islands-based ExpressVPN, and Lithuania-based Surfshark.
ExpressVPN said it “refuses to participate in the Indian government’s attempts to limit internet freedom.”
The government’s move “severely undermines the online privacy of Indian residents,” Private Internet Access said.
Customers in India will be able to connect to VPN servers in other countries. This is the same approach taken in Russia and China, where operating servers within those countries would require VPN companies to comply with similar legislation.
Apple’s iCloud Private Relay affected
The law also applies to iCloud Private Relay, which is effectively a VPN service used only for Safari.
The design of the iCloud Private Relay system ensures that no single party handling user data has complete information on both who the user is and what they are trying to access.
To do this, Private Relay uses modern encryption and transport mechanisms to relay traffic from user devices through Apple and partner infrastructure before sending traffic to the destination website.
Apple has not yet commented on its own planned response, but we have reached out to the company and will update with any response.
Cloud services also included
Cloud storage services are also subjected to the new rules, though there would be little practical impact on Apple here. iCloud does not use end-to-end encryption, meaning that Apple holds a copy of your decryption key, and can therefore already comply with government demands for information. 9To5Mac