Security services-provider Avast decided to make unavailable its virtual private network (VPN) services from India affecting several users, following a mandate issued by the Indian Computer Emergency Response Team (CERT-In) on customer data collection and storage by service-providers.
In a
statement, Avast says, "Due to cybersecurity regulations in India, we are making changes to the availability of various Avast VPN features. The CERT-In requires all VPN providers to log information such as email addresses, IP addresses, time stamps, and more. This information must then be stored for a minimum of five years."
"All Avast VPN features are now unavailable while in India. If you try to connect to one of our VPN features while being physically in India, you will see the following error message: VPN is unavailable. This feature cannot be accessed in this territory. The access to Indian servers is no longer available, regardless of your location. You are still able to use our VPN features while travelling outside of India," it added.

The VPN restrictions apply to Avast products like SecureLine VPN, Avast One, Mobile Security Premium and Avast Secure Browser PRO.
However, Avast is not the only VPN service-provider that has withdrawn its services from India. Earlier, refusing to participate in the Indian government's attempts to limit internet freedoms and maintaining their commitment to protecting users online, ExpressVPN, NordVPN, Surfshark, and IPVanish removed their servers from the country, says
a report from Tomsguide.
According to the report, Apple and Google have removed six VPNs from the App and Google Play stores in India. It includes PrivadoVPN and Hide.me VPN. Hide.me VPN's chief executive officer (CEO) Sebastian Schaub told Tomsguide that "We find the actions from the Indian government highly concerning and this sort of censorship should not have a place in a democracy. However it does not come as a big surprise after the recent law amendments, which adds an impossible burden on VPN providers to operate legally in the country."
In April 2022, CERT-In released guidelines mandating VPNs to store certain information about their customers. The requirements under the guidelines are twofold – (i) information such as names of customers, allotted IP addresses, IP address while registering, purpose for hiring VPN services, and so on, need to be stored for five years and (ii) customer logs that can include data such as timestamps, bandwidth used, sites visited, files downloaded and so on, need to be stored for 180 days.
While the move has been alleged to be an invalid invasion of privacy, the government has argued that it is a reasonable restriction needed to combat cybercrimes. The apparent concerns on both sides – regarding breach of privacy and fighting crime—are justified, and thus, it becomes necessary to balance them.
VPNs are seen specifically as providers of privacy. The expectation of the same from them is higher. By creating secured networks through which users can connect to the global network, VPNs protect users' data from being viewed by internet service-providers (ISP) which is what conventionally happens. In fact, a 'No-Logs' (not storing customer logs) policy is a significant selling point for many VPN providers. With VPN providers halting their operations in India, the guidelines are seen to be nullifying VPN's ability to provide privacy.
The CERT-In guidelines mandate the storage of names, contacts and addresses, all of which are personal data sets, since the individual to who they belong can be identified through them. Their leakage can pose various dangers.
You may also want to read...