India’s Computer Emergency Response Team (CERT) has said that new rules will apply to VPN providers from September 25. These will require services to collect customer names, email addresses, and IP addresses. The data must be retained for at least five years, and handed over to CERT on demand.
I can still see ProtonVPN servers active in India. What is the plan for Proton VPN after September 25th? Anyone know?
Here’s what the ProtonVPN policy says about using ProtonVPN services in a high-risk country. This means be ready to have your information compromised if you use any server residing in India. This is terrible news for privacy in India.
Understand your threat model before connecting to servers in high-risk countries
As outlined in our threat model, Proton VPN cannot guarantee the absolute security of our servers in high-risk countries (such a guarantee is impossible for all VPN services). Therefore, you should consider any servers in a country with weak privacy protections to potentially be compromised as part of your user threat model.
Update: I’m jacked in to ProtonVPN Secure Core India (via Switzerland) at the moment. Secure Core is up and running in India, and I’m confident my data will remain secure, that even CERT India can’t crack me. I plan to continue enjoying my secure, private experience even after September 25.
Anyway, I’m starting to get hungry. Considering some malai kofta or perhaps some saag paneer …
So, I was right all along. ProtonVPN is pulling out of India altogether rather than comply with the new law. This is why I pay for ProtonVPN! Good job!
When the government realizes this bypass using Secure Core, they will get frustrated and start putting the onus on internet users.
So, ProtonVPN will be breaking Indian law? In one sense this might be a good thing, as the law might be challenged in court and even go up to the Supreme Court of India, where it might be struck down as unconstitutional.
I read somewhere that Proton will probably add a Secure Core option to India as they do in other unfriendly jurisdictions. In any case, all Proton servers are encrypted, and even 1B Indians crunching numbers 24/7/365 won’t crack that math. So, even if the servers themselves aren’t secure (e.g. they get confiscated), your data will remain secure.
As a Swiss company, Proton VPN needs to respect Swiss law.
I am trying to visualize 1B Indians sitting there with a pen and paper trying to crack the RSA encryption.
It’s not about cracking the code. It’s about the invasion of the privacy that a VPN is supposed to provide in the first place. No wonder all the other VPN providers are planning on quitting India before the law comes into effect.
I am assuming that the companies that remain will comply with the new law or get into legal trouble.
Swiss law applies only within Swiss borders. Outside is a separate matter. Local jurisdiction and laws apply there and take precedence. Just like you can travel to a foreign country with your country’s passport, but local laws still apply to you there just as they apply to the locals.
Ultimately yes, if a tyrannical government insists on enforcing its oppressive laws by confiscating servers, it’s time to pull out. Proton will likely add the Secure Core option to India. This explains how that works:
"We installed our Secure Core servers and continue to operate them ourselves to eliminate any chance that they could be tampered with, and all Secure Core VPN servers are located in countries with strong data privacy laws. Proton VPN’s Secure Core routes your traffic through these hardened servers before connecting you to a second VPN server. With Secure Core, if the other VPN server is somehow compromised, your online traffic and IP address remain safe." [emphasis mine]
I look forward to using Proton’s India Secure Core option for my sensitive online activity. If Indian oppressors are watching the traffic, they still won’t see my true IP address from where it originates; all they will see is a connection back to Proton’s Swiss, Icelandic, and/or Swedish Secure Core servers. We already know the encryption can’t be compromised; all the authoritarians can hope to do is see from where it originates. (In the case of Secure Core, it originates from Switzerland, Iceland, or Sweden.)
For example, I’m home in the USA (surveillance central). My ISP and other spies see my connection to ProtonVPN. They don’t see that I’m posting on Reddit. My ProtonVPN Secure Core traffic first hits a Proton-owned Secure Core server in Switzerland, Iceland, or Sweden. It then hits another Proton server (most likely leased) in another country. If someone in the other country uses a specific attack against that local server and tries to see where the traffic originates from, all he will see is Proton’s Secure Core server, not my home IP. It’s a dead end. The encryption can’t be compromised. My data is safe.
Proton has no local presence in India. My top comment is what counts.
But it has local assets (servers) which come under local jurisdiction. These assets do not reside in the Swiss Embassy, hence they are not in Swiss jurisdiction.
We are turning in circles and I am taking myself out of this discussion. My top comment answered your question; please read the high-risk country blog post linked there carefully, it is all written down there.
Important bits:
To avoid unfriendly governments from trying to claim jurisdiction over Proton VPN, we will utilize third-party infrastructure in high-risk countries. VPN services that own hardware or have a substantial staff presence in a country with weak privacy protections could fall under that country’s jurisdiction through the “principal place of business” doctrine. By working through third parties, Proton VPN avoids having a physical presence in any jurisdictions with weak privacy protections, making it difficult to dispute our status as a Swiss company.
We expect that in some high-risk countries, law enforcement or intelligence agencies may exert pressure on our infrastructure providers to monitor network traffic upstream of our servers. In the US, for example, ISP monitoring and NSA data collection is the default on almost all Internet connections. Since our Secure Core architecture reduces the amount of information that these agencies can collect through this type of surveillance, they may try to force Proton VPN to log the online activity on our servers. If this situation arises, we will shut down our server and withdraw from the country in question, instead of compromising our values or our strict no-logs policy.
Thanks for your input. I guess it’s a waiting game right now. We’ll see how ProtonVPN reacts after the law goes into effect on September 25th. If there is no change in status, then we’ll know that one of the two is true:
- The Indian government has decided not to enforce the law.
- Or the VPN providers operating and staying in India are complying with the law.
However, a public clarification and actions taken from ProtonVPN’s official blog would be very welcome to clear up the confusion.