NordVPN to shut VPN servers In India from June 26

After Surfshark and ExpressVPN, Panama-based virtual private network (VPN) service provider NordVPN has decided to remove its servers from India citing the April 29 directions of the Indian Computer Emergency Response Team (CERT-In), the company said in a statement to Moneycontrol.

The VPN service provider said that it will remove its servers on June 26, a day before the directions come into force.

“As one of the industry leaders, we adhere to strict privacy policies, which means we don’t collect or store customer data. No-logging features are embedded in our server architecture and are at the core of our principles and standards. Moreover, we are committed to protecting the privacy of our customers. Therefore, we are no longer able to keep servers in India,” Laura Tyrylyte, head of public relations at NordVPN told in a statement to Moneycontrol. She added that consumers will be notified through the app from June 20.

The April 29 directions bring in additional compliance requirements for all body corporates whose users are in India. It has been criticised by industry and civil society alike. However, VPN service providers including NordVPN and others have slammed it citing privacy concerns arising out of requirements that mandate service providers to log customer details, IP addresses allotted etc for a time period.

Tyrylte said that the regulation will increase the storage of private information and that it would have a direct impact on citizens’ data. She said, “As digital privacy and security advocates, we are concerned about the possible effect this regulation may have on people’s data. From what it seems, the amount of stored private information will be drastically increased throughout hundreds or maybe thousands of different companies,” she said.

She also drew parallels between the CERT-In directions and regulations of authoritarian governments, and asserted that the directions will have a negative impact on people’s privacy.

“In the past, similar regulations were typically introduced by authoritarian governments in order to gain more control over their citizens. If democracies follow the same path, it has the potential to affect people’s privacy as well as their freedom of speech. One way or another, this law will likely have a negative impact on people’s privacy and digital security,” she added.

ExpressVPN and Surfshark
On June 2, ExpressVPN, while announcing that it has removed its India servers from the country, termed the CERT-In guidelines as “incompatible with the purpose of VPNs, which are designed to keep users’ online activity private”.

Five days later on June 7, Surfshark announced that they too will be shutting down its servers in the country.

Gytis Malinauskas, Head of Legal at Surfshark had said, “The infrastructure that Surfshark runs on has been configured in a way that respects the privacy of our users, and we will not compromise our values – or our technical base.”

Ambit of CERT-In directions
It is unlikely that NordVPN, ExpressVPN or Surfshark will be outside the ambit of the CERT-In directions because they have removed their servers from India.

In the FAQs issued by Ministry of Electronics and Information Technology (Meity) on CERT-In directions, the agency had clarified that the directions “are applicable to any entity whatsoever, in the matter of cyber incidents and cyber security incidents”. In another FAQ on whether the directions are applicable to service providers who are not located in India but are catering to Indian users, CERT-In had reiterated the same.

The FAQs had also clarified that the directions will not apply to enterprise and corporate VPNs.

Minister’s ultimatum
Last month, Minister of State for Electronics and Information Technology Rajeev Chandrasekhar warned VPN companies that they are free to leave the country if they do not follow the directions.

Chandrasekhar, who was addressing a press conference on the clarifications issued by CERT-In on the April 28 directions said, “There is no opportunity for somebody to say we will not follow the laws and rules of India. If you don’t have the logs, start maintaining the logs. If you’re a VPN that wants to hide and be anonymous about those who use VPNs and you don’t want to go by these rules, then if you want to pull out (from the country), frankly, that is the only opportunity you will have. You will have to pull out.”

Last week, in a meeting chaired by Chandrasekhar, MeitY said it was considering relaxations for MSMEs and startups from the CERT-In directions. It also clarified other provisions of the directions, including cybersecurity reporting mandate and so on which have caused concerns in the industry. Moneycontrol