Days before new cybersecurity rules issued by India’s Computer Emergency Response Team (CERT-In), which mandate that VPN (virtual private network) providers store a wide range of user data for at least five years, come into effect, Panama-based NordVPN said it may consider removing its servers from the country.
“The directive will come into effect on June 27. If the current Indian government's position does not change in the next couple of weeks, we will remove our servers,” Laura Tyrylyte, head of public relations at Nord Security tells Fortune India in a mailed response. “That said, we don’t see any reason to remove our infrastructure earlier than necessary. We also aim to reach out to our customers and inform them about upcoming changes prior to removal,” Tyrylyte says.
ExpressVPN and Surfshark have already removed their India servers. “A VPN is an online privacy tool, and Surfshark was founded to make it as easy to use for the common users as possible. The infrastructure that Surfshark runs on has been configured in a way that respects the privacy of our users and we will not compromise our values – or our technical base,” Surfshark says in a blogpost published earlier this week.
The Netherlands-based firm said that VPN suppliers leaving India is not good for the country’s IT sector. Surfshark’s data shows that since 2004, the year data breaches became widespread, 14.9 billion accounts have been leaked and a striking 254.9 million of them belong to users from India.
“Taking such radical action that highly impacts the privacy of millions of people living in India will most likely be counterproductive and strongly damage the sector’s growth in the country. Ultimately, collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches nationwide,” the company says.
ExpressVPN said that the law is ‘overreaching’ and ‘so broad as to open up the window for potential abuse.’ “We believe the damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it,” says the company, adding that it “refuses to participate in the Indian government’s attempts to limit internet freedom.”
The new VPN rule notified by CERT-In is scheduled to come into effect on June 27, 2022. It requires companies to store users’ real names, the IP addresses assigned to them, usage patterns, and other identifying data for at least five years.
Surfshark said that after the new regulations come into effect, the firm will introduce virtual Indian servers, which will be physically located in Singapore and London, a move similar to the one made by ExpressVPN. Virtual server locations generate IP addresses that match the country users intend to connect to while being physically located in a different country. VPN service providers use virtual locations to provide faster, stable connections as and when required.
However, removing their India-based servers does not put VPN service providers beyond the ambit of CERT-In’s directions. As clarified by the Indian cyber security agency, the rules apply even to service providers that are not located in India but cater to Indian users.