Leading virtual private network (VPN) service provider NordVPN on Tuesday announced it will remove servers from India over a recent cybersecurity directive from the Indian Computer Emergency Response Team (CERT-In).
Panama-based NordVPN joins Surfshark and ExpressVPN in removing its servers from the country over the April 28 directive from India’s cyber agency that seeks additional compliance requirements for all VPN providers whose users are in the country.
“As one of the industry leaders, we adhere to strict privacy policies, which means we don’t collect or store customer data. No-logging features are embedded in our server architecture and are at the core of our principles and standards,” a NordVPN spokesperson said in a statement.
“Moreover, we are committed to protecting the privacy of our customers. Therefore, we are no longer able to keep servers in India,” the company added.
The new cybersecurity norms asked VPN service providers along with data centres and cloud service providers, to store information such as names, email IDs, contact numbers, and IP addresses (among other things) of their customers for a period of five years.
CERT-In later issued a set of clarifications, stating that the rules of maintaining customer logs will not apply to enterprise and corporate virtual private networks (VPNs).
Earlier this month, ExpressVPN announced it has removed its India servers from the country, terming the CERT-In norms as “incompatible with the purpose of VPNs, which are designed to keep users’ online activity private”.
Surfshark later announced to shut down its servers in the country.
Another player Proton VPN said in a tweet that the new CERT-In norms are “an assault on privacy, and that it will continue maintaining its no-log policy”.
“The new Indian VPN regulations are an assault on #privacy and threaten to put citizens under a microscope of surveillance. We remain committed to our no-logs policy and recommend everyone using our servers in India to follow these guidelines,” it had tweeted.
Internet Freedom Foundation (IFF) had called on CERT-In to recall “Directions on Information Security Practices issued on April 28 that go into effect on June 27”.
“These directions are vague. They undermine user privacy and information security, contrary to CERT’s mandate,” the IFF had tweeted.
“At the outset we note that non-compliance of these directions issued under Section 70B carry a potential criminal liability for imprisonment. Hence, there needs to be greater care on, who they apply; what are the compliance demands; and their link to cyber security,” it added.
The directions apply to “all service providers, intermediaries, data centers, body corporate and government organizations”.