NordVPN to shut servers in India as government tightens data retention laws


June 14: Downloading the torrent file for the latest Netflix release while sitting in a comfortable bed anywhere in India becomes all the more difficult, as more and more virtual network providers pull out of the country to avoid the latest diktat of the Narendra Modi government, share data of VPN users or face a ban. The move strikes at the core of VPNs: protect user privacy.

On Tuesday, NordVPN developed by Nord Security, a cybersecurity software development company that set shop 10 years ago and has 5.600 servers in 59 countries, announced its servers in India will be shut down on June 26, a day before the new rules come into effect.

The company said on Tuesday that it doesn’t maintain any logs of its customers’ data, or strings of information that New Delhi will require all VPN providers to share.

“We are committed to protecting the privacy of our customers. Therefore, we are no longer able to keep servers in India,” Laura Tyrylyte, head of public relations at NordVPN told TechCrunch. “Our Indian servers will remain until June 26. In order to ensure that our users are aware of this decision, we will send notifications with the complete information via the NordVPN app starting from June 20.”

“As digital privacy and security advocates, we are concerned about the possible effect this regulation may have on people’s data. From what it seems the amount of stored private information will be drastically increased throughout hundreds or maybe thousands of different companies. It is hard to imagine that all, especially small and medium enterprises, will have the proper means to ensure the security of such data,” Tyrylyte added.

The Lithuania-based company operates under the jurisdiction of Panama which does not have any data retention laws and in April 2019 had shut its servers in Russia, following a similar order from the Putin government.

The Indian Computer Emergency Response Team, the body appointed by the government to protect India’s information infrastructure, unveiled cybersecurity guidelines in late April that will require “virtual private server (VPS) providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organizations” to store customers’ names, email addresses, IP addresses, know-your-customer records and financial transactions for a period of five years.

Earlier, two other popular VPN providers ExpressVPN and SurfShark have already shut down their servers in India. There is no data available on the number of active VPN users in India, though most of the VPN providers in their websites maintain that their services are used by millions of users worldwide.

ProtonVPN has also reaffirmed its commitment towards the “no log policy” followed by the company. Some VPN providers including ExpressVPN have indicated that “virtual server locations” will continue to be available to India-based customers, though it could still violate the new cyber laws.

NordVPN’s Tyrylyte told TechCrunch that the company believes it was “going to find a way to meet the requirements of all of our customers, regardless of their location.”

Lawmakers in India have made it clear that they have no intentions to relax the new rules.

Rajeev Chandrasekhar, the junior IT minister of India, said in a press conference last month that VPN providers who wish to conceal who uses their services “will have to pull out” of the country. The government, he said, will not be holding any public consultation on these rules.

The new rules also mandate firms to report incidents of security lapses such as data breaches within six hours of noticing such cases. Following pushback from advocacy groups, Chandrasekhar said last month that India was being “very generous” in giving firms six hours of time to report security incidents, pointing to nations such as Indonesia and Singapore that he said had stricter requirements.

“If you look at precedence all around the world — and understand that cybersecurity is a very complex issue, where situational awareness of multiple incidents allow us to understand the larger force behind it — reporting accurately, on time, and mandatorily is an absolute essential part of the ability of CERT and the government to ensure that the internet is always safe,” he said.

The new guidelines were formulated after the Indian parliamentary committee on Home, which is responsible for internal security, called for a permanent ban on all VPNs in September last year and stricter surveillance as cybercriminals were using VPNs.