March 28, 2024

NordVPN and Private Internet Access (PIA) are set to remove their physical virtual private network (VPN) servers located in India as a result of the government’s order that is coming into force later this month. The order seeks to make it mandatory for VPN service providers to record and keep logs of up to five years. The update comes just days after VPN service providers Surfshark and ExpressVPN announced their plans to pull India-based VPN servers over the directive.

Laura Tyrylyte, Head of Public Relations at NordVPN, told Gadgets 360 that it decided to remove its physical servers from India on June 26 to not comply with the order released by India’s Computer Emergency Response Team (CERT-In) in late April. The official order is notably coming into effect from June 28.

The Panama-based VPN service provider will send notifications to inform users “with full information” about the update via the NordVPN app starting June 20, the spokesperson said.

Unlike the other VPN service providers that are set to replace their physical servers in the country with virtual servers with Indian IP addresses due to the order, Tyrylyte said that NordVPN was not planning to build virtual servers and would remain using a completely dedicated infrastructure.

“No-logging features are embedded in our server architecture and are at the core of our principles and standards. Moreover, we are committed to protecting the privacy of our customers. Therefore, we are no longer able to keep servers in India,” the spokesperson said.

NordVPN believes that due to the government’s directive that requires VPN service providers — alongside data centres, virtual private server (VPS) providers, and cloud service providers — to register and maintain accurate information of their users for five years or longer, there could be a “possible effect” on people’s data.

The company also considered that the move could “drastically increase” the amount of stored private information “throughout hundreds or maybe thousands of different companies” in the country.

“In the past, similar regulations were typically introduced by authoritarian governments in order to gain more control over their citizens. If democracies follow the same path, it has the potential to affect people’s privacy as well as their freedom of speech. One way or another, this law will likely have a negative impact on people’s privacy and digital security,” the spokesperson noted.

NordVPN notably has over 30 VPN servers in India, per the details publicly available on its website.

Similar to NordVPN, PIA through a blog post announced that it is removing its VPN servers located in India. The company is, however, set to continue to offer its users access to Indian IP addresses using its geo-located servers based in Singapore.

“Connecting to them still changes your virtual location to India and makes you anonymous online, but it does not force us to comply with India’s new data collection directive,” the Denver, Colorado-headquartered company said.

PIA said that the directive passed by the government was the “first step to tougher online censorship” and “severely undermines the online privacy of Indian residents.”

CERT-In said that the order was made to limit the number of cybercrimes and cyberattacks in the country. However, PIA said that it was not entirely clear how collecting your data would not do the exact opposite. It also noted that the directive could result in a “widespread VPN adoption” over time.

PIA advised users to avoid services with physical VPN servers in the country.

“Once the new data collection legislation sets in, they will have to log and store your data, not to mention hand it over to the authorities if asked,” the company said.

Shortly after the order was released by CERT-In, VPN service providers had raised concerns over the move and hinted at the removal of their physical servers in the country. Tech firms including Facebook and Google also warned that the new rules by the government might create a fearing environment in the industry.

ExpressVPN and Surfshark emerged as the two initial entities to remove their servers in the country.

CERT-In last month released a Frequently Asked Questions (FAQ) document to give some clarifications on the order. However, it does not address the privacy concerns raised by stakeholders including all major VPN service providers.

Last week, the IT minister also held a meeting with some entities about its directions. People familiar with the matter, though, told Gadgets 360 that none of the global VPN players and digital rights groups including the Internet Freedom Foundation were not invited for the close-door conversation.