NordVPN, one of the world’s largest VPN providers, may pull out of India due to the Indian Computer Emergency Team’s order last week requiring virtual private network providers to maintain user data. “We are committed to protecting the privacy of our customers therefore, we may remove our servers from India if no other options are left,” Patricija Cerniauskaite, a spokesperson for NordVPN’s parent Nord Security, told Entrackr in a statement.
The Ministry of Electronics and Information Technology, under which CERT-in comes, ordered that VPN companies, along with cryptocurrency exchanges preserve records of users for five years. VPNs are used to reroute users’ internet connections through a different network; this can be used for a variety of purposes, like connecting into an office network that is otherwise not accessible from the general internet, or to access blocked websites by using servers in other countries.
VPN providers like Nord generally advertise another feature of VPNs as a selling point: privacy. They frequently claim to maintain no logs; Nord has had its no-logs policy audited periodically by PriceWaterhouseCoopers. But the IT Ministry’s order would require the company to break that policy for servers located in India. Users in India would likely be able to continue being able to connect to Nord’s servers in other countries, though.
Other VPN providers who comply with user privacy requirements may also depart by June, when the IT Ministry’s order comes into effect.
NordVPN currently provides 28 servers in India, to which its users in India and elsewhere in the world can connect. Its servers in India appear to be hosted at facilities run by Edgoo Networks in Mumbai. Nord used to have servers in Chennai as well, but it discontinued those a few months back. Nord’s India servers are notable because they appear to allow access to websites that are supposed to be blocked in India. This has not been reported before.
With this, India joins an unenviable list of other large countries from which Nord and other VPN providers either pulled out servers, or never had a presence in: Russia, from which Nord and other VPN providers pulled servers in the aftermath of the country ordering VPN firms to provide backdoor access to the government on demand in 2019; and China, which imposes strict controls on VPN providers.
“At the moment, our team is investigating the new directive recently passed by the Indian government and exploring the best course of action. As there are still at least two months left until the law comes into effect, we are currently operating as usual,” Cerniauskaite said.
While the IT Ministry’s order comes as a part of a cybersecurity directive, it’s interesting to note that NordVPN’s internal cyber risk rankings rated India as the country with the lowest cybercrime risk.