India’s new rules for virtual private network (VPN) providers may lead such companies to abandon Indian users on their platforms. In a statement to Mint today, NordVPN, one of the top VPN providers in the world, said that it may cease operations in India in light of the cybersecurity rules issued by the Ministry of Electronics and Information Technology (MeitY) on April 28 through the Indian Computer Emergency Response Team (CERT-In).
“At the moment, our team is investigating the new directive recently passed by the Indian government and exploring the best course of action. As there are still at least two months left until the law comes into effect, we are currently operating as usual. We are committed to protecting the privacy of our customers; therefore, we may remove our servers from India if no other options are left,” Patricija Cerniauskaite, spokesperson for NordVPN, said.
VPNs, which typically mask a user’s actual internet protocol (IP) address and encrypt a user’s web traffic to add a layer of privacy to browsing, often store and track user data even without any mandate. Research into the data parameters collected by private VPNs shows that a large section of these services regularly maintain user data logs. NordVPN, in this research, is pegged as one of the few VPNs that do not voluntarily maintain data tracks of their users.
Explaining prevalent data collection and tracking practices by VPNs, Akash Karmakar, partner at law firm Panag & Babu, said, “VPNs did not track users other than for payment data which was stored by the payment gateway. Most VPNs used a double blind approach where they did not collect the user data and any user grievance was raised as an anonymous ticket.”
He added that the statutory limitation period for VPNs for user data tracking was three years, for which a user would be mapped to payments made by respective users for data security practices. “Now, with the five-year retention period, the intention of the government seems to be to mandate that VPNs introduce a traceability requirement to identify their users,” Karmakar added.
The new set of cybersecurity rules states that companies must report cyber incidents, which include most forms of threats and breaches, to the Indian Computer Emergency Response Team (CERT-In) within six hours of noticing them. The rules also urge crypto exchanges to maintain logs similar to what VPNs have been mandated to do.