British Virgin Islands-based PureVPN has become the fourth VPN company to remove its servers from India. Their announcement comes on Monday (July 27), the date from which the ​​Computer Emergency Response Team (CERT-In)’s directives to enhance cyber security would be implemented. 

In a press release, the company said it would not comply with the Centre’s directives. Users can continue to avail of their VPN services by accessing virtual servers. 

“We are a strict non-log company. While we do not collect any identifiable information from our users, we cannot operate physical servers in a country in which we will be forced to change our operating methods and compromise our users’ privacy and security,” said Head of MarCom, PureVPN, Shaheryar Popalzai. 

New cybersecurity norms

On April 28, CERT-In, an office within the Ministry of Electronics and Information Technology issued directives to further bolster Indian cyber security. Under the new norms, CERT-In had asked VPN service providers, along with data centres and cloud service providers, to store information including the names, email IDs and IP addresses (among other things) of their customers for five years.

VPN companies had vehemently opposed these directives, noting that it was against their operational policies to either store or disclose such logs to the government.

So far, NordVPN, ExpressVPN, Surfshark and now PureVPN have withdrawn their servers from India.

The immediate impact on consumers will be minimal as customers with Indian IPs can continue to access VPN services by accessing their servers abroad. The lag time in accessing websites is supposed to increase; further, customers cannot access websites in India which require an Indian geolocated IP.

However, the government has warned VPN companies catering to the general public that they are free to leave India if they do not adhere to CERT-In’s diktat. Activists and experts, however, note that CERT-In’s statements infringe on the privacy of Indian citizens.