A week after popular VPN service provider ExpressVPN pulled its India servers, another VPN provider, Surfshark announced it is shutting down its servers in India. This development comes after CERT-In or Computer Emergency Response Team, the country's nodal agency that deals with cyber security threats, hacking and phishing had asked virtual network providers (VPN) companies in India to collect and store extensive user data for at least five years.
"In response to the new Indian data regulation laws, Surfshark is shutting down its servers in India. The new laws require VPN providers to record and keep customers’ logs for 180 days as well as collect and keep excessive customer data for five years," Surfshark said in a statement.
Surfshark’s physical servers in India will be shut down before the new mandate by CERT-In comes into effect later this month. Up until then, users will be able to connect to servers in India as usual. "After the new regulations come into effect, we’ll introduce our virtual Indian servers -- which will be physically located in Singapore and London. Users will be able to find them in our regular list of servers," the company added.
Surfshark has always operated under a strict "no logs policy", so the new government mandate goes against the core ethos of the company. A VPN is an online privacy tool, and Surfshark was founded to make it as easy to use for the common users as possible. "The infrastructure that Surfshark runs on has been configured in a way that respects the privacy of our users and we will not compromise our values -- or our technical base," Surfshark noted.
What happens to Surfshark users in the country who don’t use Indian servers?
Surfshark users in India will still be able to connect to whichever server outside the country they want without noticing any difference. Meanwhile, the VPN provider will continue to closely monitor the "government’s attempts to limit internet freedom" and encourage discussions intended to persuade the government to hear the arguments of the tech industry.
New measures do not provide the cybersecurity that India needs: Surfshark
According to Surfshark, VPN suppliers leaving India isn’t good for its burgeoning IT sector. As per Surfshark’s data, since 2004, the year data breaches became widespread, 14.9 billion accounts have been leaked and a striking 254.9 million of them belong to users from India. To put in perspective, 18 out of every 100 Indians had their personal contact details breached.
"The situation is extremely worrying in terms of lost data points, considering that per every 10 leaked accounts in India, half are stolen together with a password," Surfshark noted.
What do new CERT-In rules for VPN firms say?
Meanwhile, earlier in May, India's nodal agency CERT-In which deals with cyber security threats, hacking and phishing asked VPN service providers in the country to collect and store extensive user data for at least five years, citing objectives like fighting cybercrime and invoking the country's integrity and sovereignty. The new CERT-In rules come into effect later this month.
ABP Live had spoken to NordVPN, a leading VPN service provider operating in India that said the directive will hurt VPN companies in the country to some extent (Read more on this here). NordVPN had also mentioned that it intends to have a dialogue with the government for a "middle ground".