Surfshark, a virtual private network (VPN) service provider, is shutting down its physical servers in India in “reaction to the new data law,” which mandates that VPN businesses collect and preserve customer data for five years.
ExpressVPN shut down its servers in India last week after refusing to comply with new VPN laws set to take effect on June 27
“Surfshark proudly operates under a strict “no logs” policy, so such new requirements go against the core ethos of the company,” the Netherlands-based VPN company said in a blog post.
CERT-In, India’s cybersecurity nodal body, originally announced the new guidelines on April 28. Validated names of users, IPs allotted to them, IP addresses, email addresses, contact numbers, and ownership patterns are among the data that VPN companies will be compelled to log and disclose with law authorities if necessary.
VPN providers such as NordVPN and ProtonVPN were among the first to express their displeasure with the situation, threatening to pull their servers out of India
Last month, India’s minister of state for electronics and information technology, Rajeev Chandrasekhar, declared that VPN providers either follow the rules or leave the country.
Surfshark promised its consumers that once the new rules take effect, it will launch virtual Indian servers physically based in London and Singapore. Users outside India would be able to access content blocked in India using virtual servers, which provide the same functionality (getting an Indian IP) as physical servers. ExpressVPN is also phasing out its India servers in favor of virtual servers based in the United Kingdom and Singapore.
According to Surfshark, the withdrawal of Indian servers would not affect the company’s Indian users, who will be able to access any of the global servers as before
VPN service providers leaving India, according to Surfshark, is a problem for India’s IT sector, especially in light of rising cyberattacks. According to Surfshark, 14.9 billion accounts have been leaked worldwide since 2004, with 254.9 million of those belonging to Indian users.
Corporate VPNs are exempt from the new laws, according to the Indian government. The new laws have also been dubbed “radical” by Surfshark, who warns that they will have an impact on the privacy of millions of Indians. It will also be ineffective and detrimental to the country’s economic prosperity.
Users will be exposed to additional hazards if VPN businesses keep data logs, according to privacy advocates. It will also raise the compliance costs for VPN providers. According to Ravish Chugh, associate principal analyst at Gartner, the directive dramatically increases the potential of a data leak because VPNs must preserve all personally identifiable information for five years.
“There should be a strong data protection requirement attached to the policy otherwise exfiltration of data will increase tremendously,” she added. Chugh also warned that for VPN vendors this would also increase the cost of storing all the logs for such a long period.
