Explained: After ExpressVPN, why Surfshark shut down its servers in India

Why has Surfshark removed its India servers?

In a blog post, the Netherlands-based company said India’s cybersecurity rules “go against the core ethos” of the company’s “no logs” policy.

“The infrastructure that Surfshark runs on has been configured in a way that respects the privacy of our users and we will not compromise our values – or our technical base,” it said. “Ultimately, collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches nationwide”.

Surfshark runs a network of over 3,200 servers in more than 65 countries.

Surfshark said India’s cybersecurity directive “is not good for its burgeoning IT sector”.

Citing its own data, it said that since 2004, around 15 billion accounts have faced data breaches, out of which more than 250 million belonged to Indian users. “The situation is extremely worrying in terms of lost data points, considering that per every 10 leaked accounts in India, half are stolen together with a password. Taking such radical action that highly impacts the privacy of millions of people living in India will most likely be counterproductive and strongly damage the sector’s growth in the country,” the company said.

How have other VPN providers reacted?

Last week, ExpressVPN pulled its India servers, saying it “refuses to participate in the Indian government’s attempts to limit internet freedom”.

Surfshark may not be the last provider to shut down its India servers. Panama-based NordVPN has also been considering going the same route if the rules are implemented in their current form.

What are India’s rules related to VPNs?

The guidelines, released by CERT-In on April 28, asked VPN service providers along with data centres and cloud service providers to store information such as names, e-mail IDs, contact numbers, and IP addresses. among other things, of their customers for a period of five years.

While the government has said it wants these details to fight cybercrime, the industry argues that privacy is the main selling point of VPN services, and such a move would be in breach of the privacy cover provided by VPN platforms.

However, despite these concerns, Minister of State for Electronics and IT Rajeev Chandrashekhar had earlier said that VPNs who would not adhere to the rules are free to exit the country.

The rules will come into effect on June 27.

What happens to Indian users of Surfshark?

Despite the company shutting down its servers, Surfshark said its Indian users will continue to be able to access its services. “Surfshark’s physical servers in India will be shut down before the new law comes into power. Up until then, users will be able to connect to servers in India as usual. After the new regulations come into effect, we’ll introduce our virtual Indian servers – which will be physically located in Singapore and London. Users will be able to find them in our regular list of servers,” Surfshark said.

“Virtual servers are functionally identical to physical ones – the main difference is that they’re not located in the stated country. They still provide the same functionality – in this case, getting an Indian IP,” it added.

While it is possible that connecting to virtual servers may face some lag, Surfshark’s users in India who don’t use Indian servers will not notice any differences.

Newsletter | Click to get the day’s best explainers in your inbox