© The Indian Express Pvt Ltd
Tags:
Journalism of Courage
Surfshark is shutting down its Indian servers in response to the country’s cybersecurity rules. The norms, released by the Indian Computer Emergency Response Team (CERT-In) in April, require VPNs to record and keep users’ logs for 180 days as well as store a range of information for five years. The company said its users’ would still be able to use its services via “virtual” servers located in Singapore and London.
Surfshark follows ExpressVPN, which also pulled its India servers last week in the aftermath of the cybersecurity rules, which have received widespread criticism from VPN providers along with other stakeholders.
In a blog post, the Netherlands-based company said India’s cybersecurity rules “go against the core ethos” of the company’s “no logs” policy.
“The infrastructure that Surfshark runs on has been configured in a way that respects the privacy of our users and we will not compromise our values – or our technical base,” it said. “Ultimately, collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches nationwide”.
Surfshark runs a network of over 3,200 servers in more than 65 countries.
Surfshark said India’s cybersecurity directive “is not good for its burgeoning IT sector”.
Citing its own data, it said that since 2004, around 15 billion accounts have faced data breaches, out of which more than 250 million belonged to Indian users. “The situation is extremely worrying in terms of lost data points, considering that per every 10 leaked accounts in India, half are stolen together with a password. Taking such radical action that highly impacts the privacy of millions of people living in India will most likely be counterproductive and strongly damage the sector’s growth in the country,” the company said.
Last week, ExpressVPN pulled its India servers, saying it “refuses to participate in the Indian government’s attempts to limit internet freedom”.
Surfshark may not be the last provider to shut down its India servers. Panama-based NordVPN has also been considering going the same route if the rules are implemented in their current form.
The guidelines, released by CERT-In on April 28, asked VPN service providers along with data centres and cloud service providers to store information such as names, e-mail IDs, contact numbers, and IP addresses. among other things, of their customers for a period of five years.
While the government has said it wants these details to fight cybercrime, the industry argues that privacy is the main selling point of VPN services, and such a move would be in breach of the privacy cover provided by VPN platforms.
However, despite these concerns, Minister of State for Electronics and IT Rajeev Chandrashekhar had earlier said that VPNs who would not adhere to the rules are free to exit the country.
The rules will come into effect on June 27.
Despite the company shutting down its servers, Surfshark said its Indian users will continue to be able to access its services. “Surfshark’s physical servers in India will be shut down before the new law comes into power. Up until then, users will be able to connect to servers in India as usual. After the new regulations come into effect, we’ll introduce our virtual Indian servers – which will be physically located in Singapore and London. Users will be able to find them in our regular list of servers,” Surfshark said.
“Virtual servers are functionally identical to physical ones – the main difference is that they’re not located in the stated country. They still provide the same functionality – in this case, getting an Indian IP,” it added.
While it is possible that connecting to virtual servers may face some lag, Surfshark’s users in India who don’t use Indian servers will not notice any differences.
Newsletter | Click to get the day’s best explainers in your inbox
