Surfshark to shut down VPN servers in India in response to new rules

After ExpressVPN, now virtual private network (VPN) service provider Surfshark said that it is shutting down its physical servers in India in “response to the new data law” that requires VPN companies to collect and store data of their users for five years. 

“Surfshark proudly operates under a strict “no logs” policy, so such new requirements go against the core ethos of the company,” the Netherlands based VPN company said in a blog post. 

Last week, ExpressVPN said that it is shutting down its servers in India as it refused to comply with the new VPN rules that would come into effect on June 27. The new rules were first announced on April 28 by India’s cybersecurity nodal agency CERT-In. The data that VPN companies will have to log and even share with law enforcement if required, includes validated names of subscribers, IPs allotted to them, IP addresses, email addresses, contact numbers, and ownership patterns. 

VPN companies such as NordVPN and ProtonVPN were the first to express their concern over it and even threatened to pull servers from India. 

In its response, India’s minister of state for electronics and IT Rajeev Chandrasekhar said last month that VPN companies will have to follow the rules or they can move out of India.

Surfshark assured its users that after the new rules come into effect, it will introduce virtual Indian servers, which will be physically located in London and Singapore. Virtual servers provide the same functionality (getting an Indian IP) as physical servers and users outside India will be able to access content restricted in India using the virtual servers. ExpressVPN is also replacing its India servers with virtual servers hosted in the UK and Singapore. 

The removal of Indian savers will not have any impact on the company’s Indian users and they will continue to access any of the global servers as they were earlier, Surfshark said. 

Surfshark warned that VPN service providers leaving India is a concern for India’s IT sector, especially in the face of the growing cyberattacks. According to Surfshark, since 2004, 14.9 billion accounts have been leaked globally, out of which 254.9 million belong to Indian users. 

The Indian government on its part has exempted corporate VPNs from following the new VPN rules. 

Surfshark also called the new rules radical and warned that it will impact the privacy of millions of people living in India. It will also be counterproductive and strongly damage the sector’s growth in the country. 

“Ultimately, collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches nationwide,” it added. 

Privacy advocates have also warned that maintaining data logs by VPN companies will open users to new risks. It will also increase the cost of compliance for VPN companies.

Ravisha Chugh, associate principal analyst at Gartner points out that since the order requires VPNs to store all personally identifiable information for five years it significantly heightens the risk of a data leak. “There should be a strong data protection requirement attached to the policy otherwise exfiltration of data will increase tremendously,” she added. Chugh also warned that for VPN vendors this would also increase the cost of storing all the logs for such a long period.