New Delhi: A Netherlands-based cybersecurity services and Virtual Private Network (VPN) provider Surfshark has become the latest name that will be shutting down its physical servers in India after the Central government issued fresh directions asking VPN providers to register and share customer data with them when requested.
“In response to the new Indian data regulation laws, Surfshark is shutting down its servers in India. The new laws require VPN providers to record and keep customers’ logs for 180 days as well as collect and keep excessive customer data for five years,” the company said in a statement Tuesday.
The company said it has “a strict no logs” policy and will be shutting down its physical servers located in India before the new directions are expected to kick in by the end of June.
The new directions were issued by the IT Ministry’s Indian Computer Emergency Response Team (CERT-In) on 28 April.
Since then, another VPN provider ExpressVPN, headquartered in the British Virgin Islands, had similarly shut down physical servers in India.
Other providers like NordVPN and PureVPN have also voiced concern that complying with the new directive isn’t feasible, which means it is possible these companies may leave India as well.
What is the new govt direction?
CERT-In, which deals with cybersecurity incidents, issued directions to Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN service) providers asking them to register and store information about users for 5 years or for a duration mandated by law.
The user data includes customer name, usage period of the service, IPs used by customers, email address, address and contact numbers. Service providers have to also submit user data of the IP address and time stamp used at the time of registering for the VPN as well as state the purpose for using the service.
How Surfshark will serve India users now
“After the new regulations come into effect, we’ll introduce our virtual Indian servers – which will be physically located in Singapore and London. Users will be able to find them in our regular list of servers,” the company said.
Virtual servers function identical to physical ones. The only difference is the server is not located in the stated country. However, it will provide the VPN user with an Indian IP address and will look like the user is connecting to the internet from India.
Users in India (who opt to connect to a server in another country) “will not notice any differences – they will still be able to connect to whichever server outside the country they please.”
“VPN suppliers leaving India isn’t good for its burgeoning IT sector,” Surfshark noted, stating that details of 14.9 billion accounts were leaked in data breaches since 2004 and nearly 255 million of them were of Indian users.
A VPN gives users an encrypted and secure way to access the internet, making it harder for hackers to track personal data.
“To put in perspective, 18 out of every 100 Indians had their personal contact details breached…per every 10 leaked accounts in India, half are stolen together with a password,” it said.
Surfshark also warned that “collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches nationwide.”
(Edited by Monami Gogoi)
Also read: ‘Pirates’ robbing entertainment giants back in focus as Disney Star files FIR on leaked shows