SUMMARY
We value people's privacy – that's why we stand against India's new data regulation law. We'll shut down our physical Indian servers: Surfshark
Surfshark said it operates under a strict ‘no logs’ policy, and the new mandates go against the ‘core ethos’ of the company
Surfshark’s ‘virtual Indian servers’ will now be physically located in Singapore and London
As the deadline for new directives for virtual private networks (VPN), issued by the Indian Computer Emergency Response Team (CERT-In), inches closer, Surfshark has announced that it will shut its physical servers in India.
In a tweet, the VPN service provider said, “…We value people’s privacy – that’s why we stand against India’s new data regulation law. We’ll shut down our physical Indian servers…”
In a press statement, the Netherlands-based company termed the move a ‘radical action’ that impacts the privacy of millions of people.
Surfshark said it operates under a strict ‘no logs’ policy, and the new mandates go against the ‘core ethos’ of the company.
Lashing out at the new guidelines, the company said that VPN suppliers leaving India is not good for its burgeoning IT sector. “Taking such radical action that highly impacts the privacy of millions of people living in India will most likely be counterproductive and strongly damage the sector’s (information technology) growth in the country,” it added.
The VPN platform said it will shut its physical servers in the country before the law comes into effect on June 27. Post that, the company will establish its ‘virtual Indian servers’ which will be physically located in Singapore and London.
“We will continue to closely monitor the government’s attempts to limit internet freedom and encourage discussions intended to persuade the government to hear the arguments of the tech industry,” it added.
It said that 254.9 Mn Indians have had their accounts breached since 2004, adding that collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches.
This is the second major high-profile exit of a VPN vendor from the country. Earlier this month, ExpressVPN deinstalled its India-based servers citing its refusal to ‘participate in the Indian government’s attempts to limit internet freedom’.
The Bone Of Contention
The issue at the centre of the controversy is the April 28 order issued by CERT-In which mandates that all private VPNs, cloud service providers and other allied organisations should collect user data and store them for five years or more.
Non-compliance with the orders may lead to imprisonment for up to a year or fine of up to INR 1 Lakh, or both.
The move was panned by internet privacy activists, with one of them terming the new rules as having the potential to enable state-sponsored mass surveillance, commercial profiling and censorship.
Under fire, CERT-In later clarified that enterprise and corporate VPNs would be exempt from maintaining customer logs. However, the Centre continues to remain adamant on its demand, directing VPN operators to either follow the norms or terminate their businesses in the country.
According to a report, India is the second-largest VPN market in the world, accounting for 45% of internet usage happening through VPN. According to another report, VPN installations stood at 348.7 Mn in the first half of 2021 in the country.
