Virtual private network (VPN) provider Surfshark announced Tuesday that it will shut down its servers in India in response to a government directive that made it mandatory for VPN service providers to register and maintain user logs for 180 days and to collect and maintain customer data for five years.
Surfshark shuts down servers in India
The Netherlands-based company said it operated under a strict “no logging” policy, so the new government requirements go against its “core value”. Last week, ExpressVPN withdrew its VPN servers in the country in response to the government order.
The company said in its statement: “Surfshark’s physical servers in India will be shut down before the new law comes into effect. Until then, users will be able to connect to servers in India as usual. After the new regulations come into force, we will introduce our virtual Indian servers, which will be physically located in Singapore and London. Users will be able to find them in our usual list of servers.”
Virtual servers are functionally identical to physical ones; the main difference is that they are not located in the indicated country. They still provide the same functionality, in this case getting an Indian IP.
“Indian users not using Indian servers will not notice any difference; they will still be able to connect to any server outside the country they want. In the meantime, Surfshark will continue to closely monitor the government’s attempts to limit Internet freedom and encourage discussions aimed at persuading the government to listen to the tech industry’s arguments,” the company noted.
In particular, VPN providers leaving India is not good for its burgeoning IT sector. Surfshark data shows that since 2004, the year data breaches became widespread, 14.9 billion accounts have been breached and a staggering 254.9 million of them belong to users in India.
To put it into perspective, 18 out of 100 Indians had their personal contact details breached. The situation is extremely worrying in terms of lost data points, considering that for every 10 accounts leaked in India, half are stolen along with a password.
Taking such a radical action that heavily impacts the privacy of millions of people living in India is likely to backfire and heavily damage the growth of the sector in the country. Ultimately, the collection of excessive amounts of data within Indian jurisdiction without strong protection mechanisms could lead to even more breaches across the country.
New VPN rules in India
The new directive, entitled “Directions under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet”, was released on April 28 by the Indian Computer Emergency Response Team (CERT-In) under the Ministry of Electronics and Information Technology.
The new rules require VPN providers to register and store the following customer information for at least five years:
- Name, email address and phone number
- The client’s purpose for using the VPN service
- The IP addresses assigned to the client and the IP address that the client used to register with the service
- “Ownership model” of the client
One of the main reasons CERT-In has given for collecting this information is that it will help to effectively track anti-social elements and cybercriminals who engage in various dishonest acts on the Internet.
According to a report by WIRED, several VPN providers expressed similar concerns about the new guidelines. For example, ExpressVPN’s vice president Harald Lee said the company will never log user information or activity and will change its operations and infrastructure “if and when necessary in order to maintain.”
“CERT-In is committed to responding to any cybersecurity incident,” said Srinivas Kodali, a researcher with the Indian Free Software Movement, which focuses on digitization in India, although he denies its effectiveness in doing so. Keeping this information at hand should, in theory, allow CERT-In to investigate any event after the fact more quickly. But many believe this is not the whole story.
“CERT-In really has no clean record, and they have never protected the privacy of citizens,” says Kodali. “According to the rules, they are only going to demand these logs when they are really needed for the investigation. But in India, you never know how they will be abused.”
The law-enforcement approach of “collecting data first and then asking questions” also worries others. “It’s an easy way to remember all the data and keep track of your users,” said Anupam Chander, a law professor at Georgetown University in Washington, DC.
He added, “So if [India] needs it for law enforcement, intelligence or other purposes, they can get it later.” And capturing VPN data can potentially gather information about the millions of Indians who rely on the technology. According to data collected by VPN service provider Atlas VPN, one in five Indians used a VPN in 2021, compared to 3 per cent in 2020.
In addition, Surfshark told WIRED that it can no longer comply with India’s logging rules because it uses only RAM-based servers, which automatically overwrite user data, while ProtonVPN said that although it was monitoring the directive, it was committed to protecting its no-logs policy and the privacy of its users.