After ExpressVPN, another virtual private network (VPN) service provider Surfshark has decided to shut down its servers in India in the wake of new CERT-In directive, which mandates storage of user data for five years. Surfshark said though its physical servers will be shut down before the new regulations come into effect, Indian users will continue to access services through their virtual Indian servers – which will be physically located in Singapore and London.
The new directions will come into effect from June 27. “A VPN is an online privacy tool, and Surfshark was founded to make it as easy to use for the common users as possible. The infrastructure that Surfshark runs on has been configured in a way that respects the privacy of our users, and we will not compromise our values – or our technical base,” said Gytis Malinauskas, head of Legal at Surfshark.
Meanwhile, the government reiterated on Tuesday that anybody providing services in the country has to obey the rules. It is, however, not clear how the government will enforce the rules when the companies are not physically present in India.
“There are some companies who believe anonymity is their express marketing USP. Unfortunately for us, anonymity is not a safe harbour for criminality. Lot of companies have built their business model around anonymity. For us production of evidence during the commitment of a crime or investigation of a crime is an absolutely unambiguous obligation of every intermediary,” minister of state for electronics and IT Rajeev Chandrasekhar said.
He said the government is not asking for data from these companies. “We don’t want any data but when there is an illegality committed, you should definitely be in a position to produce data about who committed that illegality. This is what we are asking for. We are going to have zero tolerance on anonymity being a cover for crime online,” he asserted.
Surfshark though said VPN suppliers leaving India isn’t good for its burgeoning IT sector. The company said its data shows that since 2004, the year data breaches became widespread, 14.9 billion accounts have been leaked and a striking 254.9 million of them belong to users from India.
To put in perspective, 18 out of every 100 Indians had their personal contact details breached. The situation is extremely worrying in terms of lost data points, considering that for every 10 leaked accounts in India, half are stolen together with a password, the VPN provider added.
“Taking such radical action that highly impacts the privacy of millions of people living in India will most likely be counterproductive and strongly damage the sector’s growth in the country.
Ultimately, collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches nationwide,” Surfshark said.
The Indian Computer Emergency Response Team (CERT-In) had come with a directive on April 28, which mandated all VPNs, cloud service providers, government and private agencies, intermediaries, data centres among others to store data of users like real names, IP addresses assigned to them, usage patterns, and other identifying data for a period of five years. Apart from storing data, CERT-In has also asked for mandatorily reporting cyber security breach incidents to it within six hours of noticing them.