What now? “In response to the new Indian data regulation laws, Surfshark is shutting down its servers in India,” the Virtual Private Network (VPN) service provider said in a blog post dated June 7.
Déjà vu: This development comes a few days after ExpressVPN announced that it will remove its Indian-based VPN servers for the same reason. Back then, we wrote that this could set the stage for other VPN providers to follow suit, and it looks like it did. (story below)
What data regulation law? It’s not exactly a “data regulation law”, as both Surfshark and ExpressVPN refer to it, but rather a cybersecurity directive issued by the Indian Computer Emergency Response Team (CERT-In) on April 28. The directive, among other things, requires VPN service providers to maintain detailed information on customers, such as their names, contact details, the purpose of using the service, IP address, etc., for a period of at least five years and possibly logs of web activity for a period of 180 days.
Why is Surfshark not happy with the directive?
“Surfshark proudly operates under a strict “no logs” policy, so such new requirements go against the core ethos of the company. A VPN is an online privacy tool, and Surfshark was founded to make it as easy to use for the common users as possible. The infrastructure that Surfshark runs on has been configured in a way that respects the privacy of our users and we will not compromise our values – or our technical base.” – Surfshark
New measures do not provide the cybersecurity that India needs: Surfshark argued that the directions go against cybersecurity rather than strengthen it:
“Taking such radical action that highly impacts the privacy of millions of people living in India will most likely be counterproductive and strongly damage the sector’s growth in the country. Ultimately, collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches nationwide.”
Don’t understand how VPN is related to data breaches: Echoing similar thoughts as Surfshark, Dr. Joseph Lorenzo Hall, Senior Vice President for a Strong Internet, Internet Society, in his closing keynote address at an event organised by MediaNama remarked:
“VPN is not a piece of software; it’s not a service. It’s a concept where you have a network that says: I am allowing people to connect with me in a trusted fashion using this protocol. I don’t understand how the VPN requirement is related to (data) breaches. It seems like they are painting VPNs with a broad malicious brush.”
Earlier story dated June 3:
Why ExpressVPN Is Exiting India And What It Means For Others
What happened? “With a recent data law introduced in India requiring all VPN providers to store user information for at least five years, ExpressVPN has made the very straightforward decision to remove our Indian-based VPN servers,” the company announced on June 2.
What law? The Indian Computer Emergency Response Team (CERT-In) on April 28 issued cybersecurity directions, which, among other things, require VPN service providers to maintain detailed information on customers such as their names, contact details, the purpose of usage, IP address, etc, and possibly logs of web activity as well.
Users can still access Indian servers. How? ExpressVPN said that its users will still be able to connect to VPN servers that will give them Indian IP addresses and allow them to access the internet as if they were located in India. These “virtual” India servers will instead be physically located in Singapore and the UK.
“As for internet users based in India, they can use ExpressVPN confident that their online traffic is not being logged or stored, and that it’s not being monitored by their government.” – ExpressVPN
But ExpressVPN is not out of the woods yet: If ExpressVPN thought it could pull out of the country to avoid the new law, it is mistaken. The FAQs on the cybersecurity directions say that the directions apply to foreign companies serving Indian users as well, not just companies based in India. And since ExpressVPN will continue to serve Indian users, it is subject to the directions regardless of whether it physically has servers in India or not. In a response to Entrackr on Thursday, the IT Ministry reiterated, “The directions apply to any VPN Service provider offering services to the users in India.” However, it might be harder for the government to go after the company now because it does not have a physical presence in India.
Why are VPN providers not happy with the cybersecurity directions? Many of the popular VPN providers made it clear that they will not comply with the directions because they go against the very privacy features that VPNs tout. “We will never collect logs of user activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, meaning no logs of IP addresses, outgoing VPN IP addresses, connection timestamps, or session durations,” ExpressVPN reiterated in its announcement.
“ExpressVPN refuses to participate in the Indian government’s attempts to limit internet freedom. As a company focused on protecting privacy and freedom of expression online, we will continue to fight to keep users connected to the open and free internet with privacy and security, no matter where they are located.” – ExpressVPN
Technically not possible for us to comply: “Not only is it our policy that we would not accept logging, but we have also specifically designed our VPN servers to not be able to log, including by running in RAM. Data centers are unlikely to be able to accommodate this policy and our server architecture under this new regulation, and thus we will move forward without physical servers in India,” ExpressVPN said.
What are the ramifications of this move? ExpressVPN could set the stage for other VPN providers to make the same decision. NordVPN has already indicated that it will pull out from the country as well. Not just VPNs, but other companies that find the directions onerous might also exit India. And in place of these global products, Indian users might be left with inferior alternatives.
And that, kids, is how we make a market for lemons. https://t.co/TE5rTqiY9J
— Banbreach (@Banbreach) June 2, 2022
Didn’t the IT Minister give an ultimatum recently? Yes. On May 18, Minister of State for Electronics and Information Technology Rajeev Chandrasekhar told VPN providers that they can either comply or leave the country. “If you don’t have the logs, start maintaining the logs. If you’re a VPN that wants to hide and be anonymous about those who use VPNs and you don’t want to go by these rules, then if you want to pull out (from the country), frankly, that is the only opportunity you have,” Chandrasekhar said. Looks like ExpressVPN took this to heart.
Update (8 June, 9:40 am): This story was updated and headline changed after Surfshark’s announcement.