wordpress blog stats
Connect with us

Hi, what are you looking for?

, , ,

Surfshark shuts down its Indian VPN servers after ExpressVPN. Who’s next?

ExpressVPN and Surfshark have decided to remove their Indian-based VPN servers because of the new cybersecurity directions.

What now? “In response to the new Indian data regulation laws, Surfshark is shutting down its servers in India,” the Virtual Private Network (VPN) service provider said in a blog post dated June 7.

Déjà vu: This development comes a few days after ExpressVPN announced that it will remove its Indian-based VPN servers for the same reason. Back then, we wrote that this could set the stage for other VPN providers to follow suit, and it looks like it did. (story below)

What data regulation law? It’s not exactly a “data regulation law” as both Surfshark and ExpressVPN refer to it as, but rather a cybersecurity directive issued by the Indian Computer Emergency Response Team (CERT-In) on April 28. The directive, among other things, requires VPN service providers to maintain detailed information on customers such as their names, contact details, the purpose of using the service, IP address, etc, for a period of at least five years and possibly logs of web activity for a period of 180 days.

Why is Surfshark not happy with the directive?

“Surfshark proudly operates under a strict “no logs” policy, so such new requirements go against the core ethos of the company. A VPN is an online privacy tool, and Surfshark was founded to make it as easy to use for the common users as possible. The infrastructure that Surfshark runs on has been configured in a way that respects the privacy of our users and we will not compromise our values – or our technical base.” – Surfshark

New measures do not provide the cybersecurity that India needs: Surfshark argued that the directions go against cybersecurity rather than strengthen it:

Advertisement. Scroll to continue reading.

“Taking such radical action that highly impacts the privacy of millions of people living in India will most likely be counterproductive and strongly damage the sector’s growth in the country. Ultimately, collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches nationwide.”

Don’t understand how VPN is related to data breaches: Echoing similar thoughts as Surfshark, Dr. Joseph Lorenzo Hall, Senior Vice President for a Strong Internet, Internet Society, in his closing keynote address at an event organised by MediaNama remarked:

“VPN is not a piece of software; it’s not a service. It’s a concept where you have a network that says: I am allowing people to connect with me in a trusted fashion using this protocol. I don’t understand how the VPN requirement is related to (data) breaches. It seems like they are painting VPNs with a broad malicious brush.”

Earlier story dated June 3:

Why ExpressVPN Is Exiting India And What It Means For Others

What happened? “With a recent data law introduced in India requiring all VPN providers to store user information for at least five years, ExpressVPN has made the very straightforward decision to remove our Indian-based VPN servers,” the company announced on June 2

What law? The Indian Computer Emergency Response Team (CERT-In) on April 28 issued cybersecurity directions, which, among other things, require VPN service providers to maintain detailed information on customers such as their names, contact details, the purpose of usage, IP address, etc, and possibly logs of web activity as well.

Users can still access Indian servers. How? ExpressVPN said that its users will still be able to connect to VPN servers that will give them Indian IP addresses and allow them to access the internet as if they were located in India. These “virtual” India servers will instead be physically located in Singapore and the UK.

“As for internet users based in India, they can use ExpressVPN confident that their online traffic is not being logged or stored, and that it’s not being monitored by their government.” – ExpressVPN

But, ExpressVPN is not out of the weeds yet: If ExpressVPN thought it can pull out of the country to avoid the new law, it is mistaken. The FAQs on the cybersecurity directions say that the directions apply to foreign companies serving Indian users as well, not just companies based in India. And since ExpressVPN will continue to serve Indian users, it is subject to the directions regardless of whether it physically has servers in India or not. In a response to Entrackr on Thursday, the IT Ministry reiterated, “The directions apply to any VPN Service provider offering services to the users in India.” However, it might be harder for the government to go after the company now because it does not have a physical presence in India.

Advertisement. Scroll to continue reading.

Why are VPN providers not happy with the cybersecurity directions? Many of the popular VPN providers made it clear that they will not comply with the directions because it goes against the very privacy features that VPNs tout. “We will never collect logs of user activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, meaning no logs of IP addresses, outgoing VPN IP addresses, connection timestamps, or session durations,” ExpressVPN reiterated in its announcement.

ExpressVPN refuses to participate in the Indian government’s attempts to limit internet freedom. As a company focused on protecting privacy and freedom of expression online, we will continue to fight to keep users connected to the open and free internet with privacy and security, no matter where they are located.” – ExpressVPN

Technically not possible for us to comply: “Not only is it our policy that we would not accept logging, but we have also specifically designed our VPN servers to not be able to log, including by running in RAM. Data centers are unlikely to be able to accommodate this policy and our server architecture under this new regulation, and thus we will move forward without physical servers in India,” ExpressVPN said.

What are the ramifications of this move? ExpressVPN could set the stage for other VPN providers to make the same decision. NordVPN has already indicated that it will pull out from the country as well. Not just VPNs, but other companies that find the directions onerous might also exit India. And in place of these global products, Indian users might be left with inferior alternatives.

Didn’t the IT Minister give an ultimatum recently? Yes. On May 18, Minister of State for Electronics and Information Technology Rajeev Chandrasekhar told VPN providers that they can either comply or leave the country. “If you don’t have the logs, start maintaining the logs. If you’re a VPN that wants to hide and be anonymous about those who use VPNs and you don’t want to go by these rules, then if you want to pull out (from the country), frankly, that is the only opportunity you have,” Chandrasekhar said. Looks like ExpressVPN took this to heart.

Advertisement. Scroll to continue reading.

Update (8 June, 9:40 am): This story was updated and headline changed after Surfshark’s announcement. 

Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



The Delhi High Court should quash the government's order to block Tanul Thakur's website in light of the Shreya Singhal verdict by the Supreme...


Releasing the policy is akin to putting the proverbial 'cart before the horse'.


The industry's growth is being weighed down by taxation and legal uncertainty.


Due to the scale of regulatory and technical challenges, transparency reporting under the IT Rules has gotten off to a rocky start.


Here are possible reasons why Indians are not generating significant IAP revenues despite our download share crossing 30%.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ