Virtual private network (VPN) provider Surfshark on Tuesday announced that it is shutting down its servers in India as a response to the government’s directive that made it mandatory for VPN service providers to record and keep logs of users for 180 days and collect and keep customer data for five years. The Netherlands-based company said it operated under a strict “no log” policy, so the new requirements by the government go against its “core ethos.” Last week, ExpressVPN pulled its VPN servers in the country in response to the government’s order.
Surfshark said that its physical servers in India would be shut down before the new law comes into power. The company decided to introduce its virtual Indian servers instead of the physical servers in the country that will be located in Singapore and London. The virtual servers will have an Indian IP to provide the same functionality, but without being physically located in the country.
“Virtual servers are functionally identical to physical ones – the main difference is that they’re not located in the stated country. They still provide the same functionality,” Surfshark said.
The company also underlined that its users in India who do not use Indian servers would not notice any differences.
“A VPN is an online privacy tool, and Surfshark was founded to make it as easy to use for the common users as possible. The infrastructure that Surfshark runs on has been configured in a way that respects the privacy of our users, and we will not compromise our values – or our technical base,” said Gytis Malinauskas, Head of Legal at Surfshark, in a prepared statement.
Surfshark also said that it would continue to closely “monitor the government’s attempts to limit Internet freedom and encourage discussions intended to persuade the government to hear the arguments of the tech industry.”
The company mentioned that VPN service providers leaving the country was not good for the IT sector.
Citing its internal data, Surfshark said that since 2004, 14.9 billion accounts have been leaked online — of which, 254.9 million are of users from India.
“Taking such radical action that highly impacts the privacy of millions of people living in India will most likely be counterproductive and strongly damage the sector’s growth in the country. Ultimately, collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches nationwide,” the company noted.
India’s Computer Emergency Response Team (CERT-In) passed the order requiring VPN service providers to keep a log of their users for at least five years and sharing them with authorities when required. It will come into force from June 27.
Shortly after the government’s order became public, various VPN service providers expressed their dissent. NordVPN parent Nord Security was amongst the first ones to hint to remove its servers from the country if no other options are provided.