Surfshark shuts down servers in India in response to data law

In response to the new Indian data regulation laws, cybersecurity company Surfshark is shutting down its servers in India. The new laws require VPN providers to record and keep customers’ logs for 180 days as well as collect and keep excessive customer data for five years.

“Surfshark proudly operates under a strict “no logs” policy, so such new requirements go against the core ethos of the company. A VPN is an online privacy tool, and Surfshark was founded to make it as easy to use for the common users as possible. The infrastructure that Surfshark runs on has been configured in a way that respects the privacy of our users, and we will not compromise our values – or our technical base”, says Gytis Malinauskas, Head of Legal at Surfshark.

Surfshark’s physical servers in India will be shut down before the new law comes into power. Up until then, users will be able to connect to servers in India as usual. After the new regulations come into effect, we’ll introduce our virtual Indian servers – which will be physically located in Singapore and London. Users will be able to find them in our regular list of servers.

Virtual servers are functionally identical to physical ones – the main difference is that they’re not located in the stated country. They still provide the same functionality – in this case, getting an Indian IP.

Users in India who don’t use Indian servers will not notice any differences – they will still be able to connect to whichever server outside the country they please. Meanwhile, Surfshark will continue to closely monitor the government’s attempts to limit internet freedom and encourage discussions intended to persuade the government to hear the arguments of the tech industry.

Notably, VPN suppliers leaving India isn’t good for its burgeoning IT sector. Surfshark’s data shows that since 2004, the year data breaches became widespread, 14.9B accounts have been leaked and a striking 254.9M of them belong to users from India.

To put in perspective, 18 out of every 100 Indians had their personal contact details breached. The situation is extremely worrying in terms of lost data points, considering that per every 10 leaked accounts in India, half are stolen together with a password.

Taking such radical action that highly impacts the privacy of millions of people living in India will most likely be counterproductive and strongly damage the sector’s growth in the country. Ultimately, collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches nationwide.