In response to government efforts to control encrypted web traffic, VPN provider Surfshark became the latest company to pull its servers from India this week.
The new guidelines from India’s top cyber security agency, the Indian Computer Emergency Response Team (CERT-In), require VPN, Virtual Private Server (VPS) and cloud service providers to keep customers’ names, email addresses, IP addresses, customer records, and financial transactions for five years.
Surfshark on Wednesday announced in a post titled “Surfshark shuts down servers in India in response to data law” that it “proudly operates under a strict ‘no log’ policy, so such new requirements go against the company’s core policy.”
Surfshark is not the first VPN provider to pull servers out of the country following the guidelines. ExpressVPN decided to take similar action last week, and NordVPN warned that it would remove its physical servers if the instructions were not reversed.
New VPN Regulation “Lack of Transparency”
Like many businesses around the world, Indian companies have increased their reliance on VPNs since the COVID-19 epidemic forced many employees to work from home. The adoption of VPNs has allowed employees to access sensitive data remotely, and companies have even begun to use other secure means to allow remote access, such as zero trust network access and smart DNS solutions.
A report from Atlas VPN highlights that the VPN penetration rate in India increased from 3% in 2020 to 25% in the first half of 2021, growing at the fastest rate with 348.7 million installations worldwide, representing a 671% increase over 2020.
Prashant Sugathan, a partner at law firm Sugathan & Associates, said: “This will have a huge impact on Indian businesses as these provisions may make it harder for them to support workers working remotely, which has resulted from the COVID epidemic.”
The directive, issued by CERT-In on April 28, further states that cyber security breaches must be disclosed within six hours of discovery. In fact, there is so much confusion with the eight-page instruction that CERT-In has issued a 28-page FAQ.
“The instructions are very broad and there is not much clarity about how it will apply due to the wording of the instructions. The mere fact that the government had to issue a long FAQ note with the instructions shows the complexity of the situation,” Sugathan said.
According to Surfshark, 254.9 million user accounts from India have been breached since 2004. According to a Surfshark note, “To put it bluntly, 18 out of every 100 Indians have had their personal contact details breached.”
“Taking drastic measures that would seriously affect the privacy of millions of people living in India would probably be counterproductive and would severely hamper the growth of the country’s sector,” the note added.
Copyright © 2022 IDG Communications, Inc.