Surfshark, ExpressVPN pull out of India over data retention laws

Surfshark announced today they are shutting down its VPN (virtual private network) services in India in response to the new requirements in the country that demand all providers to keep customer logs for 180 days.

VPN services aim to provide privacy to internet users by encrypting their network traffic and hiding their actual IP addresses behind those assigned to servers hosted at providers worldwide. This allows customers to select a country of their choice and route their traffic, so it appears as if they are in that country.

Moreover, VPN providers commonly offer a no-logs policy, meaning that they do not log a customer's IP address, browsing history, timestamps, network traffic, or session information.

"In short, Surfshark VPN does not keep track of your online whereabouts or actions in any way. The VPN server only keeps enough data to keep your VPN connection going, and nothing of it is kept after you’re done," explains SurfShark's no-logs policy.

However, India’s new provisions added into section 70B of the Information Technology (IT) Act, 2000, require VPN providers to abandon their core values by retaining usage details, allotted IP addresses, the purpose of using the services, user address, contact details, and more.

Surfshark says that India’s legal action is radical and harms the privacy of the country’s netizens instead of protecting it.

“Taking such radical action that highly impacts the privacy of millions of people living in India will most likely be counterproductive and strongly damage the sector’s growth in the country,” reads Surfshark’s announcement.

“Ultimately, collecting excessive amounts of data within Indian jurisdiction without robust protection mechanisms could lead to even more breaches nationwide.”

The popular VPN vendor says it will instead set up virtual servers located in Singapore and London, but which still appear as if they are based in India.

Collect and store customer data? NO! We value people's privacy – that's why we stand against India's new data regulation law We'll shut down our physical Indian servers. Still, you'll be able to connect to virtual servers through Singapore and London – check our server list

— Surfshark (@surfshark) June 7, 2022

Surfshark promises that India-based users won’t notice any differences in using its VPN services, neither in speed nor website accessibility.

ExpressVPN already exited

ExpressVPN, one of the world’s largest VPN service providers, left the Indian market last week, refusing to comply with the new rules to keep user logs for extensive periods.

They, too, reverted to the solution of virtual servers with Indian IP addresses, which won’t be under Indian law jurisdiction. In fact, they commented that this would make connections more reliable in many cases.

The vendor called out the Indian government for extreme measures and rebuked the authorities for leaving plenty of opportunities for abuse by the involved agencies.

“ExpressVPN refuses to participate in the Indian government’s attempts to limit internet freedom,” boldly declares ExpressVPN’s announcement.

“As a company focused on protecting privacy and freedom of expression online, we will continue to fight to keep users connected to the open and free internet with privacy and security, no matter where they are located.”

The changes to India’s law are sweeping, pushing VPNs outside the country, and more vendors will likely follow ExpressVPN and Surfshark.

We are not alone in our concern about this issue; many industry bodies have called on the Indian Government to reassess its new rules for the sake of its people’s privacy rights. We sincerely hope industry-wide efforts to influence the regulations are fruitful... [1/2]

— ExpressVPN (@expressvpn) June 2, 2022

Other prominent players in the market monitor the situation and hope that their pleads for last-minute changes will be heard as the deadline for the new law entering into force approaches.