VPN provider Surfshark became the latest company to withdraw its servers from India this week, in response to government attempts to regulate encrypted web traffic.
New guidance from India's leading cybersecurity agency, the Computer Emergency Response Team of India (Cert-In), requires VPN, virtual private server (VPS), and cloud service providers to store names, email addresses, IP addresses, knowledge of customer records and financial transactions for a period of five years.
Surfshark announced in an article titled "Surfshark shutting down servers in India in response to data law" on Wednesday that it "proudly operates under a strict 'no logs' policy, so these new requirements go against fundamental ethics of the company."
Surfshark is not the first VPN provider to withdraw its servers from the country following the directive. ExpressVPN also decided to take the same action last week, with NordVPN also warning that it would remove physical servers if the guidelines are not reversed.
New VPN regulations 'lack clarity'
Like many businesses around the world, Indian businesses have increased their reliance on VPNs since the COVID-19 pandemic forced many employees to work from home. VPN adoption has grown to allow employees to access sensitive data remotely, even as companies have begun adopting other secure means of enabling remote access, such as Zero Trust Network Access and Smart DNS solutions.
An Atlas VPN report highlights that the VPN penetration rate in India increased from 3% in 2020 to over 25% in the first half of 2021, growing at the fastest rate in the world to a staggering 348.7 million installations, which represents a growth of 671% compared to 2020.
"This will have a huge impact on Indian businesses as these provisions could make it more difficult for them to support employees working remotely, as has been the case since the COVID pandemic," said Prasanth Sugathan, Partner at Sugathan Law Firm and Associates.
The directive issued by Cert-In on April 28 also states that cybersecurity vulnerabilities must be disclosed within six hours of their discovery. In fact, there is so much confusion about the eight-page directive that Cert-In has published a 28-page FAQ.
“The guidelines are very broad and there is not a lot of clarity on how this will be applied due to the wording of the directive. The mere fact that the government had to issue a lengthy FAQ with the directive shows the complexity of the situation. You may not have FAQs to clarify statutory provisions,” Sugathan said.
According to data from Surfshark, since 2004, 254.9 million accounts belonging to Indian users have been hacked. "To put this in perspective, 18 out of 100 Indians have had their personal data hacked," according to a Surfshark note.
“Taking such drastic measures that have a significant impact on the privacy of millions of people living in India will likely backfire and greatly damage the growth of the sector in the country. Ultimately, the collection of excessive amounts of data within Indian jurisdiction without robust protection mechanisms could even lead to more breaches across the country.”
Copyright © 2022 IDG Communications, Inc.