Netherlands-based virtual private network (VPN) company Surfshark has confirmed that it received a notice from the Indian Computer Emergency Response Team (CERT-In). The notice, one of several sent by CERT-In to VPN companies, seeks clarifications on Surfshark's compliance with the 2022 cybersecurity directions of the Indian government, a company spokesperson told Moneycontrol.
This marks the latest development in the year-long controversy surrounding several VPN companies, including Surfshark, that have removed their Indian servers, pledging non-compliance with CERT-In directions. The policy was accused of being privacy-invasive and unconstitutional, and is currently facing a legal challenge at the Delhi High Court.
Previously, Moneycontrol reported that CERT-In sent these notices to VPN companies in February 2023.
"Since the implementation of the regulations, CERT-In has reached out to us regarding compliance with cybersecurity directions," Gytis Malinauskas, head of legal at Surfshark told Moneycontrol.
"We have responded by requesting additional information and seeking clarification on the situation. However, as of now, we have not received any further feedback or updates on the matter," Malinauskas added.
Last year, CERT-In mandated that service providers, including those offering VPNs, maintain logs of IP addresses used to register for the VPN, IP addresses used to connect to VPN servers in India, and a list of IP addresses issued for each customer for a period of five years.
The requirement to store user data earned the ire of VPN companies, who vowed non-compliance and removed their servers from India in protest. These companies, apart from Surfshark, include Switzerland-based Proton, ExpressVPN, and Panama-based NordVPN.
"The new law, made most VPN providers redraw from India - if not all. Impossible to comply with. So the normal action to take: do not have any service in India, do not do any marketing in India, do not have any presence in India - i.e. do not have any business activity in India. However, we do have Indian customers," a spokesperson for Sweden-based VPN company Mullvad told Moneycontrol.
Responding to a query on whether there has been any effect of the cybersecurity directions, Yegor Sak, founder of Canada-based VPN firm Windscribe said, "No. We're not complying with foreign government's directives, especially ones that make no sense and ask for things that are impossible."
Mullvad and Windscribe confirmed that they have not yet received any notices from CERT-In. Moneycontrol has reached out to other VPN service providers as well, and the article will be updated when a response is received.
Will the removal of servers put VPNs outside the ambit of CERT-In directions?
It is unlikely that ExpressVPN, Surfshark, or other service providers that have removed or may remove their India servers in the future will be outside the ambit of CERT-In directions.
This is because, in the FAQs regarding the directions released in May, CERT-In clarified that the directions "are applicable to any entity whatsoever in the matter of cyber incidents and cybersecurity incidents." In another FAQ addressing whether the directions are applicable to service providers not located in India but catering to Indian users, CERT-In reiterated the same.
"Prior to the implementation of the new law by India's Computer Emergency Response Team (CERT-In) on June 27, 2022, we made the decision to shut down our physical servers in India. Consequently, we have ceased offering our services directly to residents of India. However, we have introduced virtual Indian locations, which are located in Singapore and London. These virtual locations allow users to access our services and provide them with an Indian IP address. You can find these virtual Indian locations listed among Surfshark's regular servers," Malinauskas said.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
