VPN companies are gearing up to fight the Indian government over new regulations designed to change the way they operate in the country. On April 28, officials announced that virtual private network companies would be required to collect customer data sets and store them for five years or more, in accordance with new national directive. VPN providers have two months to accept the rules and start collecting data.
The rationale on the part of the country’s Computer Emergency Response Team (CERT-In) is that it should be able to investigate potential cybercrimes. But that doesn’t sit well with VPN providers, some of which have said they can ignore the requirements. “This latest move by the Indian government to require VPN companies to hand over users’ personal data is a disturbing attempt to infringe on the digital rights of its citizens,” said Harold Lee, vice president of ExpressVPN. He adds that the company will never log user information or actions and that it will adjust its “operations and infrastructure to maintain this principle if and when necessary.”
Other VPN providers are also considering their options. Gytis Malinauskas, Surfshark’s head of legal, says the VPN provider currently cannot comply with India’s logging requirements because it uses RAM-only servers that automatically overwrite user-related data. “We are still studying the new regulation and its implications for us, but the overall goal is to continue to provide no-registration services for all of our users,” he says. ProtonVPN is also concerned, calling the move an erosion of civil liberties. “ProtonVPN is monitoring the situation, but ultimately we remain committed to our no-logs policy and maintaining the privacy of our users,” says spokesman Matt Vossen. “Our team is studying the new directive and exploring the best course of action,” says Laura Tirilit, head of public relations at Nord Security, which develops Nord VPN. “We may remove our servers from India if no other options remain.”
The tough response from VPN providers shows just how much is at stake. India quickly moved away from a free and open democracy and launched a crackdown on NGOs, journalists and activists, many of whom use VPNs to communicate. Human Rights Watch recently warned that freedom of the media in the country is under attack, and a number of legislative and policy changes threaten the rights of minority citizens in the country. India down eight places in the Reporters Without Borders Press Freedom Index last year and now ranks 150 out of 180 countries worldwide. Authorities are said to have harassed journalists, fueling nationalist divisions and encouraging the persecution of reporters critical of Indian Prime Minister Narendra Modi. By collecting and storing data on all VPN users in India, it can be easier for authorities to see who journalists using VPNs are contacting and why.
Officials in India have said the new rules for VPN providers are not part of a data grab aimed at further restricting press freedom, but rather an attempt to better control cybercrime. India has suffered from a number of serious data breaches in recent years and has been third most affected country around the world in 2021. “Data breaches have become so frequent in India that they no longer make headlines like they used to,” says Mishi Chowdhary, technology lawyer and founder of Software Freedom Law Center, a technology legal support service provider. in India. In May 2021, the names, email addresses, locations, and phone numbers of over 1 million Domino’s Pizza customers were stolen and posted online; same year personal information 110 million users Digital payment platform MobiKwik is on the dark web. Now that the number of major incidents is piling up, Indian officials are starting to go after VPNs in an apparent attempt to curb the surge in cybercrime.
“CERT-In has a duty to respond to any cybersecurity incident,” says Srinivas Kodali, an India digitalization researcher with the Free Software Movement of India, though he disputes its effectiveness in this regard. In theory, having this information should allow CERT-In to more quickly investigate any incidents after the fact. But many do not believe that this is the full story. “CERT-In doesn’t have a very clean background and they never really protected the privacy of citizens,” Kodali said. “According to the rules, they will only require these logs when they are really needed for part of the investigation. But in India you never know how they will be bullied.”
Such concerns about overreach are not unfounded. India is responsible for 106 out of 182 documented internet outages in 2021. This was fourth consecutive year the country bore the unenviable title of the internet shutdown capital of the world. At the same time, the government of India allegedly misled Parliament on the use and deployment of Israeli-made Pegasus spyware against 160 politicians, lawyers and activists inside the country.
This “collect data first, ask questions later” approach to law enforcement worries others as well. “It’s a crude way to remember all the data and keep track of your users,” says Anupam Chander, professor of law at Georgetown University in Washington, DC. “Thus, if [India] it is needed for law enforcement, intelligence or other purposes, they can take it later.” And VPN data capture could potentially gather information about the millions of Indians who rely on the technology. Every fifth Indian used a VPN in 2021, according to data compiled by service provider Atlas VPN, up from 3 percent in 2020. The increase in usage echoes the broader rise in VPN usage in countries such as Venezuela, Costa Rica, and Cambodia. similar increases. It also shows how people in India are looking for VPNs for information security and also to avoid geo-blocking popular websites.
There is another reason why Indians choose VPN: deployment controversial nationwide identity database. The identification system, known as Aadhaar, which was first launched in 2009 and has evolved since then, assigns citizens a 12-digit identification code based on their biometric and demographic information. Its supporters say Aadhaar is part of a plan to digitize the Indian economy and make it easier to access government services. Its opponents say the ubiquitous and mandatory use of Aadhaar – you can’t open a bank account, call an ambulance or pay taxes without one – is an attempt to create a surveillance state under the guise of making life easier for citizens. Chowdhary is concerned that the new rules for VPN providers are part of a larger “mission” to control what is said and by whom in India. “It’s not just bureaucracy,” Choudhary says. “It appears that the Government of India is taking every opportunity to make Internet access more controlled and controlled.” CERT-In did not respond to a request for comment.
And India is not alone. “The governments of South Asia are actually competing with each other in this operational Olympics, violating the digital rights of their citizens,” says Pakistani lawyer and internet activist Nighat Dad. The government of Pakistan has tried adopt a law in October 2021, giving it the power to monitor and censor any content posted on social media in the country. Pakistan has previously blocked access on Facebook, Twitter, YouTube, WhatsApp and Telegram “to maintain public order”. Dad is afraid. “Not only in Pakistan, but also in India, there are marginalized communities that are threatened. It’s a terrible situation.” Similar concerns have been expressed in Indonesia, where digital platforms must register with the Ministry of Communications and agree to provide access to their systems and data upon request. It’s the same in Bangladesh, where internet freedom hit “an all-time low” according to Freedom House, as the ruling party uses laws to stifle political dissent through social media.
VPNs that are developed or operated in India will have to choose whether to accept the CERT-In request or withdraw their support in the country. Kodali says providers may decide halfway through preventing new users from paying for VPNs with an Indian bank account, which would theoretically make it impossible for Indians to sign up, but in practice allow them to find a workaround. But what begins in India will most likely not end there. “This has global implications,” says Chander, who believes India is learning from China’s tough Internet bans. There are fears that other, more liberal governments will also follow the India-China model. End-to-End Encryption Attacks commonplace in the UKwhile the US joined India, UK, Japan, Australia and New Zealand in signing international statement requesting backdoor access that undermines encryption standards. “I think it’s important that governments justify these actions,” Chander says, “and explain why they don’t threaten civil liberties.”
Credit: www.wired.com /