VPN Users’ Anonymity Under Threat Following Indian Security Order


Claiming that criminals use encryption to stay anonymous, last year a parliamentary committee urged the Indian government to ban VPNs. While that didn't happen, new security-focused directions published by the Ministry of Electronics and Information Technology look set to make effective online anonymity a thing of the past.

People being free to share and access ideas, knowledge and opinions with their peers is a universally accepted standard for the entire human race. The big problem is that the definition of ‘free’ differs widely and is often defined by the few, not the many.

In online terms, true freedom is already under threat. As governments take more control over ‘their’ parts of the internet, citizens are informed that this is for the greater good, to keep their families safe and economies strong. Giving up small freedoms here... and a few others over there... are presented as insignificant sacrifices hardly worth our attention.

However, once these systems are in place, governments can use them to ‘protect’ citizens from dissenting opinions, unpalatable news, whistleblowing, and our ability to absorb all information, thereby reaching educated conclusions of our own. Early adopters of VPNs recognized this years ago, and as more people retain choice by using them, some governments are calling for VPNs to be restricted or even banned.

Calls for VPN Ban in India

In common with many countries worldwide, India has introduced laws to render illegal certain types of content online. It blocks thousands of websites due to copyright infringement and pornography, for example, but is now engaged in censorship to suppress political opposition in the name of national security. It even threatened to put Twitter executives in prison for refusing to censor opponents.

Due to the increased security and anonymity they provide, good VPN services with high standards enable people to absorb and impart information more freely. They are not a silver bullet but can be considered as part of a toolkit to unfilter internet access and restore freedoms. As a result, India’s government (and more besides) view them as a threat.

Last year a Parliamentary Standing Committee called for a total ban on VPNs, advising that they allow criminals to be anonymous online. The Ministry of Electronics and Information Technology was urged to force ISPs to block these encryption tools and increase online surveillance to clear any remnants.

While the government didn’t respond with a full ban, new directions to India’s IT sector reveal that if VPNs are to stay, the authorities will have the power to identify their users.

Security Measures for a “Safe & Trusted Internet”

The Indian Computer Emergency Response Team (CERT-In) serves as the national agency for online security. It analyzes cyber threats and can obtain logging information from service providers, intermediaries, data centers and corporate bodies. After identifying gaps in its ability to analyze ‘incidents’, CERT-In recently issued directions to companies providing internet services designed to ensure a “safe & trusted Internet” in the country.

While the directions focus on improved responses to security incidents, Indian authorities have also ordered all service providers, intermediaries, and data centers to enable and maintain logs. These must contain 180 days of event logging and be maintained within Indian jurisdiction for straightforward access. For other service providers the requirements are even tougher.

VPN Providers Cannot Be Anonymous, Must Carry Logs

Although caveats apply (and vary between providers), a good VPN service should be able to offer enhanced or even complete anonymity to users. Many do this, at least in part, by not carrying logs that can link a specific user to any IP address at any given time. India’s directions are designed to thwart this business model.

All VPN services, data centers, VPS (virtual private server) providers, and cloud services must store a laundry list of information and logs for at least five years, longer if the government chooses to change the law. The rules apply to all of the above services, but given the nature of VPN services as censorship-busting anonymity tools, they appear to be the hardest hit.

An email address is often sufficient when a customer signs up for a VPN service. In future, VPN providers in India will be required to obtain a customer’s real name, address, and phone number. All information provided must be validated as accurate.

Providers will also be required to record the user’s email address, IP address and timestamp used at the time of registration and obtain a statement of intent from the subscriber, i.e., a description of what the VPN will be used for.

The ‘period of hire’ (times and dates) must also be logged to include every IP address allocated to and used by customers. All service providers must synchronize their clocks with specified NTP servers for uniform accuracy across the industry.

Implications for VPN Providers and Users

The full implications will become clearer over time, but the directions seem to impact VPN providers in India and, to a lesser extent, those based overseas operating servers in India.

Pervasive logging throughout the entire system translates to a generally hostile environment for anonymity, so after consideration some providers may be less keen to do business locally, especially given that prison sentences are available for non-compliance.

The directions can be found here (pdf)

