In April, India passed a law that will drastically restrict VPN activities in the country from June 27, 2022. Why did the world’s largest democracy choose to follow the path blazed by some of the world’s most repressive regimes, such as Russia or China? More importantly, will the new measures work?
However, first let’s take a look at the law itself , which was drafted by CERT-In, India’s computer emergency team. It boils down to a set of KYC (know your customer) protocols that will force the VPN to register the name, email address, physical address, IP address, and phone number of the users. VPNs will also need to keep logs; all this information must be kept for five years (180 days in case of technical requests).
While having to reveal all your personal details to a VPN is already bad enough – although if you haven’t signed up anonymously, it probably already knows a lot about you – it’s the mandatory logging that causes the most annoyance among VPN users. This is because the need for logging is at the core of what a VPN does.
In this case, the logs are records of where and when you connected, and any good decent VPN doesn’t keep them, it’s part of their privacy promise. The only legitimately private VPN is a no-log VPN, and thus forcing VPNs to keep them defeats their very purpose.
Not only VPN
However, it should be made clear that this law is not only directed at VPNs, but also at providers of all kinds of digital services . For example, web hosting providers as well as crypto exchanges and VPS providers are designed to implement these new KYC directives. In a sense, this will create a kind of database of Indian Internet users.
Why is it implemented
As it stands, the new law will have far-reaching implications for the Indian internet. The government seems to understand this, but claims it is necessary in order to stem the tide of cybercrime, especially financial fraud.
There is no denying that the problem is quite serious: Indian banks, for example, reported 5 trillion rupees ($13 billion) in losses on their books in May 2021. Data on consumer fraud is much harder to come by, but several reports mention large amounts. that cripple victims, sometimes for life. The US is also suffering from fraudulent calls originating from the subcontinent.
According to CERT itself , it processed nearly 1.5 million cybercrime reports in 2021; this is quite a large number, even if we take into account that there is a high probability that many people do not bother to report incidents.
By forcing online services to register users, the Indian government hopes to make these crimes more difficult to commit. If the VPN you use to mask your activities knows who you are, you will be easier to catch. However, to hide their activities, VPNs are used not only by criminals, but also by political activists and journalists.
Human rights issues
This is quite worrying as India has received low ratings from international human rights organizations. An Amnesty International report details the Indian government’s crackdown on minorities as well as farmers protesting government policies in 2021. The report details how India set up a “massive illegal surveillance apparatus”.
According to Reuters , reporting or speaking out against these actions means you will face even more pressure from the government. Journalists and activists in India claim their phones have been hacked and tapped.
While the law will certainly be a useful tool in the fight against cybercrime, while the ingenuity of people trying to evade responsibility should never be underestimated, it can be used for more than that. According to Misha Chowdhary of the Software Freedom Law Center in an interview given to Wired magazine , “It looks like the Government of India is taking every opportunity to make Internet access more controlled and controlled.”
Whether this control will be directed only at fraudsters and fraudsters, or whether it will also be directed at journalists, lawyers and other activists, is still unknown.
What does this mean for a VPN
However, if the Indian government is trying to increase its control over the internet in the country, it looks like it won’t do so unopposed. When it comes to VPNs, big VPN providers like ExpressVPN and Surfshark have announced that they are pulling out of the country, as is NordVPN . We can only assume that many others will follow suit.
This does not mean that Indian VPN users, who, according to data collected by AtlasVPN, make up approximately 20 percent of the population, are left completely without remedies. In this case, “pull” means that these VPN providers will simply give up their servers in India, but still allow access to servers in other countries.
For example, a user in New Delhi who used to connect to the Internet through a server in Mumbai will now be able to access it through a server in another country. While this probably won’t be a problem for too many people, it will inconvenience a lot more people as the remote server will slow down their connection.
Another issue is that by pulling their servers out of India, VPN clients will no longer be able to use Indian IP addresses. Most likely, this problem will be solved with the help of so-called virtual servers: machines that can spoof IP addresses, giving you an Indian IP address while in a different location. However, these virtual servers are not always reliable and it is not clear if Indian law can give CERT-In power over Indian IP addresses.
circumvention of the law
However, the question remains what actions VPNs may face for circumventing the new law: for example, whether there will be any sanctions on VPNs for granting access to Indian users without their registration. This and many other questions are likely to be answered only after the law enters into force.
Naturally, not only VPN providers will try to circumvent the new law, users themselves have several options. As we can see, in China, people will find new and innovative ways to access free internet. The new law makes it so you can’t use a VPN or a server in India, but that doesn’t mean people won’t tunnel in some other way.
Whatever happens, it looks like the Indian internet will never be the same again.