
VPN Providers Threaten to Quit India Over New Data Law

The country has ordered companies operating VPNs to collect user data and hand it over to officials—but they’re refusing to do so.

Wired

VPN companies are squaring up for a fight with the Indian government over new rules designed to change how they operate in the country. On April 28, officials announced that virtual private network companies will be required to collect swathes of customer data—and maintain it for five years or more—under a new national directive. VPN providers have two months to accede to the rules and start collecting data.

The justification from the country’s Computer Emergency Response Team (CERT-In) is that it needs to be able to investigate potential cybercrime. But that doesn’t wash with VPN providers, some of whom have said they may ignore the demands. “This latest move by the Indian government to require VPN companies to hand over user personal data represents a worrying attempt to infringe on the digital rights of its citizens,” says Harold Li, vice president of ExpressVPN. He adds that the company would never log user information or activity and that it will adjust its “operations and infrastructure to preserve this principle if and when necessary.”

Other VPN providers are also considering their options. Gytis Malinauskas, head of Surfshark’s legal department, says the VPN provider couldn’t currently comply with India’s logging requirements because it uses RAM-only servers, which automatically overwrite user-related data. “We are still investigating the new regulation and its implications for us, but the overall aim is to continue providing no-logs services to all of our users,” he says. ProtonVPN is similarly concerned, calling the move an erosion of civil liberties. “ProtonVPN is monitoring the situation, but ultimately we remain committed to our no-logs policy and preserving our users’ privacy,” says spokesperson Matt Fossen. “Our team is investigating the new directive and exploring the best course of action,” says Laura Tyrylyte, head of public relations at Nord Security, which develops Nord VPN. “We may remove our servers from India if no other options are left.”

The hardball response from VPN providers shows how much is at stake. India has rapidly shifted away from a free and open democracy and launched crackdowns on non-governmental organizations, journalists, and activists, many of whom use VPNs to communicate. Human Rights Watch recently warned that media freedom is under attack in the country, with a number of law and policy changes threatening the rights of minority citizens in the country. India dropped eight places in Reporters Without Borders’ Press Freedom Index in the past year and now sits 150th out of 180 countries worldwide. Authorities are alleged to have targeted journalists, stoking nationalist division and encouraging harassment of reporters who are critical of Indian prime minister Narendra Modi. By collecting and storing data on all VPN users in India, authorities may find it easier to see who VPN-using journalists are contacting and why.

Officials in India have claimed that the new rules for VPN providers aren’t part of a data grab aimed at further stymying press freedoms, but rather an attempt to better police cybercrime. India has been hit by a number of significant data breaches in recent years and was the third-most affected country worldwide in 2021. “Data breaches have become so common in India that they no longer make front page news as they used to,” says Mishi Choudhary, a technology lawyer and founder of the Software Freedom Law Center, a technology legal support services provider in India. In May 2021, the names, email addresses, locations, and phone numbers of more than 1 million customers of Domino’s Pizza were stolen and posted online; in the same year, the personal information of 110 million users of digital payment platform MobiKwik ended up on the dark web. Now, as the major incidents pile up, Indian officials are going after VPNs in an apparent attempt to rein in the cybercrime surge.

“CERT-In is duty-bound to respond to any cybersecurity incidents,” says Srinivas Kodali, a researcher focusing on digitalization in India from the Free Software Movement of India—though he disputes its efficacy in doing so. Having this information on hand should, in theory, allow CERT-In to investigate any incidents more speedily after the fact. But many don’t believe that’s the full story. “CERT-In doesn’t really have a clean past, and they’ve never really protected citizens’ privacy,” Kodali claims. “According to the rules, they are going to only demand these logs when they actually need them for part of an investigation. But in India, you never know how they will be abused.”

Such concerns of overreach are not unfounded. According to data published in April 2022 by Access Now, an advocacy group lobbying for internet freedoms, India was responsible for 106 of the 182 documented internet shutdowns in 2021. It was the fourth successive year the country held the unenviable title of the internet shutdown capital of the world. At the same time, India’s government has allegedly misled parliament about its use and deployment of the Israeli-produced spyware Pegasus against 160 politicians, lawyers, and activists within the country.

That ‘collect data first, ask questions later’ approach to law enforcement has others worried, too. “This is a blunderbuss way of remembering all data and keeping tabs on your users,” says Anupam Chander, professor of law at Georgetown University in Washington, DC. “That way, if [India] needs it for law enforcement, intelligence purposes, or other purposes, they can grab it later.” And the VPN data grab could, potentially, collect information on millions of Indians who rely on the technology. One in five Indians used a VPN in 2021, according to data gathered by service provider Atlas VPN—up from just 3 percent in 2020. The increased usage echoes a broader rise in the use of VPNs in countries such as Venezuela, Costa Rica, and Cambodia, which saw similar increases. It also shows how people in India are seeking out VPNs for information security purposes, as well as to avoid geoblocking of popular websites.

There’s another reason everyday Indians are pursuing VPNs: the rollout of a controversial nationwide identification database. The ID system known as Aadhaar—which first launched in 2009 and has evolved since then—assigns citizens a 12-digit identity code based on their biometric and demographic information. Its proponents say that Aadhaar is part of a plan to digitize the Indian economy and make it easier to access government services. Its opponents say Aadhaar’s ubiquity and required use—you can’t open a bank account, get an ambulance, or pay your taxes without one—is an attempt to shoehorn a surveillance state into existence under the auspices of making things easier for citizens. Choudhary worries that the new rules for VPN providers are part of a broader “mission creep” to control what is said and by whom across India. “This is not just bureaucracy,” Choudhary says. “It seems that the government of India is using every opportunity to make access to the internet much more controlled, as well as monitored.” CERT-In did not respond to a request for comment.

And India is not alone. “South Asian governments are basically competing with each other in this operational Olympics around violating the digital rights of their citizens,” says Pakistani lawyer and internet activist Nighat Dad. Pakistan’s government attempted to introduce a law in October 2021 that gave it the right to monitor and censor any content posted on social media in the country. Pakistan has previously blocked access to Facebook, Twitter, YouTube, WhatsApp, and Telegram “to maintain public order.” Dad is scared. “Not only in Pakistan but in India, there are marginalized communities who are at risk. This is a scary situation.” Similar concerns have been raised in Indonesia, where digital platforms have to register with the communications ministry and agree to provide access to their systems and data on request. So too in Bangladesh, where internet freedom has reached an “all-time low,” according to Freedom House, as the governing party uses laws to crack down on political dissent through social media.

VPNs that are developed within—or operate in—India will have to choose whether to accede to CERT-In’s request or withdraw their support from the country. Kodali says providers may adopt a halfway-house solution, barring new users from paying for VPNs with an Indian bank account, which would theoretically make it impossible for Indians to sign up while in practice quietly permitting them to find a workaround. But what starts in India likely won’t end there. “This does have global implications,” says Chander, who believes India is learning a lesson from China, with its stringent internet crackdowns. There’s a worry other, more liberal governments will follow the Indian-Chinese model, too. Attacks on end-to-end encryption are commonplace in the UK, while the US joined India, the UK, Japan, Australia, and New Zealand in signing an international statement asking for backdoor access that would subvert encryption standards. “I think it’s important that governments justify these actions,” says Chander, “and explain how they don’t threaten civil liberties.”
