As the clock ticked towards 9 PM on the night of June 29, the talk of Internet in India was the Ministry of Electronics and IT’s press release indicating that 59 apps would be banned. The stated reason for this ban was that they were engaged in activities prejudicial to the sovereignty and integrity of India.
The common thread among these apps is that they are of ‘Chinese origin’ even though that isn’t explicitly mentioned in the government’s banning order.
How it could be implemented
For now, let’s set aside the question of whether the ban is a fitting response to the killing of 20 Indian soldiers in Galwan, Ladakh on June 15 , and whether it is justified or not. What is likely to happen from here is that the Google Play Store and iOS App Store will be asked to de-list the apps from their Indian storefronts. There is precedent for this when a ban on TikTok was ordered by the Madras High Court.
At the time of writing, TikTok appears to be unavailable for download on the iOS App Store and Google Play Store. However, most of other 58 apps listed seem to be unaffected. Therefore it isn’t clear why the TikTok app is no longer listed. The Play Store does list several questionable TikTok clones already. At such times, it also common for installable versions of apps to be shared outside the confines of app stores (installing these apps is referred to as side-loading). As users are likely to seek ‘alternatives’, this opens them up to even more risks from a cyber security perspective.
A recent example of this attack vector was the number of malicious copies of Aarogya Setu being shared. And it doesn’t help that this mechanism of distribution was also used by some states to distribute their COVID-19 apps. In a sense, incentives are being created for people to indulge in behaviour that puts them at risk.
Secondly, Internet service providers (ISPs) and content delivery networks (CDNs) will probably be asked to block the domains that these apps/services use. What is unknown here is whether the government will give them a pre-determined list or put the onus on these private operators to find the hostnames and put them on a block-list.
Excellence in execution?
How well this will be executed is debatable. Experience with the whitelist/allow-list experiment in Jammu and Kashmir indicates that the state capacity to determine finer details may be limited. Alternatively, the porn-block, in which ISPs appear to have been granted a certain level of discretion seems to be more effective, even if not 100% accurate.
There are also lessons to be learnt from Russia’s attempts to block Telegram in 2018. The app was able to use “domain fronting” – an unintended effect of using Content Delivery Networks to bypass attempts to block it. In domain fronting, a request advertises that it is intended for www.xyz.com while it may actually be abc.xyz.com or another domain altogether depending on how it is architected. Since such requests are encrypted, the blocking mechanism cannot determine that the request is actually for abc.xyz.com and not www.xyz.com.
Which is to say that even if domains are accurately determined and blocked, there is still a possibility for apps to bypass them by disguising requests as being meant for another domain – as long as they share an HTTPS certificate and origin infrastructure. This is a common censorship evasion method.
Again, in the Telegram instance, as Russian efforts to block it got more aggressive, they resorted to using IP addresses which ended up impacting Amazon Web Services and Google services in Russia. It may not play out the same way in India, though.
Users can also choose to use VPNs. It is unlikely that people will opt to use paid/subscription based services and gravitate towards free VPNs, which are also a security risk.
A game of whack-a-mole
Whether it comes down to this depends on how seriously the Union government wants to actually implement the ban. And, how much of an appetite the listed apps/services have to try and circumvent it. It could very well result in a game of whack-a-mole. In cases where they have an established India presence with local employees – the risk of law enforcement action will certainly play a part in evaluating the trade-off, so the chances of overt circumvention by the likes of TikTok is relatively low. We shouldn’t expect responses across all 59 apps to be uniform in this context.
Some of this calculus will also change based on how much noise is made about these services still being accessible. The louder it gets, the higher the likelihood of the government being pushed into follow-up action.
For now, it is unclear how the list was drawn up and what the ban means practically. What happens if users continue to use the apps they already have downloaded? Is it now illegal to share content from TikTok or documents scanned on CamScanner? Or for someone to communicate with family/business contacts in China using WeChat? Will the state machinery take action against them like it did in the case of PUBG last year?
And as the Internet Freedom Foundation has pointed out, the lack of transparency is a cause for concern. This move has all the makings of a slippery slope, especially if it is accepted with unequivocal cheerleading and no review of accountability in the future. Today it is a thinly veiled response to China but tomorrow it could be something else entirely.
There is also an open question of how China will respond. So far, Beijing has said it is “strongy concerned” about India’s action and is “verifying” the situation. Scope for a similar reciprocal action is limited since Indian apps do not (and cannot) attain similar levels of popularity in China. In the cyber-realm, it could turn the fabled ‘great cannon’ towards Indian businesses, meaning they should prepare themselves for an uptick in denial of service and other web-based attacks.
China may also focus some of its evolving information disorder operations on India. On international rhetoric, China’s actions have been rather curious since the start of this instalment of tensions along the LAC. For example, just a day before a Union minister in India called for a ban on Chinese food, the Chinese government-owned Global Times ran a positive story about Indian restaurants in Shanghai.
Of course, Beijing may not restrict its response to the cyber domain. An in-depth report on Chinese investment in India stated that it increased ‘five-fold’ in 3 years since 2014. And an FT article from February indicated that Chinese investors had invested in 54 rounds of funding 2019.
So an economic escalation could very well be on the cards if China chooses to go down that road. With the economic hardship that the slowing economy and pandemic has already inflicted, this unprecedented step by the Union government could cause India some pain too.
Prateek Waghre is a research analyst at The Takshashila Institution