Listen to this article:
In directions issued on April 28 by the Ministry of Electronics and Information Technology and the Indian Computer Emergency Response Team (CERT-In), amidst a lush forest of legalistic whereases, nestled an order to Virtual Private Network (VPN) providers to perform a KYC (‘know your customer’) on their users and maintain usage logs for five years. The rules become enforceable next month.
The order confirms that the Modi government wants an information-asymmetric surveillance society. It wants its affairs to be perfectly opaque (think electoral bonds, the stonewalling on Pegasus) and the doings of the public to be perfectly transparent.
For VPN providers, the order is a poison pill. They sell privacy through end-to-end encryption and masking location. Requiring them to file KYCs and maintain usage logs defeats the purpose.
In fact, the order is a clever way of putting VPNs out of business in India without actually banning them, like China and Russia did. A ban would needless excite the Western press and institutions like Human Rights Watch and the UN, which are already concerned about restrictions on free speech in India, whether by internet throttling and shutdowns as in Kashmir, or by straightforward arrest, as in the case of Jignesh Mevani.
Market leader NordVPN has threatened to pull its servers out of India rather than comply. For them, it’s probably not a big deal. They have only one accessible server located in Mumbai, while there are 16 in the US and four in the UK. The one-server deal is common in markets much less important than India, like Thailand and Argentina. Other providers like SurfShark say that it is technically impossible for them to store user data because it is routinely overwritten in server RAM. Others like ExpressVPN are speaking out about a “worrying attempt to infringe on the digital rights of citizens”.
Who uses VPNs? A wide spectrum, from rights workers on hostile ground to criminals, for the same reason ― to fly under the radar. Free speech proponents want to protect the former, while CERT-In wants to go after the latter. Corporates are power users, but seem to be tacitly excluded from the government’s order.
In between are regular citizens, tired of being tracked by platforms, or just trying to access the Netflix US catalogue from India. Internet technologies are dual use, because technology is morally agnostic. Before VPNs were a thing, there was The Onion Router (Tor), which bounced traffic across at least three servers to shake off trackers. Tor was created for activists in authoritarian countries, but criminals soon made it the gateway to the Darknet, where stores sold contraband from homemade drugs to assassination services (it was sobering to discover, on an assassin’s rate card, that the life of a top newspaper editor is cheaper than a minor politician’s).
In 2016, the FBI led Operation Hyperion against the Darknet’s illegal storefronts and their customers. The onion network was compromised and Tor lost trust. The state and businesses moved in. Checking the ownership of its exit nodes, where traffic is decrypted, one found security agencies, spammers and scammers, who were obviously snooping on plaintext as it left Tor.
VPNs are like Tor, but on the question of security, the resemblance to BlackBerry is even stronger. Once Canada’s most valuable product, it closed down very quietly this January, shouldered aside by iPhones and Droids. But the fall of the cult device with the fiddly little keys and cast-iron security began in 2008, when the Manmohan Singh government demanded access to its network. There was an immediate reason: the terrorists in the Mumbai attacks had used BlackBerrys and the Indian security forces couldn’t break the encryption.
In 2013, BlackBerry buckled to keep the India market and gave real-time access to users’ mail, BBM messages and browsing data. The internet, as its name suggests, is inter-networked, and nothing happens in isolation. Users understood that if the security of one was compromised, so was the security of many. The withdrawal of trust was palpable, and if VPNs buckle to the government’s demands, they will repeat history ― without even the excuse of a 26/11, because no special threat is now visible.