Policing the VPN

A recent directive of the Indian Computer Emergency Response Team (Cert-In) requiring Virtual Private Network (VPN) service providers to store user data for five years, is yet another step to make India a full-fledged surveillance state with all other internet based free flow of information already being policed by the current government.

Journalists, activists and others who use VPNs to hide their Internet footprint will now be in a quandary to think whether to use such devices. Law enforcement agencies however have welcomed the move, which will make it easier to track criminals using VPNs, they have claimed.

Experts, however, believe that governments and their agencies can easily misuse such a rule. They also point out that this may drive VPN users, especially the criminals and terrorists, towards the dark and deep web that are much tougher to police than VPN services.

This will enable the government to take action against users accessing contents that are blocked in the country using VPNs, such as the game PUBG Mobile. The government has not yet blocked VPNs though. They can still be used to access contents that are blocked in areas of most common usage of the services.

VPNs record user data through logging, which could mean maintaining the logs of users’ browsing activity, like online behavior, connection timestamps and more like customer names, their physical addresses, email IDs, phone numbers, reasons they use the service, dates from which they use it, and their ownership pattern.

Additionally, Cert’s directive asks VPN providers to keep a record of the IP and email addresses that the customer uses to register the service along with the timestamp of registration. Importantly, VPN providers will have to store all IP addresses that its customers generally use.

Some VPNs log data required to enforce device caps, measure how much data they have used, and monitor network performance. Many services log browsing data, metadata about a person’s usage, websites they have visited, IP addresses involved and more. Others like Hola VPN also collect information on other apps installed on a person’s phone and when they register or sign in to social media, in keeping with the firm’s privacy policy. The name and email address of a user is available to any VPN service.

India has already become a surveillance state with 10 law enforcing security agencies authorized to tap citizens’ mobile phones, their use of all the Internet based platforms including social media presence. Orders to this effect were notified in December 2018.

A bill to safeguard privacy of citizens in keeping with the Supreme Court of India having declared privacy as a fundamental right by a nine-judge bench unanimously is pending before the Standing Committee of Parliament on Information Technology.

Ban on VPNs will be an infringement to people’s fundamental right to privacy and impact adversely even corporates which might look for secure connections from prying rivals. VPN servers from foreign soil however will continue to allow users to bypass blocking rules by the government.

(The writer is a former civil servant. Views are personal)