In a radical move that has polarised internet users, the Parliamentary Standing Committee on Home Affairs has urged the Indian government to prohibit Virtual Private Networks (VPNs). Citing the proliferation of cyber threats on these encrypted services, the Committee has recommended that a mandate be issued to Internet Service providers (ISPs), which blocks the usage of commonly employed VPN protocols and ports. It has also proposed a coordination mechanism that works in tandem with the Ministry of Electronics and Information Technology (MeitY) to ban VPNs permanently.
Any restriction on VPNs, however, threatens to impinge on the privacy rights of citizens, as they would no longer be able to obscure their online identities. In particular, it will be detrimental to businesses and industries which have increasingly relied on these technologies to maintain confidentiality and conduct remote operations. Against this backdrop, the government will have its work cut out in reconciling the diverse interests of stakeholders.
A SCREEN OF ANONYMITY
True to its name, a VPN masks the Internet Protocol (IP) address on a public WiFi connection by creating a private network within it. The virtual network is then encrypted against any outside interference so that ISPs, malware, third-party trackers, or other malicious actors do not get access to data flows and internet traffic. In other words, VPNs are commonly utilised as a digital tool to secure networks and digital assets from cyberthreats.
Under the VPN system, the original IP address is disguised by assigning remote addresses connected to other servers. Since the data is tunnelled to these exit nodes, it makes it look like the system is being operated from other parts of the world. This not only helps to conceal the physical location and identity of users but also allows them to access prohibited services in a region. For instance, VPNs can be used to access Google in China, even though the latter is banned in the country.
Recognising this loophole, Beijing has imposed tight regulations on the use of VPNs. Other countries that regulate or ban their use include Russia, Belarus, Iraq, North Korea, Oman and the U.A.E. If the recommendation of the Parliamentary Committee on Home Affairs is adopted, India would be the latest jurisdiction to prohibit such VPNs.
THE PROHIBITION RATIONALE
This is not the first time that government agencies in democratic countries have come out against the use of VPNs. For instance, in July 2021, British and American authorities had alleged that Russian hackers were misusing VPNs to hide their nefarious activities online. Now, a similar rationale has been employed by the Indian Parliamentary Committee to propose a ban on VPNs.
According to it, VPN services pose a security challenge for the country, as they allow unsolicited operations by cybercriminals. Akin to the dark web, they can bypass security walls and remain anonymous online. Since they are commonly advertised on several websites, such VPNs can also be downloaded quite easily by any layperson.
Just as ordinary users rely on these encrypted networks to protect their privacy and identity, threat actors can misuse them to escape surveillance. This renders it difficult for law enforcement agencies to track down their activities, forcing them to rely on other surveillance methods, which are relatively more expensive.
Another concern that has been flagged in policy circles relates to the leakage of data. For instance, in July 2021, cybersecurity researchers at vpnMentor had discovered that 1.2 terabytes of private user data were exposed online by seven VPN providers. This included email addresses, device IDs, passwords, home addresses and internet activity logs of nearly 20 million users. In light of such risks, the Indian Parliamentary Committee has effectively advised the Centre to take action against VPNs.
STRIKING A BALANCE
While the concerns raised by the Committee are legitimate, critics point out that a complete prohibition of VPNs will hinder data protection. Apart from ordinary users whose privacy will be compromised, the ban will impact companies who use these encryption tools to safeguard corporate data and secure communication lines.
It is worth remembering that VPNs often act as the first line of defence against hackers, malware and third-party attackers on online platforms. By creating a closed network for employees, they prevent threat actors from snooping, even if they use the same public WiFi networks. This is especially important in an era where the COVID-19 pandemic has normalised remote working and accelerated the transition to a digital economy.
Today, every company, including the cloud industry, appears to be shifting to a VPN-based solution. Therefore, any attempt to proscribe the same would be counterproductive, as all organisations that run their operations remotely and conduct transactions online would be left in the lurch.
In addition to this, VPNs afford better protection against ads and marketing trackers. Users are afforded a degree of anonymity while browsing online, thereby preventing advertisers from accessing their sensitive data like shopping profiles and purchase history. Similarly, VPNs can be deployed as an additional security cover by journalists, whistle-blowers, and other activists, who fear surveillance or repression by authoritarian regimes. They can also be used to bypass arbitrary restrictions on websites placed by governments or ISPs, especially when there is no legal basis.
Owing to all these factors, the government will have to engage in a carefully calibrated cost-benefit analysis before vetoing the use of VPNs. It must objectively analyse whether law enforcement officers can track down criminals, despite their use of VPNs. In this regard, studies seem to suggest that the police can request usage and connection logs from VPN service providers, subject to a court order in many jurisdictions. The Indian government must evaluate whether a similar approach can be adopted to strike a balance between the interests of different stakeholders. As with any other encryption technology, the key lies in breaking the impasse between ‘national security’ concerns and ‘privacy rights’ of citizens.
- Implementing an outright ban on VPNs may set the wrong precedent, as it will undercut the internet’s reputation as a ‘safe medium’ to conduct businesses. Any restriction on encrypted tools, therefore, should be narrowly tailored to achieve the legitimate objectives of law enforcement.
- In this context, the tests of proportionality laid down by the Indian Supreme Court in Puttaswamy Union of India will serve as a good guiding principle. The Ministry of Home Affairs should also conduct extensive consultations with cyber experts, criminologists, civil society members and other stakeholders before proscribing the use of VPNs.
- If the VPN ban is implemented, it could potentially run into conflict with other policies of the Central government. For instance, in 2020, the government had announced sweeping changes to its regulations for the tech industry, allowing companies to run their own VPN services. The ‘Other Service Providers’ (OSPs) sector, in particular, had been encouraged to use these encrypted networks in light of the growing ‘work-from-home’ trends in the IT industry. Given this reality, any policy inconsistency at this point would make for poor optics.