Veiled threats to privacy

Every VPN operating in India will now be required to carry out KYC on users and keep logs of their usage for five years

Devangshu Datta
Last Updated: Jun 03 2022 | 11:20 PM IST

Virtual private networks, or VPNs, have many uses. By surfing through a VPN, users can mask a large proportion of personal data, obfuscate location, and conceal surfing patterns. This makes them useful to people with many different use cases.

Human rights activists who don’t wish to be tracked by hostile regimes use them; corporates seeking end-to-end encryption for communications use them; people who wish to access geo-blocked websites, and content, use them; people who wish to access online banking services only available to residents of a given country use them; those who simply wish to protect their data use them.

One common use case, for example, is accessing Netflix or Amazon Prime content from, let’s say, Mexico, while sitting in Delhi. Another common use case is a rupee transaction on some Indian website while sitting in London. A third increasingly common use case in the WFH era is corporates giving a geographically widespread set of employees secure log-ins tied to a single VPN-based location.

VPN providers offer combinations of privacy and data security. Most keep no logs of users and maintain as little user data as possible. Most VPN providers offer both free and paid services, with paid services tied to more bandwidth, a wider choice of servers, etc. A free user may only get the choice of using a server in, say, two or three countries, while a paid user may get the choice of servers based in many locations.

Authoritarian regimes hate VPNs for obvious reasons. VPNs allow users to communicate privately, and to access websites that autocrats block. To take three egregious examples, Russia, Iran and China block and ban VPNs, and hand out jail-time and fines for anybody caught using them.

In technical terms, somebody who is not using a VPN has an IP address, which translates to their location. This is visible to every website that the user visits. The internet service provider (ISP) can also track the surfing patterns of the user, enumerating every website that is visited.

That is, if user X visits websites A, B, and C, the service provider knows all about it. Websites A, B, C also know where X is coming from, using which ISP, etc. If the ISP has instructions to block any given websites, it can prevent the user from going to those sites. User X also leaks other data and metadata to any website visited.

When user X uses a VPN, however, several types of masking happen. First, as far as the ISP is concerned, the VPN is the only site that X is visiting. The VPN re-routes and redirects the user to wherever, without informing the ISP. Second, the IP address changes to that of the VPN, as far as any other website is concerned. If it’s a good VPN, you also cease to leak data in the same way.

In 2021, about 20 per cent of India’s surfers used VPNs, up from around 3.3 per cent in 2020. But while India doesn’t like being classified as an authoritarian regime, it shares attitudes with Russia, China, Iran, etc, when it comes to free speech and privacy. So, being India, it’s found a peculiarly bureaucratic way to try and prevent VPNs operating in India, without explicitly banning them.

At the end of April, CERT-In issued rules that became applicable in June. Every VPN operating in India will now be required to carry out KYC on users and keep logs of their usage for five years. Criminal cases with jail time and fines could be filed for non-compliance. In a further clarification, the government kindly allowed corporate users to circumvent these regulations, presumably because it has other ways to track corporate VPN usage.

This not only runs counter to the entire use case for VPNs, it is also technically impossible for many of them to comply with. VPN servers are not only not configured to keep logs; they are often designed to actively delete logs. Some VPN providers have already started walking out of India, which is no surprise. This new regulation adds another layer of threat in an ongoing assault on free speech and privacy.

Disclaimer: These are personal views of the writer. They do not necessarily reflect the opinion of www.business-standard.com or the Business Standard newspaper
