The Standing Committee on Home Affairs recently reiterated its stance on Virtual Private Networks or VPNs, asking for them to be permanently blocked. We wrote to the Ministry of Home Affairs (MHA), highlighting why VPNs are important and asking for the committee’s proposal to be put through a public consultation that includes criminologists, technologists, industry and civil society organisations.
On 15th March, 2021, the Standing Committee on Home Affairs presented its report on 'Atrocities and Crimes against Women and Children’ to the parliament. Chapter 5 of the report dealt exclusively with cyber crimes against women and children. In it, the Committee noted that, with respect to the challenges in dealing with cyber crimes:
- In instances where the offender is not located in the state in which a cyber crime has been committed, local law enforcement must provide optimum support to the travelling investigating officers .
- Better coordination with foreign cyber crime agencies is necessary to curb trans-national cyber crimes.
- Virtual Private Networks (VPNs) allow their users to bypass security walls and allow criminals to retain a sense of anonymity, and so these VPNs must be permanently blocked.
Basically, the committee asked the MHA to work with the Ministry of Electronics and Information Technology (MeitY) to block VPNs and to ‘strengthen tracking and surveillance mechanisms’!
MeitY responded to these recommendations by stating that section 69A of the Information Technology Act, 2000 allows the government to block public access to information in certain cases such as in the interest of the sovereignty and integrity of India. Additionally, MeitY said that the blocking of information is done either in compliance of a court order or in pursuance of the recommendation of an inter-ministerial committee constituted under the Information Technology (Procedure and Safeguards for Blocking for Access of Information for Public) Rules, 2009. Thus, the ministry can block such VPNs only after receiving such a request.
As reported by media outlets, on 10th August, 2021, the Standing Committee responded to the MEITY’s response in its report on ‘Action Taken by the Government on the Recommendations/Observations contained in its Two Hundred Thirtieth Report on 'Atrocities and Crimes against Women and Children’ ’. In the report, the committee said that this response was “incomplete” and reiterated its stance on VPNs:
The Committee notes the incomplete reply of the MeitY as no information has been provided on coordination mechanisms with international agencies to block VPNs permanently and initiatives taken/proposed to strengthen the tracking and surveillance mechanisms to put a check on the use of VPN and the dark web. The MHA may put its efforts in getting such information from MeitY and furnish the same to the Committee.
But what is a VPN?
- Once a user has downloaded the VPN software, all their data traffic is encrypted by the software before being transmitted. This encrypted data is then transmitted over the internet. This helps prevent telecom service providers from snooping in on the traffic data of subscribers and end users.
- Now, the encrypted data is received by both the user’s Internet Service Provider’s (ISP’s) server as well as the VPN server. However, the ISP cannot track the user’s data as it is encrypted. On the other hand, the VPN server decrypts the data and forwards the web request to the relevant website. Once it receives the requested information (such as, for example, a web page or an email), the VPN server encrypts this information and sends it back towards the user over the internet.
- This process ends when the encrypted information is decrypted by the user’s local VPN software and served to the user. Once again, as it is encrypted, the ISP cannot track this information.
Why VPNs are important
VPNs help to protect information security in multiple ways. Firstly, VPNs are increasingly used by business and government agencies to secure confidential information online. Not only do VPNs provide a secure channel for storing and sharing information, organisations can also use their local VPNs to provide remote access to network resources for their employees. For these very reasons, the usage of business VPNs is increasing, especially in light of the COVID-19 pandemic induced filip to digitalisation. Industry response to the media reports about the proposed ban on VPNs has illustrated these concerns, with businesses saying that such a move would be “counterproductive” as organisations employing work-from-home protocols have been using VPNs to conduct their business remotely. Businesses have also deployed VPNs to secure sensitive information.
These realities have also been recognised by the government, as can be seen by steps taken to encourage work-from-home protocols in the IT sector: on 5th November, 2020, the Ministry of Communications announced new guidelines for Other Service Providers (OSPs) in the IT industry. These guidelines allowed OSPs to use VPNs to integrate call networks and sanctioned the use of private VPNs. This illustrates the necessity of VPNs for modern economic activity.
Contrary to popular perception, cyber security experts often promote VPNs to help keep internet users safe and their sensitive personal information private. During FY 2020-21, 59% of Indian adults were victims of a cyber crime. The increase in cyber crimes and online fraud has made protecting data security important for individuals. As a result, many citizens are resorting to the use of VPN services to secure their information when using public or unsecured networks: in the first six months of 2021, India saw 348.7 million VPN installations, a year on year growth of 671%. The comprehensive encryption protocols generally deployed by VPNs secure user data against diverse threats and provide citizens with an effective tool to fight online profiling for commercial purposes.
VPNs also help secure digital rights under the Constitution of India specially for journalists, whistleblowers and activists. The encrypted nature of information transfer over VPNs allows them to not only to secure the confidential information but also to safeguard their own identity, thus protecting them from surveillance and censorship. VPNs as a privacy advancing technology that often implement encryption protocols fall squarely within the protection of the fundamental right to privacy articulated by the Supreme Court in the Right to Privacy judgement.
Lastly, there are increasing instances wherein ISPs continue to discriminate against certain types of internet content and block them with impunity. These instances conform with observations from a larger study published by the Centre for Internet and Society. In it, researchers found that the website blocklists of licensed internet service providers (ISPs) across India are widely inconsistent with one another, suggesting that a larger pattern wherein internet providers are either a) not complying with blocking orders or b) arbitrarily blocking websites without legal orders. Given that the Department of Communications is yet to operationalise the Telecom Regulatory Authority of India’s recommendations on enforcing net neutrality, VPNs are a key tool in the fight for net neutrality as they allow users to sidestep arbitrary blockings of websites by ISPs that are without any legal basis.
As has been pointed out by MEITY, legal instruments for the blocking of content already exist under section 69A of the Information Technology Act for specific websites and domains. With respect to requests for user information there exist mechanisms under Mutual Legal Assistance Treaty processes as well as provisions under the Code of Criminal Procedure which are often used by police departments. While greater coordination with foreign agencies is necessary to curb cyber crimes, such steps that may include operationaising and entry under the US Cloud Act are contingent on the passage of a data protection law and surveillance reforms.
We acknowledge the concerns of the Standing Committee and are aligned to make online communications safer for women and children. However, the proposal to ban VPNs will harm individual liberty and privacy, and are likely to be held unconstitutional. Thus, we call on the MHA to consider any such proposal only after seeking legal opinion and further opening up a public consultation process that is inclusive of criminologists, technologists, industry and civil society organisations, specially those with a focus on digital rights. This will help further the objective of ensuring public safety, especially of women and children, while protecting and advancing privacy preserving technologies.
- IFF”s letter to the Ministry of Home Affairs regarding ‘Recommendations of the Standing Committee on Home Affairs with respect ot Virtual Private Networks (VPNs)’ (link)
- Previous blogpost titled ‘Is the DoT doing a rethink on net neutrality? We press for transparency and enforcement #SaveTheInternet’ dated 26th August, 2021 (link)