In instructions issued on April 28 by the Ministry of Electronics and Information Technology and Computer Emergency Response Team India (CERT-In), amidst a lush forest of legalistic recitals, nestled an order to the vendors of virtual private networks (VPNs) to perform KYC (“know your customer”) on their users and retain usage logs for five years. The rules will come into effect next month.
The order confirms that the Modi government wants an asymmetric information surveillance society. He wants his affairs to be perfectly opaque (think election bonds, filibuster Pegasus) and the actions of the public to be perfectly transparent.
For VPN providers, ordering is a poison pill. They sell privacy through end-to-end encryption and location masking. Requiring them to file KYCs and keep usage logs defeats the purpose.
In fact, the command is a clever way to bankrupt VPNs in India without banning them, like China and Russia did. A ban would unnecessarily excite the Western press and institutions such as Human Rights Watch and the UN, which are already concerned about restrictions on freedom of expression in India, whether through internet throttling and shutdowns as in Kashmir, or by simple arrests, as in the case of Jignesh Mevani.
Market leader NordVPN has threatened to pull its servers from India rather than comply. For them, it probably doesn’t matter. They only have one accessible server located in Mumbai, while there are 16 in the US and four in the UK. A server agreement is common in markets much smaller than India, such as Thailand and Argentina. Other providers like SurfShark say that it is technically impossible for them to store user data because it is systematically overwritten in server RAM. Others like ExpressVPN talk about a “disturbing attempt to undermine citizens’ digital rights”.
Who Uses VPNs? A broad spectrum, from advocates in hostile terrain to criminals, for the same reason ― flying under the radar. Proponents of free speech want to protect the former, while CERT-In wants to attack the latter. Corporations are power users, but seem to be tacitly excluded from government order.
In between are ordinary citizens, tired of being tracked by platforms, or simply trying to access the US Netflix catalog from India. Internet technologies are dual-use, as the technology is morally agnostic. Before VPNs were a thing, there was The Onion Router (Tor), which bounced traffic off at least three servers to shake up trackers. Tor was created for militants in authoritarian countries, but criminals quickly made it the gateway to the Darknet, where stores sold contraband ranging from homemade drugs to assassination services (it was sobering to discover , on an assassin’s rate card, that the life of a major newspaper publisher is cheaper than that of a minor politician).
In 2016, the FBI led Operation Hyperion against illegal Darknet storefronts and their customers. The onion network was compromised and Tor lost trust. The state and corporations have moved in. Checking the ownership of its exit nodes, where traffic is decrypted, found security agencies, spammers and scammers, who were obviously snooping on the plaintext as it exited Tor.
VPNs are like Tor, but when it comes to security, the resemblance to BlackBerry is even stronger. Once Canada’s most valuable commodity, it closed very quietly in January, sidelined by iPhones and droids. But the downfall of the cult device with delicate little keys and cast-iron safety began in 2008, when the Manmohan Singh’s government demanded access to its network. There was an immediate reason: the terrorists in the Mumbai attacks had used BlackBerrys and Indian security forces couldn’t crack the encryption.
In 2013, BlackBerry gave in to keep the Indian market and gave real-time access to user mail, BBM messages and browsing data. The internet, as the name suggests, is interconnected and nothing happens in isolation. Users understood that if one person’s security was compromised, so was the security of many. The distrust was palpable, and if VPNs bow to government demands, they will repeat history – without even the excuse of a 26/11, as no particular threat is now visible.