The dangers the proposed VPN ban can fight are real, but such a solution enfeebles individual liberty and privacy
As stated by MeitY, legal instruments for the blocking of content already exist under section 69A of the Information Technology Act for specific websites and domains. (Representative image)
By Rohin Garg
On August 10, 2021, the standing committee on home affairs reiterated its stance on VPNs in its 233rd report on ‘Action Taken by the Government on the Recommendations/Observations contained in its 230th Report on ‘Atrocities and Crimes against Women and Children’.
In the 230th report, the committee had stated that VPNs allow their users to bypass security walls and allow criminals to retain a sense of anonymity, thus these VPNs must be permanently blocked. The ministry of electronics and information technology (MeitY) said that it could block such VPNs only after receiving a request and satisfaction of grounds under section 69A of the Information Technology Act, 2020.
However, the standing committee found this response to be incomplete, and so, in the 233rd report, asked the ministry of home affairs (MHA) to ask MeitY what steps it had taken with regards to the blocking of VPNs. So where does that leave Indian VPN users?
As a start, it may be helpful to understand why VPNs are used and what services they provide. For example, VPNs are increasingly used by business and government agencies to secure confidential information online. Many organisations use local network VPNs not only to provide a secure channel for storing and sharing information, but also to provide remote access to network resources for their employees.
For these reasons, the usage of business VPNs has increased, especially due to the Covid-19 induced fillip to digitalisation: “Of those surveyed, nearly 70% of employees said their companies have expanded business VPN usage with 29% of organisations using a VPN for the first time.” Industry response to the media reports about the proposed ban on VPNs has illustrated these concerns, with businesses saying that such a move would be “counterproductive” as organisations employing work-from-home protocols have been using VPNs to function remotely.
These realities have also been recognised by the government, as seen from the steps taken to encourage work-from-home protocols in the IT sector—on November 5, 2020, the ministry of communications announced new guidelines for Other Service Providers (OSPs) in the IT industry, which allowed OSPs to use VPNs to integrate call networks, and sanctioned the use of private VPNs. Such happenings illustrate the necessity of VPNs for modern economic activity.
During FY21, 59% of Indian adults were victims of a cybercrime. The increase in cybercrimes and online fraud has made data security important for individuals, especially in cases of accessing public networks at airports or eateries. As a result, many are resorting to the use of VPNs to secure their information. In the first six months of 2021, India saw 348.7 million VPN installations, a year-on-year growth of 671%.
It must be noted here that VPNs are not completely secure. Many private VPNs deploy encryption protocols that are not impenetrable. Moreover, even if the protocol deployed is safe, private VPNs (especially many of the ‘free’ VPNs) may still collect your information themselves. However, certain relatively secure options do exist, and users can also set up their own VPN networks to ensure greater security. In such a context, it is not surprising to see an increase in VPN usage.
VPNs help secure digital rights under the Constitution of India, especially for journalists, whistleblowers, and activists. While standard VPNs may not provide the level of security needed to keep them safe, AES- or PGP-encrypted VPNs may provide them with a strong security cover. The use of tools such as VPNs as a privacy-advancing technologies that often implement encryption protocols falls squarely within the protection of the fundamental right to privacy articulated by the Supreme Court in the Puttaswamy judgement.
Lastly, there are increasing instances wherein ISPs continue to discriminate against certain types of internet content and block them with impunity. These instances conform with observations from a larger study published by the Centre for Internet and Society published in January 2020; the research found that the website blocklists of licensed ISPs across India are widely inconsistent, suggesting that a larger pattern wherein internet providers are either not complying with blocking orders or arbitrarily blocking websites without legal orders.
Given that the department of communications is yet to operationalise the Trai’s recommendations on enforcing net neutrality, VPNs are key in the fight for net neutrality as they allow users to sidestep arbitrary blocking of websites by ISPs without any legal basis. As stated by MeitY, legal instruments for the blocking of content already exist under section 69A of the Information Technology Act for specific websites and domains.
With respect to requests for user information there exist mechanisms under Mutual Legal Assistance Treaty processes as well as provisions under the Code of Criminal Procedure which are often used by police departments. Thus, the necessity of such an extreme proposal must itself be questioned. To this extent, one hopes that the MHA will conduct consultations with criminologists, technologists, industry, and civil society organisations before implementing any bans that may excessively curb the digital rights of millions of Indians. Making the internet a safer place for women and children is a task of paramount importance in modern, digital India. The solution to such issues, however, must not come at a disproportionate cost to individual liberty and privacy.
Policy counsel (Regulation & Social Welfare), Internet Freedom Foundation
Subscribe to FE Daily Newsletter for latest updates on markets, business, money, infra & more, right in your mailbox