In April, India passed a law that will severely curtail VPN activity in the country starting from June 27th, 2022. Why has the world’s largest democracy decided to follow the path set out by some of the world’s most repressive regimes, like Russia or China? More important still, will the new measures even work?
The New Law
First, though, let’s take a look at the law itself, which was put together by the CERT-In, the Indian Computer Emergency Team. It boils down to a set of KYC (know your customer) protocols that will force VPNs to register the name, email address, physical address, IP address, and phone number of users. VPNs will also have to keep logs; all this information is to be stored for five years (180 days in the case of technical requests).
Though having to reveal all your personal details to a VPN is bad enough — although, unless you signed up anonymously, it probably already knows a lot of that about you — it’s the mandatory logging that is raising the most hackles among VPN users. This is because having to keep logs strikes at the very heart of what a VPN does.
In this case, logs are records of where you connected and when, and any good VPN worth its salt does not keep them, it’s part of their pledge to privacy. The only legitimately private VPN is a no-log VPN, and thus forcing a VPN to keep them defeats their very purpose.
Not Just VPNs
That said, it should be made clear that it’s not just VPNs that are being targeted by this law, it strikes at providers of all manner of digital services. Web hosting providers, for example, as well as crypto exchanges and VPS providers are all meant to implement these new KYC directives. In a way, it will create a kind of database of Indian internet users.
Why It’s Being Implemented
As it stands, the new law will have far-reaching effects on the Indian internet. The government seems to understand this, but claims that it’s needed to stem the tide of cybercrime—especially financial fraud.
There’s no denying that the problem is pretty serious: Indian banks, for example, reported 5 trillion rupees ($13 billion) worth of damages on the books in May 2021. Figures on consumer fraud are much harder to find, but several reports mention large sums that cripple victims, sometimes for life. The U.S., too, is plagued by scam calls originating from the subcontinent.
According to the CERT-in itself, it handled almost 1.5 million reports of cybercrime in 2021; that’s a pretty high number even if you take into account that there’s a high likelihood many people don’t bother to report incidents.
By making online services register users, the Indian government is hoping to make it harder to perpetrate these crimes. If the VPN you’re using to mask your activity knows who you are, it’ll be easier to catch you. However, it’s not just criminals that use VPNs to hide their activity, but also political activists and journalists.
Human Rights Concerns
This is rather worrying as India has received poor rankings from international human rights organizations. An Amnesty International report details crackdowns by the Indian government on minorities as well as farmers protesting against government policy in 2021. The report details how India set up “a massive unlawful surveillance apparatus.”
According to Reuters, reporting or speaking out against these activities means you’ll be facing even more pressure from the government. Journalists and activists in India claim to have had their phones hacked and tapped.
While the law will certainly be a useful tool in fighting cybercrime—though never underestimate the ingenuity of people trying to get away with something—it could be used for more than that. According to Mishi Choudhary from the Software Freedom Law Center, in an interview given with Wired magazine: “it seems that the government of India is using every opportunity to make access to the internet much more controlled, as well as monitored.”
Whether or not this control will be aimed only at scammers and fraudsters or will also target journalists, lawyers and other activists remains to be seen.
What This Means for VPNs
However, if the Indian government is trying to exert more control over the country’s internet, it seems it won’t do so without encountering some resistance. When it comes to VPNs, major VPN providers like ExpressVPN and Surfshark have announced that they’ll be pulling out of the country, as has NordVPN. We can only assume plenty more will follow suit.
This doesn’t mean that Indian VPN users—which, collected by AtlasVPN make up roughly 20 percent of the population—are left completely without recourse. In this case, “pulling out” means that these VPN providers will simply abandon their servers in India, but still allow access to servers in other countries.
For example, a user in New Delhi, say, who normally accessed the internet through a server in Mumbai will now have to access it through a server in another country. Though this probably won’t be a problem for too many people, it will inconvenience plenty more as a farther away server will slow down their connection.
Another problem is that by pulling their servers out of India, VPN customers will no longer be able to use Indian IP addresses. Most likely, this problem will be addressed by using so-called virtual servers: machines that can spoof IP addresses, giving you an Indian IP while based somewhere else entirely. That said, these virtual servers aren’t always reliable, and it’s unclear if the Indian law could give CERT-In authority over Indian IPs.
Skirting the Law
The question remains, though, what kind of action VPNs may face for circumventing the new law: for example, whether VPNs will be sanctioned in some ways for allowing Indian users access without registering them. This and many other questions will likely only be answered once the law goes into effect.
Naturally, it won’t just be VPN providers that will be trying to get around the new law, users themselves have several options open to them. As we see in China, people will find new and innovative ways to access the free internet. The new law makes it so you can’t use an India-based VPN or server, but that doesn’t mean people won’t tunnel out some other way.
Whatever happens, it seems the Indian internet won’t be like it was before.