Veiled threats to privacy

Context: Cert-In recently issued a new directive making it mandatory for VPN service providers to keep user data for at least five years and share records with authorities when required.

This new regulation threatens free speech and privacy.

What is a VPN?
What are the different use cases of VPNs?

By surfing through a VPN, users can mask a large proportion of personal data, obfuscate location, and conceal surfing patterns. This makes them useful to people with many different use-cases. For instance: They can be used by the following –

Human rights activists who don’t wish to be tracked by hostile regimes

Corporates seeking end-to-end encryption for communications. Also, in the WFH era, corporates routinely give a geographically widespread set of employees secure log-ins tied to a single VPN-based location

People who wish to access geo-blocked websites, and content. VPNs allow users to communicate privately, and to access websites that autocrats block. For instance: Russia, Iran and China block and ban VPNs, and hand out jail-time and fines for anybody caught using them.

People who wish to access online banking services only available to residents of a given country

Those who simply wish to protect their data

People who want to access Netflix or Amazon Prime content from, let’s say, Mexico, while sitting in Delhi.

VPN providers offer combinations of privacy, and data security. Most keep no logs of users, and maintain as little user-data as possible.

How does a VPN provide privacy and data security?

Somebody who’s not using a VPN has an IP address, which translates to their location. This is visible to every website that the user visits. The internet service provider (ISP) can also track the surfing patterns of the user, enumerating every website that is visited.

That is, if user X visits websites A, B, and C, the service provider knows all about it. Websites A, B, C also know where X is coming from, using which ISP, etc. If the ISP has instructions to block any given websites, it can prevent the user from going to those sites.

User X also leaks other data and metadata to any website visited.

When user X uses a VPN however, several types of masking happen.

As far as the ISP is concerned, the VPN is the only site that X is visiting. The VPN re-routes and redirects the user to wherever, without informing the ISP.

Second, the IP address changes to that of the VPN, as far as any other website is concerned. If it’s a good VPN, one also ceases to leak data in the same way.

In 2021, about 20% of India’s surfers used VPNs, up from around 3.3% in 2020.
How have VPN providers responded?

New directives by the govt not only run counter to the entire use case for VPNs, it is also technically impossible for many of them to comply with.

VPN servers are not only not configured to keep logs; they are often designed to actively delete logs.

Some VPN providers have already started walking out of India, which is no surprise.

Source: This post is based on the article “Veiled threats to privacy” published in the Business Standard on 3rd June 22.

Print Friendly and PDF