India Says VPN Firms Unwilling To Comply With New Rules 'Will Have To Pull Out' of the Country (techcrunch.com) 49
India is pushing ahead with its new cybersecurity rules that will require cloud service providers and VPN operators to maintain names of their customers and their IP addresses and suggested firms unwilling to comply to pull out of the world's second largest internet market. From a report: The Indian Computer Emergency Response Team clarified on Wednesday that "virtual private server (VPS) providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organisations" shall follow the directive, called Cyber Security Directions, that requires them to store customers' names, email addresses, IP addresses, know your customer records, financial transactions for a period of five years. The new rules, which were unveiled late last month and go into effect late June, won't be applicable to corporate and enterprise VPNs, the government agency clarified. Several VPN providers have expressed worries about India's new cybersecurity rules. NordVPN, one of the most popular VPN operators, said earlier that it may remove its services from India if "no other options are left." Rajeev Chandrasekhar, the junior IT minister of India, said that VPN providers who wish to conceal who uses their services "will have to pull out."
good luck (Score:2)
when a government doesn't understand the internet, it gives you those stupid un-enforceable policies...
Re: (Score:3)
I guess, but the policies are, in fact, mostly enforceable. Some people will find their way around it, of course... but they're aiming at the majority.
If they were unenforceable, companies wouldn't be vacating the country.
Re: good luck (Score:2)
They're enforceable on the public. They are unenforceable on the criminals they seek to catch. Anyone who thinks this harms threat actors has rocks in their head.
Re: (Score:2)
Their aim *is* the public. They want to control average person. They know they can't control criminals/terrorists.
Re: good luck (Score:2)
Never attribute to malice what is easier explained by stupidity
I'm tired of these authoritarians (Score:5, Insightful)
You expect it from banana republics, china, russia etc but not from so called democracies like india. But it seems all governments in one form or another are sliding down the slippery slope of removing online privacy and control from their citizens. Its only going to end in one place - a crippled internet for most people with those who know how (including criminals) simply bypassing any controls using black market software. Politicians are so techno illiterate its farcical.
Re:I'm tired of these authoritarians (Score:4, Insightful)
Seems to me large part of the US south is socially stuck in the 19th century. That has a few plus points wrt crime and punishment but mostly negative. I wouldn't want to live there.
Re: (Score:3)
There are nice people in the south. But they do seem to be turning into a minority; but maybe it's because the yahoos have learned to monopolize the megaphones (magaphones?).
Re: (Score:2)
Re:I'm tired of these authoritarians (Score:5, Insightful)
I have to agree, sadly.
Slashdot loves to say "blah blah the internet routes around the damage" but when the damage is coordinated effort by multiple large state actors, you start to run out of routes.
I doubt anyone helping the policy makers in India (remember the actual policy makers probably can't tell you what a VPN even is) think they can prevent people from using VPNs. They do think they can identify the non-compliant commercial providers and go after them when they attempt to take payments - and they are probably right on this point.
Delivering high thruput VPN is not free - eventually the paid providers will get on the right side of the law or dry up. Some others will go the ad/malware/spyware route to the point the users give up and leave. Yes there will always be some nerds that have one way or route traffic where they want it but it will be out of reach to most.
Re: (Score:3)
I look back at the late 90s and early 2000s and cry. We were so fucking idealistic, and look what happened.
Re: (Score:3)
I have felt this way too. In grad school there were so many good things happening. Apartheid collapsed. The Soviet Union collapsed. Things were looking up. Ok, a few bad things happened but there was enough press coverage to bring it to light that this was also good (ie, Rodney King). Of course, there were things chipping away at the foundations that were overlooked or assumed to go away in time, which they didn't.
Re: (Score:3)
The other issue will be having servers in India, both for performance and so that Indian users can access geo-locked content.
Re: (Score:2, Informative)
A VPN provider doesn't have to have a presence in India though to be useful for users there. The base corporation can exist anywhere its beneficial to with origin points in other countries.
The only way to stop Indian users would be to
a) Intentionally block them, which seems unlikely if they are not official operating in India,
or b) the ISP's in India block traffic to the VPN's IPs, which is possible but ends up being a game of whack-a-mole thats hard to win.
Realistically this will only be enforceable if a
Re: (Score:2)
A VPN provider doesn't have to have a presence in India though to be useful for users there. The base corporation can exist anywhere its beneficial to with origin points in other countries.
The only way to stop Indian users would be to
(SNIP)
or b) the ISP's in India block traffic to the VPN's IPs, which is possible but ends up being a game of whack-a-mole thats hard to win.
Realistically this will only be enforceable if a very large majority of world governments went down this path.
I suspect that would be what happens since the government can directly reach local ISPs; and simply making them block VPN IP addresses under threat of fines is an easy, if somewhat ineffective, solution.
They could attempt to go after VPN providers as well claiming their law applies even if you have no presence in India, much like the EU does for the GDPR, but that would be tough to enforce.
Re: (Score:2)
Its only going to end in one place
This is always the case, every time. Something new comes along. It's wild west, then it's a horrible mess, then it's strongly controlled by governments/abused, and then finally we get some reasonable rules based on decades if not centuries of experience. Case in point, the printing press and the Printing Ordinance of 1643 which eventually placed anything coming out of a press under regulation, fast forward to the late 1700s when freedom of the press was popular among intellectuals in several countries.
Wa
Re:I'm tired of these authoritarians (Score:5, Insightful)
India is stepping back from being an inclusive democracy, and reducing freedoms in many areas. That's what happens when you get a demogogue into power. The same issue is happening in Hungary. More scary is that CPAC, the conservative political group in the US, is going to have its next conference in Hungary because they're all in love with how that dictator is running things and gagging the media and kissing Putin's ass. In the last couple of decades there has been a very large and noticable step backwards from democracry around the world.
The reason India is doing this is to help stifle dissenting voices, the same reason they are muzzling the press. Control the VPN and then like Russia you can start blocking Twitter and Facebook when they start criticizing the ruling party.
Re: (Score:2)
Did you know that India's laws prevent you from using anything above 40bits encryption? You can use higher with specific permission and submission of the keys.
https://www.mondaq.com/india/t... [mondaq.com]
I was surprised when I read thru the T&C from an ISP.
Although some agencies are recommending higher bits for certain purposes, it's still not legal or you have to get permission / submit the decryption keys presumably.
That law is over 10 years old, and has never been updated (and even 10 years ago, 40bits RSA was n
Re: (Score:2)
Re: (Score:2)
You expect it from banana republics, china, russia etc but not from so called democracies like india. But it seems all governments in one form or another are sliding down the slippery slope of removing online privacy and control from their citizens. Its only going to end in one place - a crippled internet for most people with those who know how (including criminals) simply bypassing any controls using black market software. Politicians are so techno illiterate its farcical.
India isn't really that functional of a democracy. There's a lot of vote rigging, vote buying, and other shenanigans going on. The nationalist government has been very soft on human rights abuses, rapes, et al whilst being quite aggressive against minority religions and populations. Actions like these are what we expect from a government that is a nationalist autocracy in all but name only.
The Philippines has a more functional democracy and that is effectively four dynasties sharing control.
You're rig
I do not know how to score this one. (Score:5, Insightful)
On the one hand this is a real threat to online privacy protections.
On the other hand this might have an effect on the fraudsters that India is now famous for.
Re:I do not know how to score this one. (Score:4, Informative)
Unfortunately that won't be the case...
"won't be applicable to corporate and enterprise VPNs"
Fraud is institutionalized and sanctioned via corporation and local gov't.. Take a look at Mark Rober's latest YouTube video...
Re: (Score:2)
Re: (Score:3)
The sentence here is distinguishing between privacy services, which are called VPNs, and systems used to connect intranets together and to allow remote users to join the office network, which confusingly are also referred to as VPNs despite being a completely unrelated thing (the idiots that decided to use the term VPN for the former need to be smacked.)
Huh? In both cases all network traffic from the local computer is encrypted and sent through a single endpoint to then be routed at/by that endpoint. While the MOTIVATION is different in both cases (though still related), the technology is basically the same.
Re: (Score:2)
Re: (Score:1)
Re: I do not know how to score this one. (Score:2)
Re: (Score:3, Interesting)
Gonna get modded down here, but there should be no expectation of privacy when you are in public.
And it's pretty hard to argue that being online isn't essentially the same thing as being in public (with regards to online activities). VPN's might obfuscate your details from others, but it doesn't obfuscate it from the VPN provider itself, and there's no reason to expect that the VPN provider should be obligated to not log details about you when you are directly interacting with it.
Re: (Score:1)
The key benefit of human memory is it's ability to forget. To remove unneeded data now even if it might be useful later. That ability is one of the core components of human society and it's failure in certain cases (lost loved one due to an accident for example) is an underlying cause of multiple human atrocities through out history. Computers don't forge
Re: (Score:2)
Re: (Score:2)
Coming Soon... (Score:4, Interesting)
I'd love to know the Indian version of "Mike Hunt", "Hu Fharded", "Hubicha Kokov", "Won-hung Fat" and a bunch more. I bet they'll become rather common names on the files of VPN companies if the Indian government gets away with this. It would be much better, of course, if the VPNs just moved beyond the reach of Indian law, and left it to potential clients to find them if they can. There's no point in having a VPN if all it's doing is turning your personal data over to a religious nutcase like Narinder Modi.
Re: Coming Soon... (Score:3)
India has a national unique ID system for its citizens. Backed up with biometrics. I suspect that anyone seeking to open a business there would need to provide the identities of its officers as a part of that application. The CEO that lists his name as Hugh Jardonne is ssking for legal trouble.
It would be much better, of course, if the VPNs just moved beyond the reach of Indian law
This seems to be the better approach. After all, one reason for a VPN is to engage in activity not allowed in the local jurisdiction. So the user, service and intermediating VPN need to be outside of the jurisdiction
The real fix for this (Score:1)
Re: (Score:2)
Per TFS this won't affect corporate VPNs, those guys have corporations right?
Re: (Score:2)
Per TFS this won't affect corporate VPNs, those guys have corporations right?
Of course; can't impact the flow of money to government officials. Think of their children...
Re: (Score:1)
Unless they have offices in the target countries (or anywhere else, really), then they can just VPN to those offices and be exempt.
snicker (Score:2)
It's the internet, stupids. So citizens will have to use a foreign payment system to pay for their foreign VPN, so what? It's always smarter to use a foreign VPN provider anyway.
Alt headline (Score:2)
Two words: (Score:2)
The policies can be enforced easily (Score:2)
It's amusing that /. readers have gotten so clueless that they don't understand that these bans can actually be enforced.
The way that you ban them is you get a list of the VPN endpoints and tell ISPs to block them. It's not hard to do. In fact, you can get a list of VPN IPs for free.
Sure there will be people bypassing the block, but who cares?
Re: (Score:1)
Malicious compliance? (Score:1)
Re: (Score:2)
Why would the government bother with such a scheme when they can show up at the VPN provider's office with an order to get the data they want?
Also, if you send them so much data they didn't ask for, they might identify the "malicious compliance" as a denial of service attack and charge you with computer crimes.
Re: (Score:1)