Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Businesses Privacy Your Rights Online

India Says VPN Firms Unwilling To Comply With New Rules 'Will Have To Pull Out' of the Country (techcrunch.com) 49

India is pushing ahead with its new cybersecurity rules that will require cloud service providers and VPN operators to maintain names of their customers and their IP addresses and suggested firms unwilling to comply to pull out of the world's second largest internet market. From a report: The Indian Computer Emergency Response Team clarified on Wednesday that "virtual private server (VPS) providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organisations" shall follow the directive, called Cyber Security Directions, that requires them to store customers' names, email addresses, IP addresses, know your customer records, financial transactions for a period of five years. The new rules, which were unveiled late last month and go into effect late June, won't be applicable to corporate and enterprise VPNs, the government agency clarified. Several VPN providers have expressed worries about India's new cybersecurity rules. NordVPN, one of the most popular VPN operators, said earlier that it may remove its services from India if "no other options are left." Rajeev Chandrasekhar, the junior IT minister of India, said that VPN providers who wish to conceal who uses their services "will have to pull out."
This discussion has been archived. No new comments can be posted.

India Says VPN Firms Unwilling To Comply With New Rules 'Will Have To Pull Out' of the Country

Comments Filter:
  • when a government doesn't understand the internet, it gives you those stupid un-enforceable policies...

    • I guess, but the policies are, in fact, mostly enforceable. Some people will find their way around it, of course... but they're aiming at the majority.

      If they were unenforceable, companies wouldn't be vacating the country.

  • by Viol8 ( 599362 ) on Wednesday May 18, 2022 @09:29AM (#62545874) Homepage

    You expect it from banana republics, china, russia etc but not from so called democracies like india. But it seems all governments in one form or another are sliding down the slippery slope of removing online privacy and control from their citizens. Its only going to end in one place - a crippled internet for most people with those who know how (including criminals) simply bypassing any controls using black market software. Politicians are so techno illiterate its farcical.

    • by DarkOx ( 621550 ) on Wednesday May 18, 2022 @09:39AM (#62545904) Journal

      I have to agree, sadly.

      Slashdot loves to say "blah blah the internet routes around the damage" but when the damage is coordinated effort by multiple large state actors, you start to run out of routes.

      I doubt anyone helping the policy makers in India (remember the actual policy makers probably can't tell you what a VPN even is) think they can prevent people from using VPNs. They do think they can identify the non-compliant commercial providers and go after them when they attempt to take payments - and they are probably right on this point.

      Delivering high thruput VPN is not free - eventually the paid providers will get on the right side of the law or dry up. Some others will go the ad/malware/spyware route to the point the users give up and leave. Yes there will always be some nerds that have one way or route traffic where they want it but it will be out of reach to most.

      • by sconeu ( 64226 )

        I look back at the late 90s and early 2000s and cry. We were so fucking idealistic, and look what happened.

        • I have felt this way too. In grad school there were so many good things happening. Apartheid collapsed. The Soviet Union collapsed. Things were looking up. Ok, a few bad things happened but there was enough press coverage to bring it to light that this was also good (ie, Rodney King). Of course, there were things chipping away at the foundations that were overlooked or assumed to go away in time, which they didn't.

      • by AmiMoJo ( 196126 )

        The other issue will be having servers in India, both for performance and so that Indian users can access geo-locked content.

      • Re: (Score:2, Informative)

        by MBGMorden ( 803437 )

        A VPN provider doesn't have to have a presence in India though to be useful for users there. The base corporation can exist anywhere its beneficial to with origin points in other countries.

        The only way to stop Indian users would be to
        a) Intentionally block them, which seems unlikely if they are not official operating in India,
        or b) the ISP's in India block traffic to the VPN's IPs, which is possible but ends up being a game of whack-a-mole thats hard to win.

        Realistically this will only be enforceable if a

        • A VPN provider doesn't have to have a presence in India though to be useful for users there. The base corporation can exist anywhere its beneficial to with origin points in other countries.

          The only way to stop Indian users would be to

          (SNIP)

          or b) the ISP's in India block traffic to the VPN's IPs, which is possible but ends up being a game of whack-a-mole thats hard to win.

          Realistically this will only be enforceable if a very large majority of world governments went down this path.

          I suspect that would be what happens since the government can directly reach local ISPs; and simply making them block VPN IP addresses under threat of fines is an easy, if somewhat ineffective, solution.

          They could attempt to go after VPN providers as well claiming their law applies even if you have no presence in India, much like the EU does for the GDPR, but that would be tough to enforce.

    • Its only going to end in one place

      This is always the case, every time. Something new comes along. It's wild west, then it's a horrible mess, then it's strongly controlled by governments/abused, and then finally we get some reasonable rules based on decades if not centuries of experience. Case in point, the printing press and the Printing Ordinance of 1643 which eventually placed anything coming out of a press under regulation, fast forward to the late 1700s when freedom of the press was popular among intellectuals in several countries.

      Wa

    • by Darinbob ( 1142669 ) on Wednesday May 18, 2022 @12:36PM (#62546410)

      India is stepping back from being an inclusive democracy, and reducing freedoms in many areas. That's what happens when you get a demogogue into power. The same issue is happening in Hungary. More scary is that CPAC, the conservative political group in the US, is going to have its next conference in Hungary because they're all in love with how that dictator is running things and gagging the media and kissing Putin's ass. In the last couple of decades there has been a very large and noticable step backwards from democracry around the world.

      The reason India is doing this is to help stifle dissenting voices, the same reason they are muzzling the press. Control the VPN and then like Russia you can start blocking Twitter and Facebook when they start criticizing the ruling party.

    • Did you know that India's laws prevent you from using anything above 40bits encryption? You can use higher with specific permission and submission of the keys.

      https://www.mondaq.com/india/t... [mondaq.com]

      I was surprised when I read thru the T&C from an ISP.

      Although some agencies are recommending higher bits for certain purposes, it's still not legal or you have to get permission / submit the decryption keys presumably.

      That law is over 10 years old, and has never been updated (and even 10 years ago, 40bits RSA was n

    • Comment removed based on user account deletion
    • by mjwx ( 966435 )

      You expect it from banana republics, china, russia etc but not from so called democracies like india. But it seems all governments in one form or another are sliding down the slippery slope of removing online privacy and control from their citizens. Its only going to end in one place - a crippled internet for most people with those who know how (including criminals) simply bypassing any controls using black market software. Politicians are so techno illiterate its farcical.

      India isn't really that functional of a democracy. There's a lot of vote rigging, vote buying, and other shenanigans going on. The nationalist government has been very soft on human rights abuses, rapes, et al whilst being quite aggressive against minority religions and populations. Actions like these are what we expect from a government that is a nationalist autocracy in all but name only.

      The Philippines has a more functional democracy and that is effectively four dynasties sharing control.

      You're rig

  • by Lohrno ( 670867 ) on Wednesday May 18, 2022 @09:37AM (#62545898)

    On the one hand this is a real threat to online privacy protections.

    On the other hand this might have an effect on the fraudsters that India is now famous for.

    • by Anonymous Coward on Wednesday May 18, 2022 @10:14AM (#62546016)

      Unfortunately that won't be the case...

      "won't be applicable to corporate and enterprise VPNs"

      Fraud is institutionalized and sanctioned via corporation and local gov't.. Take a look at Mark Rober's latest YouTube video...

      • Comment removed based on user account deletion
        • The sentence here is distinguishing between privacy services, which are called VPNs, and systems used to connect intranets together and to allow remote users to join the office network, which confusingly are also referred to as VPNs despite being a completely unrelated thing (the idiots that decided to use the term VPN for the former need to be smacked.)

          Huh? In both cases all network traffic from the local computer is encrypted and sent through a single endpoint to then be routed at/by that endpoint. While the MOTIVATION is different in both cases (though still related), the technology is basically the same.

          • Comment removed based on user account deletion
            • by Anonymous Coward
              A VPN is nothing more than a private network that uses the public network to extend it's range. This definition applies to both a VPN service and a VPN used by a company for people to WFH etc.
      • That mark rober video is both great and terrifying. Literal mafia thugs showing up on someone's door to silence them, and it's condoned by the local corrupt police. It's awful to realize that's still happening in the world.
    • Re: (Score:3, Interesting)

      by mark-t ( 151149 )

      Gonna get modded down here, but there should be no expectation of privacy when you are in public.

      And it's pretty hard to argue that being online isn't essentially the same thing as being in public (with regards to online activities). VPN's might obfuscate your details from others, but it doesn't obfuscate it from the VPN provider itself, and there's no reason to expect that the VPN provider should be obligated to not log details about you when you are directly interacting with it.

      • Although that may be true, you're setting up a very dangerous set of expectations for the public: "Everything you do is ours to scrutinize in hindsight."

        The key benefit of human memory is it's ability to forget. To remove unneeded data now even if it might be useful later. That ability is one of the core components of human society and it's failure in certain cases (lost loved one due to an accident for example) is an underlying cause of multiple human atrocities through out history. Computers don't forge
        • by xalqor ( 6762950 )
          Right. People have less privacy now, and to properly deal with that everyone needs to be more tolerant... It's going to take a while to reach a new equilibrium where society is able to successfully handle what technology makes possible.
        • by mark-t ( 151149 )
          I never suggested you should mandate that there is no expectation of privacy in such environments... I simply said that one should not expect it, nor do I think anyone has an inherent obligation to respect it outside of human decency which is and must remain a personal choice for each of us.
  • Coming Soon... (Score:4, Interesting)

    by hyades1 ( 1149581 ) <hyades1@hotmail.com> on Wednesday May 18, 2022 @09:52AM (#62545940)

    I'd love to know the Indian version of "Mike Hunt", "Hu Fharded", "Hubicha Kokov", "Won-hung Fat" and a bunch more. I bet they'll become rather common names on the files of VPN companies if the Indian government gets away with this. It would be much better, of course, if the VPNs just moved beyond the reach of Indian law, and left it to potential clients to find them if they can. There's no point in having a VPN if all it's doing is turning your personal data over to a religious nutcase like Narinder Modi.

    • India has a national unique ID system for its citizens. Backed up with biometrics. I suspect that anyone seeking to open a business there would need to provide the identities of its officers as a part of that application. The CEO that lists his name as Hugh Jardonne is ssking for legal trouble.

      It would be much better, of course, if the VPNs just moved beyond the reach of Indian law

      This seems to be the better approach. After all, one reason for a VPN is to engage in activity not allowed in the local jurisdiction. So the user, service and intermediating VPN need to be outside of the jurisdiction

  • If you get the phone/internet scammer industry to lobby against this, it won't happen. The authorities to a ridiculous height are in their pockets and protecting them, and this directly threatens their business.
    • Per TFS this won't affect corporate VPNs, those guys have corporations right?

      • Per TFS this won't affect corporate VPNs, those guys have corporations right?

        Of course; can't impact the flow of money to government officials. Think of their children...

      • I took it to mean "It won't apply if you're using a VPN to connect to a corporate network" and wouldn't apply if it's a bunch of scammers using NordVPN or something like that to hide their location or access another country's resources.

        Unless they have offices in the target countries (or anywhere else, really), then they can just VPN to those offices and be exempt.
  • It's the internet, stupids. So citizens will have to use a foreign payment system to pay for their foreign VPN, so what? It's always smarter to use a foreign VPN provider anyway.

  • "Corrupt Officials Dont Like Others Sidestepping Their Schemes"
  • Dynamic IP. What good is it to record customer's IP addresses when they're constantly changing, probably at random times?
  • It's amusing that /. readers have gotten so clueless that they don't understand that these bans can actually be enforced.

    The way that you ban them is you get a list of the VPN endpoints and tell ISPs to block them. It's not hard to do. In fact, you can get a list of VPN IPs for free.

    Sure there will be people bypassing the block, but who cares?

    • Like the ban on pirate bay... It is banned for everyone who doesn't normally use it anyway and anyone who wants to use it can find a way around the ban easily enough...
  • Setup random IP circulation and random session id circulation and stream the data directly to the government, a constant barrage of data, millions of records every second (whether changed or not) with a session id to IP match record and equally a session id to customer id stream, the government would need to find the exact second a given IP they want the customer for is accessed, then match it to the exact same second on the session ID to customer ID stream (not stored, streamed, no timestamps, that is up t
    • by xalqor ( 6762950 )

      Why would the government bother with such a scheme when they can show up at the VPN provider's office with an order to get the data they want?

      Also, if you send them so much data they didn't ask for, they might identify the "malicious compliance" as a denial of service attack and charge you with computer crimes.

      • Well, you'd have to get an international court order to show up to an office in a different country... Also, this whole scheme is about not having to go through courts to get the data, so here is the data...

You know you've landed gear-up when it takes full power to taxi.

Working...