Indian ISPs Continue Futile Effort To Prevent Subscribers From Using Decent Encryption
from the good-luck-with-that dept
The global war against privacy tools, VPNs and encryption continues, utterly unhinged from common sense, and the assault on consumer privacy remains a notably global affair. Reddit users recently noticed that India’s fifth-largest ISP, YOU Broadband, is among several of the country’s ISPs that have been trying to prevent customers from using meaningful encryption. According to the company’s updated terms of service, as a customer of the ISP you’re supposed to avoid using encryption to allow for easier monitoring of your online behavior:
“The Customer shall not take any steps including adopting any encryption system that prevents or in any way hinders the Company from maintaining a log of the Customer or maintaining or having access to copies of all packages/data originating from the Customer.”
Of course, enforcement of such a requirement is largely impossible. But YOU Broadband isn’t just being randomly obtuse, and while the ISP’s TOS is making headlines, this effort isn’t really new. Most Indian ISPs are simply adhering to a misguided (and still not adequately updated) set of 2007 guidelines imposed by India’s Department of Telecommunications (word doc) demanding that ISPs try and prevent their subscribers from using any encryption with greater than a 40-bit key length if they want to do business in India:
“The Licensee shall ensure that Bulk Encryption is not deployed by ISPs connecting to Landing Station. Further, Individuals/Groups/Organizations are permitted to use encryption upto 40 bit key length in the symmetric key algorithms or its equivalent in other algorithms without having to obtain permission from the Licensor. However, if encryption equipments higher than this limit are to be deployed, individuals/groups/organizations shall do so with the prior written permission of the Licensor and deposit the decryption key, split into two parts, with the Licensor.”
Which in and of itself is rather hysterical, given that since 1996 or so, most folks have considered a 40-bit key length to be the security equivalent of wet tissue paper. In fact, Ian Goldberg won $1,000 from RSA for breaking 40-bit encryption in just a few hours way back in 1997, saying this at the time:
“This is the final proof of what we’ve known for years: 40-bit encryption technology is obsolete.”
And yeah, that was twenty years ago. But this sort of policy is pretty standard fare in India, which is no stranger to censorship, internet filtering, and blind, often-mindless expansion of surveillance. India’s government has also been at the forefront of attempting to impose backdoors in encryption, and there’s a recent effort in some corners to attempt to ban WhatsApp as well.
I’ve yet to see any ISP successfully enforce this ridiculous governmental restriction (if you’re in India and you have, let us know in the comment section precisely how). But it’s still part of an over-arching mindset that sees standard, intelligent privacy and security practices as an enemy that must be thwarted. Usually either to expand government surveillance, prop up idiot ham-fisted internet filters (as we’re seeing in Russia, China and India), or to erode consumer rights in the face of what are endless attempts to monetize your online behavior.
Comments on “Indian ISPs Continue Futile Effort To Prevent Subscribers From Using Decent Encryption”
Enforcement
This may not be about direct enforcement, but rather their local counterpart of how many US companies write absurd Terms-of-Service that allow them free rein by ensuring that nobody is actually compliant, so arbitrary and capricious enforcement becomes standard.
How does HTTPS Work?
I thought https has 2048 RSA encryption as standard. Is visiting a ‘secure’ https website against TOS?
Re: How does HTTPS Work?
By the letter of the rules in India? Yes.
Isn’t WhatsApp pretty popular in India? And wouldn’t its encryption make it kind of illegal? So how exactly do the ISPs deal with that? Or maybe I should ask how does WhatsApp deal with it in India and what does it do about this?
Businesses want the data for targeted advertising, to sell more junk for landfill, and continue fueling the perpetual growth that is destroying life on earth.
Politicians support the businesses because they are paid by them to do so. They also want the data to build targeted political propaganda bots, and keep gaming the system by exploiting the ignorance and suggestibility of the correct subpopulations, so they can continue manufacturing “consent”.
Defense wants the data to spy on the politicians’ enemies and try to manage blowback from the politicians’ corrupt perpetual wars. Defense contractors just want the politicians’ corrupt perpetual wars.
Civil society wants none of these things and outnumbers them all by 1000000:1. Get a good VPN and never turn it off.