Indian Government Now Wants VPNs To Collect And Turn Over Personal Data On Users

from the turning-citizens-into-open-books dept

The government of India still claims to be a democracy, but its decade-long assault on the internet and the rights of its citizens suggests it would rather be an autocracy.

The country is already host to one of the largest biometric databases in the world, housing information collected from nearly every one of its 1.2 billion citizens. And it’s going to be expanded, adding even more biometric markers from people arrested and detained.

The government has passed laws shifting liability for third-party content to service providers, as well as requiring them to provide 24/7 assistance to the Indian government for the purpose of removing “illegal” content. Then there are mandates on compelled access — something that would require broken/backdoored encryption. (The Indian government — like others demanding encryption backdoors — refuses to acknowledge this is what it’s seeking.)

In the name of cybersecurity, the Indian government is now seeking to further undermine the privacy of its citizens. The government’s cybersecurity agency is now requiring almost every entity using a computer to give it a heads-up when they’re hacked.

India’s nodal cybersecurity agency, Computer Emergency Response Team (CERT-In), has directed all service providers, intermediaries, data center providers, corporates, and government organizations to report cyber incidents within six hours of their detection.

That’s an ok thing to ask for. The next part, however, isn’t:

The new directions issued by CERT-In also require virtual asset, exchange, and custodian wallet providers to maintain records on KYC and financial transactions for a period of five years. Companies providing cloud, virtual private network (VPN) will also have to register validated names, emails, and IP addresses of subscribers.

Taking the “P” out of “VPN:” that’s the way forward for the Indian government, which has apparently decided to emulate China’s strict control of internet use. And it’s yet another way the Indian government is stripping citizens of their privacy and anonymity. The government of India wants to know everything about its constituents while remaining vague and opaque about its own actions and goals.

CERT-In claims this directive closes gaps that have “hindered incident responses.” It also claims that stripping users of anonymity and privacy will guarantee a “safe and trusted internet” in India. That seems unlikely. It’s not going to make citizens trust their government more. And it’s going to push users to other services located outside of the government’s control that may subject residents to data harvesting by even less trustworthy entities. That’s only going to create more problems and it will do nothing to protect the safety of India’s internet users.


Comments on “Indian Government Now Wants VPNs To Collect And Turn Over Personal Data On Users”

21 Comments
Naughty Autie says:

The reasonable part of the law:

India’s nodal cybersecurity agency, Computer Emergency Response Team (CERT-In), has directed all service providers, intermediaries, data center providers, corporates, and government organizations to report cyber incidents within six hours of their detection.

The incentive for not obeying the law:

The new directions issued by CERT-In also require virtual asset, exchange, and custodian wallet providers to maintain records on KYC and financial transactions for a period of five years. Companies providing cloud, virtual private network (VPN) will also have to register validated names, emails, and IP addresses of subscribers.

And the rest of the world is facepalming at the Great Firewall of India.

Naughty Autie says:

Re: Re: Re:3

To make sure you’re paying the correct amount of tax, actually. So yes, it’s to make sure you’re paying enough tax (anti-fraud), but it’s also to make sure you’re not paying too much (anti-error). That’s still a limited purpose related to taxation. If you haven’t got any better rebuttals, maybe it’s time to stop rebutting your head against a brick wall.

Anonymous Coward says:

Re: Re:

That’s not quite the same. A more analogous example would be:
In a country whose Constitution guarantees the right to bear arms, would it be acceptable for the government to require that every citizen report to the government the gun model, bullet type, and target every time the citizen shoots something?

Anonymous Coward says:

Re:

The idea a VPN could be used for nefarious things doesn’t justify stripping everyone of privacy.

Some need a VPN because of repressive countries like India in order to get around state censorship or learning things the government would prefer to keep hidden or even journalists reporting on things.

Also VPNs have ways of knowing what you’re doing on their networks. That whole “no tracking” promise they make? That’s a lie.

That One Guy (profile) says:

Re:

Privacy and the ability to meet and/or talk in person without the government able to listen and record what’s said also allow such behavior, so quick question: how many cameras would it be acceptable for them to install in your house to keep track of any potential illegal activities you might be considering?

(To head off a potential objection I’m sure they would be happy to give you a pinky-promise that despite the cameras rolling constantly they’ll only actually look when they’ve got super-duper serious reason to do so and no-one in the government would ever abuse the access.)

Anonymous Coward says:

Slightly less than ok

India’s nodal cybersecurity agency, Computer Emergency Response Team (CERT-In), has directed all service providers, intermediaries, data center providers, corporates, and government organizations to report cyber incidents within six hours of their detection.

There are at least two problems with this.
The most important problem is that the CERT-In could take advantage of these reports to attempt to breach and to collect a ton of data about the services and clients.
Another problem is that a service provider hit with a really bad cyber incident might not have working infrastructure or sufficient human power to make the report. If the service provider doesn’t have enough time to patch up a breach, then making the report prematurely could compromise more data from the service provider.

Anonymous Coward says:

All that NordVPN will have to do is close down its servers in India, problem solved

If none of their servers are in India, they do not have to comply with Indian law

VPN providers did that same thing and pulled their servers out of Russia when Russia passed their VPN restrictions, so that the Russian government cannot enforce their laws on that.

As for payments, NordVPN and other providers can simply go Bitcoin-only, if countries try to cut off Master, Visa, Amex, etc.

Bitcoin, if done right, is untraceable

Anonymous Coward says:

Re: Re:

NordVPN servers are still up in India.

It is possible they could be taking another tack. Turn on logging on their India servers, but not on any of the others.

A server outside of India does not have to follow India law.

As long as the company, itself, does not have offices there, they only have to follow Indian law on their servers in India.

Anonymous Coward says:

And tell me how long it’ll be before the same thing happens in the USA, then happens in the UK, in the EU, then worldwide? And the whole object is to take away any semblance of power and control that the ordinary people have or might get, making it harder to get info on the same fuckers who want to know everything possible about us! Govts, security services and, most importantly, the entertainment industries are after whatever they can find out about us but are shit scared about us finding out a damn thing about their dirty, double dealings! All of this has been instigated by those industries and almost every country on the planet is doing whatever they’re told so that the Internet is taken away from us and total control given to them!!

kokabi (profile) says:

I’m in favor of everything within the law, given the current security situation, control will not be superfluous, not only in India but also in any country with a large population. I was able to pick up an official VPN on this site https://mrspyer.com/track-location-with-phone-number/ , a very good selection with the main characteristics. I recommend it. Thanks to the author for the interesting information.
 
