India's internet privacy and how it doesn't actually exist

Dhruv | Aug 6, 2022

If you are in India, you must have heard about debates that went on for VPN and Personal data protection(PDP) bill. With VPNs being controlled and no data protection law in sight, the right to privacy for internet anonymity is being erased.


What is a VPN

VPN stands for “virtual private network” — a service that protects your internet connection and privacy online. It creates an encrypted tunnel for your data, protects your online identity by hiding your IP address, and allows you to use public Wi-Fi hotspots safely.

Uses of VPN

Use of a VPN can be justified for a variety of reasons. Most people useit for internet anonymity, safety, and freedom as justifications (unblocking restricted or censored material).

  • Because they only see the IP address of the VPN server you’re connected to, websites, marketers, streaming services, governments, and cybercriminals can no longer use your IP address to identify you. Additionally, they won’t be able to determine your actual location because to others, you will appear to be where the VPN server is located. Therefore, using a VPN will prevent your online behaviour from being associated with your IP address. One can browse the internet more anonymously using this method.
  • Strong encryption techniques used by a VPN secure your data traffic, virtually prohibiting data reading and intercept. Why is this crucial? Nowadays, a lot of people are interested in listening in on or spying on what you are doing online. Governments and cybercriminals are only two of the many groups interested in your internet activity. It is far more difficult for them to access your data because of the security a VPN provides. As a result, your internet
  • By enabling you to connect to a server in another location, a VPN can assist you in getting around censorship and restrictions. You can use this method to access the internet as if you were in a different nation. You will be able to access websites and services that are unavailable in your home country in this way.

There are a lot more uses but in a nutshell, people can use VPN to protect their right to privacy which holds that the right to privacy is protected as a fundamental right under Articles 14, 19 and 21 of the Constitution of India.

What Indian Government has done?

The new cybersecurity standards require data centres, cloud service providers, and VPN service providers to retain client information for a minimum of five years, including names, email addresses, phone numbers, and IP addresses.

The directive issued by the government mandates VPN providers to maintain the following data as part of the know your customer (KYC) policy for a period of five years:

  • Validated name of subscribers/customers
  • Period of hire
  • IPs allotted to the user
  • Email address, IP address and time stamp used at the time of registration.
  • Purpose of hiring services
  • Validated address and contact numbers
  • Ownership pattern of the subscribers

Essentially, this will eliminate one of the major benefits and use cases of VPN – anonymity. According to the directive, CERT-In can at any time ask these service providers to furnish this data. A failure to furnish the data will result in punitive action under the IT Act, 2000 and other applicable laws.

How it effect users

According to the new regulations, extensive know-your-customer (KYC) verification procedures may be required of VPN users in India before they can subscribe to a service. This can entail explaining why they choose to use it. Internet freedom campaigners say that this could result in the government learning personal information about users.

Why this sucks!

First of all, this beats the major purpose of VPN which is internet anonymity. The countries where VPN is banned include China, Belarus, Iraq, North Korea, Oman, Russia and the UAE. The current regulations by Indian government does not ban VPNs but they are rendering them useless if servers are hosted in India.

The rules have the potential to cause a great deal of harm, particularly in the absence of a data protection law. While there is a clear need for enhanced cybersecurity, when you ask for indiscriminate data collection, everyone is at risk - and there is greater risk for people already at risk, such as activists, journalists, dissenters, minorities.

India Personal Data Protection(PDP) Bill

What was it about

The repealed Personal Data Protection Bill, 2019, would have made it easier to request that personal data be erased and would have required internet giants like Meta and Google to obtain specific consent for most uses of a person’s data. Such measures have been adopted by nations all over the world, including Europe with the General Data Protection Regulation.

After India’s privacy law plan of 2019, it also floated new proposals to regulate “non-personal data”, a term for data viewed as a critical resource by companies that analyse it to build their businesses. The parliamentary panel had said such non-personal data should be included in the purview of the privacy bill.

The bill also exempted government agencies from the law “in the interest of sovereignty” of India, a provision privacy advocates at the time said would allow agencies to abuse access.

However, privacy groups and a few legislators protested that the bill would have given the government unnecessarily extensive control over personal data while exempting law enforcement agencies and public entities from the law’s requirements, presumably for grounds of national security.

Ofcourse, government took it back

A government notice on 3rd August,2022 said the decision came as a parliamentary panel’s review of the 2019 bill suggested many amendments, leading to the need for a new “comprehensive legal framework”. The government will now “present a new bill”, the notice added.

However, a number of attorneys and experts assert that laws are urgently required to protect people’ online privacy and hold businesses accountable for improperly utilising or disclosing users’ personal information. Many Indians were shocked by the quick withdrawal of the bill by a government that rarely gives in to political pressure. According to Apar Gupta, the executive director of the Internet Freedom Foundation, a digital rights organisation with offices in New Delhi, “it’s not about achieving a flawless law, but a law at this moment.” “Each day lost results in more damage and injury.”

Why all of this concerns me

This all concerns me as a citizen of world’s largest democracy.

  • Firstly, we all know how privacy has just been a facade in India and how right to privacy is infringed without any consequences. Take for example, live-in relationships. Majority of population still abhore it and even many courts have stated that they are not morally correct. I don’t get how this sits well with the fundamental right of privacy that have been granted to us as citizens of India by the Honourable Supreme Court.
  • Government banning no-log VPNs and making them keep logs of user activities just kills the right. While this maybe helpful to stop cybercrime but infringing one’s right to do it doesn’t seem sane. Imagine someone watching you all the time even inside your home and seeing your every activity. Dreadful, right! This is what’s happening to our internet privacy.
  • No good Personal Data Protection law. Here, I will say “Government tried but what they tried was to have a PDP law which exempts enforcement agencies and public entities from the law’s requirements.”. They rescinded the law but it gave us an insight of government’s measures and how they want to keep track of everyone all the time. Don’t forget about that the government is planning to roll out a GPS based toll system for vehicle owners that will render current fastag system redundant which will make each vehicle to be fitted with a GPS chip so government can track you. With no PDP law and all known misuse of information by agencies, this is just a slap on the face of right to privacy.

I agree, governments are not perfect. They need time to figure things out and do some stuff. But privacy laws have been talked about a lot. Other countries have got their privacy laws but the biggest democracy is still struggling with it. Add to it, the banning of anonymity using VPNs and Indian government telling VPN Companies: “VPNs That Refuse to Log Customer Data Should Leave the Country”, it gets worse. There is nothing to add more to it. But this sucks.