Rolling Series

Banning VPNs to Prevent Cybercrime: A Feasible Plan?

The blog is authored by Anshika Gubrele and Kaustubh Kumar, a 4th year B.A.LL.B Hons. student at Bharati Vidyapeeth (Deemed to be University) New Law College, Pune and a 2nd year BA.LL.B Hons. student at NUSRL Ranchi, respectively.

Header Image Credits: Pexels Free Photo


INTRODUCTION

With the rapidly industrialising and digitalising world, ‘privacy’ has become one of the major ethical and legal issues. In order to protect the data of citizens, consumers, employees as well as employers, various nations introduced and implemented data protection laws, for instance, General Data Protection Regulation (GDPR) in the European Union,[1] while some are still striving to introduce and implement them, for instance, India[2] and Pakistan.[3] Due to the absence of adequate infrastructure and legislations regulating the same, business houses have started heavily relying on Virtual Private Networking (hereinafter referred to as ‘VPN’).

A VPN is an application that provides end-to-end encryption to any computer device connected through the internet. The VPN provides a secure private web connection regardless of the distance between the two systems connecting. It plays a crucial role in maintaining the privacy of the data transmitted from one system to another by highly encrypting it, thereby securing the data and minimising the chances of hacking, adulteration with data, and so on.[4]

However, a report tabled by the Hon’ble Parliamentary Standing Committee on Home Affairs on August 10, 2021, after keenly watching the excessive use of VPN, suggested a ban on Virtual Private Networking.[5] The Committee is of the view that a blanket ban should be imposed on the VPN application as well as VPN service providers.[6] The moot question that this article endeavours to deal with is whether this blanket ban would harm the country, given that the Industrial Revolution 4.0 is the future that aims to digitalise each aspect of human life, backed with Artificial Intelligence (AI) and Internet of Things (IoT), that is, from medicine to law, conservation of the environment to AI-powered automated weapons for warfare, etc.[7] Data privacy is going to be a major concern in a digitalised world, and VPNs, to a major extent, are likely to act as a kernel in filling that void to protect the data. Considering the importance and the benefits of VPNs, the paper throws light on the pros and cons of the suggestion made by the committee and lays down some suggestions and recommendations towards the end to deal with the issue.

Functioning of VPNs And its Benefits

Instances such as the sale of data by companies and individuals for their benefit,[8] constant monitoring of users by big-tech giants (such as surveillance by Google and Facebook),[9] hacking of big databases (such as the Zomato and Dominos data breaches),[10] etc., are enough to showcase the erosion of personal data at an alarming rate. As a result, VPN became a panacea for users to prevent their ‘privacy’ from turning into a ‘myth’. A VPN creates a private network and masks the IP address, making the tracing of the actual user difficult so as to maintain his/her privacy. As per the reports, the VPN market was estimated at 35.4 billion dollars in 2020 and is likely to expand manifold, reaching a size of 107.6 billion dollars by 2027.[11] Nearly one-third of the population residing in the world has used or is using VPN.[12] Moreover, another study mentions that when consumers were asked why they use VPN, most of them gave one and the same answer, i.e., to prevent identity theft.[13]

Apart from providing a safe harbour to consumers by protecting their private data through end-to-end encryption, VPNs also secure the system from any malware, trojan or other virus attacks.[14] Data suggests that antivirus and/or in-built firewalls struggle to protect the system from about 75 percent of the viruses.[15] They are majorly efficient against already known viruses and malware and fail when it comes to nascent ones. Depending on the VPN that a company uses, VPNs provide encryption keys that can be used to retrieve or decrypt the information encrypted while sharing, uploading or storing files over an internet connection.[16]

VPN services also help an individual remotely access data by storing the encrypted data in cloud storage. If one’s system gets stolen, then he can remotely access the same through a secured server.[17] Another major benefit of using VPN is that it provides a safe harbour from international/national censorship, for instance in Indonesia, India, Saudi Arabia, etc. Indonesia is a country where access to social media and ‘negative’ content (porn, hate speech, terrorism, etc.) is restricted.[18] Consequently, citizens extensively utilise VPNs in order to get access to this content, making Indonesia the biggest VPN user in the world. India and Saudi Arabia (along with other middle-east nations) stand at second and third positions respectively, making Asia the highest VPN user compared with the rest of the world.[19] Though various reports show variation in the ranking, with some placing India at the first rank in VPN use,[20] it can be concluded that the two major nations of South Asia are the biggest consumers of VPN.

BACKGROUND OF THE ISSUE

Apart from the benefits mentioned, VPNs also possess various loopholes that have enough potential to put a person in huge trouble. VPNs do not provide a mechanism for consumers to check their effectiveness. Though VPNs provide a secure mechanism by encrypting data and maintaining the anonymity of a system, the problem arises when VPN service providers themselves utilise data against you. For instance, suppose a cybercriminal creates a free VPN application and you utilise the same for your business purposes. The data that you upload, share, download, fill in at various websites, etc., becomes known to the VPN service provider, i.e., to that cybercriminal here, and you might soon face big trouble.

Another major issue is the use of VPN by cybercriminals to commit cybercrime and maintain their anonymity. For instance, in June 2021, the Dutch National Police (Politie) along with Europol’s European Cybercrime Centre (EC3), Eurojust, the FBI and the UK National Crime Agency in an international law enforcement operation seized the web domains and servers of an underground VPN utilised by cybercriminals in conducting ransomware attacks, phishing attacks and other forms of cyberattacks by hiding their identity. The VPN was even highly advertised on the Dark Web for just 25$ to facilitate other criminals.[21]

Another example to elucidate the issue can be of Safe-Inet – a VPN used by cybercriminals. The VPN was utilised for over a decade by cybercriminals to conduct ransomware attacks, E-skimming breaches, and other cyberattacks. Law enforcement agencies identified more than 250 companies that were spied on by cybercriminals through this VPN, maintaining their anonymity. The VPN service has its influence in various European countries including Germany, Switzerland, the Netherlands, France and the United States.[22] Though there are a plethora of such examples where law enforcement agencies have taken down the domains and seized the infrastructure of the VPN services, these two examples are enough to showcase the gravity of the issue.

The mala fide uses of VPN by cybercriminals also include the sale and purchase of child pornography, stolen data, drugs, weapons and other illicit material through the Dark Web as well as the Surface Web. It is also used in various types of scams and loot. In India, VPN is also used excessively to access illegal websites, for instance, pornographic content. As per the reports, after a restriction on access to pornographic content, the consumer base of VPNs surged nearly 405% to 57 million in just twelve months starting from October 2018 in India.[23] The reports further observed that consumers are majorly using “free” VPNs that are not at all free, as they sell consumers’ personal data and make money.[24] Consequently, rather than maintaining the anonymity and privacy of the user, these VPNs infringe those rights and profit from the same.

Owing to these very reasons, the Parliamentary Standing Committee on Home Affairs suggested the Government of India ban VPNs with the help of Internet Service Providers (ISPs).[25] As per the committee, the VPNs backed with/along with Dark Web pose a major threat to society by facilitating cybercriminals in maintaining anonymity and bypassing the cybersecurity walls employed to protect the mechanisms.[26] The Committee, taking note of the fact that VPN services are easy, free of cost and readily available in India, has recommended the Ministry of Home Affairs (MHA) to coordinate with the Ministry of Electronics and Information Technology (MeitY) so as to identify and block the VPNs.[27] The Committee even suggested that a ‘coordination mechanism’ must be developed with ‘international stakeholders’ so as to implement the ban effectively.[28] The MeitY, as per the report of the committee, should take initiatives to improve and develop state-of-the-art technology to strengthen the tracking and surveillance mechanisms on the utilisation of VPNs and the Dark Web.[29]

Analysing the Consequences of the Committee’s Suggestion

Though the bona fide suggestion of the committee is to benefit the citizens of the nation and bolster the cyberinfrastructure of the country, it is likely to have negative effects as well.

  1. Positive Effects

One of the most important reasons behind the Parliamentary Committee’s suggestion to ban VPNs is the technological challenges they pose. VPN services can be utilised by criminals committing cybercrimes in the cyber domain to remain anonymous and hide their real identities, which ultimately leads to difficulties during the investigation of such crimes. VPN services encrypt data and hide the IP address of the offenders, which helps them escape the grip of the law since they cannot be traced online. Therefore, banning VPNs is an attempt to minimise the rapidly increasing cybercrimes being committed in India. This can bring a positive outcome when cybercriminals can no longer use VPNs as their shields for committing such offences on the Dark Web and Surface Web. Subsequently, it will reduce the number of cybercrimes being committed in India, which have always been a hindrance to an individual’s privacy.

  2. Negative Effects

Owing to the threats posed by VPN, as discussed above, giant companies utilise their own internal server system and provide employees with their own private networks created on their server to encrypt the data and prevent any unforeseen cyberattack.[30] The companies employ large data discovery tools, which scan the movement of data from the systems (provided by the company in offices) utilised by the employees. Companies even restrict the flow of data outside company devices.[31] However, these servers/networks/mechanisms work effectively only with company devices utilised through the company’s server. For instance, when an employee shares any sensitive information from a company’s computer device to a personal device through the company’s server, the server immediately restricts this transfer, alerting the cyber experts employed in the company.

After the commencement of the COVID-19 pandemic, the whole world fell into a state of distress; so, the companies to protect their sensitive and private data. As a result, the Department of Telecommunication under the Ministry of Communication came up with a revised set of guidelines for Other Service Providers (OSPs).[32] The guidelines allowed the utilisation of VPNs by the employees working from home and remote places so as to protect the data of the companies.[33] The companies following the guidelines allowed the employees to use VPNs either free or paid to ensure privacy and data security. However, the suggestion to put a ban on VPNs is likely to do irreparable harm to such companies by leaving them without any remedies in maintaining privacy and data security.

Another important aspect is that watching pornographic films in your private rooms or space is still not ‘illegal’ in India. However, it is an offence when the same is manufactured, published and distributed, both under the Indian Penal Code, 1860[34] and the Information Technology Act, 2000.[35] The Supreme Court in India back in 2015 orally remarked in a case that watching porn in a private room may fall under the right to personal liberty enshrined under Article 21 of the Indian Constitution.[36] Therefore, it cannot be taken away by any authority except by the procedure established by law.[37] Ultimately, the Hon’ble Apex Court declined to pass an interim order to block pornographic websites in India.[38] In the same year, the Government of India also suggested that if Indian citizens use VPNs, then it would not impose a ban on porn in the country.[39] Now, if VPNs were banned, an individual’s right to watch pornographic films privately would also be violated.

Suggestions And Recommendations

In a developing digital economy like India, wherein people have been relying on networks for the transmission of data, the significance of cyber-security is directly proportional to the rate of growth. It is noteworthy that in such situations, the rapid growth of VPNs was supported.[40] Moreover, every technology comes with its own limitations, and VPNs likewise have some drawbacks, but the fact cannot be ignored that they provide secure networks which facilitate smooth and safe data transmission. Keeping in mind all the pros and cons, banning VPN is not the only solution to the problem put forth by the Parliamentary Committee. Therefore, we need to find alternative methods instead of permanently banning VPNs.

Since the pandemic began in 2020, work from home has become a norm. Easing the use of VPNs in the country was recommended back then to strengthen the newly adopted work from home mechanism, keeping in mind the ongoing crisis, as companies usually use intra-organizational networks for transmitting confidential and sensitive information or documents back and forth. Banning VPNs would hamper the private sector that is following this work from home model.[41]

Furthermore, VPNs are not something over which the service providers cannot keep a check, even when the traffic is encrypted. As anti-virus software does not provide the required protection, the necessity of VPNs can be observed in the current times. Banning them would simply mean removing the extra layer of security. The Government may lay down a separate set of guidelines providing enough cybersecurity mechanisms, to be followed by the VPN service providers, that are likely to minimise cyberattacks or access to the Dark Web. The Government shall allow access to only those VPN servers that strictly adhere to such guidelines and ban others.

It is crystal clear that the pros of using it can outweigh the cons. Therefore, banning it might do more harm than good for the country. It is far more judicious to provide law enforcement agencies with cyber skills and technical assistance that will help them catch such offenders.

In China, though VPNs have been banned, there are still certain VPNs that the government has pre-approved for use and that allow the government to scan internet traffic through these VPN servers. These are screened by the government itself and do not provide advanced security features to the users. Likewise, the Indian Government can also come up with its own VPNs, letting it keep a check on the users’ activities.[42]

However, the issue with this model is that it is likely to infringe the right to privacy of users and businesses, as the Government, in order to control traffic, would be able to keep a check on the data moving through the servers back and forth. Thus, an effective mechanism should be laid down in such a manner that only harmful and suspicious connections get automatically segregated from the mainstream server and reviewed by programmed algorithms embedded in the VPN. Such ‘suspicious’ connections should be put on hold from utilising the VPN until the programmed algorithm reviews them. If the programmed algorithms identify them as ‘suspicious’, then they should be blocked immediately from accessing the VPN in future. This way, the Government can ensure the right to privacy to individuals, provide citizens access to VPN, and, with automated and programmed algorithms/tools embedded in the VPN, lighten its cybersecurity burden.

Conclusion

If one needs to draw an inference from the above contentions, then it is evident that using VPNs can cause more benefits than harm. Their vital features of giving anonymity to users and security to individuals cannot be denied and ignored. Also, banning them strictly and then opting for the China model would be an intrusion into an individual’s privacy and can result in a major loss for the private sector in India. Furthermore, it has to be noted that though, in this Digital Era, the number of cybercrimes being committed is rapidly increasing and needs to be controlled, the policymakers should try to find alternative methods before bringing into action a harsher decision to ban VPNs all over the country. Therefore, the decision to ban should be reconsidered by the committee, or, even if it is adamant about banning VPNs for the benefit of the nation, it should at least ponder upon other mechanisms to cushion the negative effects that its decision might pose.


[1] EU General Data Protection Regulation (GDPR): Regulation (EU) 679/2016

[2] Siddharth Sonkar, ‘Privacy Delayed Is Privacy Denied’ (The Wire, 24 May 2021) <https://thewire.in/tech/data-protection-law-india-right-to-privacy> accessed 12 September 2021.

[3] Saifulla Khan and Saeed Hasan Khan, ‘Pakistan: Data Privacy Comparative Guide’ (Mondaq, 25 January 2021) <https://www.mondaq.com/privacy/1005646/data-privacy-comparative-guide> accessed 12 September 2021.

[4] ‘What is a VPN and why is it important?’ (Betternet, 2019) <https://support.betternet.co/hc/en-us/articles/218140103-What-is-a-VPN-and-why-is-it-important-> accessed 12 September 2021.

[5] ‘Parliamentary Committee to government: Ban VPN services in India’ (The Times of India, 01 September 2021) <https://timesofindia.indiatimes.com/gadgets-news/parliamentary-committee-wants-vpn-services-to-be-banned-in-india-report/articleshow/85807939.cms> accessed 12 September 2021.

[6] ibid

[7] Yahong Zhang, ‘Industry 4.0: what it is and how it will change the world as we know it’ (Hapticmedia, 26 January 2020) <https://hapticmedia.com/blog/industry-4.0/> accessed 12 September 2021.

[8] Aritra Sarkhel and Neha Alawadhi, ‘How data brokers are selling all your personal info for less than a rupee to whoever wants it’ (The Economic Times, 28 February 2017) <https://economictimes.indiatimes.com/tech/internet/how-data-brokers-are-selling-all-your-personal-info-for-less-than-a-rupee-to-whoever-wants-it/articleshow/57382192.cms> accessed 12 September 2021.

[9] ‘Facebook and Google’s pervasive surveillance poses an unprecedented danger to human rights’ (Amnesty International, 21 November 2019) <https://www.amnesty.org/en/latest/press-release/2019/11/google-facebook-surveillance-privacy/> accessed 12 September 2021.

[10] ‘DOMINO’S INDIA DATA BREACH: NAME, LOCATION, MOBILE NUMBER, EMAIL OF 18 CRORE ORDERS UP FOR SALE ON DARK WEB’ (Firstpost, 25 May 2021) <https://www.firstpost.com/tech/news-analysis/dominos-india-data-breach-name-location-mobile-number-email-of-18-crore-orders-up-for-sale-on-dark-web-9650591.html> accessed 12 September 2021.

[11] Neha Alawadhi, ‘Parliamentary panel’s proposed VPN ban draws flak from users, industry’ (Business Standard, 02 September 2021) <https://www.business-standard.com/article/technology/parliamentary-panel-s-proposed-vpn-ban-draws-flak-from-users-industry-121090201192_1.html> accessed 16 September 2021.

[12] Ivana Vojinovic, ‘VPN Statistics for 2021 – Keeping Your Browsing Habits Private’ (DataProt, 21 March 2021) <https://dataprot.net/statistics/vpn-statistics/> accessed 12 September 2021.

[13] Aliza Vigderman and Gabe Turner, ‘2021 VPN Usage Statistics’ (Security.org, 18 August 2021) <https://www.security.org/vpn/statistics/> accessed 12 September 2021.

[14] Michael Gargiulo, ‘What Is A Business VPN, And How Can It Secure Your Company?’ (Forbes, 15 November 2018) <https://www.forbes.com/sites/forbestechcouncil/2018/11/15/what-is-a-business-vpn-and-how-can-it-secure-your-company/?sh=70b6ab9863a5> accessed 12 September 2021.

[15] Michael Horowitz, ‘How useful is antivirus software?’ (COMPUTERWORLD, 24 June 2012) <https://www.computerworld.com/article/2472120/how-useful-is-antivirus-software-.html> accessed 12 September 2021.

[16] ibid 14

[17] ‘3 Reasons Your Business Needs A VPN’ (OPENVPN) <https://openvpn.net/blog/3-reasons-your-business-needs-a-vpn/> accessed 12 September 2021.

[18] ‘FREEDOM ON THE NET 2020 – Indonesia’ (Freedom House, 2020) <https://freedomhouse.org/country/indonesia/freedom-net/2020> accessed 12 September 2021.

[19] ibid 11

[20] Aleksandar Kochovski, ‘The Top 25 VPN Statistics, Facts & Trends for 2021’ (Cloudwards, 24 May 2021) <https://www.cloudwards.net/vpn-statistics/> accessed 12 September 2021.

[21] Danny Palmer, ‘This VPN service used by ransomware gangs was just taken down by police’ (ZD Net, 30 June 2021) <https://www.zdnet.com/article/this-vpn-service-used-by-ransomware-gangs-was-just-taken-down-by-police/> accessed 12 September 2021.

[22] Press Release – ‘CYBERCRIMINALS’ FAVOURITE VPN TAKEN DOWN IN GLOBAL ACTION’ (EUROPOL, 22 December 2020) <https://www.europol.europa.eu/newsroom/news/cybercriminals%E2%80%99-favourite-vpn-taken-down-in-global-action> accessed 12 September 2021.

[23] Kuwar Singh, ‘What porn ban? A 400% rise in VPN downloads in India shows where there’s a will there’s a way’ (Quartz India, 02 December 2019) <https://qz.com/india/1759306/top-vpns-used-by-indians-to-watch-porn-despite-the-ban/> accessed 12 September 2021.

[24] ibid

[25] ‘Parliamentary Committee to government: Ban VPN services in India’ (The Times of India, 01 September 2021) <https://timesofindia.indiatimes.com/gadgets-news/parliamentary-committee-wants-vpn-services-to-be-banned-in-india-report/articleshow/85807939.cms> accessed 16 September 2021.

[26] ‘Parliamentary Committee reportedly wants to ban VPN services: Why it should worry India Inc’ (Financial Express, 02 September 2021) <https://www.financialexpress.com/industry/technology/parliamentary-committee-reportedly-wants-to-ban-vpn-services-why-it-should-worry-india-inc/2322516/> accessed 16 September 2021.

[27] Poulomi Ghosh, ‘Does home ministry want to ban VPN? Here is all you need to know’ (Hindustan Times, 02 September 2021) <https://www.hindustantimes.com/india-news/does-home-ministry-want-to-ban-vpn-here-is-all-you-need-to-know-101630555850035.html> accessed 16 September 2021.

[28] ibid 25

[29] ibid 27

[30] Andrada Coos, ‘5 Ways Big Companies Protect their Data’ (Endpoint Protector, 27 December 2018) <https://www.endpointprotector.com/blog/5-ways-big-companies-protect-their-data/> accessed 12 September 2021.

[31] ibid

[32] Department of Telecommunications, Ministry of Communications, New Guidelines for Other Service Providers (OSPs) (No. 18- 8/2020-CS-I, 2020)

[33] ibid Chapter 4

[34] Indian Penal Code 1860, ss 292, 293, 294.

[35] Information Technology Act 2000, ss 67, 67A, 67B.

[36] Constitution of India 1950, art 21.

[37] Apoorva Mandhani, ‘Watching, publishing, sharing pornography: What is a crime in India and what isn’t’ (The Print, 21 July 2021) <https://theprint.in/theprint-essential/watching-publishing-sharing-pornography-what-is-a-crime-in-india-and-what-isnt/700179/> accessed 17 September 2021.

[38] ‘It’s legal to watch porn in the privacy of your house, says SC’ (Hindustan Times, 09 July 2015) <https://www.hindustantimes.com/india/it-s-legal-to-watch-porn-in-the-privacy-of-your-house-says-sc/story-WSre0BXJDfHbErouNgmdtK_amp.html> accessed 17 September 2021.

[39] ‘No ban on porn if Indians use VPNs : Govt’ (India Today, 04 August 2015) <https://www.indiatoday.in/technology/news/story/no-ban-on-porn-if-indians-use-vpns-govt-286382-2015-08-04> accessed 17 September 2021.

[40] ‘Don’t ban VPNs: The pros definitely outweigh the cons’ (The Financial Express, 10 September 2021) <https://www.financialexpress.com/opinion/dont-ban-vpns-the-pros-definitely-outweigh-the-cons/2327410/> accessed 17 September 2021.

[41] ibid

[42] ‘Is it legal to use a VPN in China in 2021?’ (Switch VPN Team, 16 June 2021) <https://switchvpn.net/blog/is-it-legal-to-use-a-vpn-in> accessed 17 September 2021.

Views expressed are personal.
