Introduction

On March 15, 2021, the Parliamentary Standing Committee on Home Affairs, presented the 213th Report on “Atrocities and Crimes Against Women and Children” (“Report”) to the Rajya Sabha. The Report discusses and offers recommendations on underlying issues concerning crimes against women and children, human trafficking, cybercrimes, police sensitization etc.

The scope of this article is restricted to Chapter V of the Report that discusses cybercrimes against women and calls for the blocking of Virtual Private Networks (“VPN”) in order to prevent cybercrimes. In their response, the Ministry of Electronics and Information Technology (“MeitY”) clarified that they cannot take suo moto cognizance of initiating blocking action against any information, unless a request is made to them by the nodal officer appointed under the Information Technology (Procedure and Safeguards for Blocking for Access of Information for Public) Rules, 2009 (“Rules”). Further, blocking of information can only take place in instances like protecting the security of state, public order or sovereignty and integrity of India, as provided under S. 69A of the Information Technology Act, 2000 (“IT Act”).

Dissatisfied with this ‘incomplete’ response, on August 10, 2021, the Committee again responded and called for the Ministry of Home Affairs (“MHA”) to get information related to coordination mechanisms that have been put in place with international agencies for blocking VPNs and all other initiatives undertaken to strengthen surveillance mechanisms by the MeitY. Thus, restating its stance on the need for blocking VPNs permanently.

I will begin by briefly discussing how VPNs work and why they are crucial for ensuring information security and data privacy. Then I will move on to analyse key points laid down by the Committee in Chapter V and the issues surrounding the same. Further, I will also discuss global instances of banning VPNs, before offering concluding remarks.

VPNs: Background and Importance

VPNs enable you to create a “secure private network over a public network like the Internet”.^[1] You can create VPNs using software, hardware, or a combination of both to create a private link between two or more peers over a public network.^[2] A VPN software masks your internet protocol address and encrypts the data that is being transferred through a public network like the internet. This is important as telecom service providers cannot snoop in on the traffic data of the VPN users. Further, it tunnels your data to an exit node that is located in a different location, thereby giving the impression that a user is present in a different location than where the public internet is being used by them.

In a post pandemic world, the role of VPNs is crucial for securing information security in online communication, as many organisations have moved to a remote working paradigm. Further, since usage of public Wi-Fi poses a potential threat to your personal data, using VPNs secures your data especially for conducting online transactions. Taking this into consideration, on November 5, 2020, the Department of Telecommunications (“DOT”), announced its new relaxed guidelines for Other Service Providers (“OSPs”) (companies like tele-marketing, call centres, network operation centres etc.) to improve ease of doing business in India. Earlier OSPs had to fulfill robust requirements like providing a hefty bank guarantee, lengthy registration process, among other things. However, the DOT has now permitted the use of private VPNs^[3] and removed the bank guarantee and registration obligations, thereby confirming the government’s relaxed stance on the usage of VPNs. These obligations have been further relaxed in the wake of the ongoing pandemic and the new work from home structure. In an amendment dated June 23, 2021, the DOT has removed the distinction between domestic and international OSPs, thereby allowing a single OSP to be able to serve both domestic and international customers. This will not only reduce the cost of doing business, but will also allow interconnection between domestic and international OSPs without any restrictions. 

Beyond this, usage of VPNs is in tandem with the fundamental rights framework of the right to privacy as guaranteed by the Puttaswamy judgment,^[4] since VPNs allow citizens to securely transmit their information, while ensuring their identity is safe and anonymous. This is crucial to fight against the rampant and discriminatory attacks on the freedom of speech and expression that currently plague India.

Chapter V: Key Points and Critical Analysis

Chapter V of the Report poses two main challenges in dealing with cybercrimes, before proposing recommendations, namely: (i) legal; and (ii) technological challenges.

Legal Challenges

According to the Report, the main issue with cybercrimes is that of ‘jurisdictional complexity’ that prevents prosecution and makes the investigation difficult. This means that often cyber criminals are operating from one place, while their victims are in another. This transnational nature of cybercrimes necessitates inter-state (within India) and inter-governmental (global) coordination among different stakeholders. Further, there is also lack of parity in legislations since different governments have different legislations governing cyberspace globally. Hence, harmonization of legislations is a crucial step towards ensuring safety of women and children. Lastly, the Committee opined that currently the IT Act provides for a sufficient framework to deal with issues of cyber security, cyber-crime, and cyber terrorism.

Technological Challenges

Under this, the Committee stated the role of modern cybercrime tools like malware, trojans, botnets etc., that use features like obfuscation, anonymity etc., to make it difficult to trace the source of these crimes for investigators. Further, they asserted the role of VPNs and dark web in aiding criminals to maintain their anonymity, before stating the need of specialized investigative skills and tools to address the pandemic of cybercrimes.

Consequently, they recommended that India should take collective action by assessing and improving existing directives and technologies. Noting the cross-jurisdictional nature of cybercrime, the Committee recommended that MHA should advise states and local law enforcement bodies to provide all essential support to non-local investigating officers for the investigation of a cybercrime. They further recommended that the MHA should liaison with the Ministry of External Affairs and MeitY to sign bilateral and multilateral pacts with different countries in order to address transnational cybercrimes and build comprehensive coordination systems. Lastly, the Committee noted “with anxiety” that VPNs and dark web forgo the security walls and aid criminals in committing cybercrimes by providing them with anonymity. The easy accessibility to VPN software, contributes to the menace of cybercrime and hence, VPNs should be permanently blocked by the MHA. To further ensure this, a coordination mechanism should be created with international agencies for the purpose of putting checks and balances on the future use of VPNs and the dark web.

Critical Analysis

The aforementioned legal challenges as put forth by the Committee are not exclusive to the physical world. The Report defines cybercrime as a ‘digital analogy of the normal crime committed in the physical world’. So for example, banning all driving because there is a risk of accidents would seem absurd to any reasonable person. Instead it would be effective to create rules like driving tests, traffic signals, seat belts while driving etc., to prevent accidents. Similarly, banning VPNs to protect women and children is an unnecessary move that harms the liberty and privacy of all individuals that want to access VPNs due to several reasons. 

First, currently, blocking of content can be undertaken through different mechanisms like S. 69A of the IT Act for violation of interest of sovereignty and integrity in India, public order etc., that already exist. Further, content can be blocked pursuant to a court order as well. Second, through this recommendation, the Committee is essentially walking back on the DOT’s relaxed guidelines for OSPs as discussed above. This is because the Central government has already taken a pro-VPN stance by providing necessary relaxations for ease of doing business. This Report is antithetical to those crucial steps taken in the right direction.

Third, there are more effective ways to address the epidemic of cybercrimes and prevent atrocities against women and children like addressing legislative loopholes since the current cybersecurity framework of India is outdated, scattered, and ineffective. Unfortunately, the Report fails to discuss the same. It is pertinent to note that currently there are multiple agencies like the Indian Computer Emergency Response Team, National Cyber Corrdinationation Centre, etc., that act as nodal points for ensuring cybersecurity in India. Additionally, there are department specific agencies like the Defence Cyber Agency, MHA’s Cyber and Information Security Division, National Critical Information Infrastructure Protection Centre etc., as well. 

However, there is limited clarity regarding the scope of power and functions of these bodies. Hence, if the disease is cybercrimes, the antidote is fixing the scattered regulatory framework and creating a more clear, robust, and uniform cybersecurity framework. This framework can include specific legal mandates like the EU Directive on combating sexual exploitation of children online and child pornography (that mandates EU members to remove web pages containing child pornography), for prevention of atrocities against children and women.

Fourth, the Committee has itself observed in the Report that cyber technology is also being used to commit financial frauds like hacking of bank accounts, etc. VPNs are a crucial tool to assist individuals to secure their privacy on the internet, and not fall prey to financial scams on unsecure networks. Hence, the Committee’s recommendations are prejudicial to the safety and security of the citizens that it aims to protect.

Fifth, throughout the Report, the Committee fixates on a biased view of cyberspace, often using the vastly different “VPNs” and the “dark web” in the same breadth. The Report minimizes cyberspace to only something that is used for “recruiting young people for terrorist activities, undertaking criminal offences etc.” to strengthen the argument for banning VPNs. This biased narrative is reductionist and fails to consider the benefits of an open cyberspace which is critical today, with our virtual identities and physical lives being more intertwined than ever. This is because all facets of our physical lives today like conducting business, forming social bonds and communities, discussing political and social beliefs, happen within the cyberspace. Hence, the importance of an open cyberspace cannot be underestimated and overlooked, like it has been done in this Report.

Lastly, globally, there are several countries like China where there is no outright ban on usage of VPNs, but the government has blocked access to most VPN sites. Other examples include countries like North Korea, Egypt, Myanmar, Syria, among others, where usage of VPNs causes hostility with the government, leading to heavy fines, enhanced surveillance, banning of accounts, and other forms of harassment. However, countries like Iraq, Russia, Uganda, among others have outrightly banned VPNs. The commonality between all these countries: strict censorship laws and government actions to control all information that their citizens have access to, thereby infringing the digital rights and freedom of their citizens.

The Way Forward

Will India really ban VPNs? Unlikely. The response of the MeitY and the legal position laid down by them is evidence enough. However, this Report is a missed opportunity and a step in the wrong direction for India as the world’s largest democracy. The need of the hour is to create regulations that secure privacy and ensure the digital rights of its citizens. Further, the aforementioned examples of countries with restricted digital rights and strict censorship structures should act as a cautionary tale for the future of access to the internet in India. As discussed, this is not to downplay the atrocities faced by women and children within cyberspace, however, banning VPNs is an unnecessary step to address this problem; a better way forward is the creation of robust cybersecurity frameworks, without unevenly compromising on digital freedoms.

The views expressed above are solely of the author.

Sources:

^[1] “Virtual Private Networks”, Second edition, Charlie Scott, Paul Wolfe, and Mike Erwin (January 1999)
^[2] ibid           
^[3] OSP Guidelines 05.11.2020.pdf (pib.gov.in)
^[4] AIR 2017 SC4161