50% OFF

End-of-year offer

View deals

Indian government can spy on Indian internet users in real time

Posted on November 11th, 2022 by in Articles & News.

 

Internet privacy in India is under threat as the government has the ability to watch the online activity of nearly anyone using an Indian internet service provider. This is the result of a years-long effort by the Indian government to ramp up online surveillance, particularly since the 2008 Mumbai terrorist attacks.

But in recent months, authoritarian orders targeting VPNs and a new disclosure from telecommunications officials suggest the attack on privacy is entering a new phase. 

On Nov. 10, the tech site Entrackr revealed that the Department of Telecommunications has had virtually unrestricted access to web traffic directly from the source: India’s internet service providers (ISPs).

Through a public records request, Entrackr learned that the government can access internet users’ activities remotely and in real time, without the user or even the ISP knowing about the surveillance.

This means that Indian internet users can never be sure that their conversations and web browsing are not being monitored by law enforcement agents.

This report comes shortly after the Indian government enacted laws requiring VPN services to keep logs on their users’ activity. These developments raise serious questions for Indians who care about their privacy and the importance of privacy in a democracy. The extent of the government’s surveillance is not known publicly, but the government has made no secret that it wants privileged access to everything Indians do online.

This article explains what the latest revelations mean for Indian internet users and how you can protect your privacy in the face of these intrusions.

The Central Monitoring System

The cornerstone of India’s surveillance infrastructure is its Central Monitoring System. Conceived prior to 2007 and fast-tracked after the 26/11 terror attacks, the system is designed to intercept telephone calls and internet data, but much of the program is shrouded in secrecy.

The director of the Software Freedom and Law Center in India said in 2013 that “No one knows what they have proposed or whether it has parliamentary mandate. … It’s like a black hole.” 

An anonymous source working on the program told The Times of India that the Secretary of Department of Electronics and Information Technology authorizes all targeted surveillance orders which would then be passed to the telecoms provider. Such spying is permitted under a law based on India’s 1885 rules for intercepting telegraph messages.

The writers of this law could not have imagined how it would be stretched and abused by The Central Monitoring System. “Essentially, every form of electronic communication will be under the government’s microscope. Even partially written emails saved in draft folders will be vulnerable to government intrusion,” according to a 2015 paper by a Washington University law professor.

The extent of the government’s technical capacity to access this data would depend on the cooperation of internet companies. But the news reported by Entrackr suggests that in the case of internet service providers, no such barrier exists. The ability to conduct real-time remote surveillance raises the possibility that law enforcement agents and spies can monitor any user at will.

Closing the VPN loophole

Savvy readers may recognize the simple solution to ISP-level surveillance: Just connect to a VPN.

A virtual private network uses end-to-end encryption to conceal your web traffic as it travels between your computer and the websites you visit. The internet service provider can’t see much of anything about your activities when you connect through a VPN.

VPNs, therefore, are a major loophole in the Indian government’s surveillance regime. That may be why this year they launched an effort to close that loophole.

Most VPN providers explicitly design mechanisms to capture as little data as possible about their users. Proton VPN, for example, does not keep any logs of your activity, and any government requests for user data must withstand the scrutiny of Swiss courts. 

But in 2022, the Indian government issued an order to VPN companies that have servers in India requiring them to maintain extensive logs about their customers. They expect VPNs to maintain logs of users’ names, IP addresses, and even the reason people are using a VPN. 

In response, we at Proton VPN replaced our servers in India with servers in Singapore that use Smart Routing. This feature allows our VPN servers to provide you with an Indian IP address even though they’re located in Singapore, where they’re safe from India’s VPN logging requirements. 

Learn more about Smart Routing

How to stay private in India

Between its 19th-century surveillance laws and a powerful Central Monitoring System, India is a country increasingly hostile to online privacy.

We still do not know if the Central Monitoring System is being used to conduct mass surveillance, but there is so much secrecy about the program that the possibility cannot be ruled out. 

This isn’t the first time critics have raised the alarm about mass surveillance in India. In 2021, the Indian government tried to force WhatsApp and other online messaging services to remove their encryption and keep a record of all messages in a “traceable” database, leading WhatsApp to sue

Technically, the government is only supposed to use surveillance to protect the “sovereignty or integrity of India, defense of India, security of the state, friendly relations with foreign states or public order.” But these conditions are broad, ill-defined, and applied without public scrutiny. Human rights experts say overreach is all too easy.

The good thing is there are simple ways to protect your privacy that are almost impossible for the government to counteract.

The best way to keep your data private in India is to encrypt as much of it as possible and to use internet services based in privacy-friendly countries.

  • Use a no-logs VPN service that does not have physical servers in India. In the wake of the September 2022 user logging order, Proton VPN no longer has any physical presence in India, instead using Smart Routing servers in Singapore. 
  • Use end-to-end encrypted email. If you are using an end-to-end encrypted email provider, the government will not be able to obtain the contents of your communications. It’s important to be sure both ends of the conversation are using the same platform. (For example, if you are using Proton Mail but the person you email is not, then your message may be accessible via your recipient’s email provider.) Again, you should also choose service providers that do not have a physical presence in India.
  • Use end-to-end encrypted chat apps. For secure messaging, we recommend using Signal, which is not based in India and encrypts both ends of every conversation by default, including all metadata.

Proton was founded by scientists who met at CERN and had the idea that an internet where privacy is the default is essential to preserving freedom. Our team of developers, engineers, and designers from all over the world is working to provide you with secure ways to be in control of your online data.

Secure
your internet

Get Proton VPN
Get Proton VPN

For customer support inquiries, please submit the following form for the fastest response:
Support Form

For all other inquiries:
contact@protonvpn.com


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: OpenPGP.js v4.10.10
Comment: https://openpgpjs.org

xsBNBFiYeeIBCACpwuYcTsACyjQaqY3tOUonokamGZf3VDuLvcA9nQnu4vlB
n1RFFUJa5Pmf2yZ9EjJFSldTl5lreE3tFf53CcZ9wKa1R6aMnN/0VqURJho0
ZTqevQlCvuJ9kKHkDck3Em0/1WWnhDJgabp+fOa5HAHoAvcNy5gVPuexTT/N
wp6QcfB7w+qFhf73s0bcSn5RC+FAYlQxZVFhFtA7/7LthBVatDJrYLYP9XJd
zOZqz9AX0XZwKal25RcVeGHkNKgloo0bTgro4D88MR7saqXFHTRhy3+Wss7c
uqrh0uIkVmqtadoK/rAbqOyFXQ2DlvSMVrEMLUvwlZbC0taqcKDfNA+FABEB
AAHNLWNvbnRhY3RAcHJvdG9udnBuLmNvbSA8Y29udGFjdEBwcm90b252cG4u
Y29tPsLAfwQQAQgAKQUCWJh54wYLCQcIAwIJEN4dfnhhw11TBBUIAgoDFgIB
AhkBAhsDAh4BAAoJEN4dfnhhw11T6PwIAKgIHTUaEcCFQ5WfmwGpdhRgFe7H
gnHR8UOFPrRKnbCOQgTVPGwCFt8UVFhEgbmtroThU89DpxFSYUOD6nZ2k1X3
X4Q9OsItFUUuhPtLJrkz5ghtZLmsAH/edTRbVU1Ew1E8KbylLFI1J5yId7zR
GdnaTXv/E7P3po5X/b08TFAhXSyYYUbMeQuthbJajtpFygr53lm47cOWa4N8
udqLhmpheaQj04DuqYXOGC08JQn+XbHzhFl5Yvlt9Idk8+7c2UJ0qgWKQ5ZV
mquRAw5HDCQM5OqF1MoImDxOH+tK3PUlvFDsLZ1WPEOHK/EN12sPBx0x1R04
fcPTPdbMwgISGM3OwE0EWJh54gEIALqhrLUpvarPc0nkuHpyJC/MsrIDPLuV
qMc49tgjgDBsyIKJFEP9qCnkSOEixaFi+nTljUSpkHGR+PvEGecmcOdW6djN
QGxon/nwBT9d8HbtxJesaEIzwRAxmqQW9MqNq4UsfNQ0VvUYqV9wEbYfdDT/
jZfz9N0hjFELF1sg3UPcCRijhf162bp+rLQdO9vWVUbOdMQvsM/kyUJ6JMXR
xUtyKC05ddxii2SMr4XUW45ostPbxJybOF5oSZpEb1EIlrTLLPAe/498XlBW
hpRAPe+9ZfNs7drMvUEFnnOXahrXAuaaZpyaS/XBaloqSb1+v2AkUep3dbSF
PaRtbXRMS+kAEQEAAcLAaAQYAQgAEwUCWJh54wkQ3h1+eGHDXVMCGwwACgkQ
3h1+eGHDXVMZ4Qf4hu5N8/uYNDqJMFRIWSCpPGxmyIVXGARG4hgR8gwPZY9K
fReAUndX3uODBNIgZU7I3YntawU1DlP6GpP6yyR/8lfUMNCAXPDmd+zTFYIJ
UDHD8sw2GRrFVzFOKUpAapWFOI4XjSMP2UiK4HgrpUjAhe1wSaa7nEjtAuYT
zFx1QSuQD1iYcOF/FAm7EuhBIfWITjYAobGM6gonPbp3IPHM52rUbulllcdV
vCLs+blcyiVCGZlNcmlg3eibAJJL19TQLqT2DbQvQ/SyVBJGjoT+y4TTRtmZ
cebEjt2KJcc4x2lzPq3z2KJNyJTOTMB+aYD9Ma9IObDds+M/+5XDWi7f
=ueTT
-----END PGP PUBLIC KEY BLOCK-----

You can also Tweet to us:
@ProtonVPN