Indian government can spy on Indian internet users in real time

Internet privacy in India is under threat as the government has the ability to watch the online activity of nearly anyone using an Indian internet service provider. This is the result of a years-long effort by the Indian government to ramp up online surveillance, particularly since the 2008 Mumbai terrorist attacks.

But in recent months, authoritarian orders targeting VPNs and a new disclosure from telecommunications officials suggest the attack on privacy is entering a new phase. 

On Nov. 10, the tech site Entrackr revealed that the Department of Telecommunications has had virtually unrestricted access to web traffic directly from the source: India’s internet service providers (ISPs).

Through a public records request, Entrackr learned that the government can access internet users’ activities remotely and in real time, without the user or even the ISP knowing about the surveillance.

This means that Indian internet users can never be sure that their conversations and web browsing are not being monitored by law enforcement agents.

This report comes shortly after the Indian government enacted laws requiring VPN services to keep logs on their users’ activity. These developments raise serious questions for Indians who care about their privacy and the importance of privacy in a democracy. The extent of the government’s surveillance is not known publicly, but the government has made no secret that it wants privileged access to everything Indians do online.

This article explains what the latest revelations mean for Indian internet users and how you can protect your privacy in the face of these intrusions.

The Central Monitoring System

The cornerstone of India’s surveillance infrastructure is its Central Monitoring System. Conceived prior to 2007 and fast-tracked after the 26/11 terror attacks, the system is designed to intercept telephone calls and internet data, but much of the program is shrouded in secrecy.

The director of the Software Freedom and Law Center in India said in 2013 that “No one knows what they have proposed or whether it has parliamentary mandate. … It’s like a black hole.” 

An anonymous source working on the program told The Times of India that the Secretary of the Department of Electronics and Information Technology authorizes all targeted surveillance orders, which would then be passed to the telecoms provider. Such spying is permitted under a law based on India’s 1885 rules for intercepting telegraph messages.

The writers of this law could not have imagined how it would be stretched and abused by the Central Monitoring System. “Essentially, every form of electronic communication will be under the government’s microscope. Even partially written emails saved in draft folders will be vulnerable to government intrusion,” according to a 2015 paper by a Washington University law professor.

The extent of the government’s technical capacity to access this data would depend on the cooperation of internet companies. But the news reported by Entrackr suggests that in the case of internet service providers, no such barrier exists. The ability to conduct real-time remote surveillance raises the possibility that law enforcement agents and spies can monitor any user at will.

Closing the VPN loophole

Savvy readers may recognize the simple solution to ISP-level surveillance: Just connect to a VPN.

A virtual private network uses end-to-end encryption to conceal your web traffic as it travels between your computer and the websites you visit. The internet service provider can’t see much of anything about your activities when you connect through a VPN.

VPNs, therefore, are a major loophole in the Indian government’s surveillance regime. That may be why this year they launched an effort to close that loophole.

Most VPN providers explicitly design mechanisms to capture as little data as possible about their users. Proton VPN, for example, does not keep any logs of your activity, and any government requests for user data must withstand the scrutiny of Swiss courts. 

But in 2022, the Indian government issued an order to VPN companies that have servers in India requiring them to maintain extensive logs about their customers. They expect VPNs to maintain logs of users’ names, IP addresses, and even the reason people are using a VPN. 

In response, we at Proton VPN replaced our servers in India with servers in Singapore that use Smart Routing. This feature allows our VPN servers to provide you with an Indian IP address even though they’re located in Singapore, where they’re safe from India’s VPN logging requirements.

How to stay private in India

Between its 19th-century surveillance laws and a powerful Central Monitoring System, India is a country increasingly hostile to online privacy.

We still do not know if the Central Monitoring System is being used to conduct mass surveillance, but there is so much secrecy about the program that the possibility cannot be ruled out. 

This isn’t the first time critics have raised the alarm about mass surveillance in India. In 2021, the Indian government tried to force WhatsApp and other online messaging services to remove their encryption and keep a record of all messages in a “traceable” database, leading WhatsApp to sue.

Technically, the government is only supposed to use surveillance to protect the “sovereignty or integrity of India, defense of India, security of the state, friendly relations with foreign states or public order.” But these conditions are broad, ill-defined, and applied without public scrutiny. Human rights experts say overreach is all too easy.

The good thing is there are simple ways to protect your privacy that are almost impossible for the government to counteract.

The best way to keep your data private in India is to encrypt as much of it as possible and to use internet services based in privacy-friendly countries.

  • Use a no-logs VPN service that does not have physical servers in India. In the wake of the September 2022 user logging order, Proton VPN no longer has any physical presence in India, instead using Smart Routing servers in Singapore.
  • Use end-to-end encrypted email. If you are using an end-to-end encrypted email provider, the government will not be able to obtain the contents of your communications. It’s important to be sure both ends of the conversation are using the same platform. (For example, if you are using Proton Mail but the person you email is not, then your message may be accessible via your recipient’s email provider.) Again, you should also choose service providers that do not have a physical presence in India.
  • Use end-to-end encrypted chat apps. For secure messaging, we recommend using Signal, which is not based in India and encrypts both ends of every conversation by default, including all metadata.