Internet privacy in India is under threat as the government has the ability to watch the online activity of nearly anyone using an Indian internet service provider. This is the result of a years-long effort by the Indian government to ramp up online surveillance, particularly since the 2008 Mumbai terrorist attacks.
But in recent months, authoritarian orders targeting VPNs and a new disclosure from telecommunications officials suggest the attack on privacy is entering a new phase.
On Nov. 10, the tech site Entrackr revealed that the Department of Telecommunications has had virtually unrestricted access to web traffic directly from the source: India’s internet service providers (ISPs).
Through a public records request, Entrackr learned that the government can access internet users’ activities remotely and in real time, without the user or even the ISP knowing about the surveillance.
This means that Indian internet users can never be sure that their conversations and web browsing are not being monitored by law enforcement agents.
This report comes shortly after the Indian government enacted laws requiring VPN services to keep logs on their users’ activity. These developments raise serious questions for Indians who care about their privacy and the importance of privacy in a democracy. The extent of the government’s surveillance is not known publicly, but the government has made no secret that it wants privileged access to everything Indians do online.
This article explains what the latest revelations mean for Indian internet users and how you can protect your privacy in the face of these intrusions.
The Central Monitoring System
The cornerstone of India’s surveillance infrastructure is its Central Monitoring System. Conceived prior to 2007 and fast-tracked after the 26/11 terror attacks, the system is designed to intercept telephone calls and internet data, but much of the program is shrouded in secrecy.
The director of the Software Freedom and Law Center in India said in 2013 that “No one knows what they have proposed or whether it has parliamentary mandate. … It’s like a black hole.”
An anonymous source working on the program told The Times of India that the Secretary of Department of Electronics and Information Technology authorizes all targeted surveillance orders which would then be passed to the telecoms provider. Such spying is permitted under a law based on India’s 1885 rules for intercepting telegraph messages.
The writers of this law could not have imagined how it would be stretched and abused by The Central Monitoring System. “Essentially, every form of electronic communication will be under the government’s microscope. Even partially written emails saved in draft folders will be vulnerable to government intrusion,” according to a 2015 paper by a Washington University law professor.
The extent of the government’s technical capacity to access this data would depend on the cooperation of internet companies. But the news reported by Entrackr suggests that in the case of internet service providers, no such barrier exists. The ability to conduct real-time remote surveillance raises the possibility that law enforcement agents and spies can monitor any user at will.
Closing the VPN loophole
Savvy readers may recognize the simple solution to ISP-level surveillance: Just connect to a VPN.
A virtual private network uses end-to-end encryption to conceal your web traffic as it travels between your computer and the websites you visit. The internet service provider can’t see much of anything about your activities when you connect through a VPN.
VPNs, therefore, are a major loophole in the Indian government’s surveillance regime. That may be why this year they launched an effort to close that loophole.
Most VPN providers explicitly design mechanisms to capture as little data as possible about their users. Proton VPN, for example, does not keep any logs of your activity, and any government requests for user data must withstand the scrutiny of Swiss courts.
But in 2022, the Indian government issued an order to VPN companies that have servers in India requiring them to maintain extensive logs about their customers. They expect VPNs to maintain logs of users’ names, IP addresses, and even the reason people are using a VPN.
In response, we at Proton VPN replaced our servers in India with servers in Singapore that use Smart Routing. This feature allows our VPN servers to provide you with an Indian IP address even though they’re located in Singapore, where they’re safe from India’s VPN logging requirements.
Learn more about Smart Routing
How to stay private in India
Between its 19th-century surveillance laws and a powerful Central Monitoring System, India is a country increasingly hostile to online privacy.
We still do not know if the Central Monitoring System is being used to conduct mass surveillance, but there is so much secrecy about the program that the possibility cannot be ruled out.
This isn’t the first time critics have raised the alarm about mass surveillance in India. In 2021, the Indian government tried to force WhatsApp and other online messaging services to remove their encryption and keep a record of all messages in a “traceable” database, leading WhatsApp to sue.
Technically, the government is only supposed to use surveillance to protect the “sovereignty or integrity of India, defense of India, security of the state, friendly relations with foreign states or public order.” But these conditions are broad, ill-defined, and applied without public scrutiny. Human rights experts say overreach is all too easy.
The good thing is there are simple ways to protect your privacy that are almost impossible for the government to counteract.
The best way to keep your data private in India is to encrypt as much of it as possible and to use internet services based in privacy-friendly countries.
- Use a no-logs VPN service that does not have physical servers in India. In the wake of the September 2022 user logging order, Proton VPN no longer has any physical presence in India, instead using Smart Routing servers in Singapore.
- Use end-to-end encrypted email. If you are using an end-to-end encrypted email provider, the government will not be able to obtain the contents of your communications. It’s important to be sure both ends of the conversation are using the same platform. (For example, if you are using Proton Mail but the person you email is not, then your message may be accessible via your recipient’s email provider.) Again, you should also choose service providers that do not have a physical presence in India.
- Use end-to-end encrypted chat apps. For secure messaging, we recommend using Signal, which is not based in India and encrypts both ends of every conversation by default, including all metadata.
