Emerging Threats
mins read

Home Ministry Proposes Ban on VPN Services: Should You Be Worried?

Home Ministry Proposes Ban on VPN Services: Should You Be Worried?

September 15, 2021
Green Alert
Last Update posted on
February 3, 2024
Beyond Monitoring: Predictive Digital Risk Protection with CloudSEK

Protect your organization from external threats like data leaks, brand threats, dark web originated threats and more. Schedule a demo today!

Schedule a Demo
Table of Contents
Author(s)
No items found.

At the beginning of this month, the Indian Home Ministry made a startling proposal to ban VPN services such as NordVPN, ExpressVPN, etc., which sent shock waves across the digital community. 

 

What is a VPN?

A virtual private network (VPN) extends a private network across a public network, allowing users to send and receive data as if their computers were physically linked to the private network. It is simply an encrypted connection between a device and a network over the Internet. 

VPN is used widely across the globe by people both within and outside the information security community. Primarily, VPN allows users to stream blocked content, secure remote work, surf the web anonymously and maintain data privacy. According to the data gathered by Atlas VPN, India ranks fourth on VPN adoption rate.

VPN downloads by country, the country's population, and the VPN adoption rate in 2020 and H1 2021
VPN downloads by country, the country’s population, and the VPN adoption rate in 2020 and H1 2021

 

In its latest proposal released by the Parliamentary Standing Committee on Home Affairs, the ministry urges the government to permanently ban VPNs in India owing to their extensive application in various cybercriminal activities, circumventing security protocols while avoiding detection. This article delves into the possibility of blocking VPNs permanently and the potential consequences of the same. 

 

Is It Actually Possible to Block Complete Access to VPNs?

Yes, it is possible to restrict VPNs, but the more relevant question is whether or not it would be 100% effective. For instance, when the Indian government banned TikTok and PUBG, it wasn’t enough to prohibit public individuals from using these applications. Through alternate routes they were able to easily bypass the ban on these Chinese applications. If amateurs are capable of evading state-imposed bans such as these, cyber crooks who are armed with sophisticated tools and technology.

Popular techniques such as Deep Packet Inspection helps to resolve this issue. Deep Packet Inspection or DPI is a type of data processing technique by which the data being sent over a computer network is inspected in detail. This system detects, alerts, blocks, re-routes, or logs malicious traffic. In addition to DPI, IP address or port blocking techniques can also be leveraged to efficiently block VPN usage. 

China uses QoS (Quality of Service) filtering along with DPI, to slow down network traffic for unwanted connections that eventually lead to a timeout error and/ or dropping of the connection. Previously, Reliance JIO has used a packet filtering technique based on Server Name Indication (SNI) inspection to block access to certain websites.

 

Steps That Will Ensue 

If the VPN ban were to take effect in India, the government would release a mandate for Internet Service Providers (ISPs) to block commonly used VPN protocols along with the various ports used by these VPN services. However, less technical ISPs will still have a difficulty while implementing an effective blanket ban over VPN services.

 

Impact on Information Security

The pandemic has forced more businesses to opt for remote work than ever before. And this caused VPN adoption rates to skyrocket across the globe, to combat security concerns that come with the territory. However, this begs the question: Will a VPN block jeopardize the security of large corporations and businesses? 

From the information we have gathered, it is safe to assume that these restrictions do not apply to VPN tunnels used by huge firms or businesses, but rather to VPN companies that help commoners circumvent the current internet restrictions enacted in India to combat cybercrime. We also think the government would allow companies that comply with Indian data protection laws and regulations, to use VPN as and when necessary.

 

Is a VPN Ban the “Only Option”?

Regulating VPNs without blocking their services is a laborious task. As mentioned earlier, the primary targets of the Indian government would be VPN service providers. Thus, forcing an offshore company to comply with the local data laws and share user information could strain relations with large MNCs and investors from other countries.

Imposing this ban isn’t an effective way to prevent individuals from using VPN. Those who intend to use it can easily find a way around the ban. Instead of banning VPNs, India should focus on increasing its diplomatic relations around the world. This will facilitate easier data sharing and eventually lead to a much larger pool of information which can be made useful. The EuroPol Joint Cybercrime Action Taskforce’s recent arrests, which effectively took down a large cybercrime syndicate, demonstrates the effectiveness and coordination of such diplomatic connections.

 

Is a VPN Ban “Really Necessary”?

The primary concern of any government would be to protect its citizens and their individual rights. This leads to an important question: Would the state rather ban VPN altogether and curb cybercriminal activities targeting such services or prioritize privacy protection of its citizens? Both these conditions are mutually exclusive and cannot occur simultaneously.

It is our understanding that the Indian government would implement the ban with the primary objective of preventing cybercriminal activities. However, cyber crooks operating today are very skilled and use highly sophisticated techniques besides VPN services to avoid being traced back to their original identity or IP address. This is especially true of state-sponsored threat actors or experienced cybercriminals who employ a variety of approaches and operational security tactics to avoid being traced.

For instance, an experienced cybercriminal wouldn’t use their own personal computer to carry out an attack. Instead, they would use secure tunnels or Remote Desktop Protocol (RDP) to gain access to an already compromised computer located in a different country that has poor diplomatic relations with India, to carry out the attack. In that case, the investigating officers will still have trouble tracing back the original attackers or perpetrators to their sources.

Author

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
Blog Image
Emerging Threats
March 10, 2020

RBI guidelines for banks to combat escalating cyber attacks

RBI guidelines for banks to combat escalating cyber attacks

Blog Image
Emerging Threats
April 22, 2020

Top open source resources to stay vigilant against COVID-themed cyber attacks

Top open source resources to stay vigilant against COVID-themed cyber attacks

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
Emerging Threats

min read

Home Ministry Proposes Ban on VPN Services: Should You Be Worried?

Home Ministry Proposes Ban on VPN Services: Should You Be Worried?

Authors
Co-Authors
No items found.

At the beginning of this month, the Indian Home Ministry made a startling proposal to ban VPN services such as NordVPN, ExpressVPN, etc., which sent shock waves across the digital community. 

 

What is a VPN?

A virtual private network (VPN) extends a private network across a public network, allowing users to send and receive data as if their computers were physically linked to the private network. It is simply an encrypted connection between a device and a network over the Internet. 

VPN is used widely across the globe by people both within and outside the information security community. Primarily, VPN allows users to stream blocked content, secure remote work, surf the web anonymously and maintain data privacy. According to the data gathered by Atlas VPN, India ranks fourth on VPN adoption rate.

VPN downloads by country, the country's population, and the VPN adoption rate in 2020 and H1 2021
VPN downloads by country, the country’s population, and the VPN adoption rate in 2020 and H1 2021

 

In its latest proposal released by the Parliamentary Standing Committee on Home Affairs, the ministry urges the government to permanently ban VPNs in India owing to their extensive application in various cybercriminal activities, circumventing security protocols while avoiding detection. This article delves into the possibility of blocking VPNs permanently and the potential consequences of the same. 

 

Is It Actually Possible to Block Complete Access to VPNs?

Yes, it is possible to restrict VPNs, but the more relevant question is whether or not it would be 100% effective. For instance, when the Indian government banned TikTok and PUBG, it wasn’t enough to prohibit public individuals from using these applications. Through alternate routes they were able to easily bypass the ban on these Chinese applications. If amateurs are capable of evading state-imposed bans such as these, cyber crooks who are armed with sophisticated tools and technology.

Popular techniques such as Deep Packet Inspection helps to resolve this issue. Deep Packet Inspection or DPI is a type of data processing technique by which the data being sent over a computer network is inspected in detail. This system detects, alerts, blocks, re-routes, or logs malicious traffic. In addition to DPI, IP address or port blocking techniques can also be leveraged to efficiently block VPN usage. 

China uses QoS (Quality of Service) filtering along with DPI, to slow down network traffic for unwanted connections that eventually lead to a timeout error and/ or dropping of the connection. Previously, Reliance JIO has used a packet filtering technique based on Server Name Indication (SNI) inspection to block access to certain websites.

 

Steps That Will Ensue 

If the VPN ban were to take effect in India, the government would release a mandate for Internet Service Providers (ISPs) to block commonly used VPN protocols along with the various ports used by these VPN services. However, less technical ISPs will still have a difficulty while implementing an effective blanket ban over VPN services.

 

Impact on Information Security

The pandemic has forced more businesses to opt for remote work than ever before. And this caused VPN adoption rates to skyrocket across the globe, to combat security concerns that come with the territory. However, this begs the question: Will a VPN block jeopardize the security of large corporations and businesses? 

From the information we have gathered, it is safe to assume that these restrictions do not apply to VPN tunnels used by huge firms or businesses, but rather to VPN companies that help commoners circumvent the current internet restrictions enacted in India to combat cybercrime. We also think the government would allow companies that comply with Indian data protection laws and regulations, to use VPN as and when necessary.

 

Is a VPN Ban the “Only Option”?

Regulating VPNs without blocking their services is a laborious task. As mentioned earlier, the primary targets of the Indian government would be VPN service providers. Thus, forcing an offshore company to comply with the local data laws and share user information could strain relations with large MNCs and investors from other countries.

Imposing this ban isn’t an effective way to prevent individuals from using VPN. Those who intend to use it can easily find a way around the ban. Instead of banning VPNs, India should focus on increasing its diplomatic relations around the world. This will facilitate easier data sharing and eventually lead to a much larger pool of information which can be made useful. The EuroPol Joint Cybercrime Action Taskforce’s recent arrests, which effectively took down a large cybercrime syndicate, demonstrates the effectiveness and coordination of such diplomatic connections.

 

Is a VPN Ban “Really Necessary”?

The primary concern of any government would be to protect its citizens and their individual rights. This leads to an important question: Would the state rather ban VPN altogether and curb cybercriminal activities targeting such services or prioritize privacy protection of its citizens? Both these conditions are mutually exclusive and cannot occur simultaneously.

It is our understanding that the Indian government would implement the ban with the primary objective of preventing cybercriminal activities. However, cyber crooks operating today are very skilled and use highly sophisticated techniques besides VPN services to avoid being traced back to their original identity or IP address. This is especially true of state-sponsored threat actors or experienced cybercriminals who employ a variety of approaches and operational security tactics to avoid being traced.

For instance, an experienced cybercriminal wouldn’t use their own personal computer to carry out an attack. Instead, they would use secure tunnels or Remote Desktop Protocol (RDP) to gain access to an already compromised computer located in a different country that has poor diplomatic relations with India, to carry out the attack. In that case, the investigating officers will still have trouble tracing back the original attackers or perpetrators to their sources.