At the beginning of this month, the Indian Home Ministry made a startling proposal to ban VPN services such as NordVPN, ExpressVPN, etc., which sent shock waves across the digital community.
What is a VPN?
A virtual private network (VPN) extends a private network across a public network, allowing users to send and receive data as if their computers were physically linked to the private network. It is simply an encrypted connection between a device and a network over the Internet.
VPNs are used widely across the globe by people both within and outside the information security community. Primarily, a VPN allows users to stream blocked content, secure remote work, surf the web anonymously and maintain data privacy. According to the data gathered by Atlas VPN, India ranks fourth in VPN adoption rate.
In its latest proposal released by the Parliamentary Standing Committee on Home Affairs, the ministry urges the government to permanently ban VPNs in India owing to their extensive application in various cybercriminal activities, circumventing security protocols while avoiding detection. This article delves into the possibility of blocking VPNs permanently and the potential consequences of the same.
Is It Actually Possible to Block Complete Access to VPNs?
Yes, it is possible to restrict VPNs, but the more relevant question is whether or not it would be 100% effective. For instance, when the Indian government banned TikTok and PUBG, the ban wasn’t enough to stop members of the public from using these applications. Through alternate routes, they were able to easily bypass the ban on these Chinese applications. If amateurs are capable of evading state-imposed bans such as these, so are cyber crooks who are armed with sophisticated tools and technology.
Popular techniques such as Deep Packet Inspection help to resolve this issue. Deep Packet Inspection, or DPI, is a data processing technique in which the data being sent over a computer network is inspected in detail. A DPI system detects, alerts on, blocks, re-routes, or logs malicious traffic. In addition to DPI, IP address or port blocking techniques can also be leveraged to efficiently block VPN usage.
China uses QoS (Quality of Service) filtering along with DPI to slow down network traffic for unwanted connections, which eventually leads to a timeout error and/or dropping of the connection. Previously, Reliance Jio has used a packet filtering technique based on Server Name Indication (SNI) inspection to block access to certain websites.
Steps That Will Ensue
If the VPN ban were to take effect in India, the government would release a mandate for Internet Service Providers (ISPs) to block commonly used VPN protocols along with the various ports used by these VPN services. However, less technical ISPs will still have difficulty implementing an effective blanket ban on VPN services.
Impact on Information Security
The pandemic has forced more businesses to opt for remote work than ever before. And this caused VPN adoption rates to skyrocket across the globe, to combat security concerns that come with the territory. However, this begs the question: Will a VPN block jeopardize the security of large corporations and businesses?
From the information we have gathered, it is safe to assume that these restrictions do not apply to VPN tunnels used by huge firms or businesses, but rather to VPN companies that help commoners circumvent the current internet restrictions enacted in India to combat cybercrime. We also think the government would allow companies that comply with Indian data protection laws and regulations to use VPNs as and when necessary.
Is a VPN Ban the “Only Option”?
Regulating VPNs without blocking their services is a laborious task. As mentioned earlier, the primary targets of the Indian government would be VPN service providers. Thus, forcing an offshore company to comply with the local data laws and share user information could strain relations with large MNCs and investors from other countries.
Imposing this ban isn’t an effective way to prevent individuals from using VPNs. Those who intend to use them can easily find a way around the ban. Instead of banning VPNs, India should focus on strengthening its diplomatic relations around the world. This will facilitate easier data sharing and eventually lead to a much larger pool of information which can be made useful. The Europol Joint Cybercrime Action Taskforce’s recent arrests, which effectively took down a large cybercrime syndicate, demonstrate the effectiveness and coordination of such diplomatic connections.
Is a VPN Ban “Really Necessary”?
The primary concern of any government would be to protect its citizens and their individual rights. This leads to an important question: Would the state rather ban VPN altogether and curb cybercriminal activities targeting such services or prioritize privacy protection of its citizens? Both these conditions are mutually exclusive and cannot occur simultaneously.
It is our understanding that the Indian government would implement the ban with the primary objective of preventing cybercriminal activities. However, cyber crooks operating today are very skilled and use highly sophisticated techniques besides VPN services to avoid being traced back to their original identity or IP address. This is especially true of state-sponsored threat actors or experienced cybercriminals who employ a variety of approaches and operational security tactics to avoid being traced.
For instance, an experienced cybercriminal wouldn’t use their own personal computer to carry out an attack. Instead, they would use secure tunnels or Remote Desktop Protocol (RDP) to gain access to an already compromised computer located in a different country that has poor diplomatic relations with India, to carry out the attack. In that case, the investigating officers will still have trouble tracing back the original attackers or perpetrators to their sources.
As the Associate Vice President of the Threat Intelligence Research team, Darshit directs the team's efforts to create and disseminate strategic and threat-focused cyber intelligence. Prior to joining CloudSEK, he was a Senior Cyber Threat Intelligence Researcher at Intel471.