VPNs, give Internet privacy public value

New rules requiring virtual private networks (VPN) to maintain logs of user activity and hand them over to law enforcement agencies have become contentious. The country’s top cyber policing body, Indian Computer Emergency Response Team (CERT-In), is in its rights to seek investigative powers over VPNs, the conduit for a big chunk of security attacks. This poses an existential risk to VPNs that an increasing number of Indians are using to protect their privacy online. Then there is the issue of whether VPN service providers have the technical wherewithal to log user activity, given their services are predicated on assuring anonymity. Finally, foreign players may not be allowed by their local laws to disclose information being sought.

A ban on VPNs, as contemplated by Indian lawmakers, would be a blunt tool with security concerns scuttling legitimate online commerce. There are ways to get around firewalls, like the one China has built. Smart policing would have to turn its attention to the entry and exit points of these private networks, which involves multilateral coordination in law enforcement. Much like landing areas in the real world needing surveillance more than sea lanes. Coordinated action by police forces in the West is being used to take down VPN services that are used for cybercrime. That remains a continuous law enforcement endeavor.

Setting special disclosure requirements in excess of court orders in the course of criminal investigation could push VPNs beyond Indian jurisdiction, negating the original intention of the rules that are to come into force. VPNs update the right to be forgotten, a movement gaining currency in most liberal democracies. That involves not keeping logs in the internet’s private spaces.