YOU Broadband, India’s fifth largest wireline Internet provider, has prohibited VPNs with powerful encryption in its fine print. A previous version of this was first pointed out by a user on reddit. This is what it said:
The Customer shall not take any steps including adopting any encryption system that prevents or in any way hinders the Company from maintaining a log of the Customer or maintaining or having access to copies of all packages/data originating from the Customer.
UPDATE (06/07): YOU Broadband has changed that condition after this story came out, to narrowly address VPNs and encryption:
The Customer may use VPN and encryption up to the bit length permitted by the Department of Telecommunications.
All ISPs in India have to follow DoT guidelines, including YOU Broadband. To avoid any misinterpretation, we have simplified our Clause 38. pic.twitter.com/qfzB5hAehg
— YOU Broadband Cares (@youbroadband) July 5, 2017
A large portion of content on the Internet is served encrypted these days, with many sites being served over secure HTTPS connections. This makes the content of those webpages completely unreadable to ISPs. Virtual Private Networks, or VPNs, on the other hand, route data through a different location, often through a completely encrypted tunnel, using up to 4096 bits of encryption, or more. 40 bits of encryption, which is the DOT’s limit, can be broken in a few hours.
YOU Broadband accounts for 0.63 million of India’s startlingly low 18.25 million wireline broadband connections.
Where have these terms come from?
YOU Broadband’s terms seem to exist because of guidelines issued in 2007 by the Department of Telecommunications, prohibiting users from using encryption of more than 40 bits. Interestingly, most standards for HTTPS websites seem to have much stronger encryption than that. VPNs may have encryption up to a hundred times stronger than DOT’s limit. Many countries in the Middle East have just outright banned VPNs, instead of setting ISP-level restrictions on encryption levels that are hardly enforceable. These rules seem to be more of an enabler of lawful interception than a concerted effort to keep levels of encryption on the Internet low, which is a ship that sailed long ago.
(A local ISP in Gujarat appears to have remarkably — and quite obviously coincidentally — similar terms.)
Encryption in the Parliament
The DOT’s rules may be making WhatsApp technically illegal too. In 2015, a Rajya Sabha MP asked the Minister of Communications & IT, Ravi Shankar Prasad, if encrypted communications services threatened national security. In his response, Prasad acknowledged that even though intercepting data in transit between a user and their Internet provider was simple, decrypting it was, in many cases, impossible.
[Internet providers] are not able to decrypt some of encrypted intercepted communication to readable format as there are multifarious aspects involved in Security/Law Enforcement Agencies getting such encrypted communication in readable format such as technical, international relationship, legal and regulatory policy, commercial and security requirements etc.
The Government fully respects the upholding of right to privacy of citizens and acknowledges the need for protection of private data against misuse. There is no intention by the Government to implement a policy breaching the right to privacy of citizens.
This is in spite of the fact that the 2007 guidelines place unworkable and insecure standards for encryption, and the government had previously insisted to the Supreme Court that citizens don’t have a right to privacy in the first place.
UPDATE (06/07): YOU Broadband changed their terms of service after this article came out, to say that VPNs and encryption were permissible, but only up to 40 bits. This article and its headline have been updated to reflect that change. Hat-tip to Caleb Chen for flagging the change.