Another VPN quits India, as government proposes social media censorship powers
New Delhi now fighting criticism of eroding free speech and privacy with two proposed regulations
India's tech-related policies continue to create controversy, with fresh objections raised to a pair of proposed regulation packages.
One of those regulations is the infosec reporting and logging requirements introduced by India's Computer Emergency Response Team (CERT-In) in late April. That package requires VPN, cloud, and numerous other IT services providers to collect customers' personal information and log their activity, then surrender that info to Indian authorities on demand. One VPN provider, ExpressVPN, last week quit India on grounds that its local servers are designed not to record any logs so compliance would be impossible. ExpressVPN will soon route customers' traffic outside India.
On Tuesday, another VPN – Surfshark – announced it would do likewise.
The company announced its decision in a post that labelled CERT-In's rules "radical action that highly impacts the privacy of millions of people living in India."
India's government decide what millions of Indians can or cannot say online.
CERT-In's rules have also been criticized by The Internet Society, the nonprofit that advocates for an open internet.
In an Impact Brief [PDF] that assesses the impact of CERT-In's rules, the Society rates the requirement to sync with India-controlled network time protocol servers as creating a dangerous single point of failure. The Brief also takes issue with the rules' requirement to collect user data, as India lacks data privacy and data protection laws. The Society also suggests that CERT-In is not the appropriate body to collect data, as it is not a law enforcement agency.
Those criticisms come on top of similar suggestions from BSA The Software Alliance and ten other tech-related lobby groups, all of whom suggest the rules make India a less attractive destination for foreign investment.
Glutton for punishment?
India's government has so far shrugged off that criticism, but has earned itself more of the same at home by revising the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules that it introduced in 2021. Those rules saw social media companies push back on grounds that the regulations required them to identify users and could restrict free speech.
On Monday India's Ministry of Electronics and Information Technology (MeitY) published proposed amendments [PDF] to the Rules that, among other things, propose the creation of a government-run committee that would consider citizens' grievances about content posted to social media. That committee would have the power to override social networks' content moderation decisions.
- India probes ZTE and Vivo over finances, sparking Chinese protests
- Indian authorities issue conflicting advice about biometric ID card security
- Indian stock markets given ten day deadline to file infosec report, secure board signoff
That's scary, given that Indian police last year visited Twitter's local office to inquire why the microblogging service chose to label posts by a government spokesperson as "manipulated media."
India's Internet Freedom Foundation characterised the proposed committee's powers as follows:
MeitY will essentially be able to appoint itself to sit on top of social media platforms, & decide what millions of Indians can or cannot say on their Facebook or Twitter profiles. This is being done with no transparency or accountability measures built into the Rules.— Internet Freedom Foundation (IFF) (@internetfreedom) June 7, 2022
Complicating perceptions of the proposed amendments is that MeitY published them last week, but then took down the file. An identical proposal re-appeared on Monday.
India's IT minister Rajeev Chandrasekhar has said the amended Rules add "more effective grievance addressal ensuring constitutional rights of citizens are respected" and will have "no impact on Indian Startups."
Many nations have laws that give local authorities the power to compel social media to remove content under specific circumstances.
India's proposed amendments allow citizens to seek takedown orders whenever they feel aggrieved.
The Register will be surprised if the proposed amendments don't generate another wave of letters from international lobby groups protesting India's plans. ®
- Aatmanirbhar Bharat
- Advanced persistent threat
- Bharti Airtel
- Black Hat
- Bug Bounty
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Privacy Sandbox
- Remote Access Trojan
- RSA Conference
- Social Network
- Trusted Platform Module
- Zero trust