Indian ISPs Continue Futile Effort To Prevent Subscribers From Using Decent Encryption

from the good-luck-with-that dept

The global war against privacy tools, VPNs and encryption continues, utterly unhinged from common sense, and the assault on consumer privacy remains a notably global affair. Reddit users recently noticed that India's fifth largest ISP, YOU Broadband, is among several of the country's ISPs that have been trying to prevent customers from using meaningful encryption. According to the company's updated terms of service, as a customer of the ISP you're supposed to avoid using encryption to allow for easier monitoring of your online behavior:

"The Customer shall not take any steps including adopting any encryption system that prevents or in any way hinders the Company from maintaining a log of the Customer or maintaining or having access to copies of all packages/data originating from the Customer."

Of course, enforcement of such a requirement is largely impossible. But YOU Broadband isn't just being randomly obtuse, and while the ISP's TOS is making headlines, this effort isn't really new. Most Indian ISPs are simply adhering to a misguided (and still not adequately updated) set of 2007 guidelines imposed by India's Department of Telecommunications (word doc) demanding that ISPs try and prevent their subscribers from using any encryption with greater than a 40 bit key length if they want to do business in India:

"The Licensee shall ensure that Bulk Encryption is not deployed by ISPs connecting to Landing Station. Further, Individuals/Groups/Organizations are permitted to use encryption upto 40 bit key length in the symmetric key algorithms or its equivalent in other algorithms without having to obtain permission from the Licensor. However, if encryption equipments higher than this limit are to be deployed, individuals/groups/organizations shall do so with the prior written permission of the Licensor and deposit the decryption key, split into two parts, with the Licensor."

Which in and of itself is rather hysterical, given that since 1996 or so, most folks have considered a 40 bit key length to be the security equivalent of wet tissue paper. In fact, Ian Goldberg won $1,000 from RSA for breaking 40 bit encryption in just a few hours way back in 1997, saying this at the time:

"This is the final proof of what we’ve known for years: 40-bit encryption technology is obsolete."

And yeah, that was twenty years ago. But this sort of policy is pretty standard fare in India, which is no stranger to censorship, internet filtering, and blind, often-mindless expansion of surveillance. India's government has also been at the forefront of attempting to impose backdoors in encryption, and there's a recent effort in some corners to attempt to ban WhatsApp as well.

I've yet to see any ISP successfully enforce this ridiculous governmental restriction (if you're in India and you have, let us know in the comment section precisely how). But it's still part of an over-arching mindset that sees standard, intelligent privacy and security practices as an enemy that must be thwarted. Usually either to expand government surveillance, prop up idiot ham-fisted internet filters (as we're seeing in Russia, China and India), or to erode consumer rights in the face of what are endless attempts to monetize your online behavior.

Filed Under: encryption, india, privacy, vpns


Reader Comments

  1. Anonymous Coward, 17 Jul 2017 @ 9:52am

    Enforcement

    This may not be about direct enforcement, but rather their local counterpart of how many US companies write absurd Terms-of-Service that allow them free rein by ensuring that nobody is actually compliant, so arbitrary and capricious enforcement becomes standard.

  2. aerinai, 17 Jul 2017 @ 10:33am

    How does HTTPS Work?

    I thought https has 2048 RSA encryption as standard. Is visiting a 'secure' https website against TOS?

  3. Anonymous Coward, 17 Jul 2017 @ 10:34am

    Isn't WhatsApp pretty popular in India? And wouldn't its encryption make it kind of illegal? So how exactly do the ISPs deal with that? Or maybe I should ask how does WhatsApp deal with it in India and what does it do about this?

  4. Bergman, 17 Jul 2017 @ 11:58am

    Re: How does HTTPS Work?

    By the letter of the rules in India? Yes.

  5. Anonymous Coward, 17 Jul 2017 @ 3:16pm

    Businesses want the data for targeted advertising, to sell more junk for landfill, and continue fueling the perpetual growth that is destroying life on earth.

    Politicians support the businesses because they are paid by them to do so. They also want the data to build targeted political propaganda bots, and keep gaming the system by exploiting the ignorance and suggestibility of the correct subpopulations, so they can continue manufacturing "consent".

    Defense wants the data to spy on the politicians' enemies and try to manage blowback from the politicians' corrupt perpetual wars. Defense contractors just want the politicians' corrupt perpetual wars.

    Civil society wants none of these things and outnumbers them all by 1000000:1. Get a good VPN and never turn it off.
