Decoded: How VPN secures our virtual lives & why a ban is unlikely

Would banning VPN impact WFH? Yes, since it has enabled remote working for many sensitive industries

The Parliamentary Standing Committee on Home Affairs, which was examining the issue of atrocities against women and children, submitted a 90-page report to the Rajya Sabha on August 10 with several suggestions on how to deal with the problem. One of the suggestions was to permanently block Virtual Private Network (VPN) services in India. Now how did a technology, which was initially built for safe file transfer in offices, become such a perceived threat? Here is a look at what VPNs do and where the debate around them is headed.
 
What is a VPN?
 
The first VPN, or virtual private network, technology was developed in 1996 by Microsoft employees, am­ong whom was India-born Gurdeep Singh Pall. Pall also co-authored the first VPN protocol for the industry. VPNs were initially used by large companies to enable secure communication. Essentially, a VPN gives access to sensitive data to the person or entity it is intended for without the risk of it being seen or tampered with by other users on the network.

 

How does it work?
 
An individual, group of individuals or an organisation downloads a VPN software (most good ones have subscription plans), selects a server that will be based in another location (US, UK, Germany or whichever location the VPN provider supports), and starts browsing.
 
Sitting in India, if you connect to, say, a UK server, you can access, for example, Netflix UK’s content library that is said to be the biggest on the streaming service.
 
In a business context, a VPN is useful because it encrypts the data being sent by your device, hiding it from other users on the network, and decrypts it at the end of the intended user. Simply put, you and your colleague could be sitting in Mumbai and Madrid, but with a VPN it will seem like you are both accessing computers or the internet on a network in the same city.

 
One of the provisions of the liberalised OSP (Other Service Providers) guidelines last year, which enabled most technology services and business process management companies to work from home during the pandemic, was to allow the use of private VPNs. This gave clients, including those in areas such as finance, the comfort that their data was secure.
 
Why then are VPNs being perceived as a problem?
 
The use of VPNs did not re­main confined to business applications. As the internet and its applications grew, so did data theft and encryption, and VPNs became av­ailable to the general public through third-party VPN providers. Today, there are several third-party VPN pro­vider websites from which the VPN software can be downloaded. But as mentioned earlier, most reliable ones have subscription plans.

 
VPNs can be used to hide a user's browser history, Internet Protocol (IP) address and geographical location, as well as web activity and devices being used. So you could be sitting next to a person in New Delhi, but your location could appear to be, say, Dublin or New York to any app application that you’re using.
 
This capability is of immense use to people like whistleblowers, journalists, or others who are a vulnerable group. But more generally, VPN is used by businesses to ensure data is secure and inaccessible to unauthorised users.
 
An industry executive gives this analogy: a knife can be used to chop vegetables or murder someone. The same is the problem with VPNs.

 
In spite of their many legitimate and safe uses, VPNs are also used by bad actors, possibly terrorists or criminals, to hide their location and activity.
 
Hasn’t that always been the case? Why then is India talk­ing about it now?
 
Yes, it has been so in the past, too. The only reason VPNs have been in the news lately is the recommendation of the Parliamentary Standing Committee that these should be banned since they are used by criminals or miscreants to "bypass cyber security walls and allow criminals to remain anonymous online".
 
So, is India going to ban the use of VPNs?

 
It is important to understand that this is neither a law nor a proposed legislation as yet. It is a suggestion made by a panel that was looking into the actions taken by the government in response to a March report on atrocities against women and children.
 
The misuse of VPNs is a valid concern, but industry and the government use the technology extensively for secure communications. The Ministry of Electronics and Information Technology submitted to the Standing Committee that there are enough safeguards in the existing IT law to tackle misuse of VPNs.
 
Does that mean VPNs are the most secure online tool or technology?

 
No. Every technology has limitations. In addition to slowing down your internet speed, a common “side effect” most VPN users observe, VPNs cannot hide all your browsing history. You will still have to clear all your cookies in your web browser, for instance. Further, if you use a location-based service like Maps, it will have access to your actual location because of the Global Positioning System, or GPS.
 
What’s more, some applications have technology to recognise that a user has installed a VPN, and will not allow you access to their content or usage.
 
In a work-from-home or hybrid work scenario, would banning VPNs make our virtual lives less secure?

 
Yes. The use of VPNS has enabled work from home for many sensitive industries, applications and government.
 
So what happens next?
 
There has been a lot of pushback on the suggestion to ban VPNs. Further, it is usually authoritarian regimes that have been known to ban VPNs. Whenever a consultation on this issue takes place, the government is likely to take into account the benefits the technology has had for both private, government and individual use.