New VPN & datacenter connection logging rules

CERT-IN i.e Computer Emergency Response Team, India issued new guidelines on 28th April. Guidelines essentially ask those VPN providers to keep a log of customer details, their IP addresses, emails, phone numbers etc and maintain that log for at least 5 years. The detailed notification is here.

This not only extends to VPN players but also to datacenters, VPS, cloud service providers etc. I can understand the problem they are trying to solve as most criminal activities are hidden behind VPN players and investigating agencies just hit a dead end as they see the WAN IP of a VPN player.

Discussion on Indian Govt. run Sansad TV

(Warning: Relatively poor technical discussion, nothing on specifics)

Even though intentions are correct, these rules are technically quite problematic and will not solve any problem at all.

Here’s why:

  • None of the VPN players have enough IP addresses to support all their users & hence they use NAT i.e Network Address Translation on IPv4. A large number of end-users are behind the same public IPv4 address similar to most ISP networks in India. Thus the clause on page 3 of that document “IPs allocated to / being used by the members” is technically a bit hard to implement. They would have to store translation logs & that’s quite a lot of data to store. That would TBs and TBs of daily data to be stored for 5 years for service which they sell at $3-$5/month.

  • VPN players do not physically meet their customers like ISPs do and hence any form of identity is simply shared with scanned documents which can easily be manipulated. There are enough number of Indian identities floating around and a sim card issuance like KYC is not feasible here.

  • Assuming all players either comply with these rules or leave India, next what? Will that solve the crime tracking problem? Well, simply not because anyone can connect to a VPN node outside of India where Indian laws and jurisdiction do not apply. Singapore for instance is just 75ms from Delhi NCR and 32ms from Chennai. That would become a de-facto choice for VPN users in India to hop on to.

So all these rules would result in - slightly more latency for Indian users, more encrypted international traffic flows especially between India & Singapore, possibly loss of tax (GST) to Govt. of India for people who were paying for VPN servers located in India and very likely a grey market for VPNs will develop. For cloud players, it probably won’t have much impact because the majority of them sell services with unique public IPv4 addresses (or a 1:1 NAT which is similar) and hence this just adds a layer of KYC. Beyond that, I doubt they technically have to do anything extra to be compliant. This difference is due to the NAT vs no-NAT environment of the business.

Why despite good intentions Govt of India often make these decisions which are counterproductive?

In my home state Haryana, once a quite efficient Chief Minister - Sh. Bansi Lal banned liquor. Drinking is a massive social issue in India and if seen in isolation i.e a world with drinking Vs a world without drinking, it’s easy to make a choice for decision-makers to just ban it. But that’s a decision in an isolated binary view of things.

This was back in 1998. That ban carried on for 21 months, caused a loss of 1300 crores of revenue, added 90,000 liquor-related cases in the court, 1300,000 bottles were seized, and 16 tragedies resulted in 60 people dying due to those. This old article covers it. Besides all that social & economic cost, this also cost them politically. And ultimately the decision was reversed. Despite this example state of Bihar went for a ban in 2015 (Wikipedia article about it).

These bad policies tend to come because many times decision-makers (politicians and bureaucrats) tend to see things in a binary of “Good” vs “Bad”. If you are not acting to make things “good”, you are on the “bad” side even though these actions result from bad to worst because they cannot be applied on the ground.

Unfortunately, the VPN logging issue is not a technical policy problem but a mindset problem. Back in Aug 2019 I very much supported the logic and reasoning behind the internet ban in Kashmir during changes in article 370. It was harsh but needed and actually worked. VPN logging compared to that is simply an inefficitive policy.