On the surface, the new Telecommunications Act, 2023, looks to create a legal and regulatory framework that focuses on safe and secure telecom networks.
However, the response to the Act has been mixed as many have pointed out that the legislation could be applied to entities other than Indian telcos, such as messaging and email platforms, cloud services, SaaS applications, etc.
Passed by Parliament during the tumultuous Winter Session, the Telecom Act was criticised for having "broad" and "vague" language that could potentially lead to OTT regulation, interception of encrypted messages, arbitrary internet shutdowns, mandatory verification of social media users, and more.
However, Union IT Minister Ashwini Vaishnaw later clarified to Economic Times that the likes of WhatsApp won't come under the regulatory ambit of the Act.
And yet, one of the features of the Telecom Act that hasn't received much inspection (but is perhaps equally alarming) is how the new legislation could affect Virtual Private Network (VPN) users and service providers – both in and outside India.
What Is a Telecom Identifier?
While the Act doesn't expressly include VPN providers under its regulatory purview, legal experts told The Quint that a plain reading of the legislation seems to render VPNs illegal.
For starters, the Telecom Act introduces a new term called 'telecommunication identifier' which is defined as "a series or combination of digits, characters, and symbols used to uniquely identify:
A user
A telecommunication service
A telecommunication network
Elements of a telecommunication network
Telecommunication equipment
An authorised entity"
Furthermore, sub-sections 8 and 9 under Section 3 empower the State to allot telecom identifiers to authorised entities, but also let authorised entities use telecom identifiers that are allotted by international bodies.
So, is telecom identifier = IP address? "We have to wait for delegated legislation to know for sure. It is very likely we will see different kinds of identifiers depending on the standard at play and the object to be identified," Suman Kar, CEO of cybersecurity consultancy firm BanBreach, told The Quint.
"IPv4 addresses (like 189.123.123.90) are unlikely to meet the uniqueness bar [of a telecom identifier]. IPv6 addresses (like FE80:CD00:0000:0CDE:1257:0000:211E:729C) may work for devices and subscribers both but at the cost of eroding end-user privacy," he said.
Brush Up: What Is an IP Address?
"Internet Protocol (IP) addresses are essential for network connectivity and the functioning of the Internet, as they uniquely identify each device on a network and act as its digital location. This identification is crucial for routers and other network devices to find and communicate with each device. Without an IP address, connecting to the Internet is not possible," Meghna Bal, a lawyer at tech policy think tank Esya Centre, said.
How are IP addresses allotted? "The Internet Corporation for Assigned Names and Numbers (ICANN) carries out the initial allocation of IP addresses. It assigns eight blocks of IP addresses to Regional Internet Registries (RIRs). These RIRs are then tasked with the responsibility of distributing these allocations to various organisations upon request," Bal explained.
According to Kar, telecom identifiers could also mean 5G identifiers such as:
Permanent Equipment Identifier (PEI): A 15-digit number used to identify the vendor or model of the user device accessing 5G networks.
International Mobile Subscriber Identifier (IMSI): A 15-digit number that’s assigned to the SIM card inserted in the phone.
Globally Unique Temporary Identifier (GUTI): A temporary ID assigned to a 5G device by the Access & Mobility Management Function (AMF).
Subscription Permanent Identifier (SUPI): A globally unique identifier assigned to each subscriber in the 5G system.
"The government may simply choose to co-opt one or more such existing standards and repurpose them," he said.
How Does the Telecom Act Affect VPN Users?
Whether or not IP addresses fall under the definition of telecom identifier is important because Section 42(3)(b) of the Act makes it an offence to use telecom identifiers that are not allotted or permitted by the State, and Section 42(3)(c) makes it an offence to tamper with telecom identifiers.
Such offenders could face a maximum jail term of three years or a maximum fine of Rs 50 lakh or both. Given that using a VPN would change your public IP address to an IP address of a VPN server that's located somewhere else in the world, would that count as tampering?
Another part of the Act relevant to VPN users is Section 29 which states that "no user shall furnish any false particulars, suppress any material information, or impersonate another person, while establishing his identity for availing of telecommunication services; or (b) fail to share information as required under this Act."
Section 42(2) of the Act also states that:
"Whoever directly or indirectly or through personation –
(a) gains or attempts to gain unauthorised access to a telecommunication network or to data of an authorised entity or transfers data of an authorised entity; or
(b) intercepts a message unlawfully,
shall be punishable with imprisonment for a term which may extend to three years, or with fine which may extend up to two crore rupees, or with both."
Here, "personation" is defined as under Section 416 of the Indian Penal Code which holds that "a person is said to “cheat by personation” if he cheats by pretending to be some other person, or by knowingly substituting one person for another, or representing that he or any other person is a person other than he or such other person really is."
For context, VPNs can be used to bypass location restrictions on content. Major VPN service providers have servers around the world, letting users choose where they’d like to appear to be from.
So what it comes down to is: Whether using VPNs will be seen as tampering with a telecom identifier, and whether using VPNs will be seen as trying to gain unauthorised access to a telecom network by pretending to be someone else.
If the answer is found to be yes in either of the two cases, VPN users could face a jail term or hefty fines.
That's a problem because VPNs have harmless use cases for businesses whose employees want to connect to a corporate network when they're out of office, or individual users who may not want a network operator or ISP to see their basic web traffic.
But how would the government know if you're using a VPN or when traffic is re-routed to a VPN server?
Well, Section 8(1) of the Act allows the central government to ensure "interference-free use of assigned spectrum" by setting up a monitoring and enforcement mechanism.
Furthermore, Section 22 of the Act allows the central government to take measures that "may include collection, analysis and dissemination of traffic data that is generated, transmitted, received or stored in telecommunication networks."
"For the purposes of this sub-section, the expression "traffic data" means any data generated, transmitted, received or stored in telecommunication networks including data relating to the type, routing, duration or time of a telecommunication," the Act reads.
Can the Act Be Used To Regulate VPN Service Providers?
When asked if VPN service providers would require government authorisation under the Act, BanBreach's Suman Kar said yes.
"Authorisation is required for the mere intent of possessing radio equipment. VPN providers, of course, meet all three conditions laid out under Section 3," he told The Quint.
And if a VPN service provider becomes an authorised entity, will it have to carry out biometric identification of users? "It would be wise to assume that this is going to be the norm. It may be so that some providers become exempted from this obligation," the cybersecurity expert opined.
"VPN service providers would want to minimise data collection as possible
"There is evidence that a number of "privacy-focused" services (including VPNs) have given in to regulatory pressure across the globe. This Act legitimises and absolves such State action from scrutiny. The Act also provides an array of means to limit individual privacy directly or indirectly." – BanBreach CEO Suman Kar
'Already Removed Servers From India': ProtonVPN
"Proton already removed its physical servers from the country back in 2022 in response to a regressive surveillance law," the VPN service provider told The Quint, referring to the CERT-In cybersecurity directions notified in 2022.
"This law [CERT-In rules] required VPN providers operating in India to collect and store sensitive user data – including IP addresses, names, contact information, time stamps, and usage patterns – for at least five years," ProtonVPN said in its statement.
"Proton could not comply with the [CERT-In] rules due to our strict no-logs policy, and the company also refuses to act in accordance with or condone any efforts to undermine user privacy and free expression," the statement read.
Meanwhile, a Surfshark spokesperson also said that it had decided to shut down its servers in India last year "in response to the Indian data regulation laws."
"India's data privacy and censorship laws have been a growing concern in recent years. We believe that such laws are overreaching and stifling free expression and online privacy in India," a Surfshark spokesperson told The Quint.
The Quint has reached out to NordVPN, Express VPN, and SnTHostings for comment on the new Telecom Act. This report will be updated when we hear back.
Why Regulating VPNs Is Harder Than It Seems
Legally, the Telecom Act extends to "any offence committed or contravention made outside India by any person, as provided in this Act."
Section 50 also states, "This Act shall apply to any offence committed or contravention made outside India by any person if the act or conduct constituting such offence or contravention involves a telecommunication service provided in India, or telecommunication equipment or telecommunication network located in India."
"However, many VPNs that do not have operations in India can still be downloaded and accessed online. In addition, you have browsers like TOR which obfuscates any surveillance attempt on your online activity," Bal said.
In the past, commercial VPN providers like ProtonVPN have been able to skirt Indian law by putting in place certain technical counter-measures.
"We unveiled new Proton VPN “Smart Routing” servers, which allow people to connect to Indian IP addresses from a remote server. Proton’s new Indian servers (based in Singapore) mean users can keep an Indian IP address and access the Indian internet securely, but from servers physically located outside the jurisdiction of the Indian government and therefore not subject to [CERT-In] logging rules," the Geneva-based company said.