Virtual Private Networks (VPNs) are currently the premier strategy for disappearing on the internet. Users of VPNs take advantage of a secondary server that reroutes, disguises, and scrubs their internet activity. VPNs make their money by giving users the option to keep their information to themselves in a world that increasingly demands the right to peer over our shoulders. India has introduced legislation that, if adopted around the world, would deal a massive blow to the very concept of Web 2.0 privacy.
The Legislation
A national directive from India’s Computer Emergency Response Team (CERT-in) has demanded that VPNs collect and store customer data that would make their users easily identifiable and totally undermine the business model of these networks[1]. The policy asks that VPNs store: validated customer names, physical addresses, IP addresses (including original, reissued, and any previous addresses), reasons for using their services, and dates. All of these are to be packaged together to create a sort of “ownership pattern.” CERT-in wants VPN companies to take all of this information and set it aside for a minimum of five years.
Most obviously, data like this can be used by the government to look directly at all of the internet activity of any user passing through the servers of these virtual networks. Any download, purchase, or stream could easily be laid bare at the feet of any official who signs off on the right paperwork.
Secondly, this invalidates the utility of a VPN. We turn to these services when we want to opt out of the ravenous cycle of scraping and selling our data. Private users of VPNs do so with the express purpose of keeping their data to themselves. When VPNs are forced to hold onto this information, private users might as well parade around the internet without a private network. Businesses and remote employees also make up a large constituency of VPN users. They depend on VPNs to do business online in a secure and confidential manner.
What Happens to VPN Companies?
Companies that provide virtual private networks would find themselves on the hook for infrastructure they want no part of. Currently, VPNs are built with servers that use RAM disks rather than persistent, rewritable storage. This makes them much more nimble, and they don’t have to dedicate resources to setting aside terabytes of information for half a decade (or longer if they want to err on the side of caution, as many companies do).
Any VPN company operating in India either has to dump a significant portion of its revenue into refitting its facilities or needs to start looking into moving to another country entirely. There’s also the possibility of other governments following suit in the wake of CERT-in’s decision.
VPN companies, while concerned with the privacy of their customers, will now be faced with the allure of selling their users’ data. After being asked to collect and collate it, they’ll be in the unique position of holding the exact information that was off the market just a few short days prior. We’d love to remain optimistic in this case, but the financial gain would simply be too enticing for many companies to resist[2].
Storage of your personal data also implies the potential that hackers will find a way to pry open whatever storage solution VPN companies settle on. Looking through the directions CERT-in put forward, we can see that they don’t require any sort of standard of storage[3]. All they want is data that can be reconstructed and easily accessed in the event that a “cyber security incident” requires that the information be recalled and presented. We can also see in these directions that a “cyber security incident” can be as vague as it needs to be. VPNs in India will not only be at a distinct disadvantage after this takes effect; they’ll also be plump targets for hackers.
How Does IPFS Solve This?
The InterPlanetary File System (IPFS) and the practical applications of Web 3.0 are on the rise, and they’re solutions that aim to create an internet where this sort of legislation can no longer extend its fingers into your personal data. IPFS and end-to-end encryption create an ecosystem where tracking, storing, and spying on personal data is effectively impossible.
Unfortunately, early applications of Web 3.0 technology have been caught up in the frenzy of cryptocurrency and get-rich-quick schemes. The true potential of a decentralized internet lies in the security and freedom users can find by unchaining themselves from centralized authorities online. IPFS storage systems don’t rely on a single server to store your data, making it incredibly difficult for outside actors to access it, and that includes providers of the storage service. The only person with the key to decrypt your data is you, the only eyes on your decentralized data are yours, and the only agency storing your data is you. IPFS obliterates the role of the central “middleman” when it comes to storage, creating an online collective that can’t simply be strong-armed into setting aside your private information for access by a government body.
AXEL Wants to Protect Your Privacy
AXEL is a decentralized storage solution for all of your storage and file-sharing needs.
You can try AXEL Go Premium with all features unlocked free for 14 days. Sign up today and see how AXEL Go can improve your workflow and supplement your organization’s cybersecurity.
Citations
[1] Hodge, Rae. “India Orders VPN Companies to Collect and Hand over User Data.” CNET. CNET, May 5, 2022. https://www.cnet.com/news/privacy/india-orders-vpn-companies-to-collect-and-hand-over-user-data/.
[2] Brown, Brad, Kumar Kanagasabai, Prashant Pant, and Gonçalo Serpa Pinto. “Capturing Value from Your Customer Data.” McKinsey & Company. McKinsey & Company, April 28, 2022. https://www.mckinsey.com/business-functions/quantumblack/our-insights/capturing-value-from-your-customer-data.
[3] “No. 20(3)/2022-CERT-in Government of India Ministry of …” Accessed May 5, 2022. https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf.