The decision was made by the Parliament in the spur of the moment of blocking the VPN technology or banning it permanently. It will directly impact upon data security of individuals as well as the MNCs. It has also brought MNCs into big trouble as during lockdown, where the world was in a still and the generation started with work from home where VPN played an essential role by facilitating work consecutively.
Sunny Nehra, admin at Hacks and Security explains through a tweet “Most of the foreign-based outsourcing companies are relying upon VPNs to carry out their tasks in India.
Same is for WFH projects carried out by companies here.”
https://twitter.com/sunnynehrabro/status/1432889986194362373?s=20
Sunny Nehra holds top-level certifications in cyber security and networking varying from conceptual to practical implementation skills of such topics and has a vast amount of experience in creating, deploying and managing hybrid cloud connectivity solutions using VPNs for cooperating level clients. While having a conversation with him, he explained why this proposal makes no sense at all and how infeasible it is. It simply shows the committee’s lack of understanding about the VPN technology.
He also adds“VPN creates a secure tunnel or say a pipeline between the VPN client and VPN server. Remote employees use VPN software to remotely and securely connect to their corporate networks. Even for using cloud the businesses nowadays prefer VPN based hybrid model connectivity for using cloud services. Most of the services maintaining traffic logs of your devices or infrastructure would again be using VPN technology. I am running a service based on VPN to monitor traffic logs for some (limited) but important persons who felt they could be targeted by malicious spyware. Seems the committee is limiting the scope of the VPN technology or its concept.”
The report said “The Committee notes with anxiety the technological challenge posed by VPN services and Dark Web that can bypass cyber security walls and allow criminals to remain anonymous online. As of date, VPN can easily be downloaded as many websites are providing such facilities and advertising them.”
“The Committee also recommends that a coordination mechanism be developed with international agencies to ensure that these VPNs are blocked permanently,” the report added.
While having the conversation Sunny Nehra agrees that VPNs are being used by cybercriminals and explain whats a problem
I asked Sunny Nehra about his views on increasing crimes via VPNs and what could be the best solution.
He explains “Yes, being working with several law enforcement agencies I can say with no doubt that VPNs are used by cybercriminals and unfortunately most of them especially the international ones don’t cooperate well with our Law Enforcement.”
He adds “The worst part is the no-logs VPNs. Some of them even don’t store IP addresses logs that is the info or data that shows which IP address of theirs was allocated to whom at what time. Some leading VPNs are acting as ISPs themselves. They buy a series of IP addresses and take sole responsibility for their allocations, the main ISPs which sold their IPs to these VPNs now themselves won’t keep the logs of those IPs. Now imagine that some malicious person did some online crime using some of those IPs and you have no one to ask whom the IP was allocated at the time the online crime or activity happened.”
What could be the feasible solution?- I asked Mr Nehra
He explained “But that doesn’t mean we should ban the concept of VPNs itself. That’s in fact a kind of joke. What we can best do is make strict laws about how IPs should be sold by Indian ISPs to VPN companies and especially how the logs should be maintained by those VPNs. I have even worked on cases where I faced Indian IPs being used by international VPN companies with no logging of data. For foreign IPs (allocated by foreign ISPs) being used by VPNs, we can ban those VPN applications which are not cooperating with our law enforcement, get the list of IPs those VPNs providing and ask all our ISPs to blacklist those for any connectivity. Government can go for banning those VPNs which have no-logs policies. I know such VPNs are liked by privacy lovers but somewhere they are a safe zone for cyber criminals too.”
“The giant companies, in fact even the average ones nowadays have their in-house VPNs. These companies use VPNs for remote operations so that there is no eavesdropping of the information while data is in transit or safe remote access to the company’s systems or say prevention from MITM (Man In The Middle) attacks. Their logging of VPN data helps them know about the activities of their employees as well as helps law enforcement authorities in case of some malicious activity via some of their systems.”
“Asking to ban such technologies/concepts via arguments of cybercriminals using VPNs is like asking to ban the usage of the knife because it can be used by criminals to murder someone.
It seems, for the committee that proposed it, VPN seems just some applications while VPN as a whole is a huge concept. It’s an upgrade to the proxies and you know well anyone can from any system create any type of proxies. VPN is a way to ensure that the data flow from the client to this system (from which u created the proxy) was all highly encrypted (tunnelled) so that no eavesdropping happens. So how exactly one could ban this concept? It’s like asking to ban all the encrypted data that is flowing across the internet” he explains.