India's internet privacy is in danger because the government can watch almost everyone who uses an Indian internet service provider. The Indian government has been working for years to improve online monitoring, especially after the terrorist attacks in Mumbai in 2008. But recently, there have been authoritarian orders against VPNs and a new disclosure from telecommunications officials that suggest the attack on privacy is moving into a new phase.

The technology website Entrackr (ISPs) said on November 10 that the Department of Telecommunications had almost unrestricted access to web traffic coming directly from India's internet service providers.

Entrackr discovered through public records requests that the government has remote, real-time access to internet users' activities without the user or even the ISP being aware of the monitoring.

This means that users of the internet in India can never be certain that law enforcement isn't listening in on their conversations and watching what sites they visit.

This report came out not long after the Indian government passed laws that require VPN providers to keep logs of what users do. For Indians who value their privacy and the role that privacy plays in a democracy, these developments raise important questions. Although the extent of government surveillance is unknown to the public, it is clear that the government wants unrestricted access to everything Indians to do online.

This article talks about what the most recent leaks mean for people who use the internet in India and gives tips on how to protect your privacy when this happens.

Central Monitoring System (CMS)

The Central Monitoring System is the backbone of India's surveillance infrastructure. The system, which was conceived before 2007 and accelerated following the 26/11 terror attacks, is designed to intercept phone calls and internet data, but much of the program remains classified.

In 2013, the director of India's Software Freedom and Law Center stated, “No one knows what they have proposed or whether it has a parliamentary mandate.” It's similar to a black hole.

According to an anonymous source working on the program, the Secretary of the Department of Electronics and Information Technology authorizes all targeted surveillance orders, which are then passed on to the telecom provider. Such spying is legal under a law based on Indian rules for intercepting telegraph messages from 1885.

The Central Monitoring System could not have predicted how far this law would be stretched and abused. “Essentially, every form of electronic communication will be scrutinized by the government.” According to a 2015 paper by a Washington University law professor, “even partially written emails saved in draft folders will be vulnerable to government intrusion.”

The extent to which the government's technical capacity to access this data is dependent on internet companies' cooperation. However, according to Entrackr, no such barrier exists in the case of internet service providers. The ability to conduct real-time remote surveillance increases the likelihood that law enforcement and spies can monitor any user at any time.

Closing the VPN loophole

The simple solution to ISP-level surveillance may be recognized by astute readers: Simply connect to a VPN.

End-to-end encryption is used by a virtual private network to conceal your web traffic as it travels between your computer and the websites you visit. When you connect through a VPN, your internet service provider cannot see much of your activity.

VPNs are thus a significant gap in the Indian government's surveillance regime. That could be why they decided to close the loophole this year.

Most VPN providers explicitly design mechanisms to collect as little data about their users as possible. Proton VPN, for example, does not log your activity, and any government requests for user data must be approved by Swiss courts.

However, in 2022, the Indian government issued an order requiring VPN companies with servers in India to keep extensive logs of their customers. They expect VPNs to keep records of users' names, IP addresses, and even the reason they use a VPN.

In response, Proton VPN, Express VPN and many more replaced our servers in India with Smart Routing servers in Singapore. This feature enables our VPN servers to provide you with an Indian IP address, although they are based in Singapore, where they are not subject to India's VPN logging requirements.

How to Maintain Your Privacy in India

India is a nation that is becoming more and more hostile to online privacy due to its 19th-century surveillance laws and a potent Central Monitoring System.

Although there is so much secrecy surrounding the program that it is still unknown if the Central Monitoring System is being used for mass surveillance, it is impossible to rule out the possibility.

Critics have previously expressed concern about India's widespread surveillance. WhatsApp filed a lawsuit after the Indian government attempted to compel it and other online messaging services to remove their encryption and store all messages in a “traceable” database in 2021.

Only “sovereignty or integrity of India, defense of India, security of the state, friendly relations with foreign states, or public order” are technically protected by the government's use of surveillance. But these requirements are vague, poorly defined, and implemented secretly. According to human rights experts, overreach is all too simple.

The good news is that there are straightforward privacy protection measures that are nearly impossible for the government to thwart.

Use internet services based in privacy-friendly nations and encrypt as much of your data as you can to keep it private in India.

• Use a VPN service with no logs that don't have any physical servers in India. Proton VPN no longer has a physical presence in India as a result of the September 2022 user logging order; instead, it uses Smart Routing servers in Singapore.

• Email should be encrypted end-to-end. The government won't be able to access the content of your communications if you use an end-to-end encrypted email provider. Make sure the conversation is taking place on the same platform on both ends. (For instance, if you use Proton Mail, but the recipient does not, the recipient's email provider may be able to access your message.) Once more, you ought to pick service providers without a physical presence in India.

• Use chat apps with end-to-end encryption. We advise using Signal for secure messaging because it is not based in India and encrypts all metadata and both ends of every conversation by default.