Archive for India

India Backs Down From Forcing A “Cybersecurity” App Onto Phones After Backlash

Posted in Commentary with tags on December 4, 2025 by itnerd

Over the last few days, India has been pushing tech companies like Apple and Google to pre-install a state-developed app, meant to enhance security, onto phones sold in the country, and to make sure that the app could not be removed. After pushback from pretty much everyone, India yesterday backed away from that effort.

If you want to go down the rabbit hole on this, here’s a story on this along with India’s “spin” on why they backed away from doing this.

Ted Miracco, CEO, Approov had this to say:

“With most of us living and working on our mobile devices, the challenge is not just balancing security and privacy, but also balancing control of the private information between the tech giants as “gatekeepers” and government regulators, who often lack the expertise or execution to keep up with the pace of technological changes.

“True security cannot reside in the operating system alone because the OS can be compromised. It must be anchored in silicon, and the tech giants do facilitate security via the Secure Enclave (Apple), the Titan M2 chip (Google) and Knox Vault (from Samsung). These are separate microcomputers inside your phone with their own processor and memory that store your biometric data and encryption keys. We must ensure apps use these hardware APIs to generate keys that never leave the secure chip, and this data cannot be shared with governments, which was the overreach by the Indian government with the Sanchar Saathi app that has unfettered access to device level APIs.

“To roll back Big Tech without empowering “Big Brother,” we must decouple service from surveillance using both laws and source code. The legal lever involves enforcing an “Information Fiduciary” standard, which legally obligates tech companies to act in your best interest by banning them from exploiting your data for profit and effectively neutralizing their exploitative business models. The technical lever involves Self-Sovereign Identity (SSI) and Zero-Knowledge Proofs (ZKP), which ensure that while these fiduciaries can verify you are a citizen or over 18, they technically never possess your raw identity data; this means that when a government issues a subpoena or demands mass surveillance, the tech giants have no central database to hand over because the keys remain exclusively on your mobile device in the secure silicon enclave.

“While the EU’s GDPR focuses on protecting data, the DGA (passed in 2022) focuses on restructuring who holds it – creating a regulated class of “Data Intermediaries”, as neutral third parties that legally cannot use your data for their own profit like selling ads. Instead of you fighting Facebook alone, you join a “Data Cooperative” or “Data Union” where the union holds your data in a vault and if a company wants to target you with ads, they must negotiate with your union, which can demand a fee or strict privacy guarantees. Hence, the mobile app never “owns” the data, but they can license access to it temporarily.”

George McGregor, VP, Approov follows up with this:

“Government initiatives to reduce mobile-enabled crime through citizen-facing apps are laudable — public safety is a critical goal. But making such apps mandatory sets a troubling precedent. Which apps are installed on an individual device must always be a personal choice.

“Security isn’t based on who publishes an app, but on how that app proves its integrity and behavior. Government apps need to be held to the same standard of provable security and transparency as any other apps. Without strong safeguards like runtime attestation and Zero Trust principles, mandatory apps risk becoming new vectors for abuse, surveillance, or exploitation — even if well-intentioned.”

Michael Bell, CEO, Suzu Labs had this to say:

“The problem with India’s approach wasn’t the goal of improving mobile security, it was the implementation: closed-source code, root-level access, no independent audit, and no user control. If the goal is mandatory security that doesn’t become surveillance, the framework needs to be transparent (open-source, publicly auditable), minimal (only the permissions absolutely necessary), and accountable (independent oversight, clear data access logs). The EU’s approach with GDPR and the upcoming Cyber Resilience Act comes closest to getting this right: they mandate security outcomes and transparency requirements on vendors rather than installing government software on every device, which keeps the trust relationship between users and their hardware intact.

“The honest answer is that perfect security and perfect privacy are fundamentally in tension, and any system that claims otherwise is lying. What we can do is shift the burden: instead of governments monitoring citizens, require device manufacturers and app developers to meet security baselines, mandate transparency about data collection, and give users genuine control. The US hasn’t gotten this right at scale, though California’s CCPA and some state-level IoT security laws are moving in the right direction by regulating the ecosystem rather than surveilling the endpoint.”

This rollback is a good thing, as I had real reservations about what the Indian government was doing. Hopefully a more thoughtful approach to this app is taken, so that it can be rolled out with a fair amount of confidence that it has no unwanted side effects.

Canadian Gets Held By Indian Authorities For Carrying A Garmin InReach Satellite Communication Device

Posted in Commentary with tags on January 2, 2025 by itnerd

Before travelling to another country with your tech, it always pays to see how the local laws might affect you and the tech you carry. For example, some countries have restrictions on VPN usage or encryption technologies. Thus if you’re going to one of those countries, you might want to avoid using a VPN or bringing a laptop that’s encrypted.

Now, to be clear, the example that I am about to bring you is not a case of blaming the victim. It’s more of a cautionary tale:

In early December, a Canadian trail runner named Tina Lewis was two months into her extended trip to India when she ran into legal trouble due to her backcountry GPS communication device.

On December 6, Lewis, 51, arrived at Dabolim International Airport in the city of Goa, to fly to the nearby city of Kochi. She was traveling with a Garmin inReach Mini, a popular GPS and satellite messaging device often used by backpackers and climbers.

“It had been an amazing trip, the trip of a lifetime,” Lewis told Outside.

But when Lewis removed her InReach from her carry-on bag and placed it onto a scanning tray, she said a security officer approached her and asked her questions about the device. Lewis said armed guards then removed her from the line.

Lewis missed her flight. For the next four hours she was detained and interrogated about the InReach. Although her eventual fine was just $11, Lewis said she spent more than $2,000 to pay legal fees and bail.

“They treated me like a frickin’ fugitive,” she said.

And:

Lewis had unknowingly violated an Indian law that requires individuals to obtain a license before owning or using a personal satellite communication device. Lewis spent the next six days attempting to get her passport back from authorities. She had to appear in court on three consecutive days, and she eventually hired lawyers to avoid jail time.

India’s laws prohibiting individuals from owning satellite devices are published online: Unless registered and licensed by the government, satellite communicators are illegal. The Garmin website lists India as one of 14 countries that may “regulate or prohibit the use or possession of a satellite communicator” or are otherwise embargoed by the United States. The other nations on the list are Afghanistan, Ukrainian Crimea, Cuba, Georgia, Iran, North Korea, Myanmar, Sudan, Syria, Thailand, Vietnam, China, and Russia.

But the roots of the law are tied to an obscure rule from India’s past. The ban on satellite communication originated with the Indian Telegraph Act of 1885 and the Wireless Telegraphy Act of 1933. According to Global Rescue, an international medical and security evacuation service, these older laws were reinforced after the Mumbai terror attacks of 2008, when an Islamist militia used satellite communicators to coordinate bombings and shootings that killed nearly 200 people.

Now, from first-hand experience, having travelled to the country on several occasions, I can say that India has some “interesting” laws when it comes to tech. But this one is kind of surprising. Though I can see from India’s perspective why they need a law like this one, the flip side is that the Garmin inReach is a popular device among those who go to remote areas on a frequent basis. Thus you would think that this is a law that requires modernization for that reason.

By the way, this Canadian wasn’t the only person caught up in a situation like this:

She isn’t the only traveler to run afoul of the law. On December 9, just three days after Lewis’ arrest, a Czech traveler named Martin Polesny with a Garmin was detained at another Goa state airport. The following day, an American named Joshua Ivan Richardson was arrested with a satellite phone in Dehradun. A month prior, another American was detained at Chennai airport for the same reason.

Well, that’s not going to help with getting tourists into India and spending money there. Now that these stories are out there, the users of these devices are going to think twice about going there, because few if any of them are going to leave their Garmin inReach devices at home.

Oh. To borrow a phrase that was often used by Steve Jobs, there’s one more thing:

Direct satellite communication features are increasingly standard in modern smartphones. The newest versions of Apple’s iPhones have satellite communication capabilities. iPhones allow users to send messages to emergency services, share location, and stay in touch with emergency contacts, all while off the grid, with no cellular or Wi-Fi coverage, via satellite connection.

So in theory, if I go to India with my iPhone 14 Pro, which has a feature called SOS Over Satellite, I could get into trouble. Well, seeing as I don’t go anywhere without my phone, I have two choices: take my chances, or avoid going to India. It will likely be the latter. Thus if I could give one piece of advice to the Indian government, it is that you need to rethink this law. And at the same time, if I could give one piece of advice to travellers, it is to check the local laws regarding your tech and make your travel plans accordingly.

India’s Digital Personal Data Protection Bill Moves Through Parliament

Posted in Commentary with tags on August 8, 2023 by itnerd

India’s Digital Personal Data Protection Bill of 2023 passed in the lower house of Parliament and will now face the upper house before it becomes law. Highlights of the bill include:

  • The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised. It will also apply to such processing outside India, if it is for offering goods or services in India.
  • Personal data may be processed only for a lawful purpose upon consent of an individual. Consent may not be required for specified legitimate uses such as voluntary sharing of data by the individual or processing by the State for permits, licenses, benefits, and services.
  • Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
  • The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
  • The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offences.
  • The central government will establish the Data Protection Board of India to adjudicate on non-compliance with the provisions of the Bill.

But all of this does concern me:

  • Exemptions to data processing by the State on grounds such as national security may lead to data collection, processing, and retention beyond what is necessary. This may violate the fundamental right to privacy.
  • The Bill does not regulate risks of harms arising from processing of personal data.
  • The Bill does not grant the right to data portability and the right to be forgotten to the data principal.
  • The Bill allows transfer of personal data outside India, except to countries notified by the central government. This mechanism may not ensure adequate evaluation of data protection standards in the countries where transfer of personal data is allowed.

Ani Chaudhuri, CEO, Dasera had this comment:

“In today’s hyper-connected world, data is the lifeblood of businesses, governments, and individuals. The Digital Personal Data Protection Bill, 2023, tabled by the Indian Parliament, promises to reshape India’s digital ecosystem fundamentally. However, some provisions raise eyebrows, and some bring a sigh of relief. As the CEO of a leading data security and governance firm, here’s my perspective:

1. Applicability and Scope: The Bill’s clarity on what constitutes digital and non-digital data is commendable. This distinction is pertinent in our digital transformation era, where data can easily traverse between these forms. However, the territorial applicability might leave room for data misuse if foreign entities do not offer goods or services but still process Indian data.

2. Consent: The Bill strengthens the individual’s position as the custodian of their data. The stipulation around explicit affirmative action for consent is a commendable step forward. However, the reliance on “consent managers” might introduce new business complexities.

3. Grounds of Processing: The shift from ‘deemed consent’ to ‘legitimate uses’ presents challenges and opportunities. While it offers clarity, it significantly burdens businesses to rethink their data collection and processing strategies.

4. Data Fiduciaries: The onus on data fiduciaries to ensure compliance even when they outsource the processing is a welcome move. This will ensure a chain of responsibility and enforce better data practices.

5. Cross-border Transfers: A “negative list” approach, while seemingly liberal, might lead to complications if the principles on which countries are barred aren’t transparently laid out.

6. Blocking Power: A potentially controversial move. Any power to block public access must be exercised with utmost caution, ensuring it does not stifle freedom of expression or business continuity.

7. Exemptions: A double-edged sword. While exemptions might be necessary for state functionality, they shouldn’t become a backdoor to bypass the very essence of the bill.

8. Penalties: Reducing the maximum penalty suggests a softer stance on non-compliance. Whether this is conducive to robust data protection or simply a concession to businesses is up for debate.

Overall, the 2023 Bill is a thoughtful attempt to balance protecting individual rights and fostering business growth. However, the concerns around compliance costs, especially for startups, are genuine. Doing without ‘deemed consent’ will undoubtedly introduce more rigidity into the system. While data protection is of utmost importance, we must ensure that we do not inadvertently stifle innovation and business growth.

Although lacking specific timelines, the phased approach to implementation gives businesses a window to adapt. However, startups may bear the brunt, given the high compliance costs. The bill in its current form appears to swing the pendulum more towards protection and less towards ease of doing business.”

While the Bill addresses several data protection concerns, it remains to be seen how its implementation will affect the digital landscape in India. What’s imperative is a continuous dialogue between stakeholders to ensure the Bill serves its purpose without stifling the Indian digital ecosystem.

I am personally very suspicious of this bill because of the privacy-related concerns that I highlighted earlier, among other concerns. But there are things in this bill that could be considered “good”, so I will see how it is implemented and what the effects of that implementation are before passing judgement on it.

NordVPN And SurfShark To India: We’re Outta Here!

Posted in Commentary with tags on June 14, 2022 by itnerd

Frequent readers will recall that India brought in strict new laws that require VPN operators to retain data on who uses their services, or else, and that VPN companies were considering their options, including leaving the country. That is the route that ExpressVPN took. And now it seems others are joining them in exiting the country. Starting with NordVPN:

“Moreover, we are committed to protecting the privacy of our customers. Therefore, we are no longer able to keep servers in India,” Laura Tyrylyte, head of public relations at NordVPN, told TechCrunch.

“Our Indian servers will remain until 26 June 2022. In order to ensure that our users are aware of this decision, we will send notifications with the full information via the NordVPN app starting 20 June. As digital privacy and security advocates, we are concerned about the possible effect this regulation may have on people’s data. From what it seems, the amount of stored private information will be drastically increased throughout hundreds or maybe thousands of different companies. It is hard to imagine that all, especially small and medium enterprises, will have the proper means to ensure the security of such data,” she added.

Joining them in heading to the exits is SurfShark:

Surfshark’s physical servers in India will be shut down before the new law comes into power. Up until then, users will be able to connect to servers in India as usual. After the new regulations come into effect, we’ll introduce our virtual Indian servers – which will be physically located in Singapore and London. Users will be able to find them in our regular list of servers.

Virtual servers are functionally identical to physical ones – the main difference is that they’re not located in the stated country. They still provide the same functionality – in this case, getting an Indian IP.

Users in India who don’t use Indian servers will not notice any differences – they will still be able to connect to whichever server outside the country they please. Meanwhile, Surfshark will continue to closely monitor the government’s attempts to limit internet freedom and encourage discussions intended to persuade the government to hear the arguments of the tech industry.

This isn’t really going well for India, as I think they expected VPN companies to roll over and comply. But that’s not happening. And the fact that some VPN companies are pulling their servers from the country will encourage other VPN companies to do the same. That makes India look rather lame. And it may make them rethink this rather than lose face. Though I can see a scenario where India barrels ahead to make a point. We’ll have to see which direction they decide to go in.

ExpressVPN To India: We’re Outta Here!

Posted in Commentary with tags on June 3, 2022 by itnerd

I’ve been writing about India’s demands that VPN providers keep, and provide to the Indian Government, data on what Indian VPN users are doing, and how VPN operators are thinking twice about being in the country as a result. The Indian Government has even said: do what we want you to do or get out. Well, ExpressVPN has decided to get out:

In a blog post, the British Virgin Islands-based company said that with the introduction of the new cybersecurity rules by the Indian Computer Emergency Response Team (CERT-In), it has made a “very straightforward decision to remove our Indian-based VPN servers.” While ExpressVPN is the first to pull its services from India, other VPN providers like NordVPN have also taken a similar stance.

The guidelines, released by CERT-In on April 26, asked VPN service providers along with data centers and cloud service providers, to store information such as names, e-mail IDs, contact numbers, and IP addresses (among other things) of their customers for a period of five years. The government said it wants these details to fight cybercrime, but the industry argues that privacy is the main selling point of VPN services, and such a move would be in breach of the privacy cover provided by VPN platforms.

ExpressVPN described the cybersecurity rules as “broad” and “overreaching.” “The law is also overreaching and so broad as to open up the window for potential abuse. We believe the damage done by potential misuse of this kind of law far outweighs any benefit that lawmakers claim would come from it,” ExpressVPN said. It added that while CERT-In’s rules are intended to fight cybercrime, they are “incompatible with the purpose of VPNs, which are designed to keep users’ online activity private.” Indian users of ExpressVPN will still be able to use its service via “virtual” India servers located in Singapore and the UK. “We will never collect logs of user activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, meaning no logs of IP addresses, outgoing VPN IP addresses, connection timestamps, or session durations,” the company said.

I really don’t get why India is so hell-bent on this rather stupid and ill-advised VPN law. If they really wanted to make a difference in terms of cybercrime, they would spend more time cracking down on the country’s internal cybercrime and world-leading fraudulent call center and scamming activities. But they won’t, because the scammers and fraudsters clearly have the Indian Government in their pockets. In the meantime, expect to see more VPN providers do some version of what ExpressVPN has done. Which means that the Indian Government won’t be winning this fight.

India To VPN Companies: Do What We Want Or Get Out Of India

Posted in Commentary with tags on May 18, 2022 by itnerd

You might recall that I did a story on India wanting VPN companies to retain data on who uses their services, and VPN companies considering their options, including leaving the country. India has now escalated this by saying the following:

The Indian Computer Emergency Response Team clarified (PDF) on Wednesday that “virtual private server (VPS) providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organisations” shall follow the directive, called Cyber Security Directions, that requires them to store customers’ names, email addresses, IP addresses, know your customer records, financial transactions for a period of five years.

And:

Rajeev Chandrasekhar, the junior IT minister of India, said that VPN providers who wish to conceal who uses their services “will have to pull out.” He also said that there won’t be any public consultation on these rules.

Keep in mind that India is the second largest Internet market on the planet. So I am guessing that the Indian government is counting on the fact that VPN providers will comply rather than give up doing business in that market. And even if some or most of them do leave, the Indian government will win anyway, because it will be left with the VPN companies that do comply with its directive. That of course assumes that Indian citizens don’t just go out and get a VPN service from outside the country. After all, it’s not like we haven’t seen that happen before.

This will be interesting to see as I suspect that the push back will be substantial from both sides, and only one side will win. Let’s see which side that is.

India Orders VPN Providers To Retain Data…. VPN Providers Are Considering Their Options Including Leaving The Country

Posted in Commentary with tags on May 9, 2022 by itnerd

India has ordered VPNs to collect and store users’ data, including names, addresses, contact numbers, email and IP addresses, for up to five years. With this move, Wired reported that VPN providers have since threatened to quit India:

The justification from the country’s Computer Emergency Response Team (CERT-In) is that it needs to be able to investigate potential cybercrime. But that doesn’t wash with VPN providers, some of whom have said they may ignore the demands. “This latest move by the Indian government to require VPN companies to hand over user personal data represents a worrying attempt to infringe on the digital rights of its citizens,” says Harold Li, vice president of ExpressVPN. He adds that the company would never log user information or activity and that it will adjust its “operations and infrastructure to preserve this principle if and when necessary.”

Artur Kane, CMO at GoodAccess had this to say:

“Though controversial upon inception, the so-called data retention legislation has now been with us for decades. Most technologically developed countries enforce these directives with varying retention periods, usually ranging from 6 months to 2 years. In some countries, all expenses on data retention are even covered by the government.

Until now, the data retention obligations were limited to infrastructure providers (internet service providers, telecommunications), and asking the same of VPN vendors is without precedent in democratic countries.

The use of VPNs, in the past widely adopted by companies to provide remote access to company IT resources, has rapidly spread to millions of consumers over the past decade, who use it to avoid surveillance by internet providers, bypass country-based content filtering, and other restrictions. In my opinion, cybercriminals had been using VPNs to anonymize their activities even before ordinary users jumped on the trend.

Now, forcing VPN providers to track user traffic and their private data (like source and destination IP, port, protocol, and timestamps) is going to invalidate one of the last remaining safeguards of personal privacy on the public internet while helping to expose only a handful of lawbreakers.

The value for the price doesn’t add up, either. Privacy is a basic human need, legally protected in many free countries, and people have the right to protect it, especially now, when their sensitive data is more valuable than ever and is being collected on a shocking scale.

Law on the public internet can be enforced in other ways that do not impact user privacy, such as the use of behavioral algorithms by vendors, looking for characteristic patterns of potentially malicious behaviors, or disabling VPN services to those accounts where such events were detected.”

I have been to India a number of times and this news is very disappointing. India really needs to reconsider this as this is a massive overreach by the Indian Government. And it risks making them a very repressive country that nobody will want to visit or do business in.

India Bans More Chinese Apps

Posted in Commentary with tags on November 24, 2020 by itnerd

India is not done banning Chinese apps. The world’s second largest internet market, which has banned over 175 apps with links to the neighboring nation in recent months, said on Tuesday it was banning an additional 43 such apps.

Like with the previous orders, India cited cybersecurity concerns to block these apps. “This action was taken based on the inputs regarding these apps for engaging in activities which are prejudicial to sovereignty and integrity of India, defence of India, security of state and public order,” said India’s IT Ministry in a statement. The ministry said it issued the order to block these apps “based on the comprehensive reports received from Indian Cyber Crime Coordination Center, Ministry of Home Affairs.” The apps that have been banned include popular short video service Snack Video, which had surged to the top of the chart in recent months, as well as e-commerce app AliExpress, delivery app Lalamove, and shopping app Taobao Live. At this point, there doesn’t appear to be any Chinese app left in the top 500 apps used in India.

Oh boy. I think it’s safe to say that you can expect a response from China as this is pretty much an “F-U” to China. And that’s likely to be an instant response.

This should be fun to watch.

India Bans More Chinese Apps….. 118 Of Them….

Posted in Commentary with tags on September 2, 2020 by itnerd

A few weeks ago I wrote a story about India banning TikTok over security concerns. There’s news now that they’ve banned 118 apps of Chinese origin including PUBG and Tencent. Medianama shared an official statement from the Indian government on the ban extension:

“The Ministry of Electronics and Information Technology has received many complaints from various sources including several reports about misuse of some mobile apps available on Android and iOS platforms for stealing and surreptitiously transmitting users’ data in an unauthorized manner to servers which have locations outside India. The compilation of these data, its mining and profiling by elements hostile to national security and defence of India, which ultimately impinges upon the sovereignty and integrity of India, is a matter of very deep and immediate concern which requires emergency measures,” the IT Ministry said in a statement.

You can fully expect this to inflame tensions between India and China. And those two countries have lots of tensions at the moment. Plus it will likely encourage the US to ban more Chinese apps, especially seeing as the date to ban TikTok in the US is approaching.

Fresh Off Of Banning TikTok, India Looks To Ban Hundreds Of Chinese Made Apps

Posted in Commentary with tags on July 29, 2020 by itnerd

India recently banned TikTok as part of an ongoing spat with China where India cites security reasons for the ban. But news out of India indicates that this may not be the end as the Indian government is looking to ban hundreds of Chinese apps citing the same security reasons:

India has drawn up a list of 275 Chinese apps that it will examine for any violation of national security and user privacy, signaling heightened scrutiny and the possibility of more Chinese internet companies being banned in the country, according to people aware of the developments. This follows the high-profile ban of 59 Chinese apps last month, including short video app TikTok, amid simmering geopolitical tensions between the two Asian giants. 

The list, reviewed by ET, includes gaming app PubG, Zili by phonemaker Xiaomi, AliExpress by ecommerce giant Alibaba as well as apps like Resso and ULike from TikTok-owner ByteDance. “The government may ban all, some or none from the list,” said one person cited above. A spokesperson for the union home ministry did not respond to queries from ET on the developments. However, official sources said reviews aimed at identifying more Chinese apps and their funding is underway. “Some of these apps have been red-flagged due to security reasons while others have been listed for violation of data sharing and privacy concerns,” an official explained. This is in addition to examining the alleged flow of data from these apps to China that poses a threat to sovereignty and integrity of India, according to officials who pointed to what they termed as China’s data-sharing norm that requires companies of Chinese-origin to share data with the home country, irrespective of where they operate.

This is going to be interesting to watch, because other countries such as the US and the UK are looking to do something similar. So how bad the blowback is from the government of China will likely govern whether this spreads. As for the privacy issues that these apps may or may not pose, the makers of these apps could make this go away by providing definitive proof that their apps pose no threat. To date they haven’t done that. But they need to if they don’t want to be banned from the biggest markets on the planet.