A timely piece in Rest of World on the tightening of regulations on the use of VPNs by the Modi administration in India. In this instance, the enforcement of visibility is carried out at the business level, with a regulatory requirement of customer data retention placed on VPN providers. This new policy may precipitate the exit from the Indian market of certain foreign companies, such as Proton VPN (which is headquartered in Switzerland).
A blanket requirement of data collection on VPN use at the source, such as in the Indian case, strongly suggests that the underlying goals of the policy are the unfettered operation of mass surveillance and a chilling effect on stigmatized activity online, since more targeted and discriminating solutions exist technically to deal with specific forms of malfeasance and lawbreaking behind VPNs. In this case (as in the resort to prolonged internet shutdowns), Indian digital policies can be seen to inhabit a troubling hybrid zone, in which a democratic government acts in ways more readily associated with authoritarian regimes. In general, the hardening of India’s policymaking on IT, including a muscular assertion of its data sovereignty, cannot easily be disentangled from geopolitical considerations (specifically, concern over Chinese influence), but has also undeniably benefited the government’s domestic agenda and its electoral and interest coalition.
Brexit begins to deliver on race-to-the-bottom deregulation: according to reports from UK-based NGO Open Rights Group, the recent free-trade deal with Japan will allow GDPR-level protections on Britons’ data to be circumvented. Specifically, US-based companies will be able to route UK users’ data through Japan, thereby defeating regulatory protections UK law inherited from the EU. It is interesting to see strategies and loopholes traditionally used for internationally produced goods now being applied to user data.
Technology policy is often characterized as an area in which governments play catch-up, both cognitively and resource-wise, with the private sector. In these two recent cases, otherwise quite far apart both spatially and thematically, law enforcement can be seen to flip this script by attempting to pin responsibility for social externalities on those it can reliably target: the victims and the small fry. Whether it is criminalizing those who pay to be rid of ransomware or rounding up the café owners who failed to participate in the State’s mass surveillance initiatives, the authorities signal the seriousness of their intentions with regards to combating social ills by targeting bystanders rather than the actual perpetrators. Politically, this is a myopic strategy, and I would not be surprised if it generated a significant amount of pushback.
I am catching up on some background reading by (and listening to a podcast interviewing) Elizabeth Renieris, a fellow at Harvard’s BKC and consultant on law and policy engineering. It is rather fiery stuff on privacy as an inalienable right and the scourge of personal data commodification. I think she comes across better in the audio interview, which is also long-form. But, in any case, food for thought on where the bounds for current legal discourse on these topics fall.