The global war against privacy tools, VPNs and encryption continues, utterly unhinged from common sense, and the assault on consumer privacy remains a notably global affair. Reddit users recently noticed that India's fifth-largest ISP, YOU Broadband, is among several of the country's ISPs that have been trying to prevent customers from using meaningful encryption. According to the company's updated terms of service, as a customer of the ISP you're supposed to avoid using encryption to allow for easier monitoring of your online behavior:
"The Customer shall not take any steps including adopting any encryption system that prevents or in any way hinders the Company from maintaining a log of the Customer or maintaining or having access to copies of all packages/data originating from the Customer."
Of course, enforcement of such a requirement is largely impossible. But YOU Broadband isn't just being randomly obtuse, and while the ISP's TOS is making headlines, this effort isn't really new. Most Indian ISPs are simply adhering to a misguided (and still not adequately updated) set of 2007 guidelines imposed by India's Department of Telecommunications (Word doc) demanding that ISPs try to prevent their subscribers from using any encryption with greater than a 40-bit key length if they want to do business in India:
"The Licensee shall ensure that Bulk Encryption is not deployed by ISPs connecting to Landing Station. Further, Individuals/Groups/Organizations are permitted to use encryption upto 40 bit key length in the symmetric key algorithms or its equivalent in other algorithms without having to obtain permission from the Licensor. However, if encryption equipments higher than this limit are to be deployed, individuals/groups/organizations shall do so with the prior written permission of the Licensor and deposit the decryption key, split into two parts, with the Licensor."
Which in and of itself is rather hysterical, given that since 1996 or so, most folks have considered a 40-bit key length to be the security equivalent of wet tissue paper. In fact, Ian Goldberg won $1,000 from RSA for breaking 40-bit encryption in just a few hours way back in 1997, saying this at the time:
"This is the final proof of what we’ve known for years: 40-bit encryption technology is obsolete."
And yeah, that was twenty years ago. But this sort of policy is pretty standard fare in India, which is no stranger to censorship, internet filtering, and blind, often-mindless expansion of surveillance. India's government has also been at the forefront of attempting to impose backdoors in encryption, and there's a recent effort in some corners to attempt to ban WhatsApp as well.
I've yet to see any ISP successfully enforce this ridiculous governmental restriction (if you're in India and you have, let us know in the comment section precisely how). But it's still part of an overarching mindset that sees standard, intelligent privacy and security practices as an enemy that must be thwarted. Usually either to expand government surveillance, prop up idiot ham-fisted internet filters (as we're seeing in Russia, China and India), or to erode consumer rights in the face of what are endless attempts to monetize your online behavior.