This Indian ISP won’t let its users use 128 bit or 256 bit encryption

Posted on Jul 4, 2017 by Caleb Chen
india 40 bit encryption limit

Per its terms and conditions, YOU Broadband, the fifth largest Indian internet service provider (ISP), doesn’t let its subscribers use strong encryption. The ISP does technically allow VPN and encryption use… but only “up to the bit length permitted by the Department of Telecommunications,” which is 40 bits. It was over twenty years ago in 1997 that Ian Goldberg won $1,000 from RSA for breaking 40 bit encryption in just a few hours. He famously said then:

“This is the final proof of what we’ve known for years: 40-bit encryption technology is obsolete.”

Yet YOU Broadband, and other Indian ISPs, still insist that their users can’t use anything stronger than a twenty-year-broken key size. That’s not viable security in the 21st century, and makes you wonder why encryption is discouraged in the first place. Nowadays, because 40 bit encryption has long been shown to be obsolete, the minimum standard is usually at least a 128 bit encryption key size.

Indian ISP, YOU Broadband, doesn’t want you to use encryption because it hampers their logging

Earlier this week, redditor bf_of_chitti_robot pointed out in the /r/India subreddit that Clause 38 of YOU Broadband’s Terms and Conditions clearly set out the company’s stance on encryption, as well as explaining why the company wanted such a rule.

YOU Broadband Terms and Conditions Clause 38 (June 2016 Internet Archive snapshot):

The Customer shall not take any steps including adopting any encryption system that prevents or in any way hinders the Company from maintaining a log of the Customer or maintaining or having access to copies of all packages/data originating from the Customer.

The ISP’s stated intentions of maintaining customer logs and ensuring that they have access to copies of all your packages/data are, of course, mandated by law under the Information Technology Act. After the clause was pointed out, YOU Broadband quickly updated Clause 38 of their user policy to simply state:

The Customer may use VPN and encryption up to the bit length permitted by the Department of Telecommunications.

Needless to say, nothing has changed about their intentions – making sure you aren’t using strong encryption because it gets in the way of their snooping. This is the same snooping that ISPs in America, like AT&T, are able to exploit now that internet privacy rules have been relaxed in the states (but not all states). Nosy ISPs seem to be an international problem.

India’s Department of Telecommunications only allows up to 40 bit encryption, which is insecure

What is the bit length permitted by the Department of Telecommunications, anyways? According to a 2002 note on ISP regulation by the Department of Telecommunications, the encryption key length hard limit is 40 bits for internet service licensees aka internet service providers.

Internet service licensees, such as YOU Broadband, have an obligation to the licensor, the Department of Telecommunications, to forbid individuals, groups, and organizations from using encryption with keys stronger than 40 bits without permission. Instead of asking the regulators for this permission to allow its users to actually utilize viable encryption key lengths without violating the user policy, YOU Broadband has elected to pass on the 15 year old rule on encryption – essentially making the use of encryption online against the rules of the ISP and a potential reason to lose service. Under the current and previous iterations of the user policy, YOU Broadband subscribers are technically breaking the ISP’s rules every time they access https://www.google.co.in.

Secure encryption is a necessity in today’s online world – and an ISP that explicitly forbids it needs to be pointed out. What would you do if your ISP said that you shouldn’t use meaningful encryption? What do you do when your government’s laws are outdated and don’t protect your privacy?

Like this article? Get notified by email when there is a new article or signup to receive the latest news in the fight for Privacy via the Online Privacy News RSS Feed.

Comments are closed.

6 Comments

  1. Fallen Stars

    what if i buy an AES-256 bit encrypting VPN in a particular country where government allows only those VPN’s whose encryption is less then 256 bit,then use it with my ISP which is an private vendor.
    Will it be legal or i’m offending legal rules?

    7 years ago
  2. continuedhere

    this is clearly not being enforced because if it was most of the top sites would simply stop working for indians. Even your bog standard SSL connection employs at least 2048bit RSA now.

    7 years ago
  3. JG

    The Customer shall not take any steps including adopting any encryption system that prevents or in any way hinders the Company from maintaining a log of the Customer or maintaining or having access to copies of all packages/data originating from the Customer.

    Well… Technically, the Terms of Service just say the ISP must be able to log and store a copy of all data I send. It doesn’t say they have to be able to actually read the data.

    They should be able to store a copy of the packet regardless of the encryption level. It’ll just take them a little longer to figure out what I’m actually sending.

    7 years ago
    1. Caleb Chen

      Good point! Someone on HN even mentioned putting your strong encryption through an additional round of 40 bit encryption to be compliant.

      7 years ago
  4. caleb anderson

    how will they even know you’ve used greater than 40 bit encryption?

    7 years ago
    1. Disqus

      They won’t – because there is a hard limit set.

      7 years ago