Per its terms and conditions, YOU Broadband, the fifth largest Indian internet service provider (ISP), doesn’t let its subscribers use strong encryption. The ISP does technically allow VPN and encryption use… but only “up to the bit length permitted by the Department of Telecommunications,” which is 40 bits. It was over twenty years ago, in 1997, that Ian Goldberg won $1,000 from RSA for breaking 40-bit encryption in just a few hours. He famously said then:
“This is the final proof of what we’ve known for years: 40-bit encryption technology is obsolete.”
Yet YOU Broadband, and other Indian ISPs, still insist that their users can’t use anything stronger than a key size that was broken twenty years ago. That’s not viable security in the 21st century, and it makes you wonder why encryption is discouraged in the first place. Because 40-bit encryption has long been shown to be obsolete, the accepted minimum nowadays is usually a 128-bit key.
Indian ISP, YOU Broadband, doesn’t want you to use encryption because it hampers their logging
Earlier this week, redditor bf_of_chitti_robot pointed out in the /r/India subreddit that Clause 38 of YOU Broadband’s Terms and Conditions clearly sets out the company’s stance on encryption, and also explains why the company wants such a rule.
YOU Broadband Terms and Conditions Clause 38 (June 2016 Internet Archive snapshot):
The Customer shall not take any steps including adopting any encryption system that prevents or in any way hinders the Company from maintaining a log of the Customer or maintaining or having access to copies of all packages/data originating from the Customer.
The ISP’s stated intentions of maintaining customer logs and ensuring that it has access to copies of all your packages/data are, of course, mandated by law under the Information Technology Act. After the clause was pointed out, YOU Broadband quickly updated Clause 38 of its user policy to simply state:
The Customer may use VPN and encryption up to the bit length permitted by the Department of Telecommunications.
Needless to say, nothing has changed about their intentions – making sure you aren’t using strong encryption because it gets in the way of their snooping. This is the same snooping that ISPs in America, like AT&T, are able to exploit now that internet privacy rules have been relaxed in the States (though not in every state). Nosy ISPs seem to be an international problem.
India’s Department of Telecommunications only allows up to 40 bit encryption, which is insecure
What is the bit length permitted by the Department of Telecommunications, anyway? According to a 2002 note on ISP regulation by the Department of Telecommunications, the hard limit on encryption key length is 40 bits for internet service licensees, i.e. internet service providers.
Internet service licensees, such as YOU Broadband, have an obligation to the licensor, the Department of Telecommunications, to forbid individuals, groups, and organizations from using encryption with keys stronger than 40 bits without permission. Instead of asking the regulator for that permission, so that its users could use viable key lengths without violating the user policy, YOU Broadband has elected to pass the 15-year-old encryption rule straight on to its subscribers – essentially making the use of encryption online against the rules of the ISP and a potential reason to lose service. Under both the current and the previous iteration of the user policy, YOU Broadband subscribers are technically breaking the ISP’s rules every time they access https://www.google.co.in, since an HTTPS connection uses keys far longer than 40 bits.
Secure encryption is a necessity in today’s online world – and an ISP that explicitly forbids it needs to be called out. What would you do if your ISP said that you shouldn’t use meaningful encryption? What do you do when your government’s laws are outdated and don’t protect your privacy?