FBI Alert Warns About Fortinet VPN Flaws and Urges for Immediate Patching
Last updated August 2, 2021
You might have seen articles saying something along the lines of "India is cracking down on VPN users." The truth is a bit more different - it's not India as a whole, but the cyber division of the police in Srinagar, Jammu, and Kashmir.
The whole topic is all over the place and overwhelming for anyone new to it. That's why we put this article together - to help you properly understand what's happening there.
So, here's everything you need to know about the Jammu and Kashmir VPN scandal.
Kashmir is a large area in the North of the Indian subcontinent that's split into three administrative regions: Indian, Pakistani, and Chinese. In this article, we'll be talking about Jammu and Kashmir which is the Indian-administered territory of Kashmir.
Here's a quick overview of the events that led up to this scandal:
All of that culminated in the recent case (called an FIR) the local police (Cyber Police Station, Kashmir Zone) opened against VPN users. It happened one day after social media users started uploading videos of Syed Ali Shah Geelani.
According to Tarif Ashraf, the head of the cyber division in Srinagar, the police is probing people they suspect of using VPNs to post "secessionist ideology" on social media. Basically, they're calling in people for questioning. As one official said: "Anyone found using social media and posting any anti-national material can be called for questioning."
He also claimed the police managed to seize "a lot of incriminating material." He didn't specify what that was but said people who are guilty can face up to seven years in prison.
The police motivated their actions by saying they're combating "miscreants" who:
Apparently, they even called in a journalist for questioning about a tweet he made regarding the separatist leader. Allegedly, they let him leave when they found out he wasn't running that Twitter account.
The authorities are also using firewalls to block social media websites and other platforms. And while it's not specified, they are likely using DPI (Deep Packet Inspection) to detect VPN traffic.
Things are getting even more out of hand, though. Soldiers are apparently stopping people on the street to check their phones for VPN apps. According to locals, they delete the apps or even beat people if they find any VPN apps. They also confiscate phones and dare people to come to retrieve them from the army camps.
Military personnel has also harassed Sanam Aijaz, a television journalist, at a checkpoint, accusing him of "spreading terrorism" by using a VPN. According to him, he was only spared a beating because a local policeman recognized him.
From a legal point of view, no. Actually, what the police are doing would be considered illegal.
Here's the thing - the FIR the police invoked relies on a specific section of the Information Technology Act called Section 66 A. The problem is that section was actually declared "unconstitutional" by the Supreme Court back in 2015, and it was struck down. So basing an entire legal case on it is pretty illegal.
In fact, according to this article, courts actually came hard on police officers who invoked Section 66 A in other Indian states.
The same article also shows how the local police contradict themselves. First, they said they will invoke Section 66 A in the FIR. After a short while, though, they said they'll drop Section 66 A from the FIR, but they'll keep Section 66 B. Well, basing their arguments on that isn't doing them any favors since Section 66 B refers to stolen computer and communication devices.
Also, here's a tweet from the IFF (Internet Freedom Foundation) making it clear that there is no actual order that prevents Jammu and Kashmir VPN usage, nor are there any penalties prescribed for doing that.
Another article from Scroll.in highlights how:
Also, the case is basically an "open" FIR since it doesn't name anyone in particular. That makes it easy for the police to target anyone who uses a VPN, which further questions its legality.
Of course, you can't exactly use those arguments if the police call you in for questioning. Or if the military stops you on the street, and says they want to look through your phone or confiscate it.
If you do, there's no telling how the authorities might abuse their power. It could even lead to physical violence, so we don't advise trying your luck.
Right now, the best thing you can do is avoid using any VPN at all. It's simply not worth the risk. It's much better to wait until things calm down and the police stop going after VPN users.
Who knows, maybe the government will start unblocking more websites in the near future. They already said that people in Jammu and Kashmir will get access to 3G and 4G Internet services on February 24th since that's when the ban expires. Maybe they'll lift other bans once they do that, though that's just positive speculation on our end. No official sources have confirmed that.
If you live in Jammu and Kashmir and know more about what's happening, please let us know in the comments. And if you're not from the area, but have relevant information you want to share with us all, go ahead.
Also, remember to share this article with your friends on social media. It's important to set the record straight, and also draw attention to the human rights violations in the region.