Regulating the Dark Web: Challenges & Opportunities

Cyble, a cyber intelligence firm, recently reported that more than 1 lakh copies of Indian national ID cards such as PAN, Aadhaar, and Passport are available for sale on the dark web. Before this, the same company found a seller claiming to share data of 4.75 crore Indian Truecaller users for a total of $1000. While the selling of personal information on the dark web is one thing, one of the worst virtual vices in the present society is proliferation of child sexual abuse material (CSAM)/child pornography (CP).

Dark web is accessed through the Tor browser which is readily available for downloading across various platforms. While ISPs can identify if an individual is using the Tor browser, freely available VPN services further help individuals hide their activities. There are many reports wherein dark web-based websites have been taken down as they were facilitating copyright violation, selling drugs and guns, distribution of CSAM/CP content, hackers for hire, etc. While all these actions are indeed punishable by the law, it is only possible when a perpetrator is actually caught.

If I am using dark web, does it mean that I am free to do anything?

As of now, no country has concrete policies about regulating dark web. In this article, we explore the possibilities and challenges we would need to deal with.

Challenges

The ever-green defence to a regulation seeking to control internet usage of individuals is the violation of fundamental rights. As far as India is concerned, the Kerala High Court was the first court to recognise internet access as a fundamental right and the Supreme Court held the same recently.

Considering the essential nature of the internet in our daily lives, it is next to impossible to lay down blanket restrictions. Accessing the dark web is not a crime, and there is no reason why it should be. Any legislation seeking to regulate access to the dark web must be substantiated by guidelines and a reasonable cause to minimise the chances of being struck down or held unconstitutional.

The next challenge would be Virtual Private Networks (VPNs). These days, using VPNs has become a common practice for many as it allows you to securely access the internet with increased privacy. Using a VPN is different than changing the number plate on a stolen car to avoid getting caught. While there is nothing inherently illegitimate about it, one might ask questions such as:

Why would an ordinary person need to hide his internet history from getting tracked?

Irrespective of such questions, we do not see a foreseeable future where VPNs are banned in India. Other challenges that we might encounter are lack of infrastructure and appropriate regulation of internet service providers (ISPs). If the Central Government decides to take an authoritative step, they might find it hard to justify the reasonability of such actions. This, however, does not mean that we should let the whole thing go unchecked. NCRB reports clearly show that cyber crimes are rapidly increasing in India year on year.

What are our possible options?: Better late than never

A comprehensive legislative policy is the only way to keep a check on the illegal activities happening on the dark web. It is believed that the internet we access in our day-to-day lives is just the tip of the iceberg. While it seems not-so-feasible for a single country to regulate the dark web, India can definitely control how its citizens access the dark web.

For VPNs, India does not have any dedicated law or relevant provisions. While countries like Iraq, Turkmenistan, and Belarus have completely banned VPN services, countries like the UAE, Russia, and China have restricted access to VPN services. In the UAE, only banks and similar organisations can use VPN while it is highly restricted for personal use. For China and Russia, only government-approved VPN services can be used. This totally defeats the idea of having a VPN service in the first place.

We suggest that India may implement a similar regime where freely available and unchecked VPN services may be banned. However, the government may create an authority for mandatory registration of VPN service providers. Such an authority may be regulated under Chapter VI of the Information Technology Act, 2000. Considering the number of authorities we already have, it is also suggested that a sub-committee can be formed within an existing statutory body.

Whether ISPs take any action or report to appropriate authorities when they detect any malpractice is highly questionable. An obligation can be placed on the ISPs by issuing guidelines to set up an additional team for filtering or isolating suspicious user activity. Based on the collected data, they can create a report. Here, we suggest that no user information should be disclosed except their IP address.

This report can be forwarded to a designated government/law enforcement unit which can put such users under the watch list for a specific period. In case a user is availing VPN service, the government may ask the service provider to decrypt the user’s activity under the ambit of Section 69 of the Information Technology Act, 2000. Section 69 empowers the government to issue directions for interception or monitoring or decryption of any information through any computer resource. Depending upon the offence and its gravity, he may be prosecuted and barred from using VPN services for a specific period. We believe that even a rudimentary application of such policies will act like oil in the rusted wheels of India’s position concerning cyber crimes on the dark web.

Conclusion: Ignorance is not bliss

A 2017 Symantec report ranked India third among the nations facing most cyber threats. In 2019, a consumer tech review firm ranked India 15th out of 60 countries among least cyber secure countries. A report by safeandsecureiot.com found that New Delhi is one of the cities that draw most cyber attacks. While these statistics are indeed concerning, policy discussions around VPN services and dark web are rare in India. Cyber crimes happening on the dark web are nothing short of a criminal underworld. The worst part is that VPN services and dark web can be accessed by any individual with a smartphone and decent internet connection – this would be approximately half a billion individuals. Dark web is a constant threat that needs to be addressed. It is time for Indian stakeholders to take heed of the same. Otherwise, as Benjamin Franklin once said,

By failing to prepare, you are preparing to fail.

This article has been jointly written by Prakarsh and Shruti Mishra. They are undergraduate students at NLIU, Bhopal.

Disclaimer: Views or opinions expressed in this article, whether impliedly or explicitly, are personal.

Edited by Raj Pagariya

Featured Image Credits: Background vector created by kotkoa – www.freepik.com