Per its terms and conditions, YOU Broadband, the fifth-largest Indian internet service provider (ISP), doesn’t let its subscribers use strong encryption. The ISP does technically allow VPN and encryption use… but only “up to the bit length permitted by the Department of Telecommunications,” which is 40 bits. Over twenty years ago, in 1997, Ian Goldberg won $1,000 from RSA for breaking 40-bit encryption in just a few hours. He famously said then:
“This is the final proof of what we’ve known for years: 40-bit encryption technology is obsolete.”
Yet YOU Broadband, and other Indian ISPs, still insist that their users can’t use anything stronger than a key size that was broken twenty years ago. That’s not viable security in the 21st century, and it makes you wonder why encryption is discouraged in the first place. Nowadays, because 40-bit encryption has long been shown to be obsolete, the minimum standard is usually a key size of at least 128 bits.
Indian ISP, YOU Broadband, doesn’t want you to use encryption because it hampers their logging
Earlier this week, redditor bf_of_chitti_robot pointed out in the /r/India subreddit that Clause 38 of YOU Broadband’s Terms and Conditions clearly set out the company’s stance on encryption and explained why the company wanted such a rule.
YOU Broadband Terms and Conditions Clause 38 (June 2016 Internet Archive snapshot):
The Customer shall not take any steps including adopting any encryption system that prevents or in any way hinders the Company from maintaining a log of the Customer or maintaining or having access to copies of all packages/data originating from the Customer.
The ISP’s stated intentions of maintaining customer logs and ensuring that they have access to copies of all your packages/data are, of course, mandated by law under the Information Technology Act. After