I4C cites hoax threat mails in VPN app takedowns

The Indian Cyber Crime Coordination Centre (I4C) ordered Google to remove several VPN apps and Chrome extensions on October 29, citing their developers’ non-compliance in providing information to Indian law enforcement agencies about hoax threats sent to schools, airports and hospitals.

The notice ordered the removal of 11 apps, two Chrome extensions and one Windows installer link within 36 hours to avoid loss of safe harbour protection for Google.

“The VPN service providers have been non-compliant to the information/resolution request served by Indian Agencies for identifying the criminals sending life-threatening emails/messages,” stated the I4C notice.

READ | ' ₹10 lakh for impregnating women': New cyber fraud emerges in Bihar; 3 arrested

These emails “are creating a panic situation concerning safety and security of institutions and is impacting public safety and security of the country”, the I4C said.

The takedown notice, which Google shared with Harvard University’s Lumen database, cited violations of section 66 of the Information Technology Act and multiple provisions of the Bharatiya Nyaya Sanhita, including organised crime (section 111), assertions prejudicial to national integration (section 197), harbouring offenders (section 249) and not obeying a public servant’s order (section 223(a)).

The notice itself was issued under section 79(3)(b) of the IT Act.

All eleven VPN apps, including Cloudflare’s 1.1.1.1, Switzerland-based HideMe and Privado, and Potato VPN, have been removed from Google’s Play Store along with two Chrome extensions - Touch VPN and X VPN.

While the notice also listed a Windows installer for Touch VPN, the file remained accessible for download.

It is not clear if the same notice was also sent to Apple but HT found that six of the eleven apps were not available on the Indian App Store even as they remained elsewhere.

READ | Gurugram: Telecom firm officials held in cyber fraud case

Of the remaining five, one (Free Neo VPN) was never listed on the App Store while three (Secure VPN, Thunder VPN and Free VPN Planet) remain available on Apple’s App Store.

HT could not determine if SuperVPN Free has been removed from Apple’s App Store or not as an app by the same name is still available.

HT has reached out to Cloudflare, Privado, Hide.me, and Apple for more information but a reply was awaited till the time of going to print.

The notice did not cite violations of CERT-In’s 2022 directions, which require VPN service providers to maintain system logs for 180 days and subscriber information for five years when requested.

Under these directions, VPN service providers must provide this information to CERT-In upon being asked.

HT has asked CERT-In whether, in this case, they had asked the VPN service providers in question for information about the hoax threats.

The issue of hoax threats has reached the courts. In Arpit Bhargava v Government of NCT of Delhi (2023), Justice Sanjeev Narula addressed the challenge in a November 14 order, noting that such threats sent through VPNs and the dark web represent “a global problem” challenging law enforcement worldwide.

While emphasising the need for deterrence, the order acknowledged that “expecting a foolproof mechanism to entirely prevent such threats is both unrealistic and impractical”.

READ | Two arrested for assisting Dubai-based cyber fraudsters

Earlier this year, the IT ministry had considered blocking ProtonMail in India following hoax bomb threats to Chennai schools, but intervention by Swiss authorities prevented the blocking order.

On October 25, the ministry issued an advisory requiring social media companies to remove hoax bomb threats promptly and provide relevant information to government agencies within 72 hours after a series of hoax threats grounded scores of Indian flights.

The removal of these apps was first reported by TechCrunch.