It took Iqra Ahmad, a fashion designer from India’s Kashmir region, four years to build her fashion brand online. The downfall, though, happened almost in a snap when, in desperation, she used a virtual private network (VPN) to access the internet.
The 21-year-old, who owns the clothing brand Tul Palav, was a minor social media celebrity of sorts with 50,000 followers on Instagram. She used her fame to globally promote Kashmiri clothing, mainly pherans (a woolen cloak) and gowns embroidered using the local Tilla Dozi method.
In August 2019, India imposed a communication blackout in Jammu & Kashmir, after revoking the erstwhile state’s constitutional autonomy. Some five months later, 2G internet was partially restored in January. However, social media services like Instagram were still inaccessible.
In a bind, Iqra installed a VPN application on Jan. 25. The technology allows users to mask their location while browsing the web, effectively helping to circumvent a ban. However, she didn’t know it severely compromised user security.
“Within a minute, my Instagram account was inaccessible. I was shocked and had no idea on how to recover it. Hundreds of pictures of my work, and more importantly my customers, are lost,” Iqra told Quartz.
She has been trying to retrieve her account ever since: “I contacted the media, the Instagram team and finally the cyber cell in Jammu, where officials told me my account was hacked because I used the VPN application.”
Iqra isn’t alone. There’s been a scramble for VPNs in Kashmir since January, even in the face of all kinds of trouble the technology creates for its users.
At painfully slow speeds, people in the region can access only 300-odd websites, which includes educational and news portals, banking, shopping, and government sites.
Non-local residents in Kashmir, in particular, use VPNs to access social media and keep in touch with their relatives outside the state. “For three months, I hadn’t seen my mother in Bijnor (in Uttar Pradesh state). A local boy installed VPN on my phone and I could then video call my mother,” said Khurshid Ahmad, who runs a hair salon in the uptown Bemina area of Srinagar.
VPNs, though, are fraught with dangers especially when used for internet banking, or online shopping.
Saleem Choudhary, an engineering student in Srinagar lost $70 while using a VPN application to do an online transaction. Wiser from the experience he says: “Bank websites have been whitelisted by the government, therefore users should refrain from VPN during the online transactions.”
On the police’s directions, mobile operators have blocked various VPN applications. Residents, however, always find a new VPN.
Hackers have breached the bank accounts of many people across Kashmir and withdrawn money from their accounts, says Sajid Yousuf, a lawyer and social activist.
UK-based VPN company Surfshark’s research reveals that most free VPN businesses can jeopardise a lot more than users’ browsing history. Surfshark says that out of the 16 most popular VPN apps being used in Kashmir, 13 log users’ information, and a vast majority share it with third-parties.
“Operational transparency of free VPNs is usually kept under lock, and their privacy policies make it difficult to understand how they monetise products and services to generate profit,” said Naomi Hodges, a cyber security expert at Surfshark. “It is clear that free VPN services are the biggest culprits of data abuse, as they have built a profitable business model by selling user information to the highest bidders. It means anyone can purchase users’ data, including government authorities or agencies,” Hodges said.
Surfshark added that the vast majority of free VPNs collect and analyse users’ data themselves. They then provide it to unknown third parties who use it to profile customers. In some cases, VPN service providers allow third-parties to access their customer base directly.
Thus far, the authorities’ reaction has been to crack down on social media users, rather than the VPN providers themselves.
On Feb. 17, the cyber police station in Srinagar registered a report against 200 unnamed social media users who allegedly defied government orders and misused the platforms. They can be prosecuted under the Unlawful Activities Prevention Act, under which the accused can be jailed for months without bail.
Many users also alleged that their phones are being checked for VPNs by security forces. “I was traveling to Shopian (district) when our cab was stopped at a checkpoint. The army man asked the guy sitting beside me how many VPNs he has on his phone. The guy replied none. ‘You better not have VPNs, otherwise, you know what we will do,’” Shefali Rafiq, a local girl, narrated her experience on Twitter.
Kashmir range inspector general, Vijay Kumar, too, urged people not to use social media through VPN.
“The government is aware that people are taking advantage of the loopholes. We know it is being used despite instructions. But there is a line between use and misuse,’’ added Dilbag Singh, director-general of Jammu & Kashmir police. “The government is keeping surveillance on the misuse of the internet.”
Political leaders in the Valley, though, are defiant. Iltija Mufti, the daughter of former Jammu & Kashmir chief minister Mehbooba Mufti, called the police action against social media users absurd. “I will go to Kashmir and use VPN. Let them slap charges against me,” she said.