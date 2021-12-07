There are thousands of websites blocked in India. That much is known. But beyond this, such as why they are banned or how they are banned, there is not much information. From the time Indian telecom companies like Airtel, ACT, Jio, and others started receiving government directives to ban websites, the whole process through which websites are banned in India has always been opaque. People and internet users come to know about the banned websites only when they try to access them. Depending on their luck, they may get a message telling them that the website is banned. Or the browser simply throws up an error.



Sometimes the banned website becomes accessible again, while on many occasions, new websites are added to the ban list—all in a manner that is hush-hush at worst and unsystematic at best.



The internet service providers (ISPs) in India do not communicate to their users about the banned website apart from showing the error message when the website is accessed. And neither does the Department of Telecom, which usually sends directives to ISPs with a list of websites that need to be banned in the country.



Now cybersecurity researchers, hoping to get some clarity on India's shadowy website banning madness and methods, are poking into the networks run by ISPs like Airtel and ACT. Their purpose is to figure out how websites are banned in India and if there is a way to find out which all websites are banned.



Websites blocked on ACT Fibernet

Earlier this year in March, Karan Saini, a security researcher, started compiling a list of websites or domains blocked by ACT Fibernet. So far, he has found a list of over 5,000 websites that have been blocked by the ISP.



Saini earlier pointed out the flaws with security settings of ACT-issued routers in the past, which can expose them to the open Internet. Interestingly, in most cases, users are not allowed to change routers for their connection. Instead, they are asked to use ISP-supplied routers.



Saini says the goal behind his project is to keep an up-to-date, centralised list of blocked websites because when the government blocks websites or when a court orders to block a website, the information is not communicated to Indian internet users.



He says that this lack of information potential weakens the security for a user. "ISPs often show a message which informs users that a website has been blocked because of an Indian government's request," says Saini. He explains that before this message is displayed on a user's browser, there is a redirection involved. This is potentially a security risk.



"Essentially, what ISPs are doing is that they are redirecting you to a website under their control," says Saini. This happens even though the user types something else in the browser. "Now, for example, if ACT Fibernet gets hacked tomorrow, and someone goes to one of these blocked websites for whatever reason, the hacker can start redirecting people to a phishing page."



The concern raised by Saini is not something that is seemingly bothersome to ISPs or the government. Instead, secrecy is more important. Gurshabad Grover, a legal researcher and technologist, notes, "The blocking provision mandates confidentiality of orders (that ISPs get). Even people whose own content has been affected have not been able to get responses through RTI requests."



To shed some light on the whole thing, Saini has put out the list in public. "The names of websites that are blocked in India are mostly secret. When the pornographic website ban happened in 2017-18, the list (of blocked websites) was leaked by someone in the government. But overall, there is no comprehensive effort (from ISPs or the government) to maintain a list of websites you can't access from within India. The list that I am maintaining is only for ACT Fibernet," says Saini.



In most instances, the websites that are banned are pornographic or host copyrighted material. But then there are outliers as well in Saini's list. "There are hundreds of piracy websites and pornographic websites, but there are also websites of political leaders. There is the website of a CPIM leader which is blocked. There are a bunch of websites about Kashmir which are blocked. Websites maintained by some Sikh expatriates in Canada are also blocked," he says.

Websites blocked on Airtel Xstream Broadband

Saini is not alone. There is also Abhay Rana, another security researcher, who is having a go at figuring out all that is banned on Airtel's internet connections. So far, Rana has found over 2000 websites that are blocked on Airtel. Like Saini, he too has shared the list in public to bring some transparency to users who are paying to block-happy ISPs.



Like Saini, Rana, too, has looked into publicly ascertained network information to see what is blocked or not blocked on a network. "There are some anti-censorship tools that allow a user to look into a network. These tools can be used to determine the status of websites on a network, which is banned and using what possible methods. The information is valuable for security researchers, legal experts and users," he says.



One such tool is MassDNS that Saini used to create his list. As the name implies, it is an automated tool to resolve the DNS of a website. When run, it can report the status of a website as live (available) or inactive (blocked).



"MassDNS essentially queries every single blocked website that exists," says Saini. "Using the tool so far, I have queried upwards of 200 million domain names to find 5500 sites that are blocked. I have written a script which takes note every time the tool comes across a blocked website."



Different ISPs have different methods

If the list of websites that are banned in India is a secret, how they are banned is another mystery. Grover says that different ISPs use different methods to block websites. This could be one reason why Saini has found over 5000 websites blocked in India on the ACT network, while Rana has so far found over 2000 websites inaccessible on the Airtel broadband.

Grover says the government directives ask ISPs to block websites but do not specify how these websites need to be blocked. "In India, we have studied six ISPs: ACT, Airtel, BSNL, MTNL, Jio, and Vodafone," he says. "They all use different methods. Some of them block websites individually while some go after a cluster of IPs."



In other words, there are a lot of websites that users find blocked on one network but not on another. The problem is aggravated by the lack of a centralised database and proper mechanism for blocking and unblocking of websites. "There is no centralised way of keeping track of what is blocked and unblocked, different ISPs are blocking different websites in India," says Grover. "The result is that in India as internet users, we can have different experiences of what is acceptable and what is not depending on the ISPs we use."



Saini agrees. He says the mechanism, or rather lack of it, around website blocking, is such that even court orders are not followed. "There are no centralised systems for these ISPs to block the websites properly," he says. "For example, say Airtel blocks a website because the government told it to. One week from now, the government will remove this website from the blocklist, or there will be a new court order saying that this particular website is no longer blocked. But it is possible that it may remain blocked. Sometimes ISPs forget to unblock these websites."



What the security researchers essentially mean is that ISPs in India are quick to block something but not so prompt or uniform in unblocking a website.



We reached out to ACT and Airtel for a statement, but the two companies have not yet responded. While the two security researchers have only looked at ACT Fibernet and Airtel Xstream Broadband, other internet providers like Jio Fiber, MTNL, BSNL and other ISPs also block websites in an opaque manner.



This different methodology by different ISPs adds to the confusion. The problem has become acute in recent times as more and more websites have moved to HTTPS, which makes blocking them more difficult.



"ISPs are blocking HTTPS websites in India by using a technique called Server Name Indication Detection and then intercepting the connection. The problem with this is that it prevents the presentation of censorship notice to the user that is possible in case of simple HTTP websites," explains Grover. "It leads to a question from the user: Why am I not able to access this. The legal regime is already opaque. This sort of invasive blocking exacerbates that opaqueness."



Lack of coherence is aggravated by lack of transparent legal and policy regime. Take the case of Tanul Thakur and his website called Dowrycalculator.com. Tanul started this website as a satire against the practice of dowry. Soon it was blocked on ISPs due to a government directive. Thakur appealed against the ban. "The case is still pending in Delhi High Court, but Thakur so far has been unable to gather why the website has been blocked," says Grover.



Grover, who has looked at the legal and policy aspects of website blocking in India, says that it is near impossible to get information on why a website has been blocked in India. One can only guess at it. "There are a few bureaucrats in the ministry who pass an order (to block websites), and even the review committee consists of a handful of bureaucrats. Overall this legal regime is very opaque, and neither the judiciary nor the public or the parliament can actually scrutinise it," he says.



At times Grover and his colleagues have tried to get more information from the government. They haven't succeeded. In the case of the website blocking happening on the basis of the court order, the publicly available order provides some information. "But there is no comprehensive list of websites blocked in India due to government orders," says Grover. "The government refuses to answer. We tried multiple times in the past but failed to get anything. Organisations like IFF, Centre of Internet and Freedom, Software freedom laws India have tried but failed to get (the info)."