Rights groups, company leaders decry silence over VLC player ban in India
Cybersecurity experts, researchers and rights groups have raised alarms around the government of India’s efforts to block VLC Media Player.
Human rights lawyers, journalists and VLC executives remain in the dark as to why the platform’s website has been barred in the country, despite repeated requests for information from the Indian government since the ban went into effect at the beginning of the year.
Since February, the download site for VLC has been banned by internet service providers in India but few reasons were ever provided publicly — although company executives and cyber experts suspect it is linked to alleged vulnerabilities exploited by Chinese hackers.
For those who downloaded it before the ban, the player itself still works in the country.
In June, the Internet Freedom Foundation filed an application for more information with the Department of Telecommunications. The group is an Indian digital liberties organization focused on free speech, digital surveillance, privacy and net neutrality.
The rights organization said it requested the reason behind the blocking of videolan[dot]org in India and whether the website owners were given a hearing before access was blocked.
That request was transferred to the Ministry of Electronics and Information Technology, which told the group in July that “no information is available.”
Neither ministry responded to The Record’s requests for comment.
Tanmay Singh, senior litigation counsel at Internet Freedom Foundation, told The Record the group filed an appeal this month and is expecting a response within 30 days, as required by law.
“We are optimistic that we may receive some more information from the government, though our past experience is that the Indian IT Ministry has not offered helpful disclosures at the first appellate stage,” he said.
Singh added that the government is not required to provide a reason for banning videolan.org because of a legal provision in a 2009 law, called Rule 16, which allows the government to claim an “obligation of confidentiality.”
“This is despite the Supreme Court in 2015 holding that a user subject to the blocking process must be provided a copy of the blocking order, as well as an opportunity to be heard,” he said. “Due to the Government’s reliance on Rule 16, it is unlikely that the Indian Government will provide a detailed explanation unless directed to do so by a court of law.”
Singh tied the situation with VLC to the wider ban on 59 mobile apps in the country – including TikTok – which became permanent in January 2021 and came on the heels of deadly skirmishes with Chinese troops at the disputed Himalayan border, resulting in the deaths of 20 Indian soldiers.
The government said the bans were tied to concerns about what level of access the Chinese government has to data collected by the apps, and called the apps “prejudicial to sovereignty and integrity of India, defense of India, security of state and public order.”
The Ministry of Electronics and Information Technology had asked Tencent Holdings’ WeChat, Alibaba’s UC Browser, TikTok and others to provide responses to a list of questions about data privacy, which it ultimately deemed unsatisfactory.
The Internet Freedom Foundation disputed those app prohibitions at the time, writing that “much of this has been done without adequate legal reasoning.”
‘An incorrect basis’
For months, VLC has complained about what it called an unfair ban on downloads of its video player in India, which company president Jean-Baptiste Kempf said appears to have started on February 13 and was applied “on an incorrect basis.”
Indian security researcher Sunny Nehra said that when the ban first started, only one or two ISPs blocked the page but that number has slowly increased over the past few months.
“No one from the government contacted us to explain anything. It seems they took their decision based on incorrect reporting of a security issue,” Kempf said.
According to him, the source of the company’s trouble is outlined in a report in April from the Symantec Threat Hunter team about a Chinese state-backed advanced persistent threat (APT) group named Cicada or APT10.
Several researchers, some with connections to the internet service providers, tied the alleged ban of VLC to Symantec’s finding that the attackers were exploiting the legitimate VLC Media Player to take remote control of a victim’s machine.
Symantec’s Brigid O Gorman told BleepingComputer at the time that the group used clean versions of VLC and attached malicious files to them. The company noted in its report that victims of the attack were found in India.
However, a threat actor would need to install a very outdated VLC version for the attack to work, Nehra explained, because the version that could be vulnerable to attack was patched in 2010.
Eric Chien, a fellow on the Symantec Threat Hunter team, said it was not common for this kind of abuse of VLC to occur, but noted that the technique was seen across multiple organizations in multiple countries.
“We don’t have any knowledge the Indian ban is related to the Cicada VLC issue,” Chien said.
Regardless, company executives and rights groups aren’t holding their breath for clarity on the reason behind the ban.
“VLC is immensely popular in India. We’re talking about 50 million-plus users,” Kempf said, noting that the site has seen a 10% traffic drop.
“The government does not answer, so we don’t know.”