VPNs, proxy servers complicate bomb threat investigations, says Delhi Police

PTI, Dec 19, 2024, 2:47 PM IST

representative image (pti / file)

New Delhi: As bomb threats threw more than 100 Delhi schools into chaos in the past nine days, police and experts said that VPNs and proxy servers acted as key barriers in solving cases and legal frameworks for obtaining information from these services are inadequate, leading to delays in investigations.

Since May this year, over 50 bomb threat emails have targeted not only schools but also hospitals, airports and airline companies in Delhi, but the police have yet to make any breakthroughs in these cases.

Former Delhi Chief Minister Arvind Kejriwal had also raised concerns over threats to schools on Wednesday and questioned the police’s failure to catch the culprit.

According to senior officials, the Delhi Police have written to service providers like Google, VK (known as Mail.ru), and Outlook.com to obtain the IP addresses of the senders.

In some cases, the police have received responses, but they have not been able to determine the exact origin.

The Delhi Police have also sought the assistance of Interpol through central agencies.

“Our investigation is underway. We are working to trace the origin of the sender. While their servers or domains have been traced to European or Middle Eastern countries, the actual origin remains unconfirmed, as the emails were sent using VPNs (Virtual Private Networks) or proxy servers,” an officer said.

A dedicated unit of the Delhi Police Special Cell has been tasked with investigating the threat cases.

Several Delhi schools have received bomb threat emails in the past nine days, prompting security agencies to conduct checks in five separate incidents.

“Though nothing suspicious has been found in any of the threats so far, we cannot take any of them lightly. Each message was taken seriously, and thorough checks were conducted, following all security protocols,” the officer said.

The officer further explained that VPN networks function like a web on the internet, where the origin is not directly connected to its server.

“For example, if we are talking to each other, it’s direct connectivity, but if we are connected through a VPN, our communication happens via multiple domain servers,” he said.

The first case of threats to Delhi schools and hospitals was reported in May. Several other government installations, including Tihar Jail and some Union Ministry departments, also received bomb threats.

In October, over 150 domestic and international flights operating from Delhi received similar bomb threat messages sent on X, where the sender had used VPN networks.

Delhi airport police registered 16 separate cases and conducted investigations, but have not been able to make any breakthroughs yet.

Cyber law expert and Supreme Court advocate Dr. Pavan Duggal said the problem is that India does not have a dedicated law to regulate the use of VPNs.

He explained that most VPN service providers are located outside India’s territorial boundaries. As a result, obtaining inputs from them becomes a significant challenge.

“Although the Information Technology Act, 2000 has been granted extraterritorial jurisdiction under Sections 1 and 75, the ground reality is that India has not been able to enforce this jurisdiction against VPN service providers located outside India,” Duggal said.

“Currently, cybercriminals are emboldened by the use of VPNs. They know that the legal frameworks in India are not adequate to compel VPN service providers to share information,” he added.

According to Vikas Kundu, a researcher at Bengaluru-based cybersecurity firm CloudSEK, certain email services used in conjunction with VPNs or Tor significantly enhance online anonymity, presenting a formidable challenge for law enforcement agencies attempting to trace an individual’s identity.

“For instance, ProtonMail, a secure email service with end-to-end encryption, does not log users’ IP addresses, meaning even the service provider has minimal data to share with authorities. When paired with a VPN, a user’s real IP address is masked and replaced by that of the VPN server, adding another layer of obfuscation,” Kundu said.

He said that using Tor further complicates the process by routing internet traffic through multiple relays across the globe, effectively concealing the origin of the connection.

“The struggle to solve these cases highlights the limitations of traditional investigative approaches when confronted with sophisticated cybercriminal tactics. Tracking cyber threats requires a blend of technical expertise, real-time threat intelligence, and international collaboration, as many of these actors operate beyond national borders,” said Shashank Shekhar, Co-Founder of the Future Crime Research Foundation.

“To overcome these hurdles, agencies need to invest in advanced forensic tools and AI-driven analytics and foster greater cooperation with global cybersecurity organisations,” he added.