Amid the bomb threats being received by over 100 schools in the national Capital since May this year, the Delhi Police has been unable to crack the cases due to VPNs (Virtual Private Network) and proxy servers which acted as key barriers in solving cases and legal frameworks for obtaining information from these services are inadequate, leading to delays in investigations.
Since May this year, over 50 bomb threat emails have targeted not only schools but also hospitals, airports and airline companies in Delhi, but the police have yet to make any breakthroughs in these cases.
Former Chief Minister Arvind Kejriwal had also raised concerns over threats to schools on Wednesday and questioned the police's failure to catch the culprit. According to senior officials, the Delhi Police have written to service providers like Google, VK (known as Mail.Ru), and Outlook.Com to obtain the IP addresses of the senders.
In some cases, the police have received responses, but they have not been able to determine the exact origin. The Delhi Police have also sought the assistance of Interpol through central agencies.
"Our investigation is underway. We are working to trace the origin of the sender. While their servers or domains have been traced to European or Middle Eastern countries, the actual origin remains unconfirmed, as the emails were sent using VPNs (Virtual Private Networks) or proxy servers," an officer said, adding that a dedicated unit of the Delhi Police Special Cell has been tasked with investigating the threat cases.
Several Delhi schools have received bomb threat emails in the past nine days, prompting security agencies to conduct checks in five separate incidents. "Though nothing suspicious has been found in any of the threats so far, we cannot take any of them lightly. Each message was taken seriously, and thorough checks were conducted, following all security protocols," the officer said.
The officer further explained that VPN networks function like a web on the internet, where the origin is not directly connected to its server. "For example, if we are talking to each other, it's direct connectivity, but if we are connected through a VPN, our communication happens via multiple domain servers," he said.
The first case of threats to Delhi schools and hospitals was reported in May. Several other government installations, including Tihar Jail and some Union Ministry departments, also received bomb threats. In October, over 150 domestic and international flights operating from Delhi received similar bomb threat messages sent on X, where the sender had used VPN networks.
Delhi airport police registered 16 separate cases and conducted investigations, but have not been able to make any breakthroughs yet.
Cyber law expert and Supreme Court advocate Dr. Pavan Duggal said the problem is that India does not have a dedicated law to regulate the use of VPNs. He explained that most VPN service providers are located outside India's territorial boundaries. As a result, obtaining inputs from them becomes a significant challenge.
"Although the Information Technology Act, 2000 has been granted extraterritorial jurisdiction under Sections 1 and 75, the ground reality is that India has not been able to enforce this jurisdiction against VPN service providers located outside India," Duggal said. "Currently, cybercriminals are emboldened by the use of VPNs.
They know that the legal frameworks in India are not adequate to compel VPN service providers to share information," he added.
