Internet watchdog: More censorship likely in the days to come

(Published in The Express Tribune, Aug 1, 2011)

The Pakistan Telecom Authority has prescribed into law the practice of allowing authorities to monitor and view all internet traffic in Pakistan.

It is no secret that the PTA possesses the ability to censor and monitor traffic coming in and going out of the country but the Statutory Notification SRO 186 (1)/2010 goes a little further and clearly outlines the authorities’ stance on the matter.

While wire-tapping and similar monitoring are considered fair-game for governments to protect their interest, they are commonly enforced through a strict regulatory framework. Even so, on the internet a lot of these monitoring efforts fall flat.

Typically, internet connections can be easily secured through encryption schemes which are commonly utilized to protect users from a common security concern known as man-in-the-middle attacks. Under this attack vector, any intermediary can sniff the information that it is meant to relay. This means that anyone from the corporate IT department to the ISP of the final email recipient can monitor the contents of an email message, or other communication. To prevent this, web-based corporations often use encryption schemes which allow them to decrypt data using a special key known only to them.  Most commonly this is noticeable when visiting a website with an HTTPS prefix instead of the usual HTTP. That means all HTTP traffic without the “S” can easily be sniffed.

Encryption schemes are fairly commonplace and it is trivial for any two parties to have a secure conversation that can evade the most powerful authorities.

This poses a problem for regulatory authorities since their interest lies in being able to monitor traffic in granular details. Under the new PTA regulations the obligation on any licensee, typically an ISP is set out as follows:

“The Licensee(s) and Access Provider shall ensure that signalling information is uncompressed, unencrypted, and not formatted in a manner which the installed monitoring system is unable to decipher using installed capabilities”

This lays the groundwork for any future contentions that may arise. It is foreseeable the Lahore High Court may issue a legal notification to disallow HTTPS or encrypted Gmail and Hotmail services – a notion that doesn’t seem at all far-fetched following the ban on Facebook.