Censor and conquer: PTA’s crackdown on VPN puts Pakistan’s internet security in jeopardy
Once again, Pakistan is on its way to tightening the digital noose. The Pakistan Telecommunication Authority (PTA) is clamping down on VPN usage, aiming to prevent access to the already banned platform X. “After the policy is implemented, only whitelisted VPNs would function in Pakistan and the others will be blocked,” revealed PTA Chairman retired Maj General Hafeezur Rehman during a recent meeting of the Standing Committee on Cabinet Secretariat.
This isn’t the first time Pakistan has tried to control VPN use. Back in 2011, the PTA instructed internet service providers (ISPs) to prevent customers from using VPNs unless they registered with the authority, claiming the move was to combat illegal VoIP (Voice over Internet Protocol) traffic — digital packets of information that travel across networks to facilitate voice and video — and boost national security.
Fast forward 13 years, the government is now installing a sophisticated content-blocking system: a firewall. While the specifics of this mechanism are still under wraps, the push for data localisation and “whitelisting” acceptable VPNs defeats the entire purpose of this application.
With every statement, legislation and draft, it is clear as day that the government lacks a fundamental understanding of technology and, more importantly, computer network security. Allow me to explain.
Tug-of-war between privacy and government oversight
In a digital age where the stakes of cybersecurity have never been higher, organisations, big and small, must take proactive measures to safeguard their networks. One of the basic strategies is deploying tools like proxy servers, VPNs, and encryption software. These aren’t just tech buzzwords; they’re the first line of defence against hacking, intrusions, and cyber attacks.
Interestingly, a 2011 PTA notification says that encrypted software capable of dodging “monitoring” should not be used. But the irony is that the very purpose of using these technologies is to prevent unauthorised monitoring.
Imagine it like this: without these protections, your network is an open book. Anyone can see your Wi-Fi network name and the number of devices connected, identify the IT administrator’s computer, pinpoint where critical data is stored, and even spot the least security-conscious employee whose machine could serve as a gateway for a cyber attack.
VPNs are like cloaking devices for your digital presence. They add an extra layer of security, making the internal network invisible to outsiders and unauthorised users. This “invisibility cloak” prevents hackers from monitoring your network traffic, identifying patterns, and locating vulnerabilities. It’s like trying to find a needle in a haystack — except the haystack is hidden too.
Did the PTA consider this scenario before issuing this order? The head of the authority is expected to have at least a decade of experience as a computer professional at a reputable firm. Surely, a seasoned professional would understand the basics of network security. So, why does the government expect organisations to compromise their security, potentially opening doors to hackers, just to satisfy its need to monitor everyone’s activities?
After facing backlash, the PTA clarified in 2021 that they don’t intend to ban businesses from using VPNs for “legitimate” purposes. However, there’s a catch: businesses must register the IPs associated with their VPNs with the authority. This raises another set of concerns. Where will the data of these registered IPs be stored? How secure is this storage? Who will have access to it? And perhaps most worrying, could this data be vulnerable to hacking, especially from outside Pakistan?
Considering Pakistan’s stellar record, it’s reasonable to fear that sensitive information could be exposed. If hackers gained access to these servers, they could uncover critical details about internal network security in sectors such as banking where customers’ information must remain strictly confidential.
The concerns over data protection arise because the PTA wants access to users’ IP details, which it doesn’t automatically possess. Here’s how it works: the PTA assigns a pool of IPs to a specific ISP, which then allocates these IPs to its users (individuals or businesses) through a complex system, creating hundreds of unique addresses.
As a result, the PTA can’t directly track who is using which IP or how they’re distributed among the ISP’s clients; only the ISP has that information. If this data were to be shared with the PTA, it could lead to the creation of a comprehensive database of users and their internet activities — a treasure trove susceptible to misuse by both internal and external actors.
Bolo Bhi, a digital rights non-profit, anticipated these problems in a June 2020 blog post. They cautioned that registering a VPN would not only associate the specific VPN service you use with your identity in the government’s database but also allow the government to request and access your data at will — data you intend to keep private. They warned that non-compliant VPN service providers could face service blocks from the government. Essentially, VPN registration could become a public surveillance tool that, under the guise of trust, infringes on personal liberties.
Moreover, businesses often rely on VPNs for international operations. In a statement earlier this month, the PTA chairman admitted that the ban will lead to the collapse of several IT businesses that operate on VPNs.
Another concerning aspect of the PTA’s regulations is the central DNS (Domain Name System) they control, which allows them to block unlawful content in real time. While this might sound like a measure to protect the public, it poses a risk to free expression and access to information, making the PTA’s rules decidedly anti-tech business.
Data localisation
The push for data localisation in Pakistan is a double-edged sword. The government wants both local and international companies to store data about Pakistani residents within the country, including cloud services. Yet, there’s no compelling evidence that this approach is the gold standard for security.
This is based on the state’s assumptions. In fact, according to Zahid Jamil, a cybercrime and technology lawyer with over a decade of international experience, “you are only telling your adversaries exactly where all your data is stored”, and it is especially dangerous when the copies of these data are also stored within the country. The entire point of cloud services is to ensure that important data survives hacks and attacks, with backup copies available to get organisations back on their feet quickly.
True data security isn’t about stashing everything in one place. It’s about smart encryption and using a web of network security tools to protect information. Even if hackers manage to break in, they shouldn’t be able to haul away all the sensitive data. Think about how ride-hailing companies can report a data breach yet assure customers their credit card information is safe. That’s because it’s stored with additional security layers in separate locations.
But Pakistan’s policies could be a dream come true for hackers as they now don’t have to spend hours, days, or weeks, trying to break into your network.
Pakistan also has a notoriously unreliable technology infrastructure, marred by frequent electricity shutdowns, unpredictable disruptions from city administrations cutting underground ISP cables, and a dismal track record in cybersecurity.
Bleep, not WhatsApp
The government is gearing up to launch Bleep, a new local communication app that it claims is strictly for official use but activists worry it might be a precursor to banning WhatsApp. The concern isn’t unfounded; WhatsApp services mysteriously went down for several hours in Pakistan on July 21, and the government brushed it off as a technical hiccup. No international media outlets reported this supposed glitch.
Historically, a government launching an app wouldn’t raise eyebrows, but with a track record of fibbing about internet restrictions, it’s hard not to be suspicious. Recent revelations show that agencies are collecting user metadata from apps like WhatsApp. Thankfully, its end-to-end encryption shields our private messages. But could Bleep be a backdoor for surveillance?
However, the government might be in for a rude awakening if they think they can simply replace WhatsApp with a domestic app. Scaling up to accommodate an entire nation’s communication needs is challenging. Just like popular clothing websites crash during sales due to high traffic, a new app would face similar problems with an influx of users. The myth that customer-facing apps and social media platforms are limitless playgrounds has been peddled by tech moguls, but the truth is that they are bound by the constraints of infrastructure.
In a world where technology is at our fingertips, it’s easy to forget that these platforms are not immune to limitations. The government may learn this the hard way if it attempts to substitute WhatsApp with a local alternative. As the situation unfolds, the public will be watching closely, wary of what’s to come.
If the government’s endgame is to ban WhatsApp and push Bleep into the limelight, how will it manage the technology infrastructure? Will the private sector be looped in, or perhaps international companies, including cloud giants? And if both are involved, how does that align with the government’s promise of enhanced security? Are we suddenly assuming that Pakistan or its local companies are paragons of internet security? There’s no evidence to support this. In fact, according to the UN’s International Telecommunication Union, Pakistan is ranked among the worst countries in global communication security rankings.
The obvious cannot be ignored: WhatsApp enables individuals and businesses to make international calls easily and affordably. If it gets banned, what’s the alternative? Struggling with Zoom calls on an internet connection that can barely load a webpage?
Pakistan often looks to countries like China to bring this kind of internet control. Even though China is no model for democracy or free speech, it does not pick bits and pieces from here and there to introduce legislation that can uproot the entire internet. Pakistan, on the other hand, does exactly that: not only does the government actively block out input from experts, it does not even do research.
Moreover, during a recent consultation on data localisation hosted by the IT ministry, the PTA chairman claimed that local servers would protect sensitive data. This assertion lacks factual backing. The National Telecom Corporation’s servers, where the government plans to store Bleep data, were compromised by the United States to spy on Pakistan’s political and military leadership, as reported by The Intercept in 2016.
What Pakistan needs to focus on is the internet and network security across its departments. By partnering with technology experts, they can provide essential training to employees. It should also act against people openly selling Nadra and SIM data of Pakistanis on Facebook and similar websites.
The reality is that the internet cannot be managed like a physical security asset. The internet was created to be shared, to be available to a common person. And now, there is no going back.
The government has to ask itself: are a bunch of people mocking politicians and expressing dissent more dangerous than the threat to the country’s network security? Is a political party more dangerous than hackers, independent or state-backed, that can and have in the past robbed people of their hard-earned money in a country always on the brink of an economic collapse?
In a country that offers little, the people have carved out their own dreams and realised them. Now, the state seems determined to undermine their progress. It’s time for the heads of technology in both large and small companies in Pakistan to speak up and protect their hard-won achievements.
Header image: This image was generated using AI on Bing.