If a list were to be made of the most trending words in Pakistan in 2024, then “firewall” would be right at the top. The term became a part of the lexicon to refer to frequent and widespread internet outages, which evaded common comprehension due to its technicalities and the government’s deliberate obfuscation around the mechanism.
The buzz around “firewall” started earlier this year when government officials hinted a mechanism was being put in place to “regulate” the internet. In an interview with a private news channel on January 26, then-caretaker prime minister Anwaar-ul-Haq Kakar revealed that state authorities were planning to “regulate” social media in the country and a “national firewall” would soon be made operational. Other leaders also threw the jargon around without being very forthcoming about what was happening and how it would impact people.
What these officials failed to convey — or deliberately chose not to elaborate on — was that a filtering system was already in place and it was being upgraded. It was only months later that the IT minister admitted that a “web management system” — which is already deployed — is being upgraded. This system was acquired for $18.5 million in 2018 from a Canada-based company, Sandvine.
The tool is capable of DPI (deep packet inspection), measuring and recording traffic and call data, URL filtering, IP blocking, DNS filtering, and VPN whitelisting, all complex sounding terminologies which will be expanded on later in the story. These systems need to be upgraded periodically as technology evolves, and it is one of these updates that reportedly disrupted Pakistan’s internet.
While quoting industry sources, Dawn reported that the updated system could “throttle specific apps and block individual pieces of content”.
A report in The Express Tribune claimed that it is a “geo-fencing firewall” — just like the Great Firewall of China, which is capable of monitoring the traffic coming in and out of the country — installed at the landing stations of subsea cables managed by Transworld and PTCL. These are the gateways of the internet into Pakistan from where it gets to homes and offices via a number of internet service providers or ISPs.
Since most of this information came from unofficial sources, people were left looking for answers on their own, and so the firewall became an umbrella term to blame for everything: blocking of X, poor broadband speed, disruption of communication apps and frequent disconnections.
What is a firewall?
To understand the term, it is important to know what it means. In the real world, firewalls are used to contain the spread of a fire. Built from fire-resistant materials, they are used to restrict a blaze by isolating it to a specific area. This helps firefighters to more effectively extinguish the fire before it damages the larger infrastructure. This is where the internet firewall gets its name from.
The internet firewall has recently received negative publicity because it has been deployed for censorship in many countries — case in point, China. But two misconceptions should be cleared: it’s not a blocking tool or a censorship tool. Simply speaking, it is a security tool that combines a host of techniques to monitor incoming and outgoing traffic. From your office server to the national level, firewalls are used to stop malware from damaging digital and physical infrastructures and prevent losses.
It has, however, been deployed for censorship in many countries.
How the internet works
To understand the functionalities of a firewall, you have to understand how the internet works.
Let’s say you want to watch a YouTube video and click on it. The video is either stored on a server housed in one of Google’s several data centres located across the world, or its cached version — more like a generic copy of that content — is stored by a content delivery network (CDN), which might be closer to your geographic location.
The CDNs are a scattered network of servers that speed up the internet by delivering content from a location closer to the user. For example, if you’re in Pakistan, and the YouTube video you want to see is stored at a data centre in California and also at a CDN in Dubai, it is faster to fetch the cache from Dubai than from the United States (US).
The link between these data centres and your device is the internet.
Every device connected to the internet — be it a PC, a laptop, a mobile phone, a WiFi router, a Smart TV, or even servers — has an Internet Protocol or IP address. It is a string of numbers that essentially work like addresses in the world of the internet.
To save the agony of remembering something like “192.0.2.1”, you have domain names like “youtube.com” or “instagram.com”. The mechanism that links domain names to the correct IP address is called the Domain Name System (DNS) — a database of domain names and their corresponding IP addresses. This database is stored in DNS servers.
When you enter a URL, it is turned into an IP address and a DNS query is generated. When the query is finally resolved and the IP for the location of data you requested is found, the website loads on your screen.
This data arrives at your screen in the form of small data packets via several routers, cables and radio waves. These packets, which carry bits and pieces of the content you requested, arrive separately on your screen and are then reassembled in a form that you see. Each of these data packets has a “header” and a “payload”. The header contains the source IP, the server from where it is coming; the destination IP, your device; the source address as well as the protocol. The payload is the actual data.
At any of these stages, a content blocking mechanism, or in simpler terms, a firewall, could be deployed. The government might ask ISPs to block content, throttling could take place at the CDN level, access to individual apps could be blocked via traffic throttling, or there could be censorship based on deep packet inspection or DPI.
On a national level, content filtering/blocking is done via a host of different techniques. The common ones are:
- IP address filtering
- DNS and URL filtering
- Deep Packet Inspection (DPI)
According to the Internet Society, these blocking techniques “target the elements of a typical end-user cycle of finding”. Simply put, all these techniques are commonly used for censorship because they stop the users from accessing the content rather than taking action against the content at the source — the location where it is stored.
IP address filtering
This is one of the simplest content-blocking techniques where users’ access to a particular IP address is blocked. A government or an enterprise can create a list of IP addresses that they deem to be hosting harmful content and want to stop access to it. If the IP is blocked, the DNS query will not be resolved; hence, you won’t be able to access the content.
However, this blocking technique leads to certain complications because a server hosts multiple websites. A 2022 analysis by Cloudflare found that only 10.7 million IP addresses can be used to reach over 255 million domain names. So, any attempt to block a website featuring objectionable content through IP filtering might impact other legitimate websites.
According to Tariq Mustafa, a telecom expert, now that most data hosting has moved to public cloud networks such as Amazon Web Services or Google, when IPs are blocked, it also disrupts access to other important content.
It gets even more complicated when some part of the content is distributed via a CDN. Now, the IP address of the server might be blocked, but not of the CDN.
DNS and URL filtering
DNS and URL filtering block content based on the input we give to the browser. If a domain (for example, “xyz.com”) is blocked, the DNS query — the matching of the domain with the corresponding IP address — will not be resolved. Hence, the website will not load.
DNS filtering puts an entire website under the chopping block. A website has a domain and a number of subdomains. For example, “wikipedia.org” is a domain, but “wikipedia.org/wiki/Firewall_(computing)” is a subdomain. A DNS filter will blacklist the domain to stop connections to it and all of its subdomains.
An example of this blanket ban can be found from 2006 when the Pakistan government, under pressure from the public and courts, tried to block access to websites hosting “blasphemous” content. One of the websites was hosted on Blogspot — an online content management system. Since PTCL, the leading ISP at that time, blocked the entire domain “blogspot.com”, thousands of blogs hosted on the domain were also blocked for many months, according to an analysis by the OpenNet Initiative.
A variation of DNS filtering is URL filtering. It is a way to block “wikipedia.org/wiki/Firewall_(computing)”, while keeping “wikipedia.org” and its other subdomains accessible.
URL blocking is done by filtering the web traffic and checking it against the database of blocked URLs. If the requested URL is blacklisted, the filter will block the connection to the requested web server. This type of blocking is also carried out on a category basis where several URLs hosting a similar type of content, say gambling websites, are grouped and blocked altogether.
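The difference in reach between IP, DNS and URL filtering can be measured directly. The following is an added example, not part of the original article: the hosting map, the request list and the `.example` domains are constructed, and it counts how many unrelated pages each technique blocks when all three are aimed at the same single page.

```python
from urllib.parse import urlsplit

# Constructed hosting map (domain -> server IP). Several unrelated sites
# share one address, as on shared hosting or a public cloud.
DNS_TABLE = {
    "blogs.example": "203.0.113.10",
    "m.blogs.example": "203.0.113.10",
    "shop.example": "203.0.113.10",
    "clinic.example": "203.0.113.10",
    "news.example": "203.0.113.20",
}

# Constructed sample of plain-HTTP requests passing through the filter.
REQUESTS = [
    "http://blogs.example/alice/recipes",
    "http://blogs.example/bob/banned-post",
    "http://blogs.example/carol/travel",
    "http://m.blogs.example/alice/recipes",
    "http://shop.example/cart",
    "http://clinic.example/appointments",
    "http://news.example/today",
]

TARGET = "http://blogs.example/bob/banned-post"  # the one page meant to be blocked


def _host_and_path(url):
    parts = urlsplit(url)
    return parts.hostname.lower(), parts.path.rstrip("/") or "/"


def ip_filter(url, blocked_ips):
    """Block when the server's IP address is on the list."""
    host, _ = _host_and_path(url)
    return DNS_TABLE.get(host) in blocked_ips


def dns_filter(url, blocked_domains):
    """Block when the hostname is a listed domain or one of its subdomains."""
    host, _ = _host_and_path(url)
    return any(host == d or host.endswith("." + d) for d in blocked_domains)


def url_filter(url, blocked_urls):
    """Block only when hostname and path both match a listed URL."""
    return _host_and_path(url) in {_host_and_path(u) for u in blocked_urls}


def collateral(filter_fn, blocklist):
    """URLs other than TARGET that the filter blocks along with it."""
    return [u for u in REQUESTS if u != TARGET and filter_fn(u, blocklist)]


def compare():
    """Collateral count for each technique when aiming at the same TARGET."""
    target_host, _ = _host_and_path(TARGET)
    return {
        "ip": len(collateral(ip_filter, {DNS_TABLE[target_host]})),
        "dns": len(collateral(dns_filter, {target_host})),
        "url": len(collateral(url_filter, {TARGET})),
    }


if __name__ == "__main__":
    for technique, count in compare().items():
        print(f"{technique:>3} filter: {count} unrelated URL(s) blocked")
```

In this constructed data set the IP filter takes down every site on the shared address, the DNS filter takes down the whole blogging platform, and only the URL filter isolates the single page, which mirrors the 2006 Blogspot case described above.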
Deep Packet Inspection (DPI)
Deep Packet Inspection, or DPI, is a method of examining the several data packets that transmit your requested information. A simple packet inspection means looking into its header to find out where it is coming from and where it is going. In DPI, the packet’s payload (content) is also checked against a set of predefined rules. If the data is found to be unwanted, the filter will drop the packet, and it will have to be retransmitted from the source IP.
In simplest terms, it is like opening the mail and checking its contents. However, it has some limitations for when the mail is marked “confidential” or when the data is encrypted.
This is also one of the biggest concerns prevalent among internet users in Pakistan. Can DPI filter encrypted data like WhatsApp calls and messages?
The answer to that question is no. All communication on WhatsApp is end-to-end encrypted and can’t be monitored, irrespective of the nature of the firewall, according to Aftab Siddiqui, a senior manager at Internet Society.
The only way for the governments to read WhatsApp messages is to ask the company for decryption keys. However, WhatsApp has shown little inclination to accept such demands made by governments. Last year, Will Cathcart, the head of WhatsApp, said the messaging service would not comply with requirements in the new UK government’s regulation to outlaw end-to-end encryption.
In fact, most data transmitted on the internet these days is end-to-end encrypted due to HTTPS, which, simply put, is an internet protocol that encrypts messages or data as they are being transferred from the source to the user.
A Google report earlier this year said that in January, over 94 per cent of web pages were loaded over HTTPS in Chrome on the three major platforms — Android, Windows and iOS. It essentially means their content was encrypted.
The data transferred over HTTPS protocol can’t be decrypted by any firewall. However, the way around it is issuing fake SSL certificates, something which China tried a few years ago.
Even with fake certification, only a small percentage of traffic could be intercepted, Siddiqui told Digital Rights Monitor (DRM).
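The header and payload split, and the limit that encryption places on DPI, can be shown on a pair of packets. This is an added example, not part of the original article: the addresses, rule patterns and request are constructed, and `toy_encrypt` is a hypothetical stand-in for TLS used only to produce ciphertext.

```python
import hashlib
import socket
import struct

# Constructed rule set: byte patterns the inspector looks for in payloads.
RULES = [b"/wiki/Forbidden_Topic", b"Host: blocked.example"]


def build_packet(src, dst, sport, dport, payload):
    """Build a minimal IPv4 + TCP packet (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    # Data offset 5 words (0x50), flags PSH+ACK (0x18).
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return ip + tcp + payload


def parse_packet(raw):
    """Split a raw packet into its header fields and its payload."""
    ihl = (raw[0] & 0x0F) * 4                      # IPv4 header length
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    tcp_len = (raw[ihl + 12] >> 4) * 4             # TCP header length
    header = {
        "src": socket.inet_ntoa(raw[12:16]),
        "dst": socket.inet_ntoa(raw[16:20]),
        "protocol": raw[9],
        "sport": sport,
        "dport": dport,
    }
    return header, raw[ihl + tcp_len:]


def deep_inspect(raw):
    """Return ("drop", rule) if the payload matches a rule, else ("pass", None)."""
    _, payload = parse_packet(raw)
    for rule in RULES:
        if rule in payload:
            return "drop", rule
    return "pass", None


def toy_encrypt(key, data):
    """Stand-in for TLS encryption: XOR with a SHA-256 keystream.
    Illustration only, not real cryptography."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed sample traffic: the same request sent in the clear and encrypted.
REQUEST = b"GET /wiki/Forbidden_Topic HTTP/1.1\r\nHost: news.example\r\n\r\n"
PLAIN = build_packet("198.51.100.7", "192.0.2.1", 50000, 80, REQUEST)
ENCRYPTED = build_packet("198.51.100.7", "192.0.2.1", 50000, 443,
                         toy_encrypt(b"constructed-session-key", REQUEST))

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("encrypted", ENCRYPTED)):
        header, _ = parse_packet(pkt)
        print(name, header["dst"], header["dport"], deep_inspect(pkt)[0])
```

The payload rule fires on the cleartext packet and finds nothing in the encrypted one, while the header fields (addresses, protocol, ports) parse identically in both.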
Firewalls around the world
A report released by Freedom House in October revealed that global internet freedom declined for the 14th consecutive year. Of the 72 countries covered in the report, conditions for human rights online deteriorated in 27.
This decline can be attributed to a number of reasons, chiefly to widespread online censorship by governments around the world. China has been the worst country for online freedom for the past 10 years, but for the first time in 2024, Myanmar shared the top position.
Firewalls and other censorship tools are used by a number of countries, including China, Myanmar, Russia, the UAE, North Korea, Kazakhstan, Turkmenistan, Saudi Arabia, Iran, Turkey, Cuba, etc.
The Chinese censorship regime is one of the most sophisticated in the world. The Great Firewall deploys a number of tools to block its population’s access to foreign services and also to content critical of the government. It filters out any popular foreign services along with all traffic that comes into the country, greatly limiting what people can see. It also filters traffic based on keywords, stopping its residents from searching, talking about, and accessing certain topics and events.
Myanmar, since the military takeover in 2021, has built a mass censorship and surveillance regime to suppress the activities of pro-democracy activists and resistance groups. The military government also blocks VPNs to stop users from bypassing censorship.
In Russia, the use of VPNs is blocked as well. It employs a combination of a decentralised censorship model — where ISPs block content — and TSPU, a local DPI tool controlled by the state regulator, Roskomnadzor.
The UAE is another country with a stringent online censorship regime. The centralised nature of its internet infrastructure — with only two ISPs, both state-run — allows the government to exert control online. For example, the regulator blocks VoIP services like WhatsApp voice calls, Viber, and FaceTime. ISPs are also mandated to block content falling under any of the 19 prohibited categories, including offences against the UAE and public order, as well as contempt of religion, according to Freedom House.
What’s happening in Pakistan?
The government has admitted that it is upgrading the content filtering system but didn’t explicitly link recent internet disruptions to it. Instead, they blamed the “excessive use” of VPNs and faults in two sub-sea cables landing in Pakistan — SMW4 or South East Asia-Middle East-West Europe 4 and AAE1 or Asia-Africa-Europe 1.
There’s no clarity over the nature of these faults as the Pakistani company, PTCL, which is part of the consortium managing both cables, hasn’t issued a statement.
While such cable faults are a regular occurrence and could have resulted in some disruption of internet services, it is hard to believe that this was the sole reason.
Experts have told DRM that seven international undersea optic fibre cables connect Pakistan with the world, with three more being laid. This can be termed as “more than enough capacity”, and even if one or two cables develop a fault, it won’t have a big impact, according to Parvez Iftikhar, an international ICT consultant.
Doug Madory, Director of Internet Analysis at Kentik, whom the Washington Post called “the man who can see the Internet”, agreed that the reported cable fault did occur, but said it started in June or July and “wouldn’t account for a recent change” people are experiencing with regard to the internet in Pakistan.
It is very likely that the government planned to upgrade the web management system at a time when Pakistan was already facing issues with internet speeds due to cable faults. The timing multiplied the problems faced by users.
The disruptions were consistent with the characteristics of a content filtration system, “traffic shaping,” and other forms of system interference, a technical analysis by Bytes 4 All in August found.
According to the report, VPN users got better internet connectivity than non-VPN connections, as the former were able to circumvent the local internet route. One of their findings was a high latency rate between 196 and 203 milliseconds on non-VPN connections. Ideally, it should be within the range of 20ms to 40ms for a stable internet connection.
A high latency rate — the delay between users performing an action; for example, entering a URL, and the result appearing in front of them — can be an “indicator of traffic inspection or routing issues, which are often associated with DPI or poorly configured firewalls,” the report said.
On non-VPN connections, the retransmission rate of data packets was also very high, which, the report said, could be due to “network congestion or throttling”.
“If a DPI system is slowing down or inspecting packets, this could cause delays that lead to retransmissions,” it said, adding that firewalls might also drop packets they deem suspicious, leading them to be retransmitted.
Infrastructure constraints
Even in normal circumstances, without any disruptions, Pakistan is among the countries with the slowest internet speeds — both broadband and mobile data — in the world. This is because of a plethora of infrastructure issues plaguing the internet in Pakistan. One of them is the restricted point of access.
According to Madory, Pakistan has only two international gateways, which leads to congestion. “Historically, anytime there is a submarine cable issue anywhere, Pakistan has always been sensitive to it, and it seems to get affected worse than other countries in the region.”
Most of the seven cables currently landing in Pakistan are centred along the busy trade route of the Red Sea or the Gulf of Oman — a region that remains volatile due to tensions in the Middle East. Earlier in February, an airstrike by the Yemen-based Houthis targeting a cargo ship in the Red Sea allegedly damaged three submarine cables. The geo-political tensions also delayed the work to fix the fault, and it wasn’t until July that the cables were repaired.
Pakistan is more vulnerable to these faults as a high percentage of traffic goes overseas due to a lack of local hosting. While CDNs such as Akamai and Cloudflare have their presence in Pakistan and companies, including Facebook, YouTube and Netflix, have local caches with ISPs, public clouds such as Azure, AWS, and Google Cloud Platform aren’t located in Pakistan, according to Madory.
The impact of these issues could be mitigated if Pakistan had a robust overland border connectivity with neighbouring countries, where the flow of information could be rerouted in case of any fault in the undersea cable system. But Pakistan doesn’t have a formidable cross-border overland connectivity network with its neighbouring countries.
Iftikhar told DRM that over land, Pakistan is connected to Afghanistan, China and Iran, but not to India. “There was a connection with India a few years back, but that wasn’t really used.” Afghanistan, being a landlocked country, is already dependent on Pakistan for its bandwidth needs, so Pakistan’s only functional overland connection is with China.
There are also issues with domestic connectivity, according to Iftikhar, as there are only four to five Long Distance International (LDI) licensees who have laid fibre optic cables for intercity connectivity.
“Within the cities, there are bigger issues. In affluent areas of big cities, you get reasonable penetration of optic fibres, but not in low-income areas. In the smaller cities, you might get a good connection in main commercial areas but not in most of the other parts.”
The problems stem from a lack of investment in the information and communication technology (ICT) infrastructure, Iftikhar said, adding that the government has completely forsaken its responsibility to build any ICT infrastructure and left it entirely to the private sector.
He cites the example of mobile towers, which should ideally be connected to optic fibre cables for high-speed data transmission. However, only 13.5 per cent of towers in Pakistan have optic fibre connectivity while the rest rely on microwave radios, “which used to be good for voice but not for data”.
With these infrastructure issues, it is a given that any attempt to throttle or filter data would only create more problems for the users.
According to Madory, even China, which is the “gold standard” for the most sophisticated national firewall, “gets overwhelmed trying to keep up with the volume of traffic”.
What works in China’s favour is that it has a number of domestic services, which “work for their population who use those services”.
“Pakistan doesn’t have the same number of services. So, they need that international connection to work well,” Madory says.
Collateral damage
There are widespread concerns over how official actions would impact the internet in Pakistan and, by extension, the businesses that rely on internet connectivity. Unreliable internet jeopardises the entire ecosystem built over it, be it software houses, fintech, blockchain or banking applications.
“What PTA is doing is tinkering with key internet protocols like VPN and DNS,” Mustafa, the telecom expert, says. “This concerns global companies. In Pakistan, the internet is shaping up in such a way that it will soon be non-identifiable to the world.”
Meanwhile, officials call the “web management system” a necessity for improving cyber security and filtering harmful content. However, none of these content filtering techniques can be carried out without creating collateral damage.
There are also no clear laws and rules to regulate content filtering and blocking. For example, the Removal and Blocking of Unlawful Online Content (Procedure, Oversight and Safeguards) Rules, 2021 uses vague terminologies like the “glory of Islam”, “security of Pakistan”, “public order”, “decency and morality” and “integrity or defence of Pakistan” to describe content that warrants throttling.
Experts warn against such actions on the user end and instead suggest purging the content at the source. Siddiqui of Internet Society said social media companies like Facebook, TikTok, and YouTube, as well as CDNs such as Cloudflare and Akamai, block content at Pakistan’s request.
“To what level they listen to Pakistan [government], it is debatable,” he says, adding that these services require official content takedown requests, but in Pakistan, most of these requests are made by unofficial institutions.
He said India “makes a lot of official requests” on which service providers take action and publish data about these content takedown requests in their reports.
The decentralised nature of the internet means that any single-point content filtering mechanism will always remain vulnerable to disruption and can have disastrous consequences for people and businesses. Even sophisticated systems like the ones in China, Russia and the UAE often get overwhelmed and can be bypassed. As evidenced by the recent disruptions, the authorities lack the infrastructure and the sophistication required to check the content coming in and out of a country of 250 million people. While the government’s concerns regarding cybersecurity and malicious content could be genuine, a firewall is certainly not the method to address them. The focus should be on robust and decentralised cybersecurity mechanisms, with inputs from all stakeholders. There is a need for liaison with social media services and content hosts to strike harmful content at its source rather than disrupting the end user’s experience.