06/24/2022

Pakistan’s Mandatory VPN Registration Disregards The Need For Privacy

On August 8, 2021, the former Prime Minister Imran Khan tweeted a TikTok video of an Olympics race, with the caption, “you only lose when you give up.” Khan habitually used cricket lingo for his political sloganeering, so the tweet did turn heads. However, the tweet came when TikTok was banned in Pakistan, and the only way you could access the app was through a Virtual Private Network (VPN) – that, too, is subject to regulations in Pakistan. 

The Pakistan Telecommunication Authority (PTA) ordered internet service providers (ISPs) in 2011 to prevent their users from surfing the internet through VPNs or any other encryption software. Then, in 2020, PTA asked users to register their VPNs with the authority if they want to continue using them or any encryption software without being penalised. Concerns about internet freedom and privacy were raised by activists, but the PTA claims that it is only to stop illegal Voice over IP (VoIP) traffic.

Why ban VPN?

The PTA said that the ban is aimed at curbing illegal VoIP traffic, also known as grey traffic. VoIP is a technology that allows users to make a call, including to a landline or mobile number, from computer software. For instance, when customer service representatives call you with a credit card offer, you will notice that the number appears to be a regular landline number, but if you dial back, you will get a message saying that the number is not correct. These calls are made through a VoIP service that masks the identity of the caller.

Where it becomes illegal is when a person makes an international call to a local number and uses a shortcut to dodge legitimate telecom checkpoints. This helps the business make money by avoiding any international calling charges and causes a huge monetary loss to the national exchequer. The PTA says illegal VoIP traffic causes losses worth billions of rupees to Pakistan.

PTA says ban only for illegal VoIP users

The PTA clarified in a press release in 2020 that the registration requirement will not disrupt the services of legitimate users since the only focus is to contain grey traffic which is affecting legal businesses. This was issued in response to a story by Profit, a Pakistan-based business publication, which said that the VPN ban could affect small businesses. The story had claimed that the process for VPN registration is long and cumbersome, but PTA, in a reply to the story, said users simply have to fill in a form and apply via their ISPs.

A senior telecom professional, on the condition of anonymity, said that the ban is a very “raw way” of controlling grey traffic. “It was always a bad idea,” he said. “Previously, the financial incentive for telecom companies to cheat was very high due to high international call rates [imposed by Pakistan].” But now, he added, the rates introduced by the government are low. With high taxes like in Pakistan, there is always an incentive to cheat, he claimed.

“But now, this senseless ban makes less and less sense.”

In the US, VoIP service providers are expected to contribute to the national exchequer via the Universal Service Fund, which is a telecommunication fee system managed by the US government to ensure universal access to telecom services. In addition, the European Court ruled in 2019 that any software companies, like Skype, are bound by relevant telecom regulation in EU countries if they provide VoIP services as well. There is no ban or a requirement for mandatory registration of VPNs in these countries. In Pakistan, the PTA has tried to monitor grey traffic using different technologies, such as the Grey Traffic Monitoring System, which has the capability to automatically block IPs not on the whitelist. The whitelist is a list that includes all registered IPs for legal use of VPNs.

However, globally, a ban or scrutiny of encryption is seen by activists as a violation of privacy rights. In 2017, Amnesty International called VPNs a “vital defence against censorship.” Interestingly, a press release by PTA said that the mandatory VPN registration is being done to promote legal telecom and IT services, and “for the safety of telecom users.” The PTA has previously also banned dating apps and online streaming services, citing immorality and vulgarity as its reasons. Due to this, it has invited the ire of Pakistanis for trying to act like a parent to the citizens, rather than focus on actual telecom and IT security issues.

VPNs and Privacy

The PTA wants to ban VPNs because the virtual networks mask a user’s IP details that travel through an information system. An IP address is a unique identifier of every device that connects to any internet network. VPNs bar an ISP from viewing details about their client’s actual IP address as it has been masked by a new temporary one. For example, it can no longer see whether a client is surfing the internet or making a Zoom call. And so, it will not be able to tell whether a client is operating an illegal VoIP service.

VPNs enable many around the world to conceal their identity for both good and bad reasons. While they have been a mainstream tool for criminals to conceal their identity and their traffic data to conduct illegal activities online, they also allow rights activists and journalists working on sensitive stories to ensure their internet access is free from unwanted surveillance.

Ali Javed, a Lahore-based lawyer, says it is important to explore whether anonymity on the internet can be considered a right according to rights already laid down in the Constitution of Pakistan. He says, “The Constitution allows freedom of expression and the right to privacy as fundamental, so any restriction to compel someone to not be anonymous could go against the latter.” However, he says, “There don’t exist any court judgements in Pakistan specifically on internet anonymity, that could be referred to or set a precedent.” What needs to be seen though is whether the state ensures the “least restrictive” way to regularise any illegal activities, in this case, grey traffic; but according to Javed, the VPN ban is a “smokescreen”.

Javed says, “It is blanket surveillance to ask ISPs to monitor their [clients].” While monitoring is a fundamental part of IT and network security to ensure an organisation’s systems are protected from any hacking and other similar external intrusion, it does not allow for blanket surveillance. For example, an IT administrator in a company can block harmful websites for all users, but they cannot actively monitor their chats and other activities done on their computers. The former is an essential security practice, the latter is an unacceptable privacy violation.

The mandatory registration of VPNs had invited criticism from rights activists and internet users. The registration comes in the backdrop of an increasingly unsafe environment for media, activists and journalists in recent years. In addition, Pakistan does not have a data protection law, and there have been multiple cases of data dumps and hacks of NADRA, the country’s central database system, as well as the recent cyber attack on the Federal Board of Revenue’s computer networks. Further, the government reportedly used surveillance systems used by the country’s intelligence service, ISI, to monitor coronavirus cases.

This has prompted activists to express concerns over the mandatory registration, saying it will create a “government database” of internet users, and that too without any data protection law in place. Bolo Bhi, a digital rights non-profit, said in a June 2020 blogpost, “Registering your VPN would not only link the exact VPN service you [have] subscribed to your identity in the government’s database, but will allow them to request & access data about you at will – data that you want to protect from them. Non-compliant VPN service providers can have their services blocked by the government. VPN registration is a public surveillance tool which asks for our trust & then infringes liberties in return.” Pakistani authorities, through their regressive control on social media platforms and internet traffic of citizens in the country, appear to create a regime restrictive of digital freedoms, much like countries like China, Iran and Russia that it draws inspiration from.

The concerns over data protection arise because the PTA wants access to users’ IP details that it does not automatically have access to. Here is how it works: the PTA has the authority to assign a pool of IPs to a particular ISP. The ISP then assigns an IP from that pool to its user, through a formula. The user could be an individual or a business. Therefore, the PTA does not automatically know who exactly is using what IP and how the IPs are distributed among the hundreds of the ISP’s users; only the ISP does. Sharing all these details with the PTA can create a database of users and their internet traffic details, which is susceptible to misuse by internal or external actors.

The notification by PTA about VPN registration states that users who want to use these virtual networks for “legitimate” purposes must register their VPNs with the authority, and that “illegal use of unregistered VPNs” can mean PTA can suspend their services and initiate legal action too. But much like various other legal documents and directives, the notification or subsequent communication regarding this fails to mention what “legitimate purpose” means.

Lawyer Ali Javed says that ambiguity in any communication from the authorities has proven to have been used against citizens and their guaranteed rights. He says, “It is important that the state defines whether a regulatory authority can ask for data of a user [that can identify his internet particulars and use in some way], without defined data protection mechanisms in place.”

Businesses are not the only ones impacted

Nayal, a teacher based in Karachi, was recently diagnosed with attention deficit hyperactivity disorder, or ADHD, a neurodevelopmental condition. To understand what he was going through, he attempted to do his own research but found that websites with medical information, including www.adhdadulthood.com, were blocked. 

Nayal deduced that this was because of the word “adult” in the URL that led to the blocking of this website. The PTA had banned over 800,000 porn and “adult” websites, and perhaps through an algorithm, that resulted in the blocking of many websites with legitimate and useful information, including scientific research as in the case of Nayal, and others including small businesses as well. To further investigate a potential reason for this blocking, Digital Rights Monitor tried to access www.adultchildrend.org, a website for support groups for children of dysfunctional families, on various ISPs and found it to be blocked as well. However, the same websites are accessible via VPNs, a tool that Pakistanis have used liberally to bypass censorship in the country. Similarly, Nayal was able to access these websites through a VPN as well. 

The use of commercial VPNs, much like the ones used by businesses, goes beyond the need to conceal identities on the internet or to conduct fraud. They are a routine method for users to access censored or blocked information that is critical for them.

One may ask then: Is this a “legitimate” use of a VPN?

Various websites containing the term “adult” were found to be blocked on multiple ISPs.

ISPs unhappy over PTA’s demand

When the PTA first asked ISPs to monitor grey traffic in 2011, ISPs said it is expensive to do so on their part and that the PTA should do it. The Internet Services Providers of Pakistan group had said that the authority also blocks IPs without any intimation. A manager at a major ISP, on the condition of anonymity, confirmed to the Digital Rights Monitor that when PTA detects grey traffic, it blocks the IP through its own mechanism, but the ISP does not get any intimation notice. In a press release dated April 12, 2022, PTA said that it has set up a “mechanism to curb pornographic content” on the internet. The Central Domain Name System (C-DNS), the authority said, has been introduced to supplement the powers given to PTA under section 37 of Prevention of Electronic Crimes Act (PECA), 2016 that enables it to block unlawful online content. According to the press release, the mechanism will “ensure the automated effective and seamless blocking of unlawful content in real-time.”

The source at the major ISP further added that in case an IP is blocked, the IP holder or a consumer files a complaint with the ISP about service disruption. The ISP then contacts PTA, which confirms if the authority has blocked the IP due to illegal traffic. The IP holder then has to submit a written apology and a justification, if any, and the ISP sends it to the PTA on their behalf. Unblocking or keeping the IP blocked is the decision of PTA, informs the source.

PTA’s Public Relations Director, Khurram Mehran, did not return the request for comment for the article.

Beyond bans

The mandatory registration and the PTA’s casual dismissal of privacy concerns is part of larger issues in Pakistan: defective legislation, lack of accountability of regulatory and investigative authorities, and the government’s failure to take steps for information literacy before introducing tough laws governing the internet.

While previously, the most liberally used tactic was to ban everything, such as the three-year-long YouTube ban, the past three years also saw particularly draconian rules and laws, such as the social media rules, 2020, and the PECA amendment, 2022 (which was struck down by a court). Throughout, the stakeholders have complained that the laws were finalised and passed without properly considering stakeholder input. Lawmakers like Farhatullah Babar have said that passing any cybercrime law, without a data protection law, basically opens the door for investigation agencies to operate with impunity.

What Pakistan needs is a holistic approach to digital rights, which includes a detailed review of legislation, the functions and purview of investigation and regulatory authorities, and a mass awareness campaign on information literacy that goes beyond text messages by the PTA.

Sindhu Abbasi is a Karachi-based freelance journalist who reports on gender, internet and society, and digital rights. She has previously worked for Geo, and has bylines in Dawn and Hamara Internet.
