There is a strong reason to believe now that the traffic for our gateways is being managed by Netsweeper.

The research revolves around one of the key gateways that handles network traffic for Karachi, namely the following server:

khi77.pie.net.pk (202.125.134.154)

From within Pakistan, any attempt to access this server results in an access block.

However, accessing this very same server from _outside_ of Pakistan, such as from the US, results in the following screen being rendered in the browser (with a self-signed certificate):

[Image: Netsweeper in Use in Pakistan]

As noted in the annotation, there is a clear graphic at the bottom indicating “Powered by Netsweeper”.

If nothing else, this is clear evidence of Netsweeper’s software being installed on critical national network infrastructure. We anticipate that system administrators at PIE (Pakistan Internet Exchange) will be quick to block access to HTTPS on the gateway in question from the outside as well once access to it is publicized.

Imran Moinuddin is the Founder & CEO of NexDegree

Read More on Netsweeper:

June 20: Netsweeper in Pakistan?

Citizen Lab’s report on Netsweeper’s Presence in Pakistan

July 23: Letter to Canadian High Commission Seeking Disclosure on Netsweeper

September 9: Canadian Government Responds to Netsweeper’s Presence in Pakistan 

Over the last few years, Internet censorship and surveillance have been on the rise in Pakistan. International reports have pointed to the alleged presence of FinFisher (espionage and surveillance equipment) and Netsweeper (filtering and blocking equipment) in the country. In recent months, Internet users have faced service disruptions – slow Internet speed as well as the inability to access several websites.

Very recently, as a result of an investigation into customer complaints, popular VPN service Spotflux officially announced that their data centers had been blocked by the government of Pakistan. Since 2012, when access to YouTube was blocked in Pakistan, Spotflux became one of the popular methods of circumventing the blockade.

The decision to block VPNs was first made in 2010 under the Monitoring & Reconciliation of International Telephone Traffic Regulations 2010 (MRITT). An official notification of blocking VPN in Pakistan was issued in July 2011. The notification, issued by the Pakistan Telecommunication Authority (PTA), cites “prohibition to use all mechanisms which conceal communication to the extent that prohibits monitoring”.

The regulation mandates the monitoring and blocking of any traffic (encrypted or not), including voice and data, originating or terminating in Pakistan. This includes all encrypted VoIP services. If followed strictly, the MRITT could legitimize blocking of Skype and other VoIP services like Viber [Read about Sindh Interior Ministry’s attempt to block Skype, Viber & Whatsapp]. Since the regulation requires Internet monitoring on a massive scale, it allows the blocking of VPN services as they are considered an interference with the ability to monitor Internet  traffic.

The implementation of this clause raises several concerns. It has the potential to hamper online businesses in Pakistan and violate the privacy rights of Pakistani citizens. Sub clause (6d) of clause 4 of Part II, “Establishment, administration and features of the Monitoring System”, mentions that licensees that deploy the monitoring system are responsible for providing data to the Authority when it is required. This data includes a complete list of Pakistani customers and their details.

In 2011, the official announcement to ban VPN services was met with severe criticism from the business community, especially the banking sector. Despite warnings by the PTA, a blanket ban on VPNs was never implemented. Instead, the regulation was only applied to commercial connections, where users were told to register their IPs with PTA so that they could be added to the whitelist. If they were using VoIP or VPNs, it had to be with the explicit permission of the Authority.

A press release published in 2007 on PTA’s website provides details of the agreement signed between Inbox Technologies, developed by NARUS, to acquire a system that enabled the authorities to monitor and block “grey traffic” at the IP level. Last year, PTA acquired new filters to monitor grey traffic in an effort to boost the “anti-terror” fight. This was the result of the International Clearing House (ICH) Policy Directive issued by Ministry of in August, 2012. The system, which is officially called Grey Traffic Mitigation System (GTMS), became operational in October 2013, as reported to the National Assembly.

It now appears that the ISI (Inter-Services Intelligence), and not ISPs or PTA, are managing these filters to monitor and block grey traffic. But what legal mandate does the ISI have to operate the filters?

IP-level blocking and the manner in which it is being implemented is posing several problems for Internet service providers, businesses and Internet users alike. The recent surge in blocking of websites and service disruption  has been reported by Internet users. PTA Chairman’s statement to the press suggests that the regulator is currently working on fixing the issues and reportedly working on getting the filtering equipment back under PTA’s control. However, housing the system under one authority vs another is not going to be enough. Acknowledging the importance of encryption, user privacy,  and the integrity and security of the banking sector and business and financial transactions, is essential.

Read ISPAK’s (Internet Service Providers Association of Pakistan) letter to the Ministry of Information Technology & Telecom regarding IP blocking below:

 

URGENT

No. 5(8)/2013-ISPAK

02 December 2013

Ms. Anusha Rahman Ahmad Khan

Minister of State for Information Technology

Ministry of IT

Government of Pakistan

Islamabad

Subject:          IP Blocking Issues for Broadband Operators, Call Centers and Internet Users

Dear Madam,

        Under the recently established system by the Government of Pakistan to curb grey traffic, IP addresses blocking on Internet backbone has been started. While the intentions for having such a system may be good, the Government has unfortunately done another experiment this time at the risk and cost of Internet users and broadband operators of the country by giving this system in the hands of Inter Services Intelligence (ISI), an organization that has a different mandate altogether and has no mechanism in place to address various issues faced by the industry.

2.      Broadband operators and call centers are prime victims of this mechanism. Legitimate and even whitelisted IP addresses of operators are getting blocked without any reason. In last week, IP addresses of DNS, Authentication Servers and Core Routers of Qubee, a leading WiMax operator, got blocked twice on the same day, resulting in jamming of country wide network and leaving thousands of customers screaming. IP addresses of the other operators including WiTribe, Linkdotnet, etc., are also getting blocked. Many customers use VPNs (virtual private networks) on Internet to connect to their proprietary and secure networks for various business applications. These VPNs, which are now integral part of any Internet connection, are also getting blocked left, right and center with no solution in place to allow legitimate users and filter grey traffic.

3.      Leading call centers and software houses of the country, including TRG, Ovex, Shellby and so many others are running from pillar to post to get their IPs whitelisted. PTA officials seem helpless because the system is not in their control and their requests for IP whitelisting are apparently not handled by the ISI in a timely manner. ISI is also reportedly dependent upon the vendor who has supplied this system. So the red-tape circle of whitelisting on IPs is extended from the customer to the operator, from the operator to PTA, from PTA to ISI and ISI to the vendor, and same return path. It is taking weeks to resolve the issues that should have been addressed in minutes.

4.      The whole Internet traffic of the country has been left at the mercy of a system that is being operated in an amateur manner and at snail pace in total disregard to the agony faced by the operators, call centers and Internet users. Call centers are losing huge foreign exchange revenue and Pakistan is getting bad publicity in international business community.

5.      The media has previously reported that US$27 million were unofficially diverted from controversial ICH Agreement to enable the purchase of IP Blocking system in total disregard to Public Procurement Rules and bypassing competitive bidding. The Internet industry has thus been kept hostage to a system whose origin is illegal and design and operations totally non-professional. The grey traffic is now reportedly being shifted to Ku band satellite dishes and legitimate Internet routes are being blocked.

6.      We request you to kindly look into the matter personally and get a proper standard operating mechanism in place where IPs are whitelisted and such lists are implemented within 48 hours with no whitelisted IPs subject to blocking. There should be no limit on the number of IPs got whitelisted by a licensed operator. Complaints of operators should be addressed on 24 x 7 basis with resolution time and escalation levels defined. In case of blocking of whitelisted IPs of the operators, financial compensation should be given to the operators by the Ministry of IT as operators are now being asked by their customers for compensation.

With kind regards.

Yours sincerely,

Wahaj us Siraj

Convener

c.c.   Mr. Akhlaq Ahmad Tarar, Secretary, Ministry of IT, Government of Pakistan, Islamabad.

        Chairman PTA, Pakistan Telecommunication Authority, Islamabad

        Member Telecom, Ministry of IT, Government of Pakistan, Islamabad

        Member IT, Ministry of IT, Government of Pakistan, Islamabad

See timeline of encryption blockade in Pakistan:


With  legal research assistance from Nighat Dad, Digital Rights Foundation 

Taking cue from the brilliant team at Electronic Frontier Foundation, the Bolo Bhi team has come up with a scorecard for State Minister for Information Technology & Telecom, Ms Anusha Rahman Khan. The scorecard is based on the performance of key duties by the Minister in her first six months in office.  The collective score is based on input by industry and civil society members.

 

Criteria For Each Duty:

0-3: Showed effort

4-7: Followed through

8-10: Led to outcome

 

 

[Image: State Minister Anusha Rahman's First Six Months in Office: A Performa]

 

 

1. Fulfilled promises made as a member NA standing committee on IT

In the previous government, Ms Anusha Rahman Khan, was one of the most vocal members of the National Assembly’s Standing Committee on Information Technology. During her tenure as a parliamentarian, Ms Rahman spoke for the need to increase access to information, unblock YouTube and issue 3G licenses.

She was also involved in a series of discussions on proposed amendments to the Pakistan Electronic Crime Ordinance (PECO). Despite displaying an understanding of information technology issues, then, Ms Rahman’s time in office has hardly been reflective of the same zeal to resolve issues effectively.

2. Accessibility as a public official

Speak to people within the industry, and they will tell you the Minister just doesn’t respond to letters or emails. We’ve found that to be true as well. According to them, the few meetings that were held initially led to no results as their input was never considered seriously. It has become very apparent since, that input of stakeholders is of little or no importance. Instead, handpicked experts and their input carries more weight. Surprisingly, this has not only been noted by people within industry or civil society, but also fellow politicians and parliamentarians, who also say they’ve been given the cold shoulder.

3. Restoration of YouTube

Beginning with the announcement that we can block Google on her first day of office (allegedly misreported), to introducing filters to block content and eventually trying to go the localization route, the Minister has made various speeches in the Senate on this subject and issued press statements. However, to date no concrete measures have been taken to resolve the issue. All proposed solutions have been out of line with the direction the court has taken on the issue. In fact, despite being summoned multiple times, the Minister did not appear in court. Initially, even Google officials were given the cold shoulder, by the Minister and Ministry, with refusals to talk or meet. As for independent input, it has been completely shunned. Repeated attempts to apprise the Minister of the intricacies of the issue have been met with a stony silence.

4. Adoption of 3G Technology

Recent reports suggest that the government will hold the 3G auction in March 2014. The auction and issuance of 3G licenses is a matter that has been pending since 2008. Other than discussions and field visits since the beginning of the term at the Ministry, not much has been done. It was only after the Supreme Court, hearing a writ petition for early auctioning of 3G licenses, issued directions to the government to be quick about the appointment of PTA officials, that this matter moved along. Whether the Information Memorandum will be completed in time, and the auction held in March, now remains to be seen.

5. Increase Internet Penetration in underserved areas

In a surprise move, rather than utilizing National R&D (Research and Development) Funds and USF (Universal Services Fund) money to increase telecommunications and Internet penetration in the country, these funds – amounting in billions of rupees – were consolidated and moved out of accounts maintained separately for them. While these funds had been lying unused for quite a while, industry personnel argue the right thing to do was to utilize and spend them in underserved areas to improve infrastructure, etc. as opposed to housing them under the Ministry of Finance and putting them towards the paying off of circular debt. It must be noted that no efforts to better the existing infrastructure, either through policy or otherwise have been made.

6. Disclosure on filtering & surveillance equipment

Ever since the announcement that PTCL was ‘loaning’ the Ministry filters to block content, followed by a statement maintaining filters were not the solution, there has been no disclosure by the Ministry as to what has happened to these filters that were acquired. Not only that, but through what process they were acquired, at what cost, and what has been done with them; all these questions remain unanswered. There remains also no acknowledgment or clarification to date of the alleged presence of FinFisher control and command servers and Netsweeper in Pakistan.

7. Headway on Stakeholder Draft of E-crime Legislation

For quite some time now, there has been a fair amount of back and forth between the Ministry and stakeholders on the amendments to what was previously PECO (Pakistan Electronic Crimes Ordinance). Through multi-stakeholder input, various meetings with the previous Standing Committee on IT and even more meetings with the current Minister and Ministry officials, the PECB (Pakistan Electronic Crimes Bill) 2014 still has a long way to go it seems. After near unanimous approval of the draft by stakeholders, the Ministry allegedly decided to dish out some $20,000, it is said, to appoint an international expert to point out why the proposed legislation would not work.

Will this piece of legislation see the light of day, or will a government draft make it into law, remains to be seen. The Prime Minister’s office commissioned its own version of a cybercrime law – which has been criticized heavily for lack of safeguards and knowledge of technology. Why the wastage of funds and efforts when there already exists a piece of legislation that has been debated to no end?

What kind of coordination is there between the Ministry of IT and the PM’s office?

8. Headway on Privacy Legislation

According to the Constitution of 1973, the right to privacy is an inviolable right. Despite that, Pakistan still lacks laws that protect citizens’ right to privacy. Effective legislation that will help minimize monitoring by the government, regulate surveillance by corporates and ensure that personal information of citizens is properly protected remains missing. Despite the Snowden revelations, the authorities have not shown any commitment to protect personal data of citizens. In the past year, legislations such as the ‘Investigation for Fair Trial Act’ have been given a clean chit by the National Assembly and the Senate, further increasing the risk of legitimizing blanket surveillance by law-enforcement agencies, without accountability.

Comments: As someone everyone had high hopes from, the Minister has only disappointed. A month or two ago, many were still willing to give the Minister a chance. Yet, with every statement and action, the Minister only sunk their hopes of betterment. Bring up the Minister in conversation now, and there is a decided tone one hears, of utter frustration and anger. As a public official, she is expected to be more approachable.

It is pertinent to mention that be it over the blocking of YouTube, issuance of 3G licenses, spectrum allocation and use or relocating of USF/R&D funds, the government has been dragged into court for either non-responsiveness or contestable policies. A clear indication that nothing is right with policy-making or the approach towards it in this sector.

Going forward, what is expected of the Minister is to take seriously those outside the immediate bureaucratic and political circles. There is a lot of valuable input that has and can be provided further on issues of vital importance to industry and citizens. They deserve a hearing, and that input  needs to be factored into policy.

 

Introduction:

An article published in yesterday’s Dawn provided great detail of a cybercrime legislation drafted by Akram Sheikh Associates, commissioned by the government. Following are some initial and immediate concerns that the proposed legislation raises.

Conclusion:

The proposed legislation does not reflect a clear understanding of digital space or medium, and lacks adequate safeguards that should be in place to curb violations and excesses which have been committed in the past, under the Prevention of Electronic Crimes Ordinance, which is what led to its redrafting.

Other than the vague definitions, what this proposed legislation misses is description and detail of processes by which a crime is to be determined. In the electronic and digital medium, the process that leads to an action is of utmost importance. Determination of the crime is directly linked to that. Failure to establish a chain of deliberate and intentional events that lead to an action undermines the strength of the case. And so, with the processes and methods of determination undefined, the legislation remains open-ended and liable to misuse. This could potentially cause innocents to be charged and tried – a concern that has been highlighted in the past.

This brings us to the proportionality of punishments as well as the method of investigation and trial. Firstly, it is questionable whether some offences listed in this legislation should be considered offences in the first place.  Many of them, elsewhere, are considered as Tort. Secondly, the authorities constituted and the functions and powers ascribed appear to be too wide-ranging.

The manner of their constitution, appointment, functioning and decision-making is centralised, with the controls in the hands of the federal government. The little representation of private entities for which provision is created is also left to the discretion of government authorities, allowing them  to handpick candidates.  The authorities are created with the goal of empowering them to be the law unto themselves, instead of creating a system of checks and balances. Instead of devolving authority so as to require warrants, and establish a clear method of investigation and trial that should include a documented procedure that is to be followed, no boundaries have been ascribed to the authorities.

There is no consideration of the event that if the said authorities were to overstep their mandate – which in fact is not clearly defined – how is that event to be dealt with. While there are punishments for citizens, nothing is prescribed for authorities and officials when they commit a mistake or deliberately misuse authority.

Most disturbing are some of the functions which are unheard of, and can only undermine the security and integrity of information systems in the country. To this extent, certification accreditation and cryptography are of great concern.

It is quite startling to see that various portions of this proposed legislation have been replicated in their entirety from the Information Technology Act of 2000 of India. For example: Section 44 is a copy of Section 43 of the IT Act 2000 of India, Section 45 is a copy of Section 66 of the IT Act, and Section 54 and 55 are mere offshoots of Section 67 of the IT Act of 2000. It would be unwise to consider the Information Technology Act of 2000 as a stepping stone, as the Act was heavily criticized for infringing upon the personal liberties of Indian citizens. Moreover, it did not take into consideration evolving technologies and new forms of communication which is why in 2008, the Information Technology Act of 2000 was heavily amended by the Indian Parliament and the Amended IT Act of 2008 was introduced.

Similarly, the Prevention of Electronic Crimes Ordinance, when first proposed received heavy criticism from civil advocacy and industry groups due to the degree to which it ignored civil liberties, business continuity and a sheer disregard of international practices. The legislation aimed to instill upon the citizens a harsh brand of justice, which was evidence of not a democratic and aware society but more of a police state. This ultimately led to its redrafting.

Any proposed legislation should ensure it is not violative of due process and fundamental rights considerations. These should be at the very center of lawmaking. The uncanny resemblance of the proposed legislation under discussion in this paper, the discarded Indian IT Act and PECO indicates that little or no attention was paid to the concerns raised previously.

The approach to lawmaking in the digital space, as we have seen repeatedly, is undertaken with little or no knowledge of the nature of digital mediums and devices. It is futile to draw from existing frameworks and replicate those for electronic/digital media. Unless very specific, practical, implementable aspects of the functioning of these mediums are taken into consideration, laws will continue to remain irrelevant, unsound and repressive. Sound technical knowledge along with clear standards of rights and privacy are the very first requirement for law-making in this space. This expertise, as we have seen in the past, remains missing within the policy-making circles. The multi-stakeholder input is the only way forward. And we expect that when the time to table legislation arrives, the multistakeholder approach is the one adopted over political expediency.

 

Find our analysis here and below. Find the proposed legislation under discussion here.

As published by Dawn Magazine Special Report on 20th Oct’2013 

They say they’re lifting the ban on YouTube. The government has apparently come up with a brilliant plan so that just that silly video, The Innocence of Muslims, is blocked, and we can enjoy the rest of the gazillions of videos in peace. What is this plan? In order to even begin to tell you about it, I’ll first have to explain how YouTube works.

YouTube, like other more secure websites these days, uses HTTPS instead of HTTP. When you look at the address bar in your browser when you’re at such a website, you’ll probably see a lock symbol and https://yoursiteaddress, rather than the usual http://blahblahblah. What does this mean? When you go to an HTTPS website, there is a certain exchange of certificates between your browser and the server where the site is hosted. Your browser acts a bit like an immigration officer, “May I see your passport, please?” The server says, “Here you go, sir!” And if everything looks ok, your browser allows you to view the site’s contents. These HTTPS certificates are only granted to an extremely limited number of servers across the world, and much like the holographic image on a valid visa on your passport, it would be next to impossible to fake, and all information in such exchanges with HTTPS servers is encrypted.

Now blocking access to an entire website using its root addresses (https://youtube.com, etc.) is one thing, and can be done by our Internet Service Providers (ISPs). But blocking access to a particular video on that site would mean screwing with this hardcore HTTPS protocol. Actually, the method that the ISPs have been using to block our access to YouTube, porn and a lot of sites which nobody has any idea why they have been banned in the first place, already puts our internet privacy at risk. This method allows them to keep track of what and when an internet user accesses on the internet, unless it’s done through HTTPS. And now that we’re moving against an actual HTTPS site, this will only make matters worse!

What options did we have in dealing with this issue?

  1. Unblocking YouTube outright.
  2. Working with Google, YouTube’s parent company, to block access to the video in Pakistan (like Indonesia, India, Jordan, Malaysia, Russia, Saudi Arabia, Singapore and Turkey already have).
  3. Installation of filtering and surveillance software on users’ computers.
  4. A Machine/Man-In-The-Middle (MITM) attack.

The case for unblocking

Because of the high number of complaints against this video, YouTube shows its users a notification before allowing them to watch the video. This is explained in the following excerpt from the letter they sent to Mr Yasser Hamdani, the lawyer representing Bytes for All in the Lahore High Court case to unban the site:

“In some cases, content may not breach the global guidelines but may still be flagged as particularly sensitive for some viewers. This is the case, for example, with the Innocence of Muslims video. In this case, we add a warning interstitial page that users see before they accept to continue through to the video itself.

The warning states: “The following content has been identified by the YouTube community as being potentially offensive or inappropriate. Viewer discretion is advised”. It was on the basis of this interstitial page that the government of Bangladesh, for example, lifted its earlier ban on YouTube.”

Working with Google

Google has ruled out cooperating in this regard until the company is offered Intermediary Liability Protection (ILP) through a legislative amendment which shields it from any legal repercussions resulting from any user of the website uploading content that’s considered unlawful in Pakistan. Following is the text regarding this issue from the same letter to Mr Hamdani:

“In some countries, YouTube has additional functionality and customisation that allows for the highlighting to users of local content within a country. You can see a list of these countries in the ‘country’ menu at the bottom of a YouTube page. The decision as to whether to offer this service is a business, legal and commercial decision, and takes into consideration, for example, whether there is adequate legal certainty and protections for the provision of such online services in the country.

We have been discussing this in the context of the need for intermediary liability protection for online platforms and a clear notice-and-take-down mechanism in Pakistan to bring these provisions into line with international best practice (such as the OECD guidelines). For example, any notice-and-take-down requirements should be based on legal process, address individual video URLs as opposed to requiring broad general monitoring and pre-emptive removals, and allow for counter-notice from content owners. Whilst, without prejudice to any jurisdictional argument, we are grateful for any offer to provide additional legal certainty and protections, we believe that only a legislative change such as a clarification within appropriate legislation would ensure the necessary consistency across multiple judicial bodies and address the international best practice requirements above. The provision of such legal certainty would also, we respectfully suggest, open up the broader exciting opportunities of the digital economy to Pakistan.”

In layman’s terms, Google would only consider taking the video down for Pakistan if such protection was offered to them at a legislative level. The Lahore High Court in May agreed to do this, but nothing seems to have been done about that as of yet.

The software route

Certain HTTPS-based software can take care of this issue. It can be installed voluntarily by all internet users in the country, or the government could launch a sort of spyware campaign, forcibly installing it on everyone’s computers. According to reports, our government is already involved in such activity, but hopefully only against certain individuals and not the public at large.

MITM

In the meanwhile, the method that our government seems to favour is this one: the Man-In-The-Middle attack effectively puts a proxy server between all of Pakistan’s computers and YouTube. So instead of many of us going to proxy server sites to watch YouTube videos, the government is going to do us a solid and set up a lovely proxy server for us. This server will filter the videos that are deemed not fit to watch in Pakistan. And to use the immigration analogy from the beginning of this article, our government is possibly getting into the business of printing fake visas. They’re going to have to use a Certificate that our browsers will trust as legitimate. Most probably the browsers won’t, and will ask us, “Are you sure about this?” And we, in our desperation, will be willing to click “Yes!” to just about anything at that point.

First of all, the whole point of HTTPS is that it is secure. When you compromise its security, you’re compromising the privacy and security of all Pakistani internet users’ internet transactions and data. Banking pins, email and social media passwords, and secure messaging, could all be monitored, logged and analysed, turning Pakistan into a surveillance state. And what if this national proxy server is hacked? We can say with certainty, that if this method is used, our entire online lives would be at risk.
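A client-side check for the interception described above, as an added example that is not part of the original article: it records which certificate the current network path presents for a site and compares it with a baseline recorded earlier from a path you trust. The function names, the baseline format and the sample values are assumptions made for this illustration; it also covers the case the browser warning does not catch, where the proxy's certificate authority has already been installed as trusted.

```python
import hashlib
import socket
import ssl


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as hex."""
    return hashlib.sha256(der).hexdigest()


def issuer_org(peercert: dict) -> str:
    """Pull organizationName out of the nested issuer tuples ssl returns."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def observe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Record what this network path presents for `host`."""
    strict = ssl.create_default_context()  # system trust store + hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with strict.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True) or b""
                return {
                    "verify_error": None,
                    "sha256": cert_fingerprint(der),
                    "issuer_org": issuer_org(tls.getpeercert()),
                }
    except ssl.SSLCertVerificationError as exc:
        verify_error = exc.verify_message  # what the browser would warn about

    # Validation failed: reconnect without validation only to fingerprint the
    # certificate that was presented. No application data is sent.
    loose = ssl.create_default_context()
    loose.check_hostname = False
    loose.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with loose.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True) or b""
    return {"verify_error": verify_error,
            "sha256": cert_fingerprint(der),
            "issuer_org": ""}


def assess(obs: dict, baseline: dict) -> str:
    """Compare an observation with a baseline taken from a trusted path."""
    if obs["verify_error"]:
        # The "Are you sure about this?" case: the chain does not validate.
        return "untrusted"
    if obs["sha256"] in baseline["sha256"]:
        return "match"
    if obs["issuer_org"] in baseline["issuer_orgs"]:
        # Same certificate authority, different leaf: routine rotation.
        return "rotated"
    # Validates locally but comes from an issuer never seen on the trusted
    # path: consistent with an interception CA added to the trust store.
    return "unexpected-issuer"


# Constructed sample data (not real certificates or real CA names).
BASELINE = {
    "issuer_orgs": {"Example Trust CA"},
    "sha256": {cert_fingerprint(b"constructed-leaf-A")},
}
SAMPLES = {
    "direct": {"verify_error": None,
               "sha256": cert_fingerprint(b"constructed-leaf-A"),
               "issuer_org": "Example Trust CA"},
    "proxy, CA not trusted": {"verify_error": "self-signed certificate",
                              "sha256": cert_fingerprint(b"constructed-proxy"),
                              "issuer_org": ""},
    "proxy, CA installed": {"verify_error": None,
                            "sha256": cert_fingerprint(b"constructed-proxy"),
                            "issuer_org": "Example Filter CA"},
}

if __name__ == "__main__":
    for label, obs in SAMPLES.items():
        print(f"{label}: {assess(obs, BASELINE)}")
```

An "unexpected-issuer" result is a prompt to compare against a second vantage point rather than proof on its own, since sites do change certificate authorities.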

The best option would be to work with Google on this. We need to speed up the legislative process regarding the ILP issue. Even though this would mean that the government would be controlling YouTube’s activity according to our local laws, which would still be unacceptable to many of us. But still, at least we’ll have YouTube without as much risk!

As published by Dawn Magazine Special Report on 20th Oct’2013 

They say they’re lifting the ban on YouTube. The government has apparently come up with a brilliant plan so that just that silly video, The Innocence of Muslims, is blocked, and we can enjoy the rest of the gazillions of videos in peace. What is this plan? In order to even to begin to tell you about it, I’ll first have to explain how YouTube works.

YouTube, like other more secure websites these days, uses HTTPS instead of HTTP. When you look at the address bar in your browser when you’re at such a website, you’ll probably see a lock symbol and https://yoursiteaddress, rather than the usual http://blahblahblah. What does this mean? When you go to an HTTPS website, there is a certain exchange of certificates between your browser and the server where the site is hosted. Your browser acts a bit like an immigration officer, “May I see your passport, please?” The server says, “Here you go, sir!” And if everything looks ok, your browser allows you to view the site’s contents. These HTTPS certificates are only granted to an extremely limited number of servers across the world, and much like the holographic image on a valid visa on your passport, it would be next to impossible to fake, and all information in such exchanges with HTTPS servers is encrypted.

Now blocking access to an entire website using its root addresses (https://youtube.com, etc.) is one thing, and can be done by our Internet Service Providers (ISPs). But blocking access to a particular video on that site would mean screwing with this hardcore HTTPS protocol. Actually, the method that the ISPs have been using to block our access to YouTube, porn and a lot of sites which nobody has any idea why they have been banned in the first place, already puts our internet privacy at risk. This method allows them to keep track of what an internet user accesses and when, unless it’s done through HTTPS. And now that we’re moving against an actual HTTPS site, this will only make matters worse!

What options did we have in dealing with this issue?

  1. Unblocking YouTube outright.
  2. Working with Google, YouTube’s parent company, to block access to the video in Pakistan (like Indonesia, India, Jordan, Malaysia, Russia, Saudi Arabia, Singapore and Turkey already have).
  3. Installation of filtering and surveillance software on users’ computers.
  4. A Machine/Man-In-The-Middle (MITM) attack.

The case for unblocking

Because of the high number of complaints against this video, YouTube shows its users a notification before allowing them to watch the video. This is explained in the following excerpt from the letter they sent to Mr Yasser Hamdani, the lawyer representing Bytes for All in the Lahore High Court case to unban the site:

“In some cases, content may not breach the global guidelines but may still be flagged as particularly sensitive for some viewers. This is the case, for example, with the Innocence of Muslims video. In this case, we add a warning interstitial page that users see before they accept to continue through to the video itself.

The warning states: “The following content has been identified by the YouTube community as being potentially offensive or inappropriate. Viewer discretion is advised”. It was on the basis of this interstitial page that the government of Bangladesh, for example, lifted its earlier ban on YouTube.”

Working with Google

Google has ruled out cooperating in this regard until the company is offered Intermediary Liability Protection (ILP) through a legislative amendment which shields it from any legal repercussions resulting from any user of the website uploading content that’s considered unlawful in Pakistan. Following is the text regarding this issue from the same letter to Mr Hamdani:

“In some countries, YouTube has additional functionality and customisation that allows for the highlighting to users of local content within a country. You can see a list of these countries in the ‘country’ menu at the bottom of a YouTube page. The decision as to whether to offer this service is a business, legal and commercial decision, and takes into consideration, for example, whether there is adequate legal certainty and protections for the provision of such online services in the country.

We have been discussing this in the context of the need for intermediary liability protection for online platforms and a clear notice-and-take-down mechanism in Pakistan to bring these provisions into line with international best practice (such as the OECD guidelines). For example, any notice-and-take-down requirements should be based on legal process, address individual video URLs as opposed to requiring broad general monitoring and pre-emptive removals, and allow for counter-notice from content owners. Whilst, without prejudice to any jurisdictional argument, we are grateful for any offer to provide additional legal certainty and protections, we believe that only a legislative change such as a clarification within appropriate legislation would ensure the necessary consistency across multiple judicial bodies and address the international best practice requirements above. The provision of such legal certainty would also, we respectfully suggest, open up the broader exciting opportunities of the digital economy to Pakistan.”

In layman’s terms, Google would only consider taking the video down for Pakistan if such protection was offered to them at a legislative level. The Lahore High Court in May agreed to do this, but nothing seems to have been done about that as of yet.

The software route

There is certain HTTPS-based software which can take care of this issue. It can be installed voluntarily by all internet users in the country, or the government could launch a sort of spyware campaign, forcibly installing it on everyone’s computers. According to reports, our government is already involved in such activity, but hopefully only against certain individuals and not the public at large.

MITM

In the meanwhile, the method that our government seems to favour is this one: the Man-In-The-Middle attack effectively puts a proxy server between all of Pakistan’s computers and YouTube. So instead of many of us going to proxy server sites to watch YouTube videos, the government is going to do us a solid and set up a lovely proxy server for us. This server will filter the videos that are deemed not fit to watch in Pakistan. And to use the immigration analogy from the beginning of this article, our government is possibly getting into the business of printing fake visas. They’re going to have to use a Certificate that our browsers will trust as legitimate. Most probably the browsers won’t, and will ask us, “Are you sure about this?” And we, in our desperation, will be willing to click “Yes!” to just about anything at that point.
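The certificate check described above, as an added example that is not part of the original article: the script builds a constructed certificate authority, a genuine site certificate and a self-signed proxy certificate for the same placeholder hostname, then shows that the proxy's certificate fails chain validation, passes once it has been accepted into the trust store, and is still caught by a pinned public-key hash. The hostname video.example.test, the file names and the function names are assumptions, and OpenSSL 1.1.0 or later is assumed to be installed.

```shell
#!/bin/sh
# Added example. Every key and certificate is generated locally (constructed
# data); nothing here touches the network.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST="video.example.test"   # placeholder hostname (assumption)

new_key() { openssl genrsa -out "$1" 2048 2>/dev/null; }

build_demo_pki() {
    # Root CA that the "browser" in this demo trusts.
    new_key "$WORK/ca.key"
    openssl req -x509 -new -key "$WORK/ca.key" -subj "/CN=Demo Trusted Root" \
        -days 30 -out "$WORK/ca.pem" 2>/dev/null
    # Genuine site certificate, issued by that root.
    new_key "$WORK/site.key"
    openssl req -new -key "$WORK/site.key" -subj "/CN=$HOST" \
        -out "$WORK/site.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
        -out "$WORK/site.pem" 2>/dev/null
    # Interception proxy's certificate: same hostname, but self-signed.
    new_key "$WORK/proxy.key"
    openssl req -x509 -new -key "$WORK/proxy.key" -subj "/CN=$HOST" \
        -days 30 -out "$WORK/proxy.pem" 2>/dev/null
    # Trust store as it looks after the user has clicked "Yes" to the warning.
    cat "$WORK/ca.pem" "$WORK/proxy.pem" > "$WORK/store_after_yes.pem"
}

# Name the certificate claims to belong to.
subject_of() { openssl x509 -in "$1" -noout -subject; }

# SHA-256 over the DER-encoded public key: the value a pin is compared against.
spki_hash() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# chain_ok CERT TRUST_STORE: succeeds only if CERT chains to the store.
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# verdict CERT TRUST_STORE PINNED_SPKI_HASH
verdict() {
    if ! chain_ok "$1" "$2"; then
        echo "untrusted-issuer"      # what triggers the browser warning
    elif [ "$(spki_hash "$1")" != "$3" ]; then
        echo "pin-mismatch"          # chain is accepted, but the key changed
    else
        echo "ok"
    fi
}

build_demo_pki
PIN=$(spki_hash "$WORK/site.pem")    # recorded while the connection was clean

echo "same name on both certs: $(subject_of "$WORK/proxy.pem")"
echo "genuine cert, clean store:       $(verdict "$WORK/site.pem" "$WORK/ca.pem" "$PIN")"
echo "proxy cert, clean store:         $(verdict "$WORK/proxy.pem" "$WORK/ca.pem" "$PIN")"
echo "proxy cert, after clicking Yes:  $(verdict "$WORK/proxy.pem" "$WORK/store_after_yes.pem" "$PIN")"
```

The last line is the case the article warns about: once the certificate has been accepted the warning disappears, and only a comparison against a previously recorded key still shows that the connection is being intercepted.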

First of all, the whole point of HTTPS is that it is secure. When you compromise its security, you’re compromising the privacy and security of all Pakistani internet users’ internet transactions and data. Banking PINs, email and social media passwords, and secure messaging could all be monitored, logged and analysed, turning Pakistan into a surveillance state. And what if this national proxy server is hacked? We can say with certainty that if this method is used, our entire online lives would be at risk.

The best option would be to work with Google on this. We need to speed up the legislative process regarding the ILP issue. Even though this would mean that the government would be controlling YouTube’s activity according to our local laws, which would still be unacceptable to many of us. But still, at least we’ll have YouTube without as much risk!

As published by Dawn Magazine Special Report on 20th Oct’2013 

“There was life before YouTube you know” … say those trying to smooth my ruffled feathers when I express frustration at not being able to access it. Quite true … but the same is true of life before cars or television or the light bulb or toilet that can be flushed or even sliced bread! Why doesn’t everyone go back to it because all of these things offend someone or the other’s sensibilities at some stage?

No one does … because we are not meant to; we are meant to go forward, embrace change and reap its benefits. As with most things, nothing is good or bad in itself. The usage makes it so. It’s difficult to understand for people who are the progeny of those who labelled first the loudspeaker, then the radio, and then the TV/VCR, etc. as ‘Satanic devices’ but is simple for anyone with common sense.

YouTube is a platform; much like a blackboard, or a loudspeaker. It provides an opportunity for people to post video content on it. Yes, it has the good, the bad and the ugly sides, depending on who is watching what, but what it does NOT have is the ability to force you to see what you think is inappropriate.

What it does is that it allows students sitting in an impoverished part of the world to gain access to resources and guidance material developed by the best educational institutions in the world.

It allows musical prodigies like Usman Riaz from Pakistan to unlock their talent and reach the world stage. It allows people like Salman Khan of Bangladesh to set up his amazing www.khanacademy.org which has delivered over 300 million lectures across the world.

Then we have our very own www.sabaq.pk which has the complete curriculum of maths right up to Matric available on YouTube videos for students the world over.

It has delights such as www.toffeetv.com, which entertains and educates little children, and on the other end of the spectrum it had offered a free platform to our Virtual University to post all its educational content on it.

Then we had the innovative platform for webtv that was offered by www.247online.tv to engage the youth that does not watch television.

What about the harm this ban has done to initiatives like www.daestv whose entire business model was based on the availability of this free platform?

And what about the wealth of content that our specialist universities like the NED used to access from MIT or Air University? And medical students watching complicated surgeries and learning from them?

As was explained by Farieha Aziz of Bolobhi, the amicus curiae for the Lahore High Court hearing the petition against YouTube ban, filed by BytesforAll, Pakistan [a human rights organisation with a focus on Information and Communication Technologies], there were 13,049,489 views on YouTube for videos from just six educational institutions in Pakistan that used the website to place their video lectures. The institutions included the Virtual University of Pakistan, The Institute of Chartered Accountants Pakistan, Lahore University of Management Sciences, Quaid-i-Azam University Islamabad, National University of Sciences and Technology.

For those who adopt a dismissive attitude about the art, music and other entertainment resources, even though they are just as important as components of a holistic education, how can they not value the resources that are there in the form of advocacy videos on health, fitness, environment, religion, cooking, DIY tips, advocacy videos put up there by various organisations. What about political and social activism? None of these would have been possible without this free medium.

Data submitted to the Lahore High Court also lists down some very clear contrasts. Total number of views for Islamic and educational content on YouTube were 1,199,368,564, while the total worldwide views of the objectionable film, The Innocence of Muslims, on YouTube were 1,965,186, which is just 0.164 per cent of the former.

Of course, the figures for the offending film owe a lot to the violent protests in Muslim countries which spiked the interest in this very amateurish video which had remained obscure until all hell broke loose here. It probably would have remained so had it been ignored, but what is past is past.

What is the way forward? Is there a way forward in a country where policies are made hostage to violent street protest and where rational discourse is decapitated?

For those who do not seem to understand the way the new medium of the internet works, it is impossible to block something. There are ways to get around these bans. People have found them in countries like China and Iran too.

Such bans encourage people to use proxies. This exposes their computers to the risk of viruses. Offices and institutions certainly will not allow that even if it means not being able to benefit from online resources.

But this does not mean that people are going to stay away. As posted by http://www.infopakistan.pk, the search trends about Pakistanis on YouTube have not changed from what they were in 2012. This means that just about the same number of people are accessing the medium as before the ban.

There are good and bad people, good and bad books, good and bad movies, restaurants and theatre. Similarly there is good and bad content on the internet. However, you can keep yourself out of harm’s way by not accessing it. No one is going to force it on you.

So go ahead, use a Virtual Private Network (VPN) if you can afford to. Otherwise, just Google Youtube unblockers and choose from any number of ways to access YouTube, after making sure your computer is secured against viruses, etc. Watch all that is best on YouTube as it is NOT bad for you!

Published in The News on Sunday on October 13th – Special Report

Ask the people on the streets about the proposed VoIP ban, and the response is rather mixed
By Ammar Shahbazi

The Sindh government’s proposal to ban instant messaging and voice over internet protocol (VoIP) applications, such as Skype, WhatsApp, Tango and Viber for three months has drawn anger and ridicule from the public.

Internet users are enraged at their utter helplessness, as the government, flaunting its power, comes up with blanket measures — citing the ever-deteriorating law and order situation in the province.

They say government machinery, which is made up of grey-haired politicians and bureaucrats, is yet to comprehend the dynamics of internet.

“They are at a complete loss,” says Kashfia Altaf, a university student, “You cannot treat internet users like this. It’s a different world. The government is totally clueless when it comes to handling internet.”

At a press conference last week, Sindh Government’s information minister, Sharjeel Memon, called the proposed ban an inevitable step to curb criminals from making extortion calls through these Apps — a norm in the provincial capital Karachi during EidulAzha. He was of the view that the decision would complement the ongoing targeted operation in the city.

However, regular internet users see such an idea as a severe infringement of their right to benefit from the World Wide Web.

In the past several years, the use of VoIP apps like WhatsApp and Skype increased manifold. People have set up home-based business through Skype, where WhatsApp and Viber also became a crucial part of their lives.  

“Banning these Apps will affect people in different ways,” explains Khurram Ishtiaq, a software developer who works for a foreign company from his home in Karachi. “The world in general takes these Apps for granted now. There are e-businesses established on the basis of these tools. It’s like banning electricity for three months, because there is an increase in incidents of electrocutions.”

However, the proposal has its supporters, including the patron-in-chief of Pakistan People’s Party (PPP), Bilawal Bhutto, who famously tweeted: “Dear Burgers, Sorry abt Skype/Viber/Whatsapp. Excuse us while we catch some terrorists and save some lives. SMS for 3 months. Sincerely BBZ.”

There are also some who like to believe that the use of VoIP Apps in Pakistan is exaggerated. And the wave of criticism on twitter against the decision was overly dramatic.

“Ask the people on the street, they won’t even know what Tango is or how WhatsApp works, even I don’t know,” says Shahid Idrees, another university student. “These Apps became trendy just a few years back, and the idea some of these arm-chair twitter-based activists are trying to give is that we cannot live without them. This is ridiculous. Why does everything become a life and death issue?”

Idrees, however, does not support Sindh government’s security strategy. He says the provincial government has a history of taking such extreme measures that only lead to problems for people.

The people of Sindh had in the last PPP-led government braved the most number of mobile service cancellations — spending whole days without connections. Then the YouTube ban followed.

The people in general have resorted to a muted response. The rage is usually typed out, and that’s all. Be it a cell phone network or a website, apart from twitter and other social media outlets, the government’s clampdowns never really propel a massive outrage — not even a memorable public demonstration against such trampling of individual rights. “This goes on to show how much YouTube, Skype or Tango is relevant to the majority of Pakistanis,” adds Idrees.

The ban is still a proposal. The federal interior minister, Chaudhry Nisar, has voiced his disagreement over the idea, saying that he is personally against such an extreme measure. It may be mentioned that banning of websites or applications falls beyond the purview of the provincial government. It’s the federal interior minister who will give the final nod. The net-savvy Skype, WhatsApp users are using their Apps while the federal government makes up its mind.

Republished from The News On Sunday – As Published on the 13th Oct’2013

The world over, there has been a breach of trust between the public and government on issue of online surveillance
By Bushra Sultana

Ever since the invention of the internet there were idealistic hopes attached to the freedom and anonymity it afforded to its users. In the last decade of 20th century, internet was promoted as a bastion of free speech and limitless possibilities in a world still recovering from the secrecy of the Cold War.

Unfortunately though, it wasn’t long before the utopian dream started unravelling. In a little over the last decade, companies like Google and Amazon entered the market with their overwhelming capacity to collect data about their users. This corresponded with massive increase in the amount of data available online. According to Science magazine, even till 2000, only 25 per cent of the world’s data was stored digitally. But by 2013, over 98 per cent of the data was digitally formatted and stored.

This reflects a huge shift in the way we interact with information. More importantly, the kind of information that is now recordable has changed. Many services, such as medical and educational records, and personal correspondence, including pictures and videos are increasingly being stored online. Thus, a tremendous amount of information is now susceptible to third parties.

“The minute you switch on your cell phone it is registered on the network,” says Fouad Bajwa, an international governance consultant. “Even if you switch off your location services, your location and movement is being mapped on the servers. Similarly, when you go online from your computer, it is registered and given an IP address. From there everything you do is traceable.”

Incidentally, the rise of big data — the sheer volume of information stored online — has corresponded with the global war on terror. Countries that were hit by terrorism saw an opportunity for a new kind of surveillance that put fewer lives at risk and was comparatively faster in yielding results.

Thus, the governments not only set up their own divisions but also got other companies, such as Google and Facebook, to grant them access to their records.

In light of Edward Snowden’s disclosure, it is now clear that the amount of surveillance being done by the US and the UK is overwhelming, to say the least.

According to The New York Times, the US government monitors almost all email content that crosses the US borders. This surveillance was allowed through a 2008 law, the FISA Amendments Act, that authorised the government to monitor its citizens without a warrant as long as the “target” was a non-citizen abroad.

The United Kingdom isn’t far behind. At the time Snowden revealed the National Security Agency’s (NSA’s) Prism programme, he also gave information about Tempora, a similar operation run by the UK spy agency Government Communications Headquarters (GCHQ) since 2011. GCHQ also monitors almost all data transmitted through telephone and Internet lines across continental Europe and the Atlantic. Additionally, GCHQ shared the data it collected with the NSA in a collaborative attempt to fight terrorism.

Since these revelations, media reports have disclosed how other European governments are involved in online surveillance. France has a surveillance programme. Netherlands’ local media have reported that the government may have access to the data collected through the NSA programme. Earlier this year, the Indian government also introduced a centralised monitoring system for calls and internet communications without being clear on how the individual rights would be protected.

Advanced spyware Finfisher, developed by a UK-based company, has been found on servers on a network owned by PTCL as reported by The Citizen Lab of the University of Toronto. However, it is still not clear whether the spyware is being used by the Pakistani government or is being used by another government on the PTCL networks.

Proponents of internet surveillance argue that this monitoring saves lives. But how much success has this kind of surveillance had for the American government?

In June, 2013, NSA Director Gen. Keith Alexander, told a congressional committee that the NSA’s surveillance programme has till date helped stop over 50 terror plots in the US and abroad. These figures quantify the results of such surveillance tactics. But the inherent murkiness of the procedures raises legitimate concerns about the absence of control on the spying agencies.

In the aftermath of Snowden’s leaks, elected officials on both sides of the Atlantic — the UK and the US— have either claimed ignorance about the existence of such programmes or have asserted that they were not aware of the extent of surveillance. As Nighat Dad, executive director of Digital Rights Foundation based in Pakistan, says, “those responsible for governance have frequently been left uninformed, or under-informed, or in some cases openly lied to about what programmes were in operation.”

While discussing the need for a balance between the necessity of surveillance and rights to privacy, Emma Carr, deputy director of the UK-based civil rights advocacy group Big Brother Watch, admits “the internet can and should be used as a tool for targeted and investigative-led surveillance in order to catch terrorists and individuals involved in serious crime.” However, Carr argues, the UK parliament did not intend for these laws to permit agencies to gather details of every communication we send, which includes content. “Those responsible for oversight have failed,” she says.

Dad agrees there has been a breach of trust between the public and government on issue of online surveillance. “Civil society… has, for years, accepted that the ‘necessary and proportionate’ clauses [to monitor] were being introduced in good faith,” she says. “That is, that some level of state surveillance/interception must be allowed, but that it would be constrained and properly managed.” However, Dad says, it was later found out that such provisions were exploited to “practice unconstrained mass interception”.

Dad gives the example of Foreign Intelligence Surveillance Court (FISC). “In some cases, it is not possible to tell whether what is being done is legal or not (because the laws governing its operation are secret).” She is referring to the courts that operate under FISA. These courts work ex parte, which means during the hearings there is no one present except for the judge and the government to make the case. Also, the courts have approved more than 99 per cent of the requests brought before them.

Where does the road lead from here? There is uniformity in the suggested solutions, no matter which country is under discussion.

Sana Saleem, co-founder and director of Pakistani advocacy internet group Bolo Bhi, believes that before any policy on internet regulation is formulated in Pakistan, there is a need to ensure constitutional safeguards for people’s rights. Carr agrees when she says that the European laws are dated and cannot be applied to the completely different world of online surveillance today.

Dad claims the US has a bigger problem when it comes to the laws governing interception and surveillance. “For instance,” she says, “there is disagreement, right up to the Supreme Court, about whether there is any general right to privacy arising out of the US Constitution (particularly the 4th Amendment).”

A coherent and fruitful debate about Internet governance, it seems, can occur only when the individual rights of people are redefined within a framework that reflects the new realities of the digital age.

Republished from The News On Sunday – As Published on the 13th Oct’2013

One view is that blocking communication channels would do nothing more than what ban on pillion-riding has to curb crime
By Shahzada Irfan Ahmed

Pakistanis widely share a joke on what their government would have done had 9/11 terrorist attacks taken place in Pakistan — it would have imposed a ban on pillion riding. Years down the road, the state is accused of curbing civic liberties in the name of security and morality.

Such knee-jerk reactions are often taken without taking all stakeholders on board. The most recent example is that of the Sindh government deciding to block voice over internet protocol (VoIP) communication channels for three months.

Earlier measures include frequent suspension of cellular phone services, banning of Facebook and YouTube (still inaccessible) and blocking of hundreds of thousands of Universal Resource Locator (URL) addresses declared harmful for various reasons.

The history of mobile and internet networks is a decade old in Pakistan. In the 1990s, the only private sector cell phone company of that time had to foot the bill of multi-million rupee scanner. The Karachi police required this equipment to track mobile phone calls made on this company’s network, which operated on a high frequency.

The government, which would deny it, was spying on internet users. It made its ideas public in the first quarter of 2012. Through the Ministry of Information Technology (IT) and the National ICT Research and Development (R&D) Fund, it advertised a request for proposals in national dailies for the development, deployment, and operation of a national level website URL filtering and blocking system. This move was condemned by internet rights activists and others who wrote to international companies, asking them not to participate in this bidding.

This leads to the question of internet censorship capabilities of the government. Fouad Bajwa, an IT expert who has been part of several multilateral consultations on the issue, explains the situation. He says such regulations are being implemented without a proper legislation. These regulations, he says, result in censorship of online content through filtering and blocking of websites, IP addresses, and in some cases, various services, such as VoIP services.

The execution role is primarily led by the Pakistan Telecommunication Authority (PTA) at the Pakistan Internet Exchange (PIE) through which all incoming and outgoing Pakistani internet and communications traffic passes and is sufficiently monitored or recorded.

The technical design of the system is to deploy a national level system that trickles down to the internet service provider (ISP) level, turning them into points of presence (POPs) where content can be blocked. “If the parent body puts in a URL for blocking, the POPs will automatically be updated and ISPs will automatically begin to block the content,” he adds. A prominent example of this is blocking of thousands of pornographic content websites by adding their URLs to the list one by one.

According to newspaper reports, a fifteen-year-old Pakistani student compiled and sent forward a list of 780,000 pornographic websites to PTA for blocking them. Though hard to believe, he claimed he had visited each of them to verify the nature of content displayed there.

The Pakistan Telecommunication (Re-organisation) Act 1996 clearly states: “Notwithstanding anything contained in any law for the time being in force, in the interest of national security or in the apprehension of any offence, the Federal Government may authorise any person or persons to intercept calls and messages or to trace calls through any telecommunication system.”

Article 19 of the Constitution grants citizens the right to express and access information except when it compromises national security, public morality, etc. Similarly, Article 31 makes it government’s duty to promote unity and observance of the Islamic moral standards in the country. Different bans have been enforced by referring to these provisions.

Furhan Hussain, Coordinator Advocacy and Outreach at Bytes For All (B4A), an internet advocacy group, contests this logic, saying these terms can be deciphered by the government to justify whatever coercive measure it takes. “National security, public morality, and religion are dear to every citizen but why is it so that the state monopolizes and manipulates them,” he says.

His organisation has filed cases in the Lahore High Court (LHC), including those on banning of YouTube and installation of internet surveillance software. Hussain says they have pleaded in the court that they be provided complete list of the URLs blocked by the government. “We are sure there are a large number of harmless websites which have been blocked but nobody knows about them. Websites expressing political dissent have been blocked for obvious reasons.”

No doubt, choices for the government are tough to make but guaranteeing citizens their rights is also its prime responsibility. It will have to be very careful while declaring if a content is harmful or not in political and national security categories.

Similarly, security content may cover national security, anti-state content, separatist movements, terrorist activities and everything usually deemed against a state’s or nation’s constitution. Several websites run by Baloch nationalists and separatists have been blocked on these grounds.

Shahida Saleem, ex-chair of Federation of Pakistan Chambers of Commerce and Industry’s (FPCCI’s) Standing Committee of IT, condemns internet censorship policy of the government and terms it a conspiracy to disconnect Pakistanis from the world. “We (as business community) are already at a disadvantage due to our security situation, power crisis, etc. Now the government wants to cripple us in terms of global connectivity as well.”

She says the business community is worried as it cannot talk to their local and international clients via Skype. Most of their operations, she says, are Skype-based as it’s a great way to stay connected with team members, hold video conferences, and even demonstrate products and services to prospective customers.

Saleem complains the business community was not taken on board. “While the terrorists and extortionists may switch to alternative means of communication, we have no alternative in sight.”

“By blocking these services,” she believes, “the government will lose a source of tracking criminals through their communication and the IP addresses they use to interact with each other. Now they will use proxies, which hide the exact geographical location of users of these services.”

The solution, experts suggest, lies in cooperation of state pillars and coordination on a single policy by political actors and law enforcement agencies, regardless of their affiliations and building public consensus to curb violence.

It’s time for the government to realise blocking communication channels would do nothing more than what ban on pillion-riding has to curb terror and crime.

shahzada.irfan@gmail.com