The Dangers of a Content Filtration System

What would happen if a content filtration system such as the one The National ICT R&D Fund has advertised seeking proposals for were put in place? How would it affect the privacy of Internet users in Pakistan and what kinds of abuses would it invite? A discussion by a member on a social networking site sheds light on some of these questions and more….

(published as posted)

“So for all of those asking what is wrong with implementing such a system, let me put a few points out.”

Technical Background:

1. The Government already has a tap on the International Fibers from the two peering points (TWA and PTCL), i.e. the two submarine cable operators in Pakistan.

2. All the traffic to/from Pakistan flows through these peering points and the two taps. The two taps go to “Government”; where exactly (PTA? Military? etc.), no one knows and no one wants to talk about it.

3. What happens with these existing taps? You can very well imagine, they can do DPI (Deep Packet Inspection) of all the traffic. What they cannot open right now are encrypted packets, such as packets by Skype, HTTPS sessions and VPN or other encrypted sessions.

4. Under the guise of blocking grey VOIP (voice over IP) traffic, etc., the various agencies (MI, ISI, IB, etc.) have already managed to get the taps and are able to look at the payload traffic (essentially peer into your traffic) and “assemble” your packet-stream and reconstruct your Web or Email or FTP session. This is very easy to do with the right tools, provided you have the ability to tap into the link. Currently the Government uses Narus to do this. Remember, the official story is that it is to curb Grey VOIP traffic that is supposedly causing loss to the national exchequer in the Millions (Billions, etc.).

5. The government has been trying for a long time to tap into the VPN and encrypted circuits. This they did with legislation / a circular by PTA to register ALL VPN circuits in the country. You can look at the current URL for more information (Virtual watchdog: Internet users banned from browsing privately for ‘security reasons’).

6. Now what remains to rein in the control is – blocking of URLs (porn? anti-state propaganda material, anti-Islam material?) All of these clauses are part and parcel of the various Data Communication Licenses that have been given to the various operators. So the way PTA sees it – this is something long overdue.

7. Under the guise of the URL filtering, HTTPS sessions would also be tapped. In order to do this, all HTTPS sessions would be subjected to something called Man In The Middle Attacks (MITM). This basically says, you proxy the original HTTPS certificate/session (say as given by Gmail) and provide the user a locally owned Certificate (let’s call this Pakistan URL Filtering Certificate) and with this, you have essentially been able to now look into HTTPS (Secure) traffic.

8. This is a huge issue. With all the dissidents, anti-state activists, persons of interests, political figures, etc. The government will be able to see the HTTPS traffic and be able to identify the sources.

9. With Gmail, it currently establishes an HTTPS session and obfuscates the Source IP of the sender of the email. This is a stone in the government’s shoe, they cannot “identify” where these people are, and with this HTTPS peering ability, they will be able to do this just as easily as they can do with HTTP sessions.

How this can be abused and misused:

11. Any blanket privacy you had with respect to HTTPS is gone. So Internet banking, secure communication, email, etc. all out of the door.

12. They will be able to capture all your User IDs and Passwords and specific answers to secret questions that you are supposed to provide in order to recover access to your email accounts.

13. Anyone who is a whistle blower can be identified. Anyone who does not agree with the government can be identified. Anyone can be pressured. Think the McCarthyism – this is where we are heading. Big Brother is always watching and collecting information (personal dossiers) on its citizens. Now they can comfortably collect the “digital” information of its citizens.

14. The state should define and elaborate what it considers as anti-state content. Is human rights violation in Baluchistan anti-state? Is illegal abduction and torture by intelligence agencies?

15. How does one challenge a wrong decision?

16. What are the repercussions of bypassing and viewing such content? Can it land you behind bars?

17. What / Where is the accountability factor in this?

18. How do we ensure privacy rights are not invaded when your conversations are accessible?

19. What about the MISUSE of the information collected? Pressure tactics, blackmail, etc.

20. How does one challenge the government’s writ in such an implementation, which is a clear and gross violation of your basic fundamental rights?

21. Who / Where are the definitions of what is anti-state, anti-religious, anti-moral etc? How do you agree on a consensus of what a decision is? How do you challenge it? How do you modify it?

Currently the constitution states that ‘distribution’ of blasphemous and obscene content is illegal. However, such content available on the Internet is not ‘distributed’. The access is voluntary not imposing.

22. What about data-retention and data mining being done on this data collected?

23. What about Court-approved taps (such powers are supposed to be limited and only with a court-approved order are you able to insert taps)? Most software vendors who provide such tapping software and reconstruction software for hand-off (technical term used in industry) have appropriate sections for implementing such Court-orders into the software for proper logging.

24. This LI (Lawful Intercept) is no longer lawful nor being monitored by any member of the legislative or court bodies. In fact it is hushed.

25. Such a system will give the government extra muscle to go after “activists” – “liberals” – “troublemakers” – You and I. Anyone who is a hindrance, becomes a target.
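
A model of the HTTPS interception described in item 7 and of how a client can detect it, as an added example that is not part of the original post. The host name, the public CA name and the key bytes are constructed, and chain validation is reduced to name chaining; it shows that the proxy's certificate is accepted silently only when the filtering CA is in the client's trust store, and that a key pin recorded out of band still flags it.

```python
import base64
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # constructed stand-in for the DER SubjectPublicKeyInfo

def spki_pin(cert: Cert) -> str:
    """Base64 SHA-256 of the public key, the pin format of RFC 7469."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode()

def chains_to_anchor(chain, trust_store) -> bool:
    """Name chaining only; a real validator also checks signatures and dates."""
    linked = all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))
    return linked and chain[-1].issuer in trust_store

def classify(host, chain, trust_store, pins) -> str:
    if chain[0].subject != host or not chains_to_anchor(chain, trust_store):
        return "untrusted"      # client shows a certificate warning
    if pins.get(host) and not pins[host] & {spki_pin(c) for c in chain}:
        return "intercepted"    # trusted chain, but none of the expected keys
    return "ok"

# Constructed sample data (host, public CA name and key bytes are made up).
HOST = "mail.example"
PUBLIC_CA = "Example Public CA"
FILTER_CA = "Pakistan URL Filtering Certificate"  # name used in item 7

genuine = [Cert(HOST, PUBLIC_CA, b"origin-leaf-key"),
           Cert(PUBLIC_CA, PUBLIC_CA, b"public-ca-key")]
proxied = [Cert(HOST, FILTER_CA, b"proxy-leaf-key"),
           Cert(FILTER_CA, FILTER_CA, b"filter-ca-key")]

PINS = {HOST: {spki_pin(genuine[1])}}     # pin recorded out of band
STOCK_STORE = {PUBLIC_CA}                 # filtering CA not installed
MODIFIED_STORE = {PUBLIC_CA, FILTER_CA}   # filtering CA installed on the client

def demo():
    return {
        "genuine": classify(HOST, genuine, STOCK_STORE, PINS),
        "proxied, stock store": classify(HOST, proxied, STOCK_STORE, PINS),
        "proxied, CA installed, no pin": classify(HOST, proxied, MODIFIED_STORE, {}),
        "proxied, CA installed, pinned": classify(HOST, proxied, MODIFIED_STORE, PINS),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```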



