Pakistan May Have to Abandon Cryptography Ban

As other countries have discovered, businesses need encrypted communications.

Sep 2, 2011

This week, a Pakistani Internet service provider (ISP) leaked a government regulatory memo requiring all ISPs to block encrypted communications sent over virtual private networks (VPNs).

The leak set off debate over government-imposed limitations on privacy in Pakistan and elsewhere. But even as the debate continues, the new regulation could prove impractical because of the harm it is liable to inflict on many businesses, security experts say.

According to the memo, the intent of the ban is to prevent militants from using secure connections to relay information to one another. But it will affect many ordinary citizens’ communications. And it’s likely to have an even greater impact on businesses, which regularly use VPNs to conduct e-commerce and send internal communications securely, says Rainer Enders, chief technology officer of NCP Engineering, a German provider of VPN software.

“The business use of the Internet requires encryption and requires authentication and security and confidentiality, so this does not make any sense,” says Enders. “It is a very questionable move.”

The OpenNet Initiative, an academic group that studies Internet censorship and surveillance, recently conducted a survey of policy in 15 nations, including Pakistan. All the countries surveyed censor Internet access in some way, but, the group found, most allow the use of encryption. Even in the wake of protests across the Middle East, which led many countries to curtail Internet access, they did not limit encryption. The Chinese government censors the Internet heavily, but it still allows the use of virtual private networks, and the technology is widely used by Chinese businesses.

Moxie Marlinspike, chief technology officer and co-founder of Whisper Systems, a firm focused on securing smart-phone communications, says about the Pakistani ban, “I kind of felt like these tactics were kind of over. It is very difficult to restrict the distribution of cryptography. Regulating information is really hard.”

Pakistan may eventually follow the lead of the U.S. and other governments, says Marlinspike, switching focus away from deciphering data in transit and toward gaining access to stored data. “All this information accumulates at Google, at Facebook, at Yahoo Mail—wherever,” he says. “Governments are moving to the end point where information naturally accumulates and doing what they are going to do there. It is a more indirect strategy.”

In the 1990s, the U.S. government attempted to restrict the use of encryption—but it faced opposition from civil-liberties groups and ultimately found the regulation impractical to enforce, in part because of encryption’s business applications. Nowadays, U.S. intelligence agencies eavesdrop on international communications, but domestic law enforcement generally relies on subpoenas to gain access to stored communications. In support of that strategy, over the last decade the U.S. Department of Justice has pushed to require Internet service providers to hold onto data for at least a year.

The best way for citizens and businesses to deal with the ban in Pakistan, says NCP’s Enders, is to continue to use encrypted communications for legitimate purposes—in effect passively resisting the restrictions. It would be hard, he says, to use technology to circumvent the ban. Software that enables steganography—hiding messages in innocuous-seeming forms of communication—is freely available and would allow people to communicate without tipping off the authorities, but it is far more complicated to use than a VPN.

“There are various ways to get around technical bans, but this is mainly a way to instill fear,” Enders says. “I don’t think it will be very successful. It’s not something that they can easily enforce.”