Pakistan May Have to Abandon Cryptography Ban

As other countries have discovered, businesses need encrypted communications.

This week, a Pakistani Internet service provider (ISP) leaked a government regulatory memo requiring all ISPs to block encrypted communications sent over virtual private networks (VPNs).

The leak set off debate over government-imposed limitations on privacy in Pakistan and elsewhere. But even as the debate continues, the new regulation could prove impractical because of the harm it is liable to inflict on many businesses, security experts say.

According to the memo, the intent of the ban is to prevent militants from using secure connections to relay information to one another. But it will affect many ordinary citizens’ communications. And it’s likely to have an even greater impact on businesses, which regularly use VPNs to conduct e-commerce and send internal communications securely, says Rainer Enders, chief technology officer of NCP Engineering, a German provider of VPN software.

“The business use of the Internet requires encryption and requires authentication and security and confidentiality, so this does not make any sense,” says Enders. “It is a very questionable move.”

The OpenNet Initiative, an academic group that studies Internet censorship and surveillance, recently conducted a survey of policy in 15 nations, including Pakistan. All the countries surveyed censor Internet access in some way, but, the group found, most allow the use of encryption. Even in the wake of protests across the Middle East, which led many countries to curtail Internet access, they did not limit encryption. The Chinese government censors the Internet heavily, but it still allows the use of virtual private networks, and the technology is widely used by Chinese businesses.

Moxie Marlinspike, chief technology officer and co-founder of Whisper Systems, a firm focused on securing smart-phone communications, says about the Pakistani ban, “I kind of felt like these tactics were kind of over. It is very difficult to restrict the distribution of cryptography. Regulating information is really hard.”

Pakistan may eventually follow the lead of the U.S. and other governments, says Marlinspike, switching focus away from deciphering data in transit and toward gaining access to stored data. “All this information accumulates at Google, at Facebook, at Yahoo Mail—wherever,” he says. “Governments are moving to the end point where information naturally accumulates and doing what they are going to do there. It is a more indirect strategy.”

In the 1990s, the U.S. government attempted to restrict the use of encryption—but it faced opposition from civil-liberties groups and ultimately found the regulation impractical to enforce, in part because of encryption’s business applications. Nowadays, U.S. intelligence agencies eavesdrop on international communications, but domestic law enforcement generally relies on subpoenas to gain access to stored communications. In support of that strategy, over the last decade the U.S. Department of Justice has pushed to require Internet service providers to hold onto data for at least a year.

The best way for citizens and businesses to deal with the ban in Pakistan, says NCP’s Enders, is to continue to use encrypted communications for legitimate purposes—in effect passively resisting the restrictions. It would be hard, he says, to use technology to circumvent the ban. Software that enables steganography—hiding messages in innocuous-seeming forms of communication—is freely available and would allow people to communicate without tipping off the authorities, but it is far more complicated to use than a VPN.

“There are various ways to get around technical bans, but this is mainly a way to instill fear,” Enders says. “I don’t think it will be very successful. It’s not something that they can easily enforce.”
