Is registering your VPNs with the PTA a problem?

Among the sea of information released by Edward Snowden in his infamous data leaks, it emerged that the National Security Agency (NSA) of the United States considered Pakistan the second most surveilled nation in the world. 

This implies that Pakistanis are more susceptible to surveillance not just from their own government but also from right under the nose of the said government. This also means that Pakistan’s national level cybersecurity is not only compromised but may possess serious flaws. 

So how does a common Pakistani counter this problem? An obvious solution comes to mind: changing and masking your IP address. A common tool employed by many for this purpose is a Virtual Private Network (VPN). While this could be reason enough, there is more than one way in which changing an IP address can benefit a user.

Yet for the most part, VPNs in Pakistan are used to bypass bans. Perhaps nothing is more blatant in this regard than the ban on Twitter. The government has blocked access to the social media platform in the country, but everyone gets across the block through a VPN. This is true even with government officials and politicians, who run their own accounts from behind a paywall. 

That is why, perhaps, the PTA has hinted at banning VPNs all across Pakistan. While the statement was later retracted by the PTA chairman, Profit delves deeper into how such a step could be orchestrated. Is it even possible? How? And what impact could it have on day-to-day business in Pakistan?

How do VPNs work?

While some of the more technologically astute readers will already be aware of the purposes a VPN serves, the following is a simple explanation for readers who are not:

Think of the internet as a busy public space where anyone can see what you are doing—like browsing websites, sending emails, or making transactions. Without protection, your online activities can be monitored by others, including hackers, advertisers, or even government agencies.

A VPN creates a secure tunnel, of sorts, between your device and the internet. This means that when you connect to a VPN, all the data you send and receive is encrypted, meaning it is scrambled into a code that is difficult for anyone else to read. This keeps your online activities private and prevents unauthorised access to your personal information, such as passwords, banking details, and other sensitive data.

Additionally, a VPN masks your real location by changing your IP address. An IP address is a unique number that identifies your device on the internet. For example, if you are in Karachi but connect to a VPN server located in London, it will appear as though you are browsing from London. The VPN changes your IP address by routing your internet traffic through one of its servers, which is located somewhere else in the world. This server gives you a new IP address, masking your real IP address and location. This feature is why a VPN allows users to access content that might be restricted in their actual location, such as certain websites or online services.

VPNs are used to protect one’s privacy, to enhance security, or to get around limits tied to one’s geographical location. VPNs are especially vital for businesses, for safeguarding confidential information and ensuring secure communication for remote employees.

Usually, VPN service providers charge their customers. However, there are free VPN service providers in the market, which make money by selling user data, displaying ads, or both.

How can VPN traffic be monitored?

Apart from many users wanting to access blocked content or wanting to mask their activities, VPNs have a strong case for businesses. Many overseas call centre businesses as well as software houses use VPNs to emulate the IPs of countries in which they are selling their services. Big companies with overseas employees also have specific virtual networks for employees overseas to ensure that the company data remains on their secure servers and is not compromised. 

The PTA has categorically stated that it understands the use case for VPNs at businesses such as software houses and that it does not want to curb the legitimate use of VPNs. So it came up with an ingenious solution in 2020.

Earlier in 2020, the PTA provided corporate businesses with this opportunity for the first time, asking them to register the IPs that they would mask via VPN. Later, in 2021, it gave small businesses another window of a few days to comply with this registration.

The question is, why did the PTA, all of a sudden, want people to register VPNs? The pretext was to stop illegal telephony traffic (VoIP) which caused losses to their licensees and the national exchequer in terms of revenues and taxes. At least this is what the PTA said at the time.

Now, after a series of internet blackouts and bans on social media websites, at a time when the functionality of VPNs has become more vital, the PTA has once again asked businesses, companies and freelancers to register, this time by submitting the details digitally.

In a recent briefing to the Senate’s Standing Committee on Cabinet Secretariat, the PTA chairman, Major General (Retd) Hafeezur Rehman, said that around 20,500 VPN-using IPs have been registered and that, once the process is complete, only the whitelisted IPs will be allowed to use VPNs while the “illegal” use of VPNs would be stopped. In the same briefing he also pointed out that the overall user base of X had decreased since the ban despite a surge in the number of VPN users who are trying to access X.

There are a number of things wrong with the chairman’s statement. First of all, what is the illegal use of a VPN? As of right now, using a VPN without registering it with the PTA is not considered illegal by law. It is not in the penal code and there is no specific punishment for the mere use of a VPN. Does that mean that Pakistan will introduce a criminal penalty on unsanctioned VPN use once the registration process is over?

A digital rights organisation “Bolo Bhi” in a 2020 article states that “Pakistan has an extensive history of cracking down on dissidents through enforced disappearances, narrowing down patriotic definitions to put individuals at risk, & delivering mob justice upon accusation. VPN registration can be misused to increase & legitimise instances of such nature in the future.”

It is important to note here that other countries that have such laws include the likes of North Korea and Turkmenistan.

Secondly, up until now it was being assumed that the VPN registrations had to do with the curbing of VoIP traffic. Why then is the question of X usage relevant in the chairman’s briefing? The question in itself is telling of what the state has in mind.

And thirdly, how will they block the non-whitelist VPN user? According to a senior stakeholder at an ISP who wishes to remain anonymous, the PTA does not currently have the capability of doing that. The Web Monitoring System (WMS) that Pakistan currently possesses to monitor and sometimes block traffic, is not efficient in the surveillance or even the identification of encrypted traffic.

For that purpose, Pakistan needs something more potent: a technology often termed Deep Packet Inspection (DPI). Hence, in saying that Pakistan will block unauthorised VPNs, the chairman actually does reveal the acquisition or presence of some form of the rumoured DPI (firewall) technology similar to China’s.

Can VPNs be Blocked?

While talking to Profit, one of the sources who is an internet governance expert and wishes to stay anonymous stated that, “It is tough to ban VPNs. Bans are countered with the resilience of the digital ecosystem all over the world. The China Firewall is almost 20 years old and VPNs, while technically legal, are tricky to use due to extreme surveillance. But VPNs are still used. 

A complete ban might not be possible even if a particular VPN service and/or VPN ports are blocked; the VPN landscape is also evolving very rapidly. Decentralised VPNs eliminate the need for centralisation, so they are very hard to track and monitor.”

But that is one aspect of this conundrum. Even with a highly sophisticated DPI, blocking VPNs is not a piece of cake. The possibility comes with additional risks, ones to which Pakistan is especially vulnerable.

To understand this, let us look at what we learned earlier. What does a VPN claim to do? It provides you a safe pathway into the worldwide web without the fear of a security breach or someone spying on your browsing activity. 

However sanctioned it may be, spying by the state itself is no exception. So any VPN worth its salt is basically rated on how well it hides you, even from your own government. In some cases, especially from your own government.

While it can hardly be said of any country that a full-blown VPN blockade works there, some countries have had some success in controlling the use of VPNs. These include China, Saudi Arabia, North Korea, Turkey and the UAE.

Most of these countries not only impose a high penalty on people who use VPNs but also employ a number of techniques to keep VPNs at bay. By embedding DPI capabilities into the network’s infrastructure, ISPs can detect specific patterns associated with VPN protocols, such as OpenVPN, L2TP and IKEv2. This enables them to block, throttle, or disrupt VPN traffic as soon as it is detected.

Moreover, many of the countries that have had some success in blocking VPN traffic possess a centralised internet gateway. If a government controls the gateway entirely, it can block VPN traffic from entering or leaving the country. The problem for the PTA is that it simply does not have that kind of centralised control. While it can press the ISPs or the telcos to do its bidding, getting these (mostly) private entities to bear this additional burden would require legislation.

However, there is a slight caveat to this assessment. The Pakistan Electronic Crime Prevention Acts of 2016 allow the PTA to issue directives to these companies to block or remove content if it is deemed obscene, defamatory, blasphemous or threatening to national security. But even if the PTA is able to use this excuse, it does not get to fully stop the rogue VPN traffic.

Successful VPNs use stealth techniques like obfuscation and domain fronting. A simple way to put it would be that the traffic simply doesn’t get recognised as VPN traffic.

Even if it is possible to identify VPN traffic, in a system like Pakistan’s it becomes very difficult to attribute it to the host (user device) making it difficult to administer punishment, if any.

Mostly, governments resort to simpler solutions like blocking domains or known VPN IPs at the network level. They can also make a whitelist of government-approved IPs allowed to access VPNs, which is what the PTA seems to be doing. Needless to say, these measures can easily be circumvented by a VPN using various techniques. VPN providers can rotate their IPs or use technologies like server hopping, wherein the traffic switches between multiple servers in quick succession.
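The two mechanisms described above, DPI signature matching on VPN handshakes and a whitelist of registered IPs, put together as an added example; it is not from the article or from any PTA or ISP system. The signatures cover only the first unencrypted handshake packet of each protocol, and the registered range and all packets are constructed.

```python
import ipaddress
import struct

# Constructed allowlist using an RFC 5737 documentation range, not real registrations.
REGISTERED = [ipaddress.ip_network("192.0.2.0/28")]

def classify(dst_port, payload):
    """Name the VPN protocol a UDP datagram appears to start, or None."""
    # IKEv2 (UDP 500): 28-byte header; byte 17 = version 2.0, byte 18 = 34
    # (IKE_SA_INIT), last 4 header bytes = total message length.
    if dst_port == 500 and len(payload) >= 28:
        (length,) = struct.unpack("!I", payload[24:28])
        if payload[17] == 0x20 and payload[18] == 34 and length == len(payload):
            return "ikev2"
    # L2TP (UDP 1701): T bit marks a control message, low 4 bits carry version 2.
    if dst_port == 1701 and len(payload) >= 12:
        (flags,) = struct.unpack("!H", payload[:2])
        if (flags & 0x8000) and (flags & 0x000F) == 2:
            return "l2tp"
    # OpenVPN (any port): first byte = opcode << 3 | key_id; opcode 7 is
    # P_CONTROL_HARD_RESET_CLIENT_V2, the client's opening packet. A one-byte
    # match like this also hits unrelated traffic, so real DPI needs more state.
    if len(payload) >= 14 and payload[0] >> 3 == 7:
        return "openvpn"
    return None

def decide(src_ip, dst_port, payload):
    """Whitelist policy: recognised VPN traffic passes only from registered IPs."""
    proto = classify(dst_port, payload)
    if proto is None:
        return "pass"  # not recognised as VPN traffic, so the whitelist never applies
    addr = ipaddress.ip_address(src_ip)
    registered = any(addr in net for net in REGISTERED)
    return ("allow:" if registered else "block:") + proto

# Constructed sample datagrams (no captured traffic).
OPENVPN_RESET = bytes([0x38]) + bytes(range(1, 9)) + b"\x00" + struct.pack("!I", 0)
IKE_SA_INIT = struct.pack("!8s8sBBBBII", bytes(range(0xA0, 0xA8)), bytes(8),
                          0, 0x20, 34, 0x08, 0, 28)
L2TP_CONTROL = struct.pack("!6H", 0xC802, 12, 0, 0, 0, 0)
UNRECOGNISED = bytes([0x9A, 0x41, 0x07, 0xE2]) + bytes(28)

if __name__ == "__main__":
    for src, port, pkt in [("192.0.2.5", 1194, OPENVPN_RESET),
                           ("198.51.100.7", 1194, OPENVPN_RESET),
                           ("198.51.100.7", 500, IKE_SA_INIT),
                           ("198.51.100.7", 443, UNRECOGNISED)]:
        print(src, port, decide(src, port, pkt))
```

The last datagram matches no signature and passes from an unregistered address, which is the limit on signature-based blocking that the article attributes to obfuscated traffic.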

Sometimes, governments can even get VPN service providers on board and allow only those VPNs that have agreed to share user data. Other times, they can ingeniously make their own VPNs, which citizens who want one can use, knowing that their data can be viewed by the government at the very least.

To answer the question at the top: yes, a VPN can be blocked, but no, the block cannot be absolute. That is one of the reasons why countries like the UAE, where VPN usage is banned and apps like WhatsApp are closed, are also some of the biggest markets for VPN service providers. According to Forbes, “62% of the United Arab Emirates (UAE) population downloaded a VPN in 2023”, making it the world’s second most adoptive VPN market.

The problem is, if Emirates Telecom (e&), worth more than $40 billion, cannot do much about it, the PTA surely cannot.

Complications in blocking

There is, however, one thing that the PTA can do, and that is to make things worse. The GoP’s network security hasn’t always been great. As pointed out by Dawn in a recent news piece, citizen data from NADRA, including personal details of citizens, has previously been up for sale on social media platforms. The National Telecommunications Corporation (NTC), a company responsible for providing communication channels and data services exclusively to government organisations, has often had question marks over its server security.

Typically the government does not have access to the IP addresses of individuals; that data is maintained by the ISPs, which are provided a range of IPs to distribute among customers. However, as soon as IPs are registered, the government gets that data and it gets stored somewhere on the servers designated for the PTA.

If a hacker were to gain access to that data, it would not only put businesses at risk but could also cause serious financial damage. Such vulnerability hence seems like a large price to pay for curbing politically dissenting voices.

While talking to Profit, a tech business owner stated that, “If a small business is a tech business that needs a VPN to connect, it is severely impacted by these bans. However, I see a bigger impact on businesses that thrive on and use digital marketing for promotions and selling. For the 5 million SMEs in Pakistan, digital platforms are the most ideal to market. With the slowing down of some apps and the restrictions on VPNs, there have been incidents of a lot of SMEs and digital marketing companies losing out on business. The intended audience is not being reached out to on specific platforms and that just leaves these businesses leaps and bounds behind the competition.”

In principle, it must also be noted that, whether people prefer it or not, the state does need some form of surveillance to prevent crimes of various kinds. It is the lack of information regarding these systems, and the closed doors on what the fate is going to be, that makes matters so much worse.

As one of our sources pointed out, “Dubai has registered and allowed VPNs and that has not discouraged them from doing business there. In India too, VPNs need to be registered, and they even passed a law where all VPNs operating on servers inside India will have to store their data for 5 years.

I feel the business environment and the associated issues are much bigger than VPN registration. For the time being the registration might support the business. How much monitoring and surveillance happens though is an issue that time would tell. It is internet shutdowns, complete blackouts and uncertainty that harms businesses more than monitoring does.”
