June 19, 2020 - Comments Off on Virtual ‘Private’ Networks no Longer Private as PTA Requires Registration
Areeba Jibril is a DRF intern focusing on issues related to privacy, free speech, and elections. She tweets at @AreebaJibril
Finding a Virtual Private Network (VPN) provider in Pakistan is easy. A quick google search will pull up multiple free services. Casual internet users may register for these services to circumvent paywalls and access online content that has been blocked in Pakistan. They can do this without even really knowing what they’re signing up for. More sophisticated users may use VPNs to ensure that their IP addresses, and therefore their geographical location and identity, remain hidden from the websites they visit.
What casual users likely don’t know is that the Pakistan Telecommunication Authority (PTA) has announced a registration requirement for all Virtual Private Networks (VPNs) by 30th June 2020. This is twenty-two days after they first posted a public service announcement on their website. The PTA regulations do not ban the use of VPNs entirely, but they do require users to register their VPN use with their Internet Service Providers (ISPs). To do this they must share their CNIC number, the purpose for which they would like to use a VPN, and which IP address they will be using their VPN with. The privacy intrusion is not limited to this information. –The notification is vague, therefore it is difficult to say with authority the extent of the privacy intrusions that may come about. There is online speculation about the extent of information that the government can feely request from non-VPN users and whether the same practices will apply to VPN-users as well.
The Pakistani government claims they’ve added this requirement to support the Information and Communications Technology (ICT) industry and promote the “safety of telecom users.” But requiring registration of VPNs defeats the purpose for which VPNs were created. VPNs cannot be private if they must be registered with ISPs, who are then required to share the information with the government. The information flow doesn’t stop there – the government has contracted with Sandvine Corporation, a US-based company, to monitor ‘grey’ internet traffic.
The 10th June announcement isn’t forthcoming regarding the significance of this announcement, by claiming that this is “not new”. It’s true that users have been reporting that their VPNs had suddenly stopped working since 2011. However, this new announcement includes the threat of legal consequences, without much clarity on what these consequences will be. The drastic consequences to privacy do not need to be new to be concerning. The PTA claims to be using its authority under clause 4(6) of Monitoring and Reconciliation of Telephony Traffic Regulations (MRITT), 2010.
VPNs can be helpful for the average internet user when they want to access content such as television shows that aren’t otherwise available in Pakistan. But they serve a much more important purpose in promoting freedoms of opinion and expression by protecting the privacy of users. By using a VPN, users can ensure that the websites they visit and the content they post cannot be traced back to them. For many, anonymity is an important part of what makes the internet a safe place.
David Kaye, the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, noted, “Encryption and anonymity provide individuals and groups with a zone of privacy online to hold opinions and exercise freedom of expression without arbitrary and unlawful interference or attacks… A VPN connection, or use of Tor or a proxy server, combined with encryption, may be the only way in which an individual is able to access or share information in [environments with prevalent censorship].”
As the list of registered VPN users will be shared with ISPs, the risk of private information being accessed by those with malicious intent will increase dramatically. Without the ability to hide their physical location, users will be in greater danger if they use the internet to communicate discontent with the government and seek help anonymously.
Some users may decide they cannot risk this intrusion to their privacy and refuse to register their VPNs. It is unclear how these users will be treated. The government can request that non-registered users have their VPNs blocked. However, they have also said that users who fail to register their VPNs can face legal consequences if they cause “loss to the national exchequer.” They maintain that they are adding this requirement to terminate “illegal traffic.” These vague terms should be a great cause of concern. What is illegal traffic? What will be considered a “loss to the national exchequer”? When will users be held legally accountable for failing to register their VPNs? The lack of guidance increases the risk that these laws will be used to target political dissidents and unpopular speech.
The notification concerning VPNs, coupled with the news from a few months back regarding ‘Deep Packet Inspection’ (DPI) poses a serious threat to online privacy and security for the common Pakistani citizens. DPI allows unprecedented access to a private individual’s activity online. The added issue with the DPI technology is the fact that the government has been incredibly silent on how they plan on using the technology and what the purpose of it is. This silence and general vagueness is somewhat similar to what we’re witnessing nowadays when it comes to this notification regarding VPNs in the country.
Pakistan is not alone in regulating the use of VPNs. Belarus, China, Iran, Turkey, Iraq, Syria, Oman, Russia, Uganda, the UAE, and Venezuela have either introduced some measures to restrict the use of VPNs or banned the use outright. Iran allows the use of VPNs, but only if providers are Iranian while Russia bans VPN usage for sites that have previously been blocked by Russia’s governing body for telecommunications and mass media communications. Consequences for using VPNs are also wide-ranging. In China, the government has gone so far as to arrest a VPN provider. In Oman, private users face a 500 rial fine ($1300USD).
Given the human and digital rights track record of these countries, this is not a list of countries that Pakistan should want to be on.
https://www.pta.gov.pk/en/media-center/single-media/public-notice---get-your-vpn-registered-080620 http://tickets.nexlinx.net.pk/index.php?/News/NewsItem/View/45 https://www.dawn.com/news/1512784 https://www.pta.gov.pk/en/media-center/single-media/public-notice---get-your-vpn-registered-080620