A recent post on Slashdot reported a new set of regulations promulgated by the Pakistan Telecommunication Authority on March 11, 2010, titled “Monitoring and Reconciliation of Telephony Traffic Regulations, 2010”. The post implied that through these regulations, Pakistan is banning the use of encryption. If true, this would effectively ban the use of popular software such as Skype and virtual private networks (VPNs), which use encryption. Encrypted VPNs form the backbone for conducting IT business operations securely. “I would be concerned as that means access to our private networks using VPN will be compromised,” said Babar Khan, who runs TechArete, a tech company in Pakistan.
The regulation came into effect on July 10, 2010 and overrides an earlier regulation promulgated on November 13, 2008, titled “Monitoring and Reconciliation of International Traffic Regulations, 2008”. Our reading of the 2010 regulations indicates that they allow the Pakistan Telecommunication Authority (PTA) to monitor and block any traffic (encrypted or not), including voice and data, originating or terminating in Pakistan. Further, through these regulations, PTA is banning the use of encryption for signaling information. If a user of a telephony or data provider needs to encrypt signaling information, the user must obtain explicit permission from PTA. Below, we quote verbatim from page 549 of the Gazette of Pakistan, which describes this regulation:
“(6) The Licensee(s) and Access Provider shall ensure that signaling information is uncompressed, unencrypted, and not formatted in a manner which the installed monitoring system is unable to decipher using installed capabilities.
(7) In case it is not possible to monitor the signaling information of some traffic at the Probe and the Authority has agreed to let the traffic pass through, the required signaling information shall be extended from the Licensee(s) and Access Provider(s) network’s premises, at their own cost, including but not limited to the required format conversions, hauling of data to the Authority designated location, and installation of additional equipment to achieve information as specified in sub regulation (6) above.”
So what is signaling information? Signaling information identifies who is calling or exchanging data with whom. For example, if user A of cell phone provider 1 calls user B of cell phone provider 2, a CDR (call data record) is created in the database records of both providers. Similar records can be created for data (IP) traffic. The promulgated regulation practically bans the use of encrypted virtual private networks (EVPNs) by IT businesses unless explicit permission is obtained from PTA. In simple terms, any IT business in Pakistan that wants to use EVPNs must obtain explicit permission from PTA. According to a PTA memo dated July 21, 2011 posted on this blog, PTA is enforcing this regulation by sending warnings to ISPs. However, does PTA have the manpower to vet the legality of every EVPN?
Is there any other software besides EVPNs that encrypts signaling information? The answer is clearly yes. Skype is an example of popular software that encrypts its signaling information for establishing a voice or video call. If PTA’s regulation were to be strictly enforced, it would ban the use of Skype in Pakistan.
Besides restricting signaling information from being encrypted, the regulation forces the providers of voice and data traffic to procure, establish, deploy, and maintain equipment for a monitoring system at their own cost. Below is the excerpt from the regulation:
1. Capability to monitor, control, measure, and record traffic in real-time
2. Capability for complete signaling record, including but not limited for billing
3. Capability to accurately measure the quality of service
4. A complete list of Pakistani customers and their details
5. Complete details of capacity leased by the licensee(s) to their customers
6. No person, except the authority shall be allowed to monitor, reconcile or block any traffic directly or indirectly on their own network or that of the other network in the manner prescribed in these regulations, without prior written approval of the Authority.
We note that (1) and (2) are not necessarily specific to Pakistan. Many countries have regulations in place which allow the competent authority to monitor the signaling record or intercept traffic. However, such snooping of traffic is usually accompanied by a court order. Therefore, the most worrisome part from the perspective of a Pakistani citizen is (6), which gives PTA the authority to monitor and block traffic. It is not clear whether PTA needs a court order to exercise this authority.
Has your online business been impacted by this law in any way? We invite you to post your experiences as comments.