Physical Address

304 North Cardinal St.
Dorchester Center, MA 02124

What kind of ‘firewall’?

AT a recent meeting of the Senate’s Standing Committee on Information Technology and Telecommunication, the state minister for IT and telecom requested that a briefing on the ‘firewall’ be deferred to the next meeting but that it should be “in camera” as it was a “sensitive” matter.
For over a month now, news of the installation of a ‘firewall’ has created a storm. While it is good that there has been a lot of media attention on the issue, in the absence of any disclosure by the Pakistan Telecommunication Authority (PTA) or the government, and silence by telcos and internet service providers, information regarding what is being, or has been, tested, procured, deployed or its technical capability remains shrouded in secrecy and speculation.
The information minister recently remarked that the installation of a firewall had to do with cyber and data security, and not with freedom of speech. Typically, a firewall exists on devices such as laptops to enable protection against harmful network traffic. The ‘firewall’ being referred to in Pakistan serves no protective purpose and seeks to restrict the flow of information as a tool of political control.
The minister further remarked that during his trip to China, not once did he hear the words ‘fire’ and ‘wall’ together. All he saw was the Great Wall. The term ‘firewall’, in an information-control context, is derived from ‘The Great Firewall’ or the ‘Chinese Golden Shield’. Was the minister also using a VPN in China as he does in Pakistan to circumvent the ban on X?
The recent WhatsApp disruption was the first insight into the level of network filtering possibly being done in Pakistan. Users complained about being unable to download or transfer media via WhatsApp using mobile data. This included images, videos, stickers and audio notes. If they used a VPN or connected to broadband, this was not the case. Since media transfers and downloads worked via broadband and VPNs, this proves there was no technical glitch at the app level either. Had there been, it would have been reported globally.
While the information minister attributed this to a global issue — specifically the CrowdStrike disruption — it had nothing to do with it. This was verified by Meta in a comment to Geo Fact Check claiming everything was working fine on Meta’s end and whatever happened, was “the country’s internal internet issue” and a “local fault”.
What was witnessed recently with WhatsApp seems closer to the UAE model than the Chinese one where foreign apps don’t work at all. In the UAE, while WhatsApp chat and media work, voice calls do not, as Voice Over Internet Protocol is restricted. The WhatsApp disruption in Pakis­tan was at an app functionality level. But how?
One theory is this was done by identifying WhatsApp media servers. This doesn’t necessarily mean the content can be viewed but that delivery was disrupted. Disrupting the flow of information whether through throttling or reducing internet speeds fits a pattern.

A lot has been attributed to the ‘firewall’, perhaps too much — from blocking specific accounts and posts on platforms to tracing IPs and blocking VPNs. But what else will happen in an environment where assuming the worst is usually closer to the truth because political control and lack of transparency are the order of the day?
Technical experts seem fairly confident that with encryption getting better over the years, TLS (transport layer security) and SSL (secure sockets layer) cannot be breached — especially at scale. If specific pieces of content cannot be restricted on platforms such as X (hence the ban), Facebook, YouTube etc, the next step is company cooperation.
Companies can restrict or remove content at their end. This is not invasive though it raises freedom of expression concerns. Typically, notice-and-takedown regimes exist, which are guided by legislative instruments. Prohibited content is defined, a process is outlined and an authority identified that can make these requests to platforms.
Platform compliance depends on various factors, ranging from the applicability of a country’s laws to internal due diligence processes — in some instances requiring court orders — or assessing requests against company rules or guidelines. User notification is a practice some platforms, such as X, follow. A user is notified even if a request is received but no action is taken. When action is taken, the user is provided with an opportunity to appeal. Transparency reports reflect the degree of compliance.
It is assumed that no foreign intermediary is providing backdoor access or sharing encryption keys with the government. What is understood about end-to-end encryption today is that only the sender and recipient have access to chat content; even the company does not have access to encryption keys for chats. Spyware and malware on devices is another story. However, companies hold a significant amount of user data — even metadata — which, if shared under some circumstances, can compromise user privacy.
Which is why the launch of messaging app Beep is being viewed with trepidation. To the extent it is for public sector use, that is fine. But if mandated for Pakistani citizens as a replacement for encrypted messaging apps of choice, this would be a problem.
Local apps raise concerns regarding the level of government access to user data, given the (over)compliance by the private sector in a coercive environment. If a data protection regime, which protects users rather than facilitates government access to their data and requires data localisation — as the present data protection bill does — is absent, then Pakistani citizens’ data is up for grabs, enabling breach of privacy and political victimisation.
Without credible information, speculation will increase and distrust will grow. Citizens have a right to know what additional curbs are being placed on their freedom of expression and privacy.
The writer is a co-founder of Bolo Bhi, an advocacy forum for digital rights.
Published in Dawn, August 2nd, 2024

en_USEnglish