Why Pakistan's move against online crypto is a dangerous idea


Pakistan newspaper The Express Tribune reports from Karachi that the country's telecommunications regulator is pressing ISPs to comply with recent regulations which restrict the use of end-to-end encryption.

Any technology which conceals communications and prohibits monitoring, it seems, is off the menu.

The Tribune quotes a letter sent to it by an ISP which had been warned by the regulator:

In line with [the Monitoring & Reconciliation of International Telephone Traffic] Regulations 2010 and national security, [the Pakistan Telecommunication] Authority prohibited usage of all such mechanisms including encrypted virtual private networks (EVPNs) which conceal communication to the extent that prohibits monitoring.

The letter continues by reminding the ISP:

It is observed that the aforementioned directive has not been followed in true letter and spirit as EVPNs are heavily being used on the Licensees Network.

This concern over the inability of law enforcement to intercept or prevent communication between criminals and militants will no doubt resonate in other countries - notably in the UK, where services such as BlackBerry's instant messaging came under the spotlight after the recent riots there.

Unfortunately, however, an internet in which encryption was banned altogether would be even more dangerous than what we have today.

You've probably heard the gun lobby's truism that "if guns are outlawed, only outlaws will have guns." Yet there are many countries where private ownership of guns - handguns, at least - has been heavily regulated or even banned outright without a concomitant increase in gun crime.

It's tempting, therefore, to argue that if we can ban guns without endangering society, despite the vigorous warnings of a vocal minority, we can do the same with cryptography. Perhaps "if crypto is outlawed, only outlaws will have crypto" is just the crazy slogan of a bunch of libertarian survivalist cypherpunks with something to hide?

The problem is that banning every sort of 'communications concealing' technology online would destroy the very fabric of the internet's law-abiding use. There would be no SSH, no SSL, no TLS, no HTTPS. There would be no WiFi security. Online commerce would implode.

Whether the private ownership of weapons is as big a threat to society as some like to make out is an argument for another day, because cryptography on the internet isn't like handguns in the suburbs.

In most developed countries, you don't routinely need to pack a Browning Hi-Power when you visit your local bank branch. (Even in countries where that's legal, the bank would probably make you lock it in a safety deposit box at the entrance, anyway.)

In contrast, you do routinely need to use an SSL-protected tunnel to the bank when you transact online.

Significantly, the bank needs you to do so, as well. And if you don't, you're actually playing into the hands of the crooks.

So the next time you hear a nanny-state advocate oppose the general availability of strong crypto on the grounds that "if you've got nothing to hide, you don't need to hide anything", don't just sigh in dismay.

Confront them with the inanity of their remark. (Unless they've got a Browning Hi-Power. In that case, give a little smile and leave as soon as you can.)

* If you have nothing to hide, then it doesn't matter whether you choose to hide it or not, does it?

* Online, you do have things to hide. And if you and the rest of us don't hide it as a matter of course, the cybercrooks will plunder our economy more seriously than they're doing already.

In short, if you want to do away with online crypto, you're making things easier for the crooks, not harder. And that, I'm sorry to have to say, is a truism.

Take cryptography seriously. Protecting your own online assets helps protect everyone else, too.

PS. Why not try our Sophos Free Encryption software? Try our free download today - it's a direct download with no gates or forms to fill in. (Apologies to BSD, Linux and Mac users: Windows only.)


6 Responses to Why Pakistan's move against online crypto is a dangerous idea

  1. nzjourneyman · 968 days ago

    Interesting article, putting an ad at the end of your article pretty much removes most of the article's credibility though. This blog is a good security channel. Don't stuff it up by making it a sales channel too. Tempting though it may be.

    • Paul Ducklin · 968 days ago

      Hmmmmm. On what grounds does offering an entirely unambiguous free download "remove most of the credibility"?

      How does offering an unregulated download - just click and download, as promised - represent "a sales channel"?

      How - if the truth be told - would we have any idea who you are (except, I admit, via your IP number) if you were to download via the offered link?

      Here's a thought. Read the article. Ignore what you call "the ad". Did you find it informative in any way?

      • You advertised a free product in a fairly innocuous manner. You want people to use said product so they can gain the advantages of using said product. You might be hoping for customer reviews so you can improve said product. This is the good form of advertising.

        In this day and age, any type of advertisement makes people suspicious. The communication systems allow abuse of lack of suspicion, so people have become overly suspicious. Advertisers use tricks to convince people that they have good intentions. A commercial may offer free computers to the first 1,000 callers. The people on the line try to get callers after the first 1,000 to buy a computer instead. The caller may not be able to afford a new computer but their hopes were brought up by the concept of a free computer.

        Even though your product is free, some readers may begin to suspect a hidden intention. Maybe, behind your product, there is a hidden money trap. A more technologically adept reader might recognize that there is no trick but your target audience is not just programmers and scientists.

        To a suspicious reader, your word is biased and you can't say anything to make them feel comforted. Mentioning products provided by other vendors is probably the best thing you can do to ease suspicion.

  2. John R · 967 days ago

    While your comments are true for the current state of internet standards, there is no technical reason why security for activities such as e-commerce could not be done without concealing the data.

    For e-commerce, the key things you really need are authentication that the shop is really the shop, and that there is integrity of the data to and from the shop. Confidentiality is a separate feature of a security system.

    The only common standard for web security is TLS, which provides all three features linked together.

    While I'm personally strongly in favour of privacy and encryption, security of commerce and encryption are linked only because that's how current products work.
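
The separation described in the comment above, as an added example that is not part of the original comment or article: each record carries an HMAC-SHA256 tag and an implicit sequence number but is not encrypted, similar in spirit to TLS's NULL-encryption cipher suites. The class and function names are hypothetical, the sample order is constructed, and the fixed shared key is an assumption standing in for a key agreed after the shop has been authenticated.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes

class IntegrityOnlyChannel:
    """One end of a channel whose records are authenticated but sent in the clear."""
    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0  # implicit record counter, never sent on the wire

    def _tag(self, seq: int, payload: bytes) -> bytes:
        # Binding the counter into the MAC makes replayed or reordered records fail.
        msg = struct.pack(">Q", seq) + payload
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def seal(self, payload: bytes) -> bytes:
        record = payload + self._tag(self.seq, payload)
        self.seq += 1
        return record

    def open(self, record: bytes) -> bytes:
        payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(self.seq, payload)):
            raise ValueError("record altered, replayed or out of order")
        self.seq += 1  # advance only after a record verifies
        return payload

def rejected(channel: IntegrityOnlyChannel, record: bytes) -> bool:
    try:
        channel.open(record)
    except ValueError:
        return True
    return False

def demo() -> dict:
    key = bytes(range(32))  # constructed key; stands in for an authenticated key exchange
    customer, shop = IntegrityOnlyChannel(key), IntegrityOnlyChannel(key)
    order = b"order=42;card=4111111111111111;amount=19.99"  # constructed sample
    wire = customer.seal(order)
    tampered = customer.seal(order).replace(b"19.99", b"00.01")
    return {
        "observer_reads_card": b"4111111111111111" in wire,
        "accepted": shop.open(wire) == order,
        "replay_rejected": rejected(shop, wire),
        "tamper_rejected": rejected(shop, tampered),
    }
```

Every value returned by `demo()` is `True`: the shop accepts the genuine record and rejects the replayed and altered ones, while the card number remains readable to anyone on the network path.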

  3. Fred Morenberg · 938 days ago

    At first glance I would support your argument against blocking encryption. However you seem to say "but it’s OK when we restrict gun ownership". The fact is that restricting any form of self defense is detrimental to society, and that's what encryption really is.
    I would suggest you read "More guns, Less Crime" by John Lott before writing your next article on encryption.

  4. Concerned · 938 days ago

    Paul Ducklin and Sophos, just more anti-gun lobbyists using their posts to advertise and pander their Rhetoric...Boycott their products..


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog