Reports Claim That Pakistan Is Trying To Ban Encryption Under Telco Law

from the yvxr-gung-jvyy-jbex dept

As various governments have tried to clamp down, censor and/or filter the internet, all it's really done is increase interest and usage of encryption tools such as VPNs. Every so often we have commenters who insist that outlawing encryption is the obvious next step for governments, though that suggests an ignorance of the practical impossibility of truly banning encryption -- which, after all, is really just a form of speech. The US, of course, famously toyed with trying to block the export of PGP in the 90s, but finally realized that it would likely lose big time in a court battle. While I could certainly see some politicians here trying to ban certain forms of encryption, I couldn't see any such effort being successful long term.

In other countries, however, they seem ready to make a go of it. Privacy International is reporting that Pakistan is trying to ban the use of encryption, including for VPNs, as part of the implementation of a new telco law (pdf) which requires telcos to spy on their customers. Obviously, encryption makes that tougher, so the response is just to ban it entirely.

But here's the big question: can any such ban really be effective? I mean, if you and I agree on using a simple cipher between us, that's "encryption," but is indistinguishable from "speech" in most contexts. That means any such ban on encryption is effectively and practically useless the moment it goes into effect. There will always be incredibly simple ways around it. Trying to ban encryption is like trying to ban language. You can't reasonably do it.

Filed Under: encryption, pakistan

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. icon
    aldestrawk (profile), 29 Jul 2011 @ 5:19pm

    It's not about banning cryptography

    My reading of the regulation is that Pakistan is requiring that all traffic can be monitored and that the signaling information cannot be encrypted. I could be wrong, but my understanding of the term "signaling information" is the set of mechanisms and algorithms allowing for call setup and breakdown, billing, and administrative functions. It seems to me the actual traffic, be it voice or data, can be encrypted but their has to be a way for the monitoring system to understand it (i.e. a backdoor).

    This backdoor is what a lot of governments desire. It is a way to obtain a key for any cipher used. This will make it far easier to track and prosecute or persecute all criminals, both real and political. This is not foolproof. If illegal encryption is used, the government could possibly identify the communication endpoints and prosecute just on the basis of utilizing an illegal cipher. Smart criminals and dissidents will resort to using strong, illegal encryption along with steganography and traffic obfuscation (i.e. Tor Onion Routers). The technology that would make the system functional on a general basis is automatic flagging or filtering of packets identified as using illegal encryption. In the U.S., considering that the NSA is already monitoring all our communications, this is not far-fetched.

    When strong encryption, encryption that the U.S. federal government couldn't defeat, became available to the masses in the early '90s, the U.S. became involved in two separate struggles. One was the export of strong cryptography and the main battle was with PGP and Phil Zimmermann. The feds dropped their indictment of Mr. Zimmermann without any comment. The code had been exported, but it was not clear that Phil was instrumental in doing that. Later, court precedents did allow algorithms for strong cryptography to be published and exported, protected as free speech by the first amendment. The feds did relax the rules on export, recognizing their futility because of the free speech aspect and also recognizing that it hurt U.S. business by restricting the use of strong encryption in international transactions.

    The other front in the strong cryptography battle was the feds attempt to put backdoors in any system using cryptography. The Clipper chip was an effort to do this for voice transmission. It was not mandatory, and the existence of alternatives and the fact that the algorithms behind clipper were classified and could not be independently evaluated for vulnerabilities led to it's demise.

    Why wouldn't the U.S. government be successful in making backdoors mandatory for all strong ciphers? Business needs strong encryption for both domestic and international transactions. A U.S. business might not trust having a backdoor available even if that backdoor is supposedly restricted with a key escrow system. More importantly, would a foreign business trust the U.S.? Such a requirement would have put U.S. businesses at a disadvantage in international competition.

    France, in the mid '90s had very strong restrictions on the use of cryptography. France's decision to drop their strict cryptography laws came about because of lobbying from businesses. This link briefly describes that decision and humorously gets the French Finance Minister's gender wrong (it was Dominique Strauss-Kahn, yes, that DSK!).

    If you think that the U.S. will never have laws restricting the use of cryptography, think again. There have been laws introduced that would make the use of cryptography an enhancement when committing a felony. Consider also, the slow but steady expansion of CALEA regulations.

    The following is a good summary of existing crypto-law in various contries:

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.