VPNs to the rescue

Dr M Usman Ilyas


When the internet arrived in Pakistan in the mid-90s, access was unfettered because decision-makers were (thankfully) decades away from understanding its implications. That slowly changed as new web technologies enabled social media platforms that gave every Internet user the power to easily publish views and opinions.

Pakistan's early brush with internet censorship came in 2005, stemming from a Supreme Court judgment to block content created with the intent to provoke and offend Muslims. Unaware of the implementation details, the court ordered the Pakistan Telecommunications Authority (PTA) to block offending sites, which it did by blocking entire domains; so if the offending content was on a blog post, the PTA blocked the entire blogging site hosting hundreds of thousands of blogs.

Let me offer a non-technical explanation for the layperson reader, as simplified as I can manage. When you access a service on the web, your computer (or phone) starts with a domain name: for example, thenews.com.pk or google.com. The first thing it needs to do is convert that domain name into a set of numbers called an Internet Protocol (IP) address. Think of an IP address as GPS coordinates: a set of numbers that allow it to reach a unique network interface of a computer on the internet. Once your computer has that IP address, it can establish a connection for whatever service or content it provides.

This translation service from domain names to IP addresses is provided by a network of servers called Domain Name Service (DNS) servers. When your device connects to the internet, one of the first pieces of connection configuration information it receives is the DNS server that will provide this translation service.

When a device sends a lookup request for a domain to its network-assigned DNS, the DNS responds with an IP address. Your history of DNS lookup requests is a coarse version of your internet browsing history. If an ISP wants to deliberately deny access to a service or website, a simple way would be to provide no response (technically a Denial of Service or DoS) or false information that directs the user to a different IP.

This is a simple and inexpensive way to block websites. In February 2008, this was the PTA's approach when ordered to block access to YouTube in Pakistan. While this misdirection by DNS was intended only for Pakistani internet users, an incorrect router configuration allowed it to get out and spread, leading to a global YouTube outage that lasted around two hours. However, unless disabled, users can circumvent this kind of censorship by using a public DNS server anywhere on the internet instead of the network default.

Months later, the PTA acquired the ability to block traffic to specific IP addresses. Now, even if a user could acquire DNS lookup services from elsewhere, all traffic to an intended destination could be blocked. This was how the PTA blocked access to YouTube (and other websites) from 2012 to 2016. This is more computationally expensive because it requires inspecting IP addresses in all packets.

For a determined user, the challenge then becomes to hide the IP address of the destination computer. Enter Virtual Private Networks (VPNs). To understand how VPN connections work, and their upsides and downsides, I will use an analogy that feels uncomfortably fitting.

Assume you are in (internet) jail and can only communicate with the outside world through snail mail. Jail authorities can read sender and receiver addresses and destroy letters to/from anyone deemed unacceptable. To circumvent this censorship, you engage the services of a lawyer who will serve as an intermediary for your correspondence. Now, you write your letters, put them in an envelope addressed to the recipient, and put this envelope inside another addressed to your lawyer.

When your lawyer receives your letter, s/he will open it and post the real letter to the intended recipient. When s/he receives a reply for you, s/he will put it in a new envelope and mail it to you. From the jail authorities' perspective, all your letters coming and going will be from/to your lawyer: nothing suspicious. The lawyer is the VPN provider, postal addresses are IP addresses, jail authorities are the nanny state, and the prisoner is every internet user in Pakistan.

Using a VPN is not an oddity but good cyber hygiene that is recommended for all. In addition to hiding your browsing history from immediate and upstream Internet Service Providers (ISPs), VPNs hide your location from the websites you visit. Unless local laws prohibit it, ISPs sell their customers' browsing history to data brokers (a revenue stream). Using VPNs puts an end to that. The downside is that it only shifts the visibility of customer browsing history from the local ISPs to VPN providers (operating in foreign jurisdictions).
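The envelope analogy and the visibility shift described above can be modelled in a few lines. This is an added example, not part of the original column: the addresses are constructed documentation-range values, the key is made up, and `toy_cipher` is a deliberately insecure stand-in for the real encryption a VPN would use.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str        # sender address written on the envelope
    dst: str        # recipient address written on the envelope
    payload: bytes  # contents of the envelope

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Toy XOR keystream standing in for real VPN encryption. NOT secure."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(inner: Packet, vpn_ip: str, key: bytes) -> Packet:
    """Client side: seal the real packet in an envelope addressed to the VPN."""
    body = f"{inner.src}|{inner.dst}|".encode() + inner.payload
    return Packet(inner.src, vpn_ip, toy_cipher(key, body))

def unwrap(outer: Packet, key: bytes) -> Packet:
    """VPN side: open the outer envelope and recover the real packet."""
    src, dst, payload = toy_cipher(key, outer.payload).split(b"|", 2)
    return Packet(src.decode(), dst.decode(), payload)

def isp_filter(pkt: Packet, blocked: set) -> str:
    """On-path IP blocking: only the visible destination address is checked."""
    return "drop" if pkt.dst in blocked else "forward"

def demo() -> dict:
    # Constructed sample data: RFC 5737 documentation addresses, made-up key.
    blocked = {"203.0.113.10"}
    key = b"constructed-shared-key"
    direct = Packet("192.0.2.5", "203.0.113.10", b"GET /video")
    tunneled = wrap(direct, "198.51.100.7", key)
    return {
        "direct": isp_filter(direct, blocked),        # blocked destination is visible
        "tunneled": isp_filter(tunneled, blocked),    # only the VPN address is visible
        "isp_sees_dst": tunneled.dst,
        "isp_sees_real_dst": b"203.0.113.10" in tunneled.payload,
        "vpn_sees_dst": unwrap(tunneled, key).dst,    # visibility moved to the provider
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last entry is the column's caveat in code form: the VPN endpoint recovers the true destination of every packet, so the browsing history has moved rather than disappeared.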

VPN providers, like ISPs, may sell browsing histories to anyone willing to pay. This is especially true for free VPN services. Like everything on the internet, if you are not paying for it with money, you are paying for it with your privacy. Early this year, it was reported that the US National Security Agency admitted to regularly purchasing data from data brokers, including about its own citizens, in order to avoid having to obtain court orders.

If forgoing VPNs is not an option because of censorship, and using a VPN only moves monitoring of browsing history to someone else, where does the regular internet user go to avoid being tracked? The answer is something called the Tor network, which you can think of as a VPN that uses a VPN, which in turn uses a third VPN, and is completely free. But more on that another time.

Censorship by IP blocking is not the end. Blocking Twitter suggests that censorship is still an objective, but history and recent developments suggest an enhanced scope that includes surveillance.

Most traffic in the early internet was unencrypted, meaning anyone snooping could see a lot of the information being sent across the internet. Gradually, the share of encrypted internet traffic began to rise. In 2011, that percentage stood at around 40 per cent. Today, various sources put encrypted web traffic using the HTTPS protocol (the successor of unencrypted HTTP) between 93 and 96 per cent.

Decrypting an encrypted data stream is not trivial and we can assume that the state does not have this capability. Nevertheless, over time, there is a lot that can be learned from the statistics and metadata of an Internet user's (encrypted) traffic and usage patterns. One of the technologies employed for that is Deep Packet Inspection (DPI). The government has been exploring acquiring DPI capabilities at scale since at least 2011, but the price tag of systems capable of handling traffic at the desired data rates was out of its range. Note that this was around the time reports about the US collecting metadata began emerging.

DPI systems can be deployed to passively analyze traffic on a link by feeding it a mirrored stream. This way, even if the traffic becomes too much and analysis begins to lag behind, there is no effect on the actual flow of internet traffic. Alternatively, DPI solutions can be deployed in-line. Then it becomes critical that each packet be analyzed, and the decision to act (drop the packet) or not (do nothing) be made, without adding significant delay.

Given the current censorship and disruptions (intended or unintended) of websites and services, I would not be surprised if we learn that we are experiencing a poorly planned and executed rollout of some kind of DPI-based system. The people who ordered and are performing the rollout are not forthcoming with any explanations. If the implementation is distributed across ISPs and telcos, they should have definite answers. Yet, in a country where all other news leaks from a sieve, no one is making a peep on this.

The honourable minister of IT&T has not been able to make up her mind about how she wants to explain away these recent disruptions. She has my sympathies because she does not appear to be in charge and is being given bad advice. Meanwhile, the government is scapegoating the poor sharks of the Arabian Sea.

In 2013, a family home in Long Island, NY was raided because the mother had used her work computer to search for a pressure cooker (to make quinoa) and a backpack (for her husband), two items that were used in the Boston Marathon bombing a little earlier. Does this mean it is acceptable for countries to spy on all citizens? No, but there is a difference between taking a closer look at people searching for IED components and making it impossible for an entire country to view the day's cat videos, and right now every internet user in this country is being treated like an enemy.

The writer holds a doctorate from Michigan State University and is the PG Program Director of Computer Science at the University of Birmingham, Dubai. He can be reached at: m.ilyas@bham.ac.uk

Courtesy The News