Public surveillance and security state

Our state has repeatedly proven itself to be spectacularly incapable of keeping data collected from citizens secure and safe from misuse

My father retired as a senior official in the Police Service of Pakistan. Our parents had told my siblings and me since childhood that the state snoops on our phone calls, as a matter of routine. When I made phone calls to friends, often enough, I would hear a very distinct click, which meant that we were being listened to and/or recorded.

When my mother called her sister, *click*! When my brother called his friends, *click*! When my father got calls, *click*! Phone tapping just was there.

On October 24, Umer Ali and Ramsha Jahangir published a very well-researched article titled "Pakistan moves to install nationwide ‘web monitoring system’" (https://codastory.com/authoritarian-tech/surveillance/pakistan-nationwide-web-monitoring/) that has since been blowing up on Twitter. It reports Pakistan’s efforts to outsource web monitoring of Pakistan’s citizens using a technology called Deep Packet Inspection, or DPI, a Canada-based company called Sandvine and a Pakistan-based local partner.

To understand a concept as technical as DPI well enough to break it down for the general reader, I talked to Dr Muhammad Usman Ilyas, an electrical engineer who does research on networking. He explained that DPI involves the inspection and making sense of the packets of bits. Analogies are never perfect but if the packets of data going out and coming in to your computer are letters sent through the postal service, then you can think of DPI as the equivalent of the postal service reading the address label on your incoming and outgoing mail and opening and reading the contents. If the traffic is unencrypted, you essentially have someone sitting in between you and the Internet destination you are communicating with, reading everything.

Fortunately, sensitive communication like emails, online banking, instant messaging, voice/video messaging, etc., is encrypted these days. In a browser you can tell your connection is encrypted from the small, closed lock on the address bar. You can think of encrypted communications as messages exchanged through the postal system, but sent in secure locked boxes. You might think that simply encrypting all traffic would solve all problems. It would certainly improve the privacy of communication, but it is not enough.

While encryption protects the content of communication from prying eyes, it still allows reading of the address label, i.e., a man in the middle can still tell who you are communicating with. You would be shocked how detailed a picture just that information can paint. In a surveillance state like the one we are slowly turning into, that can be enough to hold against you.

This kind of snooping on Internet users happens even without national-scale DPI. Internet Service Providers, or ISPs, in the rest of the world snoop on their customers’ browsing history by monitoring something called ‘DNS requests,’ requests from your computer to translate website addresses to IP addresses. This information is a regular revenue stream for them, and I have no reason to believe that ISPs in Pakistan would lag far behind in this practice.

Ali and Jahangir’s report explains that the government has been trying to put in DPI probes at the national level since 2015. Dr Ilyas said that he was peripherally involved in efforts by the Pakistan Telecommunication Authority (PTA) as far back as 2011, which also included a company in Karachi, and another in the US. The motivation given then, as it is now, (predictably) was to block content deemed "blasphemous," "indecent," "immoral" and "anti-state."

Since then the PTA has been using ham-fisted approaches to block certain websites. The blocking of YouTube from 2012 to 2016 was only the most visible example, making global headlines. According to Ali and Jahangir, the list of websites blocked by the PTA in Pakistan runs approximately 925,000 long. I have little doubt that opponents of this surveillance capability will be smacked down with arguments about threats of terrorism and national security. Nevertheless, there are two major reasons why we should not ignore concerns about this surveillance:

First, our state has a long history of collecting compromising information about politicians and senior bureaucrats/civil servants that is kept handy when anyone steps out of line. Refer to my opening anecdote. Putting in DPI probes to monitor internet traffic amounts to blanket surveillance of everyone in the country, irrespective of whether it is warranted or not.

Second, our state has repeatedly proven itself to be spectacularly incapable of keeping data collected from citizens secure and safe from misuse. For example, consider the security breach of NADRA data involving the Punjab IT Board last year that gave hackers access to information on all citizens for months before it was detected.

Also, a few months ago, pictures taken with the much-trumpeted ‘Smart City’ system were circulating on WhatsApp. The pictures were of people driving in their cars at night, some as harmless as people snuggled up, some with ladies wearing clothes the conservative lot might consider "indecent," and some more compromising than that. In any other country no one would bat an eyelid at them, but the level of filth in the minds of too many makes them scandalous enough and worthy of WhatsApp circulation.

The recent blackmail scandal at the University of Balochistan, Quetta, is another example that demonstrates the laissez-faire attitude of authorities in charge of surveillance systems with regard to data security, privacy and confidentiality.

While the story out of Quetta is still developing, we are yet to hear of anyone having been held responsible for similar breaches on the NADRA/PITB and Smart City stories. That is why I strongly oppose the deployment of DPI or any other surveillance system that makes it too easy for the state to snoop on citizens.

In conclusion, I would like to leave readers with something useful: four simple steps you can take to protect yourself and enjoy a more private browsing experience.

The easiest thing you can do is to install a browser plugin like ‘HTTPS Everywhere.’ If a website supports both unencrypted connections (via the HTTP protocol) and encrypted connections (via HTTPS), it will attempt to connect using encryption.

Ordinarily, when you connect to the Internet, your connection is configured to use the DNS server of whoever is providing you Internet access. However, you can override that DNS server with one of your own choice, anywhere else on the Internet that does not log your requests, and there are several to choose from, e.g., Quad9, DNSWatch, OpenDNS, Cloudflare DNS etc.

Many readers will also be familiar with the use of VPNs from the days that YouTube was blocked in Pakistan. YouTube access was possible because VPN services set up an encrypted connection between your computer and the VPN server, usually somewhere outside Pakistan that serves as an intermediary between your computer and the location you are trying to access.

The communications between you and the VPN server are encrypted and are opaque to a man in the middle, like a state-level DPI system or your ISP. This gives visibility of your browsing habits to the VPN service provider, which is moving the vulnerability downstream, and which is why it is important to pick a trustworthy service provider.

For those who wish to be even more careful and who do not want to put themselves at the mercy of a VPN service provider, there is the Tor network. The Tor network uses a technique called ‘onion routing.’ It is free to use, albeit a little slow and unsuitable for audio and video communication, and can be thought of as three VPN service providers chained together in a row, i.e., having three intermediaries instead of just one.

Your traffic is encrypted three times, passed from the first to the second, to the third along the chain, with the result that the first two do not know where you are sending your data to and where it is coming from. Tor is the communication channel of choice for journalists reporting from countries ruled by authoritarian regimes. If it is good enough for them, it will work for most of us.

The writer is an independent education researcher and consultant. She has a PhD in Education from Michigan State University. She can be reached at arazzaque@gmail.com