Why is Deep Packet Inspection a risk to internet users in Pakistan?
For the past few weeks, the phrase deep packet inspection (DPI) has been circulating quite a bit. However, very few people understand what it means and, more significantly, what risks it poses to our online security. This phrase entered our popular vernacular after recent revelations that the government of Pakistan has acquired DPI technology to monitor digital spaces and employ this technology to implement the Prevention of Electronic Crimes Act (PECA) 2016, particularly the powers of blocking and removing content vested in the Pakistan Telecommunications Authority (PTA) under Section 37.
Why is DPI a risk to internet users in Pakistan? Well, DPI may be used by the government for very invasive surveillance across the board. DPI is a very powerful tool, and in the hands of the State, it has the potential to curtail the average citizen’s right to expression in digital spaces. However, before we explore the rights-based implications of a system such as this, it is important to understand the technology itself.
Before we can talk about what deep packet inspection is, we need to break down what a ‘packet’ is. Everything you do on the internet has something to do with packets. Packets carry vital information relating to the transfer of data and information. They carry data regarding IP addresses and the payload (or actual data). These packets are released whenever you open an email or access a webpage.
As citizens of Pakistan, we should demand that the State make its aims public. It is the interest of our right to privacy and our right to expression that the government should share the extent of its DPI capabilities with the public. They need to answer questions regarding what they can see, as well as what their parameters of surveillance will be.
Most of us have interacted with simple packet filters in the form of internet firewalls. Deep packet inspection takes the basic internet firewall and increases its scope and impact. As the name suggests, this inspection has the ability to see the contents of each packet that passes through a server. It has the ability to do this in real-time and to perform a ‘deep’ analysis of content and information. A lot of sources online compare DPI to opening a sealed envelope and reading the contents of a letter, whereas regular firewalls can only filter based on the sender’s address on the envelope. DPI technology was initially created for managing internet traffic. However, due to how powerful it is, it has major usages in surveillance.
The extent of DPI’s power depends on how one chooses to use it. At a basic level, it can pull out all the packets of information generated from a device using the IP address. DPI can check the entirety of a data packet against predefined rules. Ideally, these rules would relate to malicious software and viruses. However, how the criteria are written is at the discretion of the administrator.
For example, in China, DPI rules are defined in such a way as to track corruption among government officials. It is also used to track anti-state sentiments. They do this by tracking ‘buzz words’, for instance ‘Hong Kong’. The China model is one of the most sophisticated examples of DPI. Its complexity comes from its ambiguity. China uses DPI to track its population in general, however, it is also used to track and watch over specific groups of people.
Some years ago, it was discovered that Iran had also bought DPI capabilities from service providers like Nokia Siemens Security Network. Iran, at the time, did not state why and what it was going to use DPI for. However, it was widely believed that it was for surveillance. With DPI, Iran could spy on internet calls, internet searches and even see the contents of unencrypted emails. Interestingly, the US has also been using similar DPI capabilities. This was partly exposed with the Wikileaks revelations.
In contrast, DPI is used very differently in the European Union. It has been used as part of mechanisms to clamp down on drug trafficking and child pornography. When the EU established their intent, they were also quick to also enforce laws that controlled the use of data. The law enshrines that this data collection is used lawfully and without infringing upon the ordinary citizen’s life. This consideration falls under the ambit of the General Data Protection Regulation (GDPR), a comprehensive set of laws that protect EU citizens and their sensitive data.
In Pakistan, DPI is supposedly being used to implement PECA 2016, particularly filtering and blocking of material deemed to be against the “interest of the glory of Islam, or the integrity, security or defence of Pakistan[..], public order, decency or morality, or in relation to contempt of court or commission or incitement to an offence” under PECA. Unfortunately, this is all the information we have regarding the implementation of DPI in Pakistan. Currently, we do not have details on the intricacies of how the DPI systems will work here.
The company Pakistan is buying the DPI technology from is called Sandvine. They claim to be a ‘network intelligence company’ working out of Canada. According to their website, they have the ability to filter dangerous links and URLs, they can also help manage traffic, thereby protecting selected systems from attacks. Furthermore, their technology allows for the identification of infected devices, and can also notify users of the problem.
Given the dearth of information, it is difficult to say with absolute authority as to what the state can monitor and what it cannot. One thing that comes up in a lot of research is how DPI can break through the encrypted HTTPS protocol that a lot of us rely on for ‘secure’ browsing on the internet. Also, the ability to track VoIP (WhatsApp calls and Skype etc) calls is something that is consistent across all contexts where DPI has been used by the State.
As citizens of Pakistan, we should demand that the State make its aims public. It is in the interest of our right to privacy and our right to free expression that the government should share the extent of its DPI capabilities with the public. They need to answer questions regarding what they can see, as well as what their parameters of surveillance will be. Without giving this information, the State is defining for itself what is considered to fall under PECA laws, thereby stripping people of their basic rights such as privacy which are enshrined in the constitution of Pakistan.
The author is a digital security expert at Digital Rights Foundation.