Violation of Personal Space
Samina W Perozani April 18, 2005
Tags: technology , policy , internet
Remember the aphorism "curiosity killed the cat?" As children, we were told that being needlessly curious doesn’t really pay. If anything, it only confounds your misery once you are older, and hopefully, a little wiser. Of course, all those lectures
about minding your own business and "101 ways to avoid being a Peeping Tom" usually make little or no difference.
When we were kids, we loved going through our sisters’ secret diaries, which can turn into full-blown nosiness with age. Let’s face it - we are sneaky creatures, forever trying to keep an upper hand over other people in every possible way. So, if there is a way to listen to a conversation not meant for us, watch the actions of others surreptitiously and read letters that belong to someone else, we will gladly do so.
It is perhaps for this reason that the Pakistani government’s recent admission, on the floor of the National Assembly, that it monitors and scans all emails in the country did not trigger a public furore. In fact, quite a few people responded lukewarmly to the news: "So what if they are doing it? My emails aren’t particularly exciting, you know," says one of my colleagues when he is asked to comment on the episode. "Besides, do you really think they have the resources to do something like that?"
My colleague may be right. The Pakistani government supposedly does not have the resources to get all emails generated in the country monitored and scanned. "Let’s be practical. The fact of the matter is that the Pakistani government simply cannot do real-time scanning," Dr Altamash Kamal of XIBER.COM (Pvt) Ltd tells Sci-tech World.
"The ISPs can do it for them but even that is quite difficult." Sifting through emails and then storing them would require a "supercomputer with infinite capacity, which is not available right now," explains V.A. Abidi, Secretary of the Internet Service Providers Association of Pakistan (ISPAK). Awais Ahmed Khan Leghari, Minister for Information Technology, initially also tries to dismiss the idea: "It isn’t possible for the Pakistani government to scan all emails, given the volume of internet traffic that is generated in the country.
However, he adds: "But the government has the ability and the right to monitor emails for national security. There is no harm in doing so, for it is happening all over the world. But right now nothing of the sort is happening in Pakistan."
What, then, is all the fuss about if the content of emails cannot be monitored in the country? It all sounds awfully similar to the stuff that conspiracy theories are made of, doesn’t it? Well almost, but not quite because internet users in Pakistan are being monitored through user activity logs.
User activity logs, contrary to popular belief, are not just about billing information and internet usage reports. These logs, as the name suggests, provide information about an internet user’s online activities, which can include anything from the IP addresses of websites visited to the number of times one’s inbox is accessed to destination addresses to which emails are sent. "There are thousands of user activity logs," explains Ansar-ul-Haq, Director and Chief Operating Officer of Cyber Internet Services (Pvt) Ltd. "However, the three basic types include access logs, used for determining the amount of time spent online, proxy logs that determine the IP addresses (websites) visited, and SMTP logs, which provide information about a user’s email."
Mr Haq says all ISPs in Pakistan keep user activity logs for a period of one month. The reason? Security, which makes sense because, given the increasing rate of cyber crimes all over the world, it’s only fair for ISPs in Pakistan to keep track of the users’ online activities and to do their bit in fighting hackers and terrorists.
Make no mistake, however, as the ISPs do not maintain user logs because they want to but because they have to. "For a while now, the Pakistan Telecommunication Authority has been pressurizing ISPs to maintain user logs," points out Mr Haq.
Interestingly enough, the legal provisions under which the PTA is making ISPs maintain user logs remain rather ambiguous. So while the Electronic Transactions Ordinance 2002 forbids access to private electronic communication, apparently this does not apply to people who are "authorized to gain access." It is perhaps for this reason that PTA feels obligated to behave in the manner it does.
To be sure, the Pakistan Telecommunication (Re-organization) Act 1996 does speak of the primacy of national security but in rather vague terms: "The Federal government may, as and when it considers necessary, issue policy directives to (PTA)...on matters relating to telecommunication policy... .
"The matters on which the Federal government may issue policy directives shall be...(among others) the requirements of national security and of relationships between Pakistan and the Government of any other country or territory outside Pakistan."
How does the PTA force ISPs to fall in line then? Consider Section 21(4)(c) of the same Act, which says: "Every licence granted under this Act may, inter alia, contain...conditions requiring the licensee to allow inspection by the Authority of any premises or telecommunication equipment, wherever situated, and to furnish to the Authority such information as may be required by the Authority."
Meanwhile, the absence of clear provisions over the issue has perhaps prompted the government to include, in the final draft for the Electronic Crimes Bill 2004, the following words: "The Federal government may compel a service provider, within its existing or required technical capability, to collect or record through the application of technical means or to cooperate and assist any law enforcement or intelligence agency in the collection or recording of traffic data in real-time, associated with specified communications transmitted by means of an electronic system."
The draft bill, following due vetting, has been forwarded to the cabinet for approval, Mr Leghari tells Sci-tech World. "The bill is expected to be adopted for implementation shortly."
Once enforced, the bill will provide all regulatory bodies and government agencies with the much-needed legal cover to peek through emails (among other things). In fact, real-time monitoring of emails will not remain a distant possibility, if and when the bill is enforced.
However, an anonymous source claims that even today, the content of emails is being monitored. "This isn’t a distant possibility. This is already happening. There are at least two places in Pakistan where the content of all emails is screened carefully."
Not only that but, says Mr Abidi of ISPAK, there are organizations which keep all emails in a compressed form. It appears, then, that email scans are not just conceivable but they are a sad truth which most of us are unable to come to terms with. Evidently, Big Brother has already sneaked his way into Pakistan and is here to stay, whether we like it or not.
Even though most ISPs try to defend their actions by claiming that maintaining user logs is standard practice and is done all over the world, isn’t this a violation of an individual’s personal space? Is it too much to ask for online privacy simply because it does not exist anywhere in the world?
"These logs must be maintained for security reasons," points out Mr Abidi. "ISPs must do whatever they can to fight crime and protect national interest." Mr Haq seems to concur, but at the same time, he feels that there are certain problems which the government has failed to address so far.
For starters, the Pakistani government does not provide a well-defined mechanism under which information may be procured by the concerned agencies. "There is no framework in place, no governing body that oversees all issues related to cyber crime and internet security," laments the owner of an ISP, who also chooses to remain anonymous. "There is no harm for us in providing such information but we need to know the mechanism by which we are supposed to do so."
As mentioned, the authorities have thus far been unable to formulate required provisions, which means that just about anyone who is a member of a law-enforcing agency can seek information from an ISP. Although ISPAK maintains that it works under the Evidence Act (that is, whenever a policeman or an officer from a similar agency asks for specific user log information, it demands proof of any suspicious activity before handing the data over) many ISPs complain that security officials visit them all too frequently to demand various pieces of information.
"I try my best to ward off such ridiculous demands. In fact, PTA and ISI officials have often harassed and threatened people here at Cyber.Net because we refuse to comply," says Mr Haq candidly. "We will provide them with information only if they have relevant documents or at least some sort of incriminating evidence. How can we be expected to hand over information just like that?"
Mr Haq’s grievances hold water but Dr Kamal feels a little differently on the subject: "These ISPs really don’t have a choice. The licence agreements issued by PTA clearly mention that ISPs must provide them with such information, whenever they are asked to do so. Thus, it’s unfair to blame the ISPs for everything." As with most other things in Pakistan, it seems, survival takes precedence over moral and ethical norms and so ISPs must do whatever they can to stay afloat.
In spite of all this, one would have thought that at least some Pakistani ISPs are relatively more secure than others. That, of course, may be wishful thinking because chances are that if you are online, then someone out there knows the exact details of your activities. All ISPs, networks and email accounts are reportedly vulnerable, regardless of the service that you subscribe to:
"There is no security. Gmail may perhaps give a hard time to the officials but even their security system can be breached if one is persistent enough," clarifies Dr Kamal. So, while most ISPs and web-based email service providers make tall claims about superior security, these are just that - tall claims. Why wouldn’t these be, for ISPs are required to provide their encryption keys to relevant authorities, whenever the need arises.
"There isn’t much that anyone can do about it. If you want to function as an ISP, you have to do their bidding. There is simply no way to get around it," confides another anonymous source. At best, this is a form of "benevolent dictatorship," reminiscent of the British monarchy’s imperialist days.
It all bodes very well for national security. But, what about consumer interests? What about the infringement of one’s privacy? Most importantly, where do we draw the line? When is it all right for ISPs to give user logs and other information to government agencies?
The parameters are blurred and there is no method to this madness. At the very least, if government agencies feel compelled to monitor emails and to seek confidential information from ISPs, they should, if nothing else, do it the right way.
previously published in Sci-tech World (April 9, 2005), Dawn’s weekly magazine on science and technology
When we were kids, we loved going through our sisters’ secret diaries, which can turn into full-blown nosiness with age. Let’s face it - we are sneaky creatures, forever trying to keep an upper hand over other people in every possible way. So, if there is a way to listen to a conversation not meant for us, watch the actions of others surreptitiously and read letters that belong to someone else, we will gladly do so.
It is perhaps for this reason that the Pakistani government’s recent admission, on the floor of the National Assembly, that it monitors and scans all emails in the country did not trigger a public furore. In fact, quite a few people responded lukewarmly to the news: "So what if they are doing it? My emails aren’t particularly exciting, you know," says one of my colleagues when he is asked to comment on the episode. "Besides, do you really think they have the resources to do something like that?"
My colleague may be right. The Pakistani government supposedly does not have the resources to get all emails generated in the country monitored and scanned. "Let’s be practical. The fact of the matter is that the Pakistani government simply cannot do real-time scanning," Dr Altamash Kamal of XIBER.COM (Pvt) Ltd tells Sci-tech World.
"The ISPs can do it for them but even that is quite difficult." Sifting through emails and then storing them would require a "supercomputer with infinite capacity, which is not available right now," explains V.A. Abidi, Secretary of the Internet Service Providers Association of Pakistan (ISPAK). Awais Ahmed Khan Leghari, Minister for Information Technology, initially also tries to dismiss the idea: "It isn’t possible for the Pakistani government to scan all emails, given the volume of internet traffic that is generated in the country.
However, he adds: "But the government has the ability and the right to monitor emails for national security. There is no harm in doing so, for it is happening all over the world. But right now nothing of the sort is happening in Pakistan."
What, then, is all the fuss about if the content of emails cannot be monitored in the country? It all sounds awfully similar to the stuff that conspiracy theories are made of, doesn’t it? Well almost, but not quite because internet users in Pakistan are being monitored through user activity logs.
User activity logs, contrary to popular belief, are not just about billing information and internet usage reports. These logs, as the name suggests, provide information about an internet user’s online activities, which can include anything from the IP addresses of websites visited to the number of times one’s inbox is accessed to destination addresses to which emails are sent. "There are thousands of user activity logs," explains Ansar-ul-Haq, Director and Chief Operating Officer of Cyber Internet Services (Pvt) Ltd. "However, the three basic types include access logs, used for determining the amount of time spent online, proxy logs that determine the IP addresses (websites) visited, and SMTP logs, which provide information about a user’s email."
Mr Haq says all ISPs in Pakistan keep user activity logs for a period of one month. The reason? Security, which makes sense because, given the increasing rate of cyber crimes all over the world, it’s only fair for ISPs in Pakistan to keep track of the users’ online activities and to do their bit in fighting hackers and terrorists.
Make no mistake, however, as the ISPs do not maintain user logs because they want to but because they have to. "For a while now, the Pakistan Telecommunication Authority has been pressurizing ISPs to maintain user logs," points out Mr Haq.
Interestingly enough, the legal provisions under which the PTA is making ISPs maintain user logs remain rather ambiguous. So while the Electronic Transactions Ordinance 2002 forbids access to private electronic communication, apparently this does not apply to people who are "authorized to gain access." It is perhaps for this reason that PTA feels obligated to behave in the manner it does.
To be sure, the Pakistan Telecommunication (Re-organization) Act 1996 does speak of the primacy of national security but in rather vague terms: "The Federal government may, as and when it considers necessary, issue policy directives to (PTA)...on matters relating to telecommunication policy... .
"The matters on which the Federal government may issue policy directives shall be...(among others) the requirements of national security and of relationships between Pakistan and the Government of any other country or territory outside Pakistan."
How does the PTA force ISPs to fall in line then? Consider Section 21(4)(c) of the same Act, which says: "Every licence granted under this Act may, inter alia, contain...conditions requiring the licensee to allow inspection by the Authority of any premises or telecommunication equipment, wherever situated, and to furnish to the Authority such information as may be required by the Authority."
Meanwhile, the absence of clear provisions over the issue has perhaps prompted the government to include, in the final draft for the Electronic Crimes Bill 2004, the following words: "The Federal government may compel a service provider, within its existing or required technical capability, to collect or record through the application of technical means or to cooperate and assist any law enforcement or intelligence agency in the collection or recording of traffic data in real-time, associated with specified communications transmitted by means of an electronic system."
The draft bill, following due vetting, has been forwarded to the cabinet for approval, Mr Leghari tells Sci-tech World. "The bill is expected to be adopted for implementation shortly."
Once enforced, the bill will provide all regulatory bodies and government agencies with the much-needed legal cover to peek through emails (among other things). In fact, real-time monitoring of emails will not remain a distant possibility, if and when the bill is enforced.
However, an anonymous source claims that even today, the content of emails is being monitored. "This isn’t a distant possibility. This is already happening. There are at least two places in Pakistan where the content of all emails is screened carefully."
Not only that but, says Mr Abidi of ISPAK, there are organizations which keep all emails in a compressed form. It appears, then, that email scans are not just conceivable but they are a sad truth which most of us are unable to come to terms with. Evidently, Big Brother has already sneaked his way into Pakistan and is here to stay, whether we like it or not.
Even though most ISPs try to defend their actions by claiming that maintaining user logs is standard practice and is done all over the world, isn’t this a violation of an individual’s personal space? Is it too much to ask for online privacy simply because it does not exist anywhere in the world?
"These logs must be maintained for security reasons," points out Mr Abidi. "ISPs must do whatever they can to fight crime and protect national interest." Mr Haq seems to concur, but at the same time, he feels that there are certain problems which the government has failed to address so far.
For starters, the Pakistani government does not provide a well-defined mechanism under which information may be procured by the concerned agencies. "There is no framework in place, no governing body that oversees all issues related to cyber crime and internet security," laments the owner of an ISP, who also chooses to remain anonymous. "There is no harm for us in providing such information but we need to know the mechanism by which we are supposed to do so."
As mentioned, the authorities have thus far been unable to formulate required provisions, which means that just about anyone who is a member of a law-enforcing agency can seek information from an ISP. Although ISPAK maintains that it works under the Evidence Act (that is, whenever a policeman or an officer from a similar agency asks for specific user log information, it demands proof of any suspicious activity before handing the data over) many ISPs complain that security officials visit them all too frequently to demand various pieces of information.
"I try my best to ward off such ridiculous demands. In fact, PTA and ISI officials have often harassed and threatened people here at Cyber.Net because we refuse to comply," says Mr Haq candidly. "We will provide them with information only if they have relevant documents or at least some sort of incriminating evidence. How can we be expected to hand over information just like that?"
Mr Haq’s grievances hold water but Dr Kamal feels a little differently on the subject: "These ISPs really don’t have a choice. The licence agreements issued by PTA clearly mention that ISPs must provide them with such information, whenever they are asked to do so. Thus, it’s unfair to blame the ISPs for everything." As with most other things in Pakistan, it seems, survival takes precedence over moral and ethical norms and so ISPs must do whatever they can to stay afloat.
In spite of all this, one would have thought that at least some Pakistani ISPs are relatively more secure than others. That, of course, may be wishful thinking because chances are that if you are online, then someone out there knows the exact details of your activities. All ISPs, networks and email accounts are reportedly vulnerable, regardless of the service that you subscribe to:
"There is no security. Gmail may perhaps give a hard time to the officials but even their security system can be breached if one is persistent enough," clarifies Dr Kamal. So, while most ISPs and web-based email service providers make tall claims about superior security, these are just that - tall claims. Why wouldn’t these be, for ISPs are required to provide their encryption keys to relevant authorities, whenever the need arises.
"There isn’t much that anyone can do about it. If you want to function as an ISP, you have to do their bidding. There is simply no way to get around it," confides another anonymous source. At best, this is a form of "benevolent dictatorship," reminiscent of the British monarchy’s imperialist days.
It all bodes very well for national security. But, what about consumer interests? What about the infringement of one’s privacy? Most importantly, where do we draw the line? When is it all right for ISPs to give user logs and other information to government agencies?
The parameters are blurred and there is no method to this madness. At the very least, if government agencies feel compelled to monitor emails and to seek confidential information from ISPs, they should, if nothing else, do it the right way.
Times viewed:4248
interact 
read comments 5
Similar Articles
- Let’s not Barter Away Our Food Security for GM Crops Kamal Siddiqi
- What Ails the BPO Industry in Pakistan? Noman Faisal
- Electric Illusion Fozan Zahoor
- Computer Literated: Writing Preliterated? Junaid Sadiq
- An Interview with Avnish Bajaj Rakesh Mani
US Elections 2008 Primaries
Get Chowk RSS FeedTHEMES
Latest Interacts
- hamidm2: here is how you... Dr Afia Siddiqui's Case
- masadi: Maj writes "I am... There is no ‘honour’
- tahmed32: hamidm: i am not... US Commando Strike in
- tahmed32: #157 thanks for your... US Commando Strike in
- Cobra: Ironic thing is B'deshi... Is Mumbai a hub
- quest: Re: # 5 one extreme... Dr Afia Siddiqui's Case
- Dinaric: Re: # 4 Loha The... Is Mumbai a hub
- iron_mask: okay Uppal, tell us... Is Mumbai a hub
