
SANS Internet Storm Center InfoSec Forums: Data Encryption Ban? Really?

Data Encryption Ban? Really?

On Friday an article appeared on techdirt.com claiming that Pakistan is trying to ban encryption under its new Telco law.
In the article the author suggests that encryption is "really just a form of speech" and that "trying to ban encryption is
like trying to ban language".

I find the banning of encryption interesting in light of the number of United States compliance standards and laws governing
the use of encryption to protect financial data (PCI) and medical records (HIPAA), among others. These laws require that the
data be protected at rest and in transit. Does the proposed Telco Law in Pakistan mean that the US will not be able to
exchange data with them? How will laws like this affect world trade?

All of the work that has been done to establish a world economy could come crashing down if laws like this stand. It will be
interesting to see how this develops. Many businesses today operate on the Internet, and many are moving to the cloud. These businesses and organizations need to protect their data to protect their financial stability. So in this Handler's opinion, a ban on encryption will never happen. Others may not agree with me. Let me hear from you. Can we or should we ban encryption?

www.techdirt.com/articles/20110729/03142715310/reports-claim-that-pakistan-is-trying-to-ban-encryption-under-telco-law.shtml


Deb Hale

Deborah

278 Posts
ISC Handler
That would mean the end of any SSL web site in Pakistan. That, in itself, would seem to make it a no-go. I can't imagine banks and the like liking that at all.
Bill

5 Posts
From the document at : http://www.pta.gov.pk/media/monitoring_telephony_traffic_reg_070510.pdf

Page 5, 5.6

The Licensee(s) and Access Provider shall ensure that signaling information
is uncompressed, unencrypted and not formatted in a manner which the
installed monitoring system is unable to decuipher using installed
capabilities.

So I guess they could still use SSL, but intercept it (and take the entire point of SSL away).

The document also states that this must be in place 120 days after its publication, which was March 15, 2010.
gs

1 Posts
Not really a great surprise!
Globally, the government and intelligence agency juggernauts seem to be inexorably moving towards mandatory decryption and/or key disclosure (or they throw you in jail until you do - now where have I heard this before?) -or- they ban anything that will deny them access to any electronic media or communication.

Remember the UAE ban on BlackBerry?
Karl

14 Posts
I think that encryption is a point of dynamic tension between the corporate world which wants/needs to have data be private and (parts of) governments which want to know everything.

Some people might suggest that it's ok if it's only the government that knows the key - as long as it's not a market competitor or something. But that's like saying that your firewall is perfectly secure, after all the only open port is port 80...

Personally, I vote for privacy.
Tim

3 Posts
My opinion is this regulation doesn't actually ban encryption; it says signalling information must be provided unencrypted. In the telco world, "Signalling" information refers to such information as the originating number and the terminating number of the phone call; there doesn't appear to be any mention that the "payload transmitted over the channel" cannot contain any encrypted information.

Signalling information is data transmitted between point A and point B on the provider's telco network that the end users never see; some signalling info is exchanged between carriers for billing. If you have, say, an internet connection on an OC48, you the end user never see the signalling information, how your circuit is built, or what path through the telco network it takes; only the telco sees these signalling details.



"The Licensee(s) and Access Provider shall ensure that signaling information is uncompressed, unencrypted and not formatted in a manner which the installed monitoring system is unable to decuipher using installed capabilities."

Is that what this is about, really?
"Licensees for the purpose of these regulations the licensee means LDI, Infrastructure and/or Landing Station License"

"LDI: ... a person licensed under the act to establish, maintain and operate a public fixed switched network for provision of nation-wide long distance and international telephony"

"Landing Station License... an authorization granted by the authority to establish, maintain and operate private or public landing station.... which it connects Pakistan directly or indirectly with foreign countries.. in Pakistan"


Where do we see any discussion/regulation about contents of _user transmitted data_, IP headers, datagram contents, etc?

Mysid

146 Posts
Wasn't PGP under export laws by the USA? Data Encryption Ban? Really? ;-)

Mysid
27 Posts
The Pakistani government is renowned for its exercise of poor judgment. When a purported 'ally' harbors the likes of OBL, I think trade considerations are the least of our concerns. This is similar to the tree that falls in the forest... If Pakistan bans encryption, will anyone notice? ... or care?
Kilroy

4 Posts
I would say this is exactly how a rumor mill works. The story was tweeted and then it caught fire - apparently very few people actually looked at the law that it was referring to. Here are some of my observations on the story:

1 - This is a 16 month old law.
2 - The intent was to monitor and control grey traffic - traffic which is illegal in one country while legal in other. VoIP essentially. The pdf also indicates to that monitoring telephony traffic!!
3 - It does not talk about banning any sort of traffic. However it does talk about moving the traffic that cannot be converted to approved standard for archival at the Authority - this would be the encrypted traffic. Still it does not say it should be blocked by default.
4 - The law it seems is designed to control illegal VoIP operators, to ensure the licensed parties are not put at a disadvantage - however the technology required by this law can be of dual use. This part is most alarming. Privacy is the major concern as Bill indicated in his post.
5 - Concerns should be if in US such powers resulted in abuse - what can we expect in a nation which has much lower legal standards and almost no oversight. What happens to the right of the citizens to privacy?
6 - I do not think this will result in banning of encryption in Pakistan - I highly doubt that and definitely this law does not indicate as such.
7 - We should also perhaps look into how rumors are started, especially through social media, and what their net effect is on our understanding of the issues.
Kilroy
1 Posts