Not so fast. Recall that India has implemented a similar regulation. Remember the whole dispute with RIM a while back? From the linked article:
the ISP license also bans internet providers from deploying 'bulk encryption' and further restricts the level of encryption for individuals, groups or organisations to a key length of only 40 bits in symmetric key algorithms or equivalents. Such weak encryption is easily broken, highly insecure and not suitable for e-commerce or any other sensitive applications. For the use of encryption equipment stronger than 40 bits, individuals, groups or organisations are required to obtain prior written permission and to deposit the decryption key, split into two parts, with the Department of Telecommunications.
IANANE, but the regulation does not appear to be as limited as you suggest. Part II, Section 4, Clause 5 states:
All landing station and infrastructure licensee(s) shall establish a Monitoring System with its interface to the Authority . . . for the purpose of monitoring of telecommunications traffic (voice and data) within one hundred and twenty (120) days . . . .
And later on in clause (6) it requires each system to have "the following features:"
Capability to monitor, control, measure and record traffic in real-time
The clause you are referring to (and the only reference to encryption) occurs on the next page:
The Licensee(s) and Access Provider shall ensure that signaling information is uncompressed, unencrypted, and not formatted in a manner which the installed monitoring system is unable to decipher using installed capabilities.
But the limitation of this clause to signaling information seems to conflict with the earlier statement that the monitoring system must be capable of recording voice and data traffic in real time. I suppose you could argue that turning over the encrypted stream is sufficient, but I wouldn't want to hang my hat on that.
It'll be interesting to see how this is enforced. My guess will be that if they take the position that it applies to VPNs, it will not be enforced against the foreign visitor. There are many internet cafes in Pakistan and many hotels with internet service so there would be a huge logistical problem to enforce it. Sadly, Pakistanis and long-term ex-pats who use a VPN from their home or office could be targeted, especially if they are government opponents or dissidents.
I've always considered Egypt to be one of the more progressive Muslim states
Whaaaaat? Egypt is ruled by a dictator that tolerates no dissent. There has been a state of emergency there for 44 years! Let's see, where to start. In 2009, the U.S. Department of State Human Rights report had this to say:
Police, security personnel, and prison guards often tortured and abused prisoners and detainees, sometimes in cases of detentions under the Emergency Law, which authorizes incommunicado detention indefinitely, subject to a judge's ruling.
and
Police and the SSIS reportedly employed torture methods such as stripping and blindfolding victims; suspending victims by the wrists and ankles in contorted positions or from a ceiling or door frame with feet just touching the floor; beating victims with fists, whips, metal rods, or other objects; using electric shocks; dousing victims with cold water; sleep deprivation; and sexual abuse, including sodomy. There was evidence that security officials sexually assaulted some victims or threatened to rape them or their family members. Human rights groups reported that the lack of legally required written police records often effectively blocked investigations.
It just goes on and on. And, keep in mind, the U.S. DOS reports tend to be very conservative, so when this stuff ends up in a DOS report, things on the ground are much, much worse.
Enter the Monkeysphere, a project that leverages the GPG web of trust to build trust paths for secure browsing (among other uses). From the site:
When you direct the browser to an https site using the Monkeysphere plugin and validation agent, if the certificate presented by the site does not pass the default browser validation (using standard, hierarchical X.509), the certificate and site URL are passed to the validation agent. The agent then checks the public keyservers for keys with UIDs matching the site url (e.g. https://zimmermann.mayfirst.org/). If there is a trust path to that key, according to your own OpenPGP trust designations, the certificate is considered valid, and a browser 'security exception' is put in place to allow connections to the site.
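The fallback check quoted above, sketched as an added example (not Monkeysphere's code and not part of the original comment). The keyring, fingerprints and URLs are constructed, the trust calculation is a simplified version of the classic GnuPG model (1 full or 3 marginal introducers, depth 5), and requiring the certificate's key to match the OpenPGP key is an assumption of this sketch.

```python
from collections import namedtuple

# signed_by: fingerprints of keys that certified this key's UID (constructed data)
Key = namedtuple("Key", "fpr uids signed_by")
FULL, MARGINAL = "full", "marginal"
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_DEPTH = 1, 3, 5  # GnuPG classic defaults

def valid_keys(keyring, my_fpr, ownertrust):
    """Fingerprints reachable by a trust path from the user's own key."""
    valid = {my_fpr}
    trusted = {my_fpr: FULL}          # valid keys whose certifications count
    for _ in range(MAX_DEPTH):        # each pass extends paths by one hop
        newly = set()
        for key in keyring.values():
            if key.fpr in valid:
                continue
            signers = [s for s in key.signed_by if s in trusted]
            full = sum(trusted[s] == FULL for s in signers)
            marginal = sum(trusted[s] == MARGINAL for s in signers)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly.add(key.fpr)
        if not newly:
            break
        valid |= newly
        # A newly valid key becomes an introducer only if the user said so.
        trusted.update({f: ownertrust[f] for f in newly if f in ownertrust})
    return valid

def agent_validate(site_url, cert_key_fpr, keyring, my_fpr, ownertrust):
    """True if a valid key with a UID equal to the URL matches the cert's key."""
    valid = valid_keys(keyring, my_fpr, ownertrust)
    return any(site_url in k.uids and k.fpr == cert_key_fpr and k.fpr in valid
               for k in keyring.values())

KEYRING = {k.fpr: k for k in [
    Key("ME", ["me"], []),
    Key("A", ["alice"], ["ME"]),
    Key("M1", ["bob"], ["ME"]),
    Key("M2", ["dave"], ["ME"]),
    Key("S1", ["https://example.org"], ["A"]),            # one full introducer
    Key("S2", ["https://other.example"], ["M1", "M2"]),   # only two marginals
    Key("X", ["https://example.org"], ["X"]),             # self-signed look-alike
]}
OWNERTRUST = {"A": FULL, "M1": MARGINAL, "M2": MARGINAL}

if __name__ == "__main__":
    for url, fpr in [("https://example.org", "S1"), ("https://example.org", "X"),
                     ("https://other.example", "S2")]:
        print(url, fpr, agent_validate(url, fpr, KEYRING, "ME", OWNERTRUST))
```

A key that merely carries the right UID, like the self-signed "X" here, gains nothing: anyone can upload such a key to a keyserver, so the decision rests entirely on certifications from introducers the user has chosen.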
I care deeply about personal privacy for the same reason I care deeply about gun rights - chances are that I will never carry a weapon in my life, but our society as a whole is made safer and more resilient by the fact that law-abiding citizens can own and use them in self defense.
Ummm, yeah, the shooter who killed 14 in NY state "had a permit for two handguns and wore body armor, indicating he was prepared for a confrontation with police."
source.