Not so fast. Recall that India has implemented a similar regulation. Remember the whole dispute with RIM a while back? From the linked article:

the ISP license also bans internet providers from deploying 'bulk encryption' and further restricts the level of encryption for individuals, groups or organisations to a key length of only 40 bits in symmetric key algorithms or equivalents. Such weak encryption is easily broken, highly insecure and not suitable for e-commerce or any other sensitive applications. For the use of encryption equipment stronger than 40 bits, individuals, groups or organisations are required to obtain prior written permission and to deposit the decryption key, split into two parts, with the Department of Telecommunications.

IANANE, but the regulation does not appear to be as limited as you suggest. Part II, Section 4, Clause 5 states:

All landing station and infrastructure licensee(s) shall establish a Monitoring System with its interface to the Authority . . . for the purpose of monitoring of telecommunications traffic (voice and data) within one hundred and twenty (120) days . . . .

And later on in clause (6) it requires each system to have "the following features:"

Capability to monitor, control, measure and record traffic in real-time

The clause you are referring to (and the only reference to encryption) occurs on the next page:

The Licensee(s) and Access Provider shall ensure that signaling information is uncompressed, unencrypted, and not formatted in a manner which the installed monitoring system is unable to decipher using installed capabilities.

But the limitation of this clause to signaling information seems to conflict with the earlier statement that the monitoring system must be capable of recording voice and data traffic in real time. I suppose you could argue that turning over the encrypted stream is sufficient, but I wouldn't want to hang my hat on that.

It'll be interesting to see how this is enforced. My guess will be that if they take the position that it applies to VPNs, it will not be enforced against the foreign visitor. There are many internet cafes in Pakistan and many hotels with internet service so there would be a huge logistical problem to enforce it. Sadly, Pakistanis and long-term ex-pats who use a VPN from their home or office could be targeted, especially if they are government opponents or dissidents.

Whaaaaat? Egypt is ruled by a dictator that tolerates no dissent. There has been a state of emergency there for 44 years! Let's see, where to start. In 2009, the U.S. Department of State Human Rights report had this to say:

and

It just goes on and on. And, keep in mind, the U.S. DOS reports tend to be very conservative, so when this stuff ends up in a DOS report, things on the ground are much, much worse.

Enter the Monkeysphere, a project that leverages the GPG web of trust to build trust paths for secure browsing (among other uses). From the site:

When you direct the browser to an https site using the Monkeysphere plugin and validation agent, if the certificate presented by the site does not pass the default browser validation (using standard, hierarchical X.509), the certificate and site URL are passed to the validation agent. The agent then checks the public keyservers for keys with UIDs matching the site url (e.g. https://zimmermann.mayfirst.org./ If there is a trust path to that key, according to your own OpenPGP trust designations, the certificate is considered valid, and a browser 'security exception' is put in place to allow connections to the site.