CENSORS
pk Pakistan
Surveillance and filtering infrastructure built with Chinese vendor technology (Geedge/MESA-derived) plus European and Emirati products, per the 2025 Amnesty report.
Synonyms: PK
5 papers on file
- 2025-amnesty-pakistan-shadows Shadows of Control: Censorship and mass surveillance in Pakistan
- 2025-habib-examining Examining Leading Pakistani Mobile Apps
- 2016-aceto-analyzing Analyzing Internet Censorship in Pakistan
- 2014-khattak-look A Look at the Consequences of Internet Censorship Through an ISP Lens
- 2013-nabi-anatomy The Anatomy of Web Censorship in Pakistan
34 findings tagged here
- Of 6,915,266 domains extracted from the 572 GiB Geedge Networks Leak (GNL), 298,955 censored domains (93.7% of all GNL-censored domains) appear in neither Tranco top-1M nor CitizenLab test lists. Measurements across China (Guangzhou/Nanjing), Myanmar, Pakistan, and Algeria confirmed censorship via DNS injection and SNI-based TLS connection termination. The GNL covers 25–62% of Tranco-censored domains across countries, showing substantial but incomplete overlap. This vendor-side ground truth reveals a censorship surface roughly two orders of magnitude larger than curated academic test lists.
- The GNL reveals that Geedge actively maintains dedicated VPN-infrastructure tracking datasets. The China-specific component includes 7,016 domains in a "vpn-finder-plugins" repository (mesalab_git/intelligence-learning-engine), 4,810 NordVPN server domains, and a Pakistan-specific file listing 68 Psiphon CDN domains (geedge_docs/TSGEN/.../Psiphon-CDN_20240430.json) dated April 2024. A Myanmar deployment file (M22-VPN List.html, 27 domains) further confirms country-specific VPN blocklists are operationally maintained. The "Appsketch" program reverse-engineers VPN apps to extract domains and IP addresses for blocking.
- The report documents IMSI-catcher and mobile-network interception deployments in Pakistan that complement fixed-line DPI infrastructure. Mobile broadband users (the dominant internet access mode in Pakistan) face surveillance at both the carrier level and via OTT platform coercion, with major platforms (YouTube, Twitter/X, TikTok) receiving and complying with blocking and content takedown orders from PTA, reducing the scope of accessible content even for users not running circumvention tools.
- Pakistan's PECA (Prevention of Electronic Crimes Act) and PTA (Pakistan Telecommunication Authority) regulations grant authority to block content without court orders, enabling the deployment of a persistent national filtering infrastructure. The report documents 11,000+ URLs blocked by PTA and confirms that VPN use and circumvention tools are among the targeted categories, with blocking orders issued under national security grounds.
- Amnesty International's 102-page investigation identifies a multi-vendor surveillance stack deployed in Pakistan: Chinese DPI (Geedge/MESA-derived), Canadian social-media monitoring (Netsweeper), and Emirati commercial spyware (Pegasus and FinFisher). The system enables deep packet inspection, SNI-based filtering, and traffic-shape classification at national scale, including targeted interception of encrypted messaging apps and VPN traffic.
- Internal Geedge documents confirm active contracts to deploy GFW-derived censorship and surveillance infrastructure in Myanmar, Pakistan, Ethiopia, Kazakhstan, and at least one additional unidentified country under the Belt and Road framework, in addition to domestic deployments in Xinjiang, Jiangsu, and Fujian. The exported product (the Tiangou Secure Gateway / TSG line) is not a stripped-down export variant — leaked TSG documentation shows DPI, active-probing, ML classifiers, and granular per-region traffic control rules that mirror the domestic GFW capability set.
- InterSecLab frames the Geedge/TSG export program as the commoditization of national firewall capability: rather than each censor state independently developing detection infrastructure, they contract Geedge for a turnkey system incorporating the cumulative R&D of MESA Lab (>10 years, National Science and Technology Progress Award winners). This structural shift means the marginal cost for an autocratic government to acquire GFW-grade censorship is now a procurement decision, not a multi-year engineering program. The report identifies that Geedge's relationship with the MESA Lab gives customer states indirect access to ongoing academic R&D improvements, not just a static product.
- InterSecLab's 76-page analysis of the Geedge/MESA leak (based on nine months of indexing and translating >100,000 documents) characterizes the Tiangou Secure Gateway (TSG) product line as a commercially deployable detection stack that combines deep packet inspection, real-time mobile subscriber monitoring, active probing, ML-based traffic classifiers, and granular per-region rule sets. TSG is not a research prototype — leaked documentation includes deployment timelines and client government interactions for Kazakhstan, Ethiopia, Pakistan, Myanmar, and one unnamed country, with censorship rules explicitly tailored to each region.
- FilterMap identified 90 blockpage clusters from 90 vendors and actors across 103 countries using 374 million measurements from ~45,000 vantage points against 18,736 sensitive domains; 87 of these signatures were previously unknown. Commercial filters were detected in 36 out of 48 countries rated 'Not Free' or 'Partly Free' by Freedom House, with Fortinet alone present in at least 60 countries.
- The 30 key ASes computed from globally popular sites also intercept over 90% of paths to country-specific popular sites in nine censorious nations (China, Venezuela, Russia, Syria, Bahrain, Pakistan, Saudi Arabia, Egypt, Iran), covering 93.3% of paths to the top-50 country-specific sites. The same key AS set remained stable across repeated experiments conducted four months apart, suggesting durability over time.
- China's Great Firewall adds sites to its blacklist within hours of their becoming newsworthy and drops them again just as quickly; conversely, Pakistan's pornography crackdown used a rarely-updated blocklist, causing 50% of consumption to shift to unlisted sites. An outdated probe list will therefore underestimate GFW effectiveness and overestimate effectiveness in countries with static lists.
- Time-series analysis across five ISPs over six months reveals a near-universal stasis in January–February where blocklist changes were negligible for all ISPs, followed by significant fluctuations (e.g., a +20–35% swing in TCP unreachability between February and March for PTCL, Wateen, Qubee, and WiTribe). A ubiquitous drop in TCP-unreachability outcomes occurred December–January, suggesting a seasonal or policy-driven relaxation followed by re-tightening.
- DNS tampering in Pakistan takes at least two distinct sub-forms: WiTribe and Nayatel redirect blocked domains to explicit block-page IPs (DNS resolution returns a routable address that serves a block page), while PTCL returns both failing IPs and explicit block pages, indicating that PTCL applies DNS tampering without user notification in some cases (NXDOMAIN-like) and with a block page in others. Qubee passes DNS entirely and applies content-level HTTP tampering at roughly 80% of measurements for blocked URLs.
- Across five Pakistani ISPs measured over six months (Oct 2013–Mar 2014), censorship splits cleanly by ISP: WiTribe, PTCL, and Nayatel block via DNS tampering, while Wateen and Qubee block via HTTP content tampering. The two techniques do not overlap within a single ISP, demonstrating that Pakistan's censorship infrastructure is ISP-heterogeneous rather than centrally normalized.
- A closed university survey of 64 Pakistani users found that 51% evade censorship using VPNs (Hotspot Shield being the most prominent), 25% use web proxies, 17% use Tor/onion routing, and approximately 7.2% use CDNs, mirror sites, search-engine caches, or web-based DNS lookup services.
- For the same blocked resource (YouTube) in Pakistan, UBICA found at least three distinct ISP-level techniques in parallel: Micronet Broadband and Witribe Pakistan use DNS injection redirecting to explicit blockpages; Pakistan Telecom Company Ltd. returns DNS responses yielding only 11.7% plausible IPs; while Transworld Associates and National Wi-Max/IMS apply HTTP tampering with no DNS interference, confirmed by passing TCP reachability tests but failing content-size ratio checks.
- Pakistan Telecom Company Ltd. implemented DNS injection by returning 127.0.0.1 (localhost) for blocked domains, so TCP connections and HTTP requests appeared to succeed ("Content available" near 100%) while no legitimate content was served. Only 11.7% of DNS resolutions yielded a plausible IP address, yet the symptom is a silent local service response rather than an explicit blockpage, misleading users and confusing automated detection tools that rely on TCP reachability.
- Applying a regional binomial hypothesis test (p=0.7, significance 0.05) to Encore measurements independently confirmed censorship of youtube.com in Pakistan, Iran, and China, and of twitter.com and facebook.com in China and Iran, validating passive cross-origin measurement against prior independent reports of filtering.
- Encore collected 141,626 measurements from 88,260 distinct IPs in 170 countries over seven months (May 2014–January 2015) using as few as 17 volunteer webmaster deployments, demonstrating that passive cross-origin measurement can achieve broader geographic vantage-point coverage than custom-software deployments without recruiting individual end-users.
- The Encore system collected censorship measurements from 88,260 distinct IP addresses across 170 countries over seven months via installations by at least 17 volunteer website operators. China, India, the United Kingdom, and Brazil each contributed at least 1,000 measurements; Egypt, South Korea, Iran, Pakistan, Turkey, and Saudi Arabia each contributed more than 100.
- Routing traffic from a user on ISP-B through a peer relay on ISP-A (which applied only HTTP-level filtering and permitted HTTPS) produced the smallest page load times in most cross-ISP comparison runs, beating both HTTPS/domain-fronting and Tor. The performance gain is attributed to lower end-to-end latency on the intra-country cross-ISP path relative to international relay routes.
- Direct circumvention via HTTPS/domain-fronting from Pakistan achieved an average throughput of ≈1.5 Mbps, whereas static proxies located in the US, Europe, and Asia yielded less than 0.9 Mbps in most cases. Page load times for the YouTube homepage (≈360 KB) were significantly lower under the direct method, and a TCP slow-start model predicts throughput could reach ≈2 Mbps if the flow completed within slow start.
- Across two major Pakistani ISPs, blocking mechanisms varied substantially for the same URL: ISP-A applied HTTP-level blocking with redirection to a block page, while ISP-B deployed multi-stage blocking combining DNS-level resolution to localhost and independent HTTP/HTTPS request dropping. A single ISP also used different filtering techniques for different URL categories (e.g., YouTube vs. HTTPS-accessible sites).
- In experiments using 200 back-to-back fetches of the YouTube homepage (≈360 KB), HTTPS produced lower page load times than Tor in most cases because Tor circuits do not optimize for performance and often select longer paths. Tor's page load times varied widely as circuits changed approximately every 10 minutes, producing a heavy tail in the latency distribution.
- Before censorship the local ISP resolver handled ≥99% of SOHO DNS queries for blocked categories; post-YouTube block, local ISP resolver usage fell to 68–74%, with Google Public DNS rising to 14–19% of queries and OpenDNS/LEVEL-3 also gaining significant share. Simultaneously, unique web-proxy domains in SOHO traffic averaged only 1 pre-block, jumped to 41 on average post-block, and peaked at 114 unique proxy domains on the block day itself.
- Pakistan's censorship used layered, evolving mechanisms: DNS redirection by local ISP resolvers appeared in all post-block traces, supplemented by HTTP 3XX redirection to a local provider's error page in Sep 2012 and shifting to RST injection by Aug 2013 (where ≈95% of YouTube HTTP requests received no response, vs. ≈2% pre-block). Porn blocking similarly combined DNS redirection with IP blocking (41% blacklist overlap) in Sep 2012 and RST injection in Aug 2013.
- Before censorship, porn traffic averaged 8.4–11.5% of HTTP bandwidth across residential and SOHO users respectively. Post-censorship, this fraction fell to ≈3.5–4.0% for residential and ≈2.0–3.7% for SOHO users. Even after accounting for traffic shifted to unblocked alternate porn domains and the contemporaneous SSL/VPN increase, porn traffic did not return to pre-block levels, suggesting censorship achieved partial demand suppression despite being bypassable via alternate DNS resolvers.
- On the day of YouTube's block in Pakistan (18 Sep 2012), SOHO users' HTTP:SSL traffic ratio collapsed from ~38:1 pre-censorship to ~3.2:1, and remained at ~3.25 eleven months later (Aug 2013), indicating rapid and sustained mass adoption of SSL-based circumvention. A supplementary survey of ~700 Pakistani users confirmed 57% used SSL-based VPN software (UltraSurf, OpenVPN, Hotspot Shield) to access YouTube.
- YouTube held an average of ~97% of SOHO video bandwidth across four pre-block traces. On the block day (18 Sep 2012) this dropped to 15.8%, with DailyMotion absorbing ~82% of 'Others' traffic. Eleven months later (Aug 2013), YouTube's unencrypted video share reached 0%, with Tune.pk at 57.6% and DailyMotion at 40.9% of total video bandwidth, reflecting a durable market reallocation among video platforms.
- All 307 blocked websites in Pakistan's test dataset were accessible via CoralCDN (by appending .nyud.net to the hostname) and via Google, Bing, and Internet Archive search-engine caches at the time of the study (2013), representing simple but underutilized bypass vectors. The paper flags these as 'surprisingly unexplored' circumvention options.
- A controlled survey of 67 technically literate users in Pakistan found that ~45% primarily use public VPN services (Hotspot Shield, Spotflux), 24% use web proxies, and 11% use HTTP proxies such as Ultrasurf to bypass censorship. The survey population skews technical, so real-world adoption of low-friction tools among average users is likely higher.
- Pakistan's pre-April 2013 ISP-level censorship used DNS injection (spoofed NXDOMAIN) as the primary mechanism, affecting 60.91% of the 307 tested websites on the university network. Critically, the DNS injection extended to public resolvers including Google DNS (8.8.8.8) and Level3 (209.244.0.3), meaning switching to a well-known public resolver does not bypass the block.
- Every website blocked at the DNS level in Pakistan was also blocked by a secondary HTTP-layer mechanism, ruling out the use of alternative DNS resolution (web-based lookup tools or user-generated content hosting DNS records) as a standalone bypass. Multi-IP shared-service sites such as YouTube and Wikipedia were blocked only at the HTTP level, where a Host-header match triggered censorship regardless of the destination URL.
- In April 2013 Pakistan transitioned from fragmented ISP-level HTTP 302 redirect blocking to centralized IXP-level fake HTTP 200 response injection (attributed to the Canadian firm Netsweeper), resulting in a uniform warning page across all test networks except one ISP that was still transitioning. Post-transition, 58.30% of the 307 test sites were blocked by DNS and 1.62% by fake HTTP 200 injection; IP and URL-keyword filtering remained at zero.