Ecology of Intrusion: Report Details Thai State’s Assault on Internet Privacy

Original image: Diliff / Wikimedia Commons

BANGKOK — When Facebook abruptly vanished from virtual Thailand in 2014, it was as if the social media-addicted masses were exposed to the vacuum of space.

The gasping lasted about 30 minutes until access was restored, and suspicion immediately turned to the military, which only six days prior staged a coup d’etat and had long sought control of the internet.

Theories about why – and how – the new regime pulled the plug became widely debated, but the truth of what happened that day is laid out in a new report from a London-based nonprofit which lifts the veil on how online surveillance in the kingdom relies on control of the infrastructure and those who operate it, feeble rule of law and even indirect help from the world’s largest software company – Microsoft.

The author of the report published Thursday by Privacy International said it all adds up to willful disregard of the public’s expectation of privacy and legal obligations.

“When they can intercept communications without having a legal framework that allows companies to refuse this, it means they have open-door access to people’s information,” Eva Blum-Dumontet said. “It’s a clear violation of people’s rights to privacy and [the government’s] international agreements.”

The report relies on well-placed sources, media reports, government records and technical analyses to lay out the cultural, structural and technological means by which the authorities surreptitiously assault security.

Representatives of the government said they either could not or would not discuss the issues raised in the report.

The Facebook Experiment

Most alarming perhaps are indications the government has systematically sought to defeat the encryption used to keep web traffic private – what to most is the difference between an http or https in a URL.

That was the goal, the report alleges, when all of Thailand’s service providers secretly complied with a regime request to shut Facebook down on May 28, 2014.

It cites a source in the telecommunications sector, an account confirmed by someone then at the former ICT Ministry, who said the regime wanted Facebook traffic to be rerouted over http instead of its encrypted https connection.

“My source told them this was not something that could be done; this was not how it worked,” Blum-Dumontet said.

The attempt did not seem successful or well-conceived, she said.

“You arrive in power, and the first thing you try to do is shut down Facebook?” she said. “That reveals a poor understanding of the internet.”

In the immediate aftermath, the ICT Ministry’s permanent secretary was blunt in comments to the media: He said Facebook had been shut down until the regime could win its “cooperation” in censoring criticism.

Military reps quickly hand-waved those comments away, insisting it was the result of an unintended technical glitch.

The revised story unraveled two weeks later when the Norwegian owner of one of those ISPs, DTAC, disclosed its role in shutting down Facebook on order of the junta. Telenor Asia Vice President Tor Odland said the company was put in a difficult position between upholding human rights and complying with a government where it does extensive business.

Hill & Knowlton, which handles publicity for Facebook in Thailand, said the California-based social media giant did not respond to forwarded inquiries.

‘Door-Knocking Surveillance’

How did authorities so easily win the cooperation of private enterprise to act against their customers’ interests?

The report attributes that to incestuous public and private sectors in which the same well-connected people move between – or are appointed to – top government and corporate positions.

State-owned enterprises own and operate the nation’s international telecoms infrastructure, and the report notes even private telecommunications companies are entangled with the state.

“While CAT Telecom and TOT are state-owned, successive Thai governments over the past few decades have maintained close relationships with private telecommunication companies and ISPs through appointments which starkly exemplify the revolving door between the government and the private telecommunications sector,” the report reads.

No. 1 telecom AIS and other early data services firms were founded by Thaksin Shinawatra, who went on to become prime minister. After he was ousted by a 2006 coup, the military claimed telecoms had been used to spy on those investigating Thaksin for corruption.

No. 3 True Corp. is part of Charoen Pokphand, one of the world’s largest conglomerates. CP is in the hands of the Chearavanont family, which the report notes has close ties to the current regime.

It was No. 2 DTAC whose European parent company blew the lid off the secret shutdown order, which its CEO then had to grovel in apology for – without ever retracting the facts of what happened.

And recently the internet backbone has been further brought into the fold of the national security infrastructure.

In October 2015, after hacktivists first assaulted government servers to protest a plan to route all traffic through a single point of control, the government rebranded the effort as a business-friendly policy to promote a “digital economy.”

Just as CAT Telecom was to be handed the reins of that effort, the military’s top national security official, Gen. Thawip Netrniyom, was installed as board chairman. It was the first time the head of the National Security Council took such a position.

With friends and family holding the keys, the government, Privacy International says, doesn’t need to break down doors – just knock politely.

Junta spokesman Col. Winthai Suvaree could not be reached for comment Thursday.

Asked about the Privacy report, government spokesman Sansern Keawkamnerd said, “it’s not an issue in Thailand though a lot of people try to make it one.”

Told a reporter was calling from Khaosod English, Sansern declined to speak further.

“I am available to talk, but I won’t talk to you because I have no faith in your organization, the same way some of your editors have no faith in the government.”

In the past, officials have made the case that they need better tools to police the internet against threats to national security, mainly those who would defame the monarchy and cyber criminals who operate in or through Thailand. And everything, they routinely say, is done in accordance with the law.

Misplaced Trust?

One month after the Facebook outage, a fresh scandal erupted when Facebook users were redirected to a fake Facebook login screen which collected their usernames and passwords.

That shouldn’t be possible because of a security system by which sites and computer operating systems use independently signed digital certificates to attest to their validity. Go to Pantip.com and the website will present a certificate verified by Comodo Group, a so-called Certificate Authority that issues certificates worldwide.

While defeating the system should be impossible, it happened in Tunisia during the Arab Spring, when Privacy International said websites that “looked exactly like Facebook, Gmail and Yahoo were created to steal the username and passwords of Tunisian users.”

Tunisia did that by using a root certificate to trick people’s browsers into wrongly trusting the bogus sites.

The Thai government also has its own root certificate.

Source: Digital Certificate Search / crt.sh

Neither Apple, Firefox-maker Mozilla, nor Java automatically trusts it, however. The only widely used platform that does? Microsoft Windows.

That means trying to use a spoofed website signed with the government certificate would return an error for someone on a Mac while Windows users wouldn’t notice a thing.

Blum-Dumontet suggests users who get certificate warnings trying to access known websites should not dismiss the warnings and press on. She said they should stop and use another encryption layer provided by something like Tor. Those who’ve accepted dodgy certificates should change their passwords, she added.

No smoking gun connects the spoofed Facebook page with Thai authorities, and Privacy does not present any evidence of the government’s certificate being abused.

“We’re aware of the potential for abuse, and we know it’s been abused in other countries,” Blum-Dumontet said. “We think it’s significant that Apple and Mozilla have refused the certificate. Up to now, at least, Microsoft has not been keen to answering these questions.”

An inquiry with Michael Karimian, human rights program manager at Microsoft, went unreturned. Afterward, Blum-Dumontet said she received a statement from the Redmond, Washington-based software company.

“Microsoft does not disclose its internal decision making process, but the overall process can be found on our website, http://aka.ms/rootcert,” read the forwarded statement. “Generally speaking, Microsoft looks at the [Certificate Authority’s] Certificate Policy, Certificate Practices, and then consider the benefits and risks to Microsoft’s customers.”

On Thursday, Microsoft issued a statement to the media saying it “only trusts certificates issued by organisations that receive Certificate Authority through the Microsoft Root Certificate Programme” in a process that is regularly audited by a third party.

“Thailand has met the requirements of our program and you can review the details of the latest audits here and here (PDF),” it continued. “This thorough review, backed by contractual obligations, is not reflected in Privacy International’s assessment of the risks.”

If the junta sees any charity on Microsoft’s part, it would be a rare accommodation by a tech world that has otherwise rebuffed its requests for special treatment.

Over the years, the regime’s repeated efforts to win cooperation of providers such as Facebook, Google and Line have been rebuffed.

After seizing power in the May 2014 coup, the junta dispatched Maj. Gen. Pisit Pao-in, formerly head of the Technology Crime Suppression Division, to win the cooperation of those three companies in censoring and gaining access to users’ social media accounts. He continued in similar roles into early 2016.

Reached for comment, Pisit, who currently serves on the National Reform Steering Assembly, said he was just a middleman helping the government reach out. He said he was unaware of any attempts at direct surveillance.

“You need to ask those in the government who is responsible for it,” he said Thursday.

Cache and Sniff

Privacy International, which in September released a report on the government’s use of “social surveillance,” said people should be concerned because smoking guns have been found of government attempts to defeat email encryption.

Analyses in late 2014 of the conversation that happens between an email client, such as Microsoft Outlook, and a mail server found “the military government was conducting downgrade attacks” to force them to connect via an unencrypted channel.

“There was an active attempt to reroute the traffic,” Blum-Dumontet said.

She suggested a simple safeguard: “Just use webmail.”
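How a mail client can refuse the plaintext fallback that such a downgrade depends on, shown as an added example that comes from neither the report nor this article. It assumes the downgrade works by hiding the server's STARTTLS offer from an SMTP client, which the article does not specify; the server name, the sample replies and the function names are constructed for illustration.

```python
"""Client-side policy check against plaintext fallback (added example)."""

# Constructed EHLO replies from a hypothetical server, mail.example.net.
NORMAL = (
    "250-mail.example.net\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# The same reply as a client would see it if the STARTTLS line were removed in transit.
STRIPPED = (
    "250-mail.example.net\r\n"
    "250-SIZE 35882577\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply):
    """Return the extension keywords advertised in a 250 EHLO reply."""
    lines = reply.rstrip("\r\n").splitlines()
    if not lines:
        raise ValueError("empty EHLO reply")
    caps = set()
    for i, line in enumerate(lines):
        last = i == len(lines) - 1
        # Every line starts "250-" except the final one, which starts "250 ".
        if not line.startswith("250 " if last else "250-"):
            raise ValueError(f"malformed EHLO line: {line!r}")
        words = line[4:].split()
        if i > 0 and words:  # line 0 carries the server name, not a keyword
            caps.add(words[0].upper())
    return caps


def next_step(reply, require_tls, tls_seen_before=False):
    """Decide what the client does after EHLO.

    require_tls: policy that mail must never travel in the clear.
    tls_seen_before: this server advertised STARTTLS in an earlier session.
    """
    if "STARTTLS" in parse_ehlo(reply):
        return "starttls"
    if require_tls:
        return "abort"
    if tls_seen_before:
        return "abort_suspected_downgrade"
    return "plaintext"
```

A client that treats encryption as optional reaches the "plaintext" branch without any visible error, which is why a strict policy or a remembered capability is needed to notice the change.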

More low-tech but effective tools have been acquired by Thai authorities over the years.

Between 2012 and 2015, Thailand spent more than 62 million baht on International Mobile Subscriber Identity devices, according to mandatory disclosures by the governments of Switzerland and the United Kingdom.

The devices mimic cell phone towers. When mobile phones are in range, they will begin talking and sharing their data which can then be recorded.

In its report, Privacy called on Thai authorities to live up to their obligations under Section 32 of the charter adopted by referendum in August and international agreements. The London-based organization’s work in Thailand began prior to the coup with the support of the Swedish International Development Cooperation Agency.

Additional reporting Sasiwan Mokkhasen