All hell broke loose when Facebook was inaccessible for 30 minutes in Thailand, six days after the 2014 coup. Speculation emerged as people panicked. However, they had to panic over on Twitter instead of Facebook, the usual venue for hysteria.
Privacy International (PI), a human rights NGO focused on privacy issues, recently published a report called “Who’s that knocking at my door? Understanding Surveillance In Thailand” which analyzed the methods of surveillance that Thai authorities have been using to monitor the internet. It suggested that the Facebook shutdown was “typical of Thailand’s long history of internet censorship.”
On May 28, 2014, Facebook users in Thailand couldn’t access the site for half an hour. At first, Ministry of information and Communication Technology (ICT) told Reuters that the government had blocked the site and planned to ask other social media giants for cooperation to “stop the spread of critical messages about the coup,” because of the circulating call for protest against the army.
Not long after, however, the military government denied the statements by ICT. A Junta spokesperson told the media that “there’s been some technical problems with the internet gateway.”
The report described the sketchy shutdown as a “door-knocking strategy.” It went on to explain that the government can lawfully ask Internet Service Providers (ISPs) to hand over the tools to see what you are up to at any time.
While ISPs could technically deny the authorities’ prying requests, none of them likely would. The Communication Authority of Thailand (CAT) and Telephone Organization of Thailand (TOT) are state-owned providers, thus they automatically comply with any governmental request.
Private companies like True and AIS work hard to maintain a good relationship with the military government and so likely did as they were asked. The Norwegian-owned DTAC publically apologized after revealing that the military requested, and was granted, access to the Facebook information of DTAC customers.
But being able to acquire tools for finite periods is not as convenient as completely removing doors. PI’s information source at ICT confirmed that the military government even considered requesting that Facebook route their traffic over an “http” protocol instead of “https,” the more secure choice for sending information.
And Thai government didn’t stop with local providers. Since 2013, Yingluck Shinawatra’s government has attempted to convince LINE, the ever-popular Japanese chatting application with over 33 million Thai users, to release user information. Although Thailand claims that the company was willing to cooperate, LINE denied that claim. Today, it’s well-publicized that LINE messages are encrypted and even LINE staff can’t unencrypt them.
If these stories make you uncomfortable with the government’s reach, you might understand why PI became even more worried when they discovered that Microsoft has done did the cyber equivalent of letting a burglar install your home security system by trusting the military government’s secure website certifications.
Certification is one of the best ways to ensure that the website you are visiting is the real one, not an ill-intentioned imposter. Certificates are commonly seen on your banking sites, social media and other places where you send personal details. The certificates are issued by a certificate authority that confirms the authenticity of a domain, and prevents internet users from giving personal information to fake websites that can use that information illegally such as a site pretending to be Paypal or your bank.
While it is not uncommon for the state to act as a certificate authority, PI’s concerns are that the Thai military government could use such authority as another form of surveillance and intimidation. The report points out that Microsoft is the only large IT company that places trust in the Thai government’s certification. This means that, if the Thai government uses their certificate authority status maliciously, Mac users would be alerted of an untrusted connection while Windows users would not and could put themselves at risk.
While we may never know for sure what happened for those 30 minutes that Facebook went dark in Thailand in 2014, the IP report poses some very real — and scary — theories.
Reader Interactions