Thai Junta Used Facebook App to Harvest Email Addresses

A warning from the Thai Netizen Network, showing the deceptive Facebook application.

A warning from the Thai Netizen Network, showing the deceptive Facebook application.

Written by Electronic Frontier Foundation International Director Danny O'Brien. This article was originally published on the Electronic Frontier Foundation blog.

Thailand's censorship regime has grown ever more pervasive since the military took over last month, with punishments aimed at both speakers and consumers of  prohibited media. On the streets, Thais have been arrested for wearing the wrong message on a T-shirt, or reading George Orwell's “1984” in public. Online, according to the regime's own reports, hundreds of new websites have been added to the Thai government's official blacklist including politics and news sites covering the coup. Now the authorities are deceiving Internet users into disclosing their personal details, including email addresses and Facebook profile information, when they try to visit these prohibited sites.

Under Thailand's national web blocking infrastructure, Net users attempting to visit blocked sites in Thailand are redirected to a government web landing page, managed by the country's Technology Crime Suppression Division (TCSD). After the coup, the Thai Netizen Network, a local digital rights group, noticed that the TCSD block page had sprouted two new graphics: a blue “close” button, and a “Login with Facebook” icon. Both lead to what appears to be a Facebook “Login” page, where users are asked for permission to hand over personal information stored in their Facebook profile — without any indication, in Thai or English, of where that data was being sent, or for what purpose. In fact, the “Login” app was being run by TCSD itself, which used Facebook's application platform to collect the details of Facebook users visiting to the landing page.

Thai authorities have long claimed that foreign companies should comply with all their demands for removing content and handing over personal data. Facebook has consistently refused such requests. By misleading users to click through the permissions-granting first page of its Facebook application, Thai authorities have been gathering the type of user information that Facebook's legal department has long refused to hand over.

A deceptive Facebook app without a clear privacy policy or embedded explanation is a violation of Facebook's own platform policies, and the Crime Suppression Division's app has now been suspended by Facebook at least twice. The first “Login” app was removed shortly after the Thai Netizen Network published details of its deceptive appearance. An identical app which subsequently replaced it on the page was suspended by Facebook after less than a week of operation.

On Friday, after days of online criticism, the TCSD belatedly posted a justification for their application, writing:

The collection of witness or user's data is a data collection procedure of, which is supported by Article 26 of Computer-related Crime Act (2007). This data collection is the same as other websites that use Facebook for their authentication. By this way, TCSD can handle more witnesses which can lead to more prosecutions and will make the online society more clean. We invite you to send information to

Facebook's own public app statistics pages show that these two apps managed to scoop up hundreds of Thai email addresses before being shut down. Did these Internet users understand that they were handing over their names and email addresses as potential “witnesses” to future prosecutions?

This isn't the first time that we've seen governments adopt the techniques of phishing and spamming groups in order to collect information on their own citizens. While it is unsurprising that a military regime that has overthrown the rule of law might stoop to spy with a terms-of-service-violating social media app, it shows how determined the Thai government is to warp the Internet — including social media — to its own ends.

1 comment

Join the conversation

Authors, please log in »


  • All comments are reviewed by a moderator. Do not submit your comment more than once or it may be identified as spam.
  • Please treat others with respect. Comments containing hate speech, obscenity, and personal attacks will not be approved.