Written by Electronic Frontier Foundation International Director Danny O'Brien. This article was originally published on the Electronic Frontier Foundation blog.
Thailand's censorship regime has grown ever more pervasive since the military took over last month, with punishments aimed at both speakers and consumers of prohibited media. On the streets, Thais have been arrested for wearing the wrong message on a T-shirt, or reading George Orwell's “1984” in public. Online, according to the regime's own reports, hundreds of new websites have been added to the Thai government's official blacklist including politics and news sites covering the coup. Now the authorities are deceiving Internet users into disclosing their personal details, including email addresses and Facebook profile information, when they try to visit these prohibited sites.
Under Thailand's national web blocking infrastructure, Net users attempting to visit blocked sites in Thailand are redirected to a government web landing page, managed by the country's Technology Crime Suppression Division (TCSD). After the coup, the Thai Netizen Network, a local digital rights group, noticed that the TCSD block page had sprouted two new graphics: a blue “close” button, and a “Login with Facebook” icon. Both lead to what appears to be a Facebook “Login” page, where users are asked for permission to hand over personal information stored in their Facebook profile — without any indication, in Thai or English, of where that data was being sent, or for what purpose. In fact, the “Login” app was being run by TCSD itself, which used Facebook's application platform to collect the details of Facebook users visiting to the landing page.
Thai authorities have long claimed that foreign companies should comply with all their demands for removing content and handing over personal data. Facebook has consistently refused such requests. By misleading users to click through the permissions-granting first page of its Facebook application, Thai authorities have been gathering the type of user information that Facebook's legal department has long refused to hand over.
On Friday, after days of online criticism, the TCSD belatedly posted a justification for their application, writing:
The collection of witness or user's data is a data collection procedure of TCSD.info, which is supported by Article 26 of Computer-related Crime Act (2007). This data collection is the same as other websites that use Facebook for their authentication. By this way, TCSD can handle more witnesses which can lead to more prosecutions and will make the online society more clean. We invite you to send information to https://www.facebook.com/jahooktcsd
Facebook's own public app statistics pages show that these two apps managed to scoop up hundreds of Thai email addresses before being shut down. Did these Internet users understand that they were handing over their names and email addresses as potential “witnesses” to future prosecutions?
This isn't the first time that we've seen governments adopt the techniques of phishing and spamming groups in order to collect information on their own citizens. While it is unsurprising that a military regime that has overthrown the rule of law might stoop to spy with a terms-of-service-violating social media app, it shows how determined the Thai government is to warp the Internet — including social media — to its own ends.