June 24, 2014 | By Danny O'Brien

Thai Junta Used Facebook App to Harvest Email Addresses

Thailand's censorship regime has grown ever more pervasive since the military took over last month, with punishments aimed at both speakers and consumers of prohibited media. On the streets, Thais have been arrested for wearing the wrong message on a T-shirt, or reading George Orwell's "1984" in public. Online, according to the regime's own reports, hundreds of new websites have been added to the Thai government's official blacklist, including politics and news sites covering the coup. Now the authorities are deceiving Internet users into disclosing their personal details, including email addresses and Facebook profile information, when they try to visit these prohibited sites.

Under Thailand's national web blocking infrastructure, Net users attempting to visit blocked sites in Thailand are redirected to a government web landing page, managed by the country's Technology Crime Suppression Division (TCSD). After the coup, the country's digital rights group, the Thai Netizen Network, noticed that the TCSD block page had sprouted two new graphics: a blue "close" button, and a "Login with Facebook" icon. Both led to a misleadingly titled "Login" Facebook page, where users were asked for permission to hand over personal information stored in their Facebook profile — without any indication, in Thai or English, as to where that data was being sent, or for what purpose. In fact, the "Login" app was being run by TCSD itself, which used Facebook's application platform to collect the details of Facebook users visiting the landing page.[1]

[Image: Screenshot of Thai government's Facebook App]

A warning from the Thai Netizen Network, showing the deceptive Facebook application.

The Thai authorities have long claimed that foreign companies should comply with all their demands for removing content and handing over personal data. Facebook has consistently refused such requests. By misleading users into clicking through the permissions-granting first page of their Facebook application, the Thai authorities have been gathering what Facebook's legal department has refused to hand over.

A deceptive Facebook app without a clear privacy policy or embedded explanation is a violation of Facebook's own platform policies, and the Crime Suppression Division's app has now been suspended by Facebook at least twice. The first "Login" app was removed shortly after the Thai Netizen Network published details of its deceptive appearance. An identical app which subsequently replaced it on the page was suspended by Facebook after less than a week of operation.

On Friday, after days of online criticism, the TCSD belatedly posted a justification for their application, writing:

The collection of witness or user's data is a data collection procedure of TCSD.info, which is supported by Article 26 of Computer-related Crime Act (2007). This data collection is the same as other websites that use Facebook for their authentication. By this way, TCSD can handle more witnesses which can lead to more prosecutions and will make the online society more clean. We invite you to send information to https://www.facebook.com/jahooktcsd

Facebook's own public app statistics pages show that these two apps between them managed to scoop up hundreds of Thai email addresses before being shut down. Did these Internet users understand that they were handing out their names and email addresses as potential "witnesses" to future prosecutions?

This isn't the first time that we've seen governments adopt the techniques of phishing and spamming groups in order to collect information on their own citizens. While it is unsurprising that a military regime that has overthrown the rule of law might stoop to spy with a terms-of-service-violating social media app, it shows how determined the Thai government is to warp the Internet — including social media — to its own ends.

  • 1. Facebook applications are third-party services that can be embedded within and interact with Facebook's own site. They are carefully sandboxed to prevent them taking over a user's browser, but can ask for, and receive, permission from the user to access his or her Facebook details. Facebook apps are different from the "login with Facebook" buttons that are frequently offered on external sites, and which the TCSD appear to be imitating.
