Thai Junta Used Facebook App to Harvest Email Addresses
Thailand's censorship regime has grown ever more pervasive since the military took over last month, with punishments aimed at both speakers and consumers of prohibited media. On the streets, Thais have been arrested for wearing the wrong message on a T-shirt, or reading George Orwell's "1984" in public. Online, according to the regime's own reports, hundreds of new websites have been added to the Thai government's official blacklist, including politics and news sites covering the coup. Now the authorities are deceiving Internet users into disclosing their personal details, including email addresses and Facebook profile information, when they try to visit these prohibited sites.
Under Thailand's national web blocking infrastructure, Net users attempting to visit blocked sites in Thailand are redirected to a government web landing page, managed by the country's Technology Crime Suppression Division (TCSD). After the coup, the country's digital rights group, the Thai Netizen Network, noticed that the TCSD block page had sprouted two new graphics: a blue "close" button, and a "Login with Facebook" icon. Both led to a misleadingly titled "Login" Facebook page, where users were asked for permission to hand over personal information stored in their Facebook profile, without any indication, in Thai or English, as to where that data was being sent, or for what purpose. In fact, the "Login" app was being run by TCSD itself, which used Facebook's application platform to collect the details of Facebook users visiting the landing page.[1]
The Thai authorities have long claimed that foreign companies should comply with all their demands for removing content and handing over personal data. Facebook has consistently refused such requests. By misleading users into clicking through the permissions-granting first page of its Facebook application, the Thai authorities have been gathering what Facebook's legal department has refused to hand over.
On Friday, after days of online criticism, the TCSD belatedly posted a justification for their application, writing:
The collection of witness or user's data is a data collection procedure of TCSD.info, which is supported by Article 26 of Computer-related Crime Act (2007). This data collection is the same as other websites that use Facebook for their authentication. By this way, TCSD can handle more witnesses which can lead to more prosecutions and will make the online society more clean. We invite you to send information to https://www.facebook.com/jahooktcsd
Facebook's own public app statistics pages show that these two apps between them managed to scoop up hundreds of Thai email addresses before being shut down. Did these Internet users understand that they were handing out their names and email addresses as potential "witnesses" to future prosecutions?
This isn't the first time that we've seen governments adopt the techniques of phishing and spamming groups in order to collect information on their own citizens. While it is unsurprising that a military regime that has overthrown the rule of law might stoop to spy with a terms-of-service-violating social media app, it shows how determined the Thai government is to warp the Internet — including social media — to its own ends.
- 1. Facebook applications are third-party services that can be embedded within and interact with Facebook's own site. They are carefully sandboxed to prevent them taking over a user's browser, but can ask for, and receive, permission from the user to access his or her Facebook details. Facebook apps are different from the "login with Facebook" buttons that are frequently offered on external sites, and which the TCSD appear to be imitating.