The Thailand government has a long history of online surveillance of its citizens, and a new report out Thursday suggests Microsoft may be inadvertently facilitating such government monitoring.
A new report from Privacy International entitled “Who’s That Knocking at My Door? Understanding Surveillance in Thailand” says a Microsoft policy involving root certificates enables the state to monitor encrypted communications sent via email or posted on social media sites. Microsoft says that the certificate meets the company’s standards.
The privacy campaign group accuses Microsoft of being the only major internet company that automatically trusts a root certificate issued by the Thai government. By doing so, it could allow the government to target Windows users by impersonating websites and capturing login credentials for email, social media sites, and other online services.
“We have very concrete examples of wrongdoing on behalf of the Thai government, as an attempt to spy on communications,” Privacy International research officer Eva Blum-Dumontet told VICE News. “How do you come to the conclusion that such an authority is reliable to issue a certificate?”
A root certificate lets your computer verify that a website you visit or a message you receive has not been tampered with and can be trusted. Such certificates are issued by certificate authorities, which check and validate the authenticity of the site or sender. While Apple’s macOS does not include the Thai root certificate by default, Microsoft Windows does, and Privacy International says this leaves users of that operating system open to attack or surveillance. Windows accounts for over 85 percent of the desktop computing market in Thailand, according to StatCounter.
The report reveals that other internet companies — including Google, Apple and Mozilla, maker of the hugely popular Firefox browser — do not trust the certificate issued by the Electronic Transactions Development Agency (ETDA) on behalf of the Thai government.
Microsoft says it has done nothing wrong.
“Microsoft only trusts certificates issued by organizations that receive Certificate Authority through the Microsoft Root Certificate Program,” the company said in a statement emailed to VICE News. “This program is an extensive review process that includes regular audits from a third-party web trust auditor. Thailand has met the requirements of our program.”
The company pointed VICE News to two independent auditor reports, both carried out by a Malaysian company called BDO, which appear to cover the same time period (September 2015 to August 2016). The audits say the ETDA has given “reasonable assurance” that “the integrity of keys and certificates it manages is established and protected.”
However, the audits also highlight that the ETDA’s ability to meet these criteria may be limited. “Controls may not prevent or detect and correct, error fraud, unauthorized access to systems, and information or failure to comply with internal and external policies and requirements.”
As Blum-Dumontet points out, “Once the audit has been passed, there is literally nothing to prevent Thailand from misusing the certificate.”
Currently there is no concrete evidence that the root certificate has been misused, but there are well-documented examples of how other governments have previously abused trusted certificates in this way. In Tunisia, as the Arab Spring revolt was beginning in 2011, the Ben Ali regime used a fake certificate to create websites that looked exactly like Facebook, Gmail, and Yahoo but were designed to steal the usernames and passwords of users who thought they were accessing the real sites.
The new report details how the government works closely with internet service providers in the country in an attempt to gain access to customer data, without the need for warrants or judicial oversight.
The problem for the Thai government is that ISPs cannot give access to encrypted information. With a trusted certificate, the government could easily mimic what was done in Tunisia to circumvent encryption and gain full access to citizens’ online communications.
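As an added, defender-side illustration (not code from the report, Privacy International or Microsoft), the PowerShell audit below lists which Windows root stores on a machine contain a certificate whose subject matches a pattern, and can optionally copy it into the Disallowed store so Windows no longer trusts chains ending at it. The subject pattern is a placeholder, since the article does not give the certificate’s exact subject or thumbprint; the pattern, the parameter names and the choice of stores are assumptions.

```powershell
# Added audit script (hypothetical); run in an elevated PowerShell session.
# The subject pattern is a PLACEHOLDER: substitute the real subject or match on
# a thumbprint once you have obtained it from a trusted source.
param(
    [string]$SubjectPattern = 'Electronic Transactions Development Agency',  # placeholder
    [switch]$Distrust   # when set, copy matching roots into the Disallowed store
)

# Windows consults several root stores; AuthRoot holds roots delivered through
# the Microsoft Root Certificate Program. Roots from that program are also
# fetched on demand, so absence from the local store alone does not prove the
# machine will refuse to trust the certificate.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\Root'
$disallowed = Get-ChildItem Cert:\LocalMachine\Disallowed -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Thumbprint

$found = foreach ($store in $stores) {
    Get-ChildItem $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $SubjectPattern -or $_.Issuer -match $SubjectPattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store             = $store
                Subject           = $_.Subject
                Thumbprint        = $_.Thumbprint
                NotAfter          = $_.NotAfter
                SelfSignedRoot    = ($_.Subject -eq $_.Issuer)
                AlreadyDisallowed = ($disallowed -contains $_.Thumbprint)
            }
        }
}

if (-not $found) {
    Write-Host "No certificate matching '$SubjectPattern' found in the audited root stores."
    return
}
$found | Format-Table -AutoSize

if ($Distrust) {
    foreach ($f in ($found | Where-Object { -not $_.AlreadyDisallowed })) {
        # Export the root and re-import it into Disallowed: a certificate present
        # there is rejected even if a copy remains in a trusted root store.
        $cert = Get-Item "$($f.Store)\$($f.Thumbprint)"
        $tmp  = Join-Path $env:TEMP "$($f.Thumbprint).cer"
        Export-Certificate -Cert $cert -FilePath $tmp -Force | Out-Null
        Import-Certificate -FilePath $tmp -CertStoreLocation Cert:\LocalMachine\Disallowed | Out-Null
        Remove-Item $tmp
        Write-Host "Added $($f.Thumbprint) to Cert:\LocalMachine\Disallowed"
    }
}
```

In a managed environment the same distrust is better pushed fleet-wide through Group Policy (the Untrusted Certificates policy store) rather than per machine, and the audit should be re-run periodically because the automatic root update mechanism can reintroduce program roots.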
Blum-Dumontet calls Microsoft’s response to the report “disappointing,” adding: “They are not at all questioning their process. They are not addressing the fact that other companies are not trusting [the root certificate].”
Microsoft has an office in Thailand, and one source with knowledge of the situation, speaking to VICE News on the condition of anonymity, believes that it is not in Microsoft’s financial interest to reject the Thai government’s certificate. “The reason [it doesn’t reject the certificate] is that it doesn’t cost anything for Microsoft to trust it. By rejecting it, [Microsoft] would create tension with the Thai government.”
This is not the first time Microsoft has come under fire for potentially aiding the Thai government. In 2015 another Privacy International report highlighted the fact that the company had handed over crucial information about one of its customers to the government. Microsoft claimed it was simply following Thai law.