This article originally appeared on VICE News.
The Thailand government has a long history of online surveillance of its citizens, and a new report out Thursday suggests Microsoft may be inadvertently facilitating such government monitoring.
A new report from Privacy International entitled "Who's That Knocking at My Door? Understanding Surveillance in Thailand" says a Microsoft policy involving root certificates enables the state to monitor encrypted communications sent via email or posted on social media sites. Microsoft says that the certificate meets the company's standards.
The privacy campaign group accuses Microsoft of being the only internet company that automatically trusts a root certificate issued by the Thai government. By doing so, it could allow the government to target Windows users by manipulating websites and capturing login credentials for email, social media sites, and other online services.
"We have very concrete examples of wrongdoing on behalf of the Thai government, as an attempt to spy on communications," Privacy International research officer Eva Blum-Dumontet told VICE News. "How do you come to the conclusion that such an authority is reliable to issue a certificate?"
A root certificate tells your computer that a website you visit or a message you receive is untampered with and can be trusted. They're issued by authorities who check and validate the authenticity of the site or sender. While Apple's macOS does not include the Thai root certificate by default, Microsoft Windows does, and Privacy International says this leaves users of that operating system open to attack or surveillance. Windows accounts for over 85 percent of the desktop computing market in Thailand, according to StatCounter.
The report reveals that other internet service providers—including Google, Apple and Mozilla, maker of the hugely popular Firefox browser—do not trust the certificate issued by the Electronic Transactions Development Agency on behalf of the Thai government.
Microsoft says it has done nothing wrong.
The new report details how the government works closely with internet service providers in the country in an attempt to gain access to customer data, without the need for warrants or judicial oversight.
The problem for the Thai government is that ISPs cannot give access to encrypted information. With a trusted certificate, the government could easily mimic what was done in Tunisia to circumvent encryption and gain full access to citizens' online communications.
Blum-Dumontet calls Microsoft's response to the report "disappointing," adding: "They are not at all questioning their process. They are not addressing the fact that other companies are not trusting [the root certificate]."
Microsoft has an office in Thailand, and one source with knowledge of the situation, speaking to VICE News on the condition of anonymity, believes that it is not in Microsoft's financial interest to reject the Thai government's certificate. "The reason [it doesn't reject the certificate] is that it doesn't cost anything for Microsoft to trust it. By rejecting it, [Microsoft] would create tension with the Thai government."
This is not the first time Microsoft has come under fire for potentially aiding the Thai government. In 2015 another Privacy International report highlighted the fact that the company had handed over the crucial information about one of its customers to the government. Microsoft claimed it was simply following Thai law.