Elephant procession in Thailand honouring Bhumibol Adulyadej
UK charity Privacy International has accused Microsoft of aiding the Thai military government in spying on its citizensReuters

Privacy International is accusing Microsoft of helping Thailand’s military government to spy on citizens by trusting the Thai national root certificate by default, which enables nation state hackers to potentially meddle with the certificate and use it to sneakily access private user data.

Certificate authorities are trusted organisations that routinely issue root SSL certificates, which are small data files that protect users’ data on websites and enable HTTPS encryption. You probably know of HTTPS as the little ‘padlock’ symbol that comes up on the address bar in a web browser, indicating that a connection to a website is secure. This keeps your financial transactions on websites safe, for example during online shopping.

Certificate authorities are mostly companies, such as Microsoft, GoDaddy, VeriSign, Visa, Comodo and AOL, but there are also some certificate authorities that are incumbent state telecoms providers, which means that the government is in some way involved in the running of the company.

The idea is that certificates are issued to the owners of domains to verify that a website is safe to visit. However, if a certificate is incorrectly issued to an attacker’s website, for example, then computers will think that the site is safe to visit, even if it isn’t.

With a maliciously issued root certificate, hackers could easily intercept your communications and conduct man-in-the-middle attacks to secretly alter the regular communications you are making over your Wi-Fi network with websites for nefarious purposes.

Thai government accused of manipulating root certificates

Privacy International claims in a new report that Thailand’s military government is using its control of the Electronic Transaction Development Agency (ETDA) certificate authority to spy on its citizens, and by trusting this root certificate by default, Microsoft is turning a blind eye to blatant government mass surveillance.

Of course, Microsoft has categorically denied Privacy International’s claims, saying in a statement: “Microsoft only trusts certificates issued by organisations that receive Certificate Authority through the Microsoft Root Certificate Programme. This programme is an extensive review process that includes regular audits from a third-party web-trust auditor.

“Thailand has met the requirements of our programme and you can review the details of the latest audits here and here. This thorough review, backed by contractual obligations, is not reflected in Privacy International’s assessment of the risks.”

Web browsers get to decide whether they want to trust a specific certificate authority’s certificates, and are always on the lookout for potentially malicious ones. Currently, neither Mozilla (Firefox) or Google (Chrome) are trusting the ETDA root certificate, and neither is Apple for its Mac OS X operating system. In fact, Google has now become a certificate authority itself in order to better secure Google domains, rather than rely on third party certificate authorities.

Privacy International argues that if Apple isn’t trusting the root certificate to keep Mac users secure then no one else should, and asserts that Microsoft is putting Windows users at risk, because if the operating system trusts the root certificate, then the browser is less likely to alert the user to a problem.

The Thai government has purchased spying equipment

Privacy International says it has evidence that the Thai government previously tampered with SSL-type encryption, for example conducting downgrade attacks in September 2014 to force users to send emails over unencrypted channels that could easily be spied on.

An all-in-one SMS server package (IMSI catcher)
An IMSI catcher sold by a Chinese firm, which comes with an all-in-one SMS server package: A laptop, GSM mobile phone and SMS server for RM 45,000Trend Micro

The organisation says it also has government documents proving that since 2015, the Thai government has purchased nine IMSI catchers (fake mobile base stations that can intercept all data sent from smartphones to their provider) from Swiss companies and six licences for telecommunications interception equipment from UK companies.

“Privacy International is concerned about the increasing monitoring of social media and other internet-based communications services for the purpose of identifying political dissent,” Privacy International concludes.

“Surveillance in Thailand is not necessarily carried out using expensive and highly technical infrastructures… it is also achieved by establishing a political system and a legal framework that allows informal and easy access to communication service providers. The government can therefore force companies to ‘behave’, for example by threatening exclusion from spectrum licence auctions.

“The evidence of the revolving door between the corporate sector and the government means that those at the head of communication service providers are always in close contact with the government, thus enabling softer forms of political influence to surveil people and ultimately erode people’s privacy.”

Privacy International is calling on tech companies to develop technologies that ensure default end-to-end encryption on all websites, and to be more discerning about trusting root certificates. The advocates also want to see more warnings given to users by email clients, web browser and operating systems to let them know when connections are untrusted.