If readers in Thailand are wondering why their internet connections are slower than usual, this may be the explanation. It’s from today’s Bangkok Post (in the computer section). I’ll post the article in full as Bangkok Post on-line articles have a habit of disappearing.
Net slowdowns suggest Govt is monitoring traffic
Thailand’s Internet is stuttering with a series of unexplained outages and slowdowns that suggest that the government is running a far-reaching programme to monitor its citizens’ online activities, one similar to the US Carnivore email policeware programme.
This can be seen in the way YouTube is now all but unusable for TOT subscribers, and how sending large email messages through a foreign server on port 25 often fails, while encrypted, non-standard ports or VPN access over the same network works fine.
A former security-consultant-turned-businessman in Thailand, speaking on condition of anonymity, said that the entire situation was seriously damaging business confidence and may be on the verge of being illegal, especially for foreign businesses operating in Thailand.
In many industries, a user has a duty to alert his company or his authorities if he knows that data has been compromised. But what if the leak is to a foreign government? That said, in most countries, national security laws override privacy laws.
There are legal ramifications on contract law, especially if the businessman is doing business with the Thai government or military.
“If you are going to do it, do it properly,” the former security consultant suggested.
China and Singapore, for instance, use a monitoring software package from a company called Xacct Technologies from Israel which is capable of far more than email logging and can scale better than the system that he believes is in place now. Another packet monitoring system that is in use and can scale well is Phorm.
He first noted earlier this year that email sending slows down as the work day progresses and fails almost entirely around lunchtime. His company uses a corporate email server located overseas. Analysis of the traffic suggests that the authorities are intercepting anything on standard SMTP port 25, regardless of the destination IP address. He said he has the IP numbers he suspects to be the sniffing machines as the latency incurred there is far too long to be a regular switch.
To circumvent this monitoring, users can simply use a VPN to access their corporate network overseas, use SSL encrypted email ports or even encrypt in an end-to-end fashion. Gmail remains secure when accessed via HTTPS, although he did question what went on behind the scenes when Thailand lifted the ban on Google’s YouTube and if any agreements had been struck.
That said, the former security consultant said that there was a legitimate need for governments to monitor email for national security but that the way the Thai government had done it had failed miserably.
“How hard is the system to circumvent? I have to circumvent it as otherwise I have no way of getting my email, by going to http://www.mail2pda.com or using HTTPS for Gmail. Then what’s the point? Already the government has lost the ability to gather intelligence.”
Rather, it should have been done professionally and been totally invisible without the terrorists or the public knowing.
From the business point of view, it was just another in a long list of questionable decisions “that makes Thailand look positively Mickey Mouse,” he said.
Rather than announce to the world that they were intercepting and monitoring email and thus making everyone use encryption, it would have been much better if the government had kept quiet and had done traffic pattern analysis on individuals to learn more about their network, he said.
For instance, if one person was using encryption all the time, the government should keep a close eye on him and who he contacts, but by botching up this project, it means that everyone has to use encryption and VPN and thus the government has lost its ability to gather information and protect the people.
The consultant also questioned the legality of the recent Thai cybercrime law in the context of European privacy laws.
In a seminar soon after the law was passed, police said that as long as a server host or ISP could provide a name to an activity, that would satisfy the 90-day log retention requirements.
However, according to European privacy law, putting a name to an activity requires user consent. Quite how this would affect Europeans doing business here, or Thais doing business in the EU, was still unclear, he said.
Another question was who had access to the information being gathered. In the past, the US government launched Echelon and Carnivore, projects aimed at wiretapping the Internet in the name of security. But at least they had clear objectives and responsibilities, unlike the clandestine Thai system that appeared to be in place, he noted.
The consultant saw three possible scenarios: “If the reason is to spy by the government, then you (a journalist) are at great risk personally. If it was decided it was important to monitor all email and someone in government screwed up, this is fine and people should be happy. But if the reason is commercial and you are exposing someone’s email to somebody in the government, this is bad,” he said.
Finally, he had a piece of advice he would like to pass on to the government: “The effort involved in censorship is far greater than the effort required to monitor, and monitoring gives you more information. Censorship blocks, monitoring gains intelligence.
“In Europe, authorities infiltrated a major paedophile ring. They worked for 18 months, infiltrating and learning about the network, which operated in cells. Many of the operatives are still in therapy. But by taking that route, they were able to expand their reach through the cells and gather evidence they could use in court. In the end, they arrested hundreds of people and more importantly, they pulled 26 children out of that network who were being abused.
“If they had taken the approach that this server has paedophilia and it has to be shut down, they might cut off access to 10 paedophiles but they would not have saved any children,” he said.