'Single gateway' all over again
published : 26 May 2016 at 20:24
writer: Online Reporters
The information and communication technology minister will be able to access encrypted computer data of anyone with the help of internet service providers if the amendment bill to the Computer Crime Act is passed, Thai Netizen Network warned on Thursday.
The group said it found an official document in which the ICT ministry stated the reasons for the amendment.
"To stop dissemination of or to block computer data...the [ICT] Minister may set criteria, periods and guidelines to do so in line with changing technologies," read the document.
The ministry cited as an example SSL (Secure Sockets Layer) technology, the standard security technology for establishing an encrypted link between a web server and a browser.
"In order to effectively screen and block online content, 'special methods and tools' are required to achieve the goal."
- See also: E-payment mandatory by 2019
SSL and TLS (Transport Layer Security) technologies encrypt data. A user knows when the connection is secure when the URL of the website begins with https://.
The amendment bill also requires ISPs to comply with the minister's announcements.
As well, the proposal is in line with the ICT Ministerial Order No. 163/2557 dated Dec 15, 2014, which appoints a panel to test an online media surveillance system.
The order reads: "There are obstacles in checking and blocking websites encrypted by SSL so the ICT Ministry proposed the procurement and testing of an online media surveillance system for effective operation of the online media working committee."
The panel monitors the testing of the surveillance of SSL-encrypted online media and evaluate it to find the most effective system for Thailand.
Another duty of the panel is to coordinate with operators of internet service or international internet gateway services in testing the systems.
Network security experts commented that cooperation from ISPs was critical because one way to access encrypted data was "man-in-the-middle" attack. With the ISPs' help, the move will be seamless.
Since Section 15 of the bill punishes service providers who "cooperate, allow or tolerate wrongdoings", the private operators will have no choice but to comply.
Websites today are blocked by comparing URLs against the block list. But if a connection is made in "https://", the ISP won't see the full URL, only the domain name. If authorities want to block a page, it will have no choice but to block the entire domain, affecting other pages as well.
To block a website by page, one therefore needs to decrypt it first to know what the target page is.
The methods and tools that can encrypt such data can crack all encrypted data as well, including money transfer transactions or online purchase orders.
The bill was approved in principle by the NLA in April. A panel should finish vetting it in late June after which it will be considered in the second and third readings.
Arthit Suriyawongkul, a co-founder of the Foundation for Internet and Civic Culture and a coordinator for Thai Netizen Network, told Prachatai attempts to decrypt SSL data brought to mind the single gateway initiative last year.
Back then, netizens rose up in arms against the government, which ordered that the single gateway to be established in its cabinet meeting minutes.
The prime minister and the ICT minister backed down after the public outcry and protests, also joined the Anonymous, an international group of hacktivists.