Press Release: New Privacy International investigation details Microsoft's role in state surveillance in Thailand

26 January 2017

Key Points

  • The investigation details methods of state surveillance in Thailand.
  • The investigation documents Microsoft's default trust of the Thailand national root certificate. The company is likely to be the only internet company that trusts this certificate by default. This means that those using the internet in Thailand on Microsoft Windows machines are left vulnerable to the Thai Government manipulating websites. This manipulation could enable the capturing of people's log-in details, for example on their social media, their online banking details, and other sensitive and confidential accounts.
  • The investigation raises an alternative explanation for the Thai Government's blocking of Facebook after a military coup on 28 May 2014, which may have been an unsuccessful attempt to circumvent the platform's encryption in order to better spy on its users.
  • The investigation documents how the Thai military government conducted downgrade attacks. This means the security of people's email communications was likely compromised, and their emails re-routed through insecure channels. This weakened security may have allowed the Thai Government to access the content of the emails.

Press requests: +44 (0) 20 3422 4321

Microsoft's Trust By Default

Privacy International's new investigation "Who's That Knocking At My Door?: Understanding Surveillance In Thailand" shows that Microsoft is likely to be the only internet company whose products by default trust the Thailand national root certificate. This means that people using the internet in Thailand on machines running Microsoft Windows, which is the most common operating system in the country, are left vulnerable to the Thai Government manipulating websites, and that the government is potentially able to capture people's log-in details to social media accounts, online banking accounts, and more. No other company has been identified in the research which trusts Thailand's national root certificate by default. Those who do not trust the root certificate by default include Apple, Google Chrome, and Mozilla.

This comes at a time when the country is in the midst of a year-long period of mourning for the late King Bhumibol Adulyadej. During this period, surveillance and arrests of suspects of lese-majeste (speaking ill of the Thai monarchy) have increased, and the military government has been engaging both local and international internet service providers, such as Facebook and Google, to request information on users who are speaking out against the establishment.

Thai Government's Blocking of Facebook

The investigation highlights that, contrary to initial reports, rather than attempting to censor Facebook users, the Thai Government's blocking of Facebook, 6 days after the military coup on 28 May 2014, may have been an attempt to circumvent the platform's encryption and spy on its users. This comes from a source in the telecommunications sector with whom Privacy International spoke. The source was approached by the military government and was told to ask Facebook to circumvent Facebook's default Secure Sockets Layer encryption. This attempt was confirmed by a second source with whom Privacy International spoke. There is no evidence, however, that the attempt to contact Facebook was successful or that the Thai Government managed to circumvent encryption.

What Privacy International is calling for

Privacy International is calling on Microsoft to change course and refuse to trust the country's root certificate. We call on the Thai Government to uphold its international obligations to protect the right to privacy and ensure that all communication interception activities comply with the international principles of legality, proportionality, and necessity.

PI Research Officer Eva Blum-Dumontet said:
"It is concerning to see that Microsoft trusts the Thai national root certificate by default when every other company we looked at, Apple, Mozilla and Google, appears to have made the decision not to trust it. This decision creates a serious risk that those using Microsoft Windows are vulnerable to invasion of their privacy and to state surveillance, should the Thai military government misuse the root certificate. The surveillance of communications and internet traffic by past and current governments has been widely documented and we highlight instances in this report. Trusting a national root certificate from a country whose governments have a history of human rights violations and a poor record on civil rights and freedom of speech should not be taken lightly.

Our investigation also adds new insight regarding the shutdown of Facebook on 28 May 2014. While many may have assumed this was a freedom of speech issue, our conversations with sources close to the case have revealed a more complex picture where far from wanting to prevent communications, the newly in power military government was in fact trying to spy on them. This discovery raises vital questions regarding the motivation for internet shutdowns in the rest of the world and demands that closer attention be paid to their potential role in facilitating surveillance."