The State of Internet Censorship in Thailand
Kay Yen Wong (Sinar Project), Maria Xynou (OONI), Arturo Filastò (OONI), Khairil Yusof (Sinar Project),Tan Sze Ming (Sinar Project), Thai Netizen Network
2017-03-20
Image: Block page in Thailand
A research study by the Open Observatory of Network Interference (OONI), Sinar
Project, and the Thai Netizen Network.
Table of contents
Country: Thailand
Probed ISPs: Triple-T Internet (AS45758), True Internet Co. Ldt (AS17552),
JasTel Network International Gateway (AS45629), Realmove Company Limited
(AS132061), Advanced Wireless Network Company Limited (AS131445), Symphony
Communication (Thailand) PLC. (AS132280), AIS Fibre (AS133481), TOT Public
Company Limited (AS23969), Total Access Communication PLC. (AS24378), CAT
TELECOM Public Company Ldt. (AS131090), UIH/ BB Broadband (AS38794), TRUE
INTERNET Co., Ldt. (AS7470), SBN-ISP/AWN-ISP, maintained by Advanced Wireless
Network Company Limited (AS45458), DTAC Broadband (AS132032), The Communication
Authority of Thailand, CAT (AS9931), TOT Public Company Limited (AS56120).
OONI tests: Web Connectivity, HTTP Invalid Request Line, HTTP Header Field
Manipulation, Vanilla Tor, WhatsApp, Facebook Messenger.
Testing period: 6th November 2016 - 27th February 2017.
Censorship method: DNS hijacking, HTTP transparent proxies (delivering block pages).
Key Findings
New OONI data
reveals the blocking of 13 websites in Thailand across 6 different ISPs, between
6th November 2016 and 27th February 2017. Thai ISPs appear to primarily be
implementing censorship through DNS hijacking and through the use of middle boxes (HTTP transparent
proxies) which serve block pages.
The blocked sites include:
Since these sites were not found to be blocked across all 16 ISPs where tests
were run, service providers in Thailand may be in a position to filter online
content at their own discretion.
WhatsApp, Facebook Messenger, and the Tor network
appear to have been
accessible
across all tested networks throughout the testing period. Previously blocked
sites, such as prachatai.com, were also found to be accessible.
Introduction
Multiple censorship events in Thailand have been reported over the last decade.
More than 10,000 URLs were reportedly blocked in 2010 on the grounds of
national security. Further restrictions on freedom of speech and the press
appear to have taken place following Thailand’s most recent coup d’etat, as
reported by the Citizen Lab which found 56 websites to be blocked between May
to June 2014. Independent news outlets, such as
Prachatai, have also been
blocked in the past.
In an attempt to examine the current state of internet censorship in Thailand,
the Open Observatory of Network Interference (OONI), Sinar Project
and the Thai Netizen Network collaborated on a joint
study to examine whether internet censorship events were persisting in the
country through the collection and analysis of network measurements.
The aim of this study is to increase transparency of internet controls in
Thailand and to collect data that can potentially corroborate rumours and
reports of internet censorship events. The following sections of this report
provide information about Thailand’s network landscape and internet penetration
levels, its legal environment with respect to freedom of expression, access to
information and privacy, as well as about cases of censorship and surveillance
that have previously been reported in the country. The remainder of the report
documents the methodology and key findings of this study.
Background
Thailand is a constitutional monarchy in Southeast Asia with a population of around
68 million. Geographically, it is bordered to the north by Myanmar
and Laos, to the east by Laos and Cambodia, to the south by the Gulf of Thailand
and Malaysia, and to the west by the Andaman Sea.
The majority of Thailand’s population is made up by the Thais (95.9%), the Burmese
(2%), and the remaining 1.3% constituting of other ethnic groups. Thailand’s
official religion is Buddhism with 93.6% of its population identifying as
Buddhists. Muslims constitute the second largest religious group (4.9%),
followed by Christians (1.2%).
Historically, Thailand has had a strong economy due to its free-enterprise
economy, well-developed infrastructure and generally pro-investment policies.
However, it has experienced slow growth from 2013 to 2015 as a result of its domestic political
turmoil. Thailand ranked low in the 2016 Corruption Perceptions Index, ranking 101
out of 176. Human rights violations and systematic denial of basic rights such
as freedom of expression, association, and assembly, occurred with regularity during the military junta’s rule of the
country since 2014.
Politically, Thailand is a constitutional monarchy where the Prime Minister is
the head of government and a hereditary monarch is the head of state. However,
Thailand has oscillated between being ruled by a parliamentary democracy and
military junta for decades, with the latest military coup being in May 2014 in which
the army chief, General Prayut Chan-o-cha, was elected as Prime Minister and the
National Council for Peace and Order (NCPO) was established.
Unlike previous coups, there have been significant delays in the return to
civilian rule. Promises had been made by the NCPO to hold new elections only after a new constitution was enacted. However, the
general elections have repeatedly been delayed by events such as the rejection of the initial draft
by government officials in 2015, issues of succession to the throne of Thailand
following the Thai monarch’s death at the end of 2016, and the newly crowned
King Vajiralongkorn’s refusal to put the new constitution into effect
until amendments were made. Such proposed provisions would be
aimed at expanding his powers, from allowing him to spend time abroad without
the appointment of a regent, to absolving the need for a countersignature on all
royal acts which would give him the disproportionate power of signing executive
orders and decrees individually. Currently, general elections in Thailand are
expected to be held in mid-2018.
Network landscape and internet penetration
The Thai government has long held expansive control over the internet,
largely facilitated by its various relationships with Internet Service
Providers (ISPs) and telecommunication companies. Amongst more than ten
International Internet Gateways (IIGs) in the country, CAT and TOT,both state-owned, are still two of the largest.
Former politicians, military officers, or members of their families also
hold key positions
in large telecommunication companies. Under telecommunication law, all
service providers are subjected to license suspensions or revocation if
found not cooperating with the regulator in law enforcement, which
also includes network shutdowns.
More frequently, ISPs are asked
“informally”
to block certain content.
The internet and mobile service providers of Thailand are a mix of state-owned
companies and private operators. The three fixed line operators in Thailand are
True Corporation, TT&T, and the state-owned TOT. The number of fixed lines is
gradually declining with the expansion of mobile phone services in Thailand
which have experienced significant growth with market penetration peaking at
146% in 2014, and declining to 128% in 2016
due to market consolidation. The three major private mobile carriers are AIS,
DTAC, and TrueMove.
Mobile Operators/ISPs | Fixed Internet | Mobile Internet |
---|
True Corporation | X | X |
3BB | X | |
Telephone Organization of Thailand Public Company Limited (TOT) | X | X |
Advanced Info Service Public Company Limited (AIS) | X | X |
DTAC | X | X |
CAT Telecom | X | X |
TT&T Public Company Limited | X | X |
As of 2016, 60.1% of Thailand’s
population has access to the internet. According to the 2016 Thai Information and Communication Technology Survey in Household, there were 32.3% computer users,
47.5% internet users and 81.4% mobile phone users from a population of 62.8
million aged 6 years and up in 2016. Most Thai internet and smartphone users
reside in municipal areas, which have a higher average household income. The
proportion in internet use has
increased from 37.7% in 2012 to 57.4% in 2016 for municipal areas, and from
20.5% from 2012 to 39.5% in 2016 for non-municipal areas.
Social media is widely utilised in Thailand, with
Bangkok topping the global Facebook users list by city, and Siam
Paragon, a shopping mall in Bangkok being the most Instagrammed location on Earth. According to the 2016 Thai Information and Communication Technology Survey in Household, 91.5% of internet users utilised the
internet for social networking.
Percentages of households with ICT devices from 2012 to 2016 are illustrated
below.
Year | Households | Fixed Telephone (%) | Computer (%) | Internet (%) |
---|
2012 | 20025.4 | 15.6 | 26.9 | 18.4 |
2013 | 20121.4 | 14 | 28.7 | 23.5 |
2014 | 20564.7 | 14.4 | 33.9 | 34.7 |
2015 | 20642.9 | 12.3 | 29.5 | 52.2 |
2016 | 21367.2 | 12.2 | 28.4 | 59.8 |
Source: Thai Information and Communication Technology Survey in Household
Of the households with internet access in 2016, 70.6% used mobile internet, and
23.3% utilised fixed broadband.
Legal environment
Freedom of expression
Thailand Penal Code, Section 112 (Lèse-majesté)
Section 112 of the Thai Penal Code penalises anyone who “defames, insults or
threatens the King, the Queen, the Heir-apparent or the Regent” with a
punishment of imprisonment of three to fifteen years. Lèse-majesté defendants
are routinely denied bail, and convictions often result in heavy sentences in
most cases. Lèse-majesté or defamation complaints can be lodged by any one
citizen against another, and such compliments always require formal
investigation from authorities. This brings about the potential for abuse in
imposing systematic restrictions of information control to limit social
mobilisation around key political events.
On 2nd December 2016, BBC Thai published a profile of Thailand’s new King which was shared widely on
social media. Some Thais criticized its content for being insulting to the new
king, and the Thai Ministry of Digital Economy reportedly blocked a
link to the profile on the BBC’s Thai website on the grounds of displaying
“inappropriate content”. Two months later, OONI tests found this site to be accessible in tested networks, but it remains unclear how
long this site may have been blocked for. In December 2016, the police and some
soldiers subsequently visited the BBC’s office in Bangkok, and a Thai democracy
activist was temporarily arrested for sharing a link to the BBC profile.
Computer Crime Act
Article 14(1) of the 2007 Computer Crime Act (CCA) penalises
individuals found to have uploaded content deemed to be “forged”, “false”, or
which is likely to “cause damage to a third party” with an imprisonment of up to
5 years along with a maximum fine of 100,000 Thai Baht. Such broad and ambiguous
language opens up the law to abuse. Article 14(1) of the CCA has long been
utilised against journalists, activists and internet users for content
considered to be damaging by government sanctioned authorities.
The 2017 amendment
to article 14(2) of the CCA broadens the scope, incriminating those
found guilty of uploading information that would “damage the maintenance
of national security, public safety, national economic security or
public infrastructure serving national’s public interest or cause panic
in the public”, and expanding the power authorities have in abusing a
person’s exercise of their protected right to freedom of expression.
Internal Security Act 2008
Under the 2008 Internal Security Act, the
ISA would establish The Internal Security Operations Command (ISOC), a situation
monitoring center in every province which would have the authority to respond to
alleged threats to national security. The ISOC would be authorised to exercise
its powers with respect to situations affecting the national security where a
state of emergency has not been declared yet, bypassing the role of parliaments
and courts in reviewing or approving the necessity of such abuses of power.
Press freedom
Press freedom in Thailand has been severely restricted post military coup
following the military junta’s creation of the National Council for Peace and
Order (NCPO) tasked with enforcing widespread censorship.
NCPO Order 97⁄2014
The NCPO announced order 97⁄2014, “Cooperating
with the Work of the National Council for Peace and Order(NCPO) and the
Distribution of News to the Public” which prohibits publication or broadcast of
criticisms of the military authorities from print media, radio, TV, and online
media. The NCPO has sole discretion in determining what content falls within
prohibited categories. Violations of provisions in this announcement could
result in prosecution under the law, and the immediate suspension of the
publication or program.
Article 5 of the Head NCPO Order 3⁄2015
Under Article 5 of the Head NCPO Order 3⁄2015, NCPO officers are
authorised to issue orders prohibiting the distribution of press items,
or the sale of any publication or material that is deemed to have the
potential to cause public alarm, or which contains false information
likely to cause public misunderstanding, or which threatens public order
or national security.
Official Information Act 1997
The 1997 Official Information Act gives Thai citizens the right to request for the
disclosure of official government information from state agencies. However,
authorities have the right to reject requests for the disclosure of information
under Article 15 of the act, under unclear and overly broad reasons such as the
“decline in efficiency of law enforcement, risk to national security, and
endangerment of life or safety to any person”. Although citizens have the right
to appeal the rejection, appeals submitted to the committee take a long time to
be considered and process, making access difficult for citizens.
In addition, the Act does not cover information in the possession of private
entities, which has led to ongoing disputes over whether independent public
agencies such as the National Anti-Corruption Commission (NACC), the Office of
the Election Commission, and the Office of the Auditor General fall under the
scope of the Act.
Privacy
Constitution of the Kingdom of Thailand
The 2007 Constitution of the Kingdom of Thailand provides
citizens with the right to privacy. Under Article 35 of the constitution, “A
person’s family rights, dignity, reputation or the right of privacy shall be
protected. The assertion or circulation of a statement or picture in any manner
whatsoever to the public, which violates or affects a person’s family rights,
dignity, reputation or the right of privacy, shall not be made except for the
case which is beneficial to the public”.
Following the 2014 military coup, an interim constitution was enacted, in which almost all of
the provisions of the original constitution were suspended. There is no longer
an explicit provision related to the right to privacy.
While there is no comprehensive general data protection law in Thailand,
personal data in the public sector is at some level protected by the
Official Information Act B.E. 2540 (1997) which obligates state agencies
to allow individuals to correct personal data that is maintained by the
agencies. Personal information in the private sector, such as credit
information, patient data, and telecommunication data, is regulated by
sectoral laws, like the 2008
Credit
Information Business Act, the 2007 National Health Act, and the 2006
Notification of the National Telecommunications Commission (on measures
to protect the rights of telecommunication consumers in the areas of
personal data, right to privacy, and freedom of communication via
telecommunication networks).
Censorship and surveillance
2017 Computer Crime Act, Article 20
Under Article 20 of the 2017 Computer-related Crime Act (CCA), the
“Computer Data Screening Committee”, a 9 member panel appointed by the
government would have the power to suggest the court to suppress or
remove computer data that is “deemed to be a breach to the public order
or moral high ground of the people.” Due to the broadness of this
definition, this allows authorities to act as moral crusaders, giving
them a wide latitude to suppress online content that does not violate
any laws, but that they deem to be a breach of public morals.
2017 Computer Crime Act, Article 18
Articles 18(2) and 18(3) of the 2017 Computer Crime Act (CCA) would
allow user-related data and traffic data to be accessed by authorities without a
court order under probable cause to assist with investigations related to an
offense under the CCA or other laws.
Article 18(7) would allow authorities with a court order to compel service
providers in assisting with the decryption of encoded data, undermining the use
of encryption tools as a protection of user privacy.
Reported cases of internet censorship and surveillance
Multiple cases of internet censorship and surveillance have been reported in
Thailand over the last decade. According to the Thai Netizen Network, more than 10,000 URLs were blocked in 2010 on the grounds of national
security, even though many of them expressed criticism towards the Abhisit
Vejjajiva administration. Prachatai, an independent
news outlet, was amongst the many sites that were blocked without transparency.
Below we highlight a few cases of internet censorship and surveillance in
Thailand, as reported over the last few years.
Censorship following Thailand’s 2014 military coup
Thailand’s most recent May 2014 coup d’etat signaled further restrictions on
freedom of speech, association, and the press. According to network measurement
tests performed by the Citizen Lab between May to June 2014, 56 URLs were found to be blocked.These sites included domestic independent news outlets,
international media critical of the coup, social media accounts sharing anti-
coup material, as well as censorship circumvention tools. Facebook was blocked
for approximately 40 minutes on 28th May 2014, possibly in an attempt to stop
the spread of anti-coup messages. A report by Privacy International however suggests
that Facebook may have accidentally been blocked in an attempt to circumvent SSL
encryption which would direct traffic over unencrypted HTTP instead of HTTPS,
enabling government spying efforts.
Since the 2014 military coup, access to political and social content has
increasingly being blocked in Thailand on the grounds of national security and
lèse majesté, according to Freedom House. The Royal Thai Police, the Communications
Authority of Thailand, and the Ministry of Information and Communication
Technology (MICT) have regularly arrested activists and internet users under
lèse majesté (Section 112 of the Thai Penal Code) for criticisms of the
monarchy, and Article 14 of the Computer Crime Act (CCA) which relates to
content deemed to affect “national security”, in addition to imposing systematic
restrictions of information control to limit social mobilisation around key
political events.
Hacking Team Surveillance Software
Leaked Hacking Team
emails in 2015
revealed that the Royal Thai Army and the Corrections Department of the Royal
Thai Police had spent €286,482 and €360,000 respectively in 2014 to purchase a
surveillance program called Remote Control System (RCS) from Hacking Team, an
Italian spyware company. The spyware is designed to monitor the communications
of internet users, evade encryption and remotely collect information from a
target’s computer. In their correspondence, the National Security Council had
specifically asked
Hacking Team if their product was capable of targeting LINE, WeChat, and
WhatsApp (instant messaging apps used widely in Thailand).
Microsoft’s assistance in Thai government surveillance by omission
According to a Privacy International report, the Thai government has the potential
to misuse their root certificate and impersonate an intended website with a
falsified certificate to intercept apparently secure communications or for the
injection of false, malicious content such as malware. Microsoft was the
only certificate authority entitled to sign a root
certificate that
included the Thai national root certificate in their OS and
browser by default.
A spokesperson from Microsoft
defended the decision, citing their “extensive review
process that includes regular audits from a third-party web trust auditor”.
Microsoft’s decision would leave Thai Windows users vulnerable to government
surveillance should the Thai government choose to misuse their root certificate.
Technology Crime Suppression Division (TCSD)
Aside from the use of surveillance technology, Thailand’s Information and
Communication Technology Ministry has dedicated human resources invested in the
monitoring of online activities, with a longstanding 30-person Technology Crime
Suppression Division (TCSD) team which scans online posts and follows up on
public complaints on cyber crimes and lèse-majesté content, according to the former Minister of ICT in August 2015.
Cyber Scout program
In another instance of state-sponsored surveillance, the Cyber Scout program,
initially launched in 2010 by the Ministry of Justice and Ministry of ICT was
aimed at recruiting and training students to monitor and report online content
that could be deemed as offensive, or a threat to national security,
particularly lèse-majesté content. The Cyber Scout program was
reintroduced following the 2014
military coup with the Ministry of ICT cooperation with 200 schools, training
school children to restrict criticism and dissent by the military junta’s
values. By 2015, the program had recruited over 120,000 cyber scouts nationwide,
spanning across 88 schools.
Examining internet censorship in Thailand
The Open Observatory of Network Interference (OONI), in collaboration with Sinar Project and the Thai Netizen Network, performed a study of internet censorship in
Thailand. The aim of this study was to understand whether and to what extent
censorship events occurred in Thailand during the testing period.
The sections below document the methodology and key findings of this study.
Methodology
The methodology of this study, in an attempt to identify potential internet
censorship events in Thailand, included the following:
A list of URLs that are relevant and commonly accessed in
Thailand was created by the Citizen Lab in 2014 for the purpose of enabling
network measurement researchers to examine their accessibility in Thailand. As
part of this study, this list of URLs was reviewed to include additional URLs
which - along with other URLs that are commonly accessed around the world
- were tested for blocking based on OONI’s free software tests. Such tests were run from
local vantage points in Thailand, and they also examined whether systems that
are responsible for censorship, surveillance and traffic manipulation were
present in the tested network. Once network measurement data was collected from
these tests, the data was subsequently processed and analyzed based on a set of
heuristics for detecting internet censorship and traffic manipulation.
The testing period for this study started on 6th November 2016 and concluded on
27th February 2017.
Review of the Citizen Lab’s Thai test list
An important part of identifying censorship is determining which websites to
examine for blocking.
OONI’s software (called
OONI Probe) is designed to examine URLs contained in specific lists (“test
lists”) for censorship. By default, OONI Probe examines the “global test list”,
which includes a wide range of internationally relevant websites, most of which
are in English. These websites fall under 31 categories, ranging from news media, file sharing and
culture, to provocative or objectionable categories, like pornography, political
criticism, and hate speech.
These categories help ensure that a wide range of different types of websites
are tested, and they enable the examination of the impact of censorship events
(for example, if the majority of the websites found to be blocked in a country
fall under the “human rights” category, that may have a bigger impact than other
types of websites being blocked elsewhere). The main reason why objectionable
categories (such as “pornography” and “hate speech”) are included for testing is
because they are more likely to be blocked due to their nature, enabling the
development of heuristics for detecting censorship elsewhere within a country.
In addition to testing the URLs included in the global test list, OONI Probe is
also designed to examine a test list which is specifically created for the
country that the user is running OONI Probe from, if such a list exists. Unlike
the global test list, country-specific test lists include
websites that are relevant and commonly accessed within specific countries, and
such websites are often in local languages. Similarly to the global test list,
country-specific test lists include websites that fall under the same set of 31 categories, as explained previously.
All test lists are hosted by the Citizen Lab on
GitHub, supporting OONI and other
network measurement projects in the creation and maintenance of lists of URLs to
test for censorship. As part of this study, OONI reviewed the Citizen Lab’s test
list for Thailand by adding more URLs to be tested for censorship. Overall, 420 URLs that
are relevant to Thailand were tested as part of this study. In addition, the
URLs included in the Citizen Lab’s global list (including 1,105 different URLs) were
also tested.
It is important to acknowledge that the findings of this study are only limited
to the websites that were tested, and do not necessarily provide a complete view
of other censorship events that may have occurred during the testing period.
OONI network measurements
The Open Observatory of Network Interference (OONI) is a free software project that aims to
increase transparency of internet censorship around the world. Since 2012, OONI
has developed multiple free and open source software tests designed to examine the
following:
Blocking of websites.
Blocking of censorship circumvention tools (such as Tor).
Blocking of instant messaging apps.
Detection of systems responsible for censorship, surveillance, and traffic
manipulation.
As part of this study, the following OONI software tests were run from 16 different
local vantage points in Thailand:
The Web Connectivity test was run with the aim of examining whether a set of
URLs (included in both the “global test list” and the recently updated “Thai test list”) were
blocked during the testing period and if so, how. The Vanilla Tor test was run
to examine the reachability of the Tor network,
while the WhatsApp and
Facebook Messenger
tests were run to examine whether these instant messaging apps were blocked in
Thailand during the testing period.
The HTTP invalid request line and HTTP header field manipulation tests were run
with the aim of examining whether “middle boxes” (systems placed in the network
between the user and a control server) that could potentially be responsible for
censorship and/or surveillance were present in the tested networks.
The sections below document how each of these tests are designed for the purpose
of detecting cases of internet censorship and traffic manipulation.
Web Connectivity test
This test examines whether
websites are reachable and if they are not, it attempts to determine whether
access to them is blocked through DNS tampering, TCP/IP blocking or by a
transparent HTTP proxy. Specifically, this test is designed to perform the
following:
Resolver identification
DNS lookup
TCP connect
HTTP GET request
By default, this test performs the above (excluding the first step, which is
performed only over the network of the user) both over a control server and over
the network of the user. If the results from both networks match, then there is
no clear sign of network interference; but if the results are different, the
websites that the user is testing are likely censored.
Further information is provided below, explaining how each step performed under
the web connectivity test works.
1. Resolver identification
The domain name system (DNS) is what is responsible for transforming a host name
(e.g. torproject.org) into an IP address (e.g. 38.229.72.16). Internet Service
Providers (ISPs), amongst others, run DNS resolvers which map IP addresses to
hostnames. In some circumstances though, ISPs map the requested host names to
the wrong IP addresses, which is a form of tampering.
As a first step, the web connectivity test attempts to identify which DNS
resolver is being used by the user. It does so by performing a DNS query to
special domains (such as whoami.akamai.com) which will disclose the IP address
of the resolver.
2. DNS lookup
Once the web connectivity test has identified the DNS resolver of the user, it
then attempts to identify which addresses are mapped to the tested host names by
the resolver. It does so by performing a DNS lookup, which asks the resolver to
disclose which IP addresses are mapped to the tested host names, as well as
which other host names are linked to the tested host names under DNS queries.
3. TCP connect
The web connectivity test will then try to connect to the tested websites by
attempting to establish a TCP session on port 80 (or port 443 for URLs that
begin with HTTPS) for the list of IP addresses that were identified in the
previous step (DNS lookup).
4. HTTP GET request
As the web connectivity test connects to tested websites (through the previous
step), it sends requests through the HTTP protocol to the servers which are
hosting those websites. A server normally responds to an HTTP GET request with
the content of the webpage that is requested.
Comparison of results: Identifying censorship
Once the above steps of the web connectivity test are performed both over a
control server and over the network of the user, the collected results are then
compared with the aim of identifying whether and how tested websites are
tampered with. If the compared results do not match, then there is a sign of
network interference.
Below are the conditions under which the following types of blocking are
identified:
DNS blocking: If the DNS responses (such as the IP addresses mapped to host
names) do not match.
TCP/IP blocking: If a TCP session to connect to websites was not established
over the network of the user.
HTTP blocking: If the HTTP request over the user’s network failed, or the HTTP
status codes don’t match, or all of the following apply:
The body length of compared websites (over the control server and the network of
the user) differs by some percentage
The HTTP headers names do not match
The HTML title tags do not match
It’s important to note, however, that DNS resolvers, such as Google or a local
ISP, often provide users with IP addresses that are closest to them
geographically. Often this is not done with the intent of network tampering, but
merely for the purpose of providing users with localized content or faster
access to websites. As a result, some false positives might arise in OONI
measurements. Other false positives might occur when tested websites serve
different content depending on the country that the user is connecting from, or
in the cases when websites return failures even though they are not tampered
with.
HTTP Invalid Request Line test
This test tries
to detect the presence of network components (“middle box”) which could be
responsible for censorship and/or traffic manipulation.
Instead of sending a normal HTTP request, this test sends an invalid HTTP
request line - containing an invalid HTTP version number, an invalid field count
and a huge request method – to an echo service listening on the standard HTTP
port. An echo service is a very useful debugging and measurement tool, which
simply sends back to the originating source any data it receives. If a middle
box is not present in the network between the user and an echo service, then the
echo service will send the invalid HTTP request line back to the user, exactly
as it received it. In such cases, there is no visible traffic manipulation in
the tested network.
If, however, a middle box is present in the tested network, the invalid HTTP
request line will be intercepted by the middle box and this may trigger an error
and that will subsequently be sent back to OONI’s server. Such errors indicate
that software for traffic manipulation is likely placed in the tested network,
though it’s not always clear what that software is. In some cases though,
censorship and/or surveillance vendors can be identified through the error
messages in the received HTTP response. Based on this technique, OONI has
previously detected the use
of BlueCoat, Squid and Privoxy proxy technologies in networks across multiple
countries around the world.
It’s important though to note that a false negative could potentially occur in
the hypothetical instance that ISPs are using highly sophisticated censorship
and/or surveillance software that is specifically designed to not trigger errors
when receiving invalid HTTP request lines like the ones of this test.
Furthermore, the presence of a middle box is not necessarily indicative of
traffic manipulation, as they are often used in networks for caching purposes.
This test
also tries to detect the presence of network components (“middle box”) which
could be responsible for censorship and/or traffic manipulation.
HTTP is a protocol which transfers or exchanges data across the internet. It
does so by handling a client’s request to connect to a server, and a server’s
response to a client’s request. Every time a user connects to a server, the user
(client) sends a request through the HTTP protocol to that server. Such requests
include “HTTP headers”, which transmit various types of information, including
the user’s device operating system and the type of browser that is being used.
If Firefox is used on Windows, for example, the “user agent header” in the HTTP
request will tell the server that a Firefox browser is being used on a Windows
operating system.
This test emulates an HTTP request towards a server, but sends HTTP headers that
have variations in capitalization. In other words, this test sends HTTP requests
which include valid, but non-canonical HTTP headers. Such requests are sent to a
backend control server which sends back any data it receives. If OONI receives
the HTTP headers exactly as they were sent, then there is no visible presence of
a “middle box” in the network that could be responsible for censorship,
surveillance and/or traffic manipulation. If, however, such software is present
in the tested network, it will likely normalize the invalid headers that are
sent or add extra headers.
Depending on whether the HTTP headers that are sent and received from a backend
control server are the same or not, OONI is able to evaluate whether software –
which could be responsible for traffic manipulation – is present in the tested
network.
False negatives, however, could potentially occur in the hypothetical instance
that ISPs are using highly sophisticated software that is specifically designed
to not interfere with HTTP headers when it receives them. Furthermore, the
presence of a middle box is not necessarily indicative of traffic manipulation,
as they are often used in networks for caching purposes.
Vanilla Tor test
This test examines the
reachability of the Tor network, which is
designed for online anonymity and censorship circumvention.
The Vanilla Tor test attempts to start a connection to the Tor network. If the
test successfully bootstraps a connection within a predefined amount of seconds
(300 by default), then Tor is considered to be reachable from the vantage point
of the user. But if the test does not manage to establish a connection, then the
Tor network is likely blocked within the tested network.
WhatsApp test
This test is designed to examine the
reachability of both WhatsApp’s app and the WhatsApp web version within a
network.
OONI’s WhatsApp test attempts to perform an HTTP GET request, TCP connection and
DNS lookup to WhatsApp’s endpoints, registration service and web version over
the vantage point of the user. Based on this methodology, WhatsApp’s app is
likely blocked if any of the following apply:
TCP connections to WhatsApp’s endpoints fail;
TCP connections to WhatsApp’s registration service fail;
DNS lookups resolve to IP addresses that are not allocated to WhatsApp;
HTTP requests to WhatsApp’s registration service do not send back a response to
OONI’s servers.
WhatsApp’s web interface (web.whatsapp.com) is likely if any of the following
apply:
TCP connections to web.whatsapp.com fail;
DNS lookups illustrate that a different IP address has been allocated to
web.whatsapp.com;
HTTP requests to web.whatsapp.com do not send back a consistent response to
OONI’s servers.
Facebook Messenger test
This test is designed to
examine the reachability of Facebook Messenger within a tested network.
OONI’s Facebook Messenger test attempts to perform a TCP connection and DNS
lookup to Facebook’s endpoints over the vantage point of the user. Based on this
methodology, Facebook Messenger is likely blocked if one or both of the
following apply:
Data analysis
Through its data pipeline,
OONI processes all network measurements that it collects, including the
following types of data:
Country code
OONI by default collects the code which corresponds to the country from which
the user is running OONI Probe tests from, by automatically searching for it
based on the user’s IP address through the MaxMind GeoIP database. The collection of country codes is
an important part of OONI’s research, as it enables OONI to map out global
network measurements and to identify where network interferences take place.
Autonomous System Number (ASN)
OONI by default collects the Autonomous System Number (ASN) which corresponds to
the network that a user is running OONI Probe tests from. The collection of the
ASN is useful to OONI’s research because it reveals the specific network
provider (such as Vodafone) of a user. Such information can increase
transparency in regards to which network providers are implementing censorship
or other forms of network interference.
Date and time of measurements
OONI by default collects the time and date of when tests were run. This
information helps OONI evaluate when network interferences occur and to compare
them across time.
IP addresses and other information
OONI does not deliberately collect or store users’ IP addresses. In fact, OONI
takes measures to remove users’ IP addresses from the collected measurements, to
protect its users from potential risks.
However, OONI might unintentionally collect users’ IP addresses and other
potentially personally-identifiable information, if such information is included
in the HTTP headers or other metadata of measurements. This, for example, can
occur if the tested websites include tracking technologies or custom content
based on a user’s network location.
Network measurements
The types of network measurements that OONI collects depend on the types of
tests that are run. Specifications about each OONI test can be viewed through
its git repository, and details about what collected network measurements entail can
be viewed through OONI Explorer
or through OONI’s measurement API.
OONI processes the above types of data with the aim of deriving meaning from the
collected measurements and, specifically, in an attempt to answer the following
types of questions:
Which types of OONI tests were run?
In which countries were those tests run?
In which networks were those tests run?
When were tests run?
What types of network interference occurred?
In which countries did network interference occur?
In which networks did network interference occur?
When did network interference occur?
How did network interference occur?
To answer such questions, OONI’s pipeline is designed to process data which is
automatically sent to OONI’s measurement collector by default. The initial
processing of network measurements enables the following:
Attributing measurements to a specific country.
Attributing measurements to a specific network within a country.
Distinguishing measurements based on the specific tests that were run for their
collection.
Distinguishing between “normal” and “anomalous” measurements (the latter
indicating that a form of network tampering is likely present).
Identifying the type of network interference based on a set of heuristics for
DNS tampering, TCP/IP blocking, and HTTP blocking.
Identifying block pages based on a set of heuristics for HTTP blocking.
Identifying the presence of “middle boxes” within tested networks.
However, false positives can emerge within the processed data due to a number of
reasons. As explained previously (section on “OONI network measurements”), DNS
resolvers (operated by Google or a local ISP) often provide users with IP
addresses that are closest to them geographically. While this may appear to be a
case of DNS tampering, it is actually done with the intention of providing users
with faster access to websites. Similarly, false positives may emerge when
tested websites serve different content depending on the country that the user
is connecting from, or in the cases when websites return failures even though
they are not tampered with.
Furthermore, measurements indicating HTTP or TCP/IP blocking might actually be
due to temporary HTTP or TCP/IP failures, and may not conclusively be a sign of
network interference. It is therefore important to test the same sets of
websites across time and to cross-correlate data, prior to reaching a conclusion
on whether websites are in fact being blocked.
Since block pages differ from country to country and sometimes even from network
to network, it is quite challenging to accurately identify them. OONI uses a
series of heuristics to try to guess if the page in question differs from the
expected control, but these heuristics can often result in false positives. For
this reason OONI only says that there is a confirmed instance of blocking when a
block page is detected.
OONI’s methodology for detecting the presence of “middle boxes” - systems that
could be responsible for censorship, surveillance and traffic manipulation - can
also present false negatives, if ISPs are using highly sophisticated software
that is specifically designed to not interfere with HTTP headers when it
receives them, or to not trigger error messages when receiving invalid HTTP
request lines. It remains unclear though if such software is being used.
Moreover, it’s important to note that the presence of a middle box is not
necessarily indicative of censorship or traffic manipulation, as such systems
are often used in networks for caching purposes.
Upon collection of more network measurements, OONI continues to develop its data
analysis heuristics, based on which it attempts to accurately identify
censorship events.
Findings
As part of this study, network measurements were collected
through OONI Probe software tests
performed across 16 different local vantage points in Thailand between 6th
November 2016 to 27th February 2017.
Upon analysis of the collected data, the
findings
illustrate that ISPs in Thailand are primarily implementing censorship through DNS hijacking and through
the use of middle boxes (HTTP transparent proxies) which serve block pages.
OONI’s HTTP invalid request line test, in particular,
revealed the
presence of middle boxes in many networks, which intercepted the HTTP requests
that were sent to echo servers. OONI’s Web Connectivity test, on the other hand,
revealed that
many ISPs served block pages for 13 different sites.
The types of sites that were found to be blocked as part of this study include:
The table below illustrates all of the sites that we confirmed to be blocked
across ISPs as part of our testing and data analysis.
Internet Service Providers (ISPs) | Blocked websites | Categories | Date of blocking |
---|
DTAC (AS24378) | http://www.nypost.com | News media | 2/23/2017 |
DTAC (AS24378) | http://xhamster.com | Pornography | 2/10/2017 |
TOT 3BB (AS23969) | http://www.dailymail.co.uk | News media | 2/20/2017 |
TOT 3BB (AS23969) | http://www.hotspotshield.com | Anonymity and censorship circumvention | 2/20/2017 |
Realmove Company Limited (AS132061) | http://www.wikileaks.org | News media | 2/14/2017 |
Realmove Company Limited (AS132061) | http://anonymouse.org | Anonymity and censorship circumvention | 2/14/2017 |
Triple-T Internet Co., Ldt (AS45758) | http://ultrasurf.us | Anonymity and censorship circumvention | 2/22/2017 |
Triple-T Internet Co., Ldt (AS45758) | http://pridetube.com | Pornography | 2/14/2017 |
Triple-T Internet Co., Ldt (AS45758) | http://www.naughty.com | Pornography | 2/22/2017 |
Triple-T Internet Co., Ldt (AS45758) | http://www.livejasmin.com | Pornography | 2/24/2017 |
True Internet CO., LDT (AS17552) | http://redtube.com | Pornography | 2/22/2017 |
True Internet CO., LDT (AS17552) | http://xhamster.com | Pornography | 2/16/2017 |
JasTel Network International Gateway (AS45629) | http://youjizz.com | Pornography | 2/14/2017 |
Following a meeting in early 2015 between Thailand’s National Broadcasting and
Telecommunications Commission (NBTC), various Internet Service Providers (ISPs),
and the police’s Special Branch, Thai ISPs were “authorised” to block online content at their own discretion. This appears to be corroborated by
our findings, which show different sites being blocked by different ISPs across
time, indicating that service providers may have flexibility in terms of what
they can filter.
New York Post, for example, was only found to be blocked in one mobile network
(DTAC), while being accessible across all other ISPs where tests were run.
Similarly, WikiLeaks was only found to be blocked
by one provider (Realmove Company Limited). This indicates that ISPs were
probably not ordered to block WikiLeaks on the grounds of “national security”,
but rather that one provider likely chose to block the site at its own
discretion.
Anonymouse.org was found to be blocked twice, while the rest of the sites in
the table above were found to be blocked only
once. However, as the measurements were run quite sporadically across different
networks, it remains quite unclear whether and to what extent some of these
sites remain blocked.
On a positive note, OONI’s
WhatsApp and Facebook Messenger tests show
that the apps appear to have been accessible in Thailand throughout the testing
period.
OONI data shows that DTAC, Thailand’s second largest GSM mobile phone provider,
blocked access to nypost.com in February 2017. The site though was found to be
accessible across other ISPs. While the company’s motivation remains unclear, it
may have chosen to block access to this news outlet if it was publishing
information that was viewed as offensive under lese majeste laws. Similarly, TOT
3BB blocked access to dailymail.co.uk, but rather than serving a block
page, dailymail.co.uk was found to be blocked based on DNS censorship.
Internet Service Providers (ISPs) | Blocked media sites | Date of blocking |
---|
DTAC (AS24378) | http://www.nypost.com | 2/23/2017 |
TOT 3BB (AS23969) | http://www.dailymail.co.uk | 2/20/2017 |
Realmove Company Limited (AS132061) | http://www.wikileaks.org | 2/14/2017 |
WikiLeaks is a multi-national media organization that is known for publishing
large datasets of restricted official materials involving war, spying, and
corruption. In 2008, WikiLeaks released a list of blacklisted websites by
Thailand’s Ministry of Information and Communication Technology (MICT).
Wikileaks.org was subsequently
blocked in Thailand less than two years later
under the 2005 emergency decree.
Our findings show that while wikileaks.org was accessible across 15 ISPs during
our testing, it was recently found to be blocked in February 2017 by Realmove Company Limited.
Anonymity and censorship circumvention
On a positive note, the Tor network appeared to
be accessible across all ISPs in Thailand where OONI tests were run as part of this study.
Other sites, however, for anonymity and censorship circumvention were found to be blocked, as
illustrated in the table below.
Internet Service Providers (ISPs) | Blocked anonymity & circumvention sites | Date of blocking |
---|
TOT 3BB (AS23969) | http://www.hotspotshield.com | 2/20/2017 |
Realmove Company Limited (AS132061) | http://anonymouse.org | 2/14/2017 |
Triple-T Internet Co., Ldt (AS45758) | http://ultrasurf.us | 2/22/2017 |
HotSpot Shield is a free Virtual Private Network (VPN) that enables its users to
enhance their online privacy and to circumvent online censorship. The testing of
hotspotshield.com showed that TOT 3BB served a block page in February
2017. Similarly, the testing of anonymouse.org and ultrasurf.us also showed that
providers (Realmove Company Limited and Triple-T Internet Co., Ldt) served block
pages.
Pornography
Thailand’s Prevention and Suppression of Temptations to Dangerous Behaviors Bill aims to prohibit specific types of
pornography. As part of our testing, we found the following pornographic sites
to be blocked in Thailand.
Internet Service Providers (ISPs) | Blocked porn sites | Date of blocking |
---|
Triple-T Internet Co., Ldt (AS45758) | http://pridetube.com | 2/14/2017 |
Triple-T Internet Co., Ldt (AS45758) | http://www.naughty.com | 2/22/2017 |
Triple-T Internet Co., Ldt (AS45758) | http://www.livejasmin.com | 2/24/2017 |
True Internet CO., LDT (AS17552) | http://redtube.com | 2/22/2017 |
True Internet CO., LDT (AS17552) | http://xhamster.com | 2/16/2017 |
JasTel Network International Gateway (AS45629) | http://youjizz.com | 2/14/2017 |
DTAC (AS24378) | http://xhamster.com | 2/10/201 |
Acknowledgement of limitations
The findings of this study present various limitations and do not necessarily
reflect a comprehensive view of internet censorship in Thailand.
The first limitation is associated with the testing period. While OONI network
measurements have been collected from Thailand since 2014 and continue
to be collected on the day of the publication of this report, this study only
takes into account and analyzes network measurements that were collected between
6th November 2016 and 27th February 2017. This study is limited to this time
frame because we aim to examine the most recent censorship events and because
there was a significant increase in the collection of network measurements
during this period, in comparison to previous months and years. As such,
censorship events which may have occurred before and/or after the testing period
are not examined as part of this study.
Another limitation to this study is associated to the amount and types of URLs
that were tested for censorship. As mentioned in the methodology section of this
report (“Creating a Thai test list”), OONI’s Web Connectivity test was run to examine
the accessibility of 420 URLs that are more relevant to the Thai context and
of 1,105 internationally relevant sites. While a total of 1,525 URLs were tested for
censorship as part of this study, we did not test all of the URLs on the
internet, indicating the possibility that other websites not included in tests
lists might have been blocked.
Finally, while network measurements were collected from 16 different local
vantage points in Thailand, OONI’s software tests were not run consistently
across all networks. Stable measurements were collected from certain vantage
points throughout the testing period, but less stable measurements were also
collected from a number of other vantage points following the launch of OONI’s mobile app on 9th February
2017. In other words, once OONI Probe became easier to install and run via its mobile version for Android and
iOS, we received an increased amount of sporadic measurements from various new
networks. In some of these networks we were able to identify additional cases of
censorship, but since tests were not always run consistently, our ability to
evaluate whether censorship cases were persistent was limited.
Conclusion
Multiple censorship events have been reported in Thailand over the last
decade, particularly since the latest military coup in the country in May 2014,
involving the blocking of news outlets and sites that express political
criticism.
The objective of this study is to gain a better understanding of internet
censorship events in Thailand through the collection and analysis of network
measurements. To this end, OONI software tests were run across 16 different
local vantage points in Thailand with the aim of collecting and analyzing
network measurement data that could help examine whether sites, instant
messaging apps, and censorship circumvention tools were blocked. Some of the
tests that were also run are designed to
examine whether systems (“middle boxes”) that could be responsible for
censorship, surveillance, and traffic manipulation were present in the tested
networks. Overall, the accessibility of 1,525 sites was tested,
and the network measurement data collected
between 6th November 2016 to 27th February 2017 was analyzed.
The key findings
of this study show that Thai ISPs appear to primarily be implementing censorship
through DNS hijacking and through the use of middle boxes (HTTP transparent proxies) which serve block
pages, while in fewer cases, ISPs appear to be implementing DNS-based censorship
(in the case of the blocking of dailymail.co.uk, for example). It’s worth
noting that Thai ISPs appear to be implementing censorship at their own
discretion, since the types of sites blocked vary across ISPs.
As part of this study, 13 sites were confirmed to be blocked across 6 ISPs
(DTAC, Realmove Company Limited, TOT 3BB, Triple-T Internet Co., Ltd, True
Internet Co., Ltd, JasTel Network International). These sites include news
outlets (nypost.com and dailymail.co.uk), wikileaks.org, the sites of
circumvention tools (such as hotspotshield.com), and pornography. The fact that
these sites were not blocked across all networks leads us to believe that Thai
service providers may be filtering content based on broad government orders to
block content that is deemed to violate lese majeste rules. On a positive note,
WhatsApp, Facebook Messenger, and the Tor network
appeared to be
accessible
across 16 networks throughout the testing period.
Given the limited transparency around information controls in Thailand and the
potential implications they may have on human rights, we encourage ISPs to
disclose their motivation and justification behind the blocking of sites and
services. We also encourage public debate based on the
findings of this
study around the necessity and proportionality of information controls.
Acknowledgements
We thank the Open Technology Fund (OTF) and
Access Now for funding this research. We also
thank all the anonymous and brave volunteers in Thailand who have run and
continue to run OONI Probe, thus making this research possible.
Note: This report was updated on 20th March 2017, following its publication.