Thai authorities are deceiving Internet users into disclosing their personal details, including email addresses and Facebook profile information, when they try to visit prohibited sites.

By Danny O’Brien

Thailand’s censorship regime has grown ever more pervasive since the military took over last month, with punishments aimed at both speakers and consumers of prohibited media. On the streets, Thais have been arrested for wearing the wrong message on a T-shirt, or reading George Orwell’s “1984” in public. Online, according to the regime’s own reports, hundreds of new websites have been added to the Thai government’s official blacklist including politics and news sites covering the coup. Now the authorities are deceiving Internet users into disclosing their personal details, including email addresses and Facebook profile information, when they try to visit these prohibited sites.

Under Thailand’s national web blocking infrastructure, Net users attempting to visit blocked sites in Thailand are redirected to a government web landing page, managed by the country’s Technology Crime Suppression Division (TCSD). After the coup, the country’s digital rights group, the Thai Netizen Network, noticed that the TCSD block page had sprouted two new graphics: a blue “close” button, and a “Login with Facebook” icon. Both lead to a misleading-titled “Login” Facebook page, where users were asked for permission to hand over personal information stored in their Facebook profile — without any indication, in Thai or English, as where that data was being sent, or for what purpose. In fact, the “Login” app was being run by TCSD itself, which used Facebook’s application platform to collect the details of Facebook users visiting to the landing page.

The Thai authorities have long claimed that foreign companies should comply with all their demands for removing content and handing over personal data. Facebook has consistently refused such requests. By misleading users to click through the permissions-granting first page of its Facebook application, the Thai authorities has been gathering what Facebook’s legal department have refused to hand over.

A deceptive Facebook app without a clear privacy policy or embedded explanation is a violation of Facebook’s own platform policies, and the Crime Suppression Division’s app has now been suspended by Facebook at least twice. The first “Login” app was removed shortly after the Thai Netizen Network published details of its deceptive appearance. An identical app which subsequently replaced it on the page was suspended by Facebook after less than a week of operation.

On Friday, after days of online criticism, the TCSD belatedly posted a justification for their application, writing:

The collection of witness or user’s data is a data collection procedure of TCSD.info, which is supported by Article 26 of Computer-related Crime Act (2007). This data collection is the same as other websites that use Facebook for their authentication. By this way, TCSD can handle more witnesses which can lead to more prosecutions and will make the online society more clean. We invite you to send information to https://www.facebook.com/jahooktcsd

Facebook’s own public app statistics pages show that these two apps between them managed to scoop up hundreds of Thai email addresses before being shut down. Did these Internet users understand that they handing out their names and email addresses as potential “witnesses” to future prosecutions?

This isn’t the first time that we’ve seen governments adopt the techniques of phishing and spamming groups in order to collect information on their own citizens. While it is unsurprising that a military regime that has overthrown the rule of law might stoop to spy with a terms-of-service-violating social media app, it shows how determined the Thai government is to warp the Internet — including social media — to its own ends.