Before we continue, we would like to reiterate that we are not politically aligned or motivated. The author of this post voted for Barisan Nasional in the last general elections. However, we need to address some scary developments that don’t seem to be getting the attention they deserve.
With all the Snowden revelations, we often think that it’s only the US’s NSA and the UK’s GCHQ that are spying on us. Even recent news that China was spying on Malaysian users, and possibly even on classified government networks, went relatively unnoticed.
However, evidence is mounting that government surveillance of Malaysian citizens is a very real possibility. We’ll deal with these telltale signs one by one.
Finfisher: Spying malware that is used by governments
Finfisher is malware that can pretend to be recognized software (such as Firefox) while it steals passwords, taps Skype calls, and turns on your camera and microphone to record video and audio without you knowing. Finfisher was not created by some renegade hacker group but by a professional surveillance company which markets it to law enforcement agencies. Finfisher is sold exclusively to governments. It has been sold to repressive regimes to control their populations and political dissidents, and both Egypt and Ethiopia have confirmed cases of Finfisher being used by governments.
The common perception is that Malaysia isn’t competent enough to do such things, but if countries like Egypt and Ethiopia can implement it, there’s no reason why our government can’t. There is some strong circumstantial evidence that this may have happened already. In 2013, Citizen Lab identified a Finfisher server being operated in Malaysia. This alone does not confirm that it was run by the Malaysian government. However, they also found an election-related document infected with Finfisher that appears to have been targeted at Malay-speaking users who were interested in the general elections. Given that Finfisher is sold only to governments, there’s strong evidence that some government interested in spying on the Malaysian electorate is involved.
Deep Packet Inspection by our ISPs: Big Brother knows what you’re doing on the internet
Deep packet inspection (DPI) is a technique whereby ISPs can identify the content of what you are posting automatically on a large scale. DPI can be configured to detect keywords, links, digital signatures and how you’re using the internet. Wired Magazine has an excellent article on how DPI works.
DPI was probably originally introduced around 2007 by Telekom to combat P2P downloaders, by identifying P2P traffic such as torrents and eMule and purposely throttling it to avoid the cost of expanding bandwidth capacity. However, there have been reports that DPI was used in the latest General Election to block access to opposition sites and media. Rizvanrp seems to have confirmed this with his investigation, which showed that the viewing of certain political videos was being MITMed (man-in-the-middle) and disrupted.
Combine this with the fact that your ISP knows who is using which IP address on its network, and it is trivial for them to see what you’re doing on the internet unless you’re using a VPN or Tor to hide your internet activity.
Changes to the law to curtail internet freedom and to monitor/retain data
In 2013, Paul Low, the minister in charge of fighting graft, announced that the Malaysian government was considering implementing phone tapping and internet monitoring to combat graft. He mentioned that the government was in the planning stages of coming out with legislation that would allow it to conduct widespread internet monitoring. It appears that this was already in the works when he mentioned it, as seen in the rapid passing of new laws over the past few years to crack down on internet freedom and to monitor/retain data. This period saw a rapid replacement of the old guard of ministers, but things have since gone pretty quiet despite serious corruption allegations. Combating graft or weeding out political opponents?
a) S.114A Evidence Act: Guilty until proven innocent on online publications/postings
S.114A was introduced in 2012. The normal rule of law is that you’re innocent until proven guilty. However, S.114A introduced a reverse presumption in the following circumstances:
- If your name, photograph or pseudonym appears in a publication, which depicts yourself to have some connection with the publication, either you as the owner, editor or etc., you are presumed to have published or re-published the contents of the publication;
- If a publication originates from a network service that you have registered and subscribed to, you are presumed to have published or re-published the contents of the publication; or
- If a publication originates from a computer which you have custody or control on it, you are presumed to have published or re-published the contents of the publication.
Credits to Loyar Buruk for the above summary.
What this means is that you’re presumed to be a criminal unless you prove that you aren’t. A horrible example is this: if someone registered a fake profile with your name and picture and then posted some illegal material, you are deemed to be responsible for it unless you can prove it wasn’t you. Now how would you prove that?
How is this relevant to the current discussion on government spying? If we examine the motive behind this amendment, this seems to be targeted at online publications and to control social media postings.
The Inspector-General of Police himself said that he has 126,000 police personnel available to check round the clock on all writing, postings, Twitter and social media. To be fair, this doesn’t appear to be a specialized unit but rather the sum of the total police force in Malaysia; however, it gives an idea of our law enforcement’s priorities.
b) Sedition Act Strengthened
The Sedition Act, instead of being repealed as promised, was strengthened with the excuse of protecting domestic harmony. For sedition, there is no requirement to prove intention to be seditious, merely that the court is satisfied that there is a seditious tendency. Unfortunately, the definition of sedition isn’t very clear, leaving it open to interpretation and abuse. Note that the Sedition Act was actually created by our British colonial masters to combat the rising dissent against the British. Oh, wait… sorry, we were apparently never colonised… merely a protectorate.
Home Minister Datuk Seri Dr Ahmad Zahid Hamidi’s statement on the same is telling: “Last time, there was no Internet and non-verbal communication over social media. Those days, we didn’t have groups of people inciting people (in Sabah and Sarawak) to get out of Malaysia.”
Among the many amendments, one is aimed squarely at online publications. It allows the court to issue an order to remove seditious content from publications issued by electronic means, such as online publications. Those who are found to be “propagating” seditious messages can be prohibited from accessing any electronic device. Thankfully, government criticism is still allowed, though the Sedition Act had been used as a weapon to stamp out government opposition before the amendments were passed.
The vague terminology given to what is ‘propagation’ of seditious speech would mean a Facebook share or a retweet could also be caught as seditious. We are now looking at these changes possibly coming into force in June.
c) Security Offences (Special Measures) Act 2012 – Ability to intercept and log communication as per police discretion without your knowledge
Although the Internal Security Act has been repealed, the act that replaced it, the Security Offences (Special Measures) Act 2012, allows a public prosecutor to intercept your postal letters, your instant messaging, your email and what you surf. They can even require communications providers like Maxis, Telekom, Digi etc. to intercept and retain data without your knowledge. Given that everything passes through your internet service provider, they will have quite a comprehensive picture of your online activity. Such activities do not have to be approved by a court but merely by a public prosecutor (which includes deputy public prosecutors who are police officers). All that is required is that the public prosecutor ‘considers it is likely that it may contain any information in relation to a security offence’. This all happens silently without your knowledge.
d) Prevention Against Terrorism Act
Although it does not target online activity, this newly passed bill does raise serious questions, as it allows arrest without trial or judicial review (meaning you can’t challenge it in court). This trust is placed in an ‘Anti Terrorism Board’ consisting of at least 5 and not more than 8 members, who will decide whether they can detain you without trial. Each detention can last up to two years, after which the Board can choose to renew it indefinitely for further two-year periods if it feels it necessary.
Our growing chummy relationship with the USA
Malaysia was originally a target of internet surveillance, with evidence that Australian intelligence, a member of the Five Eyes signals intelligence alliance, has been spying on and bugging Malaysian ministers since the early 1990s. It also partnered with British, American and Singaporean intelligence agencies to tap undersea fibre optic telecommunications cables through South East Asia. After U.S. surveillance of Malaysia was exposed, Malaysia’s foreign ministry sent a written protest to the U.S. ambassador to Malaysia. Malaysian Prime Minister Najib Razak said that the surveillance infringed upon national sovereignty and that the Malaysian government firmly opposed all forms of U.S. monitoring activities in Malaysia.
Yet as pictures of our prime minister playing golf with Obama are shared, we can’t help but notice how chummy we have become with the US. A joint statement issued by the White House confirms this, including in areas of defense and security.
A few months later, it was reported that Malaysia had offered to host US spy planes, according to a statement by Admiral John Greenert (US Chief of Naval Operations). This was later denied by our defense minister, who said Malaysia had only agreed to do joint military training.
Most worryingly, Malaysia is a big supporter of the US-led secretive Trans-Pacific Partnership agreement, which could require ISPs to ‘police’ user activity, which would mean data logging. Although this data is collected seemingly for the purpose of preventing copyright infringements, such data can easily be used to monitor citizens.
Although there is a great deal of speculation here, the growing cooperation in areas of defense and security could mean that our governments are already cooperating in the area of internet surveillance. This is not from the realm of fiction, as it has been done before with other countries. Germany was in close cooperation with the US’s NSA and has only recently stopped sharing its electronic surveillance intelligence with them, which is probably also partly due to the fact that the NSA had spied on Angela Merkel’s personal phone.
The debate is still open as to whether the Malaysian government is performing mass surveillance on its citizens, but it is almost certain that our internet communications are being intercepted and monitored to a certain extent. It is also very clear that the Malaysian government does have the capabilities and tools to effect such surveillance easily, and the expansion of its powers in the internet realm is telling as to its intentions. Search histories, e-mails, instant messages and phone calls can no longer be considered private.
Using a VPN should be part of an overall measure to protect your internet freedom and privacy and we will delve into how you can do this in detail at a later date. Using BolehVPN will prevent your ISPs or governments from tracking your internet movements as all they will see is an encrypted connection to our VPN servers.
Thankfully, although BolehVPN is a Malaysian company, only one of our VPN servers is located in Malaysia, and the rest of the servers and the customer database are all outside Malaysian jurisdiction, so the authorities are unable to do this silently without our knowledge. Our warrant canary also offers some protection against this, and we are taking steps to protect our customers’ privacy.
Stay tuned for some sweeping security changes that we will be making to our customer portal and VPN system. We hope to roll them out this month, and we hope that you will be patient when we implement them.