CIVICUS speaks about the use of surveillance technology against civil society activists in Thailand with Sutawan Chanprasert, founder and executive director of DigitalReach, a civil society organisation (CSO) that promotes digital rights, human rights and democracy in Southeast Asia.
What is DigitalReach working on?
DigitalReach is a digital rights organisation working in southeast Asia. We are looking at the impact of technology on human rights and democracy in the region. We initiated this project with a focus on the use of Pegasus spyware in Thailand and reached out to The Citizen Lab and iLaw for collaboration. This is because iLaw is a well-known organisation based in Thailand with a great connection with local activists, and The Citizen Lab is well-known for its expertise in spyware investigation.
What were the main findings of this research?
Pegasus spyware, which is produced by NSO group and sold only to state agencies, can infect devices (both iOS and Android) through a technology called ‘zero click’, which means that it needs no action on the part of the targeted user. Once the spyware is installed, it can gain access to everything on the device, including photos and text messages, and can turn the camera and microphone on and off.
In Thailand, this spyware has been used against at least 35 iPhone users: 24 activists, three CSO workers, three academics and five opposition politicians. These infections happened between October 2020 and November 2021, which was peak time for the democracy movement.
There were three reasons why the spyware was used against dissidents: to monitor protesters’ online activity, to monitor the protests and to find out more about the movement’s funding. On the basis of forensic evidence, The Citizen Lab confirmed that zero-click technology was used, exploiting vulnerabilities in the system to gain access to the devices.
This was likely not the first time spyware was used against activists in Thailand, but we have no evidence to confirm this suspicion. Other digital surveillance tools have also been used: as detailed in our report, GPS devices were found attached to some dissidents’ vehicles during democracy mobilisations.
How did the government react to your findings?
On 22 July the Prime Minister said in parliament that he does not know anything about this spyware, and he added that such spyware would be unnecessary as we all knew what was going on from social media. The Deputy Minister of Defence also declared in parliament that it is not the government’s policy to use spyware against people or ‘generally’ violate their rights. Meanwhile, the Minister of Digital Economy and Society stated in parliament that spyware technology had been purchased but not by a department or agency under his authority. However, he referred to it generically as ‘spyware technology’, without ever confirming that he was referring to Pegasus.
Is there anything CSOs and activists can do to counter spyware?
Spyware is considered a dual-use item, which means it can also be useful in criminal investigations. However, we all know this is not always the case. In Thailand and many other countries, spyware has been used against dissidents and members of the opposition, which means that the technology needs to be strictly regulated so it’s not abused. However, it’s hard to see that happening under the current administration, as the government itself is the likely perpetrator. Only policymakers who care about human rights will be able to make progress on this.
As for individual activists, there is no total solution to prevent a device from being infected by this kind of spyware. However, exposure to this threat can be reduced in several ways, such as by using two-factor authentication, using a security key or an authenticator app rather than an SMS, using a messaging platform with the disappearing message feature and by enrolling in Google’s Advanced Protection Program.
What can the international community do to support Thai activists facing surveillance?
This is a tricky question. Thailand doesn’t currently have an active local digital rights organisation, so working on this would be a good first step to increase digital security protection. The global community that works on digital security can play an important role. However, training activities offered in Thailand must be conducted in the local language and customised to fit the Thai context.
There’s also a need for digital security work in Thailand that goes beyond training, including monitoring to watch for emerging digital threats against dissidents, more research and work with local activists and organisations to ensure their long-term digital safety with a sustainable approach. Funding is also needed because local activists and organisations must buy tools to support their digital security.
Civic space in Thailand is rated ‘repressed’ by the CIVICUS Monitor.
Follow DigitalReach via its website and follow @DigitalReachSEA on Twitter.