Contending with Spyware and Oppression in Thailand

Justin Hendrix / Oct 16, 2022

Audio of this conversation is available via your favorite podcast service.

Earlier this year, an investigation published in the New Yorker by Ronan Farrow suggested that commercial spyware called Pegasus, developed by the Israeli firm NSO Group, is being used by governments in at least 45 countries around the world, including by U.S. and European intelligence and law enforcement services. The technology permits government agents to gain access to the contents of cell phones by exploiting flaws in device operating systems and software.

Apple and Facebook have filed lawsuits against NSO over the Pegasus technology. But while the company claims it has turned down many customers over ethical concerns, activists and human rights defenders around the world continue to be targeted, with especially dire consequences in authoritarian states or countries where democracy is weak or precarious.

In this podcast episode, we hear from three individuals in Bangkok, Thailand, pro-democracy activists who have seen their community targeted with Pegasus, part of a range of activities intended to discourage dissent and limit free expression.

  • Yingcheep Atchanont, a program manager at iLaw
  • Ruchapong Chamjirachaikul, advocacy officer at iLaw
  • Darika Bamrungchok, a program manager at Thai Netizen Network

Thai dissidents learned their phones had been infected from emails sent from Apple from a no-reply account. An investigation into the extent of the Thai regime’s use of Pegasus was published this summer by iLaw, which is a nonprofit organization concerned with human rights, freedom of expression and advancing democratic reforms. Working in partnership with another Thai NGO, Digital Reach, and Canada’s Citizen Lab, and with support from Access Now, the report includes an analysis of the extent of the infiltration and calls for reform.

What follows is a lightly edited transcript of the discussion.

Justin Hendrix:

I appreciate you all joining me today. We're going to talk a little bit about Pegasus spyware, how it's been used to hack activists in Thailand, and what generally the situation is there, and go through some of the findings of the report that three of you have played some role in. And I think it might be helpful to listeners if perhaps one of you could give the lay of the land. What is the political context that we're in at the moment? What is life like there, the context in which this report came out?

Ruchapong Chamjirachaikul:

So basically Thailand is a country plagued with political instability. In 2014 we had, I think, our 13th or 14th coup. So that ranked us as one of the countries with the most coups in the world. And for the past seven years we have been under the rule of the military government. And in 2017 they had a referendum on the military draft constitution, which aimed to preserve their power in democracy, so-called democratic government. So they orchestrated referendums and they maintained their powers after the election in 2019. And then in 2020 there was an eruption of mass protest led by the youth– students and people calling for a monarchical reform– which is unprecedented in a country where the monarchy is regarded as untouchable. So by openly criticizing the monarchy, it is to check the Thai conservative institutions and that scares the elites.

So how we get to Pegasus is that in November last year, I think at least two dozen Thai activists, scholars and human rights defenders, as well as politicians, received an email from Apple that their product, the iPhone, is being targeted by the state sponsored attackers. So that's new for us because we haven't heard anything about spyware that has capabilities of hacking our phones. We trust the iPhone that we have and then something just happened. So we didn’t know what it's all about and we found that it's Pegasus spyware, which has been a major scandal elsewhere in the world, except in Thailand. So we haven't heard about this before; it’s a new thing that surprised us. So that's when we at the iLaw, two of our staff were also targeted, so were victims of Pegasus.

And then we started an investigation on this, and we tried to go to the suspected victims, have their phones analyzed to do the forensic analysis, and we determined whether they were infected with Pegasus or not. And what we found is that at least 35 people in Thailand were infected with Pegasus and all the timings of the attack appear to coincide with major political events such as protests. For example, after politicians talk about the monarchy in the parliament, they were infected with Pegasus. So it implies that the Thai government is somewhere behind this attack.

Darika Bamrungchok:

I can add on that I think the Pegasus spyware is one of the examples that we can see in terms of authoritarian actions in Thailand as well. But I would say that when I'm thinking about digital authoritarianism in Thailand, so that is the surveillance part and is one of the key factors. But also another key topic is that the Thai government, especially after the military coup in 2014, uses judicial harassment and then prosecution. So that's why I think iLaw is doing the documentation of that. I think that is the main tactic that the Thai government is using for targeting the human rights defenders and NGOs in Thailand. And also another part is about the internet media censorship. So I think this is another element that is part of the ecosystem when we talk about digital authoritarianism in Thailand.

And then for the surveillance part, I think that I would add on in terms of it not just only the one because of spyware, but also the Thai government has also used a number of the tactics. Sometimes it's the low tech, the low budget technologies. For example, they use the GPS device to track the activist’s car, or use the CCTV to monitor the activist’s office. So that's the low technologies that have been used in terms of the surveillance as well. We were dealing with this before we got the notifications from Apple last year. So that changed the ways of the activists, and what we think about surveillance in Thailand.

Justin Hendrix:

I don't want to go into all of the detail here, but in the report you also lay out how a series of legal and policy changes have increased the government's capability to engage in surveillance and has generally negatively impacted freedom of expression. Are there a couple of key things that have happened perhaps at the legislative level or the regulatory level that you think are particularly important to highlight?

Darika Bamrungchok:

Probably for me that I think I will highlight is the Computer Crime Act. I think that is one of the problematic provisions that they already have been using– probably iLaw can add more detail, especially after the coup in 2014. And also I think what we have seen, especially– in the last two or three years– that they are using Computer Crime Act along with the Lèse-majesté, article 112. I think that is probably the key legal framework.

Justin Hendrix:

Great. And in your report I see that the revision to the Computer Crime Act allows state authorities to summon any person to give statements, summon traffic data from service providers, order service providers to submit information on users, duplicate data from any system, decrypt the computer data of any person, seize or attack any computer system for investigations. So really broad authority for the state to essentially surveil individuals that they may deem are working counter to their own interests.

So let's talk a little bit about the victims of the Pegasus infiltration if you will. What can you tell me about these 35 individuals, these activists, and what has been the implication for them? What has happened to them subsequent to the notification that they were under this surveillance?

Ruchapong Chamjirachaikul:

I think, well, some of them panicked when they received the email from Apple, and they posted it on Facebook. This is how we know that this email is real. I think many of us first thought that it's just some scam because you cannot imagine this thing. And then we see that many people got this, so this might be real. But in terms of the level of anxiety that ensued after the knowledge of the Pegasus attack, I think it depends on people. Because many of the activists, I think most of them already faced other intimidation from the state. They have faced some physical intimidation, they have faced judicial harassment, they have faced police following them around.

So I think many of the activists just think that this is just another intimidation by the state. They're not that concerned about it as much as the physical violence that could reach them at any time. But there's also other people who usually will, in the background, they don't show their face to the public and the public doesn't know them. These people tend to be the ones who provide donations to the democratic movement. They panicked because they always thought that the state doesn't know the existence, but then they just prove that the government authorities have a very good intelligence. They know the financial flows, where it's going, where it's coming from, and when they know that they're being attacked by the state sponsor, Pegasus spyware, they just get very anxious about it.

Justin Hendrix:

So tell me this, your report suggests that you've done this forensic review, you've reverse engineered to some extent what happened on these people's devices. And the report does go and list out the individuals, when they were likely infected, what events were occurring in Thailand that were perhaps associated with the timing of the infection. Are you able to definitively ascribe the use of Pegasus to the Thai government? Is that possible to do? I noticed in the report that the Thai government has of course denied that it's used Pegasus.

Ruchapong Chamjirachaikul:

Yeah, I think this is very complicated because it is impossible to say that the government is behind Pegasus definitively because we don't have the documented proof that they have targeted the phones of the victims. But we have contextual evidence that points to the Thai government. So the first one is that we know that the Pegasus is so early to the government clients, so only government agencies could buy this spyware. It's not that if you and me, we hate each other and I just want to have your phone because I want to know your secret, even though I have a billion dollars, I wouldn't be able to buy it because I'm not a government agency.

So the first one is that the government agencies have to be behind this attack. And the second one is that we cannot imagine any other government wanting to attack, spend so much, spend 10 million dollars just to hack a Thai activist. I think there's just no reason that would recruit this. And the third one is that there's a history of the Thai government doing business with the NSO Group, which is the one who manufactured the Pegasus spyware. So I think these two or three reasons just point to the Thai government that they are somehow complacent in this hacking.

Justin Hendrix:

So even despite the specific documentation, the smoking gun, it sounds like both the contextual information you have as well as the Occam's razor assessment of this points very significantly to the Thai government.

Yingcheep, I want to bring you in to speak perhaps about the implications of this for activists, how it's changed their behaviors and the way in which it has affected the opposition.

Yingcheep Atchanont:

I'm actually one of the victims. I'm also one of the people who received an email from Apple and posted it online, and then we started looking for more information on “what is Pegasus?” and then we started working more on this. And then we know a lot. It is also very difficult to change our online behavior before we know that Pegasus exists. We are really aware of our privacy, many of us using things like VPN or 2-Step Verification, whatever tools that exist in the digital security manual. I myself wasn't a good one, but not a bad one. I try to exercise caution, but if I have to do more I think it also creates a lot of burden for me when we work or when we communicate. But what Pegasus taught us is that nothing is private. Everything we do, someone can know, someone can have access to it. Anything.

And after we know that Pegasus is in our phones, during the first month we were anxious. Again the phone is here and then we put it away for sometime when we have to discuss something sensitively or when we stay together and we are talking on some specific issues, we have to say that, "Oh no, don't talk because someone is listening in my phone." Things like this. And what I cannot really change is I cannot take my phone away when I am living in my private life, in my bedroom, I still need it. I still need to play some games or check some emails or watch some video clips before I go to bed. That's difficult. And then I have to live with it. I have to live with awareness that even before my bedtime, even in the toilet, someone is watching. That's how I changed my life to be more aware, but I still have to keep the phone with me.

Justin Hendrix:

Are there others that you know who received that email from Apple who have also had to change their pattern of life or their behaviors? Are there folks who've maybe even been more extreme in their response than you have?

Yingcheep Atchanont:

Yeah, we have heard that many of them changed their phones, but later we know that it doesn't help so much. We know that some of them changed their phone numbers, which helps for a while. Someone keeps changing his numbers, in a couple of months he has to buy a new sim card, which creates a lot of burden for people to contact him to find where he is. That's also annoying. In many meetings, mostly in the activist meetings, we have to keep the phone outside the room, but there will be someone who basically tries to bring the phone in the room. This is confusing and creates a lot of discussion in our community.

Justin Hendrix:

And there are individuals referenced in the report whose phones appear to have been infected more than a dozen times over the span of several months. So it does appear that even once it's been discovered, like a bad infection it continues to come back.

Has there been any communication with NSO itself on the part of activists? I know that you've had multiple NGOs and other groups, Amnesty International for instance, Thai Lawyers for Human Rights, others who have been essentially working on your behalf. Has there been any attempt to go to the source on this?

Ruchapong Chamjirachaikul:

I think I have to say that the NSO has no legal entity in Thailand. They have no official representative in my country. And we also learn that the NSO group often does not do business directly with the clients. They often do business through some intermediaries, which is very hard to track. And from what we learn in the Western countries, the NSO usually denies any allegations, and they'll just say that we have our policies that follow human rights standards. So we do not expect much from them. Yeah, I think we do not expect anything from the NSO Group, but we expect from the government to say something even though we actually got them to say something though, because after we review our report, one of the opposition MPs also talk about this during the parliamentary debate in the no confidence debate. And he accused the government of being behind this Pegasus.

And one of the ministers, the Minister of Digital Economy and Society, he admitted that this technology exists in Thailand, but just not under his authority, just someone else in the government has it. And then the next day, one of the ministers came up and said that it is not the government's policy to use the spyware against the general public, which is confusing and vague because who's general public? Are the activists the general public? So do normal people not-

Yingcheep Atchanont:

Which means they are using it against someone. Not the general public. Actually the spyware cannot be used against the general public. Right?

Ruchapong Chamjirachaikul:

Yeah. And the next day, the same minister who admitted on the first day came up and said, "Oh, I don't mean that. We don't have this spyware." Yeah. So it's confusing, even though the government response is vague, but we are pretty sure that they do not expect this to be reviewed and that's why their response is not clear.

Justin Hendrix:

And has there been any further word from Apple or from any other technology firm? You got that original email, have there been subsequent emails or any effort by the tech firms to help to secure your phones?

Ruchapong Chamjirachaikul:

We have not heard from Apple, right?

Yingcheep Atchanont:

I did try myself a couple of times, but in the threat notification email it said, "Don't reply." We cannot reply to that email. So most certainly, I try to contact the Apple service in Bangkok via the channels that they provide for customers. And I asked someone, the only question, "Is this email true? Can you provide more information on the details of the state sponsored attackers?" And maybe someone who is behind that counter is a bot or something and we haven't received any good response yet.

Even the first question, that is, “is the warning email true?” they cannot answer me anything. So this is the response from Apple so far. But for NSO it doesn't have a counter service for us to contact. If there is money in Bangkok, I would love to walk there myself and ask them to show me something, but we don't know how to contact them. So if they are listening, please give me some channel to contact you to talk to you. I would love to, if NSO provides me some email or channel to discuss more. If NSO knows that you are not doing something wrong to violate my privacy, just provide me some evidence or contact please. I would love to talk to them.

Justin Hendrix:

There's no genius bar for the NSO group it seems like. So I want to get into a part of the conversation about what you hope could be done. It sounds like to some extent, you've learned to alter your behaviors as much as you can without yet giving up on the idea of having smartphones. And so you're very aware that the device could be listening, tracking your movement; I'd love to ask if there are other steps you imagine taking in order to protect your freedom of expression, your freedom of assembly, or is this just the status quo that you imagine living with now for the foreseeable future?

Ruchapong Chamjirachaikul:

So yeah, I think when people heard about this Pegasus spyware many people think about how to protect yourself. Do we need to install this software? Do we need to enable this function in our phones? But the main problem about Pegasus is not a technical problem. The heart of it is a political problem. The Pegasus spyware is just a fraction of what the Thai government is doing to suppress the freedom of expression. Even if we somehow find magical measures to protect us against spyware, there will be something else. They'll find something else to get to us. So what we need to do is we also need to protect ourselves, but if you want to have an actual solution, we have to pass legislation, we have to increase the transparency of the government, we have to increase the public scrutiny on the security authorities which have been given freehand under the military government.

They have operated in secrecy and the public is shielded away from what they're doing. So we have succeeded in a way, because after our revelations, the parliament just cut the budget of the Royal Thai Police who tried to buy another spyware for 10 million dollars. They have been cut in the parliament. But this is just a stop gap. This is not a long lasting solution. Our election is coming at the beginning of next year and I think that would be crucial because if we are able to return to a real democracy in Thailand, it is just a first step out of the fight, and we still need to do something more.

Darika Bamrungchok:

So probably I can add on it. As a digital security trainer, I would like to echo what he's already mentioned, because for the training we have been saying that you have to use a password for the VPN or you have to communicate by using the Signal application, which is end to end encryption. But with Pegasus spyware the big question for the individual activists is what can we do? And then they feel really hopeless and also powerless, as well, when it's come to the level of that specific spyware. But I would like to mention this is just one of the examples I would say, because before the NSO, we know the hacking team based in Italy, that is one of the technology companies that is the support for the authoritarian government.

So that's why I would like to highlight, in terms of the big topic when we talk about unregulated surveillance technologies that give... Before no one cared about the small country Thailand. We are not China, we are not the US, we are not the Israeli government. So what kind of level of technology can the government do? The government does have high tech people or a tech team, they just pay the money and then they can import that kind of technology to use for their targeting of citizens. So that's why I would like to add on for the larger point that was already mentioned. We have to have a collective effort; it is one thing to talk about the national level, but at the same time, because Thailand is the one example of the biggest targeting, we still have another country that has the experience as well.

So I think that I would like to mention in terms of the national level and then how we can regulate civil technology companies or even the commercial ones they target to sell to the government. So I think for now that may be no more NSO after the US government is maybe the blacklist or something, but it's going to be another new company after NSO, after the hacking team anyway. So I think that the big thing is how the international level can discuss and bring this on the table.

And then when we talk about that spyware, we can say that it's a weapon as well or not, this is one of the weapons that we have to regulate or not. I think it's a big thing, that the international community has to discuss that. I'm sure that they are already discussing this topic as well, but I think in terms of the countries in Southeast Asia here or other authoritarian countries, I think that is a big thing because it's not enough to do only our domestic advocacy, because I think this one is really quite a big topic, that we need a global collective effort on this.

Justin Hendrix:

NSO group is a company that operates in a democratic context, in a democracy. Its offices and people are largely enjoying the fruits of the democracies that they live in. What does it feel to be in a country that's struggling for its democracy and to know that essentially these other democratic governments are allowing this company to exist and to engage in these practices?

Darika Bamrungchok:

Yeah, and especially for authoritarian countries, and in Thailand as well, for me when I'm thinking of the technologies like spyware it's not just all authoritarian governments that are using this. Some of even the democratic countries, European countries, we have seen some of the examples using spyware. And then also we know that for the NSO group, that they have a good relationship with the Israeli government which means that the government has to sign off or approve before they sell this spyware for other countries. Which means that in terms of the diplomacy and international relations that is involved on that, and that's why Ruchapong has already mentioned, it's not just about the technical level, but it's also the political landscape and also the international relations.

And then I think that that is a big thing behind, but I think the one thing when we talk about living in an authoritarian country, and that's why it's difficult for us because we cannot ask for accountability, transparency from the government. Although we try so hard in terms of the civil society community, but it seems like we are talking to the wall. We never get back an answer from the government or the state agency. All we do, we try every single thing that we can do. But living in the authoritarian country compared to the democratic society, that accountability and that transparency is a big problem for us.

Ruchapong Chamjirachaikul:

It has been reported that the FBI has it. The agencies of the United States of America who claim that they are the beacon of democracy, have it. But the NSO Group’s software, right now, because of them being blacklisted by the US government is not due to the awareness, somehow the realization of the US government that this is wrong. Rather, this is a great example of the power of civil society and individuals who believe in democracy. If you recall, the first agencies to expose the Pegasus scandals is the media. And then there are civil society groups who investigated, who have been following the NSO Group for years, that broke the news, and this put the pressure on the government, whether it would be democratic authoritarians. This is an example of “we the people” have the power to do something right. If you believe this is wrong, I think democracy is not going to pop out by itself, but we have to build it, we have to keep it, we have to scrutinize it and we have to share it. Because in an authoritarian country like Thailand, we know how precious democracy is and without it we are getting arrested, we are getting harassment.

Justin Hendrix:

There are probably people listening to this who are policymakers in the United States or in Europe. Perhaps an NSO executive may be forced to listen to this podcast to hear what claims are being made about that company. What would you say to them? Maybe I'll give each of the three of you an opportunity to address those two audiences. What would you like policy makers outside of Thailand to do, and what would you say to the NSO group or to the people that are working there and making a decision to do business with your government?

Yingcheep Atchanont:

I just want everyone in the world to acknowledge and be aware that Thailand is not a democratic country. We are living under military rule with a very close relationship with the monarchy and there are a lot of human rights abuses in this country. Regardless of what the law said, they don't really care that the laws, maybe most of them written by the military government, whatever the law said, maybe they don't really care because they are the one who own power. They own power to write laws by themselves and they own power to exercise laws by themselves. And they also take control of all check and balance mechanisms so they can do anything.

It’s not only the Pegasus issue, there are so many other human rights violation issues in the country, including the exercise of Lèse-majesté law, which can punish people for many years in prison for talking or criticizing the monarchy or calling for monarchy reform. And this has been happening in the country for years. Whenever people stood up and tried to fight against the regime, we faced more intimidation. We faced new human rights abuses.

Once we found out that we are facing this Pegasus spyware, and we also think that there are still more that we haven't known yet, there might be something else that the government is using. So please look at this country as being like our neighboring countries, like Burma, Cambodia, Laos, Vietnam, who are facing the same situation, that the authoritarian government is doing whatever that they want to stay in power.

Ruchapong Chamjirachaikul:

So for the foreign government, for the western democracies, I think what I want to say to them is that with the rapid advance of technologies, we have been thrown into some chaotic situations because there's no rules to regulate these technologies and our rules are not keeping up with these technologies. So I think what we are facing right now is that we lack real leadership to tackle this challenge. And so given all political things that are happening right now, anyone who wants to claim that they will be the leader of this new era of the world, they will have to propose, they will have to lead, they will have to come up with some ideas for us, some framework for us to live with these technologies which can be double-edged sword.

We have to get to some memorandums for people to sign to ensure that this technology would be used for the benefit of the mankind; not to suppress people, not to put people into jail, not to monitor, not to know where they're going to sleep this night, where they were last night, or what they're going to eat this dinners. But for the NSO group, I have nothing to say to them just because they don't want to say anything to us.

Justin Hendrix:

Thank you.

Darika Bamrungchok:

Okay, for me I will say this. So the technology changes over time, but the target of the government and the state often stays the same. We don't know what source of the technology in the future we bring, maybe it will be even better than this. But we do know today, taking the example of Thailand and many other authoritarian countries, that the same individual or the group of the people, the human rights organizations that the authoritarians or even the state see as the threat are being targeted again and again. But dealing with the technologies, software or that kind of development of the technology is getting more advanced and more sophisticated over time.

So that's why, if I may say to the international communities like government, and also for the tech companies… I think the tech companies should be one of the key actors for this as well. So that how we can talk in terms of the accountability of the technologies and also we have to highlight in terms of the visit and human rights, especially when we have to regulate private companies and then do not normalize surveillance practices and technology. I think that is a big issue for the international community.

Justin Hendrix:

I want to thank you all for speaking to me today.

Darika Bamrungchok:

Thank you.

Ruchapong Chamjirachaikul:

Thank you.

Yingcheep Atchanont:

Yeah, thank you Justin, for hosting this.

Authors

Justin Hendrix
Justin Hendrix is CEO and Editor of Tech Policy Press, a new nonprofit media venture concerned with the intersection of technology and democracy. Previously, he was Executive Director of NYC Media Lab. He spent over a decade at The Economist in roles including Vice President, Business Development & ...