Censoring and spying–Malaysian Style


In 2 days’ time, the South-East Asian nation of Malaysia will go through its 13th General Election since 1955. Some might look negatively on the number 13, but for the vast majority of Malaysians the coming few days will either raise our hopes or shatter them.

Malaysia has had only 1 party in power since its independence—that’s a long time to be in power, and for the first time since 1955 the ruling party in Malaysia is under threat, not just of losing its 2/3rd majority in Parliament, but the entire elections altogether, and with it control of the Federal Government.

Starting to Censor the Internet

Shortly after the previous general elections, the Government issued a directive to all local ISPs to block access to Malaysia Today, a pro-opposition political blog. This was the first of many instances of the Government censoring the internet, which violated not just common notions of justice and fair play but also broke a promise the government made several years before.

While trying to court foreign investment by Tech companies, the Malaysian Government started the Multimedia Super Corridor (MSC), which was meant to be a technological hub that would attract those much-needed Tech dollars. However, realizing that most investors would be wary of investing in a country that so rigidly controlled its media, particularly if those investors were from the technology sector, the Government sought to assuage those fears by implementing the MSC Bill of Guarantees—which among other things promised that the government wouldn’t censor the internet.

That promise was broken.

Ramping up the Censorship game

In the run-up to the 13th General Elections, though, the ruling party has ramped up its game.

In March 2013, just 2 months before the 13th General Elections, Citizen Lab reported that it had detected FinFisher servers on Malaysian IP addresses. FinFisher is marketed as a powerful tool for accessing the computers of suspected criminals and terrorists. Once it has infected a computer, FinFisher manages to elude anti-virus detection while performing tasks such as stealing passwords, hijacking e-mail accounts, wiretapping Skype calls, and even turning on your computer’s camera and microphone to record conversations.

Local media picked up the story and reported it as the “Malaysian Government was spying on its citizens”. I was quick to dismiss it as coincidence, as the presence of a FinFisher server in a country is hardly proof of such activities by the Government. The local regulators launched an immediate investigation–not into the FinFisher servers but into the local media that reported it–claiming the report was false.

Not your grandmother’s DDOS attack

However, other stories began to circulate, including reports from Malaysiakini, a popular online news portal, that its servers were sustaining massive DDOS attacks. On April 11th, 3 radio web portals that openly criticize the government were also sustaining DDOS attacks, the scale of which reached 40 million hits an hour. In addition to the DDOS attacks, Radio Free Sarawak broadcasts over shortwave radio lost clear transmission after being jammed with noise transmitted on the same shortwave frequency. All attacks were focused primarily on pro-opposition radio and web portals.

Regular DDOS attacks, though, were just the beginning. With less than a week to the elections, a local internet forum posted details accusing Malaysia’s biggest ISP (Telekom Malaysia) of performing deep packet inspection (DPI) on internet traffic. Deep packet inspection involves analysing internet traffic to determine not just the destination of the traffic (e.g. Facebook) but also the data sent to the destination. Basically, the ISP would be able to determine which particular page on Facebook you were visiting or which specific video you were watching on Youtube.

Popular videos on Malaysiakini were being blocked, particularly those implicating current Prime Minister Najib Razak in the death of a Mongolian woman named Altantuya Shaariibuu. Facebook was working fine, but specific Facebook pages such as those of opposition political parties were ‘experiencing difficulties’, and Youtube experienced similar targeted blocks on political videos.

With elections just 5 days away, though, my initial skepticism turned to Gospel-like belief. (Alleluia, I see the light kind of stuff)

FinFisher confirmed. Government spies among us

On the 1st of May 2013, Citizen Lab released a second report on FinFisher, not just highlighting the existence of FinFisher servers in Malaysia, but detailing a malicious document containing the spyware being spread via email to unsuspecting citizens. The document was written in Malay and titled “SENARAI CADANGAN CALON PRU KE-13 MENGIKUT NEGERI”, which loosely translates to the “LIST OF CANDIDATES FOR THE 13th GENERAL ELECTION BY STATE”.

The title of the document clearly exposes the target demographic for infection—the average Malaysian Citizen!! Anyone claiming to be using FinFisher to target criminals or terrorists wouldn’t use such a generically titled document.

While none of this proves that the Malaysian Government is involved, Citizen Lab states that “FinFisher is explicitly only sold to governments we think that it is reasonable to assume that some government actor is responsible”.

The deep packet inspection of internet traffic, coupled with the spying on private citizens, begs the question—what does the Government know? If the Government is able to determine what kind of pages you’re visiting on Facebook and what videos you’re watching on Youtube—let alone turn on your webcam to take a look at your face—couldn’t it quickly guess (quite accurately) who you’d be voting for? Doesn’t the thought of a government knowing who you’ll be voting for even before you vote scare you?

The Government is too powerful

Anonymity is the cornerstone of any democratic election process–and anonymity doesn’t exist in countries where the government is performing Deep Packet Inspection and running spyware. Without anonymity a free and fair election is a wild dream, and without fair elections–what kind of democracy can possibly spring forth?

Companies that market FinFisher-like software claim it’s for the ‘good guys’ to catch the ‘bad guys’, which is why it’s sold exclusively to governments.

What happens though—when the Government IS the bad guy?
