Mozilla, Google Ask Mauritius Gov't To Abandon Its Plan To Intercept, Decrypt All Social Media Traffic Originating In The Country
from the little-on-the-heavy-handed-side,-Mauritius dept
The government of the small African island nation of Mauritius seems to want to entirely upset the internet applecart for a number of poorly explained reasons. Its Information & Communications Technologies Authority (ICTA) has bundled together some bad ideas and is presenting these as a cure-all for everything social media-related, including “fake news” and the distribution of content considered illegal by the Mauritius government.
As the ICTA’s proposal notes, it’s difficult for the country’s government to persuade social media platforms to take down unlawful content since not a single one of them has an office located in the small island nation. To fix this, the government wants to amend existing law to give the government the ability to take down content without having to ask for help from outsiders.
The solution proposed by the government is truly astounding:
Incoming and outgoing Internet traffic in Mauritius will first need to be segregated, that is, only social media traffic will need to be routed to the technical toolset (proxy server). All social media traffic will be decrypted so that when a complaint regarding social media is received, the following actions can be effected:
a. Blocking of the incriminated social media web page without blocking the whole social media site;
b. Blocking of a fake profile page and determine who created the fake profile (without the need to contact social media administrator);
c. Regarding offensive comments posted, let’s say on a newspaper social media webpage, blocking of its page is not envisaged. In this case, with the technical toolset, it will be possible to determine the originating IP address of the person who posted the offensive comment; and
d. Once decryption is done, copy and send decrypted traffic to the data analysis software with an advanced reporting feature to be able to drill into the decrypted traffic to search specific keywords, comments posted, etc and correlate with originating IP addresses.
That’s right. The government wants to be able to decrypt all web traffic so it can perform takedowns on its own, without the assistance of the platforms carrying it. As if that wasn’t bizarre enough, the government also believes it can then re-encrypt the intercepted content and allow it to continue to its social media destination if it passes inspection.
Another important feature of the technical toolset is the need to re-encrypt the decrypted social media data with the self-signed digital certificate of the proxy server before reaching out to or originating from the social media servers. This is a one-off operation to be done by each user from Mauritius trying to access social media websites for the first time via the proxy server. The envisaged operational scenario is that the social media end user from Mauritius should be prompted for the automatic installation of this self-signed certificate on his workstation/device when he will try to access the social media website for the first time via the proxy server. He will also be informed in the prompt that it is only after having successfully installed the self-signed certificate of the proxy server on his workstation/smart phone, that he will be able to access his chosen social media platform.
Pretty much straight-up insanity. The only way to achieve this would be to subject everyone (and every site) to bulk removal of protections most people (and sites) use to protect themselves and their users.
That’s why Mozilla and Google have taken advantage of the commenting period to tell the government of Mauritius just how terrible and harmful this proposal is.
In their current form, these measures will place the privacy and security of internet users in Mauritius at grave risk. The blunt and disproportionate action will allow the government to decrypt, read and store anything a user types or posts on the internet, including intercepting their account information, passwords and private messages. While doing little to address the legitimate concerns of content moderation in local languages, it will undermine the trust of the fundamental security infrastructure that currently serves as the basis for the security of at least 80% of websites on the web that use HTTPS, including those that carry out e-commerce and other critical financial transactions.
Mozilla and Google suggest literally anything else as an alternative to this approach. First and foremost, request cooperation from other governments and their law enforcement agencies if there’s truly illegal content that needs to be removed and social media companies aren’t getting it done. Or better yet, work directly with the companies the government feels aren’t responsive enough and see if they can address these concerns. Stripping everyone in Mauritius of the protection of encryption (and promising the government will just slap some encryption on communications and content once it’s done looking at them) isn’t the answer.