Mozilla, Google Ask Mauritius Gov't To Abandon Its Plan To Intercept, Decrypt All Social Media Traffic Originating In The Country

from the little-on-the-heavy-handed-side,-Mauritius dept

The government of small African island nation Mauritius seems to want to entirely upset the internet applecart for a number of poorly explained reasons. Its Information & Communications Technologies Authority (ICTA) has bundled together some bad ideas and is presenting these as a cure-all for everything social media related — including “fake news” and the distribution of content considered illegal by the Mauritius government.

As the ICTA’s proposal notes, it’s difficult for the country’s government to persuade social media platforms to take down unlawful content since not a single one of them has an office located in the small island nation. To fix this, the government wants to amend existing law to give the government the ability to take down content without having to ask for help from outsiders.

The solution proposed by the government is truly astounding:

Incoming and outgoing Internet traffic in Mauritius will first need to be segregated, that is, only social media traffic will need to be routed to the technical toolset (proxy server). All social media traffic will be decrypted so that when a complaint regarding social media is received, the following actions can be effected:

a. Blocking of the incriminated social media web page without blocking the whole social media site;

b. Blocking of a fake profile page and determine who created the fake profile (without the need to contact social media administrator);

c. Regarding offensive comments posted, let’s say on a newspaper social media webpage, blocking of its page is not envisaged. In this case, with the technical toolset, it will be possible to determine the originating IP address of the person who posted the offensive comment; and

d. Once decryption is done, copy and send decrypted traffic to the data analysis software with an advanced reporting feature to be able to drill into the decrypted traffic to search specific keywords, comments posted, etc and correlate with originating IP addresses.

That’s right. The government wants to be able to decrypt all web traffic so it can perform takedowns on its own, without the assistance of the platforms carrying it. As if that wasn’t bizarre enough, the government also believes it can then re-encrypt the intercepted content and allow it to continue to its social media destination if it passes inspection.

Another important feature of the technical toolset is the need to re-encrypt the decrypted social media data with the self-signed digital certificate of the proxy server before reaching out to or originating from the social media servers. This is a one-off operation to be done by each user from Mauritius trying to access social media websites for the first time via the proxy server. The envisaged operational scenario is that the social media end user from Mauritius should be prompted for the automatic installation of this self-signed certificate on his workstation/device when he will try to access the social media website for the first time via the proxy server. He will also be informed in the prompt that it is only after having successfully installed the self-signed certificate of the proxy server on his workstation/smart phone, that he will be able to access his chosen social media platform.

Pretty much straight-up insanity. The only way to achieve this would be to subject everyone (and every site) to bulk removal of protections most people (and sites) use to protect themselves and their users.

That’s why Mozilla and Google have taken advantage of the commenting period to tell the government of Mauritius just how terrible and harmful this proposal is.

In their current form, these measures will place the privacy and security of internet users in Mauritius at grave risk. The blunt and disproportionate action will allow the government to decrypt, read and store anything a user types or posts on the internet, including intercepting their account information, passwords and private messages. While doing little to address the legitimate concerns of content moderation in local languages, it will undermine the trust of the fundamental security infrastructure that currently serves as the basis for the security of at least 80% of websites on the web that use HTTPS, including those that carry out e-commerce and other critical financial transactions.

Mozilla and Google suggest literally anything else as an alternative to this approach. First and foremost, request cooperation from other governments and their law enforcement agencies if there’s truly illegal content that needs to be removed and social media companies aren’t getting it done. Or better yet, work directly with the companies the government feels aren’t responsive enough and see if they can address these concerns. Stripping everyone in Mauritius of the protection of encryption (and promising the government will just slap some encryption on communications and content once its done looking at them) isn’t the answer.

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Mozilla, Google Ask Mauritius Gov't To Abandon Its Plan To Intercept, Decrypt All Social Media Traffic Originating In The Country”

Subscribe: RSS Leave a comment
14 Comments
This comment has been deemed insightful by the community.
That One Guy (profile) says:

'If you're not stupid you're malicious, so... please be stupid?'

I’m honestly not sure which is a more disturbing explanation for this, whether they really are that stupid that they think that such a plan is at all viable and not going to cause immense harm or if they’re just using this as an excuse for getting rid of encryption because much like a number of other governments they don’t like the idea that any communications might be outside their reach.

Whatever the case this is a really bad idea and hopefully they’ll face enough backlash to back down from it.

Anonymous Coward says:

yet again, what has been used to bribe another government, another country to take these steps? i dont believe for a second that these are precautions against terrorism or protecting the children! it’s all about whatever lies and bullshit the USA entertainment industries and USA govt can put out under threat of something or other!

Anonymous Coward says:

Re: Re:

While technically possible, it’s still insane in many regards:

  • technically, because it undermines the security of the application protocol
  • politically, because it tramples on the confidentiality of communication and seeks to do suspicionless surveillance
  • culturally, because the government wants to eradicate speech that they don’t like
Anonymous Coward says:

Re: Re:

Incoming and outgoing Internet traffic in Mauritius will first need to be segregated, that is, only social media traffic will need to be routed to the technical toolset (proxy server). All social media traffic will be decrypted

a. Blocking of the incriminated social media web page without blocking the whole social media site;

b. Blocking of a fake profile page and determine who created the fake profile (without the need to contact social media administrator);

c. Regarding offensive comments posted, let’s say on a newspaper social media webpage, blocking of its page is not envisaged. In this case, with the technical toolset, it will be possible to determine the originating IP address of the person who posted the offensive comment; and

d. Once decryption is done, copy and send decrypted traffic to the data analysis software with an advanced reporting feature to be able to drill into the decrypted traffic to search specific keywords, comments posted, etc and correlate with originating IP addresses.

Another important feature of the technical toolset is the need to re-encrypt the decrypted social media data with the self-signed digital certificate of the proxy server before reaching out to or originating from the social media servers.

This is literally what things like Lightspeed filters in various US school districts do to all web traffic. Just replace the words social media with web site, and Mauritius with US and you’re golden.

I’m not sure how it works for adding certificates to a mobile device…

I’d imagine they could use the various Device Administrator / MDM functions on Apple and Android devices. Works better under Apple devices though, as with Android devices the web browser needs to trust the system’s cert store and any user configured certificates. One of Android’s newer features allows apps to opt-in to trusting the system certificate storage and any user-configured certs. Firefox for Android is a web browser that doesn’t opt-in, and for those even more paranoid, doesn’t really let you change the built-in store at all due to a long standing bug. Just an FYI for those wanting security over government intrusion.

sumgai (profile) says:

I see a lot of wee-wee’ing going on here, but I’d prefer one or more proposed solutions. My suggestions:

In the vein I usually mine, I look for the loopholes and such. First option: Don’t send any traffic to the island. They aren’t any kind of sizable player in the planet’s overall traffic schema, so set every switch (non-nerds should think "big boy routers" here) to avoid sending any and all traffic to Mauritius. The answer to their outrage: "Oops, sorry Mr. Gubbermint Man, but it’s damnably difficult to separate out your government communications from those of the ordinary citizens of your country. We just figured that if you want them to be cut off, you meant for us to cut of the whole country!"

Next option: Flood the country’s incoming servers. Literally, DDOS them with absolutely everything that comes on to the wire (I mean, the entire internet), no matter what the protocol or where it originated. I’ll lay long odds that they won’t last an hour before they wave the white flag.

And finally, my personal favorite: open up every communication inward bound to M., and insert the goatse image… you know what I mean. That should show them what the rest of the world thinks of them, no?

Anonymous Coward says:

It’s a small country google could block it and simply refuse to Cooperate and ignore it, social media company’s have moderators and methods to block or remove content
It seems to work for the rest of the world
Give in to this and other Counyrys will follow
Banks and finance company’s rely on enctryption to protect their customers data
This request should be not be even considered

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...