Mozilla, Google Ask Mauritius Gov't To Abandon Its Plan To Intercept, Decrypt All Social Media Traffic Originating In The Country

from the little-on-the-heavy-handed-side,-Mauritius dept

The government of small African island nation Mauritius seems to want to entirely upset the internet applecart for a number of poorly explained reasons. Its Information & Communications Technologies Authority (ICTA) has bundled together some bad ideas and is presenting these as a cure-all for everything social media related -- including "fake news" and the distribution of content considered illegal by the Mauritius government.

As the ICTA's proposal notes, it's difficult for the country's government to persuade social media platforms to take down unlawful content since not a single one of them has an office located in the small island nation. To fix this, the government wants to amend existing law to give the government the ability to take down content without having to ask for help from outsiders.

The solution proposed by the government is truly astounding:

Incoming and outgoing Internet traffic in Mauritius will first need to be segregated, that is, only social media traffic will need to be routed to the technical toolset (proxy server). All social media traffic will be decrypted so that when a complaint regarding social media is received, the following actions can be effected:

a. Blocking of the incriminated social media web page without blocking the whole social media site;

b. Blocking of a fake profile page and determine who created the fake profile (without the need to contact social media administrator);

c. Regarding offensive comments posted, let’s say on a newspaper social media webpage, blocking of its page is not envisaged. In this case, with the technical toolset, it will be possible to determine the originating IP address of the person who posted the offensive comment; and

d. Once decryption is done, copy and send decrypted traffic to the data analysis software with an advanced reporting feature to be able to drill into the decrypted traffic to search specific keywords, comments posted, etc and correlate with originating IP addresses.

That's right. The government wants to be able to decrypt all web traffic so it can perform takedowns on its own, without the assistance of the platforms carrying it. As if that wasn't bizarre enough, the government also believes it can then re-encrypt the intercepted content and allow it to continue to its social media destination if it passes inspection.

Another important feature of the technical toolset is the need to re-encrypt the decrypted social media data with the self-signed digital certificate of the proxy server before reaching out to or originating from the social media servers. This is a one-off operation to be done by each user from Mauritius trying to access social media websites for the first time via the proxy server. The envisaged operational scenario is that the social media end user from Mauritius should be prompted for the automatic installation of this self-signed certificate on his workstation/device when he will try to access the social media website for the first time via the proxy server. He will also be informed in the prompt that it is only after having successfully installed the self-signed certificate of the proxy server on his workstation/smart phone, that he will be able to access his chosen social media platform.

Pretty much straight-up insanity. The only way to achieve this would be to subject everyone (and every site) to bulk removal of protections most people (and sites) use to protect themselves and their users.

That's why Mozilla and Google have taken advantage of the commenting period to tell the government of Mauritius just how terrible and harmful this proposal is.

In their current form, these measures will place the privacy and security of internet users in Mauritius at grave risk. The blunt and disproportionate action will allow the government to decrypt, read and store anything a user types or posts on the internet, including intercepting their account information, passwords and private messages. While doing little to address the legitimate concerns of content moderation in local languages, it will undermine the trust of the fundamental security infrastructure that currently serves as the basis for the security of at least 80% of websites on the web that use HTTPS, including those that carry out e-commerce and other critical financial transactions.

Mozilla and Google suggest literally anything else as an alternative to this approach. First and foremost, request cooperation from other governments and their law enforcement agencies if there's truly illegal content that needs to be removed and social media companies aren't getting it done. Or better yet, work directly with the companies the government feels aren't responsive enough and see if they can address these concerns. Stripping everyone in Mauritius of the protection of encryption (and promising the government will just slap some encryption on communications and content once its done looking at them) isn't the answer.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: censorship, encryption, interception, mauritius, social media, takedowns


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    That One Guy (profile), 19 May 2021 @ 4:01am

    'If you're not stupid you're malicious, so... please be stupid?'

    I'm honestly not sure which is a more disturbing explanation for this, whether they really are that stupid that they think that such a plan is at all viable and not going to cause immense harm or if they're just using this as an excuse for getting rid of encryption because much like a number of other governments they don't like the idea that any communications might be outside their reach.

    Whatever the case this is a really bad idea and hopefully they'll face enough backlash to back down from it.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 May 2021 @ 4:34am

    yet again, what has been used to bribe another government, another country to take these steps? i dont believe for a second that these are precautions against terrorism or protecting the children! it's all about whatever lies and bullshit the USA entertainment industries and USA govt can put out under threat of something or other!

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 May 2021 @ 8:17am

      Re:

      While technically possible, it's still insane in many regards:

      • technically, because it undermines the security of the application protocol
      • politically, because it tramples on the confidentiality of communication and seeks to do suspicionless surveillance
      • culturally, because the government wants to eradicate speech that they don't like

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 May 2021 @ 5:57am

    ZScaler has a platform for this...(https://help.zscaler.com/zia/about-ssl-inspection), so this isn't as 'insane' technically as it sounds; at least for desktop computers. I'm not sure how it works for adding certificates to a mobile device...

    Regardless, this is massive overreach by the government...

    reply to this | link to this | view in chronology ]

    • icon
      Scary Devil Monastery (profile), 20 May 2021 @ 2:57am

      Re:

      That's my take here as well. Lobbying to ensure a small national government will be retaining an expensive suite of services for many years to come? Sounds like a win for the market.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 May 2021 @ 4:04pm

      Re:

      Incoming and outgoing Internet traffic in Mauritius will first need to be segregated, that is, only social media traffic will need to be routed to the technical toolset (proxy server). All social media traffic will be decrypted

      a. Blocking of the incriminated social media web page without blocking the whole social media site;

      b. Blocking of a fake profile page and determine who created the fake profile (without the need to contact social media administrator);

      c. Regarding offensive comments posted, let’s say on a newspaper social media webpage, blocking of its page is not envisaged. In this case, with the technical toolset, it will be possible to determine the originating IP address of the person who posted the offensive comment; and

      d. Once decryption is done, copy and send decrypted traffic to the data analysis software with an advanced reporting feature to be able to drill into the decrypted traffic to search specific keywords, comments posted, etc and correlate with originating IP addresses.

      Another important feature of the technical toolset is the need to re-encrypt the decrypted social media data with the self-signed digital certificate of the proxy server before reaching out to or originating from the social media servers.

      This is literally what things like Lightspeed filters in various US school districts do to all web traffic. Just replace the words social media with web site, and Mauritius with US and you're golden.

      I'm not sure how it works for adding certificates to a mobile device...

      I'd imagine they could use the various Device Administrator / MDM functions on Apple and Android devices. Works better under Apple devices though, as with Android devices the web browser needs to trust the system's cert store and any user configured certificates. One of Android's newer features allows apps to opt-in to trusting the system certificate storage and any user-configured certs. Firefox for Android is a web browser that doesn't opt-in, and for those even more paranoid, doesn't really let you change the built-in store at all due to a long standing bug. Just an FYI for those wanting security over government intrusion.

      reply to this | link to this | view in chronology ]

  • icon
    sumgai (profile), 19 May 2021 @ 10:06am

    I see a lot of wee-wee'ing going on here, but I'd prefer one or more proposed solutions. My suggestions:

    In the vein I usually mine, I look for the loopholes and such. First option: Don't send any traffic to the island. They aren't any kind of sizable player in the planet's overall traffic schema, so set every switch (non-nerds should think "big boy routers" here) to avoid sending any and all traffic to Mauritius. The answer to their outrage: "Oops, sorry Mr. Gubbermint Man, but it's damnably difficult to separate out your government communications from those of the ordinary citizens of your country. We just figured that if you want them to be cut off, you meant for us to cut of the whole country!"

    Next option: Flood the country's incoming servers. Literally, DDOS them with absolutely everything that comes on to the wire (I mean, the entire internet), no matter what the protocol or where it originated. I'll lay long odds that they won't last an hour before they wave the white flag.

    And finally, my personal favorite: open up every communication inward bound to M., and insert the goatse image... you know what I mean. That should show them what the rest of the world thinks of them, no?

    reply to this | link to this | view in chronology ]

  • identicon
    Bobvious, 19 May 2021 @ 2:19pm

    cut off, .... the whole country!

    Ah. You mean Mauritius Compliance!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 May 2021 @ 6:33pm

    It's a small country google could block it and simply refuse to Cooperate and ignore it, social media company's have moderators and methods to block or remove content
    It seems to work for the rest of the world
    Give in to this and other Counyrys will follow
    Banks and finance company's rely on enctryption to protect their customers data
    This request should be not be even considered

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 May 2021 @ 5:33am

    There is a US navy base on Diego Garcia.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.