How Myanmar’s military moved in on the telecoms sector to spy on citizens

By Fanny Potkin and Poppy McPherson

SINGAPORE/BANGKOK (Reuters) -In the months before the Myanmar military’s Feb. 1 coup, the country’s telecom and internet service providers were ordered to install intercept spyware that would allow the army to eavesdrop on the communications of citizens, sources with direct knowledge of the plan told Reuters.

The technology gives the military the power to listen in on calls, view text messages and web traffic including emails, and track the locations of users without the assistance of the telecom and internet firms, the sources said.

The directives are part of a sweeping effort by the army to deploy electronic surveillance systems and exert control over the internet with the aim of keeping tabs on political opponents, squashing protests and cutting off channels for any future dissent, they added.

Decision makers at the civilian Ministry of Transport and Communications that delivered the orders were ex-military officials, according to one industry executive with direct knowledge of the plans and another briefed on the matter.

“They presented it as coming from the civilian government, but we knew the army would have control and were told you could not refuse,” the executive with direct knowledge said, adding that officials from the military-controlled Ministry of Home Affairs also sat in on the meetings.

More than a dozen people with knowledge of the intercept spyware used in Myanmar have been interviewed by Reuters. All asked to remain anonymous, citing fear of retribution from the military junta.

Neither representatives for the junta nor representatives for politicians attempting to form a new civilian government responded to Reuters requests for comment.

Budget documents from 2019 and 2020 for the previous government led by Aung San Suu Kyi that were not disclosed publicly contain details of a planned $4 million in purchases of intercept spyware products and parts as well as sophisticated data extraction and phone hacking technology. The documents were provided by activist group Justice for Myanmar and were independently verified by Reuters.

Reuters was not able to establish to what extent senior non-military people in Suu Kyi’s government had been involved in the order to install the intercept.

The idea of a so-called ‘lawful intercept’ was first floated by Myanmar authorities to the telecommunications sector in late 2019 but pressure to install such technology came only in late 2020, several sources said, adding that they were warned not to talk about it.

The intercept plans were flagged publicly by Norway’s Telenor in an annual update on its Myanmar business, which is one of the country’s biggest telecom firms with 18 million customers out of a population of 54 million.

Telenor said in the Dec. 3 briefing and statement posted on its websites that it was concerned about Myanmar authorities’ plans for a lawful intercept able to “directly access each operator and ISP’s systems without case-by-case approval” as Myanmar did not have sufficient laws and regulations to protect customers’ rights to privacy and freedom of expression.

In addition to Telenor, the affected companies include three other telecom firms in Myanmar: MPT, a large state-backed operator, Mytel, a venture between Myanmar’s army and Viettel which is owned by Vietnam’s defense ministry, and Qatar’s Ooredoo. MPT and Mytel are now under the full control of the junta, the sources said. There are about a dozen internet service providers.

Telenor declined to respond to questions from Reuters for this article, citing unspecified security concerns for its employees.

MPT, Mytel and Ooredoo did not respond to requests for comment. Japanese trading house Sumitomo Corp, which together with wireless carrier KDDI Corp announced in 2014 planned investment of $2 billion in MPT, declined to comment. KDDI and Viettel did not respond to requests for comment.

Many governments allow for what are commonly called ‘lawful intercepts’ to be used by law enforcement agencies to catch criminals. But in most democratic countries and even some authoritarian regimes, such technology is not ordinarily employed without any kind of legal process, cybersecurity experts say. The Myanmar military, in contrast, is directly operating invasive telecoms spyware without legal or regulatory safeguards to protect human rights in place, according to industry executives and activists.

Even before the coup, Myanmar’s military wielded outsized influence in the democratically elected civilian government led by Suu Kyi. It had an unelected quota of 25% of parliamentary seats and the constitution gave it control of several key ministries. It also had extensive sway at the communications and other ministries through the appointment of former army officers. That has become total control since the coup.

TRACINGS AND INTERCEPTIONS

According to three sources at firms with knowledge of the surveillance system, not every telecom firm and internet service provider has installed the full intercept spyware. Reuters was not able to establish how broadly it has been installed and deployed.

But military and intelligence agencies are conducting some tracing of SIM cards and interception of calls, two of those sources said. One source said calls being redirected to other numbers and connecting without a dial tone were among the signs of interception.

A legal source with knowledge of cases against people involved in the protests also said there was evidence of monitoring spyware being used to prosecute them. Reuters has not seen any documents supporting the claim.

A senior civil servant who is aiding ousted politicians seeking to form a parallel government also said their group has been warned by people working for the junta but sympathetic to protesters that phone numbers are being traced.

“We have to change SIM cards all the time,” the senior civil servant said.

According to Amnesty International’s Security Lab and three other tech experts, the intercept products outlined in the government budget documents would enable the bulk collection of phone metadata – data on who users call, when they call and for how long – as well as targeted content interception.

CABLES CUT, ACTIVISTS’ PHONES BLOCKED

Among the military’s first actions on Feb. 1 was to direct armed soldiers to break into data centers nationwide at midnight and slash internet cables, according to employees at three firms who showed Reuters photos of severed cables.

At one data center where employees resisted, soldiers held them at gunpoint and also smashed monitors to threaten them, said one source briefed on the matter.

Though the internet was mostly restored with hours, the army began shutting it down nightly. Within days, the army had secretly ordered telecom firms to block the phone numbers of activists, junta opponents and human rights lawyers, providing the firms with lists, according to three industry sources briefed on the matter. Those orders have not been previously reported.

The sources added that operators are required by law to share customer lists with authorities.

The army also directed the blocking of specific websites. Facebook, which was used by half the country and quickly became crucial to protest organizers, was among the first to be banned, followed by news sites and other social media platforms.

When opposition grew in March, the military cut access to mobile data altogether, leaving most in Myanmar without access to the internet.

“Firms have to obey the orders,” one industry source said. “Everyone knows that if you don’t, they can just come in with guns and cut the wires. That’s even more effective than any intercept.”

Telenor and Ooredoo executives who protested were told to stay quiet or the companies would face losing their licenses, four sources said.

THE ARMY’S TIGHTENING GRIP

Under previous juntas that ruled between 1963 and 2011, activists and journalists were routinely wiretapped and smartphones were scarce.

As Myanmar opened up, it became a telecoms success story with a thriving, if nascent, digital economy. Mobile phone penetration, in 2011 the second-lowest in the world after North Korea at 6.9%, soared to stand at 126% in 2020.

The civilian government’s first known move towards nationwide surveillance came in 2018, with the establishment of a social media monitoring system it said was aimed at preventing the influence of foreign forces. It followed that with a biometric SIM card registration drive last year, saying multiple SIM card use was undesirable and a central database was necessary.

Authorities are now seeking still more power over telecommunications.

The communications ministry proposed a new law on Feb. 10 that states internet and telecom firms will be required to keep a broad range of user data for up to three years and remove or block any content deemed to be disrupting “unity, stabilization, and peace”, with possible jail terms for those who don’t comply.

In late April, the junta began ordering telecom operators to unblock certain websites and apps, starting with the apps of local banks, said three people briefed on the development. Microsoft Office, Google’s Gmail, Google Drive and YouTube have also since been unblocked.

Asked about the unblocking, a Microsoft representative said the company had not engaged with officials in Myanmar. Google did not respond to requests for comment.

Industry sources and activists believe these moves are part of an attempt by the junta to establish its version of the internet, akin to what China has done with the “Great Firewall.”

“The military wants to control the internet so it will be a safe zone but only for them,” said one industry executive. “We’ve gone back five years in time.”

(Reporting by Fanny Potkin and Poppy McPherson; Additional reporting by Sam Nussey and Yuka Obayashi in Tokyo; Editing by Jonathan Weber and Edwina Gibbs)