This article was originally published in French in L’express.
On 17 May, 2020, The Internet Society, alongside the IGF Mauritius, submitted a response to the government of Mauritius’ call for input on the proposed amendments to the ICT Act for regulating the use and addressing the abuse and misuse of Social Media in Mauritius. If implemented, these amendments will have serious consequences for all Internet users in Mauritius. Other high-profile organizations, including AccessNow, Mozilla, and Google, also made submissions outlining how the proposal would disproportionately harm Internet security.
Mauritius is known to have a strong and flourishing economy and has always been highly ranked for democracy, economic and political freedom. In the latest Internet freedom report from the Freedom House, Mauritius ranks first in Africa and is considered to be a “free country” with decent scores in political rights and civil liberties. The country might not be a full signatory of Article 19 of the Universal Declaration of Human Rights, but freedom of expression is enshrined in Article 12 of the country’s Constitution.
However, as has been the case for many “democratic” countries, Mauritius is not being spared from increasingly stringent Internet regulations. Past amendments to the ICT Act have made it more difficult for people to express themselves freely and securely online. And it seems that more restrictions are lurking with the Mauritian ICT Authority’s (ICTA) proposed new amendments to surveil social media traffic.
The aim of the proposal is to “regulate or curtail [the] harmful and illegal contents on the Internet,” namely on social media platforms. To achieve this goal, the ICTA proposes establishing a National Digital Ethics Committee whose role would be to identify and flag such content. Furthermore, it proposes that a Technical Enforcement Unit would be set up to operate a surveillance mechanism that will essentially eavesdrop on all social media traffic.
Major websites and social media platforms have implemented secure communication channels (HTTPS) to encrypt the traffic between the end user’s device and the server. No one, not even an Internet Service Provider (ISP), can access the content of the traffic transiting through its network. The technical toolset proposed by the ICTA would decrypt, store, and then re-encrypt web traffic between an end user in Mauritius and the social media platforms by using a proxy server. The latter would act as a middlebox between the end users and the Internet, capturing, archiving, and forwarding all traffic passing through it. In technical terms, this amounts to performing a “machine-in-the-middle (MITM)” attack.
To comply with the ICTA’s proposal, if implemented, all ISPs in Mauritius would need to instruct their users to install a custom certificate which contains a unique but unverifiable key to enable the redirection of the social media communications to the ICTA server. Without this certificate installed, access to selected websites would be denied.
However, anyone with the private key of this certificate will be able to access, read, and potentially edit the encrypted traffic of any Mauritian citizen. This poses a major threat to Internet users in Mauritius as all traffic between a user and social media sites – including login details, passwords, financial transactions, and private messages – would be made accessible, which could be disastrous if accessed by unauthorized individuals. And it is almost impossible to discern social media traffic from other business and personal traffic from the perspective of a network operator.
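A proxy that decrypts and re-encrypts traffic has to present its own certificates, so every intercepted site ends up anchored to the same installed root. The sketch below is an added example, not part of the original article: it compares the anchoring roots a client observes with a baseline recorded on an unfiltered network, and all host names, CA names and thresholds are constructed placeholders.

```python
from collections import defaultdict

# Constructed baseline: root CA anchoring each site's chain when fetched
# from a network with no interception. All names are placeholders.
BASELINE = {
    "social.example": "Public Root A",
    "chat.example": "Public Root A",
    "video.example": "Public Root B",
    "news.example": "Public Root B",
    "bank.example": "Public Root C",
}

# Constructed observations from the client under test: (host, anchoring root).
OBSERVED = [
    ("social.example", "Hypothetical Proxy Root"),
    ("chat.example", "Hypothetical Proxy Root"),
    ("video.example", "Hypothetical Proxy Root"),
    ("news.example", "Public Root D"),   # ordinary CA change by one site
    ("bank.example", "Public Root C"),   # untouched traffic
]


def find_interception_roots(observed, baseline, min_hosts=2, min_replaced_cas=2):
    """Return {root: sorted hosts} for roots that look like an interception CA.

    A site changing its CA alters one host. An interception root instead
    replaces the roots of several unrelated sites, including sites that
    used different public CAs, so both thresholds must be met.
    """
    hosts_by_root = defaultdict(set)
    for host, root in observed:
        expected = baseline.get(host)
        if expected is None or root == expected:
            continue  # no baseline to compare against, or chain unchanged
        hosts_by_root[root].add(host)

    flagged = {}
    for root, hosts in hosts_by_root.items():
        replaced_cas = {baseline[h] for h in hosts}
        if len(hosts) >= min_hosts and len(replaced_cas) >= min_replaced_cas:
            flagged[root] = sorted(hosts)
    return flagged


if __name__ == "__main__":
    for root, hosts in find_interception_roots(OBSERVED, BASELINE).items():
        print(f"{root}: anchors {len(hosts)} sites -> {', '.join(hosts)}")
```

In practice the observed root would come from the chain the client actually receives, and the baseline from a vantage point outside the affected networks.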
Questions should also be raised on the long-term effectiveness of such a scheme. There is the possibility of a boycott by major browsers as has been the case in the past: both Google and Mozilla implemented techniques to reject the self-signed certificate ordered by authoritarian governments. Additionally, criminals can easily make use of technologies, such as VPN and Tor, to circumvent surveillance and will eventually make the proposed mechanism ineffective. Further, the proxy server could itself become a target of “state-sponsored” cyber attacks and the consequences of a data leak could be very damaging.
There is no doubt that we need to address the proliferation of hate speech, fake news, and other forms of illicit online activities, and Mauritius is not the first country to try to do so. However, the proposal made by the ICTA is disproportionate to the risks it introduces with regard to the privacy and security of Internet users in Mauritius. Such measures will not help Mauritius to be portrayed as an attractive business destination at a time when the country is considered as “high-risk” by the EU due to deficiencies in its Anti Money-Laundering and Counter Financing Terrorism (“AML/CFT”) regime. It will also heavily discourage tech companies from setting up offices in Mauritius to benefit from the highly skilled labor force and beneficial tax rules. The outcome would be a major setback to Mauritius’ digital transformation while having very little effect on the perpetrators that the proposal hopes to catch.
If the ICTA’s proposal is implemented, the end result will be an uneven, fragmented and unsafe Internet in Mauritius. There will also be long-lasting consequences to the online safety and privacy of all Internet users in Mauritius as well as to the trust in the country’s ability to uphold the rights of the individual to hold opinions without interference.