Based on the technical information provided in the consultation paper, S. Moonesamy developed a proof of concept and confirms that it is possible to decrypt the login credentials of social media users.
To some of us in the IT industry, S. Moonesamy is a well-known figure. For the sake of clarity, though, I will briefly introduce him in this post.
S. Moonesamy is a recognized member of the DNS community. He has been a Trusted Community Representative (TCR) for the DNSSEC root zone since 2010.
As part of the joint effort to secure the domain name system (DNS) and the Root DNSSEC key management process, a number of persons acting as trusted representatives of the Internet community participate in the root key generation and signing ceremonies. These persons are called Trusted Community Representatives (TCRs).
He is the author of three approved RFCs, Internet standards for the Internet Engineering Task Force (IETF), and has drafted several others, among which my favorite is the draft on traffic peeking.
He currently also serves as the Board Chairman for AFRINIC.
S. Moonesamy published his conclusion on the ICT Authority's consultation paper on 3 May 2021.
Disclaimer: Please note that S. Moonesamy's thoughts are not an endorsement from the organizations he represents.
S. Moonesamy starts his report with an introduction of the consultation paper published by the Information & Communication Technologies Authority of Mauritius.
The report shows a screenshot of a mobile browser displaying a security notification when visiting fb.com, saying that the website may be impersonating www.fb.com to steal financial information.
What is the meaning of the screenshot? It appears to be a proof of concept showing what the browser does when the chain of trust for HTTPS websites is broken: it alerts the user of an impersonation attempt.
He then comments on measures taken by other countries, namely Germany, the United Kingdom (UK), and France, and by the European Union (EU). The EU and the mentioned countries were cited as examples in ICTA's consultation paper.
Commenting on the measures taken in Germany through the Network Enforcement Act (NetzDG), S. Moonesamy refers to a research report by William Echikson and Olivia Knodt of the Counter Extremism Project. In their report, Echikson and Knodt conclude that it remains "uncertain whether NetzDG has achieved significant results in reaching its stated goal of preventing hate speech".
In Mauritius, the ICT Act was amended in 2016, and it became more stringent. Did the amendment help to deter cyber bullying or cyber crime?
S. Moonesamy commented on the United Kingdom's Online Harms White Paper, specifying that content published by newspapers on their websites will be outside the scope of the regulatory framework.
ICTA's consultation paper, on the other hand, does not give enough assurance, despite saying "social media platforms" and specifying in the communiqués that only Facebook will be subject to "filtering". The consultation paper itself refers to Section 18(1)(m) of the ICT Act as the mandate of the authority and the reason behind this proposal to regulate social media. However, Section 18(1)(m) is not limited to "social media platforms"; it mentions the Internet and other information and communication services.
While commenting on how social media related offences are handled in Mauritius, S. Moonesamy referred to Section 46 of the ICT Act and said that in some cases the court relied on the dictionary definition of the word "annoyance" because the Act does not define the word.
The lack of a definition causes uncertainty and puts a common person using social media at a significant risk given that it is difficult for the person to know what is permissible.
He refers to a similar provision in the Information & Communications Act of Kenya, which was struck out by the Kenyan High Court on the grounds that individuals do not know the parameters within which their communication falls.