Analysis on Digital Restrictions Including VPN Bans
Since the February 2021 coup, the coup leader State Administration Council (SAC) has been frequently and increasingly employing communication restrictions such as internet and mobile shutdowns and censorship of major social media websites. In their censorship efforts, blocking the use of Facebook, the primary social media platform in Myanmar, has been one of the junta’s purpose. Facebook-as-an-internet users and business owners have been resorting to the use of Virtual Private Networks (VPN) to continue accessing the platform. Facebook has been the primary social media platform in terms of civic engagement and sharing of news and information. And the SAC has been consistently trying to block the use of Facebook along with circumvention methods.
The following article is discussed in 3 parts: first we discuss about the motivations behind escalating censorship methods, followed by our cautionary suggestions as provided by the Justice for Myanmar (JFM)’s report upon the use of Chinese Surveillance Technology and frameworks and ending with the tips and recommendations for users for mitigation of risks imposed by the developing threat landscape (as well as VPN recommendations).
1. Exploring the Motivations Behind the Junta’s Censorship
In this part we explore the Junta’s internet censorship, blockage and persecution of VPN usage, the effects of VPN blockage and the motivations as the first part of this article.
(1.1) Why Block the VPN Access?
The use of VPN (Virtual Private Networks) has been blocked by the Junta starting the 2024 May 30. Myanmar internet users have been relying on the use of VPNs to bypass internet censorship and mitigate against the junta’s surveillance. Facebook, Instagram, Wikipedia, X (formerly Twitter) and independent media outlets and other multiple websites and services starting from February 2021.
Although the Junta has been continuously trying to enforce censorship on the net, we access this as a significant escalation of censorship methods by blocking the use of VPN’s which has been a critical privacy enhancement tool for Myanmar Internet Users. Khit Thit Media reported the Junta’s use of Firewall technology to block use of VPN’s as well as implementing partners in the Junta’s surveillance and censorship methods along with the implication of China’s involvement in the Junta’s iron rule on the digital space.
Justice For Myanmar’s The Myanmar junta’s partners in digital surveillance and censorship revealed more in depth capability of the Junta.
The situation indicates Junta’s strategy to fully control the digital space along with the surveillance and persecution of internet users in Myanmar.
(1.2) VPN Blocking and Its Impact on Security
Virtual Private Networks creates an encrypted tunnel between the user and the VPN’s servers to provide privacy and security for users. These encrypted tunnels rely on different VPN protocols to secure transmit data packets and some VPN providers rely on protocols with strong encryption. Use of VPN masks the user’s IP address by routing through VPN’s servers - anonymizing the user and user’s internet usage against websites and service providers.
SAC has been blocking not only the use but also the VPN providers’ websites, barring access to download the circumvention applications and programs. Using VPNs (Virtual Private Networks) masks your personal IP address by replacing it with the VPN server's IP address. This ensures that the websites you visit cannot identify your true identity or determine which country you are accessing them from.
The military regime has gone so far as to block access to websites that allow users to download and install VPNs (Virtual Private Networks) on their phones or computers. For users, finding and downloading a functioning reliable VPN has become more and more challenging. Additionally, relying on free VPNs often pose additional risks, such as data collection and weak encryption protocols, which fail to adequately secure internet traffic. As a result, users may encounter various unwanted online threats while attempting to circumvent such restrictions.
(1.3) What It Means for a Layperson
The safest option is to completely uninstall VPN apps, whether through the app itself or the device settings. Simply hiding the app is not enough to ensure security. Users are reminded again that concealing VPNs does not provide true protection.
2. China’s Involvement and Impact on Users
Reports have surfaced regarding the Myanmar military's purchase and use of surveillance and control technologies from China, which infringe upon press freedom, digital freedom, and free expression. Based on these findings, a detailed analysis is provided on the potential harm to the public and the broader implications of this technology.
(2.1) Analysis of Leaked Information
According to a report released by Justice For Myanmar on June 20, 2024, the military council has acquired and begun deploying high-powered surveillance and control technologies developed in China as of late May. Leaked project documents reveal the implementation of systems such as “Tiangou Secure Gateway” and “Cyber Narrator”.
Cyber Narrator is a system capable of continuously monitoring and analyzing network traffic while generating comprehensive reports. It analyses the network and collects information about the Domain Name System (DNS). By storing DNS records, it can identify websites visited and services accessed on the internet. These DNS records often include the IP addresses of the devices or routers used, making it possible to determine the user’s identity and location. Additionally, Cyber Narrator can monitor and log routes traversed through the Border Gateway Protocol (BGP). The BGP is a system used on the internet to identify the best and fastest routes between Anonymous Services (ASes). Cyber Narrator tracks these BGP routes, logs them, and provides visualized and analyzed data.
Through its capabilities, Cyber Narrator can monitor the paths of internet users, identify their routes, and even block certain pathways to restrict access as needed.
Additionally, OTT (Over the Top) services, which are popular internet-based applications, can be categorized and managed. OTT services include applications that operate over the internet, and they list services frequently accessed by users. This approach can be understood as a method used to block increasingly popular VPNs. Cyber Narrator also includes a feature called Network Entity Profiling, which collects and analyzes various data points such as the domain names visited by internet users, online interactions, applications used, IP addresses, user behavior, connections, and usage times. This technology can : Group and categorize internet users, Map the connections of a group, Identify user names, and more.
TSG (Tiangou Secure Gateway) incorporates a system known as DPI (Deep Packet Inspection) for in-depth monitoring. Using a Next Generation Firewall, TSG can allow or block over a thousand applications as needed. This capability enables the restriction of access to specific websites within the country.By monitoring network traffic routes and using DPI, TSG can intercept and analyze emails, messages, and other data transmitted through these routes. It can decrypt and inspect protected encryption systems. In situations where decryption is challenging, TSG can collect metadata from transmitted files, such as file sizes, transmission times, and the IP addresses of senders and recipients.
(2.2) Ground-Level/Daily Risks
The use of VPNs carries risks in ground-level situations, such as investigations or guest list inspections, which are justified under the unofficial draft Cyber Law. On the ground, young people are being targeted, and phones are being searched for VPNs, regardless of whether they are installed or not, often leading to arrests. Although the military council denies these actions, it is evident that phones with VPNs are being exploited for extortion and intimidation.
Even without a legally defined framework, searching phones for VPNs often escalates into further investigations of chat apps, galleries, recycle bins, and other data stored on the device. In such cases, it is essential to approach the hiding of sensitive VPNs or applications with caution, as inspections now also include hidden apps, gallery “hidden folders,” and recycle bins. Reports indicate that these inspections uncover hidden apps and stored data, prompting individuals at high risk to take precautions and prepare appropriately before going out. It is strongly advised to uninstall sensitive apps and data, particularly for individuals who may be at risk. For those in such vulnerable positions, simply hiding apps or sensitive chat data is insufficient; careful preparation is required to avoid unnecessary exposure. Additionally, planning your security measures based on personal risk levels is vital.
When preparing security measures, tools like password managers can be helpful. Additionally, using backup phones that are free from the risk of surveillance by the military council can also provide a simple yet effective security strategy. This allows for secure management without the need for daily attention. For such "risk-free phones," creating and using decoy accounts with harmless data can further enhance security and provide greater peace of mind.
Ultimately, sensitive apps and data that could expose movements should be stored at a safe distance during high-risk situations. Simply hiding information is not enough; individuals should question whether their current security measures are genuinely effective.
Additionally, nighttime inspections, home visits, and searches of devices can occur without prior warning, necessitating constant preparedness. Keeping spare phones and clearing data from daily-use computers is crucial. Moreover, in emergency situations, it’s essential to have a plan to quickly delete sensitive data and apps to minimize risks.
(2.3) Alternative Social Networks
Given the current situation, some online business operators and artists are shifting towards apps that do not require VPNs. Meanwhile, alternative social networks have also been introduced. However, these apps raise concerns regarding data collection and the permissions they request, which pose potential security risks.
Social networks rely on active users, and platforms without a user base are essentially empty shells. Therefore, the public should collectively boycott such apps. To avoid losing access to information and to ensure the flow of communication, it is recommended to continue using reliable VPNs to monitor Facebook and other primary social media platforms.
3.What You Need to Know About VPNs in Myanmar
The third section will detail the difficulties users are facing with VPNs due to the military council's oppression and explore possible solutions.
(3.1) What Kind of VPNs Can Be Used Safely and Reliably?
It is advisable to use VPNs developed by reputable companies and organizations. For instance, Psiphon is an independent organization specifically dedicated to providing VPN services. Similarly, Avira produces VPNs alongside other security products. If you decide to use a particular VPN, you should visit the provider’s official website to research its background thoroughly. Additionally, when downloading from platforms like Google Playstore or Apple Appstore, it’s important to examine whether the developers exclusively produce VPNs or if they also offer unrelated products such as sports betting or non-security-related items. It is also essential to verify whether the service is entirely free, as free services can pose potential risks. Careful examination and scrutiny are necessary, and extra caution should be exercised when using free services.
(3.2) What Should You Look for in a VPN?
When using a VPN, all your connections are managed by the VPN provider you choose. Therefore, trust in the VPN company you use is of utmost importance.
(3.3) Are Free VPNs reliable?
The services provided by free VPNs do not offer complete security. Some free VPNs collect and sell user data. Others may appear to provide legitimate services but instead collect and monitor user information. This is often referred to as a "Honey Pot" in the tech world, a deceptive trap that lures users and exploits their devices for malicious purposes.
While VPNs are used to protect IP addresses, some free VPNs may fail to hide your original IP address effectively. As a result, free VPNs are generally considered less reliable in terms of security and protecting personal information. Additionally, the encryption protocols used by free VPNs are often weak and lack robustness, making them less secure.
(3.4) What Kind of VPN Should Be Used?
It can be a bit challenging to give a precise answer to which VPN should be used. This is because factors like an individual user's technical and financial accessibility can influence which VPNs they are able to use. As a result, there may be limitations when recommending specific VPNs.
However, when selecting a VPN, it's important not to simply use any VPN you come across online, as this could lead to security risks rather than providing protection. Instead, I recommend considering the following basic points:
VPNs with strong encryption protocols such as "OpenVPN," "IKEv2," or "Wireguard" are suitable for users.
A good VPN should also have a "No-logs Policy," meaning it doesn’t record users’ data in the background.
Another consideration is the location of the VPN service provider’s headquarters. Companies are subject to the laws of the country they are based in. If a provider is located in a country with strict data monitoring laws, it could be a cause for concern.
VPNs equipped with a "Kill Switch" feature, which prevents data leaks in the event of a connection drop, offer a higher level of security.
Should also consider the transparency of the VPN provider regarding their policies and operations. VPNs endorsed by independent and reliable research organizations are more trustworthy.
Another feature to consider is "Stealth/Obfuscation Functionality." This ensures that the data being transmitted looks like normal traffic to a popular website, making it harder for network analysis and monitoring to detect VPN usage. This functionality helps conceal the fact that a VPN is being used.
When choosing a VPN, you should take these factors into account. The more a VPN aligns with these criteria, the safer it will be for users.
(3.5) Can All VPNs Be Blocked?
The current actions of the military council make it evident that there is an ongoing effort to block VPNs. However, there are still functional VPNs available. Even in China, which is known for its "Great Firewall," there are VPNs that users can still access. Regardless of the circumstances, it is believed that censorship can always be bypassed using VPNs or similar technologies. The reliability and security of these accessible VPNs remain a topic for further consideration.
(3.6) Is It Safe to Use a VPN? What About Not Using One?
Using VPNs that operate with secure protocols can provide safety. However, there is a need to consider whether the VPN provider will share data with the military council or if internet traffic is being shared with the VPN company itself. If insecure VPNs are used, the data could be exploited for the company’s benefit.
On the other hand, if a VPN is not used, all online activities and internet traffic will pass through the "Firewall system" and be directly accessible to the military council. In such cases, choosing whom to entrust with your data becomes the main decision.
Additionally, it's important to note that even without using a VPN and relying solely on regular phone calls and SMS, these communication methods do not include any security measures. Reports from late 2021 revealed the implementation of "keyword recognition" systems that automatically detect and record sensitive words or phrases in text messages and conversations.
(3.7) The Implications and Considerations of DPI (Deep Packet Inspection)
DPI (Deep Packet Inspection) is a technology that allows inspection of data, known as "payload," within network packets. In regular internet usage, websites are accessed securely using SSL (Secure Socket Layer) and TLS (Transport Layer Security) certificates, which provide security between the user and the website or service. This is referred to as "client-to-server encryption." Popular platforms like Facebook, Gmail, and Telegram operate using such encryption. However, DPI can potentially decrypt and monitor data transmitted through these encrypted communication services, websites, emails, and online platforms.Services such as ProtonMail and Signal, which support end-to-end encryption (E2EE), can offer protection against inspection systems like Deep Packet Inspection. E2EE ensures security from one endpoint to another, making data inaccessible to intermediate parties.
TSG's DPI, as described on their website, claims to have the capability to bypass SSL/TLS encryption, allowing it to inspect, analyze, and scrutinize payload (data) thoroughly. This enables the monitoring of users' internet activities and detailed online behavior. For instance, it can detect if a user is accessing a blocked website through a VPN connection.
Although DPI is commonly used in commercial-grade network systems, technologies like TSG, developed for government use, present challenges in obtaining detailed information due to limited access for testing and analysis. This makes it difficult to provide precise conclusions about its full capabilities.
Other Considerations
Currently, there are personal solutions for using VPNs, whether free or paid. It’s important to pay attention to these. For example, using solutions like private servers such as “V2ray/V2box” or protocols like “zero trust” requires caution. In such protocols, the “log policy” is entirely dependent on the server administrator’s preferences, meaning your internet usage could potentially be monitored by the server owner.
Another challenge is the difficulty with payment. Currently, Myanmar’s local Visa cards face issues when purchasing foreign services. As a result, people rely on resellers on the internet to make such purchases. This creates not only security concerns but also the risk of being scammed. Purchasing premium VPN services independently is not feasible for everyone.
Digital Security Clinic
Just as people visit clinics for medical treatment when they are unwell, a "Digital Security Clinic" has been established to support the public facing digital oppression. This clinic addresses digital security issues, providing remedies for the mental and physical impacts of digital repression. It aims to treat digital security vulnerabilities and distress caused by such repression.
Due to the ongoing need for assistance among those affected by digital repression, the clinic operates 24/7, offering free consultations and solutions provided by experts. It is designed to ensure security and confidentiality.
For immediate assistance,
the clinic encourages contacting their Telegram account at
The "Digital Security Clinic" provides consultations on digital security matters, including VPN-related issues. Journalists and those working in the media can also utilize the clinic’s services to address digital security concerns and to seek advice relevant to their profession. Additionally, the clinic offers tailored support and answers to queries necessary for safe and secure operations.
Comments