Internet Shutdowns in Thailand: Technical Methods and Historical Pattern

Thailand has deployed internet restrictions at least seven documented times since 2010, typically in response to political events or national examinations. Unlike wholesale national blackouts seen in countries such as Myanmar or Belarus, Thai shutdowns have generally been selective by geography, service type, or platform—a technical distinction that reflects both political calculation and the actual capabilities of Thai network operators.

The Thai regulatory framework for internet control centers on the Computer Crime Act (2007), the Emergency Decree on Public Administration in Time of Emergency (2005), and the Ministry of Digital Economy and Society (MDES), which oversees the National Broadcasting and Telecommunications Commission (NBTC). These instruments provide legal cover for restrictions, though the technical execution typically involves coordination with state-owned enterprise CAT Telecom and major private operators True Corporation, dtac, and AIS.

The 2010 shutdown following the military coup and subsequent red-shirt protests represents the earliest large-scale documented case. Access Now's historical records and contemporaneous reporting indicate that restrictions lasted approximately 5–7 days and targeted websites perceived as threatening to state security. The 2013–2014 period saw repeated throttling incidents surrounding the 2013 constitutional court dissolution of Parliament and the May 2014 military coup. According to KeepItOn's database, these events involved DNS-level filtering and selective IP blacklisting rather than wholesale circuit termination. ISPs received informal directives (often without published legal orders) to block specific domains associated with opposition media and protest coordination platforms.

The 2017 constitutional referendum and the 2019 general election triggered measurable connectivity disruptions. During the August 2016–September 2017 period, the Thai government implemented sustained throttling of messaging applications—particularly Telegram and Signal—using deep packet inspection (DPI) to identify and rate-limit protocol traffic. OONI network measurement data from Thailand during this window shows characteristic DPI signatures: connection timeouts on specific ports associated with encrypted messaging, combined with occasional HTTP injection of blocking pages. The throttling was not uniformly applied; measurements suggested that state-owned CAT Telecom applied more aggressive filtering than some private operators, indicating either inconsistent policy compliance or deliberate differentiation by network.

The 2019 election cycle produced more targeted restrictions. Following the March 24, 2019 election, reports from international observers and local journalists documented blocking of social media platforms—particularly Facebook and YouTube—on some networks for approximately 6–12 hours. The technical mechanism appeared to involve SNI-based TLS filtering rather than IP-level blocking, allowing operators to block specific domains without severing broader HTTPS connectivity. This represents a refinement in Thai blocking infrastructure: operators could restrict access to specific services without triggering widespread collateral outages.

The 2020 pro-democracy protests introduced another variation. Documented instances of throttling targeted encrypted messaging applications and live-streaming platforms during periods of mass mobilization. Specifically, reports indicate selective rate-limiting of WhatsApp and Telegram traffic during July–October 2020, consistent with DPI-based traffic shaping rather than wholesale blocking. The National Examination Center also requested mobile operators implement bandwidth limitations during the Ordinary National Educational Test (O-NET) in May 2020 and subsequent examination windows—a semi-regular practice justified as preventing cheating via mobile data.

OONI's ongoing measurement infrastructure in Thailand has documented DNS filtering, IP-level blocking, and DPI-based throttling as the primary technical methods. Notably, there is no publicly documented evidence of BGP-level route hijacking or AS-level internet fragmentation in Thailand, distinguishing it from shutdowns in China or the former Kazakhstan. The Thai approach remains within the bounds of ISP-level filtering using commercially available DPI appliances and DNS resolver manipulation.

From a technical circumvention perspective, the specific blocking method matters significantly. DNS filtering is vulnerable to DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) queries to resolvers outside Thailand, though not all Thai networks permit outbound DNS traffic to non-standard ports. SNI-based blocking can be circumvented using HTTPS with Encrypted Client Hello (ECH), though ECH adoption on target services remains limited. DPI-based throttling of encrypted protocols is more resistant to circumvention; it relies on traffic pattern recognition rather than payload inspection. Protocols such as WireGuard, OpenVPN with obfuscation (obfs4), or MASQUE tunneling can be effective, though their utility depends on whether the underlying transport (UDP, TCP) is also rate-limited. Tor's pluggable transports, particularly Snowflake and WebTunnel, have been documented as functional in Thailand during periods of selective throttling, though no comprehensive audit of their reliability exists.

Thai shutdowns have consistently been narrower in scope than in neighboring countries—geographic fragmentation has been minimal, national blackouts brief, and technical methods relatively unsophisticated by comparison to state-level DPI deployed in China or Iran. This reflects both political constraints (Thailand maintains tourism and financial services dependent on continuous connectivity) and technical limitations (the fragmented ISP landscape prevents uniform policy implementation). The pattern suggests an apparatus optimized for targeted suppression rather than wholesale severance.