Originally published at Siam Voices on February 20, 2015 In this part in our series examining the Thai military government’s new cyber laws, we look at the most controversial bill among the eight drafts: The Cyber Security Bill.
Any government nowadays has to adapt its laws and at the same to keep it up to date with technological advancement - which is a seemingly herculean task given their vastly contrasting respective pace. One issue many lawmakers are focusing on is cyber security. Given the growing reliance on internet access in our everyday lives and the increasing number cyber attacks, the legislative base to counter that are either still archaic (some by design) or in some cases simply non-existent.
Thailand is obviously not exempt and thus created the 2007 Computer Crime Act (CCA) - the problem is that the wording of the CCA is so vague that is has often been (ab)used for online censorship and the 2015 update doesn't fix these problems either (read previous part).
With the new Cyber Security Bill (full PDF and translation here), the current Thai military government is seemingly adding another legislative basis to combat cyber crime - but what it actually does is an assault on online freedom and personal privacy, starting with the creation of a new government agency:
Section 6: There shall be a committee called “The National Cybersecurity Committee” (NCSC) consisting of:
(1) Minister of Digital Economy and Society as Chairperson;
(2) Secretary of the National Security Council, Permanent Secretary of the Ministry of Digital Economy and Society, Permanent Secretary of the Ministry of Defence, Commander of the Technological Crime Suppression Division, the Royal Thai Police as 4 ex officio members;
(3) Not more than 7 qualified members appointed by the Council of Ministers (…)
As it can be seen from the make-up of the committee, its members are almost all from the military and police - all positions that have been or can be filled with people close to the current military government, who will be on the committee for 3 years (Article 9).
Section 7: The NCSC shall have the following powers and duties:
(1) to determine the approaches and measures for responding to and tackling cyber threats in the event of undesirable or unforeseeable situation or circumstance concerning security that affects or may cause significant or serious impact, loss or damage so that the NCSC becomes the centre of operation in the event of situation or circumstance concerning security in a timely and uniform manner, unless the cyber threat is such that affects military security, which is a matter within the powers of Defence Council or the National Security Council;
Section 14: The Office of the National Cybersecurity Committee shall be set up as a State agency having a juristic person, not being a State division or a State enterprise.
Section 17: The Office shall have the following powers and duties:
(1) to respond to and tackle cyber threats in the event of undesirable or unforeseeable situation or circumstance concerning security that affects or may cause significant or serious impact, loss or damage by issuing operation measures that take into account the degree of secrecy and the access to classified information; (…)
(3) to co-operate with State agencies or private agencies for the purpose of collecting information on cyber threats, the prevention and tackling of circumstances of cyber threat, and other information concerning the maintenance of Cybersecurity, to be analysed and submitted to the NCSC for consideration; (...)
(5) to monitor and speed up the operations of the State agencies involved in maintaining Cybersecurity, and report to the NCSC; (…)
(13) to perform other acts concerning national Cybersecurity as entrusted by the NCSC or the Council of Ministers.
While Article 7 and 17 are pretty much standard fare regarding its tasks, Article 14 hints that the NCSC has wider powers and fewer bureaucratic hurdles to overcome in order to act swiftly - which also potentially means less transparency. And whatever is meant in Article 17.13 with "other acts concerning national Cybersecurity as entrusted" by the Cabinet is highly unlikely to be ever publicly disclosed - maybe unorthodox ways to 'gain information'?
As the next excerpt shows, the NCSC will have so much power it can even take over command of other state agencies in a crisis:
Section 33: Upon the occurrence of an emergency or danger as a result of cyber threat that may affect national security, the NCSC shall have the power to order all State agencies to perform any act to prevent, solve the issues or mitigate the damage that has arisen or that may arise as it sees fit and may order a State agency or any person, including a person who has suffered from the danger or may suffer from such danger or damage, to act or co-operate in an act that will result in timely control, suspension, or mitigation of such danger and damage that have arisen. (...)
Section 34: In case where it is necessary, for the purpose of maintaining Cybersecurity, which may affect financial and commercial stability or national security, the NCSC may order a State agency to act or not to act in any way and to report the outcome of the order to the NCSC as required by the Notification of the NCSC.
Another interesting tidbit is in Article 18.3:
Section 18: For the purpose of the fulfilment of the objectives under Section 17, the Office shall have the following powers and duties:
(3) to enter into an agreement and co-operate with other organisations or agencies, both in the public and the private sectors, [both based domestic and abroad] in activities concerning the fulfilment of the Office’s objectives;
One way to interpret that is that the NCSC will seek "co-operation" from private corporations, including those providing social media platforms and messaging apps. In the past Thai authorities, in their quest to criminalize even mere Facebook 'likes' linked to unwanted content or dissent, tried to contact the company behind the messaging app LINE in order to access all messages - they didn't a reply, but nevertheless later boasted that they could monitor everything.
Nevertheless, Thai authorities would be empowered to snoop thanks to the already infamous Article 35:
Section 35 For the purpose of performing their duties under this Act, the Officials who have been entrusted in writing by the Secretary shall have the following powers: (…)
(3) to gain access to information on communications, either by post, telegram, telephone, fax, computer, any tool or instrument for electronic media communication or telecommunications, for the benefit of the operation for the maintenance of Cybersecurity.
The performance under (3) shall be as specified by the Rules issued by the Council of Ministers.
Yes, even the good old telegram is not safe from long arms of the authorities! It is self-evident that with that wording the NCSC will have far-reaching powers to look into the personal data of every Thai internet user. And given the paranoia of the military junta with social media, the potential for abuse of the law in the name of national (cyber-)security is nigh on endless. It remains to be seen if the aforementioned guidelines will ever be issued by the Cabinet when this bill is signed into law.