Technology

Despite denials, Thailand's online surveillance plans are alive and well

Originally published at Siam Voices on October 22, 2015 "We will not talk about this any more. If we say we won't do it, we won't do it," said Thai Deputy Prime Minister Somkid Jatusripitak at an economic forum in Bangkok last week. His decisive words were in response to the ongoing controversy over the Thai military government’s plans to introduce an online single gateway.

Last month, Thai internet users discovered a cabinet resolution surveying the implementation of a single online gateway ”to be used as a device to control inappropriate websites and flow of news and information from overseas through the internet system.” Subsequent resolutions ordered the Ministry of Information and Communication Technology (MICT) and related agencies to speed up their preliminary work.

If realized, Thailand’s internet traffic would be bottlenecked through a single gateway, making it possible for officials to filter and block undesirable content. This is in line with the military junta’s ongoing efforts to monitor and censor dissenting voices, both in real life and online, ever since it launched a military coup in May 2014.

Amidst widespread criticism and a coordinated mass-click-and-refresh bombardment that briefly knocked several government websites offline, Thai officials were scrambling to calm public opinion, only then to contradict themselves justifying why the junta wants to have a single gateway in the first place. The explanations varied from economic reasons, cybersecurity concerns and ultimately ending at Thai junta leader and Prime Minister General Prayuth Chan-ocha being initially ”worried” about the ”youth addiction to online games and access to inappropriate media”.

A week later, the government was hoping that the debate had died down. However, despite repeated statements insisting that it won’t pursue the single gateway plan anymore, not everyone is convinced by their declaration. And it seems there is more trouble coming the junta’s way:

Online activists have announced they will launch attacks against the government beginning Thursday after the prime minister said the project to route all internet traffic through a single point of control is still alive.

The coalition of anonymous internet users known as Citizens Against Single Gateway last night warned private sector operations with IT systems linked to government servers to transfer them to safe places before the assault on government systems begins at 10am on Thursday.

Those behind a crippling attack earlier this month, the Thailand F5 Cyber Army, issued the announcement yesterday after Prime Minister and junta chairman Prayuth Chan-ocha said agencies are still studying the project (…).

First Chapter of ‘Cyber War’ to Begin Thursday”, Khaosod English, October 21, 2015

The little detail that the government is "still studying" the single gateway plan is enough reason for opponents to distrust the Thai military government. But there are several more signs that justifies the continuous skepticism by many online users.

CAT TELECOM has announced that it will proceed with the plan to build a national Internet gateway, which it claims would help make Thailand a digital hub in Asean.

The aim of the project is not to control the flow of information into the country over the Internet as some fear, said CAT acting chief executive officer Colonel Sanpachai Huvanandana. He said a working committee for the project would be set up. Whether that committee is under the Information and Communications Technology Ministry or under the Digital Economy Committee is up to the ICT minister.

The national Internet gateway is one of two priorities for making Thailand a digital hub for the region by expanding capacity and reducing costs. The other is to have large content providers such as Facebook, Google and YouTube establish servers in Thailand.

Net gateway for digital hub”, The Nation, October 21, 2015

The other part of the plan to have internet tech giants like Google and Facebook setting up shop in Thailand (the latter already did) seems ambitious to say the least, given a potentially significant infrastructural disadvantage and previous persistent, but unsuccessful attempts by the military government seeking cooperation of these companies to censor posts deemed insulting to the monarchy and also identify their authors.

At the same time it is being reported that General Thaweep Netrniyom, the secretary-general of the Office of the National Security Council (NSC), could be appointed the head of the aforementioned CAT Telecom. It would be the first time that somebody from the NSC would take up that position at the state-owned telecommunication company and unsurprisingly his focus is expected be on cyber security - just as CAT’s current CEO (a Colonel nonetheless) announced they are still not giving up on the single online gateway.

However, as mentioned before, that is not the only measure by the military junta to control the flow of online information in Thailand. It already has blocked more than 200 websites deemed a threat to national security (source), ordered internet providers to censor on sight, reportedly also procured software to intercept encrypted SSL-connections and additional hacking and surveillance software, it is also in process of passing its so-called cyber laws, a set of bills aimed officially at “preparing Thailand for the digital economy”. But it also includes passages that enables widespread online surveillanceprosecution against intermediaries (e.g. website owners) and more legal uncertaintybenefitting the state more than Thai online users.

Most recently, Defense Minister General Prawit Wongsuwan announced on Tuesday the creation of a new ”Army Cyber Center” specifically to ”protect” the Thai monarchy and to ”keep track of information on media and social media and to sort them out systematically,” essentially underlining their priorities. In August this year, two people were sentenced to a record 28 and 30 years in prison respectively for allegedly posting Facebook messages deemed insulting to the monarchy.

Thailand's new cyber laws - Part 3: Far-reaching cyber snooping

Originally published at Siam Voices on February 20, 2015 In this part in our series examining the Thai military government’s new cyber laws, we look at the most controversial bill among the eight drafts: The Cyber Security Bill.

Any government nowadays has to adapt its laws and at the same to keep it up to date with technological advancement - which is a seemingly herculean task given their vastly contrasting respective pace. One issue many lawmakers are focusing on is cyber security. Given the growing reliance on internet access in our everyday lives and the increasing number cyber attacks, the legislative base to counter that are either still archaic (some by design) or in some cases simply non-existent.

Thailand is obviously not exempt and thus created the 2007 Computer Crime Act (CCA) - the problem is that the wording of the CCA is so vague that is has often been (ab)used for online censorship and the 2015 update doesn't fix these problems either (read previous part).

With the new Cyber Security Bill (full PDF and translation here), the current Thai military government is seemingly adding another legislative basis to combat cyber crime - but what it actually does is an assault on online freedom and personal privacy, starting with the creation of a new government agency:

Section 6: There shall be a committee called “The National Cybersecurity Committee” (NCSC) consisting of:

(1) Minister of Digital Economy and Society as Chairperson;

(2) Secretary of the National Security Council, Permanent Secretary of the Ministry of Digital Economy and Society, Permanent Secretary of the Ministry of Defence, Commander of the Technological Crime Suppression Division, the Royal Thai Police as 4 ex officio members;

(3) Not more than 7 qualified members appointed by the Council of Ministers (…)

As it can be seen from the make-up of the committee, its members are almost all from the military and police - all positions that have been or can be filled with people close to the current military government, who will be on the committee for 3 years (Article 9).

Section 7: The NCSC shall have the following powers and duties:

(1) to determine the approaches and measures for responding to and tackling cyber threats in the event of undesirable or unforeseeable situation or circumstance concerning security that affects or may cause significant or serious impact, loss or damage so that the NCSC becomes the centre of operation in the event of situation or circumstance concerning security in a timely and uniform manner, unless the cyber threat is such that affects military security, which is a matter within the powers of Defence Council or the National Security Council;

Section 14: The Office of the National Cybersecurity Committee shall be set up as a State agency having a juristic person, not being a State division or a State enterprise.

Section 17: The Office shall have the following powers and duties:

(1) to respond to and tackle cyber threats in the event of undesirable or unforeseeable situation or circumstance concerning security that affects or may cause significant or serious impact, loss or damage by issuing operation measures that take into account the degree of secrecy and the access to classified information; (…)

(3) to co-operate with State agencies or private agencies for the purpose of collecting information on cyber threats, the prevention and tackling of circumstances of cyber threat, and other information concerning the maintenance of Cybersecurity, to be analysed and submitted to the NCSC for consideration; (...)

(5) to monitor and speed up the operations of the State agencies involved in maintaining Cybersecurity, and report to the NCSC; (…)

(13) to perform other acts concerning national Cybersecurity as entrusted by the NCSC or the Council of Ministers.

While Article 7 and 17 are pretty much standard fare regarding its tasks, Article 14 hints that the NCSC has wider powers and fewer bureaucratic hurdles to overcome in order to act swiftly - which also potentially means less transparency. And whatever is meant in Article 17.13 with "other acts concerning national Cybersecurity as entrusted" by the Cabinet is highly unlikely to be ever publicly disclosed - maybe unorthodox ways to 'gain information'?

As the next excerpt shows, the NCSC will have so much power it can even take over command of other state agencies in a crisis:

Section 33: Upon the occurrence of an emergency or danger as a result of cyber threat that may affect national security, the NCSC shall have the power to order all State agencies to perform any act to prevent, solve the issues or mitigate the damage that has arisen or that may arise as it sees fit and may order a State agency or any person, including a person who has suffered from the danger or may suffer from such danger or damage, to act or co-operate in an act that will result in timely control, suspension, or mitigation of such danger and damage that have arisen. (...)

Section 34: In case where it is necessary, for the purpose of maintaining Cybersecurity, which may affect financial and commercial stability or national security, the NCSC may order a State agency to act or not to act in any way and to report the outcome of the order to the NCSC as required by the Notification of the NCSC.

Another interesting tidbit is in Article 18.3:

Section 18: For the purpose of the fulfilment of the objectives under Section 17, the Office shall have the following powers and duties:

(3) to enter into an agreement and co-operate with other organisations or agencies, both in the public and the private sectors, [both based domestic and abroad] in activities concerning the fulfilment of the Office’s objectives;

One way to interpret that is that the NCSC will seek "co-operation" from private corporations, including those providing social media platforms and messaging apps. In the past Thai authorities, in their quest to criminalize even mere Facebook 'likes' linked to unwanted content or dissent, tried to contact the company behind the messaging app LINE in order to access all messages - they didn't a reply, but nevertheless later boasted that they could monitor everything.

Nevertheless, Thai authorities would be empowered to snoop thanks to the already infamous Article 35:

Section 35 For the purpose of performing their duties under this Act, the Officials who have been entrusted in writing by the Secretary shall have the following powers: (…)

(3) to gain access to information on communications, either by post, telegram, telephone, fax, computer, any tool or instrument for electronic media communication or telecommunications, for the benefit of the operation for the maintenance of Cybersecurity.

The performance under (3) shall be as specified by the Rules issued by the Council of Ministers.

Yes, even the good old telegram is not safe from long arms of the authorities! It is self-evident that with that wording the NCSC will have far-reaching powers to look into the personal data of every Thai internet user. And given the paranoia of the military junta with social media, the potential for abuse of the law in the name of national (cyber-)security is nigh on endless. It remains to be seen if the aforementioned guidelines will ever be issued by the Cabinet when this bill is signed into law.

Translated sections of draft bills by Thai Netizen Network. You can read complete translations here.

THAILAND'S NEW CYBER LAWS: Part 1: Introduction - Part 2: Changes to Computer Crime Act - Part 3: Far-reaching and all-encompassing cyber security

Thailand's new cyber laws - Part 2: Changes to the Computer Crime Act

Originally published at Siam Voices on February 17, 2015 With the passing of eight new draft bills under the banner of "Digital Economy" by the Thai junta cabinet and awaiting approval by the ersatz-parliament, the National Legislative Assembly (NLA), the main focus of criticism is aimed at the cyber security bill and the amendments to the 2007 Computer Crime Act (CCA).

In this part, we take a look at the most crucial changes to the Computer Crime Act.

The old Computer Crime Act was itself a problematic piece of legislation when it was passed in 2007 due to the vague wording of certain sections. Particularly there’s a high legal ambiguity in Article 12.2, which punishes anything that is "likely to damage computer data or a computer system related to the country’s security, public security and economic security or public services" with 3-15 years in prison, and Article 14, which punishes any computer-related act that causes "damage the country's security or causes a public panic" (especially if it is "related with an offense against the Kingdom's security under the Criminal Code") with a maximum of five year in prison.

That led to many cases where people were charged for political expressions made online that were deemed by the authorities as lèse majesté, which almost doubles the potential punishment of the accused (as mentioned in our introduction previously).

Now these two passages has been mashed together into into one Article, which says:

Section 14/1 - Any person committing an offence that involves import to a computer system of false computer data in a manner that is likely to damage the country's security or cause a public panic must be subject to imprisonment for not more than three years or a fine of not more than sixty thousand baht [US$1,843] or both.

Section 14/2 - Any person committing an offence that involves import to a computer system of any computer data related with an offence against the Kingdom's security under the Criminal Code must be subject to imprisonment for not more than five years or a fine of not more than one hundred thousand baht [US$3,070] or both.

It’s not much different than the previous versions in terms of punishment, but the problematic vague wording (e.g. what constitutes "false computer data"?) remains. What's worse is the following Article 15:

Section 15 -  Any service provider intentionally supporting or consenting to an offence under Section 14/1 or Section 14/2 within a computer system under their control must be subject to the same penalty as that imposed upon a person committing an offence under Section 14/1 and Section 14/2.

If any service provider can prove that they follow the instruction to restrain the dissemination of such computer data or destroy such data from a computer system as required by a Minister, the perpetrator is not guilty.

Under the new law, the intermediaries are subject to prosecution as well. Basically, if for example a webmaster has content that's deemed offensive on their site and doesn't remove it, then they can be charged - even if they didn't write it themselves. That’s exactly what happened to Prachatai webmaster Chiranuch Premchaiporn, who was accused of not deleting online comments from her website quickly enough that were deemed lèse majesté. The main problem in this case was how long is too long for somebody not to remove something seemingly offensive. In Chiranuch's case, it seemed the prosecutors more or less expected every webmaster to anticipate it even before the offense happens and to preemptively act against it. She was convicted and given a suspended jail sentence in 2012.

One of the major changes are the amendments to Article 18:

Section 18 of the Computer Crime Act of B.E. 2550 (2007) is added the following provisions as paragraph two and paragraph three:

"For the benefit of investigation and inquiry, in case there is a reasonable cause to believe that there is the perpetration of an offence to computer system, computer data, or any computer data storage devices under any laws, the superior administrative or police official under the Criminal Procedure Code or the competent official under other laws shall perform under this Act only the necessities for the benefits of using as evidences related to the commission of an offence or searching for an offender under the competent authorities indicated in paragraph one, paragraph two and paragraph three. The aforementioned officials shall request the relevant competent official to take action provided that their power of authority is limited under this Act.”

In simple words, authorities still need a court order in order to intercept online communication and it has to be specific. However, as the watchdog organization Thai Netizen Network points out, there's no limitation on how long these interceptions can take as compared to e.g. Article 25 of the 2008 Special Investigation Act, which allows access of 90 days (but permits unlimited extensions).

Also, Article 12 in the new CCA will punish cases which involves hacking of computer systems "that is likely to damage computer data or a computer system related to the country's security, public security and economic security" with up to 15 years in prison.

And finally in this short look, Article 31 already hints at the next part we'll be examining:

Section 31. Nation Cyber Security Committee (NCSC) shall be the central agency to control, monitor and assess operational performance of the competent official under this Act.

In the next part, we will look at the controversial new Cyber Security Bill, which seemingly could allow intrusive actions by the Thai authorities against internet users and the aforementioned National Cyber Security Committee will be an integral part of it.

Translated sections of draft bills by Thai Netizen Network. You can read complete translations here.

THAILAND'S NEW CYBER LAWS: Part 1: Introduction - Part 2: Changes to Computer Crime Act - Part 3: Far-reaching and all-encompassing cyber security

LINE denies Thai junta’s claim it is monitoring popular chat app

Originally published at Siam Voices on December 23, 2014 Claims by the Thai military junta that it is monitoring the popular chat app LINE for content deemed insulting towards the monarchy have been refuted by South Korea-based parent company Naver.

The Thai Minister for Information and Communication Technology (MICT) Pornchai Rujiprap stated on Monday that the authorities can "monitor all the nearly 40 million LINE messages sent by people in Thailand each day." LINE has at least 24 million registered users in Thailand, according to the company's latest figures in August - while Pornchai estimated the number to be at 33 million users, based on his own claims.

He continued:

"We can see what type of messages are being forwarded," Pornchai told reporters, "We focus especially on those that are libelous, anti-monarchy, or threatening national security." (...)

"The suspects cannot claim that they were not aware of the consequences of their actions, because the law regards them as conspirators in the crimes," Pornchai said, "Therefore, if you receive [anti-monarchy] messages, you should not forward them."

The Minister also vowed to seek IP addresses and other information about anti-monarchy websites from foreign companies that host their servers, though he admitted that the process could take a long time.

"It could take a long while because there needs to be a negotiation. Some countries have cultures that are different to Thai," Pornchai explained.

"ICT Pledges To Sniff Out Anti-Monarchy Chat Messages", Khaosod English, December 23, 2014

The South Korean parent company of LINE has been quick to dismiss the junta's claims:

“No monitoring by the Thailand government has been conducted,” Nam Ji Woong, a spokesman for South Korea-based Naver Corp., which owns Line Corp., said by e-mail today. “Line considers consumers’ privacy as a top priority.”

"Line Application Denies Reports Thailand Is Monitoring Messages", Bloomberg News, December 23, 2014

The draconian lèse majesté law criminalizes perceived criticism of Thailand's monarchy and carries a maximum sentence of 15 years in jail. Charges based on this law, where every citizen can file a complaint against anyone and police are obliged to investigate every one of them, have seen a rampant rise in recent years and even more so since the military coup of May 22, 2014. According to the Thai legal watchdog ilaw at least 22 people have been arrested on lèse majesté charges since the coup and also on the equally draconian yet vague worded Computer Crimes Act, which also penalizes digital content deemed a threat to national security.

The military junta - more than ever the self-proclaimed protector of the Thai monarchy and intolerant of dissent and criticism - has also imposed widespread media censorship and set up its own media watchdogs. Not only has the junta reactivated the 'cyber-scout' program, which recruits volunteer students to monitor the Internet, it even considered launching its own national social network, and it has also reportedly implemented the technical capabilities for widespread online surveillance.

This is not the first time that LINE and its Thai users have been targeted by Thai authorities. Last year, an overzealous Police Maj.-Gen. Pisit Pao-in of the Technology Crime Suppression Division (TCSD) of the Royal Thai Police has also sought access to user information and chat logs of the messaging app and was even considering criminalizing Facebook users for 'liking' what he thinks is "unlawful" content. Ultimately he was unsuccessful - so much so that even the hawkish then-ICT minister Anudith Nakorn-thap chided him for his overeagerness.

The biggest irony of the junta's boisterous claims that it is able to monitor LINE (that is unless the parent company is cooperating after all or the junta has found another way) is that it was made at the same event when the military junta was presenting series of LINE 'stickers' representing the junta's proclaimed and much touted "12 core values" (more on that in a future Siam Voices post), aimed at instilling what they think makes a "good Thai" like showing respect to superiors, resisting the temptation of “religious sins”, upholding “Thai customs and traditions”, and sacrificing oneself for the good of the country.

In their continuous, widespread media campaign - including commissioning propaganda short movies (one of which gained infamy for a brief, but bizarre Hitler scene) - the military government hopes (after it has spend 7 million baht or almost $213,000 on them) that LINE users will promote these "12 core values" by sending the stickers to each other - if only the junta can find a way to make sure that actually happens...

UPDATE [Dec 24]: ICT Minister Pornchai Rujiprapa has practically backtracked his boisterous claims:

He said it was merely a misunderstanding that the MICT can monitor ‘Line’ and that it is much easier to find evidences lese majeste and others cases via Facebook and websites which the IP address can be tracked. If he ministry need information on Line, it will have to cooperate with its headquarter.

“I merely said don’t send the [lese majeste] messages via Line because the police can make arrests when people file complaints with the messages as evidences. Not that the MICT was monitoring the chat traffic on Line. And warn people to be careful not to share the [lese majeste] messages because it is illegal according to 2007 Computer Crime Act.” Prachatai quoted Pornchai as saying.

"Thai authorities say no surveillance on popular chat app", Prachatai English, December 24, 2014

The Thai office of LINE has also emphasized that there's no surveillance and the Thai authorities need a court order to do so.

And in somewhat related news and ironic timing, LINE Thailand has a job opening for a "Content Editor and Monitoring"...

Thailand's junta extends censorship with mass online surveillance

Originally published on Siam Voices on September 19, 2014 Thailand's ruling military junta is further tightening its grip on the public discourse by heightening its censorship measures, going as far as reportedly implementing widespread surveillance of Thai Internet users. The new measure seeks to crush criticism at the military government and  to crack down on anything that is deemed insulting to the royal institution - also known as lèse majesté.

When the Thai military declared martial law two days before it launched the coup of May 22, 2014, one of the main targets was the complete control of the broadcast media, which resulted in the presence of soldiers at all major television channels and the shutdown of thousands of unlicensed community radio stations and over a dozen politically partisan satellite TV channels, primarily those belonging to the warring street protest groups.

Nearly five months later, most of these satellite TV channels (with one notable exception) are back on the air but have been renamed and had to considerably toned down their political leanings before they were allowed to broadcast again. The TV hosts who were last year's heavy-hitting political TV commentators are now hosting entertainment programs or, if they're lucky, return to a talk show format, but only in the name of national "reform" and "reconciliation".

But the military junta, also formally known as the “National Council for Peace and Order” (NCPO), still has a firm grip on the media, as it has set up specific monitor watchdogs for different media platforms (and also specifically for foreign news outlets) to screen out critical content against the NCPO. Furthermore, it has practically issued a gag order to the Thai media - only then to reiterate that while criticism against the military junta is allowed,  it should only be done "in good faith".

The censorship measures and the monitoring efforts also extend online. Unlike during the last military coup in 2006, the emergence of social media networks makes it a daunting uphill battle for the junta to control the narrative. Nevertheless, the authorities have always been eager to have more control to filter and censor online content and have blatantly resorted to phishing for user information, and even considered launching its own national social network. And there was this:

In late May, a brief block of the social network Facebook sparked uproar online, while statements by the Ministry for Information and Telecommunication Technology (MICT) and the NCPO over whether or not the Facebook-block was ordered or it was an “technical glitch” contradicted each other. It emerged later through a the foreign parent company of a Thai telco company that there actually was an order to block Facebook, for which it got scolded by the Thai authorities.

"Thailand’s junta sets up media watchdogs to monitor anti-coup dissent", Siam Voices/Asian Correspondent, June 26, 2014

The junta also reactivated its "Cyber Scout"-initiative, recruiting school children and students to monitor online content for dissidents, and announced plans for internet cafes to install cameras so that parents can remotely monitor what their kids are doing.

The towering motive of the junta's online monitoring efforts has been recently laid out by outgoing army chief, junta leader and Prime Minister General Prayuth Chan-ocha:

Gen. Prayuth outlined a strategy to "defend" the monarchy in a speech (...) [its] transcript describes the monarchy as an important element of Thai-style democracy and an institution that the Royal Thai Government is obliged to uphold "with loyalty and defense of His Majestic Authority."

"We will use legal measures, social-psychological measures, and telecommunications and information technology to deal with those who are not mindful of their words, are arrogant at heart, or harbour ill intentions to undermine the important Institution of the nation," the speech reads.

Under Section 112 of Thailand's Criminal Codes, insulting the royal family is a criminal offense punishable by up to 15 years in prison. The law, known as lese majeste, has been harshly enforced since the military staged a coup against the elected government on 22 May. (...)

"Prayuth Vows Tougher Crackdown On Anti-Monarchists", Khaosod English, September 11, 2014

And in order to achieve this, the junta reportedly doubled down its online monitoring earlier this week:

Thai authorities reportedly planned to implement a surveillance device starting from 15 September to sniff out Thai Internet users, specifically targeting those producing and reading lèse majesté content, a report says. Although the report is yet to be confirmed, it has created greater climate of fear among media.

Prachatai has received unconfirmed reports from two different sources. One said the device targets keywords related to lèse majesté and that it is relatively powerful and could access all kinds of communication traffic on the internet. Another source said it could even monitor communications using secured protocols.

After learning about this, a national level Thai-language newspaper editorial team has reluctantly resorted to a policy of greater self-censorship. Its editor warned editorial staff not to browse any lèse majesté website at work and think twice before reporting any story related to lèse majesté.

"Thai authorities reportedly to conduct mass surveillance of Thai internet users, targeting lèse majesté", Prachatai English, September 10, 2014

On Wednesday, it was reported that amidst severe internet slowdowns across Southeast Asia due to a damaged undersea connection cable extra internet filtering in Thailand has been activated.

There is no doubt that Thailand's military junta is determined to go forward with its own, very exclusive way of governing and tightly controlling the narrative through widespread media censorship and massive online surveillance. By invoking the need to "protect the monarchy", the military has a convenient weapon to act against dissidents in real life and in the virtual domain as well, no matter where they are.

According to the legal watchdog NGO iLaw, over 270 people have been detained by the junta between May 22 and September 5. Eighty-six of them are facing trial, most of them before a military court. Fifteen of those are cases concerning lèse majesté.