Thai cybercrime law: Long overdue or a threat to the industry?

One Internet service provider has described Thailand's new cybercrime law as akin to scratching the wrong place to get rid of an itch, while a leading content provider said it may spell the end of Thailand's fledgling Internet industry as we know it. At the other end, a leading security consultant has welcomed the new cyber law as long overdue.

Prinya Home-Anek, CEO of ACIS, a leading Thai security training and consultant firm, explained how the new law now requires certain categories of Internet service to keep logs of up to 90 days with a minimum of IP address and header information (so that pages visited can be identified). For casual browsing, a name does not need to be saved, but for posting messages, forums will need a very robust membership scrutinizing system and to provide names.

This has been watered down from initial drafts that demanded that the payload itself be kept, which was deemed technically infeasible.

The four categories immediately affected are telecom operators, Internet service providers (which includes public access sites, universities, schools, Starbucks, and companies that allow their employees to access the Internet), Web hosting services and content providers (portals).

Failure to provide the logs to authorities on demand carries a maximum fine of half a million baht.

Prinya said that anyone doing a mash-up using Web services will also have to log the necessary data before passing it on to the foreign service.

The law will also go into detail about certifying authorities, which can seize computers and which will now have to be trained in IT forensics. Computers and data can now be seized for 30 days with a possibility of an extension of up to 90 days in total.

Prinya said that ICT Ministry is also expected to upgrade the e-commerce committee into a Department-level organization with a director-general to oversee the implementation of the new law alongside the Electronic Transactions Act B.E, 2544 (2001).

Asked if this move was too draconian, Prinya defended the law, saying that it was better than anarchy and that it has been nine years in the making. "Let's get the law passed first and work out the details later," he urged.

A source within the ICT Ministry expressed concern that many people were already misinterpreting the new law. For instance, on the day the bill was passed, senior police officers said that the law would be used to prosecute anyone bypassing state controls to access banned Web sites. However, he pointed out that the clause the police was referring to was intended to allow police to prosecute hackers breaking into an organization's network, rather than citizens breaking out of the state's control. But he admitted that at a glance it could be interpreted that way.

Some of the changes made in the legislature did take power away from police and the ICT ministry and put them in the hands of the courts, which he feels is a good move to prevent the law being abused.

"The law was a mess from day one, and everyone somehow expected Parliament to fix the mess in the sub-committees over the years. For some reason, that did not happen and now it is up to the ICT ministry to enact ministerial regulations that actually make sense and are reasonable," he said. Meanwhile, hosting company Internet Solution Provider (ISSP) chairperson Kanokwan Wongwatanasin said that she has always stood for freedom and said that even viewed in a positive light, the best she could describe the new law was "scratching an itch in the wrong place".

"I agree that we need some regulation. However, this law is too late and it is fixing yesterday's problems. We are not addressing the real problem. Most of the problem sites are overseas. If you can control Google and Yahoo, then fine, but if you can't then this is not the final answer," she said.

Wongwatanasin also pointed out that even though Web sites providers are required to keep logs, it would be a trivial matter for a hacker to tamper with those logs in a compromised system anyway.

"The law will be a huge burden for those who try to comply, and the problem will still come from those who do not comply anyway. I hope the government will look at it from a practical point of view," she said.

The CEO of popular portal Sanook.com, Torboon Puangmaha, warned that the law would only punish the good guys trying to comply and would damage Thailand's fledgling Internet industry.

"I agree that we need some regulation, and my company can keep logs for 90 days. However, it will increase our costs and we will have to find a way to recuperate these costs," he said.

He said that studies have shown that countries that have a closed Internet suffer in terms of industry growth compared to those with an open policy. Also, the industry in Thailand is only beginning to learn how to make money and he warned that harsh regulation too soon might kill it off entirely.

"If we can't make money, there's a chance that the operators will all disappear," he said.

C.J. Hinke, a lecturer from Thammasat University's Faculty of Liberal Arts and founder of Freedom Against Censorship Thailand, condemned the law as a blow to freedom of speech and of academic freedom.

Hinke objected to how the law now makes ISPs complicit in the elimination of privacy and for censorship, as ISPs are now legally responsible for what transits their servers. He said his is the opposite of what most countries do and will have a negative impact on free and open business competition.

Recently the Supreme Court in Germany ruled that a citizen has the right to ask their ISP to delete all their personal data, including search keywords and access history. "What we've done in Thailand is completely the opposite and ISPs are now forced to retain that data," he said.

Hinke said the law is a polar opposite to another law guaranteeing academic freedom and that it should be challenged in court. "If there is no academic freedom, no press freedom, we will have a Thai public that is not fully informed and cannot make informed decisions. That will result in bad government like we have had recently."

National Science and Technology Development Agency assistant president Dr Rom Hiranpruk expressed concern that the law differentiates between regular police and cyber cops, who are trained in computer forensics. With all aspects of life today involving a computer, the lack of enough cyber cops to collect forensic evidence may render the law unenforceable in the real world.

However, he said much now depends on how the ICT Ministry will issue ministerial decrees to enforce the law and that he would reserve final judgment until later.