Academics have slammed the draft Thailand Cybersecurity bill as an unaccountable, all-powerful tool to enable mass surveillance rather than anything to do with actually promoting Thailand’s digital economy efforts.
The draft Cybersecurity bill and the recently passed Computer Crime Act were the topics of a recent panel discussion by THNIC and Thammasat University Lampang campus in the far north of Thailand.
Assistant Professor Thotsaphon Tassanakulapan from Chiang Mai University’s faculty of law set the tone for the event saying that Thailand wanted to mimic China and its great firewall with the new Cybersecurity bill.
The difference is that Thailand’s digital economy is a fraction that of China’s. He said that what the government did not seem to understand is that national security comes from a healthy, growing economy and that the draconian, authoritarian nature of the Cybersecurity Act (CSA) is having a chilling effect on the startup Thailand digital economy that the government is so eager to talk about.
He went so far as to say that the CSA was not so much about cybersecurity, but more about cyber warfare.
Thotsaphon said that a proper cybersecurity law should be about reducing the risk that businesses face. It should be about sharing best practices and security notifications. At most it should be about risk assessment. Instead Thailand has openly admitted to drafting the CSA after the United States’ Homeland Security Act and Patriot Act.
“These are not about security. These are about countering terrorism. Are we in a state of emergency?” he asked.
Article 3 of the Cybersecurity bill allows the Cybersecurity Commission almost unlimited power to infringe on civil liberties if they deem that something is a threat to cybersecurity. The problem is that nowhere in the act is the concept of what constitutes a threat to clearly defined. He said that the law would seem to apply equally to someone taking an axe to fibre-optic cable, a computer hacker or even anti-government protests.
Article 34 allows the Cybersecurity Commission to set standards for cybersecurity. This means that companies operating in Thailand can be forced to implement surveillance by design. The commission can tell any operator to look into and tap any means of communication. In 35(3) it explicitly expands the remit of article 34 to include even analogue forms of communications such as fax or letter.
Thotsaphon said that the Cybersecurity Commission itself was not subject to any checks and balances in the law and it is unclear even if the orders from the Commission could be challenged in the administrative court or not. There is no prescribed way to appeal any order from the Commission.
“Section 33 of the bill allows the Cybersecurity Commission to order the private sector to do anything or refrain from doing anything in the name of cybersecurity. This will lead to surveillance by default. It is very dangerous,” he said.
Other problems with the Cybersecurity Bill include a lack of clarity on who gets to see its annual report, and a lack of linkage to non-governmental expert bodies.
Bhume Bhumiratana, a senior consultant at system integrator G-Able, said that he has been involved in advising the government about the Cybersecurity Act from day one and his biggest concern was that what they are saying in public has little correlation to what is being encoded into law.
Bhume said that from the start they claimed it was a law to promote Thailand’s Digital Economy efforts, but nothing in the latest draft is about creating confidence in the Digital Economy, rather each and every part of the law is about giving more power to the state.
Cybersecurity for the Digital Economy is about making businesses confident in investing and carrying out business, it is not about the government controlling your business.
He said that he asked experts drafting the law why so much of the Cybersecurity law overlapped with the Computer Crime Act (CCA). The answer was that after years of using the CCA, it proved ineffective so they needed the CSA to make it even easier to arrest people who have done something wrong. However, 99% of cyber attacks are from outside of Thai jurisdiction and creating tougher domestic laws accomplishes nothing.
The reason given for the overwhelming power is ostensibly that getting court approval takes too long and there is an immediate need to gather evidence – or gather evidence in advance via mass surveillance.
He also noted that the CSA was drafted after the US Homeland Security Act which came about after 9/11 as an anti-terrorist law, not a law to promote the digital economy.
“This law is about mass surveillance, but we know that mass surveillance does not work. The NSA’s PRISM does not work and we know that thanks to Snowden, yet Thailand is going down that path,” he said.
Finally, Bhume warned of the extreme centralisation of this all-powerful Cyber Security Commission. The chairman is the Digital Economy Minister. Three other commissioners are the National Security Council Secretary-General, the Digital Economy Permanent Secretary, the Defence Permanent Secretary and the Commander of the Technology Crime Suppression Division. The other seven members are appointed directly by the Cabinet of Ministers without any selection guidelines making it unlikely that anyone outside of the state security apparatus will get in and provide any balance.