[FACT comments: We have supplied appropriate emphasis in red to Don's article. This is exactly why FACT wants the Cybercrime Law repealed. There are far more fair ways of dealing with virtual problems. To expect webmasters or ISPs to act as cybercops is ludicrous and only serves to create a climate of fear.]
When webmasters end up in jail
DON SAMBANDARAKSA
Bangkok Post Database: June 11, 2008
http://www.bangkokpost.com/Database/11Jun2008_data010.php
Lunch at customer events is always interesting. These are real people doing real work without a PR person speaking for them, and at one recent lunch, the talk was all about how it was almost impossible to comply with the law.
One web developer spoke of how someone he knew spent a night in jail: A couple had an argument and the boyfriend proceeded to post compromising pictures of his girlfriend to a web site. The girlfriend went to the police and it was the webmaster who spent the night in jail, pending bail, for not being able to provide the logs and names necessary under the new law.
Indeed, the only thing the law has accomplished is to make it easy for people to attack their enemies by posting dubious content on web sites in order to get the hosting company in trouble.
Even the big operators are not immune. Pantip.com requires an ID card number to be registered before posting pictures, but one web developer said that someone had used his ID card number in an online game, a classic case of identity theft. Without a way to check someone’s identity, an ID card number is useless. But if the number could be checked easily, the opportunities to abuse the system are immense. If the Ministry of Interior opens up its database for webmasters to check ID numbers, then what is there to stop someone from mining the information. Just think of the value of a web board’s customer database, either to malicious webmasters or to someone who steals that database.
The problem here is that the industry players seem to think that the 13-digit number brings with it some magical seal of righteousness, oblivious to the fact that these numbers are rather easy to steal, and they last forever.
Another hosting company was effectively shut down when police raided it and seized its servers because one of its clients was selling counterfeit goods. All the other clients suffered too, but one wonders how police would treat a grid or a virtual machine running in a cloud of computers. Chances are they would probably seize it first and then come back asking how to turn it on later.
When the law first came into effect, the head of Thailand’s largest hosting company, ISSP, said that the law was a death sentence for small Thai hosts and that it would only drive the Internet economy overseas. In a draconian move, if the host is overseas, the onus of supplying a name to match an action then falls on the ISP.
So, what does the future hold for web development in Thailand? One of the developers said that everyone would have to use Windows Server 2008 in its fully secure mode, which provides a robust identity management system so that any action is logged in detail. But, it was pointed out, even MAC addresses can be re-flashed easily on today’s motherboards, so where does that leave the quality of those log files. No answer was forthcoming.
Obviously whoever interpreted the law this way would agree that having people roaming the streets at night is dangerous, either to themselves or to others, as they are obviously not up to any good and that society should implement a curfew or lock its citizens in cells for their own safety.
The gist of the problem is a clause in the logging section that ends with “and any other relevant information” to be kept.
“Any other relevant information” is a very ambiguous term. The nice people at Nectec, who drafted the initial version years ago, defended the law in that it should not be confined to certain technologies or protocols, and thus the clause was put in to make the law future-proof.
However, it was the police’s interpretation of that phrase that has led to the current situation. In a seminar, an officer said that as long as a webmaster can put a name to an action that is fine. However, if he can only provide logs of MAC addresses and headers but no name, then he may be liable to the half a million baht fine that the law calls for.
And therein lies the rub.
The current interpretation of the cybercrime law puts far too much emphasis on the medium; it punishes the messenger and ignores the message. It is convenient for law enforcement. It is perfect for a police state.
It makes for a situation where every hosting company and every ISP is operating in a grey area and the government of the day can pick and choose who to persecute, sorry, prosecute, at will. Since every forum is probably unable to prove compliance, governments can selectively turn a blind eye to pro-government sites and shut down those that are critical of its policies.
Indeed that is what happened prior to the incident involving Thai Insider. Before Thaiinsider.info, scores of smaller web sites had been shut down or censored, but when the Thaksin regime turned its sights on Thaiinsider, a web site run by a vehemently anti-Thaksin businessman, he had the resources to fight back and he called a press conference with a well-paid legal team explaining how unconstitutional it was to do that. The authorities relented and Thaiinsider.info remains online while scores of other smaller web sites, without the resources to call in the press and hire solicitors, have disappeared.
The rich can get away with everything; the poor are downtrodden. Freedom of speech exists only for those in power and those who can afford it, while the majority of the population remains blissfully unaware and happy as long as they can get to show off their iPhones to their friends. Only, unlocking an iPhone is also a crime under the Digital Millennium Copyright Act-style parts of the the Thai cybercrime law.
But of course, only those who use it to speak of things that the state disapproves of ever need fear prosecution.
