The death of privacy-Bangkok Post
December 2, 2007
[FACT comments: Now we can see the real direction in which the Computer-Related Crimes Act will be enforced. Do Thair people really need government monitors to all Internet activity? This law is signals the death of democracy, privacy and free expression in Thailand. FACT demands the repeal of this law by the next government.]
Cyber crime blitz:
Get ready to make some sacrifices as the new cyber crime law kicks in
Bangkok Post Database: November 28, 2007
The general public will have to make some sacrifices in terms of privacy and convenience so that the new cyber crime law can help protect society, according to a police officer at the forefront of fighting computer related crime in Thailand.
Speaking at a panel discussion on the impact of the cyber crime law at the recent ICT Forum, Police Lieutenant Colonel Darun Chadharoen from the High-Tech Crime Centre of the Royal Thai Police fielded questions from ATCI director Sutee Sathanasathaporn and and Tarad.com webmaster Pawoot Pongvitaypanu to clarify many of the questions regarding how the new cyber crime law would be put into practice.
Darun said that the law was a long time coming and that prior to its passage on 18 July this year, there were many crimes that could not be prosecuted as they did not break any law, such as domain name theft, stealing credit card information and phishing through email scams.
The new law requires all Internet access providers to keep a log for 90 days. An access provider can include a company that allows its employees to access the Internet or even a dormitory or coffee shop that does the same. Darun explained that while the law seemed to be open ended, calling for “any relevant information”, in practice what it meant was that as long as a name could be provided to match an action, that would be enough.
He said that a network administrator keeping details of MAC addresses (hardware serial numbers associated with a network card) is useless if he cannot provide a name to that address.
“The idea is that people will be protected, but in return, you need to identify yourself. These are the rules you will have to follow for us to protect everyone in society,” he said.
For a small organisation, the logs could even be a paper log with people signing in with their ID card details, but the ICT Ministry has been asked to create a standard piece of software to capture this information and distribute it to all cyber cafes and companies to use free of charge. Today if someone uses an Internet access point and the shopkeeper does not take down the name of the user, then the access provider is breaking the law.
It is not just access but all Internet services will need to keep a log with the name of whoever is transacting. This means a web board needs to keep names of anyone who posts a comment, an FTP server needs to keep names of anyone who uploads files and an email provider needs to be able to match emails and names.
Darun suggested that email logs should keep only headers and names and not the content because if the private content is leaked, it would open up the email provider to legal action.
However, when Sutee asked if data from instant messaging clients such as MSN needed to be kept, Darun drew a blank. “When we get an MSN log, it always is an MSN server overseas. It’s very hard to do anything with that,” he said, implicitly admitting that the law was powerless when a foreign server or user was involved.
Darun explained that article 9 of the criminal code clearly says that a criminal act has to be intentional. Thus a trained Windows Server administrator who totally messes up an Ubuntu Linux server installation due to incompetence should be safe from prosecution under the cyber crime law.
However, on the other hand, he said that system administrators posting parts of their network topology onto a web board asking for technical assistance could be in breach of article 6 of the cyber crime law that prevents dissemination of information of a computer system’s protection. This was originally intended to cover posting or emailing usernames and passwords.
When Sutee asked if stealing a hardware dongle or USB key with passwords would be illegal, Darun said that he did not need the cyber crime law for that and he could arrest the perpetrator for theft right away. He reminded people that many crimes already were covered by existing laws and the cyber crime law was meant to plug the gaps, not replace existing laws.
Article 16 – often referred to as the “Photoshop Clause” – makes it illegal to post an altered image that is damaging to a person’s reputation or embarrassing. Darun made a couple of observations on this clause. First, it went beyond the protection given by existing laws that only covered defamation. Article 16 adds embarrassment, a term which he said would be quite hard to rule on in a legal context. He also questioned if a series of normal, unaltered pictures of girls followed by a picture of another, totally unrelated girl’s underwear would be illegal under article 16. None of the images were altered and it is the implication connecting the faces to the underwear that causes the embarrassment, not the wording or any one particular image.
Pawood said that he was once subjected to a raid under copyright law where the police seized his servers and effectively shut down his entire web site because one of his clients was found to be selling counterfeit goods. Was there a way to prosecute that user without shutting down his business, he asked?
Darun responded that with a court order, police had the right to seize evidence, but it was up to the investigating officer whether he actually needed to take the physical servers in or simply ask for a copy of the log file and a letter certifying that it was true. This would depend largely on whether the computers seized were from a suspect or a witness.
Finally, Darun reminded us to think of the victims before complaining about freedom of speech. “One woman broke up with her boyfriend and in retaliation he sent nude pictures of her to all her work colleagues. This girl almost went mad. She once had a good career ahead of her, but now does not dare look at any man in the face and is going crazy.”