Thailand’s Cybersecurity Bill and Internet Censorship

Introduction

One of the early promises of the National Council for Peace and Order (NCPO), who seized power through a coup d’état in May 2014, was the development of a digital economy in Thailand. The Thai Government is currently considering a package of eight digital economy bills ranging from electronic transactions to cybersecurity to make Thailand more competitive and better equipped to compete in the global digital economy. You can find the full list of bills and translation of some of them here.

Update April 9, 2015:

Three of the digital economy bills, the Information and Communication Technology Ministry Reform Bill, the Digital Economy Bill, and the NBTC Bill, will be forwarded to the National Legislative Assembly next month and expected to be enforced by the end of 2015.

The other five digital-economy bills are currently at the Council of State consideration stage and expected to be passed to the National Legislative Assembly within the coming three months.[1]

Background

Due to a large rural population the Internet penetration in Thailand remains low at around 29% in 2013.[2] However, Thailand has recently seen a large increase in mobile penetration, mobile Internet, and social media adoption – especially among the young urban population. With 28 million Facebook users, one in three Thais has a Facebook account, making Thailand the ninth biggest Facebook country worldwide. Twitter is not as large, but also growing with around 4.5 million users.[3]

Besides Western social networks, the Japanese instant communications app Line has also reached immense popularity with over 24 million users in 2014, allowing instant communication through text and VOIP.[4]

The opportunities of mobile Internet and social media applications offer the Thai population a greater diversity of content and debate than previously available through traditional media. This has unfortunately also prompted the Thai Government to increase its efforts to control and censor information available on the Internet.

The lèse-majesté law, Article 112 of the criminal code, can be used to give up to 15 years in prison for anyone who “defames, insults, or threatens the King, Queen, the Heir-apparent, or the Regent” and has also been put to use on information and opinion published online. Similarly, the 2007 Computer Crimes Act (CCA) can give up to five years imprisonment for publication of content that jeopardises individuals, the public, or national security, or acts as a proxy to access restricted material.[5] The CCA also holds computer users liable for any content they import into a computer system as well as holds internet service providers at all levels liable for content published on them.[6]

The Cyber Security Operations Center (CSOC) established in 2011 the Ministry of Information and Communication Technology has the authority to shut down and block websites without a court order.[7] The CSOC extensively monitors the Thai Internet space and has forced Thai ISPs to block access to hundreds of websites including independent news websites, Government critics, and even social media sites such as Facebook.[8]

The harsh environment of censorship and stark punishments has stifled online discussion, increased self-censorship, and severely harmed Thai Internet freedom.

Reception

The Digital Economy Bills have been met with widespread skepticism and criticism from both domestic and international actors. The bills have been accused of being overly broad, vague, and too lenient in giving the government additional power in the Internet sphere. A wide range of critics voiced concerns that rather than being designed to invigorate the Thai digital economy, the bills seemed to be an attempt by the military government to take control of both private and corporate information by opening loopholes for increased surveillance, censorship, and blocking of websites.[9, 10, 11, 12]

The National Cybersecurity Bill, designed to complement the Computer Crimes Act, received the bulk of the criticism. The bill would establish a government-run cybersecurity committee charged with detecting and countering online threats to national security and give far reaching power to the officials tasked with cybersecurity work.[13]

NCPO chief Prayut Chan-O-Cha has insisted that the National Cybersecurity Bill is a necessary tool to protect the nation and eloquently explained to reporters that:

“We need to have national security otherwise everybody does what they want.”

However, he also reassured critics that the bill would only be used on occasions when the authorities suspect Thailand’s national security is at risk – a comfortably vague statement on multiple counts.[14]

The main issue with the bill is that it would give government officials de facto authority to read and seize virtually any communication transmitted over any digital means at the discretion of the National Cybersecurity Committee – without the need for a court order.

The strong opposition to the bill has forced the Thai Government to revise the current draft and it has promised that the new revision will have stronger checks and balances of the National Cybersecurity Committee’s powers. However, it remains to see if the government actually delivers on its promises as the latest draft of the National Cybersecurity Bill has yet to be revealed to the public. In the meantime, a closer reading of the current draft will reveal why the bill is so problematic and potentially harmful to Thai Internet freedom.

The National Cybersecurity Bill

The National Cybersecurity Bill (draft approved by the Cabinet on 6 January 2015) opens with a vague, and quite unusual, definition of cybersecurity.

 “Cybersecurity” means measures and operations that are conceived in order to maintain national Cybersecurity, enabling it to protect, prevent or tackle circumstances of cyber threats which may affect or pose risks to the service or application of computer network, internet, telecommunications network, or the regular service of satellites in ways that affect national security, which includes military security, domestic peace and order, and economic stability.

Unlike more traditional definitions of cybersecurity that typically encompass the confidentiality, availability and integrity of information, the bill’s definition puts cybersecurity in direct relation to national security. It also gives astonishing leeway in the interpretation of permissible ‘measures and operations’ as well as the range of services, applications, or networks it can apply to – in essence giving the interpreter (in this case the National Cybersecurity Committee) the power to justify anything as being required for national cybersecurity.

The bill also harbours several sections that are cause for concerns, in particular section 30, 33, 34, and 35.

Section 30 basically implies that the prime minister has unchecked power over cybersecurity in Thailand as well as direct control over the National Cybersecurity Committee and the operational officials under it. Recalling the broad and vague definition of cybersecurity within the bill this is a worrying display of executive power, in particular in relation to the Prime Minister’s de facto authority to deem any Internet-related communication a cybersecurity matter and thus under the purview of this bill. The Prime Minister also has the power and responsibility to appoint the operational officials under the National Cybersecurity Bill.

Section 30
The Prime Minister shall be in command with powers to control and direct the maintenance of Cybersecurity across the country in accordance with the operation plans on the maintenance of Cybersecurity and this Act. For this purpose, the Prime Minister shall have the power to command and order the persons responsible for the operation under Section 28 across the country.

The amount of executive power becomes increasingly troublesome when put in relation to sections 33 and 34.

Section 33
Upon the occurrence of an emergency or danger as a result of cyber threat that may affect national security, the NCSC shall have the power to order all State agencies to perform any act to prevent, solve the issues or mitigate the damage that has arisen or that may arise as it sees fit and may order a State agency or any person, including a person who has suffered from the danger or may suffer from such danger or damage, to act or co-operate in an act that will result in timely control, suspension, or mitigation of such danger and damage that have arisen.

Section 33 gives authority to the National Cybersecurity Committee to act in the event of an emergency or danger as the result of a cyber threat affecting national security. As we already know the definition of cybersecurity is incredibly wide and there are no further explanations on what constitutes as an ‘emergency’, ‘danger’, or ‘cyber threat’ – it will be up to the Committee (or the Prime Minister to decide.

The second part of section 33 is even worse. The National Cybersecurity Committee is supposed to have the power to, in the event of an emergency of the aforementioned kind, order all state agencies or any person to perform any act necessary to solve or mitigate the issue of national security. Read that sentence again. It is in essence a legal carte blanche for the Committee to do anything in the name of national cybersecurity.

Section 34 then extends this authority to include private corporations:

In case where it is necessary, for the purpose of maintaining cybersecurity, which may affect financial and commercial stability or national security, the NCSC may order a private sector to act or not to act in any way and to report the outcome of the order to the NCSC as required by the notification of the NCSC.

Finally, the section that has received most attention – section 35.

For the purpose of performing their duties under this Act, the Officials who have been entrusted in writing by the Secretary shall have the following powers:

(1) to issue letters asking questions or requesting a State agency or any person to give testimony, submit an explanation in writing, or submit any account, document, or evidence for the purpose of inspection or obtaining information for the benefit of the execution of this Act;

(2) to issue letters requesting State agencies or private agencies to act for the benefit of the NCSC’s performance of duty;

(3) to gain access to information on communications, either by post, telegram, telephone, fax, computer, any tool or instrument for electronic media communication or telecommunications, for the benefit of the operation for the maintenance of cybersecurity.

This is the section that gives the legal right to officials under the National Cybersecurity Committee to read and seize virtually any communication transmitted over any digital means without the need for a court order.

In Thailand, where insulting the Thai Royal Family is illegal and considered a threat to national security, there is little doubt this law will be used to identify and prosecute perceived critics of the monarchy. Not to mention stifling political opposition and dissent targeted towards the military government.

The recent development of Internet availability and social media have opened up new information channels and spaces for discussion of politics and controversial topics in Thailand. The Cyber Security Act and the other Digital Economy bills now run the risk of instead developing an Internet space with censorship and tight political control.