The draft cyber security law has raised the concerns of netizens that the state will have more power to seize data from the private sector and individuals. Some fear the law, which still has no clear limits, will be used on a daily basis.
On October 11, the Electronic Transactions Development Agency (ETDA) organised a public hearing on the Cyber Security Bill. The details triggered fears among Thais that their privacy will be breached.
Netizens and stakeholders expressed concern that ambiguous wording on protecting ‘cyber security’ gives too much power to the state to monitor and collect data across many sectors. Many also fear that it could be used to eliminate political opponents.
As the wave of criticism grew stronger, junta leader Gen. Prayut Chan-o-cha ordered a review of the law. But he insisted that a law is necessary in the present day.
Introduction to the Cyber Security Bill: What, Who, How?
What: Defending against incoming cyber threats.
The draft’s general concept is to have a law that allows the state to address, solve and decrease the risk of cyber threats. It calls for cooperation between the public and private sectors by establishing an office and committee to act as policymaker.
There are 4 definitions that you need to know before we dig into more details: Critical Information Infrastructure (CII), Critical Infrastructure (CI), cyber threat and information assets.
CII: A computer or computer system operated by the public or private sector. The system has to be related to the state, the public, or economic security.
CI: IT infrastructural services provided by public or private organizations. The draft defines 8 areas:
- state security
- important public services
- IT or telecommunications
- energy and public utilities
- logistics and transportation
- public health
- others as deemed necessary by the NCPO
Cyber threat: An action or event that takes place via a computer or electronic means in order to disrupt or gain access to information assets, or an attempt to do so, resulting in damage to or destruction of the information assets.
Information assets:
- computer networks, computer systems and IT systems
- computers, computer equipment, backup tools etc.
- IT data, electronic data and computer data.
For example: A hospital (CI) uses a computer network (CII) to store and manage patient records (information assets). Cyber threats may include activities that damage the functioning of the CII, for example hacking, viruses or DDoS attacks.
Who: A committee and office to be established, with seemingly unlimited oversight of data.
The draft states that a National Cyber Security Committee (NCSC) will be established, along with a supporting office, chaired by the Prime Minister with 13 members: the Ministers of Defence and of Digital Economy and Society, the Permanent Secretary of the Ministry of Justice, the Commissioner-General of the Royal Thai Police, the Secretary-General of the National Security Council, the Governor of the Bank of Thailand and 6 experts in cyber protection, IT technology and communication, privacy data protection, science, engineering, law or other related fields. One member will be appointed Secretary-General.
The draft gives this position wide-ranging powers.
The NCSC Office will coordinate cyber security, through surveillance, warnings, and assistance in defending against, dealing with and decreasing the risk of cyber threats, and disseminating information, studies and research and development.
The Office has the status of a juristic person, not a government agency. It receives an annual budget from the state, but it does not have to send any income from its services or assets back to the treasury as government income.
Article 17 grants the office power to serve as a joint venture or partnership with private companies or other juristic persons with the same objectives, to borrow money in order to achieve its objectives and collect fees, subscriptions, compensation and service charges in its operations.
How: Broad powers to enter homes and seize computers without court orders but low accountability
The draft grants worrying powers to the Office with reference to ‘cyber threats’ that are vaguely defined. Article 46 empowers the Secretary-General to issue letters requesting cooperation in accessing information on:
- the architecture and configuration of the CII and information on related networks
- the function log of the CII or its related networks
- any other data deemed necessary for CII cyber protection
When the Office recognizes or predicts a cyber threat, the draft empowers them to:
- call relevant people to give information about the threat
- request data, documents or copies of these that are in the possession of other people
- question those who have information on or an understanding of the situation
- access property or premises that are implicated or thought to be implicated, with the permission of the owners.
The draft does not specify or give examples of cyber threats, so it cannot be ruled out that sending e-mails, posting on Facebook or the content of videos could be treated as cyber threats. It also pays little attention to the potential misuse of the data it acquires, saying only that the Office has to take care that the data is not used in such a way as to cause damage.
The draft contains preparations for worst case scenarios or serious cyber threats, which means incidents which:
- risk significant damage to IT assets or disrupt CII services
- threaten national security, national defence, international relations, the economy, public health, public safety or public order
- are severe enough to damage or have the potential to cause serious damage to individuals or essential IT assets.
In such cases, the Secretary-General is empowered to command or direct relevant state agencies to protect against, address and mitigate the threats.
Article 57 empowers the Secretary-General to order owners or users suspected of involvement with cyber threats to:
- monitor computers or computer systems for a certain period.
- check computers or computer systems to look for security breaches.
- take action to resolve threats; clear examples given of this include deleting malicious commands, improving software, temporarily disconnecting computers, changing the routing of malicious data or commands.
- shut down computers or computer systems.
- if necessary, officers can ask for assistance in accessing the suspected computer or computer systems.
Article 58 gives the Secretary-General oppressive powers to protect against, address and mitigate cyber threats by accessing people or physical equipment without a prior request to the court in the following cases:
- check facilities with a warning letter to the owners.
- access and make copies of IT assets, screening for suspected IT data or computer programmes.
- test suspected computers or computer systems
- seize any computers or equipment believed to be related to cyber threats for examination and analysis within 30 days, extended for up to 90 days with a request to the civil court.
In emergency cases, the Secretary-General has the authority to request real time data from relevant persons.
The punishments for violating the law are also heavy. Those who fail to act according to orders of the Office and Secretary-General may be fined 100,000-300,000 THB (about 3,000 - 9,000 USD), and a maximum 10,000 THB daily fine from the date of the order to the date action is taken and/or a maximum of 3 years in jail.
The draft barely mentions punishment for the Secretary-General and other officials. Since the Office does not have the status of a state agency, it is not clear whether it is subject to criminal law on the abuse of official power (Article 157).
During the public hearing on Oct 11, many people raised concerns that the law gives the Office and Secretary-General powers that are broad and excessive. Its legal status is also a problem, allowing officials to benefit from operations without the restrictions that apply to other state agencies.
Participants also said that the Secretary-General should get permission from the courts before accessing data or facilities and seizing computer equipment, because the same powers under the Computer Crime Act require court approval.