Quick points for my international friends who want to get some gists about the development of Thailand’s new amendment of Computer-related Crime Act, as of 14 June 2016. Here I discussed the timeline, small notes on two different revisions on April 2016, and points of concerns regarding freedom of expression, privacy, and encryption.
If you don’t have much time, look at Section 14 (1) [online defamation], 14 (2) [“public safety”], 15 para. 3 [burden of proof to the intermediary], 17/1 [Settlement Commission], 18 (7) [investigative power to access encrypted data-at-rest], 20 (4) [Computer Data Screening Committee can block content that is totally legal], and 20 para. 5 [will be used to circumvent data-in-transit encryption].
Thai Netizen Network also made some recommendations to the Bill (updated 28 June 2016).
- 26 April 2016 — The Cabinet submitted the Bill to National Legislative Assembly (NLA).
- 28 April — NLA 1st hearing – approved the Bill in principles (160 to 0) and sent it to Review Subcommittee. The Subcommittee has 60 days to review, with possible 30 days extension if needed.
~26 June~26 July — NLA should received the revised Bill and continue for the 2nd hearing. Updated: the Subcommittee decided to extended the review for another 30 days. Sections that got lots of comments are 14, 15, 16/1, 16/2, 18 (and in connection to 19), 20, and 21 (and in connection to 29).
- There will be three hearings in NLA. In some cases, all the 1st, 2nd and 3rd hearings could be done in one day.
- ICT Minister said the government willing to have all Digital Bills in effect by the end of 2016.
Read the Bill (in English)
- Read Computer-related Crime Act (CCA) amendment (26 April 2016 draft) and its English translation, side by side.
- There was a revision approved by the Cabinet on 19 April 2006.
- The 19 April and 26 April revisions are almost identical.
- Except that Section 13 and Section 14 of 19 April revision (both amend Section 18 of 2007 Act) are merged and become single Section 13 of 26 April revision.
- So the Section number starting from Section 14 is shifting up.
- This note is based on 26 April 2016 revision.
- To avoid confusion, it will refer to the number of the Section to be amended.
- The Minister responsible for this Act will be the Minister of Digital Economy and Society (new name of Minister of ICT).
Points of Concerns
1. Criminalisation of Speech and Computer Data
- Section 14 (1) — Online defamation: language still open for online defamation
- Section 14 (2) — “Public safety”: Vague and general terms like “public safety” and “economic stability” in this Section are undefined specifically in any Thai criminal law, but will be used to criminalised computer data.
- From our communication with the lawmaker, they said this is meant to be for the crime against computer system of public infrastructure. If that’s the case, it can be better written in the draft, using terms like “critical infrastructure” or “critical information infrastructure”.
- Read iLaw analysis on this (in Thai)
2. Disproportionate Intermediary Liability
- Section 15 paragraph 2 — Blanket power: Minister power to issue additional procedural rules, which may additionally limits civil rights but require no review from Parliament.
- Section 15 paragraph 3 — Burden of proof: if service provider follows the Ministerial procedural rules, they may exempted from penalty, but service provider has to prove their innocence.
- Section 3 — No differentiation of intermediary types: Section 3 (since 2007 version) do defined two different types of “service providers”, but for the rest of the Act it does not really differentiated them. Every service providers got the same level of penalty.
- We should at least differentiated between “mere conduit” and “hosting”.
- EU E-Commerce Directive has three: “mere conduit” (Article 12), “caching” (Article 13) and “hosting” (Article 14).
- See Manila Principles on Intermediary Liability
3. Unpredicability of Law — Judicial Process
- Section 17/1 — Settlement Committee: for offences with 2 years or less jail term. Not sure what is the consequence, but definitely will creates unpredictability of law enforcement
- The Settlement Committee will be appointed by the Minister. It will be consisted of three persons, one of whom has to be an inquiry official according to the Criminal Procedure Code. No other requirements stated in the Bill.
4. Expanded Investigative Power — Access to Encrypted Data-at-Rest
- Section 18 — Expands investigative power of Section 18 to non-CCA offences
- The entire Section 18 in 26 April 2016 revision of CCA amendment is almost identical to the 2007 CCA in use currently, except mainly this expansion.
- Section 18 (together with Section 19, which are conditions in order to use the power in Section 18) in the current 2007 CCA is already a problem in itself, particularly about the authorisation of power. When compared to similar law on investigative power to gather electronic evidence like one in Section 25 of Special Investigation Act, Sections 18+19 of CCA required lesser check and balance.
- Section 18 (7) is about accessing encrypted computer system or data.
5. Expanded Information Control
- Section 20 — Expands blocking and data removal power to non-CCA offences
- Section 20 (4) — Blocking of content that is totally legal: Computer Data Screening Committee may ask Court the block/remove data that breach “public order” or “moral high ground of people” even its not illegal
- The Computer Data Screening Committee will be appointed by Minister. Will consisted of five persons. Two must come from relevant private sector. No other requirements stated in the Bill.
- Thai Journalist Association is very concerned about this.
- Film industry associations, like Motion Picture Association (regional) and Federation of National Film Associations of Thailand (local), support the expansion of Section 20 to also include site-blocking if copyright infringement occurs.
- They also citing the damages from Facebook Live and call for measures to takedown such streaming, or any new technology that may infringe intellectual property rights, on social media.
6. Disintegrity of Secured Communication
- Section 20 paragraph 5 — Additional technological measures to censor encrypted data: Minister can issue additional rules to facilitate data blocking/removal “in response to changing technology”
- In the “reasons for amendment” document attached with the draft submitted to NLA, it said to block a web page that use public-key encryption a “special method and tools” are needed (see page 28-30 of the documents submitted to NLA, in the last column. You will see the keywords like “SSL”).
- In order to block a specific URL, the URL has to be known first. The ISP will compare the URL with its blacklist. If matched, it will tell the user that the access is not allowed.
- For an HTTPS encrypted webpage, the ISP know only first part of URL (the domain name). For example, if the entire URL is https://www.facebook.com/thainetizen, ISP will see only https://www.facebook.com. So they cannot compare and cannot block the URL specifically. They can block the entire www.facebook.com, but that will be very unpopular.
- It is possible to circumvent the encryption, so ISP can block a specific URL again.
- But this will affect confidentiality and integrity of the data on the network, as well as its availability (as the data may be blocked and inaccessible).
- The same tool can also use for the surveillance of private communication.
- Read Thai Netizen Network analysis on this Section 20 and how it related to MICT Order No. 163/2557 and the “Single Gateway” project (in Thai).
- See also The Right to Privacy in Thailand and State of Surveillance: Thailand reports.
Don’t agree with the Amendment proposal?
Sign the Petition: https://change.org/singlegatewayreturn
and keep spread it around.