The Forensic Service Act B.E. 2559 (2016) (พระราชบัญญัติการให้บริการด้านนิติวิทยาศาสตร์ พ.ศ. 2559) was announced in the Royal Gazette on 3 August 2016, after the National Legislative Assembly passed it on 10 June 2016. As the regulations about the handling of forensic data are yet to be announced, we don’t have an exact idea yet of what the process and conditions will look like. What we know at the moment is who is going to be responsible for making those regulations.
Specifying how the forensic data should be handled (Chapter 2)
Establishing the Forensic Service Oversight Committee (คณะกรรมการกำกับการให้บริการด้านนิติวิทยาศาสตร์), which will regulate forensic standards, fees, the appeal process, and the exchange of forensic data. (Chapter 3)
According to Section 3 of the Act, “data” in this Act means any data that comes from the forensic service.
The “Data Chapter”, or Chapter 2 of the Act, is solely about the confidentiality, preservation, and disclosure of data.
Section 8: Data is confidential. The Central Institute of Forensic Science has a duty to preserve and destroy the data, according to the criteria, methods, and conditions that the Committee will specify by announcement in the Royal Gazette.
Section 9: Data will only be disclosed to the person who requested the forensic service. This should be done according to the criteria, methods, and conditions specified by the Committee. An exception is possible if the disclosure is made according to a Court Order or a Committee Resolution for the purpose of justice.
This means the details of the conditions and process for preservation and disclosure, or, in general, the life cycle of this potentially sensitive personal data, are yet to be announced. All of them will be decided by the Forensic Service Oversight Committee, using the power given to it in Section 15 (4) [Preservation] and Section 15 (4/1) [Disclosure].
According to Section 10, the Committee will consist of
Ministry of Justice Permanent Secretary — as Chairperson
Director of Central Institute of Forensic Science (CIFS) — as Secretary
Commissioner-General of the Royal Thai Police
Director-General of Department of Medical Sciences
Secretary-General of Thai Industrial Standards Institute
Secretary-General of the National Human Rights Commission
Secretary-General of the Medical Council
Commissioner of the Royal Thai Police Office of Forensic Science
A group of expert committee members, not exceeding 5 people, appointed by the Minister of Justice. — The Minister should appoint expert committee members from people with knowledge or experience, at least one person each from these fields: forensic science, law, and investigation.
The Director of CIFS will also appoint no more than two officers from CIFS to act as Assistant Secretary for the Committee.
An expert committee member must be a Thai national and must be at least 35 years old (Section 11). He or she will serve for a period of 4 years and cannot serve for more than two terms (Section 12).
Note that, if the [forensic] data is handled by a State agency, its privacy will be under the protection of the Official Information Act B.E. 2540 (1997). Yet, as you can see from Section 5 (5), the forensic service can also come from the private sector. But Thailand at the moment doesn’t yet have a law for general data protection outside the public sector.
The Data Protection Bill, which will fill the gap, has been proposed in different versions for more than a decade, but it is yet to be passed. The latest version of the Bill, from July 2015, has been reviewed by the Council of the State. It is expected to be submitted to the NLA for hearing by the end of 2016.
So, keep your eyes on the Forensic Service Oversight Committee and the forensic data regulations that they are going to make. We hope they are going to have public consultations for that.
Quick points for my international friends who want to get the gist of the development of Thailand’s new amendment of the Computer-related Crime Act, as of 14 June 2016. Here I discuss the timeline, small notes on two different revisions in April 2016, and points of concern regarding freedom of expression, privacy, and encryption.
If you don’t have much time, look at Section 14 (1) [online defamation], 14 (2) [“public safety”], 15 para. 3 [burden of proof to the intermediary], 17/1 [Settlement Commission], 18 (7) [investigative power to access encrypted data-at-rest], 20 (4) [Computer Data Screening Committee can block content that is totally legal], and 20 para. 5 [will be used to circumvent data-in-transit encryption].
26 April 2016 — The Cabinet submitted the Bill to the National Legislative Assembly (NLA).
28 April — NLA 1st hearing – approved the Bill in principle (160 to 0) and sent it to the Review Subcommittee. The Subcommittee has 60 days to review, with a possible 30-day extension if needed.
~26 July (previously ~26 June) — The NLA should receive the revised Bill and continue to the 2nd hearing. Updated: the Subcommittee decided to extend the review for another 30 days. Sections that got lots of comments are 14, 15, 16/1, 16/2, 18 (and in connection to 19), 20, and 21 (and in connection to 29).
There will be three hearings in the NLA. In some cases, all of the 1st, 2nd and 3rd hearings could be done in one day.
The ICT Minister said the government is willing to have all Digital Bills in effect by the end of 2016.
There was a revision approved by the Cabinet on 19 April 2006.
The 19 April and 26 April revisions are almost identical.
The exception is that Section 13 and Section 14 of the 19 April revision (both amend Section 18 of the 2007 Act) are merged and become a single Section 13 in the 26 April revision.
So the Section numbers starting from Section 14 shift up.
This note is based on the 26 April 2016 revision.
To avoid confusion, it will refer to the number of the Section to be amended.
The Minister responsible for this Act will be the Minister of Digital Economy and Society (new name of Minister of ICT).
Points of Concern
1. Criminalisation of Speech and Computer Data
Section 14 (1) — Online defamation: language still open for online defamation
Section 14 (2) — “Public safety”: Vague and general terms like “public safety” and “economic stability” in this Section are not specifically defined in any Thai criminal law, but will be used to criminalise computer data.
From our communication with the lawmaker, they said this is meant to cover crimes against the computer systems of public infrastructure. If that’s the case, it could be written better in the draft, using terms like “critical infrastructure” or “critical information infrastructure”.
Section 15 paragraph 2 — Blanket power: the Minister's power to issue additional procedural rules, which may further limit civil rights but require no review from Parliament.
Section 15 paragraph 3 — Burden of proof: if a service provider follows the Ministerial procedural rules, it may be exempted from penalty, but the service provider has to prove its innocence.
Section 3 — No differentiation of intermediary types: Section 3 (since the 2007 version) does define two different types of “service providers”, but the rest of the Act does not really differentiate between them. Every service provider gets the same level of penalty.
We should at least differentiate between “mere conduit” and “hosting”.
Section 17/1 — Settlement Committee: for offences with a jail term of 2 years or less. Not sure what the consequence is, but it will definitely create unpredictability in law enforcement.
The Settlement Committee will be appointed by the Minister. It will consist of three persons, one of whom has to be an inquiry official according to the Criminal Procedure Code. No other requirements are stated in the Bill.
4. Expanded Investigative Power — Access to Encrypted Data-at-Rest
Section 18 — Expands the investigative power of Section 18 to non-CCA offences
The entire Section 18 in the 26 April 2016 revision of the CCA amendment is almost identical to the 2007 CCA currently in use, except mainly for this expansion.
Section 18 (together with Section 19, which sets the conditions for using the power in Section 18) in the current 2007 CCA is already a problem in itself, particularly regarding the authorisation of power. When compared to a similar law on investigative power to gather electronic evidence, like the one in Section 25 of the Special Investigation Act, Sections 18+19 of the CCA require fewer checks and balances.
Section 18 (7) is about accessing an encrypted computer system or data.
5. Expanded Information Control
Section 20 — Expands the blocking and data removal power to non-CCA offences
Section 20 (4) — Blocking of content that is totally legal: the Computer Data Screening Committee may ask the Court to block/remove data that breaches “public order” or the “moral high ground of people” even if it's not illegal
The Computer Data Screening Committee will be appointed by the Minister. It will consist of five persons. Two must come from the relevant private sector. No other requirements are stated in the Bill.
The Thai Journalist Association is very concerned about this.
Film industry associations, like the Motion Picture Association (regional) and the Federation of National Film Associations of Thailand (local), support the expansion of Section 20 to also include site-blocking if copyright infringement occurs.
They also cite the damages from Facebook Live and call for measures to take down such streaming, or any new technology that may infringe intellectual property rights, on social media.
6. Disintegrity of Secured Communication
Section 20 paragraph 5 — Additional technological measures to censor encrypted data: the Minister can issue additional rules to facilitate data blocking/removal “in response to changing technology”
The “reasons for amendment” document attached to the draft submitted to the NLA says that to block a web page that uses public-key encryption, a “special method and tools” are needed (see pages 28-30 of the documents submitted to the NLA, in the last column; you will see keywords like “SSL”).
In order to block a specific URL, the URL has to be known first. The ISP will compare the URL with its blacklist. If matched, it will tell the user that the access is not allowed.
For an HTTPS-encrypted webpage, the ISP knows only the first part of the URL (the domain name). For example, if the entire URL is https://www.facebook.com/thainetizen, the ISP will see only https://www.facebook.com. So they cannot compare and cannot block the URL specifically. They can block the entire www.facebook.com, but that will be very unpopular.
It is possible to circumvent the encryption, so that the ISP can block a specific URL again.
But this will affect the confidentiality and integrity of the data on the network, as well as its availability (as the data may be blocked and inaccessible).
The same tool can also be used for the surveillance of private communication.
“People disclose the phone numbers that they dial or text to their cellular providers, the URLS that they visit and the e-mail addresses with which they correspond to their Internet service providers, and the books, groceries and medications they purchase to online retailers . . . I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.” United States v. Jones, 565 U.S. ___, 132 S. Ct. 945, 957 (2012) (Sotomayor, J., concurring).
Quoted from the International Principles on the Application of Human Rights to Communications Surveillance