.jpg)
.jpg)
State of Surveillance: Thailand
Source: Privacy International
March 2, 2016
Acknowledgement:
The State of Surveillance in Thailand is the result of an ongoing collaboration by Privacy International and Thai Netizen Network.
COMMUNICATIONS LANDSCAPE
Mobile phone use is very common in Thailand. Since 2010,1 there are more mobile phone subscriptions in Thailand than Thai citizens: in October 2015, there were 86 million mobile subscriptions for 67 million people. At 84 %,2 pre-paid subscriptions dominate over pay-as-you-go subscriptions.
Of the total handsets sold in the first quarter of 2015, 76.5 % were smartphones, compared to 64.8 % in 2014.3
Only 5.5 million people in Thailand (8 % of the population) are subscribers of broadband (fixed-line) internet connections, with 53 % of these concentrated in Bangkok metropolitan area.4
Internet penetration is estimated at 27.65 million or 41 % of the population.5 Around 22 million users access social media sites daily. Popular mobile applications include Facebook, Line, WhatsApp, Google Maps, YouTube, and mobile games and music.6
96 % of Internet users in Thailand have a Facebook account and 76 % have used it in the past month. Google+ comes second in popularity with 69 % of internet users having an account, though only 36 % are reported to have used it in the past month. Similarly, 57 % have a Twitter account but only 32 % are reported to have used it in the past month.7
Thai Facebook users often choose pseudonyms instead of their real names and use pictures other than of their own faces for their Facebook accounts.8 The Japanese messaging application Line is very popular, with around 33 million registered accounts.9
LEGAL LANDSCAPE
International conventions on privacy and human rights in general
Thailand is a signatory to a number of human rights treaties including:
The International Covenant on Civil and Political Rights;
The International Covenant on Economic, Social and Cultural Rights; and ASEAN Human Rights Declaration.
Constitution
Thailand experienced a coup d'etat in May 2014. According to Mishari Muqbil and Arthit Suriyawongkul, “their [the junta's] modus operandi seems to be the direct command of ministries and semi-governmental organisations to carry out tasks irrespective of existing legislation.”10
Following the coup, in July 2014, Thailand instituted an interim constitution.The constitution does not refer to privacy and data protection and the only mention of rights is as follows:
“Section 4. Subject to the provisions of this Constitution, all human dignity, rights, liberties and equality of the people protected by the constitutional convention under a democratic regime of government with the King as the Head of State, and by international obligations bound by Thailand, shall be protected and upheld by this Constitution.”11
Interception and surveillance
Section 25 of the Special Case Investigation Act addresses the interception of communications in postal, digital and telephonic forms. When there is a suspicion that a communication of any sort was used or may be used to commit a special case offence (serious crimes requiring an investigation as defined in section 21), the Special Case Inquiry Official from the Department of Special Investigation may ask the Chief Judge of the Criminal Court for an authorisation to obtain the information. When granting the permission, the Chief Judge has to justify the decision to prove that there is a reasonable ground that the person whose communication is being intercepted will or has committed a crime and that there is no other appropriate method to investigate the offence. The interception must never exceeds 90 days.12
However, martial law was declared after the coup in May 2014 and is currently still in place. It grants the military the right “to inspect message, letter, telegraph, package, parcel or other things transmitting within the area under the Martial Law.”13
On May 2014, the junta published an Order 26/2014 on “the control and surveillance of the use of social media.” In this order, the government claims the right to “monitor and access the computer traffic, the use of websites, social media, photos, text, video and audio which are deemed to instigate violence and unrest, which are deemed to be unlawful and which violate the National Council for Peace and Order’s (NCPO) Orders.”
Operating licenses
Licenses were normally issued by the National Telecommunication Committee.14 However, the Computer Crime Act contains some technical requirements for data retention with which internet service providers (ISPs) and telecommunications service providers must comply:
“A service provider must store computer traffic data for at least ninety days from the date on which the data is input into a computer system. However, if necessary, a relevant competent official may instruct a service provider to store data for a period of longer than ninety days but not exceeding one year on a special case by case basis or on a temporary basis.
The service provider must keep the necessary information of the service user in order to be able to identify the service user from the beginning of the service provision, and such information must be kept for a further period not exceeding ninety days after the service agreement has been terminated.”
The NCPO announced on August 2013 that NBTC would have to postpone auction for spectrum licenses for a year commencing from the Order date (Order no. 94/2557). Lawyer Thitirat Thipsamritkul suspects this may announce a change for future licenses.15
Use of evidence obtained from surveillance in court
Evidence obtained from surveillance can be used in court according to the Special Case Investigation Act.16 Since May 2014, 'lese-majeste' cases, which focus on alleged defamation of the Thai King and which often involved content posted online, are heard in military court.
Future measures
The government has threatened to tighten its control over social media and the NCPO has asked the Ministry of ICT to come up with measures to accomplish this task.
The Royal Thai Police is also drafting a new amendment on criminal procedure law. It will grant more power to the police to intercept communications in serious cases. The permit will be given by the chief judge and will be valid for only 90 days. This amendment is aimed at extending the police's investigative power.17
POLICIES
Cybercrime
After a nine year drafting process, the Thai Parliament passed the Computer Crime Act in 2007. The act contains provisions allowing access to and collection of data by authorized authorities.
Chapter 2, section 18 reads:
“If there is reasonable cause to believe that there is the perpetration of an offence under this Act, then a relevant competent official shall have any of the following authorities only as necessary to identify a person who has committed an offence in order to:
(1) issue an inquiry letter to any person related to the commission of an offence under this Act or summon them to give statements, forward written explanations or any other documents, data or evidence in an understandable form.
(2) call for computer traffic data related to communications from a service user via a computer system or from other relevant persons.
(3) instruct a service provider to deliver to a relevant competent official service users- related data that must be stored under Section 26 or that is in the possession or under the control of a service provider;
(4) copy computer data, computer traffic data from a computer system, in which there is a reasonable cause to believe that offences under this Act have been committed if that computer is not yet in the possession of the competent official;
(5) instruct a person who possesses or controls computer data or computer data storage equipment to deliver to the relevant competent official the computer data or the equipment pieces;
(6) inspect or access a computer system, computer data, computer traffic data or computer data storage equipment belonging to any person that is evidence of, or may be used as evidence related to, the commission of an offence or used in identifying a person who has committed an offence, and instruct that person to send the relevant computer data to all necessary extent as well;
(7) decode any person’s computer data or instruct any person related to the encryption of computer data to decode the computer data or cooperate with a relevant competent official in such decoding;
(8) seize or attach the suspect computer system for the purpose of obtaining details of an offence and the person who has committed an offence under this Act.”
A service provider is a broadly-defined term that lacks the required accuracy for effective implementation of the law. It may refer to anything ranging from a satellite link provider to a cafe offering Wi-Fi access.18
Data protection
Chapter 3 of the 1997 Official Information Act deals with state responsibility regarding personal data. Section 24 contains clear provisions relating to the access and disclosure of data to law enforcement and authorized authorities. State agencies shall not disclose any personal data unless it is for the following purposes (among others): “planning, statistics or censuses and [the agencies] have the duty to keep the personal information undisclosed”, “preventing the violation of law or non-compliance with the law, conducting investigations and inquiries or instituting legal actions of any type whatsoever”, “preventing or eliminating hazards to the life or health of persons”, “the disclosure to the Court, State officials, State agencies or persons having the power under the law to make a request for such information.”19
Freedom of information
Thailand has a Freedom of Information Law. The exceptions to this law are:
Any official information that may jeopardise the Royal Institution;
Information that would jeopardise the national security, international relations, or national economic or financial security;
Information that would lead to decline in the efficiency of law enforcement or failure to achieve its objectives, whether or not it is related to litigation, protection, suppression, verification, inspection, or knowledge of the source of the information;
An opinion or advice given within the State agency with regard to the performance of any act, not including a technical report, fact report or information relied on for giving opinion or recommendation internally;
Information that would endanger the life or safety of any person;
A medical report or personal information the disclosure of which will unreasonably encroach upon the right of privacy;
An official information protected by law against disclosure or an information given by a person and intended to be kept undisclosed; and Other cases as prescribed in the Royal Decree.20
ACTORS
Regulatory bodies
The official regulatory body for telecommunications is the National Broadcasting and Telecommunications Commission (NBTC). The NBTC introduced the plan for SIM card registration. The NBTC originally had a mission to protect privacy. Section 27 of the law establishing the NBTC states:
“(13) To protect the people's rights and liberty from being exploited by operators; protect individual right of privacy and freedom to communicate by means of telecommunications; promote right, freedom and equality of the people in the access to, and use of frequencies in audio broadcasting, television broadcasting and telecommunications services;”21
The ministry in charge of IT and communications in Thailand is the Ministry of ICT. One of their “strategies” is to “develop information and communication technology system for management on security and safety of the country.”
National security appears to be largely in the hands of the junta, the National Council for Peace and Order (NCPO). Cybersecurity is the responsibility of the Technology Crime Suppression Division. On June 2014, the division was reported to have created a fake Facebook application that harvested users' private information.22
Communications Service Providers
The main three mobile service providers in Thailand are:
Advanced Info Service (AIS). AIS was founded by Thailand's former prime minister Thaksin Shinawatra. It is now controlled by Intouch PLC which is headed by Temasek Holdings, an agency owned by the Singaporean government.
DTAC (formerly TACl). DTAC is now owned by Norwegian company Telenor.
True. True is owned by CP Group, a Thailand-based Asia leading conglomerate. China Mobile holds 18 % of its shares.23
Thailand has a variety of internet service providers (ISPs). Among the largest are True, TOT (state-owned) and 3BB (owned by Jasmine International).
The independent publication Prachatai reported that, according to sources, the government started implementing in September a surveillance device to sniff internet traffic. Sources suggest that the device was purchased to track lese-majeste content online. Sources have also suggested the device selected would allow the breaking of encryption protocols.
The NCPO is however not the first government to threaten its citizens with surveillance. In 2010, the Ministry of ICT had already announced a plan to force all ISPs to install so-called “sniffer tools” (which may signify deep packet inspection tools). The project had apparently backfired after having caused outrage among the population and the media.24
In 2013, the government was reported to be planning to collaborate with popular messaging application Line to monitor message content. Pol Maj Ge Pisit Pao-in, then-commander of the TCSD, had admitted to having failed to obtain the authorisation from major social media networks based in the West.25
While there was never a clear outcome concerning the possible surveillance of Line, Pol Maj Ge Pisit Pao-in nevertheless made concerning announcements, stressing how little the pre-coup government cared about privacy and the rule of law. "We are not violating anybody's rights, as the checking is being done overseas. So you can't really attack me for this," said Pol Maj Ge Pisit Pao-in to the Nation. "Nowadays people use smart phones like a mobile computer. They use it to take videos, upload information, transfer money and connect to social networks. Therefore, we have to investigate information being sent via smart phones as well," he said. "If I want, I can investigate all the information on smart phones. We can investigate all the crimes done via computer systems."26
Security and law enforcement agencies
The main intelligence agencies in Thailand are the National Intelligence Agency (NIA), the Department of Special Investigation (DSI), the Directorate of Joint Intelligence of the Royal Thai Armed Forces and the Special Branch of the Royal Thai Police.
The NIA was formed during World War II.27 The DSI was founded in October 2002.28 According to a thesis published in 2009, the NIA commanded a budget of around US$ 263 million and had over 2,400 staff members.
The Special Case Investigation Act defines the specific function of the DSI. More generally, the role of intelligence agencies is defined in the National Intelligence Act of 1985 that requires all agencies to submit reports of their work to the National Intelligence Agency.29 The same act expects the NIA to:
carry out intelligence-related work for security and civil defense;
monitor what could affect the country's stability both domestically and abroad and report to the Prime Minister and the National Security Council;
carry out research and development related to intelligence in order to enhance the performance of civilian security;
coordinate the various intelligence agencies;
propose policies and measures; and
provide guidance and advice to the Prime Minister and the Council of National Security.
Other government agencies
The case of the Facebook applicated harvesting user's information mentioned above suggests that the Technology Crime Suppression Division (TCSD) is involved in intelligence gathering. In August 2013, the TCSD had also requested the messaging application Line to cooperate with it to allow for the monitoring of Thai messages.30
Other government agencies
The case of the Facebook applicated harvesting user's information mentioned above suggests that the Technology Crime Suppression Division (TCSD) is involved in intelligence gathering. In August 2013, the TCSD had also requested the messaging application Line to cooperate with it to allow for the monitoring of Thai messages.30
TECHNOLOGIES
Internet infrastructure
There are ten internet exchanges in the country: 31
State-owned internet provider CAT;
TOT, an internet provider;
IIR-NECTEC, an internet research lab;
True, an internet provider;
CSLOXINFO, a cloud computing service;
TCC Technology, a company offering cloud-based solutions and hosting services;
BB Connect, a gateway service provider;
Symphony, a network provider;
SBN, a network provider; and
JasTel, a telecommunications company.
Monitoring centres and interception tools
In December 2011, Deputy Prime Minister Chalerm Yubamrung announced the purchase of a “lawful interception system” for 400 million baht (over US$ 12 million). The system was to be used by the police and the Ministry of ICT.32 The system is based in the office of the Ministry of ICT and can intercept voice communications, emails, text messages and chat rooms.33 In an attempt to reassure Thai citizens, Siripong Timula, then Deputy Head of the Technology Crime Suppression Division, said that interception would only occur following the permission of court.
National databases
All Thai citizens over 15 and under 70 years of age34 must have an identity card. The first law on identity cards was passed in 1963. The current laws concerning identity cards entered into force in 1984. Since 2005, Match-on-Card technology provided by the company Precise Biometrics has been used on Thai national ID cards. Precise Biometrics also sold 36,000 fingerprint scanners to Thailand. They expected that within three years every Thai citizen would have a biometric ID card. The Ministry of ICT was responsible for carrying out the project,35 which was launched to combat identity theft and false or multiple identities.
The Thai government planned that the ID cards would serve as education ID cards and general government ID cards as well. In its press release, Precise Biometrics stated that the card could also be used for commercial uses, for example, so shops could verify the identities of potential phone purchaser.36
The Department of Provincial Administration is in charge of managing ID cards. In order to access the internet in cybercafes, users are asked to show their ID, which is recorded, before access is granted. Furthermore, according to online publication Telecomasia.net, sources have reported that the Ministry of ICT was in June 2014 consulting vendors to develop a technical strategy to “lock the Internet.” The plan was reported to be to require every Thai citizen to systematically authenticate their details every time they logged on to the internet using their ID card. It was unclear how foreigners would manage to access the internet when visiting Thailand.37
In June 2014, upon a request from the National Broadcasting and Telecommunications Commission, operators started demanding SIM card registration. SIM vendors use an application downloaded on their own smartphone to register the SIMs. In order to register a SIM card, the vendor takes a picture of the code on the SIM card and a picture of the buyer's ID card with the application, which then sends the information to the NBTC server. Once the information is approved, the NBTC sends back a message to the vendor allowing him or her to activate the SIM card. In an attempt to address privacy concerns, the NBTC has explained that the application automatically deletes the pictures from the vendor's phone. Foreigners who do not have a Thai ID card may use their passport.38
Other surveillance technologies
Thailand is equipped with CCTV in public places.
In early 2012 Thailand launched the project Smart Thailand as a response to the poor internet penetration in most parts of the country. The first phase aimed to upgrade the existing network so that the internet could be available to 80 % of the population. The second phase planned for 2016 to 2020 aimed to install fibre optic networks. The goal for that phase of the project was to increase internet penetration in Thailand to 95 % of the population.
As part of the project, the state and private companies set up a joint venture company – NBNCo -- in order to reduce the duplication of investment in fibre optic networks among networks and telecom operators. NBNCo was expected to manage and operate the network for service providers.
In order to democratise internet access, the ICT Ministry also planned to initiate free Wi-Fi projects in remote areas and in cities across the country. The initial phase aimed to create 20,000 Wi-Fi hot spots at public areas such as airports, public transportation venues, government offices, and universities. This service was to be provided by TOT Corporation and CAT Telecom, two state-owned providers.
The second phase aimed to create 250,000 free Wi-Fi hot spots across the country by 2017 and to involve private companies.
Smart Thailand was, however, not limited to developing internet access. The other goal of the project was to develop a “Smart Government.” The Smart Government initiative aimed to put all government services (about 800 in total) online. The project was divided into four areas: education, health, government service and agriculture. The government referred to the Revenue Department's online tax service and the Passport Division's passport services as successful examples of “Smart Government.”39
Surveillance companies
In 2013, the Ministry of Defence organised the “Defense and Security" trade show. The event promised to display “telecom and electronic defense equipment.”40 Talks on "cyber warfare" were also conducted during the conference. The conference counted many representatives from foreign defense agencies, including from the UK Trade and Investment Defence and the Director of Marketing and Communication of the Israeli Defence Ministry.
In April 2013, a Thailand-based reseller for American technology firm Blue Coat, which sells deep packet inspection technologies, organised a “i-Security Seminar” sponsored by – among others – Blue Coat. The guest speaker was Police Colonel Yanaphon Youngyuen.
EXAMPLES OF SURVEILLANCE
The community of Thai Muslims who live in the far south of the country, at the border with Malaysia has been reported to be subjected to high levels of surveillance. Generally, anyone criticising the Royal Family, even in a muted way, can be considered a criminal and therefore a likely target of surveillance. The arrests for lese-majeste crimes have multiplied since the coup.40
Since the coup, however, the main target has become any political dissident and more particularly, students and young persons. The arrests are occuring primarily in the streets when dissidents display any form of public opposition or protest, such as raising three fingers, a protest gesture popularised by the Hunger Games film.
Facebook has nevertheless been a central focus in the fight against dissent. In one case, a fake application sniffed data that was used to identify and track dissidents. But in late May, Pol Maj General Pisit Paoin, now head of the junta-appointed working group responsible for censoring the internet, told Thai media that “the Ministry plans to spy on popular social media and chat applications in order to identify and arrest people who spread illegal content.” He stated: “we’ll send you a friend request. If you accept the friend request, we’ll see if anyone disseminates information which violates the National Council for Peace and Order (NCPO) orders. Be careful, we’ll soon be your friend.”41
The NGO iLaw has thus reported multiple arrests based on content posted on Facebook. Some may have been denounced by those “fake friends.” The likeliness of befriending a “fake friend” in Thailand is increased because most people do not use their real name on Facebook and it is not uncommon for people to accept a friend request thinking it might be someone that they know.
The Thai government is also suspected to be using Hacking Team's Remote Control Server, based on a report by The Citizen Lab.42
Since the beginning of the unrest, there have been few cases that suggest a clear link to arrests based on surveillance. One such case regards the high-profile activist Sombat Boonngamanong. Boonngamanong had gone into hiding and had posted a message on Facebook addressing the authorities: “Catch me if you can.”43
Military officials claim they have managed to locate him based on his IP address the time of his posts. Mishari Muqbil and Arthit Suriyawongkul expressed their concerns about the implication of such a statement, because when settings are carefully set up, Facebook and Twitter (the two means of communications Sombat was using) should not reveal your location and run over encrypted HTTPS connections.44
FOOTNOTES:
1 https://www.techinasia.com/thailand-internet-report/
2 http://www2.nbtc.go.th/TTID/mobile_market/subscribers/
3 http://www.bangkokpost.com/tech/local-news/568071/4g-smartphones-enjoy-s...
4 http://www2.nbtc.go.th/TTID/fixed_line_market/penetration_per_population/
5 http://www2.nbtc.go.th/TTID/Internet_market/Internet_users/
6 https://www.idc.com/getdoc.jsp?containerId=prTH25649115
7 http://blog.hootsuite.com/social-media-in-thailand/
8 Information obtained based on an interview with Arthit Suriyawongkul conducted by Privacy International.
9 As of 9 October 2014 https://linecorp.com/en/pr/news/en/2014/845
10 https://giswatch.org/en/country-report/communications-surveillance/thailand
11 http://lawdrafter.blogspot.co.uk/2014/07/translation-of-constitution-of-...
12 http://thailaws.com/law/t_laws/tlaw0294_2.pdf
13 http://www.thailawforum.com/laws/Martial%20Law.pdf
14 http://internet.nectec.or.th/document/pdf/210908080401.pdf
15 Information obtained from an interview Privacy International conducted with Thitirat Thipsamritkul.
16 Information obtained from an interview Privacy International conducted with Thitirat Thipsamritkul
17 http://thailaws.com/law/t_laws/tlaw0294_2
18 http://www.asianlii.org/th/legis/consol_act/oia1997197/
19 https://giswatch.org/en/country-report/communications-surveillance/thail...
20 http://www.asianlii.org/th/legis/consol_act/oia1997197/
21 http://www.nbtc.go.th/wps/wcm/connect/a0726c804a97b6209a1edfb1f5b6d48d/%...
22 https://www.eff.org/deeplinks/2014/06/thai-junta-used-facebook-app-harve...
23 http://prepaidwithdata.wikia.com/wiki/Thailand and http://www.bigmangoproperties.com/thailand/living/what-mobile-service-providers-are-available-thailand
24 http://prachatai.org/english/node/433
25 http://www.nationmultimedia.com/politics/Police-seek-to-check-Line-posts...
26 http://www.nationmultimedia.com/politics/Police-seek-to-check-Line-posts...
27 http://www.nia.go.th/niaweb/content/showsubdetail.asp?fdcode=21112121151...
28 http://www.dsi.go.th/view.aspx?tid=T0000008
29 http://www.nia.go.th/FileRoom/CABFRM01/DRAWER01/GENERAL/DATA0017/00017367.PDF
30 http://www.zdnet.com/article/thai-police-seeking-to-monitor-line-messages/
31 http://internet.nectec.or.th/webstats/home.iir
32 http://thailandnow.info/400-million-baht-in-the-fight-against-lese-majes...
33 http://www.sampsoniaway.org/blog/2012/01/11/thailand-cyber-surveillance-...
34 http://203.155.220.230/m.info/bmaservice/02/2_09.html
35 http://www.secureidnews.com/news-item/thailand-introduces-national-id-wi...
36 http://www.precisebiometrics.com/sites/default/files/Precise_CaseStudy_T...
37 http://www.telecomasia.net/blog/content/thai-junta-holding-mother-all-ga...
38 http://www.nationmultimedia.com/business/App-based-mobile-SIM-card-regis...
39 http://www.nationmultimedia.com/technology/SMART-THAILAND-PROJECT-ON-TRA...
40 http://www.asiandefense.com/?cid=2023326
40 http://www.bbc.co.uk/news/world-asia-29628191
41 http://www.prachatai.com/english/node/4140
42 https://citizenlab.org/2014/02/mapping-hacking-teams-untraceable-spyware/
43 http://www.bbc.co.uk/news/world-asia-27727510
44 https://giswatch.org/en/country-report/communications-surveillance/thailand
