Stamping out the flawed tech bills
The proposed digital legislation needs a rethink to prevent abuses of power, writes Sriwipa Siripunyawit
Imagine this scenario: you wake up one morning looking forward to your daily blog; then you discover that your personal information has been accessed, without your knowledge or permission, by the cybersecurity authorities, who require additional information in the name of “national security”.
If this sounds like an Orwellian nightmare, it could become reality if a draft cybersecurity bill becomes law. The bill, hatched by the Electronic Transactions Development Agency (ETDA) and supported by the Information and Communication Technology Ministry, would give wide discretionary powers to authorities to access information from individuals, groups and businesses under the nebulous aegis of national security.
Access can be made without a court order, and state officials have the power to suspend or halt online operations. This naturally has many business operators and privacy advocates concerned, as the law raises widespread questions about the possible violation of personal data or trade secrets.
Section 35 of the National Cybersecurity bill would let government officials access the information of any individual, company or group through any communication channel — post, telephone, telegraph, facsimile, computer, electronic device or IT media — without a court order. It is one of 10 bills recently drafted as part of the government’s digital economy push.
From an overall perspective, the 10 bills are a good start. But on closer scrutiny, the private sector and internet users must wonder if the bills would drive the digital economy or in fact obstruct it.
Some sections are open to abuse of power, granting enormous leeway to government officials at the ETDA and the National Cybersecurity Agency (NCSA).
More than 20,000 people have signed an online petition against the cybersecurity bill through the Change.org website. Last week, Sarinee Achavanuntakul, representative of the Thai Netizen Network and chairwoman of the Foundation for Internet and Civic Culture, submitted the petition to Chumpol Rodkhamdee, chairman of the National Reform Council’s media and information technology reform panel.
“It requires trust to develop a digital economy,” Ms Sarinee says. “That means personal information or business confidentiality must be protected from hacking or spying. But, given the bills, how can trust be achieved?”
Besides National Cybersecurity, other draft bills include Personal Data Protection, Promotion of Digital Economy, Computer Crime, Electronic Transactions, and Organisation to Allocate Radio Frequencies and Regulate Broadcasting and Telecommunications Business. Some received preliminary approval in early January.
Legal and IT experts say that while the bills are well intentioned, they lack checks and balances between judicial and executive power.
“Allowing any official unlimited access to people’s personal data will only defeat the purpose of the Personal Data Protection bill,” says Dhiraphol Suwanprateep, a partner at Baker & McKenzie.
Paiboon Amonpinyokeat, an e-commerce lawyer at P&P Law Firm, says the 10 bills are likelier to promote national security over the digital economy. “Actually, the private sector had expected to see some laws and regulations related to tax advantages, cheaper hosting fees or Board of Investment privileges to promote e-commerce,” he says, adding that public hearings should be held before any further drafting.
Pawoot Pongvitayapanu, president of the E-Commerce Association, says the bills have made foreign investors reconsider investment in Thailand for fear that their privacy and business confidentiality could be violated.
The rising opposition has forced the ETDA to hold a weekly open forum for all parties to voice concerns about the issue.
“Now we only hope that all comments and suggestions voiced by concerned parties will be taken into account by the government,” Mr Pawoot says.
BILL VERSUS BILL
It’s laudable that the government is moving forward with the Personal Data Protection bill, as the country has waited for almost two decades. The objective is to protect the right of communication between individuals.
But the National Cybersecurity bill seems at odds with the Personal Data Protection bill, letting officials snoop around in communications without court approval.
“And eavesdropping will even become lawful,” Mr Paiboon says.
Moreover, the NCSA — which includes officials from the Defence Ministry, the Technology Crime Suppression Division and the proposed Digital Economy Ministry — would be the agency in charge of carrying out two bills with entirely different mandates.
In international practice, an independent agency is usually in charge of overseeing personal data protection laws.
Mr Dhiraphol suggests the authority include the National Human Rights Commission and the Office of the Ombudsman among its members.
FINDING A BALANCE
Cybersecurity law has long been put into practice in developed countries. For instance, according to Mr Paiboon, the USA Patriot Act of 2001 authorises the director of the Federal Bureau of Investigation to apply for a court order before requesting business records. Britain grants its Defence Ministry similar powers.
For accessing personal information under Thailand’s National Cybersecurity bill, local legal experts recommend requiring a court order — one that states probable cause and limits the access time period.
“Also, the bill should add punishment for officials who abusively exercise power or use information wrongfully and illegally,” Mr Paiboon says.
But Surangkana Wayuparb, the ETDA’s executive director and chief executive, says the Council of State has already amended the bill to require officials to obtain a court order before taking action. She admits that the legislation was rushed and that the lack of a court order clause was an oversight.
Even so, Mrs Surangkana insists that officials should be protected by the law if they act according to the law: “If we authorise the power, we also need to protect them when exercising this power.”
All the draft bills are under the scrutiny of the Council of State.
POWER GAME
Other draft bills include Electronic Transactions and Promotion of Digital Economy, which would make the ETDA a national agency and the Software Industry Promotion Agency (Sipa) a part of the Digital Economy Promotion Agency.
Mr Paiboon says Section 34/1 of Electronic Transactions gives too much power to ETDA officers, who would be allowed to do searches and seizures of evidence without a court order.
“This section lets ETDA officers do what is usually the duty of police officers, but with an even greater power, as no court order is required,” he says.
The bill also grants the ETDA and its officials immunity from any liability or court prosecution.
Mr Paiboon says this clause should be scrapped, “as even the prime minister can face a lawsuit”.
The bill states that the government will financially support the agency, which is not required to submit its revenue to the state. The Promotion of Digital Economy bill has similar details.
Mrs Surangkana argues that the ETDA and NCSA must empower officers equipped with technical knowledge.
“That’s because computer crimes these days are so advanced that we need someone with this knowledge,” she says.
Up to now, ETDA officers lacked the authority to take action to prevent further damage when they uncovered cyberattacks.
“We could only notify the attacked parties, but they often ignored us or didn’t react accordingly to fix problems or prevent further loss,” Mrs Surangkana says. “Some even tried to cover up that their systems had been hacked. So we really need to give authority to NCSA officials. Don’t we look at the victim’s side at all?”
She says that exempting officers from liability and court execution is commonplace for government agencies, that the ETDA’s annual revenue is minimal (about 10 million baht), and that the revenue “should remain with the agency as an incentive motivating its officers”.
It requires trust to develop a digital economy SARINEE ACHAVANUNTAKUL Thai Netizen Network