Cyberbill outcry puts PM on defensive
Critics fear law would allow state snooping
A public outcry over fears the draft cybersecurity law will give wider powers to authorities at the expense of individual privacy has led Prime Minister Prayut Chan-o-cha to retreat and order a review.
The move comes a day after Gen Prayut defended the controversial bill on the grounds that cybersecurity is a global challenge and the government needs the law to protect the public.
Critics are concerned the draft law is ill-defined, lacks check-and-balance mechanisms and might violate individuals’ rights and privacy.
Government spokesman Sansern Kaewkamnerd said yesterday the prime minister is aware of growing public concerns and has instructed legal experts to look into the matter.
Gen Prayut has yet to see a full report on the proposed law after its examination by the Council of State, according to the government spokesman.
Under the proposed law, which is being tabled for public comment, a body known as the National Cybersecurity Committee will be set up to draw up policies and action plans to boost cybersecurity.
Authorities would also have broad powers including searching and seizing computer systems without a court warrant in efforts to mitigate serious cybersecurity threats — elements that have sparked public concerns.
“If the draft law has details such as allowing officials to pry into personal information and private chats just because of security concerns, or searching and seizing devices without court approval or giving too much power to national security officials, these issues merit disagreement and thus the scope and criteria must be clearly defined,” Lt Gen Sansern said.
The government spokesman said the prime minister has also urged the public not to become anxious because the bill has not yet been approved.
On the contrary, the draft will be subjected to a more thorough review, especially in the area of officials’ use of power, he said.
Lt Gen Sansern said those in charge of examining the bill will also study cybersecurity laws in other countries, and ensure checks and balances are in place.
He said the public hearing process required by the new charter must be taken seriously and specialists may be invited to provide detailed information or answer people’s questions when the draft legislation is put up for public input.
“This is to make sure we have a comprehensive regulatory structure that can protect, is fair and does not pose any obstacles to national development,” he said.
Cybersecurity specialists are leading a campaign to put the brakes on the bill, saying the repercussions will be overwhelming if it is not revised.
Pol Col Yanapol Yangyuen, a member of a government-appointed committee on cybersecurity preparedness, said the new body is being given too much power in addressing cybersecurity threats.
He said the authorities are allowed to seize electronic devices, be they computers or smart phones, for examination for up to 30 days, and it does not matter if the devices belong to victims or suspected perpetrators.
He insisted a judicial review is necessary as a checks-and-balances tool while noting that penalties for non-compliance are also harsh with a proposed jail term of three years.
Anusorn Tamajai, dean of the economics faculty, Rangsit University, said the bill has several flaws that may hamper economic development, stifle innovation and undermine civil rights.
He said the bill fails to specify what the actual cybersecurity threats are while the creation of agencies responsible for critical information infrastructure is not comprehensive.
He suggested the draft law be put on hold and examined by the House of Representatives after the general election.
“The draft law should be put up for a wide debate and all stakeholders must get involved. Cybersecurity threats and cybersecurity must be clearly defined, for example, if online criticism against the government is considered a threat,” he said.
Deputy Prime Minister Wissanu Kreangam downplayed criticism of the bill, saying public feedback is welcome.
This year, the world has been looking out for evolving and more sophisticated cyber attacks, such as ransomware in the cloud and the weaponisation of artificial intelligence. Thailand’s cybersecurity bill should have been designed as a tool to prevent and handle these and other imminent threats against computer networks, telecommunications systems and infrastructure.
But the bill in its current form extends the mission beyond that territory, covering information deemed a threat to security.
Worse still, it grants excessive power to state authorities, paving the way for abuse while compromising the confidentiality and privacy of individuals and businesses.
Proposed under the military regime since 2015, the bill has previously drawn much criticism. As a result, it has been revised and was proposed for public hearings early this year. But its content remains controversial.
First of all, its content is too vague and broad when it comes to defining cybersecurity. Under the bill, authorities would be allowed to use their own discretion to determine what can be considered cyber threats.
The bill defines cybersecurity as measures and actions implemented to prevent, handle and reduce risks of any cyber attack that affects national security, economic security, military security and domestic peace and order.
In addition, its definition of “cyber” covers computer networks, systems and information. This means content used and stored on computers and online would be subject to this bill if authorities consider it a “cyber threat”.
This has prompted concern from netizens and activists who worry that the bill could be used as a tool by authorities to crack down on freedom of expression on the internet. In fact, the bill should not cover information and content which has already been covered by the data protection law. Without a revision to this provision, the bill will be misused in the same way as the Computer Crime Act, which has been wrongly used by security agencies to target political dissent, not computer crime.
This is worrying, especially given that the bill will establish a national cybersecurity committee, the majority of whose members hail from security agencies. Chaired by the prime minister, the committee includes the defence minister as first deputy chair and the minister of digital economy and society as second deputy chair. Other key members are the national police chief and the secretary-general of the National Security Council.
In addition to the committee, a cybersecurity agency will also be established with excessive authority. The agency can grant authorities the power to search, access and seize computer systems of individuals and companies without a court warrant. A civil court order will be needed only if the agency holds seized computers for more than 30 days.
Under such a provision, the bill risks compromising data confidentiality and privacy on the part of individuals and private organisations.
The devil is also in the details, or lack thereof.
The bill does not specify what level or type of cyber threats would command authorities to act. It only gives a broad definition that authorities can search, access and seize computer systems based on the “reasonable suspicion” that they constitute a cybersecurity threat.
This would allow state agencies to use their own discretion and interpretation of the law and creates too much room for abuse.
The bill needs a major overhaul and its revision must be transparent and open to the public.
Prime Minister Prayut Chan-o-cha and his cabinet must not submit the bill in its current form to the National Legislative Assembly, which is known for being a rubber stamp of the military regime, for further vetting and approval.
The country needs a cybersecurity law that can handle certain threats. But it does not need a law that paves the way for abuse and the disproportionate use of power by security agencies.