Computer Crime Act
Thailand’s Computer Crime Act B.E. 2550 (A.D. 2007) took effect on July 19, 2007. However, the requirements of the Act only became universally effective for ‘all service providers’ on August 24, 2008. Many companies are still wondering about the real impact of the Act on their businesses and whether they are considered ‘service providers’ under the Act.
At first many companies seemed to believe that the definition of service providers under the Act only meant ‘Internet Service Providers (ISPs)’. But the Ministry of Information and Communication Technology (MICT) issued a Notification on Criteria Concerning Archiving of Computer Traffic Data of Service Providers on August 21, 2007, which provided technical clarifications to the Computer Crime Act (CCA) regarding the various categories of Internet service and content providers and how the requirements of the CCA apply to them.
The Notification distinguishes between five categories of service providers as follows:
1. telecommunication and broadcast carriers (such as CAT);
2. access service providers;
3. hosting service providers;
4. Internet shop operators; and
5. content and application service providers.
As a result of such clarification, it appears that ‘service providers’ include ‘access service providers’ (category 2); that is to say, any type of business providing access to Internet or computer communication.
The CCA provides the following broad definition of ‘service provider’: a service provider shall mean either (1) a person who provides Internet access or computer communication to ‘other persons’ or (2) a person who provides services of storing computer data for the benefit of ‘other persons’.
The MICT is taking a very broad interpretation of the term ‘other person’ so as to include a company’s own employees. As a result all entities that provide Internet access, computer communication or data storage to their employees in Thailand fall within the CCA requirements. Therefore all businesses that provide Internet access in Thailand are subject to the provisions of the Computer Crime Act.
How Does It Affect Business?
So what are the main requirements of the CCA that companies and individuals must comply with?
The main requirement for service providers is the data retention provision. Section 26 of the Computer Crime Act makes computer traffic data retention mandatory for at least ninety (90) days from the date on which the data is input into or accessed through a computer system. That means that service providers (including businesses) must keep records of their users’ Internet access and usage for at least 90 days, and for up to one year if so requested by the authorities.
Service providers could be subject to a fine of up to THB 500,000 if they cannot provide these records. If a company has intentionally supported a crime under the Act or an action resulting in the death of a person, the penalty includes imprisonment of up to 20 years.
Companies must therefore check if they comply with the provisions of the Act to avoid being fined if authorities knock at their door requesting their computer traffic data records.
The data retention provision is quite controversial as it goes further than computer crime legislation in other countries, which usually applies to public service providers only.
Penalties
The Act also establishes a number of criminal offences which fall into two categories:
Computer crime offences, whereby a computer/computer system is the target of an offence. Such offences include illegal access (hacking, eavesdropping), dissemination of information to allow illegal access, interception and stealing of information, data interference causing damage to a computer or computer system or network.
Penalties for these offences include maximum imprisonment of six months to five years and maximum fines of THB 10,000 to THB 100,000.
Computer-related crime offences, whereby computers or computer systems are used to commit fraud. Such offences include sending spam, disseminating instructions to commit computer crime offences, and importing to a computer system forged computer data to cause damage to another person or the general public, to damage the country’s security or to cause public panic. They further include lèse-majesté, importing data of a pornographic nature that is publicly accessible, and importing to a computer system pictures of another person which have been created, edited, modified, or altered in a manner that is likely to cause that person to be discredited, insulted or humiliated (for example a pornographic picture of another person).
Penalties for these offences include maximum imprisonment of one year to twenty years and maximum fines of THB 20,000 to THB 300,000.
Moreover, Section 17 of the Computer Crime Act provides extra-territorial applicability. Any person committing an offence against the Act outside the Kingdom and (1) the offender is Thai and the government of the country where the offence has occurred or the injured party is required to be punished or; (2) the offender is a non-citizen and the Thai government or Thai person who is an injured party or the injured party is required to be punished shall be penalised within the Kingdom. Foreign operators like Hotmail, Yahoo or eBay could therefore be potentially liable.
Some provisions of the Act also seem to be too broad compared to existing Thai laws or other jurisdictions. For instance, penalties may seem harsh compared to existing Criminal Code penalties regarding defamation. According to the Act, sending an email containing a picture impairing someone’s reputation may expose the sender to up to three years in jail. Posting improper content (lèse-majesté or pornographic content) may also expose the sender to up to five years in jail.
Police Power
The powers of the competent officers under the Act are also quite significant:
Without any Court approval, a competent officer can summon the parties concerned to give statements and clarification, to send documents and evidence, and can request computer traffic and service user data that is required to be kept under Section 26.
After obtaining approval from the Court, a competent officer can further copy computer data from a computer system, and seize the computer data or equipment storing the computer data from the possessor or controller. The officer can also inspect or access a computer system or computer data, or decrypt computer data.
While overall enforcement of the law remains to be seen, there have been several arrests and imprisonments of bloggers in Thailand who posted lèse-majesté comments.
In September 2008, the MICT also announced that it had detected more than 1200 websites that violated the CCA, of which 344 had content deemed insulting to the monarchy. The Minister of ICT said the court issued three orders shutting about 400 websites, some of pornographic or religious content.
Many internet cafés, hotels and restaurants in Thailand now require users to provide their identification card number. Such identification requirements also apply to wi-fi or wireless internet access. Service providers are required to keep a record of each user’s identity, log-in times and sites visited.
One can see the controversial character of such a law, and various journalists and freedom of speech activists have raised strong concerns that the CCA is a law restrictive of privacy rights. It is also possible that some of the provisions of the law may be declared unconstitutional for infringing personal rights and freedoms.
Although the legislative intent in enacting the Computer Crime Act may have been to protect all users, the actual impact of its provisions remains unknown. It is also questionable whether the Act will significantly help the Thai authorities to curb the behaviours that are really detrimental to businesses, such as hacking, spam and virus attacks.
Industry View
Bernard Collin, managing director, Safecoms
Why was this law created? Obviously to stop computer crime, and to identify and punish those who commit these crimes. So the law started with a definition of the crime and then who could be considered a perpetrator. You are not a criminal, nor are your employees, so why would you care?
The best way to solve a problem is to avoid it in the first place. This would be my advice with compliance to the CCA. Yes, it is important to clarify the exact implication of the law; however, understanding the real purpose of the Act is paramount to the compliance exercise.
Compliance (“Ignorance of the law does not excuse”)
The best policy is to demonstrate that you are taking all reasonable measures to comply with the law.
Because it’s so new, the Computer Crime Act is a bit of a puzzle and it’s difficult to know if you are in compliance or not. While there is still some debate, the law seems reasonably clear on what data you need to keep and for how long. In this respect, it’s a hardware and methodology issue.
What you need to do is first to restrict all access to the Internet the traditional way, meaning free access through your firewall for your employees or visitors.
The next step is to install a relay (proxy server) that will redirect all connections via a login system that will require identification of each individual with certainty.
The third step is to record all information about each communication, but not the communication itself. You need exact details as defined in the Act, and precise information like the exact time of each communication. The Act requires that you synchronise your recorder with a public time server and maintain precision in the logs.
The fourth step is to section the logs into readable chunks and store them safely, and maintain a backup remotely. Criminals have the ability to find where you log your communication and their trojans often perform a clean-up task after the act. It would be sad to go to a lot of expense to find in the end that your logs are empty or deleted just for the time of the crime.
Will this be enough?
Like newly enacted laws in many other countries, Thailand’s Computer Crime Act has ‘a few bugs’ that will need to be worked out, and unfortunately, 100% compliance is not possible. In the meantime, being secure enough to keep the criminals out, and demonstrating that you have acted according to the requirements and to the best of your capability is probably the best you can do.
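The fourth step above (chunked logs with a remote backup, and the risk of logs being emptied for the time of a crime) can be checked mechanically. The following is an added example, not part of Mr Collin's comments or of the Act: it audits daily log chunks against a hash-chained manifest kept on the remote backup and reports gaps inside the 90-day window. The daily chunking, the SHA-256 chain, the function names and the sample log line are all assumptions made for illustration.

```python
import hashlib
from datetime import date, timedelta

RETENTION_DAYS = 90  # minimum retention the article cites for Section 26

def chain_digest(prev_hex, chunk):
    """SHA-256 of one daily chunk, bound to the previous day's digest."""
    return hashlib.sha256(prev_hex.encode() + chunk).hexdigest()

def build_manifest(chunks):
    """(day, digest) list to be copied to the remote backup as chunks close."""
    manifest, prev = [], ""
    for day in sorted(chunks):
        prev = chain_digest(prev, chunks[day])
        manifest.append((day, prev))
    return manifest

def audit(chunks, manifest, today):
    """Check local chunks against the remote manifest over the retention window."""
    start = today - timedelta(days=RETENTION_DAYS - 1)
    window = [start + timedelta(days=i) for i in range(RETENTION_DAYS)]
    recorded = {day for day, _ in manifest}
    report = {"uncovered": [d for d in window if d not in recorded],
              "missing": [], "altered": []}
    prev = ""
    for day, digest in manifest:
        chunk = chunks.get(day)
        if chunk is None:
            report["missing"].append(day)   # chunk deleted locally
        elif chain_digest(prev, chunk) != digest:
            report["altered"].append(day)   # content changed after the fact
        prev = digest  # chain from the remote value so one bad day does not cascade
    return report

def demo():
    """Constructed data: 90 daily chunks, then one deleted and one emptied."""
    today = date(2008, 9, 30)
    chunks = {}
    for i in range(RETENTION_DAYS):
        day = today - timedelta(days=i)
        # constructed sample line: time, user and destination only, no content
        chunks[day] = f"{day}T09:00:00+07:00 user=emp01 dst=203.0.113.10:80\n".encode()
    manifest = build_manifest(chunks)
    clean = audit(chunks, manifest, today)
    del chunks[date(2008, 9, 12)]        # simulated clean-up of one day
    chunks[date(2008, 9, 13)] = b""      # simulated emptied log
    return clean, audit(chunks, manifest, today)

if __name__ == "__main__":
    for report in demo():
        print(report)
```

The audit is only as trustworthy as the manifest, so the manifest has to live somewhere the logging host cannot rewrite.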
Aung Kyaw Moe, managing director, SinaptIQ
We embrace the new Cyber Crime Act. Existing laws do not cover abuses related to computers and computer networks such as hacking, spamming, phishing, etc. They are not regarded as ‘theft’, ‘mischief’ or ‘trespass’ under the Thai Penal Code. We have financial transactions passing through our system every single minute and various attempts to abuse sensitive information are a part of our day-to-day business. With this new Act, we can fight against fraudsters and really take action.


