The smell of fresh coffee. The friendly chime of windows opening up. Dingeling-ding-ding! Secretaries are snuggling up in their chairs with the inevitable pillow on their stomach. It’s another lovely Thai office morning like any other in all the tens of thousand of offices all over the smiling Kingdom of Thailand.
Suddenly, all these tens of thousands of offices in Thailand are turned into cyber criminals. Any minute, the police could charge through the front door – no search warrant needed – and slam a fine of half a million Thai Baht on the owner of the office.
Is that true?
Yes. Thai companies live happily unaware that every time their staff turns on their computers and downloads their email or goes to a web page without the company keeping an electronic record of what mails they send and receive or what pages they look at during the day, they actually break the law.
“Wow! Then we can see who is logging into JobsDB three times a day,” the boss may joke in a staff meeting.
The fact is that it is no joke. The law is already in effect and the fine is very real. But nobody complies with it. Half a million Thai Baht in fine for not snooping into the privacy of the employees is simply too absurd to be taken seriously.
“After all, our company is just an ordinary company like tens of thousands of ordinary companies out there. Surely the law must mean special computer related companies like internet access companies and that kind?”
Nope.
Around fifty members of the four Nordic Chambers of Commerce in Thailand attended a breakfast meetng on Wednesday 29 October with lawyer Yingyong Karnchanapayap of Tilleke and Gibbins to learn the chilling fact that they all have to comply with this new law. Khun Yingyong wasn’t even selling anything. A company had asked him to please mention that they offered a solution that will log all data traffic of the company, but he didn’t even mention the name of the company.
He explained the law.
It was passed last year and became effective on 18 july 2007. A clarification was issued later saying that first all telecom and broadcast companies had to comply with the law. That was on 22 September 2007. Next, as of 19 February this year, all internet service providers and public service providers for access to the internet like internet cafe’s etc. had to comply. Finally, as of 23 August 2008, the law came into effect for also all other access service providers, which is explicably meant to be the broadest possible interpretation, including any company where an individual can access the internet through a computer.
The first part of the law is not different from similar laws in most other countries. There are things you are forbidden to do to a computer, like hacking into it, and there are things you are forbidden to do with a computer, like spamming the world.
The kind of data that is specifically illegal to transfer according to the law is false information that may damage the security of Thailand and create panic, data related to terrorism and spreading of pornography. It is also specifically illegal to enter pictures that are modified in a way likely to cause damage to a person.
Doing any of this is punishable from 6 month in prison to death sentence accoring to the severity of the crime. The death sentence is applicable in a severe case where the act further caused loss of life.
Apart from the severity of the penalty, the law is so far not much different from similar computer crime laws enacted in most other countries in the world.
The issue starts with section 26. Here it says, that a service provider (read: a company where the staff can access the internet through a computer) must store computer traffic data for at least ninety days from the date the data is input into the computer system. And a company that fails to comply with this must be subject to a fine of “no more than five hundred thousand Baht”.
What data to log is different from each category of service provider in question. Ordinary companies must as a minimum log and keep for ninety days IP header data and for email communication all the SMTP information, sender, receiver, IP of clients, userID, and more. For web traffic all ftp logs, access logs, source IP, username, chat, etc.
The bad news is, that police does not need a court warrant to inquire into the data traffic of a company or summon the director of the company for questioning and request the 90 days of data logging and data on all users with access to the company’s computer system. Refusing to cooperate with the police wil give a fine of 200.000 baht and further a 5.000 baht fine per day untill the company complies.
Good news is a court order is required if the police wants to access trhe computer system or take the computers away for examining elsewhere or if they want to block the company’s IP address. The advice that Yingyong Karnchanapayap of Tilleke and Gibbins had for the fifty Nordic executives attendng the breakfast meeting was to find a solution to the logging requirement and furthermore inform the staff.
“You should issue a policy of the company, maybe have staff sign off to acknowledge the policy, that they must not commit any of the crimes mentioned in section 14 of the law as mentioned before – like email information that may dammage a person or the general public or damage the security of Thailand and information related to terrorism and not email pornographic images or modified pictures making fun of anyone.”
Companies should also explain to the staff that user name and passwords are for real – if someone uses the username of another employee to do any of the criminal acts covered by the law, the owner of the username will be held responsible unless they can prove themselves innocent, he added. Employees should not to forward emails where they don’t know the person who sent it to them and not click on links in emails they are not sure of, and not send emails to anyone if they are not sure it is safe according to the criminal content listed in the law.
From an employee point of view there is, however, also plenty of benefit in the new law. According to Yingyong Karnchanapayap, the boss should think twice before he or she opens the computer of an employee and reads emails or files that he or she does not have legitimate access to. If the person has protected the folder on the computer with an access code, it would be an even more severe crime, although the boss cannot use the information without revealing that it was obtained through illegitimate access to the computer. The ultimate crime would be if the boss tampers with your CV or deletes a file on your computer.
Enjoy your morning coffee and feel safe that big brother is watching you.
