Thailand passes new cybercrimes law
Today the Bangkok Post reported that the Thai National Legislative Assembly (NLA) approved the Cyber Crimes Bill in a nearly unanimous vote. Nearly a year has passed since the military coup overthrowing former Prime Minister Thaksin Shinawatra, and the current NLA is made up of legislators appointed by the new government.
Since the coup, Thai citizens no longer have a constitution that guarantees or upholds their fundamental rights, and many provisions of this new law add to the uncertainty. ONI conducted a quick analysis based on a translated draft version of the bill from last fall provided by the Freedom against Censorship in Thailand coalition.
Of particular importance to users, accessing certain types of content has been brought into the broad scope of cybercrimes. In addition to facing prison terms for possessing child pornography, an individual is now prohibited from accessing a computer system to acquire data of a pornographic nature, data that is likely to harm national security or cause public panic, or data relating to a criminal offense against the security of the Kingdom (Article 13). This leaves anyone who attempts to access content filtered by the government without public consultation or stated legal authority vulnerable to criminal prosecution. ONI testing has found that pornography, sites relating to separatist conflict and domestic security, and content relating to lese majeste (hence the blocking of YouTube) are filtered in Thailand.
In the translated draft bill, the definition of "service provider" is broad and inclusive. A Thai government official stated that the definition covered a wide range of players, including cybercafes. From a reading of Article 3, service provider also appears to include any individual or entity that provides a service enabling any mutual communication via a computer system, which could bring e-mail providers and others under the scope of the law.
A range of service providers (to be identified later by a Minister) are required to store traffic data for a minimum of 30 days (Article 24), and competent officials have the right to demand user-related and user-identifying information from anyone (Article 16). The law was amended to require officials to secure court authorization in order to obtain this data.