State of Privacy Thailand
A study of privacy and surveillance issues in Thailand. The State of Privacy project was last updated on January 2019, unless otherwise provided on specific pages.
Introduction
Acknowledgment
The State of Surveillance in Thailand is the result of a collaboration by Privacy International and Thai Netizen Network.
Right to Privacy
The constitution
Thailand experienced a coup d'etat in May 2014. According to Mishari Muqbil and Arthit Suriyawongkul, “their [the junta's] modus operandi seems to be the direct command of ministries and semi-governmental organisations to carry out tasks irrespective of existing legislation.”
Following the coup, in July 2014, Thailand instituted an interim constitution.The interim constitution did not refer to privacy and data protection and the only mention of rights in it is in Section 4:
"Subject to the provisions of this Constitution, all human dignity, rights, liberties and equality of the people protected by the constitutional convention under a democratic regime of government with the King as the Head of State, and by international obligations bound by Thailand, shall be protected and upheld by this Constitution.”
A new constitution was then drafted and on 7 August 2016, it was put to a popular vote in a referendum. The constitution was approved with over 61% of the vote, although external observers criticized the lack of information publicly available about the constitution in the run-up to the referendum.
The new constitution specifically upholds the right to privacy. Section 32 reads: "A person shall enjoy the rights of privacy, dignity, reputation, and family. An act violating or affecting the rights of a person under Paragraph One, or the use of personal information for benefit by any means shall not be permitted, except by virtue of the provisions of the law specifically enacted as deemed necessary for the public interests."
Regional and international conventions
Thailand is a signatory to a number of human rights instruments with privacy implications including:
- The International Covenant on Civil and Political Rights;
- The International Covenant on Economic, Social and Cultural Rights; and
- The ASEAN Human Rights Declaration.
Communication Surveillance
Introduction
Mobile phones are very commonly used in Thailand. Since 2010, there are more mobile phone subscriptions in Thailand than there are Thai citizens: in September 2016, there were 82.8 million mobile subscriptions for 68 million people.
Of the total handsets sold in the first quarter of 2015, 76.5 % were smartphones, compared to 64.8 % in 2014.
Only 5.5 million people in Thailand (8 % of the total population) are subscribers of broadband (fixed-line) internet connections, with 53 % of these concentrated in Bangkok metropolitan area. According to Internet Live Stats, there are an etimated 29 million internet users in Thailand in 2016, which translates to a penetration rate of 42 % of the population.
Around 22 million users access social media sites daily. Popular mobile applications include Facebook, Line, WhatsApp, Google Maps, YouTube, and mobile games and music.
As of May 2016, Facebook was the most popular social media with 41 million subscribers, followed by Line with 33 million users, YouTube with 16 million users, Instagram with 7.8 million users and Twitter with 5.3 million users.
Thai Facebook users often choose pseudonyms instead of their real names and use pictures other than of their own faces for their Facebook accounts because of strict censorship of certain types of political speech, including criticising the king and royal family. The Japanese messaging application Line is also very popular, with around 33 million registered accounts.
There are ten internet exchanges in the country:
- State-owned internet provider CAT;
- TOT, an internet provider;
- IIR-NECTEC, an internet research lab;
- True, an internet provider;
- CSLOXINFO, a cloud computing service;
- TCC Technology, a company offering cloud-based solutions and hosting services;
- BB Connect, a gateway service provider;
- Symphony, a network provider;
- SBN, a network provider; and
- JasTel, a telecommunications company.
Surveillance laws
Section 25 of the Special Case Investigation Act addresses the interception of communications in postal, digital and telephonic forms. When there is a suspicion that a communication of any sort was used or may be used to commit a special case offence (serious crimes requiring an investigation as defined in section 21), the Special Case Inquiry Official from the Department of Special Investigation may ask the Chief Judge of the Criminal Court for an authorisation to obtain the information. When granting the permission, the Chief Judge has to justify the decision to prove that there is a reasonable ground that the person whose communication is being intercepted will or has committed a crime and that there is no other appropriate method to investigate the offence. The interception must never exceed 90 days.
However, the martial law that was declared after the coup in May 2014 is currently still in place. It grants the military the right “to inspect [any] message, letter, telegraph, package, parcel or other things transmitting within the area under the Martial Law.”
On May 2014, the junta published Order 26/2014 on “the control and surveillance of the use of social media.” In this order, the government claims the right to “monitor and access the computer traffic, the use of websites, social media, photos, text, video and audio which are deemed to instigate violence and unrest, which are deemed to be unlawful and which violate the National Council for Peace and Order’s (NCPO) Orders.”
Use of evidence obtained from surveillance in court
Evidence obtained from surveillance can be used in court according to the Special Case Investigation Act. Since May 2014, 'lese-majeste' cases, which focus on alleged defamation of the Thai King and which often involved content posted online, are heard in military court.
Surveillance actors
Intelligence/security agencies
The main intelligence agencies in Thailand are the National Intelligence Agency (NIA), the Department of Special Investigation (DSI), the Directorate of Joint Intelligence of the Royal Thai Armed Forces and the Special Branch of the Royal Thai Police. The NIA was formed during World War II and the DSI in October 2002.
The Special Case Investigation Act defines the specific function of the DSI. More generally, the role of intelligence agencies is defined in the National Intelligence Act of 1985 that requires all agencies to submit reports of their work to the National Intelligence Agency. The same act mandates the NIA to:
- carry out intelligence-related work for security and civil defence;
- monitor what could affect the country's stability both domestically and abroad and report to the Prime Minister and the National Security Council;
- carry out research and development related to intelligence in order to enhance the performance of civilian security;
- coordinate the various intelligence agencies;
- propose policies and measures; and
- provide guidance and advice to the Prime Minister and the Council of National Security.
Law enforcement
The government has threatened to tighten its control over social media and the NCPO has asked the Ministry of ICT to come up with measures to this effect.
The Royal Thai Police is also drafting a new amendment on criminal procedure law. It will grant more power to the police to intercept communications in serious cases. The permit will be given by the chief judge and will be valid for only 90 days. This amendment is aimed at extending the police's investigative power.
The Technology Crime Suppression Division (TCSD) is involved in intelligence gathering, as suggested by a case in which a Facebook application was used to harvest user's information. In August 2013, the TCSD had also requested the messaging application Line to assist in the monitoring of Thai messages.
Surveillance capabilities
In December 2011, Deputy Prime Minister Chalerm Yubamrung announced the purchase of a “lawful interception system” for 400 million baht (over US$ 12 million) for use by the police and the Ministry of ICT. The system is based in the office of the Ministry of ICT and can intercept voice communications, emails, text messages and chat room messages. In an attempt to reassure Thai citizens, Siripong Timula, the then-Deputy Head of the Technology Crime Suppression Division, said that interception would only occur following the permission of court.
In 2013, the Ministry of Defence organised the “Defense and Security" trade show. The event promised to display “telecom and electronic defense equipment.” Talks on "cyber warfare" were also conducted during the conference. The conference counted many representatives from foreign defense agencies, including from the UK Trade and Investment Defence and the Director of Marketing and Communication of the Israeli Defence Ministry.
In April 2013, a Thailand-based reseller for American technology firm Blue Coat, which sells deep packet inspection technologies, organised a “i-Security Seminar” sponsored by US firm Blue Coat, among others. The guest speaker was Police Colonel Yanaphon Youngyuen.
The release of Hacking Team email server has revealed that Thailand had purchased the spyware Remote Control System for use in the restive south of the country.
Surveillance oversight, checks and balances
Reponsibility for Thailand's national security appears to be largely in the hands of the ruling military junta, the National Council for Peace and Order (NCPO).
Surveillance case law
Privacy International is not aware of any specific surveillance case law in Thailand. Please send any tips or information to: [email protected]
Examples of surveillance
The community of Thai Muslims who live in the far south of the country, at the border with Malaysia has been reported to be under high levels of surveillance. Generally, anyone who criticises the Royal Family even in a muted way can be considered a criminal and therefore a likely target of surveillance. The number of arrests for lese-majeste crimes has multiplied since the coup.
Since the coup, however, targets of surveillance have included political dissidents and more particularly, students and young persons. The arrests are occuring primarily in the streets when dissidents publicly display opposition or protest, such as raising three fingers, a protest gesture popularised by the Hunger Games film.
Data Protection
Data protection laws
Thailand does not have a formal data protection act governing data protection or privacy. Data protections are currently regulated by:
- The constitution;
- The Thai Civil and Commercial Code;
- Statutory laws in some specific areas, including telecommunications, banking and financial businesses; and
- The Official Information Act 1997.
Accountability mechanisms
Freedom of Information
Thailand has a Freedom of Information Law. The exceptions to this law are:
- Any official information that may jeopardise the Royal Institution;
- Information that would jeopardise the national security, international relations, or national economic or financial security;
- Information that would lead to decline in the efficiency of law enforcement or failure to achieve its objectives, whether or not it is related to litigation, protection, suppression, verification, inspection, or knowledge of the source of the information;
- An opinion or advice given within the State agency with regard to the performance of any act, not including a technical report, fact report or information relied on for giving opinion or recommendation internally;
- Information that would endanger the life or safety of any person;
- A medical report or personal information the disclosure of which will unreasonably encroach upon the right of privacy;
- An official information protected by law against disclosure or an information given by a person and intended to be kept undisclosed; and
- Other cases as prescribed in the Royal Decree.
Data breaches: case law
Privacy International is not aware of any specific case law related to data breaches in Thailand. Please send any tips or information to: [email protected]
Examples of data breaches
In March 2016, a database containing the personal details of 2,000 expatriates was leaked online. The site developer admitted he had published the database by mistake while testing a website comissioned by the immigration police.
Identification Schemes
ID cards and databases
All Thai citizens over 15 and under 70 years of age must have an identity card. The first law on identity cards was passed in 1963. The current laws concerning identity cards entered into force in 1984. Since 2005, Match-on-Card technology provided by the company Precise Biometrics has been used on Thai national ID cards. Precise Biometrics also sold 36,000 fingerprint scanners to Thailand. They expected that within three years every Thai citizen would have a biometric ID card. The Ministry of ICT was responsible for carrying out the project, which was launched to combat identity theft and false or multiple identities.
The Department of Provincial Administration is in charge of managing the ID cards. In order to access the internet in cybercafes, users are asked to show their ID, which is recorded before access is granted. Furthermore, sources have reported on Telecomasia.net, that the Ministry of ICT was in June 2014 consulting vendors to develop a technical strategy to “lock the Internet.” The plan was reported to be to require every Thai citizen to systematically authenticate their details every time they logged on to the internet using their ID card. It was unclear how foreigners would manage to access the internet when visiting Thailand.
Voter registration
Privacy International is not aware of any privacy issues related to voter registration in Thailand. Please send any tips or information to: [email protected]
SIM card registration
In June 2014, a request from the National Broadcasting and Telecommunications Commission made it mandatory for operators to register SIM cards on their networks. SIM vendors use an application downloaded on their own smartphone to register the SIMs. In order to register a SIM card, the vendor takes a picture of the code on the SIM card and a picture of the buyer's ID card with the application, which then sends the information to the NBTC server. Once the information is approved, the NBTC sends back a message to the vendor allowing him or her to activate the SIM card. In an attempt to address privacy concerns, the NBTC has explained that the application automatically deletes the pictures from the vendor's phone. Foreigners who do not have a Thai ID card may use their passport.
Policies and Sectoral Initiatives
Cybersecurity policy
Cybersecurity is the responsibility of the Technology Crime Suppression Division. On June 2014, the division was reported to have created a fake Facebook application that harvested users' private information.
Eight new cyber security bills are currently at various stages of deliberation.
Thailand has a CERT (Computer Emergency Response Team) that offers free assistance in dealing with computer security incidents for the government, the private sector, organisations, universitites and internet service providers.
Cybercrime
After a nine year drafting process, the Thai Parliament passed the Computer Crime Act in 2007. The act contains provisions allowing access to and collection of data by authorized authorities.
“If there is reasonable cause to believe that there is the perpetration of an offence under this Act, then a relevant competent official shall have any of the following authorities only as necessary to identify a person who has committed an offence in order to:
(1) issue an inquiry letter to any person related to the commission of an offence under this Act or summon them to give statements, forward written explanations or any other documents, data or evidence in an understandable form.
(2) call for computer traffic data related to communications from a service user via a computer system or from other relevant persons.
(3) instruct a service provider to deliver to a relevant competent official service users- related data that must be stored under Section 26 or that is in the possession or under the control of a service provider;
(4) copy computer data, computer traffic data from a computer system, in which there is a reasonable cause to believe that offences under this Act have been committed if that computer is not yet in the possession of the competent official;
(5) instruct a person who possesses or controls computer data or computer data storage equipment to deliver to the relevant competent official the computer data or the equipment pieces;
(6) inspect or access a computer system, computer data, computer traffic data or computer data storage equipment belonging to any person that is evidence of, or may be used as evidence related to, the commission of an offence or used in identifying a person who has committed an offence, and instruct that person to send the relevant computer data to all necessary extent as well;
(7) decode any person’s computer data or instruct any person related to the encryption of computer data to decode the computer data or cooperate with a relevant competent official in such decoding;
(8) seize or attach the suspect computer system for the purpose of obtaining details of an offence and the person who has committed an offence under this Act.”
A service provider is a broadly-defined term that lacks the required accuracy for effective implementation of the law. It may refer to anything ranging from a satellite link provider to an internet cafe offering Wi-Fi access.
Encryption
A report leaked by Thai Netizen Network suggests that the Thai government intends to propose an amendment to Article 20 of the Computer Crime Act to allow the Ministry of Information and Communication Technology to "access, block or delete encrypted content on websites."
The document points specifically to Secure Sockets Layer (SSL) saying that "to delete or stop the dissemination of data under this protocol, the Ministry requires special methods and mechanisms."
Licensing of industry
The three main mobile service providers in Thailand are:
- Advanced Info Service (AIS). AIS was founded by Thailand's former prime minister Thaksin Shinawatra. It is now controlled by Intouch PLC which is headed by Temasek Holdings, an agency owned by the Singaporean government.
- DTAC (formerly TACl). DTAC is now owned by Norwegian company Telenor.
- True. True is owned by CP Group, a Thailand-based Asia leading conglomerate. China Mobile holds 18 % of its shares.
Thailand has a variety of internet service providers (ISPs). Among the largest are True, TOT (state-owned) and 3BB (owned by Jasmine International).
The NCPO is not the first Thai government to threaten its citizens with surveillance. In 2010, the Ministry of ICT had already announced a plan to force all ISPs to install so-called “sniffer tools” (which may signify deep packet inspection tools). The project had apparently backfired after having caused outrage among the population and the media.
The independent publication Prachatai reported that in September 2015 the government started using a surveillance device to 'sniff' internet traffic. Sources suggest that the device was purchased to track lese-majeste content online. Sources have also suggested the device selected would allow the breaking of encryption protocols.
In 2013, the government was reported to be planning to collaborate with popular messaging application Line to monitor message content. Pol Maj Ge Pisit Pao-in, then-commander of the TCSD, had admitted to having failed to obtain the authorisation from major social media networks based in the West.
While there was never a clear outcome concerning the possible surveillance of Line, Pol. Maj. Ge Pisit Pao-in nevertheless made concerning announcements stressing how little the pre-coup government cared about privacy and the rule of law. "We are not violating anybody's rights, as the checking is being done overseas. So you can't really attack me for this," he said to the Nation. "Nowadays people use smart phones like a mobile computer. They use it to take videos, upload information, transfer money and connect to social networks. Therefore, we have to investigate information being sent via smart phones as well," he said. "If I want, I can investigate all the information on smart phones. We can investigate all the crimes done via computer systems."
Licenses to operate are normally issued to service providers by the National Telecommunication Committee. However, the Computer Crime Act contains some technical requirements for data retention with which internet service providers (ISPs) and telecommunications service providers must comply:
“A service provider must store computer traffic data for at least ninety days from the date on which the data is input into a computer system. However, if necessary, a relevant competent official may instruct a service provider to store data for a period of longer than ninety days but not exceeding one year on a special case by case basis or on a temporary basis.
The service provider must keep the user's information of the service user in order to be able to identify the service user from the beginning of the service provision, and such information must be kept for a further period not exceeding ninety days after the service agreement has been terminated.”
The NCPO announced on August 2013 that NBTC would have to postpone auction for spectrum licenses for a year commencing from the Order date (Order no. 94/2557).
E-governance/digital agenda
Privacy International is not aware of any privacy issues related to e-governance in Thailand. Please send any tips or information to: [email protected]
Health sector and e-health
Thailand has three different types of health services: the Universal Coverage Health Scheme (UCS), the Civil Servant Medical Benefit Scheme for civil servants only and the private medical sector. All services require registration, and in order to access free healthcare with the UCS, it is mandatory to have a UCS card.
Smart policing
Privacy International is not aware of any smart policing issues in Thailand. Please send any tips or information to: [email protected]
Transport
Transportation systems sometimes require users to acquire and use ID cards or other tokens that can collect data about them. Bangkok's public transport users rely on the Skytrains and the Metro. Regular users can purchase a 30-Day SmartPass for 15, 25, 40 and 50 trips. The fare for each trip is based on distance travelled. The SmartPass contains an electronic chip that stores data but it is unclear what data is stored.
Smart cities
In early 2012 Thailand launched the Smart Thailand project to increase internet penetration in underserved parts of the country. The first phase of the project was to upgrade the existing network so that the internet would be available to 80 % of the population. The second phase, planned for from 2016 to 2020, will see the installation of fibre optic networks. The goal for that phase of the project is to increase internet penetration in Thailand to 95 % of the population.
As part of the project, state and private companies set up a joint venture company – NBNCo – in order to reduce the duplication of investment in fibre optic networks among networks and telecom operators. NBNCo was expected to manage and operate the network for service providers.
In order to democratise internet access, the ICT Ministry also planned to initiate free Wi-Fi projects in remote areas and in cities across the country. The initial phase aimed to create 20,000 Wi-Fi hot spots in public locations such as airports, public transportation venues, government offices, and universities. This service was to be provided by TOT Corporation and CAT Telecom, two state-owned providers.
The second phase of the free Wi-Fi project aims to create 250,000 free Wi-Fi hot spots across the country by 2017 and to involve private companies.
Smart Thailand is, however, not limited to developing internet access. The other goal of the project is to develop a “Smart Government.” The Smart Government initiative aims to put all government services (about 800 in total) online. The project was divided into four areas: education, health, government service and agriculture. The government referred to the Revenue Department's online tax service and the Passport Division's passport services as successful examples of “Smart Government.”
Migration
Since 2005, Thailand has been issuing e-Passports with biometric data including fingerprints and facial features.
Since 2015, the Thai government has worked with United Nations High Commissioner For Refugees (UNHCR) to roll-out a plan to identify refugees in Thailand. Thailand has nine camps for refugees from Myanmar.
The plan aims to use biometrics to verify and update the records of the estimated 110,000 total registered and unregistered refugees living in Thailand. Data such as family composition, births, deaths and marriages will be recorded. Fingerprints and iris scan of refugees would be collected and are stored on an online database accessible from anywhere in the world. All refugees are supposed to receive a smart card with their photograph and the biometrics details of all their family.
The UN is planning a global roll-out of this biometrics plan; Thailand was the first country to see it deployed.
Emergency response
Privacy International is not aware of any privacy issues related to emergency response in Thailand. Please send any tips or information to: [email protected]
Humanitarian and development programmes
Privacy International is not aware of any privacy issues related to humanitarian and development programmes in Thailand. Please send any tips or information to: [email protected]
Social media
In late May, Pol. Maj. General Pisit Paoin, now head of the junta-appointed working group responsible for censoring the internet, told Thai media that “the Ministry plans to spy on popular social media and chat applications in order to identify and arrest people who spread illegal content.” He stated: “we’ll send you a friend request. If you accept the friend request, we’ll see if anyone disseminates information which violates the National Council for Peace and Order (NCPO) orders. Be careful, we’ll soon be your friend.”
The NGO iLaw has reported multiple arrests based on content posted on Facebook. Some of the posters of this content may have been denounced by those “fake friends.” The likeliness of befriending a “fake friend” in Thailand is high because many people do not use their real names on Facebook and it is not uncommon for people to accept a friend request thinking it might be someone that they know.
Since the beginning of the unrest, there have been few cases that suggest a clear link to arrests based on surveillance. One such case regards the high-profile activist Sombat Boonngamanong. Boonngamanong had gone into hiding and had posted a message on Facebook addressing the authorities: “Catch me if you can.”
Military officials claim they have managed to locate him based on his IP address the time of his posts. Internet activists Mishari Muqbil and Arthit Suriyawongkul expressed their concerns about the implication of such a statement, because when settings are carefully set up, Facebook and Twitter (the two means of communications Sombat was using) should not reveal your location and run over encrypted HTTPS connections.