New cyberlaw ripe for abuse, activists warn
Election candidates urged to push for changes to prevent misuse by officials.
RIGHTS ORGANISATIONS and activists have red-flagged the recently approved cybersecurity law and are urging candidates in the March 24 election to push for amendments to narrow its interpretation and guard against infringements on freedom of expression and freedom of privacy.
While legislators insist that the law’s objective is to prevent attacks on the national computer system and would likely have no effect on online content, freedom watchdog group iLaw cites issues with Article 59 of the bill.
One clause lists challenges to peace and social order and to national security among cyberthreats.
The group says the clause could be interpreted to allow state action against any online content deemed offensive, and perhap also give the authorities access to the personal data of government critics. It could thus be abused to curtail freedom of expression, iLaw said.
It also sees potential for infringements on individual privacy.
Articles 61, 65 and 67 could enable the authorities to seize citizens’ personal communications devices if there was perception of a cyberthreat, iLaw said.
Court authorisation of such actions in the form of warrants could be issued retroactively, after the fact, and any data retrieved could be used to prosecute the device’s owner, it said – and in any criminal matter, not just instances of cybersecurity.
Sarinee Achavanuntakul, a champion of internet rights, echoed the concerns, stressing that the law requires stricter, narrower definitions. The legislation will have a significant impact on society and sets out hefty penalties for anyone convicted of crimes, Sarinee pointed out. Any possibility of the law being abused must be eliminated.
Proponents of the law have argued that the rights activists were simply biased towards the government, but Sarinee countered that anti-government groups had already learned the hard way that such legislation can be and is abused by people in authority.
She noted that the Computer Crime Law prohibits posting false information online to protect citizens from scams, but instead the junta-led government has often used it to silence and harass its critics, including former politicians and activists.
“I see this law as the product of some tug-of-war between security officials and legislators who knew more about the computer system,” Sarinee said. “Clearly, the computer experts lost, but they must have known that this goes far beyond merely protecting the computer system.”
So it’s crucial that the law be red-flagged now, she said. It has already been passed and awaits royal endorsement, but she urged citizens and the news media to keep their eyes on related organic laws to prevent further infringements on rights.
Sarinee said the political parties whose members had fallen prey to abuses of similar laws should press for amendments to this one.
People who work in data collection say the law is aimed at protecting the cyber infrastructure and would have no direct impact on online content.
The Personal Data Protection Act, also approved last week, would protect all of the individual information kept by service providers, said Apisilp Trunganont, co-founder and managing director of Pantip.com.
Patterned on strict European regulations, it has two main principles, he said. It requires data keepers to inform owners what they have stored and why, and it gives users the right to access their data and to ask that it be corrected or removed at any time.
Apisilp said Pantip.com planned to adjust its data collection to be in compliance with the new law. It will need a new feature allowing users to inform the site administrators that they don’t want their personal data stored.
“It’s an extra cost for further development, but not much,” he said. “It’s just a matter of adjusting the web page to display information about the law.”
Pantip has 5 million users, counting by ID or login. Their personal data includes email addresses and an ID number. Messages and comments posted are not considered personal data.
The site deletes within 15 days other personal data shared during registration.
The Computer Crime Law requires the site to store users’ traffic data for 90 days.