Wednesday, January 09, 2008

Cybercrime law : Privacy is a right, not a privilege

Database News : Thursday December 06, 2007

OPEN THOUGHT

DON SAMBANDARAKSA

The ICT industry has already felt the cost of the new cybercrime law as a large number of Thai hosts are selling up to larger players or moving out of the company because the cost of compliance and risks involved are too high.

It was over lunch on the fifth and final day of an information-packed ICT Forum that I found myself at the same table as the speakers from the recently concluded panel on the implications of the cybercrime law, Talad.com's Pawood Pongitayapanu, Police Colonel Darun Chatcharoen of the Police High-Tech crime division and most of the ATCI.

Months ago, just after the cybercrime bill had been passed, one of the major hosting providers, ISSP, predicted that the result of this law would be the death of the domestic hosting market. The 90-day log rule in particular and the draconian 500,000 baht fine for failing to provide "relevant" information would make complying with the law simply too expensive and it would be cheaper to use US-based hosts rather than comply with the regulation.

Pawood told us that in fact that scenario is already playing out. His company, a mid-scale player, is buying up the small guys who have taken one look at the new law and decided to sell their customers and equipment to him for cheap.

So in effect, the law is forcing consolidation, killing off the small entrepreneurs and letting only the larger companies that can afford the cost of keeping those logs survive.

Whether this is a good or bad thing is debatable. Darun seems to be of the opinion that this is a natural evolution and that system administrators need to grow up and become more professional. I feel that growing up is fine, but not at the cost of killing off all innovation and not at this early stage in our ICT development.

But whether hosting a server overseas actually works or not is open to debate. By doing so, the onus of identifying an action is shifted to the ISP.

Darun said that if the server is overseas and is owned and run by a foreigner, there is not much he can do about it. But if it is registered in a foreigner's name as a proxy and is really owned, run and operated by someone in Thailand in order to avoid the law, then he said the law has provisions to come down very hard on that person.

But there are so many grey areas. The whole idea of the logs (as explained by Darun in the main session) was to keep enough information to identify and put a name on anyone who posts, uploads or sends something. While that fits the paradigm of someone running a copy of PHP Nuke on one machine with a local MySQL database server, today we can accomplish as much, if not more, with services.

What if we run a discussion on Google Groups, a service rather than a dedicated server? Or rather than a dedicated web board, we post comments to Picasaweb or Flickr? A lot of the cybercrime bill's provisions could easily be broken (defaming, altered images) and we would not have a server or server log to supply the police. Is then the person who creates the group or album to be held responsible?

The point here is that the cybercrime law simply kills off the small operators and leaves only the large ones.

Then there is the concept of seizing machines for evidence. Pawood's site was shut down once when police seized the machines on a counterfeit copyright infringement charge as one of his users was selling counterfeit goods. That brought his entire business to a stop while the evidence was gathered.

Now luckily, that was just one server running one website. What if multiple websites shared a virtual server? What if we have a proper data centre with VMware shifting virtual machines around the data centre? One aberrant seller managed to take down the entire market website for selling counterfeit goods, so imagine what would happen to all the other users if police seize machines for evidence. How many other users will be affected?

The other point I find very unreasonable is that as a Thai citizen, I have to give up my private key or password to help police in their investigation. What ever happened to "you have the right to remain silent, anything you say can and will be used against you in a court of law?" The privacy implications of this are enormous. Privacy is a right, not a privilege. It should not be a crime.

Again, on a practical note, when I send encrypted email (which I do a lot), I never encrypt to myself. Meaning only my recipient can read it and that no matter what I do, I cannot retrieve it as I do not have a private key to decrypt it. Enigmail encrypts to self by default, so turning that off might be sensible in light of this law, even if it does make going back on important email all but impossible.

Also debatable is the way Thai criminal law requires intent for a crime. He said that posting or emailing a list of illegal websites without the illegal content itself is illegal, but that in his opinion, a search engine like Google returning those results is not, as an automated system does not have any intent behind it.

On the one hand, it silences freedom of opinion if referring to an illegal link itself is illegal. On the other, it almost begs the business model where someone creates an automated system that unintentionally breaks the law and benefits from it from some banner ads in the process.

In the end there was very little I found myself agreeing with when it comes to how the law on stage that day. My only solace is that the law has yet to be tested and interpreted in court, and perhaps the judges will have a more reasonable interpretation of the law than the police.

By : Bangkok Post
