Rights groups and IT industry advocates are calling on Thai lawmakers to amend a new Cybersecurity Act that they say gives the government virtually unchecked power to monitor online data.
The law sailed through an appointed Parliament unopposed in February, in the final months of the military junta that seized power from an elected government in 2014. It took effect in May, after a tainted general election in March that returned coup leaders to power.
Despite the return of civilian rule, dissidents hiding abroad have continued to disappear or be forced back to Thailand, opposition lawmakers have come under sustained legal pressure, and the government’s most vocal critics have suffered a spate of violent, unsolved attacks by armed gangs.
“When we saw the Cybersecurity Act, we (were) like, ‘OK, it’s another tool that the government is going to misuse to silence human rights defenders, to silence human rights activists,’” said Emilie Pradichit, director of Manushya, a local rights group.
The new law breaks cyber threats into three categories based on their level of risk or severity: non-critical, critical and crisis. It gives the government the authority to act on crisis threats without a court order, and it denies anyone targeted by the law in a crisis or critical threat case the right to any appeal.
Critics also complain that the act offers vague definitions for each threat level or what counts as “national security,” leaving it open to abuse.
In April, Manushya took the lead in bringing together rights groups, industry advocates and cyber experts to draw up a list of proposed amendments that might help check the government’s worst tendencies and safeguard online privacy. Among those who joined was the Asia Internet Coalition, which represents Google, Facebook and other industry leaders.
Their report, released Monday in Bangkok, recommends dozens of changes. They include making a court order mandatory even in crisis cases, giving all targets the right to appeal, and setting up an independent and diverse oversight body to monitor the government’s work. The recommended changes would also force the government to provide evidence of a threat before it could act.
“Without clear definitions and without monitoring and oversight of what the government is doing, they could seize any computer and could consider any threat as a crisis-level threat,” Pradichit said at a news conference.
Bhume Bhumiratana, who advised the government in drafting the act, praised officials for making it one of the first laws in Thailand to attempt a separation of powers.
The act sets up three committees to enforce the law, each with a different role. Bhume conceded that the upshot would be compromised by the fact that the committees will share some members, “but at least it’s a good concept,” he said.
He also called the act a “blunt tool” that needed “sharpening,” but was still “liveable.”
Arthit Suriyawongkul, co-founder of the Thai Netizens Network, disagreed.
He said the overlap between the committees made the promise of a separation of powers “practically impossible,” and that the exemption of the Cybersecurity Act from the purview of another new law, the Personal Data Privacy Act, only added to the risk of abuse.
“In the end, the safeguard that we believed that’s going to be in place is actually not there anymore,” he said. “I think … we actually have a very, very legitimate reason to worry.”
Thailand is the latest country in the region to introduce new laws to combat the growing threat from cyberattacks, many of them similarly rebuked for going too far, including Bangladesh and Vietnam.
Kees Rade, the Netherlands’ ambassador to Thailand, who hosted the April meeting on Thailand’s Cybersecurity Act, said states had every right and reason to arm themselves against those threats.
“What should always come first is the privacy of citizens, and also the political possibility for citizens to express their opinions,” he said.
“And unfortunately, especially in this part of the world, we’ve seen recently that some states are really using all these instruments we have in terms of monitoring the internet to basically do exactly just that, which is limit the freedom of their citizens to express themselves.”
Raman Jit Singh Chima, Asia policy director for Access Now, a U.S.-based digital rights group, said cybersecurity laws worldwide could stand for improvement but that the best of them had at least one thing in common.
“The countries that have good national cybersecurity laws are ones where there is honest trust between government, law enforcement, civil society, including human rights activists — passing the most extreme human rights activists — and media,” he said. “And countries where that doesn’t happen, there’s a problem that needs to be addressed.”
Thailand would seem to be among the latter.
Pradichit told VOA that government officials were invited to April’s meeting, but none showed up. Having repeatedly failed to engage the government on the issue, she said those pushing to amend the Cybersecurity Act would work through opposition parties in Parliament.
A lawmaker for the opposition Future Forward Party at Monday’s news conference said the party hoped to introduce bills amending the act and other laws when Parliament convenes in November.
Getting the bills through could prove tough. The opposition parties hold just under half the seats in the House of Representatives. Any legislation that makes it out must also pass the Senate, which was wholly appointed by the military junta before it stepped down.
Government spokeswoman Narumon Pinyosinwat could not be reached for this story. The Ministry of Digital Economy and Society, which is taking the lead on the Cybersecurity Act, did not reply to a request for comment. Calls to the head office went unanswered.