The government in Thailand has, this week, passed a hugely controversial new cyber-security law which is so loosely written that it poses a serious risk to the online security of Thai citizens and others visiting the country.
The bill (PDF in Thai) was passed by a majority of 133 votes, with no-one daring to vote against it, although there were sixteen absentees. It is worth remembering at this point that the Thai Government was put in place following a military coup which overthrew the democratically elected government in 2014.
It hands Thai authorities a number of sweeping new powers which are combined with woefully ineffective oversight measures and accountability. It seems almost inevitable that the law will drive more Thai internet users to use VPNs.
Thailand already has one of the highest ratios of VPN use in the world thanks to the country’s overbearing online censorship regime and excessive laws such as lèse-majesté, which can see Thai people jailed for years if they are deemed to have insulted the royal family.
ExpressVPN is the most popular VPN in Thailand at the moment, thanks in no small part to its combination of fast speeds, strong encryption, and large server network with multiple server locations across south-east Asia.
But there are other VPNs which have also made inroads in the Thai market including NordVPN and IPVanish. All of these providers will expect to see a spike in users in Thailand ahead of this new law coming into effect as people seek to protect their online rights and mitigate the risk of prosecution.
What the new law will bring
That risk is substantial as the new cyber-security law hands sweeping new powers to the Thai Government.
It gives them the power to search and seize internet data and equipment without the need for a court order or any independent approval in the case of a national emergency.
This power could see the government monitoring all internet traffic, accessing private and corporate data, and even attempting to access encrypted communication, without any obvious oversight whatsoever being put in place.
It also gives them the power to summon individuals for interview, enter private property without a warrant and make copies of any information they want. Anyone who fails to comply with these demands will face criminal sanctions.
The likelihood of this power being used seems high, especially given the loose definition of national emergency used in the law and the fact that Thailand is still run by the military.
There are also concerns over the role of the country’s National Cybersecurity Committee. This committee, which is chaired by the country’s Prime Minister holds the bulk of enforcement power over the new law.
However, its composition is weighted heavily in favour of the Thai government and there have been calls from all sides for greater representation from both the IT industry and civil society groups in Thailand to be included.
When the bill was first introduced into the Thai Parliament last year, it received widespread criticism. There have been some amendments and changes since then, but none of these has tackled the issues that most concern people.
As Arthit Suriyawongkul, an advocate for the Thai Netizen Network, told Reuters, “despite some wording improvements, the contentious issues are all still there.”
Industry bodies have been equally critical of the new laws. Jeff Paine, managing director of Asia Internet Coalition which represents the likes of Apple, Google, and Facebook in this part of the world released a strongly-worded statement condemning it.
“The Asia Internet Coalition is deeply disappointed that Thailand’s National Assembly has voted in favour of a Cybersecurity Law that overemphasizes a loosely-defined national security agenda, instead of its intended objective of guarding against cyber risks,” the statement read.
“The Law’s ambiguously defined scope, vague language and lack of safeguards raises serious privacy concerns for both individuals and businesses, especially provisions that allow overreaching authority to search and seize data and electronic equipment without proper legal oversight.”
There has also been fairly vocal online opposition to the new law too, with the hashtag #พรบไซเบอร์ trending on Twitter in Thailand.
No turning back
But the new law has been passed and seems certain to come into effect soon. The handful of people who have spoken out in support of it argue that it puts Thailand on a par with neighbouring countries in the region.
This is certainly true with neighbouring Vietnam bringing similarly controversial laws into effect at the start of this year. But Vietnam is a one-party Communist state that can be expected to follow China’s lead on these issues. The idea that Thailand should be heading down this same path is deeply troubling for a great many people.
But the reality is that they are and if Thai people want to keep their online activity private and secure online, the only real way they can do so now is to funnel everything they do through a VPN with a reliable no user logs policy and then be sure to regularly delete data on their own devices too.