MAPPING STAKEHOLDERS, DECISION-MAKERS, AND IMPLEMENTERS IN THAILAND’S CYBER POLICY
Internet Policy and Advocacy: Research Methods Workshop for South and Southeast Asia Actors
10 April 2017 @ National Law University, Delhi #AsiaInternetPolicy
@bactArthit Suriyawongkul Thai Netizen Network
OUTLINE
➤ Visualizing power relations of actors (data from Bills)
➤ Case: Personal Data Protection Committee
➤ Case: NSRA’s Cybersecurity Proposal
➤ Case: New digital regulation structures (Digital Economy Agenda)
➤ Case: Online media regulation after the 2014 Coup
➤ Case: Computer-related Crime Act Amendment / Campaign
➤ Looking for relationships between entities in the document, conversations, etc.
➤ Actor1 —Action—> Actor2 (Noun1 —Verb—> Noun2)
➤ A Director shall be appointed by the Board
➤ This can also be draw by tools like Gephi and NodeXL
DRAWING POWER RELATIONS
Noun1 Noun2
Verb
Board Director
appoints
PERSONAL DATA PROTECTION
COMMITTEE
Personal DataProtection Committee
Personal Data Protection Bill
Establish
PERSONAL DATA PROTECTION BILL (DEFINITION — SEC.5, 6)
➤ Section 5 — In this Act, […]
➤ “Committee” means the Personal Data Protection Committee;
➤ “Office” means the National Cybersecurity Agency;
➤ “Secretary-General” means the Secretary-General of the National Cybersecurity Agency;
➤ “Minister” means the minister having the charge and control of the execution of this Act.
➤ Section 6 — The Minister of Digital Economy and Society shall have the charge and control of the execution of this Act.
NationalCybersecurity Agency
Secretary-General
Minister of Digital Economy & Society
Digital Min
Personal DataProtection Committee
Personal Data Protection Bill
In charge of
Establish
PERSONAL DATA PROTECTION BILL (COMMITTEE — SEC.7)
➤ Section 7 — There shall be a committee called “Personal Data Protection Committee”, consisting of:
➤ (1) a Chairperson appointed by the Cabinet from the persons having distinguished knowledge, skills, and experience in the field of personal data protection, or information and communication technology, or any other field that is relevant and useful for the protection of personal data;
➤ (2) 4 ex officio members consisting of the Permanent Secretary of the Office of the Prime Minister, the Permanent Secretary of the Ministry of Digital Economy and Society, the Permanent Secretary of the Ministry of Interior, and the Secretary-General of the National Security Council;
➤ (3) not more than 4 qualified members, appointed by the Cabinet […]
Cabinet
NationalCybersecurity Agency
Secretary-General
Minister of Digital Economy & Society
Digital Min
Personal DataProtection Committee
Chair
Personal Data Protection Bill
In charge of
Establish
Appoint
PERSONAL DATA PROTECTION BILL (COMMITTEE — SEC.7 CONT.)
➤ The Secretary-General shall ex officio be member and secretary and shall have the power to appoint assistant secretary as deemed necessary.
➤ The rules and procedures on the selection of persons to be appointed as Chairman and qualified members, including the selection of persons to replace the qualified members who vacate office before the expiration of the term under section 10, shall be as prescribed by the Rules issued by the Minister.
➤ The Office shall perform the duties as the secretariat office for the Committee established under this Act […]
Cabinet
NationalCybersecurity Agency
Secretary-General
Minister of Digital Economy & Society
Digital Min
Personal DataProtection Committee
Chair
Secretariat Office
Secretary
Ex officiomember
Personal Data Protection Bill
In charge of
Establish
Appoint
PERSONAL DATA PROTECTION BILL (CHAIRPERSON — SEC.10)
➤ Section 10 — In addition to vacating office upon the expiration of the term under section 9, the Chairperson or a member vacates office upon:
➤ (1) death;
➤ (2) resignation;
➤ (3) being dismissed by the Cabinet due to negligence in the performance of duty, disgraceful behavior, or incapability;
➤ (4) being disqualified or under any of the prohibitions under section 8.
Cabinet
NationalCybersecurity Agency
Secretary-General
Minister of Digital Economy & Society
Digital Min
Personal DataProtection Committee
Chair
Secretariat Office
Secretary
Ex officiomember
Personal Data Protection Bill
In charge of
Establish
AppointTerminate
This National Cybersecurity Agency is to be established by another law.
NationalCybersecurity Agency
CYBERSECURITY (DEFINITION — SEC.3, 4)
➤ Section 3 — In this Act:
➤ “Secretary-General” means Secretary-General of the National Cybersecurity Agency.
➤ “Office” means the National Cybersecurity Agency.
➤ Section 4 — The Prime Minister shall have charge and control of the execution of this Act.
Cabinet
NationalCybersecurity Agency
Secretary-General
Minister of Digital Economy & Society
Digital Min
Personal DataProtection Committee
Chair
Secretariat Office
Secretary
Ex officiomember
Cybersecurity Bill
Personal Data Protection Bill
Prime Minister
In charge of
In charge
of
Establish
AppointTerminate
Establish
CYBERSECURITY (COMMITTEE — SEC.6)
➤ Section 6 — There shall be a committee called the “National Cybersecurity Committee” (NCSC) consisting of:
➤ (1) Minister of Digital Economy and Society as Chairperson;
➤ (2) Secretary-General of the National Security Council, Permanent Secretary of the Ministry of Digital Economy and Society, Permanent Secretary of the Ministry of Defense, Commander of the Technological Crime Suppression Division of the Royal Thai Police as 4 ex officio members;
➤ (3) Not more than 7 qualified members appointed by the Cabinet […];
➤ The Secretary-General shall ex officio be member and secretary, and assistant secretary shall be appointed as deemed necessary.
➤ The selection of the qualified members in paragraph 1 shall comply with the Procedures specified by the Cabinet […]
Cabinet
NationalCybersecurity Agency
Secretary-General
NationalCybersecurity Committee
Chair
Minister of Digital Economy & Society
Digital Min
Personal DataProtection Committee
Chair
Secretariat Office
Secretariat Office
Secretary Secretary
Ex officiomember
Ex officiomember
Cybersecurity Bill
Personal Data Protection Bill
Prime Minister
In charge of
In charge
of
Establish
Establish
AppointTerminate
Establish
Ex officiomember
CYBERSECURITY (SECRETARY-GENERAL — SEC.21)
➤ Section 21 — There shall be a Secretary-General who is directly reported to the Chairperson of the NCSC as regards the operation of the Office and supervises the Officials and employees of the Office.
➤ As regards activities dealing with third parties, the Secretary-General shall represent the Office. […]
➤ The Committee shall have the power to nominate, appoint and remove the Secretary-General.
Cabinet
NationalCybersecurity Agency
Secretary-General
NationalCybersecurity Committee
Chair
Minister of Digital Economy & Society
Digital Min
Personal DataProtection Committee
Chair
Secretariat Office
Secretariat Office
Secretary Secretary
Ex officiomember
Ex officiomember
Cybersecurity Bill
Personal Data Protection Bill
Prime Minister
In charge of
In charge
of
Establish
Establish
AppointTerminate
Establish
NominateAppointTerminate
Reported to
Ex officiomember
Cabinet
NationalCybersecurity Agency
Secretary-General
NationalCybersecurity Committee
Chair
Minister of Digital Economy & Society
Digital Min
Personal DataProtection Committee
Chair
Under
Secretariat Office
Secretariat Office
Secretary Secretary
Ex officiomember
Ex officiomember
Cybersecurity Bill
Personal Data Protection Bill
Prime Minister
In charge of
In charge
of
Establish
Establish
AppointTerminate
Establish
NominateAppointTerminate
Reported to
Ex officiomember
(REPEAT)
Personal DataProtection Committee
Personal Data Protection Bill
Establish
NationalCybersecurity Agency
Secretary-General
Minister of Digital Economy & Society
Digital Min
Personal DataProtection Committee
Personal Data Protection Bill
In charge of
Establish
Cabinet
NationalCybersecurity Agency
Secretary-General
Minister of Digital Economy & Society
Digital Min
Personal DataProtection Committee
Chair
Personal Data Protection Bill
In charge of
Establish
Appoint
Cabinet
NationalCybersecurity Agency
Secretary-General
Minister of Digital Economy & Society
Digital Min
Personal DataProtection Committee
Chair
Secretariat Office
Secretary
Ex officiomember
Personal Data Protection Bill
In charge of
Establish
Appoint
Cabinet
NationalCybersecurity Agency
Secretary-General
Minister of Digital Economy & Society
Digital Min
Personal DataProtection Committee
Chair
Secretariat Office
Secretary
Ex officiomember
Personal Data Protection Bill
In charge of
Establish
AppointTerminate
Cabinet
NationalCybersecurity Agency
Secretary-General
Minister of Digital Economy & Society
Digital Min
Personal DataProtection Committee
Chair
Secretariat Office
Secretary
Ex officiomember
Cybersecurity Bill
Personal Data Protection Bill
Prime Minister
In charge of
In charge
of
Establish
AppointTerminate
Establish
Cabinet
NationalCybersecurity Agency
Secretary-General
NationalCybersecurity Committee
Chair
Minister of Digital Economy & Society
Digital Min
Personal DataProtection Committee
Chair
Secretariat Office
Secretariat Office
Secretary Secretary
Ex officiomember
Ex officiomember
Cybersecurity Bill
Personal Data Protection Bill
Prime Minister
In charge of
In charge
of
Establish
Establish
AppointTerminate
Establish
Ex officiomember
Cabinet
NationalCybersecurity Agency
Secretary-General
NationalCybersecurity Committee
Chair
Minister of Digital Economy & Society
Digital Min
Personal DataProtection Committee
Chair
Secretariat Office
Secretariat Office
Secretary Secretary
Ex officiomember
Ex officiomember
Cybersecurity Bill
Personal Data Protection Bill
Prime Minister
In charge of
In charge
of
Establish
Establish
AppointTerminate
Establish
NominateAppointTerminate
Reported to
Ex officiomember
Cabinet
NationalCybersecurity Agency
Secretary-General
NationalCybersecurity Committee
Chair
Minister of Digital Economy & Society
Digital Min
Personal DataProtection Committee
Chair
Under
Secretariat Office
Secretariat Office
Secretary Secretary
Ex officiomember
Ex officiomember
Cybersecurity Bill
Personal Data Protection Bill
Prime Minister
In charge of
In charge
of
Establish
Establish
AppointTerminate
Establish
NominateAppointTerminate
Reported to
Ex officiomember
Cabinet
NationalCybersecurity Agency
Secretary-General
NationalCybersecurity Committee
Chair
Minister of Digital Economy & Society
Digital Min
Personal DataProtection Committee
Chair
Under
Secretariat Office
Secretariat Office
Secretary Secretary
Ex officiomember
Ex officiomember
Cybersecurity Bill
Personal Data Protection Bill
Prime Minister
In charge of
In charge
of
Establish
Establish
AppointTerminate
Establish
NominateAppointTerminate
Reported to
Ex officiomember
Tightly knitted, concentrated
NOT-SO-INDEPENDENT DATA PROTECTION COMMITTEE
➤ Network of powers go more on the left (cybersecurity) side
➤ What if the conflicted parties included a member of the Cabinet (or the Government in general)? ➤ the Cabinet can terminate the term of the Data Protection Committee’s Chairperson; the whole
Committee is under Digital Ministry structure
➤ What if Cybersecurity Committee has different opinion from the Data Protection Committee? Will Cybersecurity Agency staffs, who got assigned to work for Data Protection Committee, still supporting the matter? ➤ the staffs have to report to the Secretary-General, which in turn directly report to Cybersecurity
Committee Chairperson; and Data Protection Committee depends on resources from Cybersecurity Agency
➤ Sometimes those two Committees’ mandates can be conflicted
NEW CYBERSECURITY PROPOSAL
FROM NATIONAL REFORM STEERING ASSEMBLY
Cabinet
NationalCybersecurity Agency
Secretary-General
NationalCybersecurity Committee
Chair
Minister of Digital Economy & Society
Digital Min
Personal DataProtection Committee
Chair
Under
Secretariat Office
Secretariat Office
Secretary Secretary
Ex officiomember
Ex officiomember
Cybersecurity Bill
Personal Data Protection Bill
Prime Minister
In charge of
In charge
of
Establish
Establish
AppointTerminate
Ref: Personal Data Protection Bill (reviewed by the Council of State - Sep 2015) / Cybersecurity Bill (approved in principle by Cabinet - Jan 2015) / National Reform Steering AgencyEstablish
NominateAppointTerminate
Council of State rev. Sep 2015
Reported to
Ex officiomember
Cabinet
NationalCybersecurity Agency
Secretary-General
NationalCybersecurity Committee
Chair
Minister of Digital Economy & Society
Digital Min
Personal DataProtection Committee
Chair
Ex officio member
Under
Secretariat Office
Secretariat Office
Secretary Secretary
Ex officiomember
Ex officiomember
Cybersecurity Bill
Personal Data Protection Bill
Prime Minister
In charge of
In charge
of
Establish
Establish
AppointTerminate
Ref: Personal Data Protection Bill (reviewed by the Council of State - Sep 2015) / Cybersecurity Bill (approved in principle by Cabinet - Jan 2015) / National Reform Steering AgencyEstablish
NominateAppointTerminate
Ministry of Defense
Defense Min
Vice Chair
Ex officiomember
NRSA Proposal Nov 2016
Reported to
LESS POWER FOR THE DATA PROTECTION COMMITTEE
➤ Relatively to the National Cybersecurity Committee
➤ Getting worse that the original bills
➤ If the NCSC is chaired by the Prime Minister
➤ If the Ministry of Defense is also one of the two vice chairs
➤ Militarized-Cybersecurity Mechanism vs Resourceless Data Protection Committee
➤ Looks like data protection mechanism is structurally designed to fail
NEW DIGITAL REGULATION STRUCTURES
DIGITAL BILLS (2014-)
1. Ministry of Digital for Economy and Society Bill+
2. National Digital Committee for Economy and Society Bill*+
3. Digital Economy Promotion Bill*+
4. Digital Development for Economy and Society Fund Bill*+
5. Broadcasting and Telecommunication Regulator Bill (amendment)+
6. Computer-related Crime Bill (amendment)+
7. Cybersecurity Bill
8. Personal Data Protection Bill
9. Electronic Transaction Bill (amendment)
10.Electronic Transaction Development Agency Bill (amendment)
(+ = passed, * = merged together)
NEW STRUCTURES OF DIGITAL DEPARTMENTS
Showing new bodies to be created by proposed bills and changing relationships between Ministry of Digital Economy and Society (MDES, formerly Ministry of ICT), National Digital Economy and Society Committee (NDESC, new), and the National Broadcasting and Telecommunications Commission (NBTC).
MDES NBTCNDESC
Digital Development Fund
THAILANDMEDIA REGULATIONS
AFTER THE 2014 COUP
MICT Order No. 163/2014 Appointment of Working Group for Online Media Monitoring System Testing
➤ to test SSL encrypted online media monitoring system
➤ to coordinate with international internet gateways
NCPO Annc. 12/2014
Social media provider to stop
anti-NCPO content
NCPO Annc. 14/2014 Prohibits media to interview civil servants, indi
bodies, academics
NCPO Annc. 17/2014
ISP to monitor and censor content that may cause unrest
NCPO Annc. 18/2014 Prohibits 7 types of information
on media
NCPO Annc. 26/2014
Setting up Online Social Media Monitoring
Working Group, to monitor/block online content
NCPO Annc. 22/2014 (amended
with 34/2014)MICT is under NCPO Security
Cluster
NCPO Annc. 80/2014 (amend Broadcasting and Telecom
Commission Act) Add Defense Min. Perma. Sec. to committee
of R&D Fund, reduce number of expert committee members from 5 to 2 (w/o specifying
areas of expertise)
NCPO Annc. 97/2014 (amended with Annc.
103/2014) Prohibits 7 types of information: False info that may incite monarchy, national security, official secret, confusing news, criticism of NCPO, etc.
NCPO Annc. 23/2014
Conditions to air analog TV/radio
NCPO Annc. 27/2014
Conditions to air digital/cable/satellite TV
NCPO Annc. 79/2014
Conditions to air experimental
(community) radio
NCPO Chief Order 41/2016
NBTC can shut media down w/o
criminal/civil/admin liability
NCPO Order (Specific) 12/2014 Appoint Information Publicity Monitoring
Committee members
(5 media types)
Info Publicity Monitoring Committee
Order 3/2014Appoint Online
Media Monitoring Working Group
NCPO Annc. 33/2014
Prohibits court, indi bodies, local admin. to express opinions
MICT Order 163/2014 Set up Working Group
to test encryption (SSL) circumvention
equip., coord. net gateways
Charter Sec.279 All annc./orders of NCPO/NCPO Chief are legal and constitutional
under new Constitution. To amend, it must be passed by the National Assembly. (Senate 200; Parliament 500)
Charter Sec.269First 5 years will have 250
Senate members. All selected by NCPO. (From a list
proposed a NCPO-appointed committee)
CCA Draft (Apr2016) S.20 Para 5 Ministerial reg. for suppression/deletion of data, according to changing tech (encryption)
Adapted from a table by POSTgraphics / from Pirongrong Ramasoota. Media tremble at NBTC's Section 44 powers.Bangkok Post. 16 Jul 2016 http://www.bangkokpost.com/opinion/opinion/1037021/media-tremble-at-nbtcs-section-44-powers
Section 37 of the 2008 Broadcasting Act(pre-2014 coup)
• Inciting the abolishment of constitutional monarchy
• Bearing negative consequences for national security, public order, or good morals
• Containing obscene or pornographic content that may risk the mental or physical health of the people
Section 3 (1-7) ofNCPO Announcement No. 97/2014 (post-2014 coup)1. False statements that could defame or incite hatred of
the monarchy, the heir-apparent, or any member of the royal family
2. Information deemed detrimental to national security, including those that are defamatory to other people
3. Criticism of the NCPO, its official or related people
4. Confidential information (in all forms) of state agencies
5. Information the could lead to confusion, conflict, or social divisions
6. Incitement of unrest or resistance against the government or the NCPO
7. Threat to harm any person that could lead to panic or fear among the public
Peace and Order Division Public Administration Division
Security Cluster
Ministries of Defence, Interior, Foreign Affairs,
ICT
Information Operations /
Public Relations
Media Monitoring
Office of the Secretary-General of the National Council for Peace and Order
Ministry of Foreign Affairs. One month progress report of NCPO.http://www.mfa.go.th/main/en/media-center/3756/47354-One-month-progress-report-of-NCPO.html
ประกาศคสช. 22+34/2557ให้กระทรวงไอซีทีอยู่ใต้
กลุ่มงานความมั่นคงของคสช.NCPO Annc. 22+34/2014
Ministry of ICT underNCPO Security Cluster
CAMPAIGN AGAINST“SINGLE GATEWAY”
(COMPUTER-RELATED CRIME ACT AMENDMENT)
COMPUTER-RELATED CRIME BILL (DATA BLOCKING/REMOVAL — SEC.20)
➤ […] When the Court issues a warrant to suppress the distribution or to remove such data per Paragraph One or Two, the competent official may suppress the distribution or remove the computer data themselves or instruct the service provider to suppress the distribution or remove the computer data in their behalf. The Minister may determine the procedure, duration and guidelines for the service provider to suppress the distribution or remove the computer data, and they shall be made compatible to each other and in response to the changing technology, except when the Court makes any exemption. […]
2007 Computer-related Crime Act CCA Amendment Draft (2017 Act) Rationale
Section 20 Section 14 to amend Section 20
2007 Computer-related Crime Act CCA Amendment Draft (2017 Act) Rationale
In order to successfully suppress the dissemination of data that is encrypted by SSL technology, which designed to increase communication safety on the internet and has public-key encryption, it is necessary to has special methods and tools.
2007 Computer-related Crime Act CCA Amendment Draft (2017 Act) Rationale
Desire to circumvent encryption is shown in a presentation on the amendment of Computer-related Crime Act by the
Ministry of ICT to National Legislative Assembly.
➤ End-to-end encryption makes it difficult to get meaningful access to data-in-transit.
➤ Hacking Team’s Remote Control System (RCS) can do just that.
➤ Another option is to go to one of the ends, to get access to data-at-rest.
CONTENT MONITORING — POINTS OF CONTROL
(online intermediary)
(transmission/device level)
(individual content providers—users)
The deeper layer the control digging down, the more collateral damage, the more innocent people got affected.
➤ Content regulation turns Surveillance
➤ Web 2.0: Lots of content creators — govt can’t afford to control at Content level
➤ Intermediary liability introduced — but it only works within jurisdiction
➤ The control is moving towards Network level, interference
One who wants data.
One who approves.
One who process the request.
All-in-One.
LIVE BROADCASTING OF THE HEARING
➤ Invited-only “public hearing” from the National Legislative Assembly
➤ Live commentary from a cafe in downtown Bangkok
➤ “Ministerial Announcement”, legislative power in CCA and separation of powers explained
➤ Using materials and explanations from previous examples
ONLINE CAMPAIGN https://change.org/singlegatewayreturn