Thailand's Internet Law Begins Aug. 23 Requires User Tracking

[sriracha john]

Internet data law goes into force Aug 23

From Aug 23, private firms, organisations and government agencies will be required to store all internet traffic data for 90 days so it is available as digital evidence for police. Pol Col Yannapol Youngyuen, Commander of the Bureau of Technology and Cyber Crime at the Department of Special Investigation, said the IT Ministry order has no exceptions and will include banks, hotels, schools, and internet cafes. He said internet cafes will also be required to collect information to identify computer users, such as ID cards *passports?*, time of logging in, and sites visited. Shops that fail to heed the rules will face fines up to 500,000 baht, he said.

Continued here:

[kmart]

Sounds fairly authoritarian... If anyone in the "IT Ministry" could really be arsed to bother checking any of it..

(post the rest of the link please, john).

[simon43]

Jeez!! I run a hotel with wifi and adsl access. any suggestions as to a suitable software application that can meet this demand? Do they just need storage of the website urls versus date/time? (In any case, since any of customers can use the computer, how can they identify who visited which website?)

Simon

[cmsally]

I don't use public computers very often, but on the occasions I do, I always clear cache of history/passwords etc. This is pretty standard practice as you don't really want other people finding your user names and anything else that could have been saved (sometimes done without thinking). Does this mean I could cost someone 500k

Or are they going to have something that blocks clearing cache. In which case don't really want to use.

[think_too_mut]

Internet data law goes into force Aug 23

From Aug 23, private firms, organisations and government agencies will be required to store all internet traffic data for 90 days so it is available as digital evidence for police. Pol Col Yannapol Youngyuen, Commander of the Bureau of Technology and Cyber Crime at the Department of Special Investigation, said the IT Ministry order has no exceptions and will include banks, hotels, schools, and internet cafes. He said internet cafes will also be required to collect information to identify computer users, such as ID cards *passports?*, time of logging in, and sites visited. Shops that fail to heed the rules will face fines up to 500,000 baht, he said.

Continued here:

Cointinued where? Looks more like a windup.

I can't believe this is true and what they can do with it. Where do people keep the data? Who will pay for extra storage hardware?

More dangerous is if somebody, from a public phone booth, calls a mobile phone that detonates a bomb. Who is checking their IDs and passports?

[sriracha john]

Apologies all around for not getting the link in earlier. I was about to finish the post when the Gestapo entered the internet cafe I was at which made me quickly abort the posting process. I've sneaked over to a different cafe in order to complete the OP.

http://www.bangkokpost.com/130808_News/13Aug2008_news11.php

p.s. I'm spoofing, of course, but when this thing goes into effect, the above scenario is altogether too real.

[ovenman]

I especially liked the bit in the article about assessing fines of up to 500,000 baht for non-compliance. This in a country where you could probably get caught dumping barrels of mercury in a river and get slapped on the wrist with a 2,000 baht fine.

[sriracha john]

Jeez!! I run a hotel with wifi and adsl access. any suggestions as to a suitable software application that can meet this demand? Do they just need storage of the website urls versus date/time? (In any case, since any of customers can use the computer, how can they identify who visited which website?)

Some of what's available:

Web Site Trackers

http://www.cryer.co.uk/resources/websitetracking.htm

A discussion on Thailand Outlook indicated that what will be required are individual logs of each computer in the cafe and the user who is on it when he starts and stops and the sites visited during his time on that individual computer. This would provide the police with the definitive and specific information they want to track.

[Samuian]

Unreal!

Will we soon have to body search our customers if they maybe hide their PDA, Blueberry, iPhone or notebook and log in "illegally" into our free WI-Fi System?

whoooohahahahahaha!

And who is going to control all of it?

Right they need a new agency have some german ancestors... they still know about how the GESTAPO worked!

And many of the recent re-united germans have some great knowledge of the STASI and how they controlled the states citizen!

[sriracha john]

Jeez!! I run a hotel with wifi and adsl access. any suggestions as to a suitable software application that can meet this demand? Do they just need storage of the website urls versus date/time? (In any case, since any of customers can use the computer, how can they identify who visited which website?)

Some of what's available:

Web Site Trackers

http://www.cryer.co.uk/resources/websitetracking.htm

A discussion on Thailand Outlook indicated that what will be required are individual logs of each computer in the cafe and the user who is on it when he starts and stops and the sites visited during his time on that individual computer. This would provide the police with the definitive and specific information they want to track.

Sorry Simon, but I gave you a bum lead. I was informed the link I provided doesn't do what the ICT and police want as they are for tracking web hits and monitoring google ads and such...

[sriracha john]

I don't use public computers very often, but on the occasions I do, I always clear cache of history/passwords etc. This is pretty standard practice as you don't really want other people finding your user names and anything else that could have been saved (sometimes done without thinking). Does this mean I could cost someone 500k

Or are they going to have something that blocks clearing cache. In which case don't really want to use.

My understanding is that it wouldn't matter if at the end of your session you clear cache, etc. as the sites visited would have already been recorded on an undeletable file... in the order you visited them and the amount of time spent on each.... along with your passport number, name, and whatever info they require.

[cmsally]

I don't use public computers very often, but on the occasions I do, I always clear cache of history/passwords etc. This is pretty standard practice as you don't really want other people finding your user names and anything else that could have been saved (sometimes done without thinking). Does this mean I could cost someone 500k

Or are they going to have something that blocks clearing cache. In which case don't really want to use.

My understanding is that it wouldn't matter if at the end of your session you clear cache, etc. as the sites visited would have already been recorded on an undeletable file... in the order you visited them and the amount of time spent on each.... along with your passport number, name, and whatever info they require.

An interesting prospect for anyone that thinks its safe to do internet banking on public computers.

[mizzi39]

Big brother has arrived!

[12DrinkMore]

Unworkable. These guys are clueless about the technology.

The website tracker mentioned by another poster resides on the webserver and tracks page requests for THAT website. This is easy to implement with standard tools. It will log page requests down to the ip-address of the client, but a lot, probably the majority, of ip-addresses from clients are allocated dynamically. Also 99.999999999% of these websites are outside Thailand where the BIBs have no jurisdiction to look at log files.

Logging user requests from EVERY computer inside of Thailand, associating them with a user/time frame and being able to trace that user? Impossible. A few examples

1. Buy a GPRS modem, no way to trace that.

2. Use any of the non-secured Wireless LAN Access Points, there must be thousands and thousands of these.

3. Go through a proxy server to access the websites even the "Thought Police" have blocked from Thailand.

It does, however, provide an possible source of extra income for the BIBs.

"Hey Somchai, let's have a look at you log files then, Khrap"

"Duh?"

"That'll be 500 Baht / month online service fee then"

Internet banking will be a secure as before. The data is encrypted/decrypted inside the browser and the data that goes out on the network would take a massive amount of computing power and resources to make use of.

One big problem of using internet cafes is they may have installed a key logger, which logs all your keyboard clicks, including passwords and usernames. So be careful in these places.

It's another well thought out law from the combined cranial capacity of the BIBs, similar to the one forbidding alcohol sales between 14:00 and 17:00.

[kmart]

Sounds like some sort of style-over-substance edict by the MIT to justify their existence, rather than any sort of cohesive, all-encompassing law.

The BiB will no doubt use it to try and extort money from private companies / people who work for a living. As they do...

[sriracha john]

Logging user requests from EVERY computer inside of Thailand, associating them with a user/time frame and being able to trace that user? Impossible. A few examples

please re-read... it's not for every computer in Thailand.

"Hey Somchai, let's have a look at you log files then, Khrap"

"Duh?"

"That'll be 500 Baht / month online service fee then"

It's a 500,000 baht fine if they don't maintain logs.

Edited August 13, 2008 by sriracha john

[12DrinkMore]

please re-read... it's not for every computer in Thailand.

Yes it is, well except for those not attached to the internet, before somebody takes me up on that,

You have an internet conection which presumably uses TOT or AIS or which ever provider.

By law all private firms, organisations and government agencies are now required to store all internet traffic.

This law encompasses all internet providers in Thailand. Which in turn means all computers connected to the internet through them, including mine and yours.

Otherwise it would not just be a stupid law, but an REALLY stupid law.

[sriracha john]

I agree it's a stupid law, but it doesn't apply to home usage as I understand it from the television news that discussed it at length. I'll see if I can find an additional article that clarifies that it is for businesses.

[OlRedEyes]

Your ISP will fall under the law.

[britmaveric]

Well Thai(s) hate paperwork, so dare say this one will be ignored.

[sriracha john]

Perhaps not... not when 1/2 million baht is at stake, that and the ability to maintain it all on digital files and not some big hand-written ledger.

Edited August 13, 2008 by sriracha john

[webfact]

Regarding the ISP’s they don’t even have proper hardware, software and tech support to provide reliable service… “sir your phone line is no good, Internet is working” and now they additionally must log a gigantic amount of data every month? Maybe store all the illegally sent pornographic pictures as evidence for the sake of national security?

I bet we will have a lot of “fun” soon to come.

[niller74]

I have to agree that this law is absolutely some of the most stupid I have heard in a long time.

I am fairly sure what they request are connection logs, which every decent router can provide easily. It is not a big deal to store these. If they however want the data stored it is a whole other situation. I doubt however that they are THAT stupid.

But once they got the internal log from a company where all the clients are assigned IPs from the DHCP server what are they going to do? The leaches will most likely have expired or been overwritten, so all they can conclude is that some ip xxx.xxx.xxx.xxx established this connection at a specific date/time, but that is all.

[Spee]

I have to agree that this law is absolutely some of the most stupid I have heard in a long time.

I am fairly sure what they request are connection logs, which every decent router can provide easily. It is not a big deal to store these. If they however want the data stored it is a whole other situation. I doubt however that they are THAT stupid.

But once they got the internal log from a company where all the clients are assigned IPs from the DHCP server what are they going to do? The leaches will most likely have expired or been overwritten, so all they can conclude is that some ip xxx.xxx.xxx.xxx established this connection at a specific date/time, but that is all.

I also agree that this is pretty silly. Network Admin 101 says it's not worth implementing a policy that isn't analyzed and checked periodically. As others have said, the level of effort required for the government to fairly and regularly audit companies for this information is immense.

On the political and economic side, it is also silly and short-sighted and at the same time scary. The scary part is the likely random and biased manner in which the regulations could be enforced. It appears to be another vehicle for an already corrupt police and political structure to become more so. There are so many ways to imagine how easily this could get out of hand and just become another quasi-legal shakedown.

Economically, it is stupid and short-sighted. To implement these policies is to require companies to expend labor and capital resources, i.e., people to actually set up and do the work, and hardware and software to gather and store the data. When governments start telling companies how to run their businesses and forcing new regulations upon them, these actions inevitably lead to higher costs, those costs being passed on to the customer, and increasing customer dissatisfaction with the company.

[Seizhin]

Didnt like this law.

It benefits big corporations but only give loss and loss to the smaller groups or even consumers.

A government official telling a businessman of how to do business is simply a sign of idiocy.

[intumult]

Regarding the ISP's they don't even have proper hardware, software and tech support to provide reliable service… "sir your phone line is no good, Internet is working" and now they additionally must log a gigantic amount of data every month? Maybe store all the illegally sent pornographic pictures as evidence for the sake of national security?

I bet we will have a lot of "fun" soon to come.

So, when they see me sending those illegal bedroom photos of my g/f's they will come down on me hard? Or will they get hard looking at them??

P.S. Mr. Police, not that I have photos of my ladies

[peter991]

I wonder if this will go the way of Mobile Phone Registration procedure. A lot of hype to start with. The idea being that if you wanted a NEW SIM card in Thailand, you had to produce your passport or ID card. To enable your current SIM card to work, it was supposed to be registered and so on.

The goal was for the Thai Government to have a record of everybody's SIM card as there was the fear mobile phones could be used to trigger bombs.

How long did THAT idea last? Two days after it was supposed to be introduced, I walked into a Pattaya mobile phone shop, bought a 2nd hand mobile phone and a SIM starter pack - no questions asked - no request for any ID.

Amazing Thailand.

Peter

[ourmaninbangers]

Unworkable. These guys are clueless about the technology.

The website tracker mentioned by another poster resides on the webserver and tracks page requests for THAT website. This is easy to implement with standard tools. It will log page requests down to the ip-address of the client, but a lot, probably the majority, of ip-addresses from clients are allocated dynamically. Also 99.999999999% of these websites are outside Thailand where the BIBs have no jurisdiction to look at log files.

Logging user requests from EVERY computer inside of Thailand, associating them with a user/time frame and being able to trace that user? Impossible. A few examples

1. Buy a GPRS modem, no way to trace that.

2. Use any of the non-secured Wireless LAN Access Points, there must be thousands and thousands of these.

3. Go through a proxy server to access the websites even the "Thought Police" have blocked from Thailand.

It does, however, provide an possible source of extra income for the BIBs.

"Hey Somchai, let's have a look at you log files then, Khrap"

"Duh?"

"That'll be 500 Baht / month online service fee then"

Internet banking will be a secure as before. The data is encrypted/decrypted inside the browser and the data that goes out on the network would take a massive amount of computing power and resources to make use of.

One big problem of using internet cafes is they may have installed a key logger, which logs all your keyboard clicks, including passwords and usernames. So be careful in these places.

It's another well thought out law from the combined cranial capacity of the BIBs, similar to the one forbidding alcohol sales between 14:00 and 17:00.

yes, I agree, its just window dressing. Pointless.

Its so easy to get around things like the ID issues. Go to kao-san road.And,remember, this is thailand. I thought we were supposed to have ID to get a sim card- nobody asks me.

Theres also a company which sells legal 'cover" passports from countrys that no longer exist, they say it can be used if one faces a kidnap situation and one does,nt want to look from US, UK, etc.They work. 99% of interent owners would,nt question it.

One question I,d like to ask you is- I was at an internet cafe with a visitor friend of mine.

He turned to me and said " I want to show you something cool" he then went and showed me all the emails, inbox,outbox, etc of people made for that computor that day.

I could of read all that they had written.

is that how he did it-this key lock thing? Is there anyway to get around this?

He said he could do that at any email centre in bangkok.When I asked the owner they tried to avoid the question.

[tartempion]

I think we are getting there:

Judge Orders YouTube to Give All User Histories to Viacom

By Ryan Singel EmailJuly 02, 2008 | 7:16:54 PMCategories: Copyrights and Patents

Google will have to turn over every record of every video watched by YouTube users, including users' names and IP addresses, to Viacom, which is suing Google for allowing clips of its copyright videos to appear on YouTube, a judge ruled Wednesday.

I was wondering if this information isn't kept on servers all over the planet already (all international traffic goes through CAT isn't? They could keep records)

As for The goal was for the Thai Government to have a record of everybody's SIM card as there was the fear mobile phones could be used to trigger bombs.

Forget the last part: having your SIM card number and your ID allows you to be tracked to the nearest pole (if you are in reach that is) where ever you are as long as your phone is in stand by mode.

So what they are after NOW are the occasional internet shop visitors.

Edited August 14, 2008 by tartempion

[Hawkup2000]

One question I,d like to ask you is- I was at an internet cafe with a visitor friend of mine.

He turned to me and said " I want to show you something cool" he then went and showed me all the emails, inbox,outbox, etc of people made for that computer that day.

I could of read all that they had written.

is that how he did it-this key lock thing? Is there anyway to get around this?

He said he could do that at any email center in Bangkok.When I asked the owner they tried to avoid the question.

Most likely there is a keylogger installed (hardware/software) on the computer that your friend found. The keylogger takes screencaps of all actions in the computer. The program is like a small hidden camera in a room that records everything. The logger also reveals user IDs, password ect. The easiest ways a check this is to see if there is a logger installed is if visible under processes, but it could be hidden under some other process. You can also do a hijackThis logg (google).

Of course the owner did try to avoid your question. It is like asking a shopkeeper why they have a hidden cam at the womens toilet. He violates the privacy for all end users in his network.

Sorry for the computer offtopic talk, I just want make everone aware that all data can easily be logged on a computer if an dishonest person install a logger on a computer. It is not totally safe to use a internet cafe.

Edited August 14, 2008 by Hawkup2000