Thailand's Internet Law Begins Aug. 23 Requires User Tracking

[onethailand]

I'm assuming Simon's providing access through his rooms - thus he would automatically know which guest accessed what site, without requiring the user to provide further ID or login.

[bino]

I'm assuming Simon's providing access through his rooms - thus he would automatically know which guest accessed what site, without requiring the user to provide further ID or login.

How? If guests connect their own laptops to the hotel network (wireless or ethernet- same same), they would get a "local" network IP address assigned automatically via DHCP from the router. There would still need to be some way to know who was assigned to each local IP.

[ace]

I'm assuming Simon's providing access through his rooms - thus he would automatically know which guest accessed what site, without requiring the user to provide further ID or login.

How? If guests connect their own laptops to the hotel network (wireless or ethernet- same same), they would get a "local" network IP address assigned automatically via DHCP from the router. There would still need to be some way to know who was assigned to each local IP.

I suppose if one really were to use this law then the log could be analysed for source MAC.

[ulath]

I'm assuming Simon's providing access through his rooms - thus he would automatically know which guest accessed what site, without requiring the user to provide further ID or login.

How? If guests connect their own laptops to the hotel network (wireless or ethernet- same same), they would get a "local" network IP address assigned automatically via DHCP from the router. There would still need to be some way to know who was assigned to each local IP.

Depending on the network gear he using (eg the switch) the switch can act as a dhcp server and assign the ip address to a certain port on the switch, the wire runs from the switch to the room so they know which room number it is.

If there using wirless as well ,most probably easier to provide them with a login when they check in even if they dont use it or not.

[ulath]

I couldnt find simons43 post to quote it, good on you for writing the app, but there are serveral out there that will do this already which are gpl-ed if you have a look at them it might save you some work eg squid proxy even apache webserver can be configured to do it

If somone is not that tech inclined smoothwall and ipcop provide this and more and its bascially plug and play, adsl router in one port inside network on another network port and bobs ya uncle

Smooth wall is also capable of Instant message logging, (have a think about that next time you send confidential stuff in a IM in a netcafe) *shudder*

[onethailand]

How? If guests connect their own laptops to the hotel network (wireless or ethernet- same same), they would get a "local" network IP address assigned automatically via DHCP from the router. There would still need to be some way to know who was assigned to each local IP.

By ethernet, you would connect via a cable - which is obviously connected to a hardware port - so any time a connection is made you already know which room is connecting - and as hotels are also required by law to collect ID of the occupant of each room upon checkin, you would know who is connecting. The MAC address is irrelevant. Even the actual IP is irrelevant so long as you can trace it to the port which was being used at the time.

Wireless, however, would be a problem, because you could pick up signals from the next room and hook in through there.

[unomi]

How? If guests connect their own laptops to the hotel network (wireless or ethernet- same same), they would get a "local" network IP address assigned automatically via DHCP from the router. There would still need to be some way to know who was assigned to each local IP.

By ethernet, you would connect via a cable - which is obviously connected to a hardware port - so any time a connection is made you already know which room is connecting - and as hotels are also required by law to collect ID of the occupant of each room upon checkin, you would know who is connecting. The MAC address is irrelevant. Even the actual IP is irrelevant so long as you can trace it to the port which was being used at the time.

Wireless, however, would be a problem, because you could pick up signals from the next room and hook in through there.

This would be the death of open wifi, even WPA or WEP encrypted wifi would be hard to offer as you still need to log activity and link it to a particular person/computer.

I design and install HotSpot systems that allow for such logging and user authentication. I can also deploy such logging/authentication systems for wired networks. Send me a PM if interested. No, its not that expensive.

[bino]

I suppose if one really were to use this law then the log could be analysed for source MAC.

This still wouldn't work... what if the guest and their laptop / MAC have flown back to Farangland? How would you identify them 90 days later? Conversely, in an internet cafe where the IP / MAC get used by many people, how would you know?

Depending on the network gear he using (eg the switch) the switch can act as a dhcp server and assign the ip address to a certain port on the switch, the wire runs from the switch to the room so they know which room number it is.

This would work well and seamlessly for a wired network... the room number would match up to the hotel register and ID provided at check in.

If there using wirless as well ,most probably easier to provide them with a login when they check in even if they dont use it or not.

This would work too... similar to other hotels paid service. If Simon / the hotel doesn't want to charge for the service, they can just provide the login info. However, it won't be seamless / invisible because it will still involve the implementation of some kind of access control / login management.

smoothwall and ipcop provide this and more and its bascially plug and play, adsl router in one port inside network on another network port and bobs ya uncle

Tks for these. They look interesting- on cursory inspection! I'm going to study them bit more!

Smooth wall is also capable of Instant message logging, (have a think about that next time you send confidential stuff in a IM in a netcafe) *shudder*

*shudder* indeed!

I'm curious about this not because I'm a hotelier or internet cafe operator, but would like to know what is involved / needed to comply with the law, draconian as it is. We do have a dozen networked workstations in our office, and know that the employees spend a lot of time on "personal" surfing endeavours. Hate to have the BIB show up for a donation (or worse)!

[onethailand]

This would be the death of open wifi, even WPA or WEP encrypted wifi would be hard to offer as you still need to log activity and link it to a particular person/computer.

Basically, you're right. The only people that would be able to use such a network would be people who have already provided ID at some stage, and/or have to log in to get access to the network.

[unomi]

This would be the death of open wifi, even WPA or WEP encrypted wifi would be hard to offer as you still need to log activity and link it to a particular person/computer.

Basically, you're right. The only people that would be able to use such a network would be people who have already provided ID at some stage, and/or have to log in to get access to the network.

and then there is this: http://www.thaivisa.com/forum/Law-Requirin...an-t207958.html

and : http://www.thaivisa.com/forum/Internet-Law....html&st=25

MODs, any chance we can merge all these threads?

[simon43]

Some interesting technical solutions suggested, but I think you are all missing the point

Firstly, only internet cafes are required to log the user's name and passport/id number. Hotels are only required to log the urls and date/timestamp them.

Secondly, for internet cafes, you could enter 'Mickey Mouse' as your name etc, because the internet cafe owner is under no obligation to actually validate the name/passport number.

Thirdly, do you really think that the BIB (or anyone else) has the slightest interest in the actual detail of your logs? This is an ill-thought up law that only has one practical and possible purpose; that is, as a means of tea-money for the BIB. If you can show logfiles to the BIB then you will be fine

If the government had really wanted to implement a practical logging requirement, where the logged data was of actually some value in tracing persons etc etc, then they would have put a lot more thought into the detail and requirements of this new law.

If I get a visit and demand to show my logfiles, then I can do just that, and these logfiles will comply with the regulations 100%. Bu they will about as useful to the BIB as condoms at a catholic seminar (no offence intended!)

Simon

[sriracha john]

Secondly, for internet cafes, you could enter 'Mickey Mouse' as your name etc, because the internet cafe owner is under no obligation to actually validate the name/passport number.

Not sure of that assumption as its not been specified. They could simply require the internet cafe themselves to enter all the identifying information on the log directly from your passport/ID. It could easily become the standard operating procedure for internet cafes to greet all foreign-looking customers with "Passport please."

Thirdly, do you really think that the BIB (or anyone else) has the slightest interest in the actual detail of your logs? This is an ill-thought up law that only has one practical and possible purpose; that is, as a means of tea-money for the BIB. If you can show logfiles to the BIB then you will be fine

If the government had really wanted to implement a practical logging requirement, where the logged data was of actually some value in tracing persons etc etc, then they would have put a lot more thought into the detail and requirements of this new law.

Until its published somewhere in its entirety, we're not exactly sure of precisely what details and requirements there are with this new law.

If I get a visit and demand to show my logfiles, then I can do just that, and these logfiles will comply with the regulations 100%. Bu they will about as useful to the BIB as condoms at a catholic seminar (no offence intended!)

Simon

There was a post earlier in the thread regarding the sign that an internet cafe had displayed to comply with the law. Some other literal reports of what other internet cafes around the country are doing, now that the law is in effect, might be beneficial.

Edited August 25, 2008 by sriracha john

[Crushdepth]

But once they got the internal log from a company where all the clients are assigned IPs from the DHCP server what are they going to do?

Ha ha ha!! I hadn't thought of that. If the lease time was short they could still use it as a toilet roll

OK - for all hotel/guesthouse owners, I have a solution smile.gif Although I'm the boss of a hotel in Phuket, my previous life was as a software/telecoms consultant. I have written a FREE application that will automatically log all website visits and store them with a date/time-stamp. This application is suitable for hotels because it does not require the user to enter their name/ID card number.

Thanks, good one!

[deeveloper]

Nonsense law.

Creates inconvenience, and a higher probability of backlash.

ISP's implementing it may be drinking their own poison?

"I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say 'Daddy, where were you when they took freedom of the press away from the Internet?'"

--Mike Godwin, Electronic Frontier Foundation

--

STOP TERRORISM.

STOP TERRORISING

http://www.infowars.com

http://www.prisonplanet.tv

[unomi]

Some interesting technical solutions suggested, but I think you are all missing the point

Firstly, only internet cafes are required to log the user's name and passport/id number. Hotels are only required to log the urls and date/timestamp them.

Secondly, for internet cafes, you could enter 'Mickey Mouse' as your name etc, because the internet cafe owner is under no obligation to actually validate the name/passport number.

I am not sure where you get the idea that hotels do not need to save the ID.

Please reread the following section:

The service provider must keep the necessary information of the service user in

order to be able to identify the service user from the beginning of the service provision, and

such information must be kept for a further period not exceeding ninety days after the service

agreement has been terminated.

This pretty clearly states that YOU as a SERVICE PROVIDER *MUST* be able to identify positively the user who was responsible for the traffic in the logs.

Thirdly, do you really think that the BIB (or anyone else) has the slightest interest in the actual detail of your logs? This is an ill-thought up law that only has one practical and possible purpose; that is, as a means of tea-money for the BIB. If you can show logfiles to the BIB then you will be fine

Read the above section, again.

The whole idea is that if some unlawful activity is noticed at the receiving end, be it a hacked server or libellious post on a forum, logs would show which internet account enabled the transactions, this *could* be traced back to your hotel internet account, in turn *to protect yourself* you need to be able to come up with records showing who actually did the deed, otherwise *you* could be held responsible.

a translation of the law is available here: http://multimedia.prachatai.com/doc/2007/C...E._2550_Eng.pdf

If the government had really wanted to implement a practical logging requirement, where the logged data was of actually some value in tracing persons etc etc, then they would have put a lot more thought into the detail and requirements of this new law.

The law is pretty well written albeit absolutely f*cked up.

If I get a visit and demand to show my logfiles, then I can do just that, and these logfiles will comply with the regulations 100%. Bu they will about as useful to the BIB as condoms at a catholic seminar (no offence intended!)

Condoms reduce the spread of aids from priests to altar boys, don't knock 'em

The technical solutions are not that difficult to implement and the biggest single expense would in most cases be a scanner.

[geriatrickid]

If the intent is to stop hackers or e-criminals it is a wasted effort. As long as there is wifi, there will be programs and intelligent minds that can circumvent the wifi passwords. Even in an internet cafe, nothing stops someone from using a bogus id card or passport. It's not like they will be verifying accuracy of the documents.

Stupid law. Stupid intent.

In 12 months time this will be another unenforced law that will make Thailand a laughingstock.

[unomi]

Now all this should only happen if there is suspicion of illegal activity as described in the law. However, Section 18, 3 whereby the 'competent official' can ask to *see* the logs is not dependant on a court order. This means that a competent official, yes needs to show a badge showing them to be from their equivalent of Computer Crimes Department, but doesn't have to prove to you that there is a court order for the information.

So spurious spot checks are not impossible; and the fine that can be levied is not for interfering with an investigation, but failure to comply with the logging/user verification in general.

As much as some might say that the law is unclear or the information is impossible to gather; neither seem to be true.

500,000 baht seems an expensive way to find out.

Lets be clear about this: *should* an investigation that results in a court order for the copying of your logs be warranted, 'tea money' probably won't cut it. On the flip side, what are the odds.

Who knows, maybe this will all blow over and nothing will come of it, I certainly hope so but doubt it.

Disclaimer: I am not a lawyer, I am talking out of my @$$.

Edited August 25, 2008 by unomi

[deeveloper]

The whole idea is that if some unlawful activity is noticed at the receiving end, be it a hacked server or libellious post on a forum, logs would show which internet account enabled the transactions, this *could* be traced back to your hotel internet account, in turn *to protect yourself* you need to be able to come up with records showing who actually did the deed, otherwise *you* could be held responsible.

Well it's even more of a pointless law then right? If it is a matter of responibility, then consider this; Not even some of the best hackers or law enforcement IT specialists are immune from having their IT security compromised. This now leaves you, the ISP, hotel owner or service provider at risk of litigation.

I have a solution.. everybody turn your computer off.. LOL, or use a private wireless WAN.

--

STOP TERRORISM.

STOP TERRORISING.

"I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say 'Daddy, where were you when they took freedom of the press away from the Internet?'"

--Mike Godwin, Electronic Frontier Foundation

http://freenetproject.org

http://www.infowars.com

http://www.prisonplanet.tv

[unomi]

Well it's even more of a pointless law then right? If it is a matter of responibility, then consider this; Not even some of the best hackers or law enforcement IT specialists are immune from having their IT security compromised. This now leaves you, the ISP, hotel owner or service provider at risk of litigation

Absolutely. Agree 100%.

[unomi]

Considering the importance and that it affects all TV users and more, It would be interesting if TV or one of its sponsors could post here legal advice and interpretation of their lawyers.

Thanks in Advance.

[grantbkk]

I think we can get to the bottom if this by marching into our local police stations and request clarification on the requirements of this new law. If anyone really does this please get back to me when you get out.

[niller74]

Something just isn't right.

It seems as if people failing to provide sufficient log information are punished harder than the actual criminals.

Edited August 25, 2008 by niller74

[unomi]

The detailed information that the law requires, combined with the law mandating that all computers are time synced points to the government wanting to bring statistical analysis to bear on people using 'anonymous proxies'; onion routers such as TOR and encrypted lines of communication such as VPN.

This would mean that posting to a message board; uploading indescent material or organizing political rallies *could be* traced, even if VPN and / or TOR are used.

There are ofcourse ways to hinder statistical analysis. But if I explained that in detail I might be held liable

The implications for our ability to bring about a better, freer world however we might envision it to be are staggering.

Revolution now, or never.

[deeveloper]

The detailed information that the law requires, combined with the law mandating that all computers are time synced points to the government wanting to bring statistical analysis to bear on people using 'anonymous proxies'; onion routers such as TOR and encrypted lines of communication such as VPN.

This would mean that posting to a message board; uploading indescent material or organizing political rallies *could be* traced, even if VPN and / or TOR are used.

There are ofcourse ways to hinder statistical analysis. But if I explained that in detail I might be held liable

The implications for our ability to bring about a better, freer world however we might envision it to be are staggering.

Revolution now, or never.

Could persuade a lot of IT people to boycott or cease services in/to Thailand over this...

Maybe an internet strike / blackout week for Thailand would show who really controls the internet?

Set a date for the blackout, and start the press release machine...

Hear ye... Hear ye... Internet blackout in Thailand...

[niller74]

The detailed information that the law requires, combined with the law mandating that all computers are time synced points to the government wanting to bring statistical analysis to bear on people using 'anonymous proxies'; onion routers such as TOR and encrypted lines of communication such as VPN.

This would mean that posting to a message board; uploading indescent material or organizing political rallies *could be* traced, even if VPN and / or TOR are used.

There are ofcourse ways to hinder statistical analysis. But if I explained that in detail I might be held liable

The implications for our ability to bring about a better, freer world however we might envision it to be are staggering.

Revolution now, or never.

Could persuade a lot of IT people to boycott or cease services in/to Thailand over this...

Maybe an internet strike / blackout week for Thailand would show who really controls the internet?

Set a date for the blackout, and start the press release machine...

Hear ye... Hear ye... Internet blackout in Thailand...

I'd be there. Just don't think it will have any impact.

Edited August 25, 2008 by niller74

[onethailand]

Firstly, only internet cafes are required to log the user's name and passport/id number. Hotels are only required to log the urls and date/timestamp them.

Simon, I think you're wrong here. I assumed that you were providing access in a manner which could still be tracked backed to a hotel guest.

You may not be required to log the user's name and passport id/number at time of access - but you will still need to be able to link any access to a particular person. In other words - you may not need to actively require ID upon each access - but a guest will still need to provide ID at check-in - which by default also grants them access to the network.

[deeveloper]

http://www.infowars.com/?p=4054

ROARRRRRRRRRRRRRRRRR

that 2nd video works me up.

GO ALEX!

Complain to your ISP,

cancel your service if you have to.

Edited August 25, 2008 by deeveloper

[simon43]

I stand corrected re the requirement to log name and id/passport (thanks for that translation!)

In any case, I spent a few hours adding this functionality to my software. Now, whenever the browser is launched, it 'forces' the user to a log-in page. Once the name/id have been submitted, the user is able to browse to other pages. The user details and subsequent website visits are all logged/timestamped

Of course, what my software cannot handle are wifi connections - because my software is actually installed into the desktop PC. So a 'casual' user with their laptop and wifi connection will not be logged etc.

Simon

[a2396]

If the intent is to stop hackers or e-criminals it is a wasted effort. As long as there is wifi, there will be programs and intelligent minds that can circumvent the wifi passwords. Even in an internet cafe, nothing stops someone from using a bogus id card or passport. It's not like they will be verifying accuracy of the documents.

Stupid law. Stupid intent.

In 12 months time this will be another unenforced law that will make Thailand a laughingstock.

Agreed. Absolute & complete idiocy. Anyone know of any other countries in the world doing this? Can you imagine the mountain of stored electronic data required to retain this information.

[Seizhin]

Had to agree, this is another complete idiocy.

Last I heard those minister went on TV and said that it's possible, while actual people who deals with the matter are struggling to satiate these 'authority' hungry minister.