Thailand's Internet Law Begins Aug. 23 Requires User Tracking

[johnwills]

Ah Thailand the Land of Smiles, well this certainly maybe me laugh, good luck in enforcing this new law.

Edited August 25, 2008 by johnwills

[onethailand]

I stand corrected re the requirement to log name and id/passport (thanks for that translation!)

In any case, I spent a few hours adding this functionality to my software. Now, whenever the browser is launched, it 'forces' the user to a log-in page. Once the name/id have been submitted, the user is able to browse to other pages. The user details and subsequent website visits are all logged/timestamped

Of course, what my software cannot handle are wifi connections - because my software is actually installed into the desktop PC. So a 'casual' user with their laptop and wifi connection will not be logged etc.

Simon

I assume you've got a few PCs running somewhere in the hotel - and not providing access room by room via cable. If you want to handle both wireless and cabled connections, what you really need to do is setup an intermediary server between your network and the router - as suggested by someone else - and force them to log in via a web page. Some routers, I believe, have the capability to do this as well, redirecting all connections to a page on the Net if not yet approved (or cookied) - and forcing users to authenticate themselves to gain wider access to the rest of the Net.

Another method would be to force them to get a login ID and password from reception. I assume your software can be easily modified to handle something like this. And of course, assuming that you don't have outside vistors, mostly only hotel guests that need access, your ID requirement will be much simpler as you already know who they are when they checked in.

[simon43]

Hi Onethailand - it's not an issue for my own hotel because I can certainly implement server-side logging, proxies etc. I'm trying to devise a simple solution that can be easily implemented in ALL hotels and internet cafes...

Simon

[Honolulu]

I personally like the idea of some Thai cops coming into my shop, demanding to see my "LOG". They are so cute in those uniforms

[onethailand]

Hi Onethailand - it's not an issue for my own hotel because I can certainly implement server-side logging, proxies etc. I'm trying to devise a simple solution that can be easily implemented in ALL hotels and internet cafes...

Simon

Good luck mate - maybe you can also make it workable for internet cafes - expand your market

[simon43]

Yep - got it all working ok now with name/passport logging/sign-in etc etc. Just testing it now to see if I can make it 'fall over'

Simon

[12DrinkMore]

A lot of discussion over websites and loggin visits/usernames.

The "law" requires logging all internet traffic.

Websites are not the whole internet. Presumably dns, smtp and ftp traffic must also be logged. In particular when I update my websites using my favourite ftp client, who is logging this? I can open up a Command window on my notebook and start "ftp", and using very basic commands upload and download data files, encrypted or not.

Then there are the bittorrent clients which also act as servers. Are these being logged? I guess not, if the logging works through a browser interface. And I will not even mention the "p" word, because the powers around TV will delete my post.

The whole thing is unworkable, but, on the positive side, I expect the BIBs will be easily satisfied with a few simple log files along the lines suggested in the posts in this thread.

Now, to take an example, some police agency outside of Thailand comes up with evidence that a dynamically assigned public ip-address has been downloading suspicious data. Now the organisation that assigns this public ip-address address in Thailand has been keeping logs of all the data, and can show from these logs which data came from this ip-address (in itself a massive task for the TOT or whichever organisation to store all this data). And then it comes down to the hotel, internet cafe or private client (like me for TOT) to show the logs and work out which dynamically assigned private ip-address was receiving/sending the data at that time and find the human behind the keyboard. HAH! No way, Jose. To match up all the time stamps/data/ip-addresses/username/id and end up with a person in Thailand is just about impossible.

AH! You say, how did they catch those naughty people in the UK for downloading music etc. Easy, the bittorrent clients broadcast your ip-address when you allow the client to source the files. This easily allows the police to find out who is in the UK and what files they are sourcing. And then they knock on your door. A different kettle of fish entirely.

So in the end the law just makes our lives a little more restricted, causes more costs for the companies involved, which will then filter down to us. The only benefit is for the government departments set up to combat the perceived threat, more staff more salaries, and the companies who come along with solutions to to implement the government policies. Even more taxes and expenses with no real positive results for the general population.

[ignis]

Sometimes you do a search and come up with a website that you did not want.. is this a threat ? happens many times

EG: Just yesterday.. Looking for a Saab 9-3 or 900, this is a motorcar, the better ones have a name behind the number… Draken is a 3 door hatch manual or Auto, Super Draken is a 3door turbo manual only, both have leather cream seats + body kit, the Viggan also has cream leather seats + more kit and is 5 door

So search Saab+Draken or Viggan+Thailand, up comes pages of the Thai Military Fighter planes..!! [before yeasterday had no idea the Fighter jets in Thailand were Saab]

So arriving at this by accident is this seen as a treat to Thailand’s National Security??

[12DrinkMore]

So arriving at this by accident is this seen as a treat to Thailand's National Security??

You've been logged and the BIBs are watching your every move. Better keep the rocket launcher hidden for a while.

[Nickthegreek]

I have been watching this thread closely,as I previously mentioned I have two online game/internet cafes..

I mentioned that no one had made us aware about this, so yesterday we took it upon ourselves to go the local office where we have to register our internet/game shops. Surprise Surprise they were not able to give us any information about what was expected and told us that nothing had been formalised as yet, as to how this would work in Ayutthaya..!!!

This may not be the same everywhere, I am still waiting to see how they will enforce and monitor this...

[niller74]

A lot of discussion over websites and loggin visits/usernames.

The "law" requires logging all internet traffic.

Websites are not the whole internet. Presumably dns, smtp and ftp traffic must also be logged. In particular when I update my websites using my favourite ftp client, who is logging this? I can open up a Command window on my notebook and start "ftp", and using very basic commands upload and download data files, encrypted or not.

Then there are the bittorrent clients which also act as servers. Are these being logged? I guess not, if the logging works through a browser interface. And I will not even mention the "p" word, because the powers around TV will delete my post.

The whole thing is unworkable, but, on the positive side, I expect the BIBs will be easily satisfied with a few simple log files along the lines suggested in the posts in this thread.

Now, to take an example, some police agency outside of Thailand comes up with evidence that a dynamically assigned public ip-address has been downloading suspicious data. Now the organisation that assigns this public ip-address address in Thailand has been keeping logs of all the data, and can show from these logs which data came from this ip-address (in itself a massive task for the TOT or whichever organisation to store all this data). And then it comes down to the hotel, internet cafe or private client (like me for TOT) to show the logs and work out which dynamically assigned private ip-address was receiving/sending the data at that time and find the human behind the keyboard. HAH! No way, Jose. To match up all the time stamps/data/ip-addresses/username/id and end up with a person in Thailand is just about impossible.

AH! You say, how did they catch those naughty people in the UK for downloading music etc. Easy, the bittorrent clients broadcast your ip-address when you allow the client to source the files. This easily allows the police to find out who is in the UK and what files they are sourcing. And then they knock on your door. A different kettle of fish entirely.

So in the end the law just makes our lives a little more restricted, causes more costs for the companies involved, which will then filter down to us. The only benefit is for the government departments set up to combat the perceived threat, more staff more salaries, and the companies who come along with solutions to to implement the government policies. Even more taxes and expenses with no real positive results for the general population.

As a matter of fact the things you mentioned are fairly easy to log with a transparent proxy on your router.

Log output from IPTables (NEW chain) along with logs from a transparent proxy will give a qualified tech enough data to investigate http, https, ftp, dns, smtp and even some instant message traffic. With a little extra work (http://www.ntop.org or similar) you can in fact log quite a lot of torrent traffic.

When that is said, I shall be the first to admit that far from all traffic is easy to log, but the most commonly used is indeed. One of the almost impossible tasks would be to log Skype traffic.

[12DrinkMore]

As a matter of fact the things you mentioned are fairly easy to log with a transparent proxy on your router.

Log output from IPTables (NEW chain) along with logs from a transparent proxy will give a qualified tech enough data to investigate http, https, ftp, dns, smtp and even some instant message traffic. With a little extra work (http://www.ntop.org or similar) you can in fact log quite a lot of torrent traffic.

When that is said, I shall be the first to admit that far from all traffic is easy to log, but the most commonly used is indeed. One of the almost impossible tasks would be to log Skype traffic.

Only if they are using linux. And this is not a trivial task to set up and analyse.

Most places use Windows anyway.

[deeveloper]

Sound familiar folks??

Reminds me of when the anti-smoking laws were pushed in Thailand.. I believe i was in 3 different countries when they introduced anti-smoking laws.. must be the international bankers forcing their mandates on indebted countries again.. watch out for your freedoms.. before you have none...

UK government goes on with its plan for data retention

European Digital Rights

August 27, 2008

UK government intends to oblige ISPs and telephone companies to keep Internet personal data traffic for at least 12 months and local, health authorities and lots of other public bodies are to be given access to details of everyone’s personal Internet information.

On 15 August 2008, the Home Office published a consultation paper which makes clear that the personal data will now be available for crime and public order investigations and may even be used to prevent people self-harming. Furthermore, as the measure is the result of an EU directive, the data will be made available to public investigators across Europe.

The measure will cover VOIP as well and access to personal Internet and text data will be available to all public bodies licensed under the 2000 Regulation of Investigatory Powers Act (RIPA), meaning that hundreds of public bodies including local councils, health authorities, the Health and Safety Commission, the Food Standards Agency or Ofsted (the education standards watchdog), may require telecom companies to hand them over the personal data.

UK government intends to go further by introducing a draft communications bill this autumn which would require all the telecommunications companies to hand over this data to one central "super" database. The police and other public authorities will be able to access this database directly without having to make a request to the company which keeps the records.

The database had been planned to be bundled with the EU Data Retention Directive that is to be legally implemented in UK by March 2009. The consultation paper published by the Home Office is meant to transpose the Directive as a standalone statutory instrument. Laws made by statutory instruments do not need a Parliament vote.

Home Office civil servants are working on plans for the central database within the Interception Modernisation Programme (IMP). The IMP budget was part of the intelligence agencies’ undisclosed funding bid to the Comprehensive Spending Review last year. Sources disclosed that secret briefings gave a cost for the database that could reach nine figures.

The proposition faces opposition as many fear that a single database under Government’s control would be vulnerable to attacks or errors that may lead to information leaks.

Chris Huhne, the Liberal Democrats’ home affairs spokesman, said the government could not be trusted with sensitive data. "We will be told it is for use in combating terrorism and organised crime but if Ripa powers are anything to go by, it will soon be used to spy on ordinary people’s kids, pets and bins" he said.

In the consultation paper, the Home Office also gave an estimation of a cost of over 60 million euro that the storage of such an amount of Internet data may be imposed on the Internet industry. Besides, the Home Office admitted that the companies might have to store "a billion incidents of data exchange a day". The Government has already paid about 23 million euro over five years to telecom companies for access to data about citizens’ use of phones and the Internet.

‘Snooper’s charter’ to check texts and emails (13.08.2008)

http://www.guardian.co.uk/uk/2008/aug/13/p...liberties/print

Home Office - A consultation paper - Final phase of the transposition of Directive 2006/24/EC (08.2008)

http://www.statewatch.org/news/2008/aug/uk...nd-ret-interne…

Government pays telcos £18.5 million for records retention (7.08.2008)

http://www.out-law.com/page-9333

UK.gov to spend hundreds of millions on snooping silo (19.08.2008)

http://www.theregister.co.uk/2008/08/19/ukgov_uber_database/

EDRIgram: UK Government will store all phone, Internet traffic data (21.05.2008)

http://www.edri.org/edrigram/number6.10/uk-isp-traffic-data

EDRIgram: ICO worried about a UK Government-owned traffic data database (4.06.2008)

http://www.edri.org/edrigram/number6.11/ico-uk-govt-database

Pasted from:

http://www.infowars.com/?p=4183

[bino]

Now that this law has been in effect for a few months, I thought I would give it bump and ask the question...

Is your business complying with it??

If yes, what system are you using to collect the log data?

[simon43]

Not surprisingly (for Thailand), the free logging software that I wrote to comply with these new regulations has seen few downloads. Clearly, the BiB are not bothered to check internet shops for compliance....

Simon

[DP25]

Never seen an internet cafe complying with this and I doubt I ever will. The law is a joke and everyone knows it. Seriously, showing your passport to use the internet? Ridiculous.

[BigSnake]

I don't use public computers very often, but on the occasions I do, I always clear cache of history/passwords etc. This is pretty standard practice as you don't really want other people finding your user names and anything else that could have been saved (sometimes done without thinking). Does this mean I could cost someone 500k

Or are they going to have something that blocks clearing cache. In which case don't really want to use.

Maybe I am wrong but I think this rule/law also apply to Private Computer(PC)????

[aromsia]

Jeez!! I run a hotel with wifi and adsl access. any suggestions as to a suitable software application that can meet this demand? Do they just need storage of the website urls versus date/time? (In any case, since any of customers can use the computer, how can they identify who visited which website?)

Some of what's available:

Web Site Trackers

http://www.cryer.co.uk/resources/websitetracking.htm

A discussion on Thailand Outlook indicated that what will be required are individual logs of each computer in the cafe and the user who is on it when he starts and stops and the sites visited during his time on that individual computer. This would provide the police with the definitive and specific information they want to track.

Funny how so few realize that this is all about the Thai authorities tracking down people who are challenging the right to one person one vote.. It's the final assault on democracy..dressed up as attempts at anti-cyber crime and anti-pornogaphy, or whatever.

When in Thailand I now make sure I forward all such pro-democracy postings offshore 'just in case' .. if they are deleted later, it's harder for them to BS with allegations they never existed..

[britmaveric]

One net cafe (high end) never asked for anything. Pharmacy/Net Cafe - signed a log sheet no ID required. So to answer your question - think most ignore this.

[RPCVguy]

My home system went down in September, so I went back to the Internet Cafe I'd used previously. Bumped into the new paperwork of supplying name address and more. This gave me an ID to use when logging into one of 20 computers, which also tracks my time use against credits paid. So far annoying, but even the step-daughter says she and all her friends supply ID.

Okay, but here's the rub. Since then my spam count has gone from near zero to and through the roof, and even my cell phone has started getting hit with those pesky text message ads. Sorry, I don't use those accounts anywhere to have started the marketing blitz - so the coincidence is very suspicious for me.

Edited October 4, 2009 by RPCVguy

[gmac]

The thing about many laws in Thailand is that they are hardly enforced....but they are still there. Great source of tea money on the day they decide to have a crackdown!