Thailand's Internet Law Begins Aug. 23 Requires User Tracking

[Crushdepth]

From Aug 23, private firms, organisations and government agencies will be required to store all internet traffic data for 90 days

Does anyone know exactly what 'internet traffic data' means? Does it mean that we are expected to store all of the webpages, email, instant messages, files and random packets that are sent over the network? Or just 'who visited what, when'? And how do you log all of the packets? Would that be a job for Wireshark, or is there an easier way?

[niller74]

From Aug 23, private firms, organisations and government agencies will be required to store all internet traffic data for 90 days

Does anyone know exactly what 'internet traffic data' means? Does it mean that we are expected to store all of the webpages, email, instant messages, files and random packets that are sent over the network? Or just 'who visited what, when'? And how do you log all of the packets? Would that be a job for Wireshark, or is there an easier way?

I am fairly sure they are looking for connection logs. Most routers should be able to generate these log files.

Example from IPtables below

Oct  4 00:44:28 debian gconfd (vivek-4435): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Oct  4 01:14:19 debian kernel: IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=200.142.84.36 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18374 DF PROTO=TCP SPT=46040 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 00:13:55 debian kernel: IN=ra0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:18:de:55:0a:56:08:00 SRC=192.168.1.30 DST=192.168.1.255LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=13461 PROTO=UDP SPT=137 DPT=137 LEN=58

[12DrinkMore]

One question I,d like to ask you is- I was at an internet cafe with a visitor friend of mine.

He turned to me and said " I want to show you something cool" he then went and showed me all the emails, inbox,outbox, etc of people made for that computor that day.

I could of read all that they had written.

is that how he did it-this key lock thing? Is there anyway to get around this?

He said he could do that at any email centre in bangkok.When I asked the owner they tried to avoid the question.

This is easily done, no keyloggers involved.

Under "File" you can turn the browser to "Work offline".

Now using the "back" and "forward" buttons you can flip through loads of pages that are still in the cache, including email. You can even try it now

There are still pages that cannot be recalled because of the way they have been programmed, for example you should NEVER be able to use this method to flip through internet banking data.

It is a major security risk, and you should ALWAYS clear ALL local data, before leaving the computer. I am a little paranoid about this, and normally take my laptop with me when travelling and use it in the internet cafes, when I can't access a WLAN from the hotel room.

From Aug 23, private firms, organisations and government agencies will be required to store all internet traffic data for 90 days

Does anyone know exactly what 'internet traffic data' means? Does it mean that we are expected to store all of the webpages, email, instant messages, files and random packets that are sent over the network? Or just 'who visited what, when'? And how do you log all of the packets? Would that be a job for Wireshark, or is there an easier way?

"All internet data" is its broadest sense means exactly that. It is an impossible task, firstly from the amount of data involved and secondly it would slow the internet access times down to zilch, if the TOT, for example, stored every piece of data that went throught them. And there is no way that the BIBs could extract anything useful from it anyway.

As I said earlier, although on the surface the law sounds reasonable, as soon as you spend more than 1 second thinking about the ramificactions it is an utterly stupid idea. Similar to the "no alcohol sales between 12:00 and 17:00", which is fresh in my mind because I had to wait 10 minutes at 7/11 yesterday to buy my beer.

This is so "Typical Thai", as long as there is a superficial gloss they are happy, what exists beneath doesn't really matter and is best left untouched.

[petitechevre]

i suggest everyone buys a VPN.. about 500baht/month.. encrypts everything.

[sriracha john]

Sorry for the computer offtopic talk, I just want make everone aware that all data can easily be logged on a computer if a dishonest person *or a governmental ministry* installs a logger on a computer. It is not totally safe to use a internet cafe.

Not off-topic at all and appreciate the additional information you provided as my addition to your post makes it more real.

[db1tau]

Well we've got the same law in the EU, they call it the telecom data retention law and all connection data must be saved for 6 months starting from 2009. There was a lot of protest against that law of course.

The goal is to prohibit anonymous internet access. Of course this will never be 100% possible and if you don't need high connection speeds, you still can use a vpn from another country (outside EU) to be anonymous. The only people they can really track down with that are the peer-to-peer filesharers.

The downside is that all open Wifi services are outlawed and have to be closed. If someones does something illegal via your Wifi, you as the operator are responsible because they track your IP. (this not only covers Wifi, but the also "ADSL hookup" n many serviced apartments) Internet cafes have to log id and passport data (that already happens e.g. in italy). SIM cards that provide GPRS or 3G services must be registered to the holder with id or passport. That already happens in switzerland for a long time and a law like this even exists in thailand (but not enforced).

It is in fact a stupid law, because if you are really a criminal or a terrorist, you still can find a way to anonymously use the internet. Useful services like Wifi in hotels or bars have to shut down. I don't think they will enforce it (like the "register your SIM" law), but if they really did and closed all loopholes, I could not travel to thailand anymore, because I rely on WiFi Services for my work.

[Jimjim]

"Hey Somchai, let's have a look at you log files then, Khrap"

"Duh?"

"That'll be 500 Baht / month online service fee then"

It's a 500,000 baht fine if they don't maintain logs.

He was talking about tea money, meaning it could be another excuse for police to collect mob-like protection payments of 500 baht/month.

I think we are getting there:

Judge Orders YouTube to Give All User Histories to Viacom

By Ryan Singel EmailJuly 02, 2008 | 7:16:54 PMCategories: Copyrights and Patents

Google will have to turn over every record of every video watched by YouTube users, including users' names and IP addresses, to Viacom, which is suing Google for allowing clips of its copyright videos to appear on YouTube, a judge ruled Wednesday.

I was wondering if this information isn't kept on servers all over the planet already (all international traffic goes through CAT isn't? They could keep records)

As for The goal was for the Thai Government to have a record of everybody's SIM card as there was the fear mobile phones could be used to trigger bombs.

Forget the last part: having your SIM card number and your ID allows you to be tracked to the nearest pole (if you are in reach that is) where ever you are as long as your phone is in stand by mode.

So what they are after NOW are the occasional internet shop visitors.

What you're missing is that in the interest of privacy Google and Viacom came to an agreement a week or two later that meant all the private information (IPs, user ids, etc.) provided by Google to Viacom will be anonymous. In effect, all the private info is given a "pseudonym" of sorts so privacy triumphed here and now everyone need not worry about this case.

As for porn, I understand Thailand's official conservative stance but my goodness they could spend their time on a lot more pertinent issues. Waste of time and money to worry about adult porn when there's a lot of violent crime to worry about, etc. Absolutely ridiculous. How can you convict anyone for this? Just about everyone does it. At my last job in Thailand the managers were looking at porn on work computers in full view of many. Men and women stood around looking and making jokes. Guess they like to do things like this as Big Brother says it is "bad".

Edited August 14, 2008 by Jimjim

[12DrinkMore]

Guess they like to do things like this as Big Brother says it is "bad".

No, it's a lot simpler.

They just like doing it.

[Crushdepth]

i suggest everyone buys a VPN.. about 500baht/month.. encrypts everything.

I'm currently looking at the Relakks anonymizing service, which is 5 Euros a month and gives you a Swedish IP (Sweden has fairly tough privacy laws).

[Hawkup2000]

"Buy" VPN tunnel/500 baht/month? Thats would be expensive even if they had MPPE 128 or tripple DES krypto. Shop around it is not that expensive .

Can we talk about VPN on this forum? Because is it almost same as proxies (even if the moderator may not know it) and that not allowed...

Edited August 14, 2008 by Hawkup2000

[Hawkup2000]

.

Edited August 14, 2008 by Hawkup2000

[niller74]

"Buy" VPN tunnel/500 baht/month? Thats would be expensive even if they had MPPE 128 or tripple DES krypto. Shop around it is not that expensive .

Can we talk about VPN on this forum? Because is it almost same as proxies (even if the moderator may not know it) and that not allowed...

We cannot talk about proxies/vpn? Says who?

[Crushdepth]

You can talk about VPNs and proxies in 'legitimate' contexts such as computer security and privacy and this has been acknowledged by the ICT ministry in interviews with the press.

But you can't advise people on how to circumvent government censorship controls (as lame as they are), and in theory you can be legally compelled to hand over encryption keys/decrypt data.

[sibeymai]

it was mentioned earlier in this thread that if accessing the internet through a GPRS modem on your mobile phone that this could not be traced. I assume this would be because a different IP address would be allocated for each connection session. Correct ?

However, the sites visited could presumably be linked to the handset telephone nimber which would be just as effective as a land line ADSL with a static IP address to identify the user. Agreed ?

Edited August 14, 2008 by sibeymai

[db1tau]

Of course they can track GPRS connections to a SIM and IMEI number. But since you don't have to show your passport when buying a SIM and you always can buy second hand phones or use foreign phones, there is no way to connect that IP to a specific person.

[sibeymai]

so as long as you're on a pre-paid "no fixed address" basis you're ok. But if you're on a regular billing plan then not so.

[TAWP]

This is why one uses encrypted connections bouncing off some other serves in other countries if needed.

[Farma]

Interesting to see suggestions of using secondhand sims etc.

One of the methods used recently by the security agency in a certain country to track and catch hundreds of deviants aka terrorists was to allow a batch of unregistered sim cards to be sold under the counter. Each sim was then location tracked and all communication recorded.

Hiding isn’t as easy as we think.

[sibeymai]

actually, being on pre-paid GPRS is not very anonymous. Once the telephone number is known so are all the numbers dialled and received as well as SMS. Very likely at least one of those contacts will be able to identify the number.

[Nickthegreek]

I read this yesterday in the Post and at this point in time own two internet game online cafes,which cater to the Thai market and the odd occasional tourist/teacher.

I no longer work in the shops,but I am watching this with baited breath, as we at this point in time have had no information given to us as to how this would work by Thai officials..

Judging by most of the game online shops in my area,most of them do not even know how to print,so god knows how they will back up data on a day to day basis..

Its fair to say that I cannot be bothered to do this and will just delete the function of Internet from the computers,if this becomes enforced and only allow gaming..

I think this must be a wind up..because I struggle to see how this will be inforced.

waiting for something concrete...

Edited August 14, 2008 by Nickthegreek

[12DrinkMore]

Of course they can track GPRS connections to a SIM and IMEI number. But since you don't have to show your passport when buying a SIM and you always can buy second hand phones or use foreign phones, there is no way to connect that IP to a specific person.

Don't understand all this about second hand phones and second hand sims. You can buy brand new ones without showing id.

[Kerryd]

Don't understand all this about second hand phones and second hand sims. You can buy brand new ones without showing id.

True enough.

I've bought at least 3 SIM cards since that "law" came into effect, and never been asked to show ID or fill out any registration form. And I never registered the SIM I had at the time (when it was mentioned that if you didn't register it by a certain time, it would no longer work).

The whole idea was looney to begin with, as this one sounds to be. What's the point of only (essentially) capturing data from places like internet cafes, which must represent a small portion of overall internet use ?

Would Thais be required to enter an ID Card number, and foreigners their passport number each time they logged in ? Or is it like the SIM card law where (originally) we were told that only foreigners had to register their SIMs (as though the systems would be able to tell the difference between a SIM bought by a Thai or a foreigner).

And the huge amounts of data that would be stored. Even targeted searches (i.e. for visits to specific websites) would be of little use. What's the point of finding out that Mr Bloggins (passport #ABC123456) visited "DirtySanchez.com" 72 days ago, when Mr Bloggins left the country 67 days ago ?

This law might have some (limited) use though. For example, trying to track paedo's. If word got out (i.e. through police channels) that various paedo sites were getting a lot of hits from certain Thai IPs, the police could locate those IPs, search the logs and try to find who/when was visiting those sites.

That would still take a lot of work (for little reward).

Or this could end up being one of those laws that gets put on the books and forgotten about, until such time as they need it to help with a prosecution (say they arrest someone for something, but it's a flimsy case. Then they add a violation of this law and maybe others to the list of charges. Offer to drop this (and some other charges) to try to get the "perp" to plead guilty to one charge.)

Again, not likely.

But you have to think, if the lawmakers weren't busy making up stuff like this, they could be doing doing even sillier things !

[petitechevre]

i suggest everyone buys a VPN.. about 500baht/month.. encrypts everything.

I'm currently looking at the Relakks anonymizing service, which is 5 Euros a month and gives you a Swedish IP (Sweden has fairly tough privacy laws).

i have tried a lot of vpn's for work here in thailand

relakks has been everything but good. slow connection time.. often lags out. same with one of the other major.

currently im using my friend's company. they offer 21$ usd for 3months(own private non shared ip) and everytime u get to choose between german or usa address meaning u can stream on sites like abc.com/fox.com every tv show in high quality.. it's the only one that doenst lag out. but i wont need it anymore since im paying 3500 baht for TOT business and everything works almost fine

[12DrinkMore]

I've bought at least 3 SIM cards since that "law" came into effect

Wandering off topic a bit here, bit now we don't seem to hear that the bombs in the south are being set off by mobile phones. I can think of two possible reasons.

1. The law was a huge success and scared the terrorists into thinking they could be identified

2. The number of unsolicited SMS messages has become too risky for them

[chevykanteve]

I agree it's a stupid law, but it doesn't apply to home usage as I understand it from the television news that discussed it at length. I'll see if I can find an additional article that clarifies that it is for businesses.

It WILL later if the PAD and/or other advocates of Confucian philosophical "morals" have anything to say/rally regarding the issue.

[whatsoever]

My dear friends and admirers,

Due to the new rules on internet privacy i wish to inform you that any views i may express in future posts will be totaly tongue in cheek. My previous postings were made from a totaly deluded pre - new - world - order - facist point of view. Future postings will be made with the understanding that facist monitoring will dictate my view point

[Crushdepth]

it was mentioned earlier in this thread that if accessing the internet through a GPRS modem on your mobile phone that this could not be traced. I assume this would be because a different IP address would be allocated for each connection session. Correct ?

I think the phone company would probably log your IP and would be able to associate it with your account, just like a regular ISP. If you want privacy you need some kind of encrypted connection extending out past the area you are concerned about - whether its just the hotspot at the local cafe or right through through to (say) your bank.

[chevykanteve]

Agree 100% with whatsoever. In actual fact, ALL my previous postings were in fact tongue-in-cheek. No negative comments I made concerning the PAD, Gestapo, Confucian-inspired Nazis and their rally-weltanschauung, etc., were other than dallying attempts at humor.. Really. ching ching

Edited August 14, 2008 by chevykanteve

[whatsoever]

THINK: internet - (intern - net)

[sriracha john]

as we at this point in time have had no information given to us as to how this would work by Thai officials..

That's no excuse! You will comply within 9 days... and you can't use the lame excuse of not knowing what in the world the officials want.... Just comply.... somehow.... someway!! BUT DO IT SOON!!!!

I'm totally kidding, of course, but it does appear that is the government's mindset. I wish you the best of luck in your difficult position of trying to implement a program without any guidance whatsoever from those that are demanding your compliance.