New Internet Law

[Crushdepth]

Privacy laws? Thailand? cheesy.gif

It was just a thought

[drake]

hm, here the Bangkok-Post "promotion"...

http://www.bangkokpost.com/130808_News/13Aug2008_news11.php

and the Computer Crime Act legislation.

http://multimedia.prachatai.com/doc/2007/C...E._2550_Eng.pdf

be careful with open WiFi !

drake

[Crushdepth]

Thanks for that, very useful. If this tranlation is accurate, then contrary to some newspaper articles it looks like businesses that provide internet facilities purely for *their own staff* don't have to keep records as they don't fall in the definition of 'service provider'. Most likely an open residential wifi access point wouldn't either. Unfortunately, internet cafes do.

“Service Provider” shall mean:

(1) A person who provides service to the public with respect to access to the Internet or other mutual communication via a computer system, whether on their own behalf, or in the

name of, or for the benefit of, another person

(2) A person who provides services with respect to the storage of computer data for the benefit of the other person

The definition of 'computer system' would cover nearly any modern electronic device from your mobile phone down to some advanced coffee makers :-)

[niller74]

According to that article in Bangkok Post they claim that all traffic should be stored.. That cannot possible be true.

"required to store all internet traffic data for 90 days"

Can anyone confirm this?

[TheWalkingMan]

Are these pronouncements passed along to each city office to make sure that all registered businesses know about it? Or is it just the old, ignorance of the law is no excuse. I would be willing to bet that a vast majority of internet cafes, wifi hotspot sponsors, hotels, guesthouses etc have no clue that this is now on the books. This is going to be a nice little earner for some people.

TheWalkingMan

[onethailand]

Yikes.... this law looks more nasty than I thought - thanks for the links, Drake.

I note that the definition of "service provider" requires provision of services to the "public" - but note that public is not defined. Thus, even on a private network, like for a company, you may find that the term "public" can be loosely interpreted.

Furthermore, if you store data for the other person - you are also a service provider. Think "email".

I am still skimming the translation - but read Section 17 - if you commit an offence outside the Kingdom against the Thai Government or a Thai person, and you are not Thai, you will be penalized within the Kingdom - meaning don't come back if you want to stay free. If you are Thai, you will be punished for committing an offense against people outside the Kingdom.

Most of the rest basically covers hacking - but Section 13 covers the use of a tool (read: proxy) to commit an offense. Section 16 - don't alter stuff like photos which can cause embarrassment to the other person - except when they deem it is a "trustworthy" act LOL...

This is a nasty law. I don't think most people need to worry too much about hacking or alteration of photos in a non-trustworthy act - but Section 17 is going to cover spreading of rumours, lese majeste... etc - and if you operate an email server, be forewarned that the law is not as clear as it appears and you could get into trouble.

[Prasert]

I've been reading the document, but it is still not clear to me what needs to be logged.

A transparent proxy is capable of logging the requested url with a timestamp and IP address. But only for normal web traffic (as ssl is encrypted end-to-end).

The problems from the last months with TOT's smtp traffic are another example: I suspect that TOT is logging every single mail offered at their mail server from their customers. Or at least they're trying to.

But what do they want? There's a hel_l of a lot more on the internet than just websites! Skype totally behaves like a peer2peer application, try logging those sessions. What about telnet sessions, do they want transcripts? What about ftp, usenet, vpn's to name a few?

It's a nice try from the government to enact this act, and the very last paragraph (Remark) describes the government's motivation. But they totally fail to specifically state what they want the internet cafes / service providers to log. So if it's not stated, you can't be blamed for not having it.

If the government wants a list of logged traffic, supply a list of what to log. And do that the same way the internet actually runs: by indicating which IP-numbers, protocol-numbers and port-numbers they want logged. The only problem is that detailed information like this is probably way beyond the knowledge of the average internet cafe owner.

[unomi]

Everytime you log into an ISP, the ISP also records the IP address - so no matter how many times a day you get a new IP, the ISP knows its you.

Now if you run a cafe, the ISP fingers your address, then at your cafe you will need to produce additional logs to narrow it down to a particular customer - otherwise you take the blame and pay 500K in fines.

Anyone knows software which can do the job ?

I came across this : http://www.bahtsold.com/detail.php?id=33187 which claims to do just that. I havent looked at it so ymmv.

Aside from the program above.

As I understand it you need to put a server between your client computers and the ADSL router that would log addresses and timestamps for connections to outside computers, then attach that info to the proof of identity that the client gives you. I would say having such a server is not a bad idea in general as it allows you to do bandwidth shaping and accelerating web proxys not to mention catch malware and viruses as they come in.

It would also be possible to 'sniff' traffic as long as you use a network hub rather than router (or your router is set up to allow it.)

I assume you are using some kind of cafe admin system already? if so which one?

I am a computer programmer with extensive network experience, let me know if you need assistance.

PS. a bit worrying that this post has so few replies when the unsurprising and somewhat insignificant flight of thaksin has 600+

[ace]

How many are actually storing logs now?

And what are you storing?

Nothing. I still don't know how. Wireshark? Also, does thailand have any privacy laws where we might get our <deleted> sued by members of the public for attempting to comply with other (conflicting) legilsative requirements?

You see it depends on the wording of the law, and that is not clear. Connection only information can be logged thru SYSLOG or a variant depending on your router/ADSL modem OS. Doesn't included data though, and the wording would indicate the retention of all data. Which is plainly ridiculous.

[Crushdepth]

According to that article in Bangkok Post they claim that all traffic should be stored.. That cannot possible be true.

"required to store all internet traffic data for 90 days"

Can anyone confirm this?

According to the translation (PDF link above), internet traffic data is just the sites visited, time, who etc, not the actual data/content itself.

Furthermore, if you store data for the other person - you are also a service provider. Think "email".

Fortunately, my work is already compliant with this. We use Google Apps for our email and Google is the provider!

The problems from the last months with TOT's smtp traffic are another example: I suspect that TOT is logging every single mail offered at their mail server from their customers. Or at least they're trying to.

Might explain some of the smtp slowdowns that have been observed over the last few months. (Or maybe its just that bad normally )

[unomi]

>A transparent proxy is capable of logging the requested url with a timestamp and IP address. But only for >normal web traffic (as ssl is encrypted end-to-end).

If you have a computer between the adsl modem and the clients (or run a custom firmware on the modem) you can log all transactions; not the content necessarily, but the source and destinations, which I believe is what they want.

>But what do they want? There's a hel_l of a lot more on the internet than just websites! Skype totally >behaves like a peer2peer application, try logging those sessions. What about telnet sessions, do they >want transcripts? What about ftp, usenet, vpn's to name a few?

Section 26. A service provider must store computer traffic data for at least ninety days

from the date on which the data is input into a computer system.

“Computer Traffic Data” means data related to computer system-base

communications showing sources of origin, starting points, destinations, routes, time, dates

volumes, time periods, types of services or others related to that computer system’

communications.

So just 'metadata', not the actual 'payload' that was sent from or to your computer.

If that is a correct interpretation on my side then gathering this information is not all that difficult, but would require modification to the network, either by routing all traffic thru a computer that does the logging, or modifying the firmware of the modem to stream logs to such a computer.

VPN is encrypted, yes, but the 'next' destination is still known.

>It's a nice try from the government to enact this act, and the very last paragraph (Remark) describes >the government's motivation. But they totally fail to specifically state what they want the internet >cafes / service providers to log. So if it's not stated, you can't be blamed for not having it.

It is totally obscene that they enact this, but what they want seems pretty clear, what I find much more worrying is the section pertaining to drawing public attention to insecure computers.

>If the government wants a list of logged traffic, supply a list of what to log. And do that the same way >the internet actually runs: by indicating which IP-numbers, protocol-numbers and port-numbers they >want logged. The only problem is that detailed information like this is probably way beyond the >knowledge of the average internet cafe owner.

They want it all.

[froggshw]

So it sounds like the Thai Gov wants all internet cafes to pay a 50,000baht fine...because I can guarantee most dont know about this law yet.

Froggs

[Crushdepth]

The stupid thing about this kind of legislation is that eventually it will trigger a backlash by developers. Industrial-strength encryption will become the default and then governments will find it considerably more difficult to invade people's privacy. They'd be far better off pretending they aren't interested in sticking their noses in where they aren't wanted (since they already do anyway).

[unomi]

http://www.thaivisa.com/forum/Thailand-s-I....html&st=25

this thread for more

[onethailand]

It's definitely not the payload they want, it's the data on what connections are being made. The only time a payload is likely to be a problem is if you are moving certain types of restricted files - in which case it might be a problem only if you are storing this information for someone else.

A computer between your network and your router is - um - a proxy server But in this case it looks like a workable solution as the proxy isn't meant to hide anything.

[Prasert]

Section 26. A service provider must store computer traffic data for at least ninety days

from the date on which the data is input into a computer system.

“Computer Traffic Data” means data related to computer system-base

communications showing sources of origin, starting points, destinations, routes, time, dates

volumes, time periods, types of services or others related to that computer system’

communications.

So just 'metadata', not the actual 'payload' that was sent from or to your computer.

If that is a correct interpretation on my side then gathering this information is not all that difficult, but would require modification to the network, either by routing all traffic thru a computer that does the logging, or modifying the firmware of the modem to stream logs to such a computer.

VPN is encrypted, yes, but the 'next' destination is still known.

As I said before, nice try.

Let's see:

sources of origin, starting points - I guess these are the same, why mention it twice?

destinations - fine. IP address or hostname? Logging the IP address is simple, finding out which website was requested requires reading the payload and finding host-header-information (only possible with webtraffic)

routes - internet route to the destination? Impossible as this would require a traceroute for every connection logged. It's a description which leaves too much questions and is not specific enough.

time, dates, - fine

volumes - volume of data transfers?

time periods - duration of each session? As this is about "Computer Traffic Data" I don't think they mean the time a customer spends behind a computer. And logging how long it takes before the requested data arrives can turn out to be very embarrassing for Thai ISPs (the logs will show: way too long).

types of services - I'll log the TOS values of each session. But since this value is discarded when a packet is routed to the next ISP, I fail to see the use of logging it.

or others - uhm....but of course!

By the way, as Thaivisa.com is used by lots of people in Thailand, this site can be regarded as an "extraterritorial application" even when it's hosted outside Thailand. So I guess every user in Thailand has to upload a copy of his/her passport?

Technically, logging is possible. But technical solutions require clearly defined boundaries, which is not the case in this law.

[MaxLee]

How is anyone gonna check so much random data in those 90 day period? Do you know how much work that is???? We have so many Internet users around the world who do everything they want. You can practically arrest the "whole world" for committing "supposed crimes"... How would it be possible with such random change of many worldwide Internet users to find criminals???

So suppose IF for example, those Internet police forces of Thailand find somebody who is recording farts on youtube, can they arrest this person for that???

[singa-traz]

How is anyone gonna check so much random data in those 90 day period? Do you know how much work that is???? We have so many Internet users around the world who do everything they want. You can practically arrest the "whole world" for committing "supposed crimes"... How would it be possible with such random change of many worldwide Internet users to find criminals???

So suppose IF for example, those Internet police forces of Thailand find somebody who is recording farts on youtube, can they arrest this person for that???

On the road, you are supposed to drive below 90km/h. Does that mean that the police check the speed of every car ? ...

[ilyushin]

If they ever kick my door down and haul me off. I hope they take my computer and list all the sites I have visited not just what they want to publish. The reason being is most of it is Intel/research on the very people who will kick the door down.

They can choke on keyboard and swallow my mouse. Also shove my UPS up their ... ( this is where your imagination kicks in)

I recently saw a sticker "Thinking is still legal, but for how long?"

Supporter of "Freedom of correct information"!!!

Edited August 25, 2008 by ilyushin

[monty]

How is anyone gonna check so much random data in those 90 day period? Do you know how much work that is???? We have so many Internet users around the world who do everything they want. You can practically arrest the "whole world" for committing "supposed crimes"... How would it be possible with such random change of many worldwide Internet users to find criminals???

They don't want to check all traffic. They just want a way to back trace certain events to a person.

e.g.

Somebody complains about a private nud_e picture been uploaded to the net (happened recently in Thailand!).

They ask the site to give the IP address and date/time stamp from where the picture was uploaded.

They end up at a Thai ISP, so they ask the ISP which customer was assigned that IP address at that particular time (hence the additional law about all computer systems having to run perfectly synced with the Thai military time servers, a few seconds off anywhere along the line and they might end up at the wrong place)!

IP address ends up for example being assigned to an internet cafe.

Previously this was where the problem started, they only could hope the internet cafe has a CCTV system and keeps the video long enough. Then hope they might identify the perpetrator from the video. They actually did it this way with the bloke blackmailing Tesco lotus with poisoning their food...

From now on, they just have to go to the internet cafe/hotel/office, ask the logs and they will see exactly who (copy id card/passport) uploaded that picture at the exact date/time stamp...

You run an open wifi point at home? Better don't do it, with this law you have NO excuse anymore.

Run a hotel? Better start logging lest one of your customers might be up to something from the privacy of his room. You have no excuse anymore. They might no be able to charge you with uploading the offending picture, but they can slap you with a cool half million Baht fine!

[unomi]

I am not going to claim that I have definitive answers here but I'll take a stab at it:

sources of origin, starting points - I guess these are the same, why mention it twice?

if you are an isp you tend to 'route' from one computer to another so you have sources of origin, not necessarily the true starting point.

If you have a computer cafe you have starting points.

destinations - fine. IP address or hostname? Logging the IP address is simple, finding out which website was requested requires reading the payload and finding host-header-information (only possible with webtraffic)

Considering that this covers all internet traffic I think you have answered your own question.

routes - internet route to the destination? Impossible as this would require a traceroute for every connection logged. It's a description which leaves too much questions and is not specific enough.

What IS known is the next hop.

volumes - volume of data transfers?

Yes.

time periods - duration of each session? As this is about "Computer Traffic Data" I don't think they mean the time a customer spends behind a computer. And logging how long it takes before the requested data arrives can turn out to be very embarrassing for Thai ISPs (the logs will show: way too long).

The law concerning all computers must be set to the same time underscores that it is exactly the duration of traffic that is wanted here.

types of services - I'll log the TOS values of each session. But since this value is discarded when a packet is routed to the next ISP, I fail to see the use of logging it

It is potentially assigned a new one by the router, which would have the ability to log the state of the old one.

Technically, logging is possible. But technical solutions require clearly defined boundaries, which is not the case in this law.

Perhaps it would have been more clear if they had stated outright that they wanted the ability to do statistical traffic analysis to catch people who used VPN and TOR to try to avoid the prying eyes of the state.

Welcome.

Edited August 25, 2008 by unomi

[Prasert]

Well, I guess it's not up to us anyway to determine what the government wants.

Now back to what's happening. My (Thai) partner called several family members who run internet cafes in Bangkok. They have no clue on how to achieve the requirements in the new law, so they are driving the ministry crazy with questions about how to do it. Sofar, the ministry has no clue either, but most people were told that CAT is already taking care of the majority of those requirements.

Bangkok will probably the first place where anything will happen, if anything ever happens. Until then, I will be logging visited websites from my network using Squid (transparent proxy). If an official shows up requesting the logs, I'll print them out for him (1 baht per page of course).

[onethailand]

Well, I guess it's not up to us anyway to determine what the government wants.

Now back to what's happening. My (Thai) partner called several family members who run internet cafes in Bangkok. They have no clue on how to achieve the requirements in the new law, so they are driving the ministry crazy with questions about how to do it. Sofar, the ministry has no clue either, but most people were told that CAT is already taking care of the majority of those requirements.

Bangkok will probably the first place where anything will happen, if anything ever happens. Until then, I will be logging visited websites from my network using Squid (transparent proxy). If an official shows up requesting the logs, I'll print them out for him (1 baht per page of course).

Haha...

The ISPs are all in compliance - but the cafes will still need to record personal details at least once for every customer. Otherwise, the cafe at the end point is one IP - and if that is the source of the illegal activity and the cafe owner cannot prove that it wasn't him, in the end it is still his name on the registration and thus he will be liable.

It's basically that simple - rather than worry about complying with the technical requirements of the law, the cafe owner should be concerned about making sure that he is not implicated in any activity which contravenes the new law. For most operators, that will mean taking ID (or requiring a one-time membership) - and maintaining logs of all activity by that ID or member for 90 days. This will be sufficient to prove that it wasn't the cafe owner who did it.

As my ISP friend also said to me, in his own situation, "IP is sufficient" - in his case, it is because every IP is automatically tracked to an account. If that account belongs to a cafe, the ISP is still in compliance because he can point to the origin of any activity from his standpoint. Thus, from the cafe, they will need to be able to point to the origin of any activity from their standpoint.

Strangely enough, I wouldn't expect the people at ICT to know what they were talking about anyhow so don't expect any answers from that quarter!

In short, it's not so much about complying with the law, so much as protecting their own asses, that cafe owners should be worried about.

[Phil Conners]

This may actually be a good little opportunity for someone with a little Linux/Network experience. Setup a small Linux based router with the appropriate logging set up, perhaps mysql based with a daily cron job to clear out logging data that's more than 90 days old and some preset queries... Would probably cost 3-4K for the hardware, sell for 10K a pop, x number of Internet cafes and hotels with Internet access .... easy money .... who'll get to market first?

Edited August 25, 2008 by Phil Conners

[Crushdepth]

In short, it's not so much about complying with the law, so much as protecting their own asses, that cafe owners should be worried about.

So true...

[Veazer]

This may actually be a good little opportunity for someone with a little Linux/Network experience. Setup a small Linux based router with the appropriate logging set up, perhaps mysql based with a daily cron job to clear out logging data that's more than 90 days old and some preset queries... Would probably cost 3-4K for the hardware, sell for 10K a pop, x number of Internet cafes and hotels with Internet access .... easy money .... who'll get to market first?

Looks like somene has found another way to profit from the new law:

http://www.kpmg.co.th/service/advisory/Computer Crimes Act 2007_Compliance Review Services _final.pdf://http://www.kpmg.co.th/service/advis...ices _final.pdf

[Phil Conners]

KPMG is not going to provide any solution at the 10K price range!!

[Veazer]

KPMG is not going to provide any solution at the 10K price range!!

I didn't mean to imply they would, I was simply stating that others have found ways to profit from the law, or at least try. A network appliance and a company-wide IT policy audit/review are not comparable.

[brfsa2]

Welcome to the New World Order:

- Absolute power from the goverment.

- Food Crisis.

- Internet control.

- Oil Prices at high.

- The Rich gets Richer and Poor gets poorer

[brfsa2]

This may actually be a good little opportunity for someone with a little Linux/Network experience. Setup a small Linux based router with the appropriate logging set up, perhaps mysql based with a daily cron job to clear out logging data that's more than 90 days old and some preset queries... Would probably cost 3-4K for the hardware, sell for 10K a pop, x number of Internet cafes and hotels with Internet access .... easy money .... who'll get to market first?

Looks like somene has found another way to profit from the new law:

http://www.kpmg.co.th/service/advisory/Computer Crimes Act 2007_Compliance Review Services _final.pdf://http://www.kpmg.co.th/service/advis...ices _final.pdf://http://www.kpmg.co.th/service/advis...ices _final.pdf://http://www.kpmg.co.th/service/advis...ices _final.pdf

It is actually very easy to set a fast and secure Internet Log server Linux based machine.

Just for under 8000 Baht.

I have 8 years experience with linux.