Computer Crime Act B.E. 2550 (2007) & Ministry of ICT Notification

    Computer Crime Act B.E. 2550 (2007) & Ministry of ICT Notification - Presentation Transcript

    1. Computer Crime Act B.E. 2550 (2007) & Ministry of ICT Notification. A Presentation to the AMCHAM ICT Committee & Internet Service Providers. Tim Bass CISSP, (ISC)2, Executive Vice President, ACIS Professional Center Co., Ltd. Email: [email_address] Mobile: +6683-297-5101
    2. Our Agenda
      • Introduction
        • English Versions of the CCA and MICT Notification
        • Example of CCA Laws in Other Countries
      • Summary Road Map of the CCA
      • Summary Road Map of the MICT Notification
      • Discussion
      Note: Due to our 30 minute time constraint today we will not read each section of the CCA in detail.
    3. Disclaimer. The information contained in this presentation is based on two UNOFFICIAL English translations of the Thai language Computer Crime Act B.E. 2550 (2007) and one UNOFFICIAL English translation of the Thai language Annex Notification of the Ministry of Information and Communication Technology Re: Criteria concerning Archiving of Computer Traffic Data of Service Provider B.E. 2550. ACIS Professional Center Co. Ltd. advises all concerned to refer to the OFFICIAL Thai language version of these documents. Neither ACIS Professional Center Co. Ltd. nor its employees are responsible for errors or omissions in the UNOFFICIAL English translations of these Thai language documents.
    4. Computer Crime Act B.E. 2550 (2007) – Unofficial English Versions
      • Three Known English CCA-Related Docs (CCA / MICT)
        • CCA: Computer Crime Act B.E. 2550 (2007), High Quality, Unofficial Translation
        • MICT: Criteria concerning archiving Computer Traffic Data of Service Provider B.E. 2005 (with Annex A & B), Unofficial Translation (MICT Notification)
        • CRCA: Computer-Related Crime Act B.E. 2550 (2007), Unofficial Translation
    5. Computer Crime Act B.E. 2550 (2007) – Foreign Influences
      • Example Foreign Influence to Thai CCA
      • Courtesy of Internet Thailand Public Company Ltd. (www.inet.co.th)
      • Country, Law (Act), URL:
        • US: Virginia CCA, http://www.scstatehouse.net/code/t16c016.htm
        • US: South Carolina CCA, http://www.scstatehouse.net/code/t16c016.htm
        • LK: Sri Lanka CCA, http://www.icta.lk/InsidePages/downloadDocs/Computer_Crimes_Act_No_24_of_2007(E).pdf
        • MY: Computer Crime Act 1997 (Act 563), http://www.ktak.gov.my/system/uploaded/files/Computer%20Crimes%201997%20-%20Act%20563.pdf
    6. Our Agenda
      • Introduction
        • English Versions of the CCA and MICT Notification
        • Example of CCA Laws in Other Countries
      • Summary Road Map of the CCA
      • Summary Road Map of the MICT Notification
      • Discussion
    7. Computer Crime Act B.E. 2550 (2007) – A Road Map
      • 30 Total Sections
      • Section 4 authorizes the current Notification of the Ministry of ICT (the details) that we will discuss later.
      • Roadmap Summary of CCA by Section(s):
        • Sections 1-3: Name, Date, Definitions
        • Section 4: Gives the Ministry of ICT charge, control and regulatory power over the act.
    8. Computer-Crime Act B.E. 2550 (2007) – A Road Map
      • Part 1 Computer-Related Offences (summary)
      • Section 5: Unauthorized system access (jail 6 months, fine 10K Baht)
      • Section 6: Unauthorized disclosure of controls (jail 1 year, fine 20K Baht)
      • Section 7: Unauthorized access of data, bypassing controls (jail 2 years, fine 40K Baht)
      • Section 8: Unauthorized interception of data (jail 3 years, fine 60K Baht)
      • Section 9: Unauthorized damage, destruction, obstruction, interference, etc. to data (jail 5 years, fine 100K Baht)
    9. Computer Crime Act B.E. 2550 (2007) – A Road Map
      • Part 1 Computer-Related Offences (summary)
      • Section 10: Unauthorized delay, disruption, suspension, obstruction, interference, etc. to systems (jail 5 years, fine 100K Baht)
      • Section 11: Impersonation, faking source of disruptive behaviour (jail n/a, fine 100K Baht)
      • Section 12 (1): System or data damage (Sec. 9/10) that injures the general public (jail 10 years, fine 200K Baht)
      • Section 12 (2): System or data damage (Sec. 9/10) that damages national security, public safety, economic stability, critical infrastructure (jail 3-15 years; if death: 10-20 years; fine 300K Baht)
    10. Computer-Related Crime Act B.E. 2550 (2007) – A Road Map
      • Part 1 Computer-Related Offences (summary)
      • Section 13: Selling or disseminating malicious code (Sections 5-11) (jail 1 year, fine 20K Baht)
      • Section 14 (1): Inserts fake or false data that can damage another person or the public (jail 5 years, fine 100K Baht)
      • Section 14 (2): Inserts fake or false data that could undermine national security or public safety (jail 5 years, fine 100K Baht)
      • Section 14 (3): Inserts fake or false data that violates national security or anti-terrorism laws (jail 5 years, fine 100K Baht)
    11. Computer-Related Crime Act B.E. 2550 (2007) – A Road Map
      • Part 1 Computer-Related Offences (summary)
      • Section 14 (4): Inputs pornographic data into publicly accessible systems (jail 5 years, fine 100K Baht)
      • Section 14 (5): Forwards or publishes data with full knowledge of subsections 1-4 (jail 5 years, fine 100K Baht)
      • Section 15: Intentional support by service provider to Section 14 crimes (jail 5 years, fine 100K Baht)
      • Section 16: Inputs, to a public computer, altered photos that impair or damage another, cause hate, contempt, humiliation, etc. with malicious intent (jail 3 years, fine 60K Baht)
    12. Computer-Related Crime Act B.E. 2550 (2007) – A Road Map
      • Part 1 Computer-Related Offences (summary)
      • Section 17 (1): Thai citizens outside of the Kingdom subject to extradition and punishment
      • Section 17 (2): Non-Thai citizens outside of the Kingdom subject to extradition and punishment if the injured person is Thai.
    13. Computer-Related Crime Act B.E. 2550 (2007) – A Road Map
      • Part 2 Competent Officials (summary)
      • Summary of Competent Officials' Powers by Section:
        • Section 18 (1): Notify or summon potential violators in writing to give statements, forward explanations, documents, data
        • Section 18 (2): Require computer traffic data from service provider
        • Section 18 (3): Require submission of Section 26 and other stored information
        • Section 18 (4): Copy computer and traffic data from service provider when there is probable cause
        • Section 18 (5): Receive computer and traffic data, or computers, from service provider
    14. Computer-Related Crime Act B.E. 2550 (2007) – A Road Map
      • Part 2 Competent Officials (summary)
      • Summary of Competent Officials' Powers by Section:
        • Section 18 (6): Access and receive computer systems, traffic and computer data
        • Section 18 (7): Decrypt computer data when required
        • Section 18 (8): Seize computer systems from service provider
        • Section 19: Details legal and court procedures for Section 18 (4-8) powers (not the subject of this briefing)
        • Section 20: Power to suspend or block data dissemination
    15. Computer-Related Crime Act B.E. 2550 (2007) – A Road Map
      • Part 2 Competent Officials (summary)
      • Summary of Competent Officials' Powers by Section:
        • Section 21: Power to prevent sale, stop use of, or destroy undesirable computer programs and data
        • Sections 22-24: Specifies various penalties for disclosure of data to third parties by competent officials
        • Section 25: Data seized by illegal means not admissible in court
        • Section 26: Archival specifics for service provider including 90 day requirement. Authority to MICT to further regulate. Specifies fine up to 500,000 Baht (see MICT document)
        • Section 27: Specifies failure-to-comply penalties for Sections 18, 20, 21 as up to 200,000 Baht plus 5,000 Baht per day
    16. Computer-Related Crime Act B.E. 2550 (2007) – A Road Map
      • Part 2 Competent Officials (summary)
      • Summary of Competent Officials' Powers by Section:
        • Section 28: Specifies MICT shall appoint officials who have computer expertise, as determined by MICT
        • Section 29: Specifies that competent officials are deemed to be a senior administrative or police officer with relevant authority to receive complaints, investigate, and interrogate. Power to coordinate arrest, confinement, search, and seizure with appropriate investigative officials. Specifies the Prime Minister with a Minister will control and supervise the Royal Thai Police regarding criminal procedures
        • Section 30: Specifies that the competent official must present an official ID card in the course of their actions
    17. Our Agenda
      • Introduction
        • English Versions of the CCA and MICT Notification
        • Example of CCA Laws in Other Countries
      • Summary Road Map of the CCA
      • Summary Road Map of the MICT Notification
      • Discussion
    18. Computer Crime Act B.E. 2550 (2007) – A Road Map – MICT Notification
      • Expands on CCA Section 26 and carries with it the same force of law as the CCA
      • 10 Total Sections + Annex “A” and Annex “B”
      • MICT Notification Roadmap Summary by Section(s):
        • Sections 1-10: Name, Date, general definitions, data archiving requirements
        • Annex A: Service and content provider types and examples of each
        • Annex B: Data and log types and examples of each
    19. Computer-Crime Act B.E. 2550 (2007) – A Road Map to the MICT Notification
      • Criteria for Service Provider, Archiving Computer Traffic
      • Summary by Section:
        • Sections 1-4: Name, Date, Authority, Definitions
        • Section 5: Further defines service provider and content provider per Annex A examples, authorized by CCA Section 26
        • Section 6: Specifies Annex B for examples of data archiving requirements
        • Section 7: Specifies Annex B Section 5(1) (a-d) and 5(2) service provider responsibilities
        • Section 8: Discusses data integrity, confidentiality, availability, authentication and identity responsibilities
    20. Computer-Crime Act B.E. 2550 (2007) – A Road Map to the MICT Notification
      • Criteria for Service Provider, Archiving Computer Traffic
      • Summary by Section:
        • Section 9: Specifies time synchronization of network services
        • Section 10: Specifies archival periods and effective date. Specifies Annex B for examples of when CCA archiving requirements are effective:
          1. Section 5(1)(a): 30 days (Passed Sep. 2007)
          2. Section 5(1)(b): 180 days (Passed Feb. 2008)
          3. Everyone else: 1 year (Coming Aug. 24, 2008)
    21. Our Agenda
      • Introduction
        • English Versions of the CCA and MICT Notification
        • Example of CCA Laws in Other Countries
      • Summary Road Map of the CCA
      • Summary Road Map of the MICT Notification
        • Annex A
        • Annex B
      • Discussion
    22. Annex A Annex Notification of the Ministry of Information and Communication Technology Re: Criteria concerning Archiving of Computer Traffic Data of Service Provider B.E. 2550
      • 1. Service Provider who, either in his own name or in the name of or for the benefit of other persons, provides other persons with access to the internet or the ability to communicate by other means through a computer system under 5(1), falls into 4 types as below
    23. Annex A Annex Notification of the Ministry of Information and Communication Technology Re: Criteria concerning Archiving of Computer Traffic Data of Service Provider B.E. 2550
      • Type a. Telecommunication and Broadcast Carrier. Examples of type:
        1. Fixed line Service Provider
        2. Mobile Service Provider
        3. Leased Circuit Service Provider, including Fiber optic, ADSL (Asymmetric Digital Subscriber Line), Frame Relay Provider, ATM (Asynchronous Transfer Mode); excluding Physical media provider or Cable (Dark Fiber provider that does not carry Internet or IP traffic)
        4. Satellite Services Provider.
    24. Annex A Annex Notification of the Ministry of Information and Communication Technology Re: Criteria concerning Archiving of Computer Traffic Data of Service Provider B.E. 2550
      • Type b. Access Service Provider. Examples of type:
        1. Internet Service Provider, both wired or wireless
        2. Operators who provide Internet access in office/room, rental room, hotel or restaurant
        3. Computer network access Service Provider for organizations such as governmental department, company or academic institution.
    25. Annex A Annex Notification of the Ministry of Information and Communication Technology Re: Criteria concerning Archiving of Computer Traffic Data of Service Provider B.E. 2550
      • Type c. Hosting Service Provider. Examples of type:
        1. Web hosting or rental web hosting
        2. File Server or file share
        3. Mail Server service provider
        4. Internet Data Center.
    26. Annex A Annex Notification of the Ministry of Information and Communication Technology Re: Criteria concerning Archiving of Computer Traffic Data of Service Provider B.E. 2550
      • Type d. Internet Café. Examples of type:
        1. Internet Café
        2. Online game.
    27. Annex A Annex Notification of the Ministry of Information and Communication Technology Re: Criteria concerning Archiving of Computer Traffic Data of Service Provider B.E. 2550
      • Type: Content and Application Service Provider
      • 2. Content Service Provider for the benefit of the third party under 5(2) is:
        • Web board or Blog.
        • Internet banking or Electronic payment service provider.
        • Web Services.
        • E-Commerce or E-Transaction.
    28. Annex B 5(1) Archival Requirements
      • Traffic Type A: Data that could be identifiable and traceable to the source of origin, source address, destination address and route traversal of computer system communication.
      • List of Data (Fixed Network Telephony and Mobile Telephony):
        - Telephone number or circuit ID, including optional services such as line transfer services and the transferred number, including the telephone number which is called from the transferred line.
        - Name, Address of subscriber or registered User
        - Date and time of the initial activation of the service and the location label (Cell ID)
    29. Annex B 5(1) Archival Requirements
      • Traffic Type B: Data that can specify the date, time and usage time of computer system communication.
      • List of Data: Fixed Network Telephony and Mobile Telephony, the date and time of the start and end of the communication.
      • Traffic Type C: Data which can specify the location of the use of a mobile phone or mobile communication equipment.
      • List of Data:
        1. Original Cell ID of the communication.
        2. Mobile phone physical location that connected to the Cell ID during communication.
        3. To provide a caller tracking system.
    30. Annex B 5(1)(B & C) Logging Requirements
      • Traffic Type A: Internet logging. List of Data:
        1) Access logs specific to Authentication and Authorization servers such as TACACS (Terminal Access Controller Access Control System) or RADIUS (Remote Authentication Dial-in User Service) or DIAMETER (used to control access to IP routers or Network Access Servers)
        2) Date and Time of the connection of client to Server
        3) User ID
        4) Assigned IP Address
        5) Calling Line Identification.
    31. Annex B 5(1)(B & C) Logging Requirements
      • Traffic Type B: E-mail. List of Data:
        1) Simple Mail Transfer Protocol (SMTP) log: Message ID, Sender E-mail Address, Receiver E-mail Address, Status Indicator.
        2) IP Address of Client Connected to Server
    32. Annex B 5(1)(B & C) Logging Requirements
      • Traffic Type B: E-mail (continued):
        3) Date and Time of Connection of the Client Connected to Server.
        4) IP Address of Sending Computer
        5) User ID
        6) POP3 (Post Office Protocol version 3) log or IMAP4 (Internet Message Access Protocol version 4) log
    33. Annex B 5(1)(B & C) Logging Requirements
      • Traffic Type C: FTP log. List of Data:
        1) Access log
        2) Date and Time of Connection of Client
        3) IP source Address
        4) User ID
        5) Path and Filename of Data Object Uploaded or Downloaded.
    34. Annex B 5(1)(B & C) Logging Requirements
      • Traffic Type D: Web Traffic log. List of Data:
        1) Access log
        2) Date and time of connection of client
        3) Source IP Address
        4) Instruction.
        5) URI (Uniform Resource Identifier)
    35. Annex B 5(1)(B & C) Logging Requirements
      • Traffic Type E: Usenet. List of Data:
        1) NNTP (Network News Transfer Protocol) log
        2) Date and time of Connection of Clients to Server
        3) Protocol Process ID
        4) Host Name
        5) Posted Message ID
      • Traffic Type F: Internet Relay Chat (IRC) or Instant Messaging (IM). List of Data: Date and Time of Connection of Client to Server, and Hostname and IP address.
    36. Annex B 5(1)(D) Logging Requirements
      • Traffic Type: Internet Cafe
      • 3. Prepare computer logging with regard to 5(1)(d); the following must be kept:
        • User must be identified.
        • Usage time
        • IP Address.
    37. Annex B 5(3) Logging Requirements
      • Traffic Type: Content Service Provider
      • 4. Prepare computer logging with regard to 5(2); the following must be kept:
        • Log in Time
        • Seller User ID and Buyer User ID and E-mail
        • If the provider is a Web Blog or Web Board, the posted message must be kept.
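    The Annex B lists above are a per-traffic-type field inventory, and the MICT Notification (Section 10) attaches retention periods to each provider class. The following Python is an added example, not from the presentation or from ACIS, of how a service provider might audit its own logs against those lists: it normalises two constructed log lines (a web access log in Common Log Format for Annex B type D, and a key=value SMTP relay line for type B), reports which Annex B fields are absent, and computes when the Section 10 retention window for the provider's class expires. The field keys, the log line formats and the class labels are this example's own assumptions, not the notification's wording.

```python
import re
from datetime import datetime, timedelta

# Annex B 5(1)(B & C) fields per traffic type, keyed with this example's own
# normalised names (assumption: these map one-to-one onto the slide lists).
REQUIRED = {
    "web":  {"timestamp", "src_ip", "instruction", "uri"},                    # type D
    "smtp": {"timestamp", "client_ip", "message_id", "sender", "receiver", "status"},  # type B
}

# Retention periods as summarised from Notification Section 10 (slide 20), in days.
RETENTION_DAYS = {"5(1)(a)": 30, "5(1)(b)": 180, "other": 365}

# Common Log Format: client ip, identd, user, [timestamp], "METHOD URI PROTO", status, bytes
CLF_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<instruction>[A-Z]+) (?P<uri>\S+) [^"]*" \d{3} \S+')
# Constructed SMTP relay line format; msgid is optional so its absence can be detected.
SMTP_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<client_ip>\S+)(?: msgid=(?P<message_id>\S+))? '
    r'from=<(?P<sender>[^>]*)> to=<(?P<receiver>[^>]*)> status=(?P<status>\S+)')


def parse_web(line):
    """Normalise one CLF line into Annex B type D fields, or None if unparseable."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")  # tz-aware, per Section 9 time sync
    return {"timestamp": ts, "src_ip": m["src_ip"],
            "instruction": m["instruction"], "uri": m["uri"]}


def parse_smtp(line):
    """Normalise one SMTP relay line into Annex B type B fields, dropping absent ones."""
    m = SMTP_RE.match(line)
    if not m:
        return None
    rec = {"timestamp": datetime.fromisoformat(m["ts"]), **m.groupdict()}
    del rec["ts"]
    return {k: v for k, v in rec.items() if v is not None}


def missing_fields(kind, record):
    """Annex B fields the record lacks for the given traffic type (sorted, may be empty)."""
    return sorted(REQUIRED[kind] - set(record))


def retention_expiry(record, provider_class):
    """Earliest date the record may be purged under Section 10 for the provider class."""
    return record["timestamp"] + timedelta(days=RETENTION_DAYS[provider_class])


def audit(kind, line, provider_class):
    """Return (missing_fields, expiry_iso) for one log line, or None if it cannot be parsed."""
    rec = parse_web(line) if kind == "web" else parse_smtp(line)
    if rec is None:
        return None
    return missing_fields(kind, rec), retention_expiry(rec, provider_class).isoformat()
```

A record that comes back with a non-empty missing list is one the provider could not produce to a competent official under Section 18 in the form Annex B describes.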
    38. CCA Solutions and Services
      • Many CCA solutions are becoming available:
        • Gap analysis and security architecture assessment
        • Managed CCA services (outsource)
        • Technology solutions (hardware and software)
        • Compliance certification
      • AMCHAM member companies provide some or all of the above services
      • The bottom line: AMCHAM members can help!
    39. AMCHAM Discussion and Issues
      • English language translations of CCA and MICT Notifications not “official”
      • How can we coordinate closer between MICT and AMCHAM?
      • How do we better educate the AMCHAM community?
      • What is the best way to provide feedback to MICT for clarifications and concerns of AMCHAM members?
    40. Computer Crime Act B.E. 2550 (2007) & Ministry of ICT Notification. A Presentation to the AMCHAM ICT Committee & Internet Service Providers. Revision 1.1. Tim Bass CISSP, (ISC)2, Executive Vice President, ACIS Professional Center Co., Ltd. Email: [email_address] Mobile: +6683-297-5101

    Uploaded by TimBassACIS, 2 years ago

    custom

    964 views, 1 favs, 0 embeds more stats

    Computer Crime Act B.E. 2550 (2007) & Ministry of I more

    More info about this document

    © All Rights Reserved

    Go to text version

    • Total Views 964
      • 964 on SlideShare
      • 0 from embeds
    • Comments 0
    • Favorites 1
    • Downloads 0
    Most viewed embeds

    more

    All embeds

    less

    Flagged as inappropriate Flag as inappropriate
    Flag as inappropriate

    Select your reason for flagging this presentation as inappropriate. If needed, use the feedback form to let us know more details.

    Cancel
    File a copyright complaint
    Having problems? Go to our helpdesk?

    Categories