Case Study 1 from the Internet Policy and Advocacy: Research Methods Workshop for South and Southeast Asia Actors
10 April 2017 at National Law University Delhi
Arthit Suriyawongkul, Thai Netizen Network
#AsiaInternetPolicy
Mapping Stakeholders, Decision-makers, and Implementers in Thailand’s Cyber Policy
1. MAPPING STAKEHOLDERS, DECISION-MAKERS, AND IMPLEMENTERS IN THAILAND’S CYBER POLICY
Internet Policy and Advocacy: Research Methods Workshop for South and Southeast Asia Actors
10 April 2017 @ National Law University, Delhi
#AsiaInternetPolicy
Arthit Suriyawongkul (@bact), Thai Netizen Network
2. OUTLINE
➤ Visualizing power relations of actors (data from Bills)
➤ Case: Personal Data Protection Committee
➤ Case: NRSA’s Cybersecurity Proposal
➤ Case: New digital regulation structures (Digital Economy Agenda)
➤ Case: Online media regulation after the 2014 Coup
➤ Case: Computer-related Crime Act Amendment / Campaign
3. DRAWING POWER RELATIONS
➤ Looking for relationships between entities in the document, conversations, etc.
➤ Actor1 —Action—> Actor2 (Noun1 —Verb—> Noun2)
➤ A Director shall be appointed by the Board
➤ This can also be drawn with tools like Gephi and NodeXL
[Diagram: Noun1 —Verb—> Noun2; Board —appoints—> Director]
6. PERSONAL DATA PROTECTION BILL (DEFINITION — SEC.5, 6)
➤ Section 5 — In this Act, […]
➤ “Committee” means the Personal Data Protection Committee;
➤ “Office” means the National Cybersecurity Agency;
➤ “Secretary-General” means the Secretary-General of the National
Cybersecurity Agency;
➤ “Minister” means the minister having the charge and control of
the execution of this Act.
➤ Section 6 — The Minister of Digital Economy and Society shall
have the charge and control of the execution of this Act.
8. PERSONAL DATA PROTECTION BILL (COMMITTEE — SEC.7)
➤ Section 7 — There shall be a committee called “Personal Data
Protection Committee”, consisting of:
➤ (1) a Chairperson appointed by the Cabinet from the persons having
distinguished knowledge, skills, and experience in the field of
personal data protection, or information and communication
technology, or any other field that is relevant and useful for the
protection of personal data;
➤ (2) 4 ex officio members consisting of the Permanent Secretary of the Office
of the Prime Minister, the Permanent Secretary of the Ministry of Digital
Economy and Society, the Permanent Secretary of the Ministry of Interior, and
the Secretary-General of the National Security Council;
➤ (3) not more than 4 qualified members, appointed by the Cabinet
[…]
10. PERSONAL DATA PROTECTION BILL (COMMITTEE — SEC.7 CONT.)
➤ The Secretary-General shall ex officio be member and secretary and
shall have the power to appoint assistant secretary as deemed
necessary.
➤ The rules and procedures on the selection of persons to be
appointed as Chairman and qualified members, including the
selection of persons to replace the qualified members who
vacate office before the expiration of the term under section
10, shall be as prescribed by the Rules issued by the Minister.
➤ The Office shall perform the duties as the secretariat office for the
Committee established under this Act […]
12. PERSONAL DATA PROTECTION BILL (CHAIRPERSON — SEC.10)
➤ Section 10 — In addition to vacating office upon the
expiration of the term under section 9, the Chairperson or a
member vacates office upon:
➤ (1) death;
➤ (2) resignation;
➤ (3) being dismissed by the Cabinet due to negligence in the
performance of duty, disgraceful behavior, or incapability;
➤ (4) being disqualified or under any of the prohibitions under
section 8.
15. CYBERSECURITY (DEFINITION — SEC.3, 4)
➤ Section 3 — In this Act:
➤ “Secretary-General” means Secretary-General of the National
Cybersecurity Agency.
➤ “Office” means the National Cybersecurity Agency.
➤ Section 4 — The Prime Minister shall have charge and control
of the execution of this Act.
16. [Diagram: power relations under the Cybersecurity Bill and the Personal Data Protection Bill. Nodes: Cabinet; Prime Minister; Minister of Digital Economy & Society (Digital Min); National Cybersecurity Agency; Secretary-General; Personal Data Protection Committee; Chair. Edge labels: In charge of; Establish; Appoint; Terminate; Secretariat Office; Secretary; Ex officio member.]
17. CYBERSECURITY (COMMITTEE — SEC.6)
➤ Section 6 — There shall be a committee called the “National
Cybersecurity Committee” (NCSC) consisting of:
➤ (1) Minister of Digital Economy and Society as Chairperson;
➤ (2) Secretary-General of the National Security Council, Permanent Secretary
of the Ministry of Digital Economy and Society, Permanent Secretary of the
Ministry of Defense, Commander of the Technological Crime Suppression
Division of the Royal Thai Police as 4 ex officio members;
➤ (3) Not more than 7 qualified members appointed by the Cabinet […];
➤ The Secretary-General shall ex officio be member and secretary, and
assistant secretary shall be appointed as deemed necessary.
➤ The selection of the qualified members in paragraph 1 shall comply
with the Procedures specified by the Cabinet […]
18. [Diagram: power relations under the Cybersecurity Bill and the Personal Data Protection Bill, with the National Cybersecurity Committee added. Nodes: Cabinet; Prime Minister; Minister of Digital Economy & Society (Digital Min); National Cybersecurity Agency; Secretary-General; National Cybersecurity Committee; Personal Data Protection Committee; Chair (of each committee). Edge labels: In charge of; Establish; Appoint; Terminate; Secretariat Office; Secretary; Ex officio member.]
19. CYBERSECURITY (SECRETARY-GENERAL — SEC.21)
➤ Section 21 — There shall be a Secretary-General who is directly
reported to the Chairperson of the NCSC as regards the operation
of the Office and supervises the Officials and employees of the
Office.
➤ As regards activities dealing with third parties, the Secretary-
General shall represent the Office. […]
➤ The Committee shall have the power to nominate, appoint and
remove the Secretary-General.
20. [Diagram: power relations under the Cybersecurity Bill and the Personal Data Protection Bill. Nodes: Cabinet; Prime Minister; Minister of Digital Economy & Society (Digital Min); National Cybersecurity Agency; Secretary-General; National Cybersecurity Committee; Personal Data Protection Committee; Chair (of each committee). Edge labels: In charge of; Establish; Appoint; Terminate; Nominate; Reported to; Secretariat Office; Secretary; Ex officio member.]
21. [Diagram: power relations under the Cybersecurity Bill and the Personal Data Protection Bill. Nodes: Cabinet; Prime Minister; Minister of Digital Economy & Society (Digital Min); National Cybersecurity Agency; Secretary-General; National Cybersecurity Committee; Personal Data Protection Committee; Chair (of each committee). Edge labels: In charge of; Establish; Appoint; Terminate; Nominate; Reported to; Under; Secretariat Office; Secretary; Ex officio member.]
32. [Diagram: power relations under the Cybersecurity Bill and the Personal Data Protection Bill. Nodes: Cabinet; Prime Minister; Minister of Digital Economy & Society (Digital Min); National Cybersecurity Agency; Secretary-General; National Cybersecurity Committee; Personal Data Protection Committee; Chair (of each committee). Edge labels: In charge of; Establish; Appoint; Terminate; Nominate; Reported to; Under; Secretariat Office; Secretary; Ex officio member. Annotation: Tightly knitted, concentrated.]
33. NOT-SO-INDEPENDENT DATA PROTECTION COMMITTEE
➤ The network of powers leans toward the left (cybersecurity) side
➤ What if the parties in conflict include a member of the Cabinet (or the Government in general)?
➤ the Cabinet can terminate the term of the Data Protection Committee’s Chairperson; the whole Committee is under the Digital Ministry structure
➤ What if the Cybersecurity Committee has a different opinion from the Data Protection Committee? Will Cybersecurity Agency staff who are assigned to work for the Data Protection Committee still support the matter?
➤ the staff have to report to the Secretary-General, who in turn reports directly to the Cybersecurity Committee Chairperson; and the Data Protection Committee depends on resources from the Cybersecurity Agency
➤ Sometimes the two Committees’ mandates can conflict
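The relation-triple method from slide 3, applied to the bill sections quoted on the earlier slides, as an added example that is not part of the original slides. It writes a Gephi-importable edge table and walks the graph backwards to list every actor with a chain of influence into each committee. The short node labels (PDPC, NCSA, "PDP Act") and the choice to treat "reports to" as influence running in the reverse direction are assumptions of this example.

```python
import csv
import io
from collections import defaultdict, deque

# (actor1, verb, actor2, provision), transcribed from the sections quoted on
# this page. Node labels such as PDPC and NCSA are shorthand for this example.
EDGES = [
    ("Cabinet", "appoints chair of", "PDPC", "PDP Bill s.7(1)"),
    ("Cabinet", "dismisses chair of", "PDPC", "PDP Bill s.10(3)"),
    ("NCSA", "secretariat of", "PDPC", "PDP Bill s.7"),
    ("Secretary-General", "member and secretary of", "PDPC", "PDP Bill s.7"),
    ("Minister of DES", "in charge of", "PDP Act", "PDP Bill s.6"),
    ("Prime Minister", "in charge of", "Cybersecurity Act", "Cybersecurity Bill s.4"),
    ("Minister of DES", "chairs", "NCSC", "Cybersecurity Bill s.6(1)"),
    ("Cabinet", "appoints qualified members of", "NCSC", "Cybersecurity Bill s.6(3)"),
    ("Secretary-General", "member and secretary of", "NCSC", "Cybersecurity Bill s.6"),
    ("Secretary-General", "supervises", "NCSA", "Cybersecurity Bill s.21"),
    # s.21 says "reports to the Chairperson of the NCSC"; s.6(1) names the Minister.
    ("Secretary-General", "reports to", "Minister of DES", "Cybersecurity Bill s.21, s.6(1)"),
    ("NCSC", "appoints and removes", "Secretary-General", "Cybersecurity Bill s.21"),
]

# Assumption: for these verbs, influence runs from actor2 back to actor1.
REVERSED_VERBS = {"reports to"}


def to_gephi_csv(edges=EDGES):
    """Edge table in the Source/Target/Type/Label layout that Gephi imports."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Source", "Target", "Type", "Label"])
    for src, verb, dst, provision in edges:
        writer.writerow([src, dst, "Directed", f"{verb} ({provision})"])
    return buf.getvalue()


def upstream(target, edges=EDGES):
    """Actors with a chain of influence into `target`, mapped to hop distance."""
    influencers = defaultdict(set)
    for src, verb, dst, _ in edges:
        if verb in REVERSED_VERBS:
            src, dst = dst, src
        influencers[dst].add(src)
    distance = {target: 0}
    queue = deque([target])
    while queue:  # breadth-first walk against the direction of influence
        node = queue.popleft()
        for actor in sorted(influencers[node]):
            if actor not in distance:
                distance[actor] = distance[node] + 1
                queue.append(actor)
    del distance[target]
    return distance


if __name__ == "__main__":
    print(to_gephi_csv())
    print("Upstream of PDPC:", upstream("PDPC"))
    print("Upstream of NCSC:", upstream("NCSC"))
```

The National Cybersecurity Committee appears upstream of the Personal Data Protection Committee, while the reverse is not true, which is the asymmetry the slide above describes.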
35. [Diagram, labelled "Council of State rev. Sep 2015": power relations under the Cybersecurity Bill and the Personal Data Protection Bill. Nodes: Cabinet; Prime Minister; Minister of Digital Economy & Society (Digital Min); National Cybersecurity Agency; Secretary-General; National Cybersecurity Committee; Personal Data Protection Committee; Chair (of each committee). Edge labels: In charge of; Establish; Appoint; Terminate; Nominate; Reported to; Under; Secretariat Office; Secretary; Ex officio member.]
Ref: Personal Data Protection Bill (reviewed by the Council of State - Sep 2015) / Cybersecurity Bill (approved in principle by Cabinet - Jan 2015) / National Reform Steering Agency
36. [Diagram, labelled "NRSA Proposal Nov 2016": power relations under the Cybersecurity Bill and the Personal Data Protection Bill. Nodes: Cabinet; Prime Minister; Minister of Digital Economy & Society (Digital Min); Ministry of Defense (Defense Min); National Cybersecurity Agency; Secretary-General; National Cybersecurity Committee; Personal Data Protection Committee; Chair (of each committee); Vice Chair. Edge labels: In charge of; Establish; Appoint; Terminate; Nominate; Reported to; Under; Secretariat Office; Secretary; Ex officio member.]
Ref: Personal Data Protection Bill (reviewed by the Council of State - Sep 2015) / Cybersecurity Bill (approved in principle by Cabinet - Jan 2015) / National Reform Steering Agency
37. LESS POWER FOR THE DATA PROTECTION COMMITTEE
➤ Relative to the National Cybersecurity Committee
➤ Getting worse than the original bills
➤ If the NCSC is chaired by the Prime Minister
➤ If the Ministry of Defense is also one of the two vice chairs
➤ Militarized-Cybersecurity Mechanism vs Resourceless Data Protection Committee
➤ Looks like the data protection mechanism is structurally designed to fail
39. DIGITAL BILLS (2014-)
1. Ministry of Digital for Economy and Society Bill+
2. National Digital Committee for Economy and Society Bill*+
3. Digital Economy Promotion Bill*+
4. Digital Development for Economy and Society Fund Bill*+
5. Broadcasting and Telecommunication Regulator Bill (amendment)+
6. Computer-related Crime Bill (amendment)+
7. Cybersecurity Bill
8. Personal Data Protection Bill
9. Electronic Transaction Bill (amendment)
10. Electronic Transaction Development Agency Bill (amendment)
(+ = passed, * = merged together)
40. NEW STRUCTURES OF DIGITAL DEPARTMENTS
Showing new bodies to be created by proposed bills and changing relationships between Ministry of Digital
Economy and Society (MDES, formerly Ministry of ICT), National Digital Economy and Society
Committee (NDESC, new), and the National Broadcasting and Telecommunications Commission (NBTC).
[Diagram: MDES; NDESC; NBTC; Digital Development Fund]
42. MICT Order No. 163/2014: Appointment of Working Group for Online Media Monitoring System Testing
➤ to test SSL encrypted online media monitoring system
➤ to coordinate with international internet gateways
43.
➤ NCPO Annc. 12/2014: Social media provider to stop anti-NCPO content
➤ NCPO Annc. 14/2014: Prohibits media to interview civil servants, indi bodies, academics
➤ NCPO Annc. 17/2014: ISP to monitor and censor content that may cause unrest
➤ NCPO Annc. 18/2014: Prohibits 7 types of information on media
➤ NCPO Annc. 26/2014: Setting up Online Social Media Monitoring Working Group, to monitor/block online content
➤ NCPO Annc. 22/2014 (amended with 34/2014): MICT is under NCPO Security Cluster
➤ NCPO Annc. 80/2014 (amend Broadcasting and Telecom Commission Act): Add Defense Min. Perma. Sec. to committee of R&D Fund, reduce number of expert committee members from 5 to 2 (w/o specifying areas of expertise)
➤ NCPO Annc. 97/2014 (amended with Annc. 103/2014): Prohibits 7 types of information: False info that may incite monarchy, national security, official secret, confusing news, criticism of NCPO, etc.
➤ NCPO Annc. 23/2014: Conditions to air analog TV/radio
➤ NCPO Annc. 27/2014: Conditions to air digital/cable/satellite TV
➤ NCPO Annc. 79/2014: Conditions to air experimental (community) radio
➤ NCPO Chief Order 41/2016: NBTC can shut media down w/o criminal/civil/admin liability
➤ NCPO Order (Specific) 12/2014: Appoint Information Publicity Monitoring Committee members (5 media types)
➤ Info Publicity Monitoring Committee Order 3/2014: Appoint Online Media Monitoring Working Group
➤ NCPO Annc. 33/2014: Prohibits court, indi bodies, local admin. to express opinions
➤ MICT Order 163/2014: Set up Working Group to test encryption (SSL) circumvention equip., coord. net gateways
➤ Charter Sec.279: All annc./orders of NCPO/NCPO Chief are legal and constitutional under new Constitution. To amend, it must be passed by the National Assembly. (Senate 200; Parliament 500)
➤ Charter Sec.269: First 5 years will have 250 Senate members. All selected by NCPO. (From a list proposed by an NCPO-appointed committee)
➤ CCA Draft (Apr2016) S.20 Para 5: Ministerial reg. for suppression/deletion of data, according to changing tech (encryption)
44. Adapted from a table by POSTgraphics / from Pirongrong Ramasoota. Media tremble at NBTC's Section 44 powers. Bangkok Post. 16 Jul 2016 http://www.bangkokpost.com/opinion/opinion/1037021/media-tremble-at-nbtcs-section-44-powers
Section 37 of the 2008 Broadcasting Act (pre-2014 coup)
• Inciting the abolishment of constitutional monarchy
• Bearing negative consequences for national security, public order, or good morals
• Containing obscene or pornographic content that may risk the mental or physical health of the people
Section 3 (1-7) of NCPO Announcement No. 97/2014 (post-2014 coup)
1. False statements that could defame or incite hatred of the monarchy, the heir-apparent, or any member of the royal family
2. Information deemed detrimental to national security, including those that are defamatory to other people
3. Criticism of the NCPO, its official or related people
4. Confidential information (in all forms) of state agencies
5. Information that could lead to confusion, conflict, or social divisions
6. Incitement of unrest or resistance against the government or the NCPO
7. Threat to harm any person that could lead to panic or fear among the public
45. [Diagram: Office of the Secretary-General of the National Council for Peace and Order. Labels: Peace and Order Division; Public Administration Division; Security Cluster (Ministries of Defence, Interior, Foreign Affairs, ICT); Information Operations / Public Relations; Media Monitoring]
Ministry of Foreign Affairs. One month progress report of NCPO. http://www.mfa.go.th/main/en/media-center/3756/47354-One-month-progress-report-of-NCPO.html
NCPO Annc. 22+34/2014: Ministry of ICT under NCPO Security Cluster
47. COMPUTER-RELATED CRIME BILL (DATA BLOCKING/REMOVAL — SEC.20)
➤ […] When the Court issues a warrant to suppress the
distribution or to remove such data per Paragraph One or
Two, the competent official may suppress the distribution or
remove the computer data themselves or instruct the service
provider to suppress the distribution or remove the computer
data in their behalf. The Minister may determine the procedure,
duration and guidelines for the service provider to suppress the
distribution or remove the computer data, and they shall be made
compatible to each other and in response to the changing
technology, except when the Court makes any exemption. […]
48. Table columns: 2007 Computer-related Crime Act | CCA Amendment Draft (2017 Act) | Rationale
Section 20 | Section 14 to amend Section 20
49. Table columns: 2007 Computer-related Crime Act | CCA Amendment Draft (2017 Act) | Rationale
In order to successfully suppress the dissemination of data that is encrypted by SSL technology, which is designed to increase communication safety on the internet and has public-key encryption, it is necessary to have special methods and tools.
51. The desire to circumvent encryption is shown in a presentation on the amendment of the Computer-related Crime Act by the Ministry of ICT to the National Legislative Assembly.
52.
➤ End-to-end encryption makes it difficult to get meaningful access to data-in-transit.
➤ Hacking Team’s Remote Control System (RCS) can do just that.
➤ Another option is to go to one of the ends, to get access to data-at-rest.
53. CONTENT MONITORING — POINTS OF CONTROL
(online intermediary)
(transmission/device level)
(individual content providers—users)
The deeper the layer at which control is applied, the more collateral damage and the more innocent people are affected.
➤ Content regulation turns into surveillance
➤ Web 2.0: Lots of content creators — govt can’t afford to control at Content level
➤ Intermediary liability introduced — but it only works within jurisdiction
➤ The control is moving towards Network level, interference
54. One who wants data.
One who approves.
One who processes the request.
All-in-One.
55. LIVE BROADCASTING OF THE HEARING
➤ Invitation-only “public hearing” from the National Legislative Assembly
➤ Live commentary from a cafe in downtown Bangkok
➤ “Ministerial Announcement”, legislative power in CCA and separation of powers explained
➤ Using materials and explanations from previous examples