On 4 June 2020, media reported the mysterious abduction and potential assassination of Wanchalerm Satsaksit, a Thai dissident exiled in Phnom Penh. Wanchalerm was a prominent critic of the Thai military and is the latest in a series of Thai activists who have disappeared abroad, often in violent circumstances. Among the charges he fled was an alleged violation of the Computer Crimes Act for posting “distorted” online content about the military government. He was reported to have also been charged with lese-majeste, but authorities have denied this.
The military-led government is generally envisioned as the perpetrator behind acts of online surveillance and censorship in Thailand. However, proprietary internet service providers (ISPs) can play an intermediary role in the suppression of freedom of speech. In the past, ISPs have relinquished identifying data to law-enforcement authorities, broaches of privacy that can lead directly to the persecution of dissidents.
Surveillance and censorship: the legal landscape
In Thailand, various laws oblige ISPs to relinquish users’ data to the authorities during the course of criminal investigations. Article 112 of the Criminal Code (the lese-majeste law) is infamously Thailand’s harshest censorship law. Over the past two decades, individuals found to have “defamed, insulted or threatened the King, the Queen, the Heir-apparent or the Regent” have been sentenced to up to 60 years in prison. Since the coronation of Rama X however, officials have shifted away from using the lese-majeste law to charge critics of the monarchy, exhibiting a preference instead for computer-related laws.
The 2017 Amended Computer Crimes Act (CCA) is now arguably the authorities’ repressive tool of choice when it comes to online dissidence. The CCA threatens prison sentences of up to five years for users who use digital devices to upload “false information” or information “contrary to peace and order.” Its provisions allow law-enforcement authorities almost unfettered access to metadata stored by ISPs and other internet intermediates (metadata refers to data that may give insights into the identities of end-users. Examples of metadata include the subject line of emails, the length of a mobile call, or a user’s location when communicating and who they communicated with.) Section 26 further mandates that ISPs collect and/or retain metadata for 90 days to 1 year in order to be eligible for operating licenses issued by the government. Section 18 allows law-enforcement authorities to access this stored data, including via the seizure of users’ computer systems that sometimes involves breaking encryption.
In the past, law-enforcement authorities usually charged dissidents who criticised the monarchy with lèse-majesté alongside the CCA. In March 2011 for example, Thantawut Thaweewarodomkul (also known as Noom Rednon), a web designer for a pro-Red-Shirt webpage, was found guilty and sentenced to 13 years in prison (10 for lese-majeste and 3 for violating the CCA) in relation to comments posted to the website. According to the news-site Prachatai, Triple T Broadband, a Thai ISP, revealed an IP address belonging to Thantawut that was connected to the website.
The same year, Anthony Chai, a Thai-born American citizen operating a computer store in California, filed a lawsuit against Netfirms accusing the Canadian ISP of breaking US law by sharing two email addresses associated with his IP address with Thai officers without his knowledge. According to the lawsuit against Netfirms, users in Chai’s shop posted anonymous online comments critical of lese-majeste in 2005. When Chai arrived at a Bangkok airport in May 2006, Department of Special Investigation officers pulled him aside for interrogation, confiscated his computer and detained him, before releasing him under the threat of a potential re-arrest if he returned to Thailand. Chai’s case shows how even international ISP companies have chosen to share the data of alleged dissidents with law-enforcement officials.
Other oppressive cyber-related laws such as the 2019 Cybersecurity Act and the 2019 Personal Data Protection Act (PADA) further authorise sweeping powers for law-enforcement authorities to snoop on any user on the mere grounds that they are a ‘suspect.’ This can involve seizing users’ computers for up to 30 days and making copies of their computer systems without a court warrant. PADA additionally permits the government to harness data from journalists (including that relating to anonymous sources) and dissidents without court warrants. Authorities also rely on executive directives (such as “junta head orders”) and subordinate legislation to oblige ISPs to handover data, as seen in the aftermath of the May 2014 coup when the military ordered all ISPs to monitor and censor content critical of the military.
On top of building this punitive legal framework, Thai authorities have purchased surveillance tools (such as its “lawful interception” system) to expand their capacity to monitor digital communications and internet traffic for criticism. Reports from digital rights research centres and watchdogs have found that the authorities employ a variety of surveillance hardware and software (which are not limited to the following list.) Since 2010, the government has essentially coerced ISPs into installing “sniffer tools” which enable them to collect, log, and analyse network traffic. Some ISPs also employ PacketShaper, a network traffic shaping tool that is used to monitor encrypted traffic, censor websites and store internet traffic. ISPs are compelled to install such censorship infrastructure by Section 15 of the CCA, which holds them under intermediary liability. ISPs, websites and social media platforms can be subject to “the same punishment as the criminal” for any unlawful information, data and content shared by end-users using their services.
A final cause for further investigations into the complicity of ISPs in the suppression of freedom of speech are their cozy ties, both personal and business, with the Thai government. Such connections are particularly thick when it comes to True Corporation, owned by the major conglomerate Charoen Pokphand (CP). The family behind CP, for example, has close links to government officials through marriage. True has also benefitted from lucrative government contracts and monopolies. In 2016, True Group announced it would provide the WiFi infrastructure for all police stations nation-wide. True’s victory in auctions for 4G and 5G licenses in 2015 and 2020 respectively have made it the most powerful tech conglomerate in the country.
Ways forward for dissident internet users
The news of disappeared political exiles has drawn the public’s attention to lese-majeste. After the news of Wanchalerm’s disappearance broke, the Twitter hashtag #Saveวันเฉลิม (#SaveWanchalearm) was trending with more than 530,000 retweets, followed by the hashtag #ยกเลิก112 (#Abolish112) with more than 605,700 retweets. A few years ago, this mass online dissent would have been unthinkable. The rise of online political resistance, while a potentially powerful force for change, raises the stakes of issues of privacy and digital rights.
When I interviewed Wanchalerm, he was aware of the asymmetrical power between the Thai state and ISPs, and believed the relationship had led to the exposure of other dissidents. According to Wanchalerm, “As far as I know [from a source inside of the government], law-enforcement officers discovered many people’s IPs around 1 or 2 days following the Emergency Decree announcement, because on 25 May , the NCPO summoned 128 Thai ISP operators. Then, they started arresting around 100 citizens who posted content on Facebook. They were arrested by the TCSD [Technology Crime Suppression Division of the Royal Thai Police] at home without warrants.”
Wanchalerm believed the arrests were partially facilitated by ISPs, including True, relinquishing personal data to TCSD officials: “True revealed information like IP addresses which should have been hidden by VPNs [Virtual Private Networks]. Authorities found out users’ IP addresses from True WiFi modems. Although the VPN masks the IP address, it doesn’t conceal the serial numbers on a modem. So identities can be traced through the WiFi of a user’s residence.”
Wanchalerm did not reveal which ISP he himself was using and it is difficult to corroborate his belief that True shared dissidents’ metadata with law enforcement. I include his statements only to show that dissidents are aware of the regimes of censorship and surveillance that they face, a factor shaping how and if they express politically. What we know is that the Amended Computer Crimes Act obliges internet intermediaries to store user data and that all Thailand-based ISPs are obliged to share the metadata of their clients—activists, journalists, academics, human rights defenders, and so on—with officials. In the case of Wanchalerm, that possibility was among the factors which motivated him to flee Thailand.
The collection of facial recognition data to identify separatist insurgents in the deep south will only feed distrust towards the Thai state.
First, users should utilise encryption and alternatives (such as Signal and Jitsi) during mobilisation, organisation and protests. Rather than simply omitting locations when posting Facebook statuses or using an avatar or pen name, other privacy measures can be more effective: using non-commercial VPNs, adding another layer of security with Two-Factor-Authentication (2FA), decompartmentalising online accounts by separating email addresses, among others. Second, users should only turn to commercial platforms when publicising campaigns. To avoid being disrupted by repressive state apparatuses, they should use open source alternatives when privately organising protests. Finally, pro-democracy civil society organisations should support a long-term campaign to raise awareness of issues of digital privacy, cybersecurity as well as reform of the punitive legal apparatus that compels ISPs to participate in state repression.