Computer Crimes Act too ambiguous
Sawatree Suksri, a lecturer of the Faculty of Law, Thammasat University, who has studied computer-related law in Germany, talked to Prachatai about the 2007 Computer Crimes Act which she finds too ambiguous in many points, including, for example, national security, which has been subject to arbitrary interpretations by the authorities.
With regard to the recent arrests of four persons accused of spreading rumours that rocked the Thai stock market in mid-October, Sawatree said that the charges did not seem to be based on facts as the authorities should have established that the posts were made before the stock plunge. The law which should have been used first for alleged manipulation of stock prices is the 1992 Securities and Exchange Act, not the computer law. So it seems to her that stock market manipulation is not really the point of the arrests.
Sawatree also wondered why the authorities targeted only internet users and certain websites, instead of the news agency which provided the source article and other news outlets which published the news report. Perhaps the authorities intend to use Section 15 in which Internet Service Providers are held responsible, and then Section 20 to shut down websites, she said.
Section 14. If any person commits any offence of the following acts shall be subject to imprisonment for not more than five years or a fine of not more than one hundred thousand baht or both:
(1) that involves import to a computer system of forged computer data, either in whole or in part, or false computer data, in a manner that is likely to cause damage to a third party or the public;
(2) that involves import to a computer system of false computer data in a manner that is likely to damage national security or cause public panic;
(3) that involves import to a computer system of any computer data related to an offence against the Kingdom's security under the Criminal Code;
(4) that involves import to a computer system of any computer data of a pornographic nature that is publicly accessible;
(5) that involves the dissemination or forwarding of computer data already known to be computer data under (1) (2) (3) or (4);
Unofficial translation of the 2007 Computer Crimes Act by the Campaign for Popular Media Reform (CPMR)
The 2007 Computer Crimes Act is riddled with ambiguous legal terms. The ambiguous terms ‘national security’ and ‘public panic’ in Section 14 (2) are arbitrarily interpreted and easily manipulated to make charges.
The Kingdom's security in Paragraph 3 is clear as it is spelled out in Sections 107-135 of the Criminal Code, which clearly state what actions constitute an offence. Sawatree questioned whether the intent to include security in a separate paragraph was to allow leeway for the authorities.
And what is public panic? The term was too vague. A major principle in writing criminal law is ‘no law, no offence’; there has to be a law which states that a particular act constitutes an offence as well as its penalty. And a criminal law must contain clear-cut clauses, because the people have to know what exactly is prohibited by law, while the state can only do what is allowed by law, she said.
According to Sawatree, the drafters of the law claimed to base the law on the Council of Europe’s Convention on Cybercrime. And it is, in fact, a mix of Italian, Austrian, and South East Asian laws, she said.
In her view, Sections 5-13 are concerned with, in her own term, ‘classic’ or old types of computer crime, such as unauthorized access to information, spying, data interception, sabotage, the spreading of viruses or worms, etc.
Sections 14-17 are about cyber crimes committed through the internet or intranets, which involve more victims and wider damage.
The 2007 Computer Crimes Act focuses on the offence of disseminating information, while excluding other cyber crimes such as unauthorized online gambling and intellectual property piracy such as file sharing, bit torrent, etc.
The offence of spreading false information is already stipulated in Criminal Code Section 384, which is however a petty crime with a penalty of imprisonment up to one month or a fine up to 1,000 baht, while the Computer Crimes Act punishes offenders of the same crime with imprisonment up to 5 years or a fine up to 100,000 baht. Why such a discrepancy, she wondered.
‘This Section 14 (2) should be scrapped, as its ambiguity goes against the principle of the criminal code, and the penalty is far too harsh.’
This section is just one of many problematic clauses in this law.
Section 20. If an offence under this Act is to disseminate computer data that might have an impact on the Kingdom's security as stipulated in Division 2 type 1 or type 1/1 of the Criminal Code, or that might be contradictory to the peace and concord or good morals of the people, the competent official appointed by the Minister may file a petition together with the evidence to a court with jurisdiction to restrain the dissemination of such computer data.
If the court gives an instruction to restrain the dissemination of computer data according to paragraph one, the relevant competent official shall conduct the restraint either by himself or instruct the Service Provider to restrain the dissemination of such computer data.
What is ‘contradictory to the peace and concord or good morals of the people’? What is prohibited should be specified, she said.
In response to Prachatai’s question as to whether the Computer Crimes Act acts as an extension to the lèse majesté law (Section 112 of the Criminal Code), Sawatree referred to a document from a special committee whose members obviously said so.
Section 20 was added during the period of rule under the 2006 coup junta.
Previously, many websites were closed without public knowledge. And the authorities were just vague about what power authorized them to do this, until Announcement 5 of the 2006 coup perpetrators and subsequently Section 20 provided official authority.
Sawatree agreed on having a section to close down websites, but the purpose should be to leave them open, until they fall into certain limited exceptions. However, it turns out that the first step is closure.
In Germany in 2001-2005, there was a case where a few websites involved with Nazi propaganda were closed down. There was a serious debate as to whether the websites should be closed. Now it has been concluded that closure should be the final measure, after others, such as warnings, have been exhausted. But Thai law makers argued about who should have the power to close them, or whether to close websites partly or completely.
Under Section 20, the authorities have to ask for the approval of the ICT Minister, and then seek court orders. Sawatree suggested this should be instead in the power of a committee which many parties are represented, including, for example, ISPs, the Human Rights Commission, and internet users.
Section 15. Any service provider intentionally supporting or consenting to an offence under Section 14 within a computer system under their control shall be subject to the same penalty as that imposed upon a person committing an offence under Section 14.
This section amounts to self-censorship. It does not distinguish the types of service providers, which include content providers, host providers, or access providers, and inflicts too harsh a punishment.
All kinds of provider are scared of this sweeping punishment and the ambiguity tied to Section 14, resulting in self-censorship.
Sawatree asked whether service providers should be held responsible and penalized as much as those who commit the offences. There is no reason supporting this clause, she argued.
She felt disappointed with this law, after she had waited 9 years for it, she said.