Feed Aggregator Page 1
Rendered on Mon, 24 Oct 2016 19:30:12 GMT
Rendered on Mon, 24 Oct 2016 19:30:12 GMT
via Schneier on Security by Bruce Schneier on Mon, 24 Oct 2016 11:03:26 GMT
Josephine Wolff examines different Internet governance stakeholders and how they frame security debates. Her conclusion: The tensions that arise around issues of security among different groups of internet governance stakeholders speak to the many tangled notions of what online security is and whom it is meant to protect that are espoused by the participants in multistakeholder governance forums. What makes...via Schneier on Security by Bruce Schneier on Sat, 22 Oct 2016 13:47:31 GMT
Yesterday's DDoS attacks against Dyn are being reported everywhere. I have received a gazillion press requests, but I am traveling in Australia and Asia and have had to decline most of them. That's okay, really, because we don't know anything much of anything about the attacks. If I had to guess, though, I don't think it's China. I think it's...via Schneier on Security by Bruce Schneier on Fri, 21 Oct 2016 21:00:23 GMT
Interesting article listing the squid species that can still be ethically eaten. The problem, of course, is that on a restaurant menu it's just labeled "squid." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. EDITED TO ADD: By "ethically," I meant that the article discusses which...via Schneier on Security by Bruce Schneier on Fri, 21 Oct 2016 14:18:44 GMT
Interesting research....via News by editor on Fri, 21 Oct 2016 09:58:03 GMT
Press contact: +44 (0) 20 3422 4321 and press@privacyinternational.org
Key points
In a highly significant judgment released today, The Investigatory Powers Tribunal has found that the UK’s intelligence agencies were secretly and unlawfully collecting bulk data on people in the UK without adequate safeguards or supervision for over a decade. This is one of the most significant indictments of the secret use of the Government’s mass surveillance powers since Edward Snowden first began exposing the extent of US and UK spying in 2013.
The Tribunal, which is tasked with hearing complaints against the security and intelligence services, concluded that the two regimes, which permitted the collection of vast amounts of communications data (Bulk Communications Data) and large datasets with personal information (Bulk Personal Datasets), were unlawful for over a decade.
The case exposed inadequate safeguards against abuse, including warnings to staff not to use the databases created to house these vast collections of data to search for and/or access information ‘about other members of staff, neighbours, friends, acquaintances, family members and public figures’. Internal oversight failed, with highly sensitive databases treated like Facebook to check on birthdays, and very worryingly on family members for ‘personal reasons’.
The Tribunal ruled that “we are not satisfied that … there can be said to have been an adequate oversight of the BCD system, until after July 2015” with “no Codes of Practice relating to either BCD or BPD or anything approximating to them.” There was no statutory oversight of BPD prior to March 2015 and there has never been any statutory oversight of BCD.
Noting the highly secretive nature of the illegal BCD regime, the Tribunal ruled “it seems difficult to conclude that the use of BCD was foreseeable by the public when it was not explained to Parliament”.
The judgment does not specify whether the unlawfully obtained, sensitive personal data will be deleted.
Despite the Tribunal finding the regimes to be lawful after their respective “avowals” in 2015, Privacy International argues that they remain inadequate. There is no requirement for judicial or independent authorisation. Supervision by a member of the executive (i.e. a Government Minister) does not provide the necessary guarantees that surveillance operations that could impact on millions of people are necessary and proportionate. There is no procedure for notifying victims of any use or misuse of bulk communication data so they can seek an appropriate remedy. Entire databases of BCD and BPDs can be shared with foreign partners, ‘industry partners’ and other Government agencies. And the Tribunal has not assessed the necessity and proportionality of gathering such intrusive data about UK residents in bulk.
Mark Scott of Bhatt Murphy Solicitors, instructed by Privacy International in the legal challenge, said:
“This judgment confirms that for over a decade UK security services unlawfully concealed both the extent of their surveillance capabilities and that innocent people across the country have been spied upon.”
Millie Graham Wood, Legal Officer at Privacy International said:
“Today’s judgment is a long overdue indictment of UK surveillance agencies riding roughshod over our democracy and secretly spying on a massive scale. There are huge risks associated with the use of bulk communications data. It facilitates the almost instantaneous cataloguing of entire populations’ personal data. It is unacceptable that it is only through litigation by a charity that we have learnt the extent of these powers and how they are used. The public and Parliament deserve an explanation as to why everyone’s data was collected for over a decade without oversight in place and confirmation that unlawfully obtained personal data will be destroyed.”
- Ends -
Notes to editors
via News by editor on Fri, 21 Oct 2016 09:28:17 GMT
This week, from 17th-20th October 2016, the Kingdom of Morocco will be hosting the 38th International Conference of Data Protection and Privacy Commissioners (ICDPPC).
And two scenarios could play out…
Scenario one — like many other occasions, this will be used as wonderfully strategic PR stunt, whereby participants will be whisked directly from the airport to their hotel to the conference venue, and will be enchanted by the genuinely warm Moroccan hospitality. But they will leave with little or no clue of the grave human rights situation in Morocco. We are especially focused on the right to privacy (but that is not to detract from the wider human rights issues that Morocco must deal with).
Scenario two — it could be used as an opportunity for attendees and privacy protectors across the world to learn more about the countries they work with, and to shine a light on the Moroccan government’s attitude to the privacy of the Moroccan people, and urge reform.
As optimists, we sincerely hope for the latter.
Over the years, there have been significant global progress on the protection of privacy through legislation. On paper the Kingdom of Morocco is exemplary in this regard: it has a Constitutional right to privacy, a data protection framework, a data protection authority, and has ratified Convention 108 of the Council of Europe.
And yet, as is the case in many other parts of the world, the reality falls considerably short of the rhetoric.
Crackdown on civil society
In October 2015, seven activists and investigative journalists were brought before the Tribunal of First Instance of Rabat and charged with ‘using foreign funding to undermine State security’, a charge that carries up to five years in jail. The charges were widely seen as politically motivated. These individuals were known defenders and promoters of freedom of expression and privacy in Morocco. They were engaging in incredibly important work to raise awareness, in particular within their communities, on the right to privacy by supporting the development of advocacy strategies and tools to expand the reporting on government surveillance policies and practices. The trial has been postponed three times already in the last year, and the next hearing has been schedule for 26th October 2016.
This is just one of many examples that highlight the chasm between the policy and practice.
The limits placed on people’s democratic rights, coupled with aggressive abuse of their human rights, have been well documented and expressed by a variety of authoritative sources including Human Rights Watch, Amnesty International, and Reporters Without Borders. We have ourselves been the target of such attacks. On two occasions, events organised by Privacy International with and by its local partners were shut down by the police, forcing the events to be re-located or cancelled. Furthermore, at the locally-hosted launch of a report published Privacy International, the Ministry of Interior proceeded with an act of intimidation designed to silence civil society and stifle legitimate criticism of the Moroccan government.
We cannot remain silent in light of the life-changing consequences such arbitrary practices have on the lives of human rights defenders in Morocco and worldwide.
This is why we welcome the Resolution on Human Rights Defenders adopted on 18th October 2016 at 38th International Conference of Data Protection and Privacy Commissioners. The Resolution reaffirms the important role that human rights defenders play in ‘building a solid, lasting democratic society” and “in the process of fully achieving the rule of law and the strengthening of democracy”. In particular, we are pleased to note the commitment the ICDPPC undertakes to further consider the issues affecting human rights defenders in the context of privacy and data protection in future conferences. Human rights defenders play an essential role in researching and engaging in debates about the role of surveillance in our societies, and our participation should be encouraged. The adoption of this resolution is an important opportunity for these concerns to be addressed by the international community and recommendations put into action.
Shortcomings of data protection framework
With regards to the data protection legal framework there are some serious shortcomings. The data protection authority, la Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP), does not exercise monitoring or regulation on the processing of data involving state security, defence, public safety or criminal offences. Considering the surveillance capabilities and ambitions of the Moroccan government, this is clearly an intentional oversight. For instance, the Moroccan government is a keen promoter of national IDs and biometric databases. Yet the CNDP has not pronounced any thoughts on this infrastructure, even though it has significant implications for people in Morocco, in particular in restricting access to public service and economic opportunities.
One item on the international conference’s agenda is the interoperability of data protection law. We recommend that the conference should ideally address the existing national shortcomings as it proceeds with these discussions. Such developments must be used as an opportunity to raise the bar and implement high national data protection standards.
Communications surveillance: arbitrary and unregulated
Civil society organisations, independent media, and international human rights organisations regularly point to the discrepancy between the law and its application and there have been numerous reports from journalists and human rights defenders of on-going arbitrary and unlawful surveillance.
Some of our concerns include:
- Increasing reports of journalists, political activists, and human rights defenders having been unlawfully subjected to surveillance, detained, prosecuted on politically motivated charges, tortured and ill-treated.
- Lack of effective oversight of surveillance by law enforcement and intelligence agencies, given the limited publicly available information on their mandates, remits and powers;
- The full extent of the surveillance apparatus remains unknown but there is evidence of the expanding surveillance capabilities;
- The vague legal framework on encryption, which could be interpreted in a way that would criminalise personal use of encryption;
- Threats to anonymity with measures in place including mandatory SIM card registration;
Given that reconciling security and privacy has been set as key areas of focus for this year’s ICDPPC, this provides a unique and much needed opportunity to discuss some of the aforementioned concerns. And ask ourselves challenging questions: whose security are we really talking about? The security of those in power to maintain themselves in power or the security of citizens?
If these concerns fall on deaf ears of the international data protection community, Privacy International, with the essential support of local expertise, will continue with its effort to raise its concerns in other forums. Later this month, the UN Human Rights Committee will review the Kingdom of Morocco’s implementation of the International Covenant on Civil and Political Rights, which under Article 17 provides for the right of every person to be protected against arbitrary or unlawful interference with their privacy, family, home or correspondence as well as against unlawful attacks on their honour or reputation.
In 2017, the Kingdom of Morocco will be subject to scrutiny of the Human Rights Council through the 27th session of the Universal Periodic Review Working Group. Privacy International is preparing itself to engage in this process and has just submitted its stakeholder report on the right to privacy in Kingdom of Morocco.
Additional information:
Submission to the 116th Session of the UN Human Rights Committee https://www.privacyinternational.org/sites/default/files/HRC_morocco.pdf
Stakeholder report to the 27th Session of the Universal Periodic Review Working Group https://www.documentcloud.org/documents/3145724-UPR27-Morocco.html
via Schneier on Security by Bruce Schneier on Thu, 20 Oct 2016 11:16:31 GMT
Interesting interview: Obama: Traditionally, when we think about security and protecting ourselves, we think in terms of armor or walls. Increasingly, I find myself looking to medicine and thinking about viruses, antibodies. Part of the reason why cybersecurity continues to be so hard is because the threat is not a bunch of tanks rolling at you but a whole bunch...via Schneier on Security by Bruce Schneier on Wed, 19 Oct 2016 19:19:57 GMT
Researchers discover a clever attack that bypasses the address space layout randomization (ALSR) on Intel's CPUs. Here's the paper. It discusses several possible mitigation techniques....via Schneier on Security by Bruce Schneier on Wed, 19 Oct 2016 11:45:17 GMT
Lance Spitzner looks at the safety features of a power saw and tries to apply them to Internet security: By the way, here are some of the key safety features that are built into the DeWalt Mitre Saw. Notice in all three of these the human does not have to do anything special, just use the device. This is how...via Schneier on Security by Bruce Schneier on Tue, 18 Oct 2016 19:29:05 GMT
Former NSA attorneys John DeLong and Susan Hennessay have written a fascinating article describing a particular incident of oversight failure inside the NSA. Technically, the story hinges on a definitional difference between the NSA and the FISA court meaning of the word "archived." (For the record, I would have defaulted to the NSA's interpretation, which feels more accurate technically.) But...via Schneier on Security by Bruce Schneier on Mon, 17 Oct 2016 11:28:05 GMT
This is a harrowing story of a scam artist that convinced a mother that her daughter had been kidnapped. More stories are here. It's unclear if these virtual kidnappers use data about their victims, or just call people at random and hope to get lucky. Still, it's a new criminal use of smartphones and ubiquitous information. Reminds me of the...via Schneier on Security by Bruce Schneier on Fri, 14 Oct 2016 21:20:10 GMT
Squid ink risotto is a good accompaniment for any mild fish. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....via The Privacy Blog by lance on Mon, 03 Oct 2016 22:48:21 GMT
If you care at all about security and privacy, a recent security analysis of the D-Link DWR-932 B LTE router will make your head explode. Researcher Pierre Kim found an amazing set of security vulnerabilities that should embarrass a first year developer. First, by default you and SSH and Telnet (yes Telnet!) into the router using […]
The post So many reasons to never buy a D-Link router appeared first on The Privacy Blog.
via The Privacy Blog by lance on Tue, 27 Sep 2016 18:19:00 GMT
Mac users have long had an unwarranted level of confidence about their immunity to malware and hackers. Palo Alto Networks’ recently discovered some Mac malware in the wild, which I hope will make us Mac users pay more attention to security. The malware, which targets mostly the aerospace industry, appears to be from an APT […]
The post Macs are not safe from Bears appeared first on The Privacy Blog.
via Emergent Chaos by adam on Tue, 27 Sep 2016 16:00:56 GMT
via Emergent Chaos by adam on Thu, 22 Sep 2016 15:41:13 GMT
“We’ll have more guards. We’re going to try to have a ‘goat guarantee’ the first weekend,” deputy council chief Helene Åkerlind, representing the local branch of the Liberal Party, told newspaper Gefle Dagblad. “It is really important that it stays … Continue readingvia News by editor on Mon, 19 Sep 2016 12:53:00 GMT
This report examines the emergence of social media based surveillance in Thailand, carried out potentially by people’s own networks of friends and family. It looks at the severe impact this has on personal privacy and points to potential solutions.
In May 2014, Thailand experienced a military coup – its second in eight years. A military government led by General Prayut Chan-o-cha seized power and overthrew the administration of Prime Minister Yingluck Shinawatra. The Army declared martial law, which was maintained for the following 10 months, and an interim constitution was adopted in July 2014. The declaration of martial law allowed the Thai authorities to take strict public order measures, including reportedly closely monitoring of ‘delinquent’ behaviour such as eating sandwiches in the street or reading George Orwell’s books.
The Thai military government has counted on its police force to monitor online speech in order to curb dissent. But beyond the police force itself, the ruling military government has empowered networks of citizens whom it encourages to denounce those who post online content considered contrary to government policies.
With increased tension between supporters and opponents of the military government, some individuals have also created citizen-led initiatives to spy and inform on other citizens, thereby fostering a network of social surveillance. What does it mean to live in a country where the thoughts you share online, your comments on your friends’ social media statuses, the ‘likes’ you click on as you browse social media sites, can lead you to be imprisoned or worse? This report addresses this issue by shedding light on the use of social media for intelligence purposes and social surveillance in Thailand and the damaging effects such initiatives have had for Thai citizens’ right to privacy.
Background
Political discourse in Thailand has been broadly divided since 2005 into two camps: the red-shirts, supporters of Thaksin Shinawatra and his populist Thai Rak Thai party, and the yellow-shirts, who opposed Thaksin. [Political history of Thailand is not the focus of this report. A more detailed analysis can be found in Contemporary Socio-Cultural and Political Perspectives in Thailand by Pranee Liamputtong.] Thaksin, elected in 2001, was the first leader to see an elected government through a full term in office and was particularly popular among the poorer, rural populations living outside of the capital, Bangkok.
But Thaksin’s regime was stained by accusations of corruption and of human right abuses that fuelled his opponents’ discontent. The yellow-shirt supporters' Alliance for Democracy party gained supporters in a broad range of sectors, drawing largely from Bangkok’s middle class, including sections of the media, teachers’ unions, religious groups and non-governmental organisations (Liamputtong, 2014).
Thaksin Shinawatra, former Prime Minister of Thailand
Thaksin was deposed in a military coup in 2006. A self-proclaimed ‘Thaksin supporters’ party won the elections held the following year but the yellow-shirts launched another wave of protests until the newly elected prime minister was forced out of office. The military government once again took power and organised another round of elections in 2011. Once again, the Thaksin camp emerged victorious and Yingluck Shinawatra, Thaksin’s sister, was elected.
The yellow-shirts were back in the streets in November 2013 to protest against corruption and to demand the end of the Thaksin presidency. In May 2014, the Royal Thai Armed Forces seized power, imposed martial law, and announced that the government would not be organising elections for an indefinite period of time. Led by General Prayut Chan-o-cha, the head of the National Council for Peace and Order (NCPO), the post-coup regime committed serious human right abuses, according to human rights organisations and the United Nations Universal Periodic Review for Thailand. Among those abuses, the interim constitution accords unlimited executive, judicial and legal powers to the head of the NCPO. The constitution also contains troubling positions that conflict with the right to a fair trial – civilians can be arbitrarily tried in military court and are denied the right to appeal. [On 12 September 2016, the NCPO announced they would stop trying civilians in military courts]. These developments and furthers restrictions on freedom of expression and freedom of assembly have been condemned by the UN. Amnesty International also documented cases of torture against four men detained in relation to a hand grenade attack in March 2015.
Freedom of expression – particularly online speech – has also been greatly reduced under the NCPO government, with an increasing number of arrests for 'lèse-majesté', speaking ill of the monarchy.
The Computer Crime Act (CCA) has been an important legal instrument used to justify increasingly repressive government orders against freedom of expression. Under Section 14 of the Computer Crimes Act it is a crime to import, disseminate or forward false ‘computer data’, if it is done in a manner likely to cause damage to a third party or to the public, to damage the country’s security or to cause panic among the public.
Due to the vague and broad wording of this provision, the Act has been used to prosecute cases of statements resembling lèse-majesté, to prosecute almost any comment about the Royal Family perceived as negative, and overall to repress freedom of expression online in Thailand.
According to the UN, after the 2014 coup, arbitrary application of Article 112 of the Criminal Code (or the lèse-majesté law) and Computer Crimes Act have been ramped up, as cases are tried in camera before military courts, which involves a lack of access by defense lawyers to ‘incriminating evidence’ and harsh prison terms. Since the May 2014 military coup, at least 40 individuals have either been convicted or remain in pre-trial detention for lèse-majesté offences, both under Article 112 of the Criminal Code and under the 2007 Computer Crimes Act.”
By condemning as lèse-majesté a wide range of dissenting opinion, the Thai government has been instigating a climate of fear that has affected the right to privacy of citizens. Individuals have been arrested for expressing their opinions on social media, a personal space many expect to be safe from government interference.
Privacy International defines social media as a unique space that cannot be simply assumed to be a public space. It is a space where people should feel safe to express themselves as long as they respect the rules set out by the companies that own the social media they use. Therefore, when the police track content posted on social media, or encourage citizens to denounce their friends, the personal sphere of the individual is violated and their privacy invaded.
The post-coup arrests of social media dissenters often relate to content that they posted before the coup, sometimes by several years. In Tanet’s case [Tanet’s last name is not disclosed for privacy reasons], for instance, a police investigation in 2010 had revealed that he had sent emails to a British citizen who ran a blog called ‘Stop the Lèse-majesté’. The police had hacked into the email account of the British citizen to identify the Thai citizens with whom he had been communicating. However, the police did not prosecute Tanet until four years later, in July 2014, two months after the coup. According to a source familiar with lèse-majesté cases, the NCPO had asked the police for a list of names of people who had criticised the royal family but had not been arrested.
Since the coup, the sentences for posting content that the government considers to be illegal are also increasingly lengthy: Pongsak Sriboonpeng was condemned to 60 years in jail for posting six photos with comments considered to be in violation of lèse-majesté laws. He pleaded guilty. Though his sentence was halved to 30 years, it remains the longest sentence for a lèse-majesté case in Thailand to date.
Three days after the coup, the government announced that cases pertaining to national security – which in Thailand includes lèse-majesté crimes – would take place in military courts, instead of civilian courts. Judges can decide to hold military court trials in camera – behind closed doors – and defendants would no longer have a right of appeal.
While martial law was lifted in most parts of the country in April 2015, lèse-majesté cases are still heard in military courts.
The NCPO is seeking ever-broadening powers. In March 2015 it issued Order No.13/2559 (2016); article 3 and 4 of the order gives NCPO officers the power to; search premises, people, and vehicles; summon and arrest people; confiscate property; and request information without a warrant if they suspect illegal activities.
The government has various ways of identifying the authors of what it deems to be illegal content on social media; in some cases, the government has arrested opponents in the streets during protests and forced them to hand over their social media passwords. The Thai police has also reportedly created a fake application to phish the data of users trying to log on to Facebook.
According to online newspaper Prachatai, in May 2014, Police Major General Pisit Paoin, the head of a government-appointed working group responsible for censoring the internet, revealed his plan to spy on social media and chat apps. “We’ll send you a friend request. If you accept the friend request, we’ll see if anyone disseminates information which violates the NCPO orders. Be careful, we’ll soon be your friend,” he said.
We will explore in this report the processes of identification the Thai government has been developing to prosecute online speech and how this processes have been detrimental to the right to privacy. In particular, we will look at cases of social surveillance and explore how the current climate has led citizens to initiate their own informant groups.
Prayut Chan-o-cha, Prime Minister of Thailand
The right to privacy and online speech
The repression of freedom of expression online in turn raises many questions about privacy. In Thailand the process of identifying individuals who post what is deemed illegal content online has led to citizens’ personal online space being invaded and they risk their private thoughts and opinions being denounced to authorities.
Social media sites are not entirely public spaces. In some countries, citizens have some rights to privacy in the public space but those rights cannot be easily transferred to social media. In a public, physical space, a police officer in many jurisdictions could only follow one person at a time and for a limited amount of time; the person could also potentially realise they are being followed. On social media, a police officer could access potentially thousands of accounts at the same time using social media monitoring technologies that scrape data from user content and profiles, and perform automatic analysis on them.
Unlike most websites, social media services are spaces that require the user to create an account and log in to access the full range of social media services, for example, sharing articles or exchanging messages with other users. To access some specific pieces of content, depending on the privacy settings of the user who posted the content, the services may require users to log in and be authorised by the poster of that content to view it. Each social media service is governed by terms of use set out by the private companies that provides the service as to what can and cannot be accessed when you are logged in or not logged in.
Regardless of privacy settings, most social media users are communicating with a network, albeit sometimes a very large one, rather than it being a fully ‘public broadcast’, where they assume that anyone and everyone can access it. As such, people who are under no suspicion of any crime should have a reasonable expectation that their social media activity is not routinely watched and controlled by state actors.
To that extent, even if the content is publically available, social media is a partially private space that should require a form of legal authorisation – that specifies the nature of the mission for which access to social media will be needed and the duration of the authorisation – for the police to investigate. When the Thai police phishes users’ data or relies on a network of informants, it is invading the privacy of social media users.
Article 35 of the previous Constitution of Thailand included the right to privacy as a human right [B.E. 2550 (2007) Constitution Article 35: “A person’s family rights, dignity, reputation or the right of privacy shall be protected. The assertion or circulation of a statement or picture in any manner whatsoever to the public, which violates or affects a person’s family rights, dignity, reputation or the right of privacy, shall not be made except for the case which is beneficial to the public”]. Following the May 2014 military coup, all but a few provisions of the 2007 Constitution were suspended. An interim Constitution was promulgated on 22 July 2014. The Interim Constitution does not explicitly uphold the right to privacy and the only provision on the protection and promotion of fundamental rights and freedoms reads: “subject to the provisions of this Constitution, all human dignity, rights, liberties and equality of the people protected by the constitutional convention under a democratic regime of government with the King as the Head of State, and by international obligations bound by Thailand, shall be protected and upheld by this Constitution.”
A new constitution was voted on 7th August 2016 that specifically upholds the right to privacy.
Yet the three cases below reflect the Thai police’s investigation tactics and the impact the subsequent arrests have on Thai citizens’ right to privacy.
Pongsak Sriboonpeng
Pongsak Sriboonpeng is a 48-year-old former tour operator. In his interviews he claims he became sensitized to poverty and inequality in Thailand during his extensive travels throughout Europe. Under the pseudonym “Sam Parr” that he used on Facebook, Pongsak became increasingly involved in politics, writing blog posts on Thai political history and taking part in red-shirt political rallies. Upon his return to Thailand, Pongsak was required to take care of his elderly mother. Socially isolated, he would spend his free time online meeting new people who shared his views [Pongsak also claimed alcohol led him to post content he would not have otherwise posted]. In June 2014, one month after the coup, Pongsak featured on a list of 17 people summoned by the government. He failed to appear for questioning.
But the police caught up with Pongsak. One of his new online ‘friends’ invited him to visit him in his home town in December 2014. Pongsak had been speaking to him for four or five months and the person had even sent him a mobile phone as a gift. As Pongsak took the bus to visit his friend, the latter frequently messaged him to check on his location. When the bus arrived Pongsak was greeted by police officers and soldiers who boarded the bus to bring him to a military base where he was detained. His ‘friend’ turned out to be one of the officers who interrogated him. He reportedly asked Pongsak: “Don’t you remember me?”
Pongsak was tried for offences related to six Facebook posts. Four of them were posted in September 2013, before the coup. Two of them were from November 2014. The content of the posts could not be reported since the military trial took place in camera, as the content was deemed too offensive to be disclosed. The posts involved a picture of the King’s sculpture, a photo montage and a picture of a banner.
Yet, Reuters reported that the postings included neither threats of violence toward the King or the royal family, nor appeals to abolish the monarchy. Pongsak was judged in a military court, and despite a plea for leniency for health reasons, he was sentenced to 60 years in jail –10 years for each post. His sentence was eventually reduced to 30 years following his guilty plea.
Akaradej
‘Akaradej’ [His name is not disclosed for privacy reasons] was a student at Mahanakorn University of Technology. On Facebook he used the pseudonym “Uncle Dom also loves the King.” In March 2014, one of his Facebook friends, who disagreed with his political views, denounced him to the police for a comment Akaradej had made on a status he had posted. In June 2014, a month after the coup, ten police officers arrested him at his university dormitory and confiscated his electronic devices. Akaradej was denied bail and spent five months in detention before being tried in November 2014. A criminal court condemned him to five years in jail, which was reduced to two and a half years.
Sasivimol
In September 2014, nine members of an ultra-royalist group in Chiang Mai province led by Krit Yiammethakorn filed a complaint to the local police against a Facebook user named Rungnapha Khamwichai, who they claimed had posted seven messages deemed to be lèse-majesté. The group had been informed that the user was based in Chiang Mai. The police identified the person behind the account Rungnapha Khamwichai as Sasivimol (also spelled Sasiwimol), a 29-year-old bar tender who worked in a hotel in Chiang Mai and the single mother of two girls.
Sasivimol claimed she had never engaged in any political activity. When plainclothes officers came to her house in September 2014 and confiscated her computer and mobile phone for inspection she told them she was not the author of the messages that they found. According to iLaw, a Thai non-profit organisation fighting for legislative change, she was then told it was not a serious case and that she would be let go if she confessed. Sasivimol claims she was not aware of Article 112 – the law banning lèse-majesté – and did not have access to a lawyer. She decided to do as she was told and confessed to having authored the lèse-majesté posts.
On February 2015, she was told she had been charged with violating Article 112 and taken to military court. She was detained until her trial in August 2015. Sasivimol was sentenced to 56 years in jail – eight years for each of the seven messages – but her sentence was reduced to 28 years because of her confession. The court ignored her retraction of the confession.
Social Surveillance
Sasivimol’s case is reflective of a form of identification that particularly threatens the right to privacy in Thailand: social surveillance.
The Thai government has deployed substantial resources in order to surveil the population over social media. The Technology Crime Suppression Division (TCSD) – the police unit that specialises in cyber-crime – has deployed a 30-person team that “operates around the clock, scanning online postings and following up complaints from the public on cybercrimes, including royal defamation.” The military also has a force of 60 to 70 officers participating in ‘Information Warfare’ and ‘Information Operations’ to monitor online content and investigate, arrest and charge authors of content deemed to be lèse-majesté offences.
Apart from the police and the military, the Thai government relies largely on the goodwill of Thai citizens to identify what it considers to be offensive speech. The social veneration of the royal family combined with a political context that fosters denunciation has led to the creation of ultra-monarchist groups – like the one in Chiang Mai – that focus on denouncing and harassing people they accuse of lèse-majesté offences. The polarisation of the Thai political scene heightens the tension: according to legal sources we have spoken to, some yellow-shirt supporters are inclined to join groups to accuse red-shirt members of lèse-majesté.
Shortly after the coup, Deputy Police Commissioner General Somyot Poompanmoung created a bounty programme to encourage Thai internet users to denounce dissidents. Thai citizens are encouraged to send pictures of anyone who may be “displaying opposition to the military coup.” For each picture sent, the denunciator receives 500 Baht (approximately US $14). As mentioned earlier, signs of dissent that have elicited Thai authorities' interest have reportedly included reading George Orwell’s books and eating sandwiches outside.
Below are examples of citizen groups whose purpose is to report what is deemed as illegal online content.
Cyber Scouts website
Cyber Scouts
The Cyber Scouts is an initiative that was ‘reactivated’ in August 2014 by the Ministry of Information and Communications Technology (ICT) as part of a collaboration with 200 schools. The original initiative had been created in 2010 as a collaboration between the Ministry of Justice and the Ministry of ICT, though the project collapsed after a few months following the change of government. The goal of Cyber Scouts has been to create a youth movement to police the internet, in search of “distorted information” and lèse-majesté content.
Using social media, teenagers recruited by Cyber Scouts are expected to monitor the internet and denounce anything illegal according to Thai law. They get ‘points’ for doing so and outstanding ‘cyber scouts’ see their profiles featured on the Cyber Scouts website. The Ministry of ICT expects Cyber Scouts to become ‘ambassadors’ of ‘good’ internet practices, as they can “demonstrate [to] their close friends, parents or acquaintances [how] to use internet appropriately [sic].”
In 2011, before the project collapsed, one Cyber Scout told Agence France Presse (AFP) about his one-day training: “I learned about the history of the King, his Majesty, and how divine he is ... and also how to use a computer, the internet and Facebook. Not many people know about the project. They may think they're talking to a friend because I don't tell them I'm a cyber scout. I feel I am doing an important job.”
The Cyber Scouts are of particular concern, as unlike citizen-led initiatives the government is the organiser, thereby officially endorsing the project. The initiative is emblematic of the government’s attempts to foster a climate of fear in which Thai citizens feel threatened for expressions of political dissent and led to believe there is no safe space.
Citizen-led initiatives
The current climate of severe repression of dissident speech and government-encouraged denunciations, political polarisation and glorification of the royal family in Thailand has led individuals to create their own platforms to denunciate others.
The Rubbish Collection Organisation (RCO) is an ultra-royalist group founded in April 2014, one month before the coup, by doctor and hospital director Reintong Nannah [also spelled Rienthong Nanna]. Nannah stated in an interview that his goal was to “bring all lèse-majesté offenders to justice”.
According to the Bangkok Post, which was present during the group’s first meeting, RCO members are mostly retired soldiers. It is unclear how many people support the RCO. Nannah had claimed to the Bangkok Post that the group already had 2,000 ‘teams’ but its first meeting – where the interview took place – was only joined by 25 people. As of May 2016, over 224,000 users had ‘liked’ their Facebook page.
The RCO’s first target was Chatwadee Rose Amornphat, a Thai-British dual citizen. Chatwadee works as a hairdresser in London and is also one of the most outspoken opponents of lèse-majesté laws and regularly posts videos lampooning the Royal Family.
In the UK, Chatwadee had been stalked and harassed by pro-monarchy groups. After the coup, the government requested Chatwadee’s extradition from the UK to Thailand; the UK has refused the request as lèse-majesté is not considered a crime under British law.
In May 2015, a woman who goes by the name Tananun Buranasiri on Facebook said she had been fired from her job after her employer was informed that she posted lèse-majesté content on Facebook. RCO had orchestrated a bullying campaign offline and online against Tananun. She was ‘doxed’: her personal information, including her workplace, details on her husband and children were posted on RCO’s Facebook page. RCO has also filed a legal complaint against Tananun. RCO also announced in October 2015 they would file criminal charges against Facebook and YouTube for hosting lèse-majesté material.
Social Sanction (which is known by the term ‘the SS’) is an ultra-royalist group that has been active since 2010. The SS’ Facebook page description claims their goal is “to increase public awareness of corruption and create pressure to combat it, and to stop the crime of lèse-majesté.” [As of May 2016, the SS have 2,131 “likes” on their Facebook page.]
The SS became well-known with the arrest of Norawase Yotpiyasathien, a business administration student from Kasetsart University, for his blog posts deemed to contain content insulting the royal family. He was, at 23 years old, the youngest person arrested for lèse-majesté, which caused concern among students.
The SS exposed Norawase and published his name, photos, personal address and phone numbers online. When he was arrested the SS wrote "another one is down." Norawase was arrested before the coup, a time when lèse-majesté sentences were significantly more lenient and he was therefore released on bail after a few days of arrests.
Norawase was not the SS’ first student target. In 2010, they harassed Natthakarn Sakuldarachart, a politically-active high school student, and threatened to harm her if she showed up at the admission examination at Kasetsart University, the university to which she had applied. She eventually did not attend the examination out of fear and failed to qualify to enter Kasetsart University.
Social surveillance is not solely organised by groups. Some individuals take it upon themselves to independently denounce others. “Some people try to become famous on Facebook with mass denunciations,” said one legal source familiar with lèse-majesté cases. [Another source familiar with lèse-majesté cases referred to the case of a man in the North East province that regularly reports evidence of lèse-majesté to the police. People charged with lèse-majesté have to go to court where the complaint has been filed.]
A Facebook user has for instance denounced Chaida Bunyothin and Parichat Klinsrisuk, who posted messages on the Facebook profile of a red-shirt radio host.
Concluding remarks
The government has been stoking existing tensions within the Thai population and has created a climate in which citizens no longer have a safe space for formulating their thoughts and expressing themselves in an environment that should be considered at least partially private. With the increased focus on arresting dissidents and individuals accused of lèse-majesté, the government has fomented a climate where citizens feel justified in policing each other. With a new constitution that protects the right to privacy, social network users should not be made to self-censor expressions of political dissent. So long as the rules set out by social network companies are respected, users should be fearing neither their government nor civilian ‘militia’ informing on them.
Privacy International has observed social surveillance practices in several countries, including Morocco and China, through the Sesame social network. This practice effectively offers the government free policing and surveillance capabilities over their citizens and reinforces oppressive political dynamics.
Privacy International demands that the Thai government put an end to social surveillance by:
via Emergent Chaos by adam on Fri, 09 Sep 2016 15:24:55 GMT
When I think about how to threat model well, one of the elements that is most important is how much people need to keep in their heads, the cognitive load if you will. In reading Charlie Stross’s blog post, “Writer, … Continue readingvia Emergent Chaos by adam on Wed, 24 Aug 2016 23:58:03 GMT
At the RMS blog, we learn they are “Launching a New Journal for Terrorism and Cyber Insurance:” Natural hazard science is commonly studied at college, and to some level in the insurance industry’s further education and training courses. But this … Continue readingvia Emergent Chaos by adam on Wed, 10 Aug 2016 22:01:05 GMT
Nothing. No, seriously. Articles like “Microsoft Secure Boot key debacle causes security panic” and “Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea” draw on words in an advisory to say that this is all about golden … Continue reading