Feed Aggregator Page 1

Rendered on Mon, 24 Oct 2016 19:30:12 GMT

How Different Stakeholders Frame Security

via Schneier on Security by Bruce Schneier on Mon, 24 Oct 2016 11:03:26 GMT

Josephine Wolff examines different Internet governance stakeholders and how they frame security debates. Her conclusion: The tensions that arise around issues of security among different groups of internet governance stakeholders speak to the many tangled notions of what online security is and whom it is meant to protect that are espoused by the participants in multistakeholder governance forums. What makes...

DDoS Attacks against Dyn

via Schneier on Security by Bruce Schneier on Sat, 22 Oct 2016 13:47:31 GMT

Yesterday's DDoS attacks against Dyn are being reported everywhere. I have received a gazillion press requests, but I am traveling in Australia and Asia and have had to decline most of them. That's okay, really, because we don't know much of anything about the attacks. If I had to guess, though, I don't think it's China. I think it's...

Friday Squid Blogging: Which Squid Can I Eat?

via Schneier on Security by Bruce Schneier on Fri, 21 Oct 2016 21:00:23 GMT

Interesting article listing the squid species that can still be ethically eaten. The problem, of course, is that on a restaurant menu it's just labeled "squid." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. EDITED TO ADD: By "ethically," I meant that the article discusses which...

Privacy Makes Workers More Productive

via Schneier on Security by Bruce Schneier on Fri, 21 Oct 2016 14:18:44 GMT

Interesting research....

Press Release: New court judgment finds UK surveillance agencies collected everyone’s communications data unlawfully and in secret, for over a decade

via News by editor on Fri, 21 Oct 2016 09:58:03 GMT

21 October 2016

Press contact: +44 (0) 20 3422 4321 and press@privacyinternational.org

Key points

  • Bulk Communications Data (BCD) collection, commenced in March 1998, unlawful until November 2015
  • Bulk Personal Datasets regime (BPD), commenced c.2006, unlawful until March 2015
  • Everyone’s communications data collected unlawfully, in secret and without adequate safeguards until November 2015
  • We maintain that even post 2015, bulk surveillance powers are not lawful
  • As the Investigatory Powers Bill is set to become law within weeks, we argue that the authorisation and oversight regime that was left wanting pre 2015 remains deeply inadequate.
  • Judgment will be here shortly: http://www.ipt-uk.com/judgments.asp

In a highly significant judgment released today, The Investigatory Powers Tribunal has found that the UK’s intelligence agencies were secretly and unlawfully collecting bulk data on people in the UK without adequate safeguards or supervision for over a decade. This is one of the most significant indictments of the secret use of the Government’s mass surveillance powers since Edward Snowden first began exposing the extent of US and UK spying in 2013.

The Tribunal, which is tasked with hearing complaints against the security and intelligence services, concluded that the two regimes, which permitted the collection of vast amounts of communications data (Bulk Communications Data) and large datasets with personal information (Bulk Personal Datasets), were unlawful for over a decade.

The case exposed inadequate safeguards against abuse, including warnings to staff not to use the databases created to house these vast collections of data to search for and/or access information ‘about other members of staff, neighbours, friends, acquaintances, family members and public figures’. Internal oversight failed, with highly sensitive databases treated like Facebook to check on birthdays, and very worryingly on family members for ‘personal reasons’.

The Tribunal ruled that “we are not satisfied that … there can be said to have been an adequate oversight of the BCD system, until after July 2015” with “no Codes of Practice relating to either BCD or BPD or anything approximating to them.” There was no statutory oversight of BPD prior to March 2015 and there has never been any statutory oversight of BCD.

Noting the highly secretive nature of the illegal BCD regime, the Tribunal ruled “it seems difficult to conclude that the use of BCD was foreseeable by the public when it was not explained to Parliament”.

The judgment does not specify whether the unlawfully obtained, sensitive personal data will be deleted.

Despite the Tribunal finding the regimes to be lawful after their respective “avowals” in 2015, Privacy International argues that they remain inadequate. There is no requirement for judicial or independent authorisation. Supervision by a member of the executive (i.e. a Government Minister) does not provide the necessary guarantees that surveillance operations that could impact on millions of people are necessary and proportionate. There is no procedure for notifying victims of any use or misuse of bulk communication data so they can seek an appropriate remedy. Entire databases of BCD and BPDs can be shared with foreign partners, ‘industry partners’ and other Government agencies. And the Tribunal has not assessed the necessity and proportionality of gathering such intrusive data about UK residents in bulk.

Mark Scott of Bhatt Murphy Solicitors, instructed by Privacy International in the legal challenge, said:

“This judgment confirms that for over a decade UK security services unlawfully concealed both the extent of their surveillance capabilities and that innocent people across the country have been spied upon.”

Millie Graham Wood, Legal Officer at Privacy International said:

“Today’s judgment is a long overdue indictment of UK surveillance agencies riding roughshod over our democracy and secretly spying on a massive scale. There are huge risks associated with the use of bulk communications data. It facilitates the almost instantaneous cataloguing of entire populations’ personal data. It is unacceptable that it is only through litigation by a charity that we have learnt the extent of these powers and how they are used. The public and Parliament deserve an explanation as to why everyone’s data was collected for over a decade without oversight in place and confirmation that unlawfully obtained personal data will be destroyed.”

- Ends -

Notes to editors

  • IPT finds bulk powers (BCD and BPD) to be neither accessible nor foreseeable during the relevant period.
  • The IPT holds the Bulk Communications Data (BCD) regime (the where, when and what of communications), which commenced in 1998, did not comply with Article 8 of the European Convention of Human Rights until 4th November 2015
  • The IPT holds the Bulk Personal Datasets (BPD) regime (which enables intelligence agencies to requisition databases of information that might include medical records, tax records, electoral register information and virtually any other database of information held by companies, Government departments, charities), which has been in operation for around 10 years, did not comply with Article 8 until 12th March 2015.
  • In 2015 the Government admitted it had been using an obscure and vague clause in a piece of legislation from 1984 to obtain bulk communications data (BCD). A legal challenge brought by Privacy International in June 2015 forced the Government and intelligence agencies to disclose practices which have now been found unlawful, which had been kept hidden not only from the public but also from Parliament. The Tribunal noted that despite ‘several opportunities’ over the many years that these powers were used, ‘the government of the day did not avow the use of section 94’ of the 1984 Telecommunications Act.
  • BPD and BCD are intrusive and comprehensive. Current BCD collection includes location information and call data for everyone’s mobile telephones in the UK for one year.
  • BCD is the who, when, where, and how of a communication. It includes, but is not limited to, visited websites, email contacts, to whom and where and when an email is sent, map searches, GPS location and information about every device connected to every Wifi network. BCD can provide vast knowledge about individuals.
  • BPDs are large datasets that are incorporated into ‘analytical systems’. They contain considerable volumes of personal data about individuals, the majority of whom are unlikely to be of intelligence interest. They include biographical details, commercial and financial activities, communications and travel as well as BCD. BPDs contain the content of legally privileged communications (David Anderson QC para 2.84 Report of the Bulk Powers Review).
  • The claim concerned the acquisition, use, retention, disclosure, storage and deletion by GCHQ, SIS and the Security Service of Bulk Communications Data (BCD) obtained under section 94 of the Telecommunications Act 1984 and Bulk Personal Datasets (BPDs) obtained under a variety of legal powers.
  • These revelations come as a result of Privacy International’s litigation. Indeed, even Parliamentary debates about the Investigatory Powers Bill over the last year, which were supposed to have been the Government’s opportunity to come clean about the surveillance powers it has and the new powers it wants, have barely touched on the BPD and BCD regimes, which give the Government deeply intrusive powers to reach into every aspect of our lives.
  • For further background information, visit our website at https://privacyinternational.org/node/843

There is too much at stake for this to be a PR stunt

via News by editor on Fri, 21 Oct 2016 09:28:17 GMT

Date: 21 October 2016

This week, from 17th-20th October 2016, the Kingdom of Morocco will be hosting the 38th International Conference of Data Protection and Privacy Commissioners (ICDPPC).

And two scenarios could play out…

Scenario one — like many other occasions, this will be used as a wonderfully strategic PR stunt, whereby participants will be whisked directly from the airport to their hotel to the conference venue, and will be enchanted by the genuinely warm Moroccan hospitality. But they will leave with little or no clue of the grave human rights situation in Morocco. We are especially focused on the right to privacy (but that is not to detract from the wider human rights issues that Morocco must deal with).

Scenario two — it could be used as an opportunity for attendees and privacy protectors across the world to learn more about the countries they work with, and to shine a light on the Moroccan government’s attitude to the privacy of the Moroccan people, and urge reform.

As optimists, we sincerely hope for the latter.

Over the years, there has been significant global progress on the protection of privacy through legislation. On paper the Kingdom of Morocco is exemplary in this regard: it has a Constitutional right to privacy, a data protection framework, a data protection authority, and has ratified Convention 108 of the Council of Europe.

And yet, as is the case in many other parts of the world, the reality falls considerably short of the rhetoric.

Crackdown on civil society

In October 2015, seven activists and investigative journalists were brought before the Tribunal of First Instance of Rabat and charged with ‘using foreign funding to undermine State security’, a charge that carries up to five years in jail. The charges were widely seen as politically motivated. These individuals were known defenders and promoters of freedom of expression and privacy in Morocco. They were engaging in incredibly important work to raise awareness, in particular within their communities, on the right to privacy by supporting the development of advocacy strategies and tools to expand the reporting on government surveillance policies and practices. The trial has been postponed three times already in the last year, and the next hearing has been scheduled for 26th October 2016.

This is just one of many examples that highlight the chasm between the policy and practice.

The limits placed on people’s democratic rights, coupled with aggressive abuse of their human rights, have been well documented and expressed by a variety of authoritative sources including Human Rights Watch, Amnesty International, and Reporters Without Borders. We have ourselves been the target of such attacks. On two occasions, events organised by Privacy International with and by its local partners were shut down by the police, forcing the events to be re-located or cancelled. Furthermore, at the locally-hosted launch of a report published by Privacy International, the Ministry of Interior proceeded with an act of intimidation designed to silence civil society and stifle legitimate criticism of the Moroccan government.

We cannot remain silent in light of the life-changing consequences such arbitrary practices have on the lives of human rights defenders in Morocco and worldwide.

This is why we welcome the Resolution on Human Rights Defenders adopted on 18th October 2016 at the 38th International Conference of Data Protection and Privacy Commissioners. The Resolution reaffirms the important role that human rights defenders play in “building a solid, lasting democratic society” and “in the process of fully achieving the rule of law and the strengthening of democracy”. In particular, we are pleased to note the commitment the ICDPPC undertakes to further consider the issues affecting human rights defenders in the context of privacy and data protection in future conferences. Human rights defenders play an essential role in researching and engaging in debates about the role of surveillance in our societies, and our participation should be encouraged. The adoption of this resolution is an important opportunity for these concerns to be addressed by the international community and recommendations put into action.

Shortcomings of data protection framework

With regards to the data protection legal framework there are some serious shortcomings. The data protection authority, la Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP), does not exercise monitoring or regulation on the processing of data involving state security, defence, public safety or criminal offences. Considering the surveillance capabilities and ambitions of the Moroccan government, this is clearly an intentional oversight. For instance, the Moroccan government is a keen promoter of national IDs and biometric databases. Yet the CNDP has not pronounced any thoughts on this infrastructure, even though it has significant implications for people in Morocco, in particular in restricting access to public service and economic opportunities.

One item on the international conference’s agenda is the interoperability of data protection law. We recommend that the conference should ideally address the existing national shortcomings as it proceeds with these discussions. Such developments must be used as an opportunity to raise the bar and implement high national data protection standards.

Communications surveillance: arbitrary and unregulated

Civil society organisations, independent media, and international human rights organisations regularly point to the discrepancy between the law and its application and there have been numerous reports from journalists and human rights defenders of on-going arbitrary and unlawful surveillance.

Some of our concerns include:

- Increasing reports of journalists, political activists, and human rights defenders having been unlawfully subjected to surveillance, detained, prosecuted on politically motivated charges, tortured and ill-treated.

- Lack of effective oversight of surveillance by law enforcement and intelligence agencies, given the limited publicly available information on their mandates, remits and powers;

- The full extent of the surveillance apparatus remains unknown but there is evidence of the expanding surveillance capabilities;

- The vague legal framework on encryption, which could be interpreted in a way that would criminalise personal use of encryption;

- Threats to anonymity with measures in place including mandatory SIM card registration;

Given that reconciling security and privacy has been set as a key area of focus for this year’s ICDPPC, this provides a unique and much needed opportunity to discuss some of the aforementioned concerns, and to ask ourselves challenging questions: whose security are we really talking about? The security of those in power to maintain themselves in power or the security of citizens?

If these concerns fall on deaf ears of the international data protection community, Privacy International, with the essential support of local expertise, will continue with its effort to raise its concerns in other forums. Later this month, the UN Human Rights Committee will review the Kingdom of Morocco’s implementation of the International Covenant on Civil and Political Rights, which under Article 17 provides for the right of every person to be protected against arbitrary or unlawful interference with their privacy, family, home or correspondence as well as against unlawful attacks on their honour or reputation.

In 2017, the Kingdom of Morocco will be subject to scrutiny of the Human Rights Council through the 27th session of the Universal Periodic Review Working Group. Privacy International is preparing itself to engage in this process and has just submitted its stakeholder report on the right to privacy in the Kingdom of Morocco.

Additional information:

Submission to the 116th Session of the UN Human Rights Committee https://www.privacyinternational.org/sites/default/files/HRC_morocco.pdf

Stakeholder report to the 27th Session of the Universal Periodic Review Working Group https://www.documentcloud.org/documents/3145724-UPR27-Morocco.html

President Obama Talks About AI Risk, Cybersecurity, and More

via Schneier on Security by Bruce Schneier on Thu, 20 Oct 2016 11:16:31 GMT

Interesting interview: Obama: Traditionally, when we think about security and protecting ourselves, we think in terms of armor or walls. Increasingly, I find myself looking to medicine and thinking about viruses, antibodies. Part of the reason why cybersecurity continues to be so hard is because the threat is not a bunch of tanks rolling at you but a whole bunch...

Bypassing Intel's ASLR

via Schneier on Security by Bruce Schneier on Wed, 19 Oct 2016 19:19:57 GMT

Researchers discover a clever attack that bypasses the address space layout randomization (ASLR) on Intel's CPUs. Here's the paper. It discusses several possible mitigation techniques....

Security Lessons from a Power Saw

via Schneier on Security by Bruce Schneier on Wed, 19 Oct 2016 11:45:17 GMT

Lance Spitzner looks at the safety features of a power saw and tries to apply them to Internet security: By the way, here are some of the key safety features that are built into the DeWalt Mitre Saw. Notice in all three of these the human does not have to do anything special, just use the device. This is how...

Intelligence Oversight and How It Can Fail

via Schneier on Security by Bruce Schneier on Tue, 18 Oct 2016 19:29:05 GMT

Former NSA attorneys John DeLong and Susan Hennessey have written a fascinating article describing a particular incident of oversight failure inside the NSA. Technically, the story hinges on a definitional difference between the NSA and the FISA court meaning of the word "archived." (For the record, I would have defaulted to the NSA's interpretation, which feels more accurate technically.) But...

Virtual Kidnapping

via Schneier on Security by Bruce Schneier on Mon, 17 Oct 2016 11:28:05 GMT

This is a harrowing story of a scam artist that convinced a mother that her daughter had been kidnapped. More stories are here. It's unclear if these virtual kidnappers use data about their victims, or just call people at random and hope to get lucky. Still, it's a new criminal use of smartphones and ubiquitous information. Reminds me of the...

Friday Squid Blogging: Barramundi with Squid Ink Risotto

via Schneier on Security by Bruce Schneier on Fri, 14 Oct 2016 21:20:10 GMT

Squid ink risotto is a good accompaniment for any mild fish. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

So many reasons to never buy a D-Link router

via The Privacy Blog by lance on Mon, 03 Oct 2016 22:48:21 GMT

If you care at all about security and privacy, a recent security analysis of the D-Link DWR-932 B LTE router will make your head explode. Researcher Pierre Kim found an amazing set of security vulnerabilities that should embarrass a first-year developer. First, by default you can SSH and Telnet (yes Telnet!) into the router using […]


Macs are not safe from Bears

via The Privacy Blog by lance on Tue, 27 Sep 2016 18:19:00 GMT

Mac users have long had an unwarranted level of confidence about their immunity to malware and hackers. Palo Alto Networks recently discovered some Mac malware in the wild, which I hope will make us Mac users pay more attention to security. The malware, which targets mostly the aerospace industry, appears to be from an APT […]


Current Reading

via Emergent Chaos by adam on Tue, 27 Sep 2016 16:00:56 GMT

Gavle Goat, now 56% more secure!

via Emergent Chaos by adam on Thu, 22 Sep 2016 15:41:13 GMT

“We’ll have more guards. We’re going to try to have a ‘goat guarantee’ the first weekend,” deputy council chief Helene Åkerlind, representing the local branch of the Liberal Party, told newspaper Gefle Dagblad. “It is really important that it stays …

Friends, Followers, Police Officers, and Enemies: Social Surveillance in Thailand

via News by editor on Mon, 19 Sep 2016 12:53:00 GMT

Date: Tuesday, September 20, 2016

This report examines the emergence of social media based surveillance in Thailand, carried out potentially by people’s own networks of friends and family. It looks at the severe impact this has on personal privacy and points to potential solutions.

In May 2014, Thailand experienced a military coup – its second in eight years. A military government led by General Prayut Chan-o-cha seized power and overthrew the administration of Prime Minister Yingluck Shinawatra. The Army declared martial law, which was maintained for the following 10 months, and an interim constitution was adopted in July 2014. The declaration of martial law allowed the Thai authorities to take strict public order measures, including reportedly close monitoring of ‘delinquent’ behaviour such as eating sandwiches in the street or reading George Orwell’s books.

The Thai military government has counted on its police force to monitor online speech in order to curb dissent. But beyond the police force itself, the ruling military government has empowered networks of citizens whom it encourages to denounce those who post online content considered contrary to government policies.

With increased tension between supporters and opponents of the military government, some individuals have also created citizen-led initiatives to spy and inform on other citizens, thereby fostering a network of social surveillance. What does it mean to live in a country where the thoughts you share online, your comments on your friends’ social media statuses, the ‘likes’ you click on as you browse social media sites, can lead you to be imprisoned or worse? This report addresses this issue by shedding light on the use of social media for intelligence purposes and social surveillance in Thailand and the damaging effects such initiatives have had for Thai citizens’ right to privacy.

 

Background 

Political discourse in Thailand has been broadly divided since 2005 into two camps: the red-shirts, supporters of Thaksin Shinawatra and his populist Thai Rak Thai party, and the yellow-shirts, who opposed Thaksin. [Political history of Thailand is not the focus of this report. A more detailed analysis can be found in Contemporary Socio-Cultural and Political Perspectives in Thailand by Pranee Liamputtong.] Thaksin, elected in 2001, was the first leader to see an elected government through a full term in office and was particularly popular among the poorer, rural populations living outside of the capital, Bangkok.

But Thaksin’s regime was stained by accusations of corruption and of human rights abuses that fuelled his opponents’ discontent. The yellow-shirt supporters' Alliance for Democracy party gained supporters in a broad range of sectors, drawing largely from Bangkok’s middle class, including sections of the media, teachers’ unions, religious groups and non-governmental organisations (Liamputtong, 2014).

 

[Image: Thaksin Shinawatra, former Prime Minister of Thailand]

Thaksin was deposed in a military coup in 2006. A self-proclaimed ‘Thaksin supporters’ party won the elections held the following year but the yellow-shirts launched another wave of protests until the newly elected prime minister was forced out of office. The military government once again took power and organised another round of elections in 2011. Once again, the Thaksin camp emerged victorious and Yingluck Shinawatra, Thaksin’s sister, was elected.

The yellow-shirts were back in the streets in November 2013 to protest against corruption and to demand the end of the Thaksin presidency. In May 2014, the Royal Thai Armed Forces seized power, imposed martial law, and announced that the government would not be organising elections for an indefinite period of time. Led by General Prayut Chan-o-cha, the head of the National Council for Peace and Order (NCPO), the post-coup regime committed serious human rights abuses, according to human rights organisations and the United Nations Universal Periodic Review for Thailand. Among those abuses, the interim constitution accords unlimited executive, judicial and legal powers to the head of the NCPO. The constitution also contains troubling positions that conflict with the right to a fair trial – civilians can be arbitrarily tried in military court and are denied the right to appeal. [On 12 September 2016, the NCPO announced they would stop trying civilians in military courts.] These developments and further restrictions on freedom of expression and freedom of assembly have been condemned by the UN. Amnesty International also documented cases of torture against four men detained in relation to a hand grenade attack in March 2015.

Freedom of expression – particularly online speech – has also been greatly reduced under the NCPO government, with an increasing number of arrests for 'lèse-majesté', speaking ill of the monarchy.

The Computer Crime Act (CCA) has been an important legal instrument used to justify increasingly repressive government orders against freedom of expression. Under Section 14 of the Computer Crimes Act it is a crime to import, disseminate or forward false ‘computer data’, if it is done in a manner likely to cause damage to a third party or to the public, to damage the country’s security or to cause panic among the public.

Due to the vague and broad wording of this provision, the Act has been used to prosecute cases of statements resembling lèse-majesté, to prosecute almost any comment about the Royal Family perceived as negative, and overall to repress freedom of expression online in Thailand.

According to the UN, after the 2014 coup, arbitrary application of Article 112 of the Criminal Code (or the lèse-majesté law) and the Computer Crimes Act has been ramped up, as cases are tried in camera before military courts, which involves a lack of access by defense lawyers to ‘incriminating evidence’ and harsh prison terms. Since the May 2014 military coup, at least 40 individuals have either been convicted or remain in pre-trial detention for lèse-majesté offences, both under Article 112 of the Criminal Code and under the 2007 Computer Crimes Act.”

By condemning as lèse-majesté a wide range of dissenting opinion, the Thai government has been instigating a climate of fear that has affected the right to privacy of citizens. Individuals have been arrested for expressing their opinions on social media, a personal space many expect to be safe from government interference.

Privacy International defines social media as a unique space that cannot be simply assumed to be a public space. It is a space where people should feel safe to express themselves as long as they respect the rules set out by the companies that own the social media they use. Therefore, when the police track content posted on social media, or encourage citizens to denounce their friends, the personal sphere of the individual is violated and their privacy invaded.

The post-coup arrests of social media dissenters often relate to content that they posted before the coup, sometimes by several years. In Tanet’s case [Tanet’s last name is not disclosed for privacy reasons], for instance, a police investigation in 2010 had revealed that he had sent emails to a British citizen who ran a blog called ‘Stop the Lèse-majesté’. The police had hacked into the email account of the British citizen to identify the Thai citizens with whom he had been communicating. However, the police did not prosecute Tanet until four years later, in July 2014, two months after the coup. According to a source familiar with lèse-majesté cases, the NCPO had asked the police for a list of names of people who had criticised the royal family but had not been arrested.   

Since the coup, the sentences for posting content that the government considers to be illegal are also increasingly lengthy: Pongsak Sriboonpeng was condemned to 60 years in jail for posting six photos with comments considered to be in violation of lèse-majesté laws. He pleaded guilty. Though his sentence was halved to 30 years, it remains the longest sentence for a lèse-majesté case in Thailand to date.

Three days after the coup, the government announced that cases pertaining to national security – which in Thailand includes lèse-majesté crimes – would take place in military courts, instead of civilian courts. Judges can decide to hold military court trials in camera – behind closed doors – and defendants would no longer have a right of appeal.

While martial law was lifted in most parts of the country in April 2015, lèse-majesté cases are still heard in military courts.

The NCPO is seeking ever-broadening powers. In March 2015 it issued Order No.13/2559 (2016); articles 3 and 4 of the order give NCPO officers the power to search premises, people, and vehicles; summon and arrest people; confiscate property; and request information without a warrant if they suspect illegal activities.

The government has various ways of identifying the authors of what it deems to be illegal content on social media; in some cases, the government has arrested opponents in the streets during protests and forced them to hand over their social media passwords. The Thai police has also reportedly created a fake application to phish the data of users trying to log on to Facebook.

According to online newspaper Prachatai, in May 2014, Police Major General Pisit Paoin, the head of a government-appointed working group responsible for censoring the internet, revealed his plan to spy on social media and chat apps. “We’ll send you a friend request. If you accept the friend request, we’ll see if anyone disseminates information which violates the NCPO orders. Be careful, we’ll soon be your friend,” he said.

In this report we will explore the processes of identification the Thai government has been developing to prosecute online speech and how these processes have been detrimental to the right to privacy. In particular, we will look at cases of social surveillance and explore how the current climate has led citizens to initiate their own informant groups.

Prayut Chan-o-cha, Prime Minister of Thailand

 

The right to privacy and online speech

The repression of freedom of expression online in turn raises many questions about privacy. In Thailand the process of identifying individuals who post what is deemed illegal content online has led to citizens’ personal online space being invaded, and they risk having their private thoughts and opinions denounced to authorities.

Social media sites are not entirely public spaces. In some countries, citizens have some rights to privacy in the public space but those rights cannot be easily transferred to social media. In a public, physical space, a police officer in many jurisdictions could only follow one person at a time and for a limited amount of time; the person could also potentially realise they are being followed. On social media, a police officer could access potentially thousands of accounts at the same time using social media monitoring technologies that scrape data from user content and profiles, and perform automatic analysis on them.

Unlike most websites, social media services are spaces that require the user to create an account and log in to access the full range of social media services, for example, sharing articles or exchanging messages with other users. To access some specific pieces of content, depending on the privacy settings of the user who posted the content, the services may require users to log in and be authorised by the poster of that content to view it. Each social media service is governed by terms of use, set out by the private company that provides the service, as to what can and cannot be accessed when you are logged in or not logged in.

Regardless of privacy settings, most social media users are communicating with a network, albeit sometimes a very large one, rather than it being a fully ‘public broadcast’, where they assume that anyone and everyone can access it. As such, people who are under no suspicion of any crime should have a reasonable expectation that their social media activity is not routinely watched and controlled by state actors.

To that extent, even if the content is publicly available, social media is a partially private space that should require a form of legal authorisation – that specifies the nature of the mission for which access to social media will be needed and the duration of the authorisation – for the police to investigate. When the Thai police phish users’ data or rely on a network of informants, they are invading the privacy of social media users.

Article 35 of the previous Constitution of Thailand included the right to privacy as a human right [B.E. 2550 (2007) Constitution Article 35: “A person’s family rights, dignity, reputation or the right of privacy shall be protected. The assertion or circulation of a statement or picture in any manner whatsoever to the public, which violates or affects a person’s family rights, dignity, reputation or the right of privacy, shall not be made except for the case which is beneficial to the public”]. Following the May 2014 military coup, all but a few provisions of the 2007 Constitution were suspended. An interim Constitution was promulgated on 22 July 2014. The Interim Constitution does not explicitly uphold the right to privacy and the only provision on the protection and promotion of fundamental rights and freedoms reads: “subject to the provisions of this Constitution, all human dignity, rights, liberties and equality of the people protected by the constitutional convention under a democratic regime of government with the King as the Head of State, and by international obligations bound by Thailand, shall be protected and upheld by this Constitution.”

A new constitution was voted on 7th August 2016 that specifically upholds the right to privacy.

Yet the three cases below reflect the Thai police’s investigation tactics and the impact the subsequent arrests have on Thai citizens’ right to privacy.

 

Pongsak Sriboonpeng   

Pongsak Sriboonpeng is a 48-year-old former tour operator. In his interviews he claims he became sensitized to poverty and inequality in Thailand during his extensive travels throughout Europe. Under the pseudonym “Sam Parr” that he used on Facebook, Pongsak became increasingly involved in politics, writing blog posts on Thai political history and taking part in red-shirt political rallies. Upon his return to Thailand, Pongsak was required to take care of his elderly mother. Socially isolated, he would spend his free time online meeting new people who shared his views [Pongsak also claimed alcohol led him to post content he would not have otherwise posted]. In June 2014, one month after the coup, Pongsak featured on a list of 17 people summoned by the government. He failed to appear for questioning.

But the police caught up with Pongsak. One of his new online ‘friends’ invited him to visit him in his home town in December 2014. Pongsak had been speaking to him for four or five months and the person had even sent him a mobile phone as a gift. As Pongsak took the bus to visit his friend, the latter frequently messaged him to check on his location. When the bus arrived Pongsak was greeted by police officers and soldiers who boarded the bus to bring him to a military base where he was detained. His ‘friend’ turned out to be one of the officers who interrogated him. He reportedly asked Pongsak: “Don’t you remember me?”

Pongsak was tried for offences related to six Facebook posts. Four of them were posted in September 2013, before the coup. Two of them were from November 2014. The content of the posts could not be reported since the military trial took place in camera, as the content was deemed too offensive to be disclosed. The posts involved a picture of the King’s sculpture, a photo montage and a picture of a banner.

Yet Reuters reported that the postings included neither threats of violence toward the King or the royal family, nor appeals to abolish the monarchy. Pongsak was judged in a military court, and despite a plea for leniency for health reasons, he was sentenced to 60 years in jail – 10 years for each post. His sentence was eventually reduced to 30 years following his guilty plea.

 

Akaradej

‘Akaradej’ [His name is not disclosed for privacy reasons] was a student at Mahanakorn University of Technology. On Facebook he used the pseudonym “Uncle Dom also loves the King.” In March 2014, one of his Facebook friends, who disagreed with his political views, denounced him to the police for a comment Akaradej had made on a status he had posted. In June 2014, a month after the coup, ten police officers arrested him at his university dormitory and confiscated his electronic devices. Akaradej was denied bail and spent five months in detention before being tried in November 2014. A criminal court condemned him to five years in jail, which was reduced to two and a half years.

 

Sasivimol

In September 2014, nine members of an ultra-royalist group in Chiang Mai province led by Krit Yiammethakorn filed a complaint to the local police against a Facebook user named Rungnapha Khamwichai, who they claimed had posted seven messages deemed to be lèse-majesté. The group had been informed that the user was based in Chiang Mai. The police identified the person behind the account Rungnapha Khamwichai as Sasivimol (also spelled Sasiwimol), a 29-year-old bartender who worked in a hotel in Chiang Mai and the single mother of two girls.

Sasivimol claimed she had never engaged in any political activity. When plainclothes officers came to her house in September 2014 and confiscated her computer and mobile phone for inspection she told them she was not the author of the messages that they found. According to iLaw, a Thai non-profit organisation fighting for legislative change, she was then told it was not a serious case and that she would be let go if she confessed. Sasivimol claims she was not aware of Article 112 – the law banning lèse-majesté – and did not have access to a lawyer. She decided to do as she was told and confessed to having authored the lèse-majesté posts.

In February 2015, she was told she had been charged with violating Article 112 and taken to military court. She was detained until her trial in August 2015. Sasivimol was sentenced to 56 years in jail – eight years for each of the seven messages – but her sentence was reduced to 28 years because of her confession. The court ignored her retraction of the confession.

 

Social Surveillance

Sasivimol’s case is reflective of a form of identification that particularly threatens the right to privacy in Thailand: social surveillance.

The Thai government has deployed substantial resources in order to surveil the population over social media. The Technology Crime Suppression Division (TCSD) – the police unit that specialises in cyber-crime – has deployed a 30-person team that “operates around the clock, scanning online postings and following up complaints from the public on cybercrimes, including royal defamation.” The military also has a force of 60 to 70 officers participating in ‘Information Warfare’ and ‘Information Operations’ to monitor online content and investigate, arrest and charge authors of content deemed to be lèse-majesté offences.

Apart from the police and the military, the Thai government relies largely on the goodwill of Thai citizens to identify what it considers to be offensive speech. The social veneration of the royal family combined with a political context that fosters denunciation has led to the creation of ultra-monarchist groups – like the one in Chiang Mai – that focus on denouncing and harassing people they accuse of lèse-majesté offences. The polarisation of the Thai political scene heightens the tension: according to legal sources we have spoken to, some yellow-shirt supporters are inclined to join groups to accuse red-shirt members of lèse-majesté. 

Shortly after the coup, Deputy Police Commissioner General Somyot Poompanmoung created a bounty programme to encourage Thai internet users to denounce dissidents. Thai citizens are encouraged to send pictures of anyone who may be “displaying opposition to the military coup.” For each picture sent, the denunciator receives 500 Baht (approximately US $14). As mentioned earlier, signs of dissent that have elicited Thai authorities' interest have reportedly included reading George Orwell’s books and eating sandwiches outside.

Below are examples of citizen groups whose purpose is to report what is deemed as illegal online content.

Cyber Scouts website

 

Cyber Scouts

The Cyber Scouts is an initiative that was ‘reactivated’ in August 2014 by the Ministry of Information and Communications Technology (ICT) as part of a collaboration with 200 schools. The original initiative had been created in 2010 as a collaboration between the Ministry of Justice and the Ministry of ICT, though the project collapsed after a few months following the change of government. The goal of Cyber Scouts has been to create a youth movement to police the internet, in search of “distorted information” and lèse-majesté content.

Using social media, teenagers recruited by Cyber Scouts are expected to monitor the internet and denounce anything illegal according to Thai law. They get ‘points’ for doing so and outstanding ‘cyber scouts’ see their profiles featured on the Cyber Scouts website. The Ministry of ICT expects Cyber Scouts to become ‘ambassadors’ of ‘good’ internet practices, as they can “demonstrate [to] their close friends, parents or acquaintances [how] to use internet appropriately [sic].”

In 2011, before the project collapsed, one Cyber Scout told Agence France Presse (AFP) about his one-day training: “I learned about the history of the King, his Majesty, and how divine he is ... and also how to use a computer, the internet and Facebook. Not many people know about the project. They may think they're talking to a friend because I don't tell them I'm a cyber scout. I feel I am doing an important job.”

The Cyber Scouts are of particular concern because, unlike citizen-led initiatives, the government is the organiser, thereby officially endorsing the project. The initiative is emblematic of the government’s attempts to foster a climate of fear in which Thai citizens feel threatened for expressions of political dissent and are led to believe there is no safe space.

 

Citizen-led initiatives

The current climate of severe repression of dissident speech and government-encouraged denunciations, political polarisation and glorification of the royal family in Thailand has led individuals to create their own platforms to denounce others.

The Rubbish Collection Organisation (RCO) is an ultra-royalist group founded in April 2014, one month before the coup, by doctor and hospital director Reintong Nannah [also spelled Rienthong Nanna]. Nannah stated in an interview that his goal was to “bring all lèse-majesté offenders to justice”.

According to the Bangkok Post, which was present during the group’s first meeting, RCO members are mostly retired soldiers. It is unclear how many people support the RCO. Nannah had claimed to the Bangkok Post that the group already had 2,000 ‘teams’ but its first meeting – where the interview took place – was only joined by 25 people. As of May 2016, over 224,000 users had ‘liked’ their Facebook page.

The RCO’s first target was Chatwadee Rose Amornphat, a Thai-British dual citizen. Chatwadee works as a hairdresser in London and is also one of the most outspoken opponents of lèse-majesté laws, regularly posting videos lampooning the Royal Family.

In the UK, Chatwadee had been stalked and harassed by pro-monarchy groups. After the coup, the government requested Chatwadee’s extradition from the UK to Thailand; the UK has refused the request as lèse-majesté is not considered a crime under British law.

In May 2015, a woman who goes by the name Tananun Buranasiri on Facebook said she had been fired from her job after her employer was informed that she posted lèse-majesté content on Facebook. RCO had orchestrated a bullying campaign offline and online against Tananun. She was ‘doxed’: her personal information, including her workplace and details on her husband and children, was posted on RCO’s Facebook page. RCO has also filed a legal complaint against Tananun. RCO also announced in October 2015 they would file criminal charges against Facebook and YouTube for hosting lèse-majesté material.

Social Sanction (which is known by the term ‘the SS’) is an ultra-royalist group that has been active since 2010. The SS’ Facebook page description claims their goal is “to increase public awareness of corruption and create pressure to combat it, and to stop the crime of lèse-majesté.” [As of May 2016, the SS have 2,131 “likes” on their Facebook page.]

The SS became well-known with the arrest of Norawase Yotpiyasathien, a business administration student from Kasetsart University, for his blog posts deemed to contain content insulting the royal family. He was, at 23 years old, the youngest person arrested for lèse-majesté, which caused concern among students.

The SS exposed Norawase and published his name, photos, personal address and phone numbers online. When he was arrested the SS wrote "another one is down." Norawase was arrested before the coup, a time when lèse-majesté sentences were significantly more lenient, and he was therefore released on bail after a few days under arrest.

Norawase was not the SS’ first student target. In 2010, they harassed Natthakarn Sakuldarachart, a politically-active high school student, and threatened to harm her if she showed up at the admission examination at Kasetsart University, the university to which she had applied. She eventually did not attend the examination out of fear and failed to qualify to enter Kasetsart University.

Social surveillance is not solely organised by groups. Some individuals take it upon themselves to independently denounce others. “Some people try to become famous on Facebook with mass denunciations,” said one legal source familiar with lèse-majesté cases. [Another source familiar with lèse-majesté cases referred to the case of a man in the North East province who regularly reports evidence of lèse-majesté to the police. People charged with lèse-majesté have to go to court where the complaint has been filed.]

A Facebook user has for instance denounced Chaida Bunyothin and Parichat Klinsrisuk, who posted messages on the Facebook profile of a red-shirt radio host.

 

Concluding remarks

The government has been stoking existing tensions within the Thai population and has created a climate in which citizens no longer have a safe space for formulating their thoughts and expressing themselves in an environment that should be considered at least partially private. With the increased focus on arresting dissidents and individuals accused of lèse-majesté, the government has fomented a climate where citizens feel justified in policing each other. With a new constitution that protects the right to privacy, social network users should not be made to self-censor expressions of political dissent. So long as the rules set out by social network companies are respected, users should fear neither their government nor civilian ‘militia’ informing on them.

Privacy International has observed social surveillance practices in several countries, including Morocco and China, through the Sesame social network. This practice effectively offers governments free policing and surveillance capabilities over their citizens and reinforces oppressive political dynamics.

Privacy International demands that the Thai government put an end to social surveillance by:

  • Dismantling the Cyber Scouts initiative, which has no place in a democratic society. The Thai government therefore must not expect citizens to police one another in private spaces.
  • Discouraging civilian-led initiatives of informing on those critical of the current regime or posting lèse-majesté content.
  • Condemning ‘doxing’, the practice of releasing personal information about a particular individual over social media.

 

 

Feature Reference: 
Building a Global Privacy Movement

Diagrams in Threat Modeling

via Emergent Chaos by adam on Fri, 09 Sep 2016 15:24:55 GMT

When I think about how to threat model well, one of the elements that is most important is how much people need to keep in their heads, the cognitive load if you will. In reading Charlie Stross’s blog post, “Writer, … Continue reading

Journal of Terrorism and Cyber Insurance

via Emergent Chaos by adam on Wed, 24 Aug 2016 23:58:03 GMT

At the RMS blog, we learn they are “Launching a New Journal for Terrorism and Cyber Insurance:” Natural hazard science is commonly studied at college, and to some level in the insurance industry’s further education and training courses. But this … Continue reading

What does the MS Secure Boot Issue teach us about key escrow?

via Emergent Chaos by adam on Wed, 10 Aug 2016 22:01:05 GMT

Nothing. No, seriously. Articles like “Microsoft Secure Boot key debacle causes security panic” and “Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea” draw on words in an advisory to say that this is all about golden … Continue reading
