Computer Crime Act : should all companies install log systems ? !

Something rather disturbing caught my eyes yesterday…

Heightened awareness of online information security in Thailand has IT specialists cashing in on higher demand. Private companies and government agencies are racing to comply with the Computer Related Crime Act, to be enforced on Aug 23. It requires all state and private organisations to install log management systems to store and monitor computer data to prevent internet crime or face fines of up to 500,000 baht. (Bangkok Post)

Wait a minute ! The Computer Related Crime Act took effect… last july !

Here is a translation, and a summary from Nation, and an article from… myself.

It seems to be about “services providers” (like internet cafes) absolutly not all the companies….

So what’s going on ? Why the article from Bangkok Post talking about a regulation for august 23… ?

And to add to the confusion, I have to say that some people spoke to me, in a professional environment, of this “law” and about the necessity to take actions (which remain, of course, mysterious)… before august.

So coincidence ? Or, indeed, the thai authorities have cooked for us a totally insane plan ? I mean this law is already totally insane… but can you imagine… all companies rushing to install log systems… on all their networks ? !

Or is it just a scam from some IT companies ? In order to get business ?

9 Responses to “Computer Crime Act : should all companies install log systems ? !”


  1. 1 sakult 11 June 2008 at 5:04 am

    Q: The Computer Related Crime Act took effect… last july !
    A: Yes, the law was enacted in July 2007, and in effective 1 month later.. that means it actually took effective in August 2007.

    Q: So what’s going on ? Why the article from Bangkok Post talking about a regulation for august 23… ?
    A: Again, the law allowed “30 days up to 1 year grace period” for the each types of “Service provider”. So that the service providers have time to prepare and keep the neccessery logs. The 1-year (maximum) grace period comes to an end on this Aug 23, 2008.

    Q: It seems to be about “services providers” (like internet cafes) absolutly not all the companies….
    A: The law clarified “service providers” into 4 types: 1.Carrier (ie. CAT, AT&T), 2.Access providers, 3.Hosting service, and 4.Internet Cafe. If you are a company who serves computer network to your employees, you are in type2.

    Q: I mean this law is already totally insane… but can you imagine… all companies rushing to install log systems… on all their networks ? Or is it just a scam from some IT companies ? In order to get business ?
    A: This is not an insane. Says..if today one of your employee using your office PC to spread scams to the Internet… and yes.. someone reported to the police…If the police or the goverment office comes knock your company door, and asked for the access logs. if you cannot provide the logs, it is not only you who will be in trouble… since it is your CEO is responsible for the whole actions/consequences of the company…

    Hope this help..
    Sakul.Tunboonek@itpattana.com

  2. 2 thaicrisis 11 June 2008 at 5:22 am

    Thanks a lot for your lights Sakul. But you need to tell us what is your position (lawyer ?).

    I try since many days to have some infos on this issue, without any success.

    Fair enough on the 1 year grace period.

    I still see this law as totally insane.

    A company (car maker, bakery, hotel) is not an “access provider”. Nobody talked about this law 1 year ago, with the companies angle.
    The discussion (hot) was for individuals (the police can come and take your PC) and internet cafes and ISP (access providers).

    With or even without the company angle, this law is nothing less than an aberration (on all levels : privacy, freedom of speech, and usability, again it’s impossible to install a log system in every company that share one Internet access [ADSL] with more than 2 computers !])

    It’s just common sense.

    And the fact that IT businesses start to talk about this company angle, since end of may, shows that something is wrong.

    How come nobody was aware of this issue since last july ?

  3. 3 thaicrisis 11 June 2008 at 5:47 am

    In the law we can read : “The types of service provider to whom the provisions under paragraph one shall apply and the timing of this application shall be established by a Minister and published in the Government Gazette.”

    Do you have this document ? When it was published ?

  4. 4 sakult 13 June 2008 at 7:45 am

    Hi Thaicrisis,

    First of all, I am not a lawyer. I am a IT professional. I own an IT Outsource company. Let’s me share more my understanding regarding your concerns.

    Q: “Government Gazette.” Do you have this document ? When it was published ?
    A: Sorry I have it only in Thai. I cannot find English version so far. I will keep trying.

    Q: A company (car maker, bakery, hotel) is not an “access provider”.
    A: A company who give access to its employees (ie car maker), or to others (ie. hotel/Internet cafe gives Internet access)are “Access Provider” for sure.
    For Small Bakery shop, or home network who might have only a ADSL Access Point to share the Internet access, they are not the “Access Provider”… My take is this…
    – For a business company, the company will want to be able to keep logs. So if an employee commits the crime, you can identify the individual. In this case, you are resposible for section 4 (keep logs)
    – For Home or small Bakery, you are not company. You do not want to identify that your kids commit the crime. In this case, you are responsible for your Home/Bakery shop. If the police comes to you, you are already charged with other sections (section 5 to 16) arelady.

    Q: The discussion (hot) was for individuals (the police can come and take your PC) and internet cafes and ISP (access providers).
    A: It is that easy for the police to come take your belonging. This law is a criminal law, and was created based on personal liberty. There must be someone allege you with the police officer. The police has to prove to the court to get the search warrant. Also, the law has only approved a group of special agency who can take you PC in to the custody.

    Q: With or even without the company angle, this law is nothing less than an aberration (on all levels : privacy, freedom of speech, and usability, again it’s impossible to install a log system in every company that share one Internet access [ADSL] with more than 2 computers !])
    It’s just common sense.
    A: Well….ok.. I understand Thailand is not the only country who has this law. I do not know what country you are from. But can you compare these angles with the same Computer Act law in you country?

  5. 5 thaicrisis 13 June 2008 at 7:50 am

    Thank you to send me the document (cthai2 (at) yahoo.com) , so I can have a translation and put it here, on the blog.

    This way, It will end the controversy.

  6. 6 JT 26 June 2008 at 4:07 am

    Please cite your reference sources so we can build up the factual information, and base our judgments on that.

  7. 7 Tim Bass 10 August 2008 at 5:41 pm

    Please refer to this blog post on the (ISC)2 web site for effective dates of the CCA, based on the current situation:

    Cybersecurity Law in Thailand Criminalizes Noncompliance with Archiving Requirements

    http://blog.isc2.org/isc2_blog/2008/08/cybersecurity-l.html

    Yours sincerely, Tim

  8. 8 ThaiCrisis 11 August 2008 at 3:54 am

    -> Tim. Thanks for the link.

    We now have the schedule, but the official definition of “service provider” is still missing !

    I talked to other people involved in IT, they told me that the whole story was just empty.

    People are confused with the definitions.


  1. 1 Draconian new internet data law - Page 5 - Ajarn Forum - Living and Teaching In Thailand Trackback on 20 August 2008 at 3:44 am

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




Thailand Crisis

Coup, Economic slowdown, Terror In the South... The situation is worsening in Thailand. Bumpy road like often before.

But this time, it's different.

The key to understand the present turmoil is the inevitable... succession of King Bhumibol.


%d bloggers like this: