Overview
This article provides an overview of the Computer Crime Act (CCA), a significant legislative development in Thailand in the sphere of internet and computer data security, which came into force one year ago, on the 18th of July 2007. Running computer systems is essential to today’s business operations and our way of life. The CCA aims to protect businesses, protect online privacy and enhance electronic commerce and national security.

The CCA provides definitions of the most relevant terms relating to computer technology and computer equipment, such as Computer System, Computer (Traffic) Data, Service Provider and Service User. The definitions under the CCA are drafted widely and the effect is that such definitions could cover any potentially unlawful activity or act related to the use and transmission of computer-related data or services.

Prohibited Acts
The CCA then defines specific acts relating to computer systems and data or internet use which are prohibited.

The first set of acts prohibited under the CCA (sections 5 to 13) relates to illegal access and use of computer systems and computer data. In this regard the following acts are prohibited:

• illegally accessing a computer system and its data;
• disclosing to third parties knowledge and measures to circumvent access protection of a computer system and data;
• illegally intercepting electronic communications and data;
• illegally causing damage, changes or amendments of a third party’s computer data in whole or in part;
• illegally causing the work of a computer system to be suspended, delayed or disrupted; and
• illegally sending computer data or electronic mail disguising the source of such data in a manner that disturbs other persons’ operation of their computer systems.
  

Hacking, Spam and Viruses - Punishment
All of the above acts, which are best known to computer-users by the terms 'hacking, spam and virus attacks' are subject to a fine or imprisonment or both. In the event that the aforesaid acts cause damage or delay to a computer system or illegally send computer data in a manner disturbing the operation of another computer and cause damage to the public, to national security or public security or public services then the penalty under the CCA is quite severe. A person committing any such offence could face imprisonment of up to fifteen years.

A second set of acts regulated under the CCA (sections 13 to 15) deals with distribution of computer technology or data which might be used to infiltrate third party’s computer systems or which may affect public security. In this regard the following acts are prohibited:

1. any act which involves importing forged or false computer data into a computer system, which is likely to cause damage to a third party, the country’s security or cause a public panic;
   
2. and any act that involves the import of forged or false computer data to a computer system related to an offence against the Criminal Code or which involves import of any computer data of a pornographic nature that is publicly accessible. All of the aforesaid acts are subject to imprisonment of up to five years of a fine of up to 100,000 Thai Baht or both.
   

Injuring Reputation and Causing Embarassment
A specifically interesting and noteworthy provision in the CCA is section 16, which provides a very extensive protection of personal privacy rights. Under this provision it is punishable to import to a computer system that is publicly accessible, computer data where a third party’s picture appears either created, edited, added or adapted in a manner that is likely to impair the third party’s reputation or cause that party to be isolated or embarrassed. This is a very wide provision, which any computer-user living in Thailand might wish to bear in mind when participating in blog discussions or when publishing content relating to third parties on publicly accessible websites like ‘YouTube’. This applies regardless of the server’s location and a victim’s successors can act in the event of his decease.

Investigative Powers
The CCA provides the investigating official with authority to investigate by accessing computer data and computer systems. Some of the investigatory measures are subject to further requirements. For example a court approval has to be obtained either before or within 48 hours of any of the following actions being taken:

• copying computer data from a computer system;
• instructing a person to deliver computer data or computer storage equipment to the competent official;
• inspecting and accessing a computer system or data belonging to any person that is or may be evidence relating to an offence under the CCA;
• decoding any person’s computer data; or
• seizing a suspect computer system for the purpose of obtaining details of an offence under the CCA.

Whenever one of the aforesaid measures has been taken the competent investigator further has an obligation to inform any person affected by such a measure that a court approval has been sought.

The legal requirement of a judicial approval shows the intention of the legislative body drafting the CCA to implement checks and balances by involving the courts in investigation of measures, which interfere with privacy rights and which involve accessing non-public computer data and computer systems. The CCA further demands that any petition to a court to approve one of the aforesaid measures must identify reasonable grounds to believe that an offence has been or will be committed, and must state the characteristics of the alleged offence, a description of the equipment used and details of the offender. This stipulation intends to further protect against unfounded ‘fishing for evidence’ by an investigating official.

Storage – Hotels; Condominiums; Public internet access
Under the CCA any service provider is further obliged to store computer traffic data for at least ninety days. In exceptional circumstances defined in the CCA the data must be stored for up to a year.

Any organisation or business which has a website or provides access to the internet for their employees or customers is subject to this specific responsibility and must be in a position to provide internet-related records to authorised officials as they investigate computer related crimes. Also hotels, apartment complexes and condominiums that provide internet access to the public or their employees have the responsibility to ensure that proper records are kept. Any of the aforesaid businesses should therefore review their policies, procedures and technologies to ensure they comply with the CCA.

Conclusion
The CCA is a key step allowing officials powers and setting a framework to fight computer related crimes and enforce measures through the law. The adoption of the CCA touched on many controversies in Thailand but such issues are global, as is the world of computers.

Those who favour state intervention may welcome the legislation, believing it will have a positive impact on internet users, protect online privacy and ensure internet security. The application of the law relating to the internet is controversial. At the least, the CCA provides the legal framework for officials to deal with anti-social behaviour and behaviour detrimental to businesses and governments such as hacking, spam and virus attacks.

As our world continues to develop its technologies, the law must continue to keep up by introducing rules to set out the boundaries of use and prohibit unacceptable abuse.

This article was written by Ingo Müller (Senior Associate) based in the Phuket office of Belmont Limcharoen International Law Firm (www.belmontlimcharoen.com)