National sovereignty concerns in cyberspace
Recently, I was called upon to write a short memo for a policy-letter collection to the would-be 45th president of the United States; the piece would be framed as a policy suggestion in response to shifts in the strategic outlook and value of Asia's rising generation. Clouded in the harsh political rhetoric of personal characterisation and domestic focus during year-long presidential campaigning, one issue with immense global impact in the age of connectivity has yet to receive sufficient spotlight: cyber-security.
Ongoing debates seem to point towards more prying eyes of the government on the people -- American and global citizens alike -- in the name of national security. This ought to raise alarm over individual privacy as well as national sovereignty in cyberspace.
Such issues become more of a threat given the growing presence of American tech giants abroad and the huge amount of data which they have amassed. Regulations regarding data security are in place, but hardly sufficient as evidenced in the frequent breaches even at the highest-levels of the US government and business organisations. The trend has been rapidly prevalent beyond US borders. Notwithstanding privacy concerns repeatedly echoed by many Americans, the voices of other countries, especially smaller ones, on this issue have hardly been heard.
Sutapa Amornvivat, Ph.D. is Chief Economist and First Executive Vice President at Siam Commercial Bank. She has international work experience at IMF, ING Group and Booz, Allen, Hamilton. She received a BA from Harvard and a PhD from MIT. Email firstname.lastname@example.org. EIC Online.
More worrisome is that our private information is increasingly falling into the hands of a few corporates. Today, consumers voluntarily give up private information on mobile apps, social media platforms, cloud storage and computing on mobile devices in exchange for "free" services. Tech companies operating worldwide are keen on collecting this data, which allows them to analyse consumer behaviour and apply insights into various aspects ranging from marketing to fraud detection. The data collection is expeditiously more concentrated as larger companies swallow smaller ones -- Google acquiring YouTube in 2006, and Facebook acquiring Instagram in 2012, and WhatsApp in 2014.
An enormous amount of data concentrated in one place could pose greater risks for users, as leaks and hacks become common. In September, Yahoo officially admitted to a massive data breach of at least 500 million user accounts in 2014. In another case, a Security News website, CSO, reported that Hzone, a dating app for HIV-positive singles, leaked data of 5,000 users in 2015. Despite the small number of people who were affected, the app contained highly personal information that could potentially cause pain to the individuals involved.
What's worse is that data can be forced out of private companies' hands by governments too. This could possibly threaten the sovereignty of other countries. As the US presidential candidates put forth in their campaigns, the fight against terrorists means more intelligence gathering. In February 2016, the FBI asked Apple to help mine data from iPhones and build a backdoor to unlock an iPhone used by the shooter in the terrorist attacks in San Bernardino. Although the case was eventually withdrawn from the court, it sparked concern about future requests. What if the US government finds a "legitimate" reason to look into an iPhone of key political figures in other countries?
More vulnerable are developing countries with weaker institutions and less capabilities in advanced cybersecurity. In Europe, the European Commission recently launched the EU-US Privacy Shield Agreement that provides a legal basis to force companies who transfer data across borders to uphold citizens' right to privacy and data protection. China chose the extreme measure of shutting these foreign companies out altogether. Smaller nations, like Thailand and other Asean members, however do not enjoy such privileges. In these developing economies, a data monopoly by a few foreign firms is even more pressing. Astounding growth of the internet as well as social media users -- there are more than 41 million Facebook users in Thailand and 241 in Southeast Asia according to International Data Corporation -- means that cyber security in these countries should be treated with urgency.
This is where the US government could step in to help mitigate potential risks and demonstrate leadership. Doing so can improve diplomatic ties and goodwill between the US and this region, as the balance of power has tipped towards China for years. With greater fear of cyber-attacks, the US could help maintain regional cyber-stability by coordinating worldwide regulations on borderless data and cyber-espionage. The US presence and support can also lend a hand to developing countries to be able to protect themselves from incoming cyber threats.
The Thai government should also do more to strengthen legal institutions regarding rights to data. This will ensure citizens' right to privacy and data protection especially when dealing with foreign data monopolists. The same framework will also help prepare for a transition to Thailand 4.0. More will be at stake with many digitalisation plans under way such as the upcoming PromptPay.
Furthermore, there will be entries of new players beyond US corporates as well. This month, Jack Ma, Alibaba's executive chairman, visited Thailand to discuss a collaborative project with the Thai government. The kind of risks we could face can be even more threatening over time as more data get linked together. Yet, concerns on security and privacy have not been adequately addressed.
Not only is this issue less straightforward than addressing traditional security, it also requires the government to strike the right balance between fostering innovation and protecting data privacy. I personally believe that premature regulations of the tech industry could cripple innovation and creativity. But cyber-security is important too. It is likely that the Thai authorities already have this in mind. Perhaps, what they need to do is to communicate their game plan louder and clearer to raise public awareness of this potential danger.
With the unstoppable force of connectivity, regulations alone will not be enough. Private companies such as banks and telecom firms will have to do much more to improve their security systems. But the process for greater protection can be slow without strong demand from customers. More importantly, we should also ask ourselves whether, as individuals, we have done our part to protect our privacy in this oversharing world.
CEO of SCB ABACUS
Sutapa Amornvivat, PhD, is CEO of SCB ABACUS, an advanced data analytics company under Siam Commercial Bank, where she previously headed the Economic Intelligence Center and the Risk Analytics Division. She received a BA from Harvard and a PhD from MIT. Email: SCBabacus@scb.co.th