Data security a foreign concept

You'd think that just about the worst thing that could happen in today's charged smartphone-internet intersection is the theft of many thousands of the most important identification documents and personal details of mobile phone owners. But you'd be wrong.

The revelation that 11,400 TrueMove H customers lost scanned copies of ID cards and/or passports and residency (tabien ban) papers was actually destined to happen.

The loss of privacy by those smartphone customers went much deeper. The True Move subsidiary of the international Chicken People (CP aka Charoen Pokphand) conglomerate also handed over their customers' even more precious privacy -- details of their fingerprints and eyes. You know, those handy personal ID traits that supposedly are far better than passwords for security.

Air Chief Marshal Thares Punsri, the junta-appointed chairman of the National Broadcasting and Telecommunications Commission, speaks at an NBTC event at the Chaeng Wattana Road headquarters. High-profile secretary-general Takorn Tantasith is third to the right of ACM Thares. (Reuters photo)

We are not going to dwell on the fact that, yes, we told you this several times before. This loss of personal data and private body details was the result of a huge security mess-up that still isn't fixed.

It is almost certain that True Move put the customer details in an extremely unsafe place, open to any internet user who happened to pass by. Informed of its security error ("there is no security at all," it was told), True Move did nothing to fix it. It also did not notify the 46,000 customers it failed, and continued to bill them without apology.

Only when a foreign security researcher gave up waiting for True Move to do the right thing and close off the public access did the mobile firm act. It denied its obvious and egregious error and risibly threatened to get legal advice about suing the Norway-based British security expert Niall Merrigan, who uncovered their acts.

Sadly, all of this, as said, was preordained starting in 2016. That's when the always interesting National Broadcasting and Telecommunications Commission (NBTC) issued orders to every mobile phone company to supply identity thieves with every detail of every mobile phone user in the country.

Of course, that's not what the series of orders said, only what they meant. They said that phone service suppliers must collect official documents plus detailed biometrics -- fingerprints and retina scans -- from every SIM owner.

Here's the fun part. The NBTC also pushed online services, especially banking services, because using fingerprints as logins and passwords would be convenient.

No lie. But as was pointed out several times on this page, there's a huge, inherent problem. In a nutshell: If you use a password and a crook gets it, you can change the password, but if you use a fingerprint and a crook gets it, you can't change the fingerprint.

Once you give the fingerprint to a commercial firm or a government agency such as the NBTC, it's no longer secure. And that's the tip of this dangerous iceberg.

There is no law in Thailand that requires the people who take your most personal, personal documents and your most personal biometric information to keep it all confidential. The Computer Security Act has nothing to do with computer security and everything to do with imprisoning or intimidating people who have riled Asia's only surviving military junta.

All of the big mobile phone companies have regulations and policies designed to make you confident that the data is safe. In truth, it's like the airport -- security theatre, not security.

Be careful before you finger True Move or AIS, which had a smaller but even worse data breach last year (a company executive stole customer identities). Your phone provider is doing all this at the direct order of the NBTC. You have no specific recourse if your mobile company leaks your personal information, but the NBTC definitely has the power to hurt those phone providers if they don't collect the data.

The NBTC, famous worldwide for a lethargic 3G auction, an inept 4G auction and a disastrous digital TV licence auction, did it again last week. The current, lame-duck board of directors was charged with picking 14 men and women with extremely specific qualifications to serve on a new board. The eligibility rules were listed in an extremely specific set of regulations in language -- this is true -- comprehensible to an average ninth-year high school student.

And they blew it worse than Hillary Clinton blew the US election.

Job security: Whether accidentally or on purpose, the mess-up of selecting a new National Broadcasting and Telecommunications Commission board means lame-duck chairman ACM Thares Punsri (left) and secretary-general Takorn Tantasith now get to keep their jobs indefinitely. (File photo by Apichit Jinakul)

Eight, let's repeat that, eight of the 14 names forwarded to the National Legislative Assembly are unqualified to serve. This is an administrative crisis where the already expired NBTC board may get special authority (thanks to Section 44) to continue acting.

Maybe the junta-appointed NLA should have tasked a Grade 9 class to handle it.

On the other hand, incompetence or conspiracy, there's a bright side for the general prime minister. He gets to keep his most reliable broadcast censors for the election campaign.

Alan Dawson

Online Reporter / Sub-Editor

A Canadian by birth. Former UPI bureau chief in Saigon. Drafted into the American Armed Forces. He has survived eleven wars and innumerable coups. A walking encyclopedia of knowledge.
