What do the GT200 magic wand and the Internet Sniffer project have in common? Both are an assault on privacy and allow the state to pick on anyone at will.
The fact that the GT200 magic wand divining rod failed the test was not a surprise. That certain factions of society want to continue to use the GT200 is not about money, technology or even about finding bombs, but everything about finding an excuse to arrest someone on a whim.
They can use the readings from the GT200 as proof to justify a search and seizure of assets, as has already happened in the deep South. Anyone the authorities suspect - or simply do not like - can have this so-called proof thrown at them so they can be persecuted. So-called evidence from the Alpha-6, another magic wand, has often been used against Southern villagers to justify smashing their doors down or seizing their vehicles to be cut up in search of bombs.
But back to the Sniffer project. First, the law. Way back in 2002, the ICT Ministry had just been set up. At the time, Nectec, under the Ministry of Science, had finished drafting two laws. One was the Computer Misuse Act (better known as the cybercrime law) and a corresponding data privacy law.
One was to empower the state to crack down on the cyber world. The other was to protect the citizens of the cyber world from attacks. One wonders why only one half has been passed and the other long forgotten.
To be effective, the scale of a Sniffer has to be enormous. Forget communist China for a while and focus on the UK. In 2008, a report surfaced that the government was planning a 12 billion (642 billion Baht) Government Interception Modernisation Programme (gIMP) for a super-database to do just what the Thai government is planning. In other words, before the usual government overrun, the money needed is already more than one third of the entire Thai national budget.
On the one hand, it means that whatever the ICU Ministry (it has been headed by a succession of doctors and nurses, after all) plans to do will fail to provide security because of a lack of funding. On the other, it could be just about right in keeping tabs on certain individuals - such as journalists and human rights activists - just as the GT200 can be used to take someone in for questioning on the whim of some official.
Any Sniffing system that is effective in protecting the people will be too expensive to maintain and even if the money were there, the disruption to business would be immense.
All businesses regularly use VPN (Virtual Private Networking) to create a secure, encrypted pipe to their corporate intranet. Because multiple users and sessions are put into one encrypted pipe, it nicely renders Sniffing impossible. The only way to make Sniffing work would be to outlaw VPN, effectively outlawing any foreign business that needs security.
Or do we ban VPN only for Thais and not for foreign investors? Thailand tried that with the 30 percent withholding law on money transfers, and in the end it had to be watered down to be ineffective in order to not stop the economy from melting down entirely.
Rather what would happen is that people continue to do business as usual, enemies of the state would then be Sniffed and day-to-day things such as SSL encryption or VPN would then suddenly be cause for them to be hauled in for questioning. Under the Computer Misuse Act, not cooperating with ICT Ministry-certified officials, the so-called Cybercops, can itself be an offence. In other words, the Sniffer is a GT200 for the cyber-world - it can be turned on anyone to find an excuse to pull them in for questioning and intimidation.
There is anonymity and there is privacy, and there different schools of thought for the level of the two afforded to the citizen. Most jurisdictions agree that privacy is legal. Even in lawless Thailand, police cannot stop and search without due cause unless a state of emergency is declared (not that it stops the police from doing so anyway).
Anonymity is a right in most countries but not in Thailand. In the UK, it is not a crime to go around without an ID card. Well, at least for now.
Privacy is easy. Pretty Good Privacy (PGP), and its open source equivalent, the Gnu Privacy Guard (GPG) is a system of public-key encryption that can be used on anything from emails to short messages to encryption over VoIP. With PGP, it is possible to exchange keys in public in such a way that the public key can only encrypt but not decrypt messages. To do that, a corresponding private key is needed. In this context, two people could exchange keys in full view of the ICT Ministry yet keep their messages totally private from Big Brother.
What they cannot do is stop the Thought Police from knowing that they are sending each other email. In other words, PGP may help with privacy, but it does not provide anonymity. For the paranoid there are more tools in the arsenal against our Orwellian rulers.
SSL (secure socket layer) encrypts the session between the browser and the server. Gmail has enabled SSL by default since the hacking attempt on Chinese human rights activists. A secure pipe is only as secure as the server on the other end, and if the server is in Thailand then it is pretty pointless in this context but Google's Do No Evil mantra should be enough to provide some assurance.
The Onion Router (Tor) routes packets through a layer of nodes in a way that each node does not know how many hoops it has been through yet before one node puts that packet to the open Internet. By not knowing who it came from and who sent it before the last node, tracing, say, a web posting to its source would be all but impossible.
Certificates could also be used, but the problem is that of organisation. With ToT and CAT Telecom both vying to be national certificate authorities, the irony is that both are under the MICT, so protection from Sniffing in that sense would be very dubious, as both Sniffer and protector report to the same boss.
All these tools can be used by paedophiles and drug traffickers as well as human rights activists and other enemies of the state as well as journalists, businessmen and investors alike.The danger is that the ICT Ministry could ban these tools as dangerous. But a knife is dangerous, yet banning knives everywhere would probably lead to starvation.
The silver lining is that in creating awareness of this problem, it has shattered the blissful ignorance that Thailand has been operating under. It is not the MICT that should be feared, but the cyber criminals who take advantage of our lack of protection and steal our data. According to Symantec, cybercrime has surpassed drug trafficking in the United States last year in dollar terms.
The idea of sending messages to and fro unencrypted is akin to living in a fool's paradise, making us easy targets for the dark side. Encryption of communication should be encouraged, not as a measure against the government's Sniffer, but to protect ourselves against the real world.
