Flawed Step Forward: SIM Card Registration in the Deep South of #Thailand

What if you are told to give up your personal data otherwise you will not be able to use your phone to communicate? This is happening in the three southernmost provinces – Pattani, Yala, Narathiwas and four districts of Songkhla province at the moment. SIM card registration is mandatory in Thailand, but authorities clearly think that it is not enough for the area which has been under insurgency since 2004.

As part of the registration, people who live or visit the area have been told to have their face scanned for identification. This was ordered by military authority of the International Security Operations Command (ISOC-4), a military operation unit in the Deep South. The given reason is because SIM cards have been used to detonate bombs many times in the area. The most notable incident happened in 2018 when a bronze mermaid statue located on Samila Beach, a tourist landmark in Songkhla, was attacked. Self-made bombs are common in the Deep South, and they can be detonated by a clock, radio, walkie-talkie, and mobile phone.

From November 1st, those living in the area who have not registered their SIM Card will not be able to use their phones. National security is of course important. However, it should be done on a basis that considers more than just a security aspect. On April 9 and June 21, the National Broadcasting and Telecommunications Commission (NBTC) announced in the Royal Gazette that residents of the Deep South, as well as visitors from outside the region, were required to register their cellphones in person via local branches of their mobile phone providers. However, it did not state that a photograph must be provided. Therefore, a question is raised here on how this is considered as lawful for people to give up their personal information like this?

Informed Consent, Informed Consent, and Informed Consent

When our face goes together with a name, address, and ID number as part of the SIM card registration; that can be so valuable for hackers, identity theft, or even used to create profiling by a government agency. The face is considered as biometric data and considered to be personal. It is something that can be used to identify our identities. In this case, we have to be consent at giving this information about ourselves. This concept of consent is seemed to be misunderstood by the authorities.

The logic behind this is the order itself, which seems to be from the military. In this case, it does not seem to be exercised in a lawful way. It is also interpreted that the practice is not done based on free will. It is considered as forcing people to give up their personal data, otherwise they are not allowed to use their phone numbers to communicate. People are left with almost no option given that mobile phones are necessary these days as technology has an influential role in our daily lives. If people have to choose with registering with their face and losing the phone, the first one is surely win because of social and economic reasons. For example, doing a business would require a phone to communicate. Our lifestyle is also tied with social media and mobile applications. Many would choose not to miss a chance to communicate, do business, and keep up with what is going on via mobile internet.

The correct concept of consent is that people have a choice and allow something to happen with free will. If they have to let something happen because something bad would happen to them or that they will lose something as a consequence. This is not considered as an “informed consent”.

Secured Database: Wait, Has It Ever Been Secured?

In April 2018, data of around 46,000 TrueMove H users were leaked online. The data was leaked into Amazon Web Services’ (AWS) cloud storage, leading the National Broadcasting and Telecommunications Commission (NBTC) to call in the company for questioning. The leaked data included scanned images of users’ ID cards, passports and drivers’ licenses. The incident was discovered by a cybersecurity researcher, Niall Merrigan, who found that AWS Bucket, contained the information, was set for publicly accessible. He reported the company about the incident in early March, but TrueMove H was able to proceed with the incident only in April. It took around one month to close the storage from public.

The TrueMove H incident has given concerns over the SIM card registration in the Deep South regarding where the collected information will be stored, how secured of the storage, and how the information will be proceeded. It also raises a concern on who will take care of it. Since the order comes from ISOC-4, will the network service providers share this sensitive personal data with the military as well? Also, is it lawful for the military to have this sensitive information? How will they proceed securely? Most importantly, how the owner of the data can be sure that their information is safe?

Moreover, since the registration involves biometric data as people are ordered to have their faces scanned, it has raised more concerns over individuals’ safety regarding whether the authorities understand the risk of the order. In August 2019, biometric data of over one million people were leaked in the United Kingdom. The data contained facial recognition information, unencrypted usernames and passwords, and personal information of individuals. If the leaked information is about our emails and passwords, we can always change them. However, when it is biometric data like face and fingerprints, the effects can be more disastrous. Our fingerprints cannot be changed, and face cannot be changed that easily unless we are talking about plastic surgery. 

Cybersecurity in Thailand is largely undermined especially when it comes together with national security or public safety. Authorities usually put national security and public safety first without carefully assessing the aspect of cybersecurity which can have huge social and economic impacts. Many experts have addressed the weak cybersecurity in Thailand, and how it can lessen Thailand’s competitive advantage in terms of business opportunities. It also affects individuals’ right and safety greatly. Hackers can always steal information and put people as a victim of criminal activity. It is an element that needs urgent attention.

SIM Card Registration and Human Rights

SIM card registration is not new in Thailand. Using biometric data as part of the registration happened in 2017 when the NBTC launched a new registration method that require such data and ordered all the three mobile phone operators in Thailand which are Advanced Info Service, True Corp, and Total Access Communication, to adopt the new biometric registration system. The Deep South was the area the system was piloted, but it only applied to those who buy new SIM cards.

Having all mobile users to register with biometric data means that authorities are tightening security in the area. National security and public safety are important, but it should not be the only aspect that authorities are concerned because it can put the right to privacy and personal data of citizens at risk, especially in the environment where cybersecurity is overlooked, like Thailand.

In a democratic environment, state actors must not impose any order to suppress human rights of people. In this case, it does not appear to be lawful for military to use their power to order the registration when threat against human rights are clearly visible. People who are the owner of the data must be informed, not forced, to give their consent to a lawful order. They have to also be informed about how their data is collected, stored, processed, used, and transferred. On the other hand, authorities have to ensure cybersecurity of the database where the data is stored to prevent cybercrime. The incident clearly shows that the authorities fail to assess these parts which makes  the order as a threat to human rights and cybersecurity.

This article is published under Creative Commons license CC-BY-NC-ND 4.0.

Latest Updates

July 9, 2020
Open Letter to Request for Strong User Privacy Protections in the Philippines’ COVID-19 Contact Tracing Efforts
08 July, 2020 The Inter-Agency Task Force for the Management of Emerging Infectious Diseases (IATF-EID) Department of Health (DOH) Department of Information and Communications Technology (DICT) […]
April 2, 2020
TraceTogether: Not Easy to Verify the State’s Privacy Claims
Update as of May 7, 2020: Some of the content in this article is outdated. The ‘reference implementation’ of the BlueTrace protocol called OpenTrace has been […]
June 30, 2020
Open Letter to KOMINFO Requesting for Strong User Privacy Protections in the PeduliLindungi App
26 June 2020 H.E. Johnny G. Plate Minister of Communication and Information Technology Ministry of Communication and Information Technology (KOMINFO) Jl. Medan Merdeka Barat no. 9, […]