Thailand

April 10, 2020

The Ministry of Digital Economy and Society introduces Mor Chana, a contact tracing app that uses Bluetooth Low Energy (BLE), to the public.

May 16, 2020

Thai Chana is introduced as a website platform for QR code scanning to check-in and check-out of locations.

May 20, 2020

Mor Chana includes a function that directly scans QR codes from Thai Chana.

May 22, 2020

A data governance committee is set up to ensure the data privacy protection of Thai Chana.

May 28, 2020

Thai Chana is developed into an app.

June 4, 2020

Thai Chana’s developers and the data governance committee hold a meeting with each other for the first time.

July 18, 2020

Thai Chana starts to permanently erase the first set of its data.

September 14, 2020

The retention period of the Thai Chana app is extended from 60 days to 90 days.

September 14, 2020

The government announces a plan to develop a Mor Chana app to track those who enter the country from abroad.

Key Findings

  • The technical functions of both Mor Chana and Thai Chana do not support the protection of users’ privacy.

  • The released source code of Mor Chana is not found to have an open-source license.

  • Both apps have critical gaps with respect to their transparency.

  • The enforcement of Thailand’s Personal Data Protection Act (PDPA) was postponed until 2021, and the government agencies are excluded from the law.

  • Both Thai Chana and Mor Chana do not have privacy policies.

  • The data governance committee was set up to oversee how Thai Chana handles personal data; however, it is unclear how the committee would work in order to effectively ensure personal data protection.

A. The Development of Digital Contact Tracing in Thailand

In April 2020, Thailand introduced Mor Chana, a contact tracing application that uses Bluetooth Low Energy (BLE), to the public. The app is a collaboration between state organizations and private developers, and was rolled out to the public after a two-week period of development. It was developed by the Code for Public and Chuay Kan Group. Users of Mor Chana are asked to share their records only when they are contacted by the authorities as part of the contact tracing investigations. It has been reported that the data collected from the app would be analyzed using artificial intelligence (AI) systems to assist with the continuing epidemiological research conducted by Thailand’s Department of Disease Control (DDC).

While authorities claim they are concerned about the privacy of the app, the app uses the Global Positioning System (GPS) and Bluetooth technology to track the locations of users. When it was first rolled out, the app requested a mobile phone number along with a profile photo of the user. However, it stated that the picture would not be uploaded to the server. The user is required to answer a number of questions in order for the app to assess the user’s risk level. The risk level is assigned to users, which is divided into four levels: green (lowest risk), yellow (low risk), orange (risky), and red (high risk). Mor Chana stated that it will keep the data for 30 days before the data is deleted. It has also stated that the data will be deleted within 30 days after the pandemic ends.

Around a month after the release of Thai Chana, the government introduced a new approach for contact tracing. Thai Chana is a check-in and check-out system that uses a QR code. It was developed by the IT team of the state-owned Krung Thai Bank, and was adopted by the Center for COVID-19 Situation Administration (CCSA) as a national platform to fight against COVID-19. Business owners are required to register with Thai Chana before a QR code is generated for them, while users need to scan the QR code of the locations they are visiting before entry. This method of contact tracing gathers information on how many people are located in a certain place at any given time. The data collected from Thai Chana is reportedly to be kept by the app for 60 days.

Thai Chana was later developed into an app with additional functions. According to the app’s terms and conditions, users of the app permit the Ministry of Health and its related agencies to collect, use, and disclose the phone number of users. Compared to its first version, the revised app can now verify the identity of a user. Through the app, users can also check the information about the locations where they have registered with Thai Chana, including how many people are currently at the location, and the maximum capacity that the location is able to accommodate. After users check out of the location, they also have the option to evaluate the safety precautions they observe at the location, including whether the staff are wearing masks, alcohol gel is provided, social distance is practiced, as well as how often cleaning services are performed at the location.

On May 22, 2020, the government appointed a data governance committee to ensure the data privacy protection of Thai Chana. The committee is comprised of nine members with the responsibilities to provide consultation on data management to the organizations that use the Thai Chana, and to oversee and follow up on how Thai Chana handles its data. On June 4, 2020, it was reported that a team of Thai Chana developers held a meeting with the committee for the first time. During this meeting, the team provided information to the committee on how the app works, which the committee is to evaluate and provide its recommendations on how to protect personal data and privacy.

The two apps, Thai Chana and Mor Chana, are designed to complement each other. However, Mor Chana does not have a high adoption rate as it is not mandatory. In comparison, Thai Chana was able to gather the data of more than 2 million people within the first two days of its launch; this rate was due to the fact that people would not be allowed to enter many locations if they did not scan the QR code. One month after its launch, Thai Chana had more than 24 million users, 355,000 of whom are app users. Across the country, there have been more than 110 million check-ins; the number of check-outs was estimated to be 60% of the number of check-ins when the webpage platform was used, while the number was approximately 90% when the app was used.

Thai Chana started to permanently erase the first set of its data on July 18, 2020, which was 61 days after Thai Chana was launched. After 2 months, the users of Thai Chana rose to 37 million, while 274,887 businesses had registered with the platform. The number of downloads of the app was over 700,000 downloads. 96.3% of the check-ins were done through a website platform, and only 3.7% were done through the app.

As Thailand aims to allow visitors to enter the country again, concerns have been raised about the second wave of COVID-19 in the country, even though the number of infected cases has been relatively low compared to other countries. The Minister of Digital Economy and Society (DE) stated a plan to develop Mor Chana to monitor those who enter the country. According to the Minister, the retention period of personal data collected by Thai Chana has also been extended from 60 days to 90 days before the data is to be deleted. Since its launch, Thai Chana has had 44 million users and 280,000 businesses have registered with Thai Chana as of September 14, 2020.

B. Implications on Surveillance and the Right to Privacy

This section discusses the implications on surveillance and privacy from the adoption of the Mor Chana and Thai Chana apps. It elaborates on the technical functions that can put privacy at risk, the various gaps in privacy, and the lack of policy enforcement in Thailand to ensure the safety of personal data.

1. Technical functions do not support privacy

Although the app does not ask for users’ ID numbers or names, it is possible that the identity of users of Mor Chana may be disclosed. The app’s use of the Global Positioning System (GPS) raises concerns over privacy. An analysis of the released code of Mor Chana (which is available on GitHub) found that the app essentially tracks the locations of users at all times.

The ID used in the BLE is anonymous. Mor Chana registers the device during the launch of the app and retrieves the ID from the server during the time of registration. However, it is unclear whether the ID is fixed or changes from time to time, in a manner similar to Singapore’s TraceTogether app. Due to this function in Mor Chana, the ID can be changed during the app’s launch; however, this does not sufficiently protect the privacy of users, since other functions of the app are privacy invasive.

Another important issue of concern is that all contacts identified by each Bluetooth scan are immediately uploaded to the server and never stored on the phone. The location is also uploaded along with the contact information. When a user of Mor Chana scans a QR code from Thai Chana directly, the user’s location from the scan is also uploaded to Mor Chana. The app also includes push notifications, such that every time a push notification is received, the user’s location is again uploaded to the server. Apart from the BLE scans, QR code scans, and push notifications, Mor Chana sends the locations of its users every few minutes to the government’s server(s), depending on whether or not they have moved locations. As users move around, their location is continuously updated. However, their location is not updated if users stay within a certain range of their previous uploaded location; this exception allows the app to conserve the phone’s battery. The data gathered through these functions can be used to build a social or proximity graph of a person, about whom further information can be divulged.
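For contrast with the behaviour described above (an ID whose rotation is unclear, and contacts uploaded immediately with location), the following added example shows a design in which IDs rotate, contacts stay on the phone without location, and records expire after 30 days. It is not code from Mor Chana or TraceTogether; the 15-minute rotation interval, the HMAC derivation, and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ROTATION_SECONDS = 15 * 60            # assumed rotation interval (not from the page)
RETENTION_SECONDS = 30 * 24 * 3600    # the 30-day retention the page cites for Mor Chana


def ephemeral_id(device_secret: bytes, now: float) -> str:
    """Derive the ID a phone broadcasts during the current time window.

    The ID is an HMAC over the window index, so it changes every
    ROTATION_SECONDS and successive IDs from one phone cannot be linked
    by an observer who does not hold the device secret.
    """
    window = int(now // ROTATION_SECONDS)
    mac = hmac.new(device_secret, window.to_bytes(8, "big"), hashlib.sha256)
    return mac.hexdigest()[:32]  # truncate to 16 bytes


class LocalContactLog:
    """Observed contacts are kept on the phone; no location is stored."""

    def __init__(self):
        self._entries = []  # tuples of (timestamp, observed ID, RSSI)

    def record(self, observed_id: str, rssi: int, now: float) -> None:
        self._entries.append((now, observed_id, rssi))

    def purge_expired(self, now: float) -> int:
        """Delete entries older than the retention period; return the count."""
        cutoff = now - RETENTION_SECONDS
        before = len(self._entries)
        self._entries = [e for e in self._entries if e[0] >= cutoff]
        return before - len(self._entries)

    def export_for_tracing(self, now: float) -> list:
        """Hand over records only when the user accepts a tracer's request."""
        self.purge_expired(now)
        return list(self._entries)


def demo() -> dict:
    # Constructed sample data: two phones and a fixed start time.
    day = 24 * 3600
    t0 = 1_600_000_000.0
    alice_secret, bob_secret = os.urandom(32), os.urandom(32)

    log = LocalContactLog()  # Alice's on-device log
    log.record(ephemeral_id(bob_secret, t0), rssi=-60, now=t0)
    log.record(ephemeral_id(bob_secret, t0 + 29 * day), rssi=-72, now=t0 + 29 * day)

    return {
        "same_window": ephemeral_id(alice_secret, t0) == ephemeral_id(alice_secret, t0 + 100),
        "rotated": ephemeral_id(alice_secret, t0) != ephemeral_id(alice_secret, t0 + ROTATION_SECONDS),
        "distinct_phones": ephemeral_id(alice_secret, t0) != ephemeral_id(bob_secret, t0),
        "purged": log.purge_expired(t0 + 31 * day),
        "exported": len(log.export_for_tracing(t0 + 31 * day)),
    }


if __name__ == "__main__":
    print(demo())
```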

In the case of Thai Chana, scanning a QR code could be a sensitive issue for people who visit certain locations such as gay bars, casinos, and some specialized clinics, and as a result, may face social stigmatization. Even though the government has announced that the data collected from Thai Chana has already started to be deleted, it is difficult to prove that the data has, in fact, been deleted.

2. Lack of transparency

When the code was first released, the code of Mor Chana that is available on GitHub did not reveal much information on how the app actually works; the only information provided tended to be extremely basic about the User Interface (UI) or extremely crude about the contact exchange system. However, this released code should not be considered as the source code, and the app should not be considered as an open-source app. The released code is also not found to have an open-source license. While the code was later updated, the code for Thai Chana has not been revealed. Moreover, the privacy policies of both Mor Chana and Thai Chana have also not yet been provided.

All the information that has been provided so far in response to privacy concerns has come solely from government sources; there has been an absence of a verified independent source to guarantee the privacy and security of both systems. A human rights impact assessment (HRIA) and privacy impact assessment (PIA) were also not conducted before Mor Chana and Thai Chana were rolled out. An HRIA and PIA would allow those in charge of the app and the systems to identify and understand the risks of Mor Chana and Thai Chana with regard to the privacy and security of personal data. The developers of Thai Chana held a meeting with the data governance committee that was specifically set up for Thai Chana. However, it is not clear whether the committee would make the evaluation of Thai Chana and its recommendations publicly available.

There is also an absence of information about the security and encryption of the data collected from Mor Chana that is stored in Amazon Web Services (AWS). A well-designed encryption system would help to protect personal data from cyberattacks as well as from surveillance by those in charge of the systems, state authorities, developers, and other third parties.

All these aforementioned issues have raised concerns about whether the apps can be trusted and how privacy is treated by the Thai Chana and Mor Chana systems. The Mor Chana app was rolled out to the public hastily after only two weeks of development in the efforts to combat COVID-19. This fast period of development suggests that these efforts to respond to the pandemic through technology have also resulted in an oversight of the key issues regarding the right to privacy.

A transparent contact tracing app would provide greater confidence for people when using the app. An improvement in transparency may also increase the number of users who the government is targeting in order to maximize the effectiveness of the digital contact tracing app. However, Thailand’s efforts to respond to the pandemic clearly lack this element of transparency, as people still question the risks to their privacy from using both Thai Chana and Mor Chana.

3. Lack of policy enforcement

When Mor Chana was first rolled out in April 2020, the Minister of Digital Economy and Society claimed that an independent committee would be established to oversee the treatment of the app’s collected data. He also stated that the data collected by the app would be treated according to the Personal Data Protection Act, which had been passed in May 2019.

At the time of the Minister’s statement, the Personal Data Protection Act (PDPA) was set to come into effect in May 2020. However, when the date arrived, the government decided to postpone the enforcement of the law to 2021 instead. The reason provided for the postponement was that stakeholders were not yet prepared for this legislative change due to the COVID-19 pandemic. The government also issued the Royal Decree that excludes government entities and 22 types of businesses from the PDPA.

The committee for Thai Chana has been appointed. However, without a policy to enforce the treatment of personal data and the protection of privacy, concern has been raised about the effectiveness and authority of the committee to ensure that the app’s collected data is protected. Due to the current circumstances surrounding the PDPA, the data that is collected from the Thai Chana and Mor Chana apps remains vulnerable to privacy risks.

The data collected from Mor Chana will be stored in Amazon Web Services (AWS), which has raised further concern due to the 2018 Clarifying Lawful Overseas Use of Data Act (CLOUD Act). The law allows U.S. law enforcement authorities to access data stored by U.S. registered companies regardless of where the data is collected. Given that Thailand does not have robust legal protection on personal data, this U.S. law has raised concerns on how the collected data is kept safe from misuse, particularly when the data goes offshore.

C. Conclusion and Recommendations

Thailand’s latest efforts to respond to COVID-19 through contact tracing apps have overlooked people’s right to privacy in many aspects. The use of GPS to track the locations of users is not recommended for the app due to the concern over the right to privacy, especially as the monitoring of people’s locations may reveal information about their private lives. The request for a profile photo in the Mor Chana app is also not necessary for contact tracing purposes.

The code of the Mor Chana app has been released, but it cannot be sufficiently examined to identify how the app actually works. Therefore, it cannot be claimed that Mor Chana is an open-source app. The app has yet to be examined on how it securely stores its data, and specifically how its encryption works when the data is stored in AWS. Furthermore, not much technical information is known about the Thai Chana app regarding how the data is treated. Both Mor Chana and Thai Chana also did not undergo an HRIA and PIA that are publicly available before the apps were rolled out; due to the absence of these assessments, there remains a lack of information on how human rights and privacy are treated when a person decides to use the apps.

In addition, there is currently no law enforcement for privacy and personal data protection in Thailand. Even if the PDPA is in place, it is still not sufficiently robust when compared to existing best practices, such as those provided under the General Data Protection Regulation (GDPR). The exclusion of 22 types of businesses and organizations in the PDPA, including government entities, reflects the law’s weaknesses. Concerns have also been raised about situations when the data goes offshore; as the collected data from Mor Chana is stored in AWS, U.S. law enforcement agencies are able to access the information under the 2018 CLOUD Act.

In light of these findings, the following recommendations are proposed for the government to make Mor Chana and Thai Chana more transparent and to protect privacy and personal data:

  1. Review the source code of Mor Chana and explore possibilities to prioritize the privacy of the app while maintaining its function for contact tracing.
  2. Issue a specific regulation for both Thai Chana and Mor Chana in order to ensure personal data and privacy protection. The specific regulation must stipulate the type of personal data that is allowed to be collected; the data collected should be as minimal as possible. The regulation should also detail how the personal data will be secured, and how long the data is to be retained. The consent of users should be considered at all necessary steps.
  3. Have clear privacy policies for both Mor Chana and Thai Chana. All the elements about how the data is collected, processed, and stored must be transparent. This should be in line with the international standards and best practices for privacy protection.
  4. Conduct a Human Rights Impact Assessment (HRIA) and Privacy Impact Assessment (PIA) for both Mor Chana and Thai Chana, as well as for other apps and platforms that may be implemented in the future for digital contact tracing purposes. The results should be made publicly accessible. 
  5. The data governance committee should expand its responsibilities to include Mor Chana, because the app also deals with users’ personal data and has a function related to Thai Chana. The process of how the committee works should be made publicly available, including its evaluation of the apps and its recommendations. The committee should have the authority beyond providing recommendations in order to ensure that the apps treat personal data and privacy with standards equivalent to the international best practices; this authority is necessary as Thailand does not yet have robust legislation on personal data and privacy protection.