From True Move H at home to Facebook worldwide, privacy concerns are front and centre as the law plays catch-up

With few if any laws to protect them, many online users fear loss of privacy and identity theft - and for good reason. (Graphic via Commons)

Goosebumps are rising among social media fans amid a firestorm over Facebook's massive personal data harvesting. Coincidentally, a similar scandal has erupted in Thailand, where one of the country's largest telecom operators faces censure as a result of IT security negligence.

In the latest saga, the personal data of about 46,000 True Move H users was recently leaked into Amazon Web Services (AWS) cloud storage.

The leaked data, found by security researchers in AWS cloud storage (an Amazon S3 storage bucket), included scanned images of users' ID cards, passports and driving licences.

More than 32GB of data was found stored in the bucket, amounting to 46,000 files that were listed by year.
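An exposure of this kind usually comes down to a bucket whose policy or ACL grants read access to anonymous principals. The following is an added example, not code from the article or from any of the companies it names: it reads an S3 bucket policy document and flags every Allow statement addressed to the wildcard principal, and shows a hardened policy beside the exposed one. Both policy documents, the bucket name `example-kyc-scans` and the role ARN are constructed for the illustration; the policy grammar itself (`Effect`, `Principal`, `Action`, `Resource`, `Condition`) is the real IAM policy language.

```python
"""Audit an S3 bucket policy for statements that expose objects to anonymous principals.

Added example with constructed policies; not the article's or any operator's real configuration.
"""
import json

# Constructed: the classic "make the whole bucket public-read" policy that leaks every object.
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-kyc-scans", "arn:aws:s3:::example-kyc-scans/*"],
    }],
})

# Constructed: the same bucket restricted to one application role, with plaintext transport denied.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/kyc-ingest"},  # hypothetical role
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-kyc-scans/*",
        },
        {
            # A Deny addressed to "*" is a restriction, not an exposure; the checker must not flag it.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-kyc-scans", "arn:aws:s3:::example-kyc-scans/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the principal element addresses everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_grants(policy_json):
    """Return one finding per Allow statement granted to the anonymous principal.

    A finding records the Sid, the actions and resources it opens, and whether a Condition
    is present (a Condition may narrow the grant, so it is reported rather than silently trusted).
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
            "conditional": "Condition" in stmt,
        })
    return findings


if __name__ == "__main__":
    for name, policy in (("exposed", EXPOSED_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(find_public_grants(policy), indent=2))
```

The checker only reads the policy document; the bucket ACL and the account- or bucket-level "Block Public Access" setting also decide whether anonymous reads succeed, so a real audit checks all three rather than the policy alone.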

In all likelihood, True Move H lacked proper measures for storing customer data because the company could not keep that data on the iTrueMart system.

All mobile operators must keep customers' personal data on their own storage systems, rather than allowing a dealer or other channels to handle the task. This is a case in point because iTrueMart had transferred a folder of customers' personal data back to True Move H, rather than keeping such files by itself.

Unfortunately, the existing Telecom Business Act, in effect since 2001, has no clear provision for punishing a telecom operator that is responsible for customers' personal data being leaked or accessed by outsiders.

The latest controversy raises the question of whether Thailand's IT security is sufficiently robust as the country aims to usher in greater digitisation through the Thailand 4.0 policy.

WAKE-UP CALL

Security experts and the telecom regulator have said a data protection law is critical in the age of big data and cloud computing, with an emphasis on increasing cybersecurity literacy for data privacy.

Prawit Leesathapornwongsa, a commissioner of the National Broadcasting and Telecommunications Commission (NBTC), said no data protection law is currently in place, and therefore the existing regulations can only impose punishment in the event of data loss when someone uses that data to cause damage to the victim.

"If there is no damage, we cannot undertake any enforcement," Mr Prawit said. "In other countries where data protection law exists, personal data is an asset. If the service providers incur any data breach, they will be fined immediately as a penalty and have to compensate users without waiting for damage to occur."

IT security expert Nakrob Niamgamtham said the rise in cases of mishandled data is a wake-up call for officials who need to grasp the importance of data privacy.

Thailand lacks enforcement of data privacy rules, leaving a loophole for businesses to sell personal data to third parties.

"This is why we still have unknown contacts of credit card and insurance sales coming from telesales," Mr Nakrob said.

The time is ripe for creating a central body to oversee data protection and compliance, he said, citing the EU's General Data Protection Regulation (GDPR) to ensure personal data protection among euro-zone countries and the US's Sarbanes-Oxley Act for corporate transparency and preventing accounting scandals.

The EU's GDPR, which goes into effect next month, will force Facebook to make privacy settings more secure by pressuring the famed social media network to refrain from setting the default mode for personal data sharing to "public".

In terms of security, the government and businesses need to have a data loss prevention (DLP) system installed in every system, including data centres, mobile phones, servers and digital gateways, Mr Nakrob said.

Data encryption, database security and malware filtering are also needed, he said, along with restricted data policy control for authentication and level of data access.

Recording and data playback, which is akin to video surveillance, can help trace people who access specific data, he said.
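The "recording and playback" Mr Nakrob describes is, for cloud object storage, the server access log: every request against a bucket, with the requester, source address, operation, object key and result. The following is an added example, not code from the article or from any operator it names: it parses log lines in the documented Amazon S3 server access log layout and answers the two questions a defender asks after an incident, who touched a given object, and whether unauthenticated reads succeeded at all. The log lines, bucket name, object keys, IP addresses and the `kyc-reviewer` IAM user are constructed for the illustration; `OWNERID` stands in for the 64-character canonical user ID a real log carries.

```python
"""Trace access to specific objects in S3 server access logs.

Added example over constructed log lines; the field layout follows the documented
S3 server access log format, but none of the values below come from a real bucket.
"""
import re
from datetime import datetime

# Constructed sample: one signed read by an IAM user, then anonymous ("-" requester) browsing
# of the same ID scan, an anonymous listing, and one anonymous request that was refused.
LOG_LINES = """\
OWNERID example-kyc-scans [14/Apr/2018:09:12:01 +0000] 203.0.113.7 arn:aws:iam::123456789012:user/kyc-reviewer 7A1B2C3D4E5F6789 REST.GET.OBJECT 2017/idcard-00042.jpg "GET /2017/idcard-00042.jpg HTTP/1.1" 200 - 184211 184211 31 12 "-" "aws-cli/1.16" -
OWNERID example-kyc-scans [14/Apr/2018:09:12:45 +0000] 198.51.100.9 - 0F1E2D3C4B5A6978 REST.GET.OBJECT 2017/idcard-00042.jpg "GET /2017/idcard-00042.jpg HTTP/1.1" 200 - 184211 184211 28 11 "-" "Mozilla/5.0" -
OWNERID example-kyc-scans [14/Apr/2018:09:13:02 +0000] 198.51.100.9 - 1122AABBCCDDEEFF REST.GET.BUCKET - "GET /?prefix=2017/ HTTP/1.1" 200 - 5120 - 19 9 "-" "Mozilla/5.0" -
OWNERID example-kyc-scans [14/Apr/2018:09:15:30 +0000] 198.51.100.22 - 99887766AABBCCDD REST.GET.OBJECT 2016/passport-00007.jpg "GET /2016/passport-00007.jpg HTTP/1.1" 403 AccessDenied - 201337 15 - "-" "curl/7.58" -
"""

# Leading fields of the S3 server access log format; fields after the user agent are ignored.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d+) (?P<error>\S+) (?P<bytes_sent>\S+) '
    r'(?P<object_size>\S+) (?P<total_time>\S+) (?P<turnaround>\S+) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_access_log(text):
    """Parse log text into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def who_accessed(records, key):
    """Playback for one object: every request against it, oldest first."""
    hits = [r for r in records if r["key"] == key]
    hits.sort(key=lambda r: r["time"])
    return [(r["time"].isoformat(), r["requester"], r["ip"], r["operation"], r["status"])
            for r in hits]


def anonymous_object_reads(records):
    """Successful unauthenticated object downloads: direct evidence the data was public."""
    return [r for r in records
            if r["requester"] == "-" and r["operation"] == "REST.GET.OBJECT" and r["status"] == 200]


if __name__ == "__main__":
    recs = parse_access_log(LOG_LINES)
    for entry in who_accessed(recs, "2017/idcard-00042.jpg"):
        print(entry)
    print("anonymous reads:", [(r["ip"], r["key"]) for r in anonymous_object_reads(recs)])
```

Server access logging is off by default on a bucket and must be switched on before an incident for this playback to exist; the parser also deliberately separates a refused anonymous request (403) from a successful one, since only the latter proves exposure.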

ROCK BOTTOM

Based on Dell EMC's findings on data risk management in Asia-Pacific, Singapore, Australia and Hong Kong impose the harshest penalties for data breach as a percentage of GDP, while Japan, India and Thailand are at the bottom of the scale.

Enforcement within Asia-Pacific markets varies greatly: the Singapore government imposes fines of up to S$1 million (23.8 million baht) for non-compliance with any of its data protection provisions, while Australia imposes fines of up to A$1.7 million (40.9 million baht).

On the other hand, Japan and India levy the lowest fines, at ¥1 million (291,000 baht) and 500,000 rupees (236,500 baht) respectively, for any breaches in data privacy. As more organisations across the region become digitally driven, such enforcement will increasingly become a higher priority.

In the data protection space, the EU's GDPR presents a good example of what the law should look like. It only penalises companies that are lax with data management and IT security and that, through a lack of investment in those areas, end up losing data, said Simon Piff, vice-president for blockchain and security research at IDC Corporation.

In Singapore, the cybersecurity regulation is another approach, whereby it is mandatory to notify authorities in the event of a breach. This does not necessarily mean that the breach will become public knowledge, but failure to inform the authorities is a punishable offence.

This is desirable because it only punishes offenders for failure to report, Mr Piff said.

Mandatory exposure is critical to governments, as it allows them to build up a knowledge base of how attacks happen, share this back to the country and help all organisations be better prepared to defend against the next one, he said.

Mr Piff said Thailand ranked at the bottom of the 14 countries studied, as the country's law doesn't really address the issue of personally identifiable information (PII).

There is a balance between good data management, IT security and legislation. "We need to protect PII to the extent that it is only available to those that can legally access it, such as law enforcement entities, but ensure that this data is protected from broader exposure," Mr Piff said.

"For Thailand, it is about striking a balance between ensuring that the markets take data security more seriously than they do at the moment."

A man uses his smartphone while walking past a True Move advertising board. (Photo by Patipat Janthong)

A well-crafted law will both ensure that businesses enact more stringent data management and security policies, and at the same time protect those individuals whose data is in the hands of corporations, Mr Piff said.

"Can such data leaks be totally stopped? Sadly, not in the world we currently live in," he said, "but a law covering these issues would certainly make it more difficult for hackers to break in and further ensure that strict policies are in place that would counter any accidental exposure of data that should be kept hidden."

LEGAL PROTECTION NEEDED

Prinya Hom-anek, committee member and secretary of the Thailand Information Security Association, said more and more security researchers are using freely available tools to scan IT systems for vulnerabilities in a bid to raise a warning flag about online threats.

Data privacy is a growing concern around the globe amid the controversy surrounding Facebook's data harvesting, Mr Prinya said, noting that the Thai government should think seriously about cross-border personal data.

"This is really anything that users post on social media like Facebook, in which the system will make a shadow profile by gathering all information online about them, even if they don't hand over such information on those social media websites," he said.

Businesses with analytics and artificial intelligence capability can proceed to sell users' personal data or gain a deeper understanding of users' behaviour.

"The data can help predict which products and services users are willing to buy or have an interest in," Mr Prinya said.

He said now is the time for the government to implement data privacy regulations that include a fine for data leakage by business operators.

Such regulations should also cover misuse or sale of personal data to a third party, such as cross-border data sharing with global internet firms such as Google, Amazon, Microsoft and Facebook, he said.

"We need to have digital literacy at every level [of society] to raise awareness of how to protect personal data properly, particularly concerning data privacy settings on social networks," Mr Prinya said.