Computer systems are an important part of business operations and human sustenance. If any person acts to make a computer system unable to work according to its specified commands or to make it work incorrectly, uses any method to improperly access, alter or destroy other people's data in a computer system, or uses a computer system to disclose false or obscene computer data, such act inevitably causes damage and affects the economy, society and the security of the state, including the peace and good morals of the people. Thailand has, therefore, enacted the Cybercrime Act to enforce against such acts.
This article discusses the structure of the law with respect to cybercrime, which can be divided into 2 types as follows:
1. Cybercrime is a crime against computer "system" and computer "data", including intervention, destruction, alteration, and damage to the computer system and the computer data.
"Computer system" means a device or a set of computer equipment whose functions are integrated together, for which instructions, instruction sets or anything else and working principles enable it or them to perform the duty of processing data automatically.
"Computer data" means data, messages, instructions, or anything else contained in a computer system, the output of which may be processed by a computer system, including electronic data pursuant to the law on electronic transactions.
2. Cybercrime is a crime that uses a computer as a tool to commit a crime which has serious and widespread consequences.
1. The cybercrime offences are as follows:
1.1 Illegal access to a computer system
The law prescribes that any person who accesses a computer system which has specific access prevention measures, where such measures are not intended for that person's own use, must be subject to imprisonment or a fine, or both.
1.2 Illegal access to computer data
The law prescribes that any person who accesses computer data which have specific access prevention measures, where such measures are not intended for that person's own use, must be subject to imprisonment or a fine, or both.
The law prescribes the offences pursuant to No. 1.1 and 1.2 in order to protect the confidentiality of data and the privacy of owners of a system / data, so that other people are not allowed access. This protects the right to privacy in communication. Examples of the offences are using other people's user name / password, logging in to the system, using spyware / sniffer programs to hack the system, or computer hacking, etc.
1.3 Knowing of measures to prevent illegal access to a computer system
The law prescribes that any person who knows of measures to prevent access to a computer system specifically created by other people, and who illegally discloses such measures in a manner that is likely to cause damage to other people, must be subject to imprisonment or a fine, or both.
With regard to this offence, the law is aimed at implicating a person who keeps or knows of security and protection measures, such as user names and passwords, and then discloses such data in a way which may cause damage to other people, since leaked data of an organization, data of a business or personal data can cause damage to the economy, finance and the stability of the organization.
It is noteworthy that the "knowing" can be either legal or illegal. A legal example: a computer system manager of a company knows the passwords and user names of all employees and directors, and then discloses such measures to a third party. An illegal example: hackers hack a computer system and disclose the hacked passwords or credit card numbers on different websites. Both cases are deemed as committing this offence.
1.4 Illegally eavesdropping on computer data
The law prescribes that any person who commits any illegal act by electronic means to eavesdrop on other people's computer data in the process of being sent in a computer system, where such data is not intended for the public interest or for general people's use, must be subject to imprisonment or a fine, or both.
The specification of this offence also covers a legal loophole in terms of the telecommunication business, which prescribes only telephone eavesdropping. This offence aims at protecting the right of privacy in communication. It covers all acts that use electronic means to eavesdrop on other people's computer data in the process of being sent. Examples of the offence are using a scanner to steal passwords and credit card information, including eavesdropping on messages, electronic mails, or any video or audio data through a computer system (sniffing).
1.5 Hindering or disrupting computer data
The law prescribes that any person who illegally damages, destroys, changes or amends, either in whole or in part, other people's computer data must be subject to imprisonment or a fine, or both.
1.6 Hindering or disrupting computer system
The law prescribes that any person who acts improperly in order to cause the operation of other people's computer systems to be suspended, delayed, hindered or disrupted to the extent that the computer systems fail to operate normally must be subject to imprisonment or a fine, or both.
The offences pursuant to No. 1.5 and 1.6 are aimed at protecting the integrity of computer data. An example of the offence under No. 1.5 is a case where a computer criminal makes changes to computer data, or releases a virus or uses instruction sets (malicious code) such as viruses, worms and Trojan horses, causing computer data to be damaged or destroyed.
However, if such act causes a computer system to be delayed to the extent that the computer system fails to operate normally, such as a DoS (Denial of Service) attack, such act is deemed to be the offence pursuant to No. 1.6.
In addition, the offender will be subject to a higher degree of penalty if the above offences:
Cause damage to the public, whether it be immediate or subsequent and whether it be synchronous.
Are acts that are likely to cause damage to computer data or a computer system related to the country's security, public security, the country's economic stability or public services, or are acts against computer data or a computer system available for public use.
2. The use of computer to commit offences
2.1 Spam mail
The law prescribes that any person who sends computer data or electronic mail to other people while concealing or falsifying the source of such data, in a way which disrupts the normal operation of other people's computer systems, must be subject to a fine; no imprisonment is prescribed for this offence.
Examples of this offence are spamming, and concealing / falsifying the source when publishing content with such characteristics, whether publishing from a computer, mobile phone, other communication devices or computer systems, for example, sales electronic mails or electronic mail newsletters which do not give recipients an easy opportunity to cancel.
2.2 Selling or distributing instruction sets created specifically to be used as a means for the offence
The law prescribes that any person who sells or distributes instruction sets created specifically to be used as a means for committing the offences pursuant to No. 1.1 to No. 1.7 above must be subject to imprisonment or a fine, or both.
This offence may affect public security and may cause damage to valid programs, which can affect electronic business. Examples of such offence are selling or distributing game aid programs.
2.3 Entering into a computer system any computer data which is fake or false, is a threat to public security or is obscene, or transmitting such data
The law prescribes the following offences:
(1) Entering false computer data into a computer system, whether in whole or in part, or false computer data in a manner likely to cause damage to the general public.
(2) Entering false computer data into a computer system which is likely to cause damage to the national security or cause panic to the general public.
(3) Entering into a computer system any computer data which is an offence related to national security or an offence related to terrorism under the Criminal Code.
(4) Entering any obscene data into a computer system which may be accessible to the general public.
(5) Distributing or forwarding computer data despite knowing that it is computer data pursuant to clauses (1) to (4) above.
Any person who commits such an offence must be subject to imprisonment or a fine, or both.
Examples of this offence are posting on a thread inappropriate content which is a threat to security, falsifying files to disguise oneself in order to destroy a computer system, and cheating and fraud by falsifying a website of a financial institution in order to use information of other people to commit the offence.
2.4 A service provider supports or consents to the perpetration of the offence pursuant to No. 2.3 in a computer system under his/her control
The law prescribes that any "service provider" who intentionally supports or consents to the perpetration of the offence of entering into a computer system under his/her control any fake or false computer data, or data which is a threat to security or obscene, or of transmitting such data, must be subject to the same penalty as the person who commits the said offence: imprisonment, a fine, or both.
A service provider means (1) a person who provides service to other people with access to the internet or the ability to communicate by other means through the internet, whether it is in his/her own name or in the name or for the benefit of other people; or (2) a person who stores computer data for the benefit of other people.
An example of this type of offence is where the owner of a website or forum knows that computer data is deemed as such offence but still lets that data be published in his/her possession; the owner of the website or forum is then deemed to intentionally support or consent to the perpetration of the offence.
2.5 Entering into a computer system, a picture of other people which is edited and which causes such people to be defamed, detested or humiliated
The law prescribes that any person who uses computer data which appears as a picture of other people, and enters such image, which is created, edited, added to or amended electronically or by any other means, into a computer system which may be accessible to the general public, in a manner which is likely to cause such people to be defamed, denounced, detested or humiliated, must be subject to imprisonment and a fine.
In addition, if such offence is committed against a picture of a deceased person and such act is likely to cause the deceased's parents, spouse or children to be defamed, denounced, detested or humiliated, such offender must be subject to imprisonment and a fine as well.
However, if the act is committed in good faith, with fair comments given towards any person who is deemed to be of a regular manner of the general public, such person is not guilty.
An example of this type of offence is editing a photo of an injured person, which may be done for fun, and then entering it into a computer system, which may cause the injured person to be denounced and humiliated.
Offences outside the Kingdom
Whichever type of computer-oriented crime is involved, if the offence is perpetrated outside the Kingdom, the law prescribes that the following categories of persons, even though they were outside the Kingdom while committing the offence, must still be punished in the Kingdom:
An offender is Thai, and the government of the country where the offence occurs or an injured person requests punishment; or
An offender is a non-Thai citizen, the Thai government or a Thai person is the injured person, and the injured person requests punishment.
Such offender must be punished within the Kingdom as prescribed for the perpetration of such offence.
Duty of the Service Provider on Keeping Data
In addition, the law specifies 2 types of duties and responsibilities of a service provider for keeping data:
Computer traffic data means data related to computer system-based communication which demonstrates the sources, origins, destinations, routes, time, dates, volumes, time periods, types of services, or other matters related to a computer system's communication. A service provider must keep computer traffic data for not less than 90 days from the date such data enters into a computer system.
Data of a service user means data which records an identity of a person when accessing service through a service provider's network, regardless of name, surname, identification number, user name or any pin code, and regardless of whether such service user is required to pay for the service or not. The service provider is obliged to keep the user's data from the beginning of the service and must keep such data for not less than 90 days after the termination of the service.