Decyphering the Thai e-transactions Act

It is no surprise that the NBTC has again sided with TrueMove in the ongoing row over number portability given their track record, but it was the reasons cited that would have repercussions in security and what exactly constitutes a digital signature under Thai law.

True has been porting users out from the other two networks paperlessly at its sister company 7-11 convenience stores. Intrigued, I sent one of my minions to transfer a number to True and here is what he had to say.

“No visual ID verification. No pin or fingerprint needed. Inserted ID twice, first for port-out request, and the last one for a temporary number. In and out in 5 minutes with a free Android phone after I topped up 500 baht ($14).”

NBTC telecoms board chairman Colonel Setthapong Malisuwan said that Thailand’s Electronics Transactions Act overrode the NBTC’s own regulations on mobile number portability and told the other two operators to update their number porting procedures accordingly.

I asked both Dtac and AIS for their ideas. Dtac said it was preparing a statement for publication later today while AIS said they would forward my question to the executives. Until then, here is my take on what happened.

Setthapong was probably referring to section 7 of the ETA:

Section 7. Information shall not be denied legal effect and enforceability solely on the ground that it is in the form of a data message.

However, it appears the NBTC only read up to section 7 and made last Friday’s declaration vindicating True based on that. Sorry, Setthapong, simply using a smart card to populate a form does not constitute a digital signature.  If he were to read a bit further down he would have seen:

Section 8. Subject to the provision of Section 9, in the case where the law requires any transaction to be made in writing, to be evidenced in writing or supported by a document which must be produced, if the information is generated in the form of a data message which is accessible and usable for subsequent reference without its meaning being altered, it shall be deemed that such information is made in writing, is evidenced in writing or is supported by a document.

The number porting notification (law) needs the request to be made in writing. So section 9 must apply.

Section 9. In the case where a person is to enter a signature in a writing, it shall be deemed that such data message bears a signature if (1) the method used is capable of identifying the signatory and indicating that the signatory has approved the information contained in such data message as being his own; and (2) such method is a reliable one and appropriate for the purpose for which the data message is generated or sent, having regard to the surrounding circumstances or an agreement between the parties.

So the number porting clearly breaks 8 (unalterable) and 9(1) as there was no indication or digital signature. Thailand’s smart ID card uses a fingerprint to unlock the cryptographic portion and there was no fingerprint or PIN involved in the transaction so there was no indication of approval.

But suppose they ruled that inserting the card into the reader is the act of signing the document (we are talking about the same NBTC that ruled that True’s nationwide 850 3G network was accidentally rolled out without a licence and thus should not be punished, remember?) the ETA defines a reliable signature in section 26.

Section 26. An electronic signature is considered to be a reliable electronic signature if it meets the following requirements:

(1) the signature creation data are, within the context in which they are used, linked to the signatory and to no other person;

(2) the signature creation data were, at the time of signing, under the control of the signatory and of no other person;

(3) any alteration to the electronic signature, made after the time of signing, is detectable; and

(4) where a purpose of the legal requirement for a signature is to provide assurance as to the completeness and integrity of the information and any alteration made to that information after the time of signing is detectable.

The provision of paragraph one does not limit that there is no other way to prove the reliability of an electronic signature or the adducing of the evidence of the non-reliability of an electronic signature.

None of that would apply to the way the ID card was used during the number port. To the best of my knowledge 3 and 4 do not apply as there is no cryptographic function used.

Not that any of this matters.

If one network can port in customers in less than 5 minutes while the others go by the book and take much longer to photocopy, check and sign everything, that is a competitive advantage.

Then there is the matter of security. All banks use SMS one-time passwords now, but how secure is an SMS OTP when a number can be ported out with just an ID card, perhaps while the ID card is supposedly at a security counter at a building? Yes, Thais part with their ID cards almost on a daily basis when visiting office buildings or housing estates. With no PIN, fingerprint or even plain old signature check and a 7-11 around every corner, that is scary.

The real issue is that the Thai smart ID card project was ill-conceived and mired in corruption from the very beginning with a flawed design which makes it impossible to use securely over a decade after its introduction.. Estonian e-residents, for example, have two PINs - one for identification and one for signing. Such control over a signature is needed for a signature to be a signature and that seems evident in the Thai electronic transactions act if not the NBTC’s interpretation of it.