BlogsRSS

SIM registration, Thainess and the war on privacy

I often say that in Thailand, the need to be seen to do something outweighs the need to do something. But when it comes to the matter of identity the way Thailand behaves is nothing short of staggering.

I remember when the Thai government first tried to enforce website registration for local websites a decade ago. Each Thai citizen is given a 13-digit identification number which is on every government document and persists through marriages and name changes. The ICT Ministry told websites to log the ID numbers of every poster or else.

The catch-22 of course was that a physical ID card is easily faked and if BORA, the bureau of registration administration (terrible name, I know, the agency that runs the citizen database) opens up the database to every webmaster to check picture as well as name, ID and address, well, that would spell the end of any semblance of privacy. Websites went through the motion of security rather than actually having meaningful security.

The other question was why would registration help? It was as if the powers that be had this almost cult-like belief in the 13-digit ID number; that once someone used it they would not only be who they claimed to be, but that they would speak no evil online either.

It was about a decade ago too that the idea of SIM card registration first came up. In April 2005 to be exact under the diktat of former Prime Minister Thaksin Shinawatra.

In the meantime, the Thai government toyed with the idea of an official, verified email account whereby every citizen could send and receive trusted, legally binding email. The system at khonthai.com (roughly translated as Thai person or Thai national) gives users a staggering 2 megabytes of storage space (yes, two million bytes - woo-hoo!) and your email address is a big-brother approved p followed by your 13-digit ID number. P for person, one might guess.

Unfortunately the site is temporarily down for new registrations and there still is a happy new year 2013 message on the front page. Pity, I really wanted to use my taxpayer-funded 2 MB.

The problem is that once something is used all the time, it no longer becomes secret. When entering any office building or housing estate it is common practice to leave your ID card at reception. So if you want to be a master identity thief in Thailand, all you have to do is act pretty and become a receptionist at a building. Or just hack into the database or video feed of the housing estates or buildings who have gone digital.

Microsoft Thailand used to have a sign-in sheet upstairs in addition to the building sign-in sheet downstairs. I pointed this out to its then country manager Andrew McBean once that the upstairs sign-in was totally pointless. I could sign myself in as Bill Gates and there was no way to prove or disprove my claim as my ID card was downstairs. McBean quickly removed that second sign-in security desk afterwards.

A decade on, few things have changed. The other day I called in to my credit card company, issued by Thailand’s second largest bank, Siam Commercial Bank. All they needed for me to pass security and access my account was my name (on my ID card), date of birth (on my ID card), ID number (er, also on my ID card) and one yes or no question - do I have any zero percent interest rate deals on it? Meaning that anyone with my ID card details (which is just about everyone when you live long enough) would have a 50-50 chance of getting past the bank’s security check.

Yet somehow, despite all this, the country still works. Kafka would be proud of how Thailand has developed.

But things may be changing soon. The government wants to use phone numbers to replace ID numbers for internet access so as to lock down every IP with a number and through that a name. The ICT Ministry has also toyed with the idea of using IPv6 and issuing every individual with a range of V6 addresses as identification, though thankfully nobody has mentioned that idea for some time now.

Which is why it has been trying for the past ten years to implement SIM registration. As usual, the four horsemen of the infocalypse - terrorism, drug dealers, paedophiles and organized crime - are cited as the reason to clamp down on anonymity. Though in Thailand insulting the monarchy is often cited as the top reason that we peasants cannot be entrusted with privacy and anonymity.

But while everything changes, everything also stays the same.

The need to be seen to do something outweighs the need to actually do something. The need to be seen to be registering SIM cards in the name of national security is more important than actually create a proper, clean and useful database of SIM card users.

At first the regulator, the National Broadcasting and Telecommunications Commission, feared that small vendors would go out of business and allowed every Tom, Dick and Harry with a corner shop to access the registration app. Never mind the tiny detail that usernames and passwords to registration servers were hard-coded in the app. Never mind too that dealer usernames and passwords were often given out so people could download the app and register themselves instead of getting the SIMs registered at approved outlets. Never mind either that bogus SIM registration vendors popped up that only took victim's’ details without registering them, and sometimes charging them for the privilege too.

Then the regulator went the other way and locked everything down, forgetting the tiny detail that tens of millions of SIM cards were already registered under the old, broken system, and were questionable. Furthermore, by locking everything down, not only did they make life for small dealers difficult (the same small mom-and-pop dealers they argued for at the beginning, not that many are left from the recession) and they also made it virtually impossible for small MVNOs to get their users registered.

Besides, with someone else’s details (which I could get if I were a pretty receptionist at any office building) I could easily register a SIM card in their name and go blow up a bomb with that number.

The omnishambles does not end there. Apparently ten years is not enough time to register all the SIM cards. The deadline was 31 July. Now it has been extended by a further three months, kicking the can down the road. In three months it is likely that the new frequency act will have been enacted and a new set of commissioners will have to take care of the mess that these clowns have left them.

Thainess. Such warm and fuzzy and messy Thainess, but somehow it always manages to scrape by.