Thai cafes ordered to store customers’ passwords, emails

The Thai government has requested that all coffee shops, including small mom-and-pop operators, keep traffic data of customers using their Wi-Fi for 90 days and provide that information if required.

The government says this is necessary to deter crimes and track suspects. But concerns have been raised that it would drive away customers worried about privacy and misuse of the data collected.

Minister of Digital Economy and Society Buddhipongse Punnakanta said on Wednesday: “This is beneficial for both the authorities and the shop owners, who can protect themselves if their customers did something wrong while using their Wi-Fi.

“We’re merely asking for cooperation. It is not compulsory.”

But on Tuesday, he told reporters that those not doing so may face a computer crime charge and a fine of up to $16,500.

Buddhipongse did not specify what types of crime the authorities are targeting. But since taking up his post in July, he has intensified a crackdown on fake news and criticism against the government and monarchy.

The country’s first anti-fake news centre is expected to be set up in his ministry by November 1.

Thailand’s Computer Crime Act, which requires all Internet providers to keep log file data for at least 90 days, has been in effect since 2007.

But cyber-law expert Paiboon Amonpinyoket said that in terms of enforcement, the authorities have focused only on large-scale operators such as Internet and telecom providers, as well as foreign-owned coffee shop chains, leaving out small-scale businesses.

“All of a sudden, the government wants to enforce it without educating people first. This is bound to create confusion and a burden on these operators,” Paiboon said.

Many coffee shop owners and managers are not aware of the law and the government’s plan to enforce it. Others fear the new measure would lead to a reduction in the number of customers concerned about their privacy and the misuse of their data.

Suparat Rattanabunditsakul, the director of Drip and Drop Coffee Supply Bangkok, said: “Most people don’t know that their login data is stored by shops when they use their Wi-Fi. Now they know and may panic, even though we have never used such data.

“I’m afraid our regular customers who love to sit for a long time to work using our Wi-Fi may not come any more.”

Coffee chain Artis Coffee manager Thitiya Thanataweepong said: “We have never kept such data. It’s their private information. We don’t want the customers to view us negatively. Hopefully, this will not affect our sales.”

To keep data of customers for up to 90 days, the shops would need to buy new storage equipment or upgrade their software, which would cost at least thousands of baht, and none appear willing to do so.

Arthit Suriyawongkul, coordinator for the Thai Netizen Network, a non-profit group campaigning for Internet freedom and digital rights, said: “This measure does not guarantee that those intending to commit crimes can be stopped. They may use a VPN or other means to avoid sharing their data.”

Arthit said that when someone uses a shop’s Wi-Fi, the internet protocol addresses and time of use are shared with the shop.

If users log in to Wi-Fi with their e-mail addresses and other personal information such as ID numbers, it would make it easier for the authorities to track them.

Users’ web browsing history, passwords and private messages could also be exposed, depending on how secure the websites and apps in use are. The “https” websites are more secure than the “http” ones as the former only identify access to the site but not the activities inside it, Arthit said.

“This has created more problems for the public and might not even prove to be an effective measure to deter crimes. It’s rather a tool for the government to keep people in line,” he said.