Inspecting the cybercrime conviction process: Do the existing laws have sufficient power to protect us?

Even though the Thai Supreme Court has ruled that an IP address alone cannot convict a suspect, it is still accepted by courts as evidence when used in combination with other evidence. Despite the challenges and difficulties in obtaining reliable evidence associated with a particular IP address, it is the duty of officers to adhere to the standard of operation prescribed by law. In fact, the existing laws may prove sufficient for such operations without the need for new laws.
While the growth of the big data trend has resulted in an exponential amount of data being created and sorted, it has also brought about a rise in cybercrime. This reality has placed a heavy workload on government agencies and law enforcement officers, such as the police and the Ministry of Information and Communication Technology (MICT), who must deal with the new forms of threat.
The identification of the internet user is what challenges the enforcement of cybercrime laws. For instance, one can simply create a fake Facebook account using another person’s picture or name, and can do the same when applying for an email account. On the other hand, data flowing between users may not always remain exclusive to those users, as it needs to pass through the ISP’s network, and ISPs are obliged by the government to record user logs or traffic data. In this way, users’ digital traces are duly recorded, making it possible for law enforcement to retrieve them later as evidence in cybercrime cases.
Our experience observing online freedom of expression trials since 2010 indicates that the following significant types of digital evidence are used to identify suspects.
1. Screenshot
A witness, whether official or civilian, who claims to have witnessed an illegal action online often uses a screenshot to capture it, for example, a screenshot of illegal content on Facebook or of a spam email. The witness must first save the screenshot to a computer as an image file and then print it out. At trial, these screenshots must be presented in paper form. Nevertheless, Thai courts are less likely to review such evidence on the internet themselves. This practice confirms the weak standard of evidence used by Thai courts in cybercrime cases. A hardcopy printout of an image file can be easily manipulated and falsified with widely available photo editing programs. Because of this, the authenticity and integrity of the evidence are likely to be challenged and questioned by the related parties.
In order to prove the authenticity of digital evidence, the hardcopy printout should be made directly from the web browser, immediately after the content is witnessed, rather than being captured as a screenshot image. This is because direct browser printing provides not only the details of the crime that happened online (photo, text) but also the date of printing, the number of pages and the URL of the webpage. Even though this is more credible than a screenshot, it is still possible to manipulate this type of evidence. Moreover, the signature of the relevant authority should appear on all hardcopy printouts to improve the credibility of the document.
2. IP Address 
An Internet Protocol address (IP address) is a unique string of numbers, separated by full stops or colons, assigned to users by an Internet Service Provider (ISP). It is used to identify a computer or a device that uses the Transmission Control Protocol/Internet Protocol (TCP/IP) to communicate over a network. For example, for IPv4 or 2001:cdba:0000:0000:0000:0000:3257:9652 for IPv6. An IP address functions on a network like a house number in a village. Apart from this, it is used to determine the path of the data, including how and when the data will be sent (routing and forwarding).
In the past, many websites did not protect the identity of commenters and displayed their IP addresses publicly by default. A person could then be easily traced by law enforcement using the IP address as evidence. However, it is more common nowadays for websites to support commenters’ anonymity and disable the public display of commenters’ IP addresses. But under article 26 of Thailand’s Computer Crime Act 2007, ISPs are still obliged to keep traffic data for at least 90 days, or up to one year if they receive an order from a competent official. In addition, article 18 authorizes the competent official to order an ISP to submit the IP address in question where there are reasonable grounds to believe that it is associated with criminal activity.
3. Relation of physical location and the IP address
After obtaining the IP address associated with the crime, law enforcement officers may request other electronic evidence related to that IP address from the ISP, for example, the other IP addresses that have communicated with the IP address in question, including the date and time of such communications. On request, the ISP will retrieve information such as the name and physical address associated with the IP address from its customer registration database.
Nonetheless, further information obtained using only the IP address may not be enough to convict someone of a crime. This is because, technically, an IP address can be falsified and can be misleading. The person registered for a service with the ISP is not necessarily the person associated with the crime. For instance, a father registers for an internet service in his own name in a household that also includes a mother and three children. All of them use the internet through the same router. Every access to the internet is recorded under the same IP address, without distinguishing the identity of each user. Hence, the IP address may be useful for identifying the location associated with the crime, but it does not clearly identify the individual who committed it.
This can be observed in the landmark case of Noppawan, who became a suspect on a lèse majesté charge because of IP address evidence. Even though the IP address associated with the lèse majesté offence was registered under Noppawan’s name and address, the facts showed that there was more than one resident at this address, as it turned out to be a factory with many workers and many computers. In practice, anyone at this address could have used a computer to access the internet and post the lèse majesté message in question. Finally, the Supreme Court dismissed the case on the ground that the evidence was insufficient to prove beyond a reasonable doubt that Noppawan was the person who committed the lèse majesté crime.
4. Digital forensics
Digital forensic investigation can be initiated after law enforcement officers find the IP address and the physical address and apply for a court warrant to inspect, search and/or seize the computer related to the IP address associated with the crime. The officers usually go to the physical address, seize all electronic devices from the premises and begin the forensic examination.
Digital forensics can be carried out to find at least four types of digital evidence, as follows.
1) A cache file is a copy of browsed files stored on a computer. These files are automatically created by the browser to improve application performance by making later visits to the same website faster.
2) A cookie is a file sent from a website and stored in a user’s web browser to enable the website to remember the user on the next visit.
3) History refers to the list of webpages, with the date and time of each visit made by users, that is automatically recorded by the web browser.
4) Digital files directly associated with the crime are files that can be used as digital evidence in a case. For example, the officers need to examine the link between an image file found on a seized computer and the pornography offences the owner has been charged with.
According to standard digital forensic practice, officers should not examine the original suspect hard disk(s) but should instead make two copies of the original hard disk. The first copy is stored at a designated place, whereas the second copy is used for the further digital forensic process. This is to ensure that no unlawful alteration and/or destruction of the data can take place without authorization. For the investigation process, Thai officers use “EnCase forensic software” to search and restore the files on the hard disk. This software can even recover files that have been deleted from the drive.
Although officers may recover a cache file, cookie or history associated with a crime from a computer, it is still difficult to conclude which user committed the crime. While the presence of digital evidence stored on a computer makes it less complicated to conclude that the computer was used to commit a crime, it is still impossible to confirm the link between that digital evidence and the physical identity of the computer’s owner. This is because the computer can also be accessed and used to commit the crime by other users who are not the owner.
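An added example, not part of the original article and not the tooling used by Thai officers: one way to show that the archive and working copies described above are bit-for-bit identical to the original, and that a later alteration is detectable, is to record a SHA-256 hash at acquisition and re-check it. The file names, the archive/working roles and the small constructed "disk image" are assumptions made for illustration.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk=1024 * 1024):
    """Return the SHA-256 hex digest of a file, read in 1 MiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def make_verified_copies(original, dest_dir):
    """Copy `original` twice (archive + working) and verify both against it."""
    reference = sha256_file(original)
    copies = {}
    for role in ("archive", "working"):  # hypothetical role names
        target = os.path.join(dest_dir, f"{role}.img")
        shutil.copyfile(original, target)
        os.chmod(target, 0o444)  # read-only, so accidental writes fail
        if sha256_file(target) != reference:
            raise ValueError(f"{role} copy does not match the original")
        copies[role] = target
    return reference, copies


def demo():
    """Constructed data: a 4 KiB stand-in for a seized disk image."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "original.img")
        with open(original, "wb") as fh:
            fh.write(b"constructed sample sector\n" * 160)
        reference, copies = make_verified_copies(original, tmp)
        intact = sha256_file(copies["working"]) == reference
        # Simulate an alteration of a single byte in the working copy.
        os.chmod(copies["working"], 0o644)
        with open(copies["working"], "r+b") as fh:
            fh.seek(100)
            fh.write(b"X")
        altered_detected = sha256_file(copies["working"]) != reference
        return intact, altered_detected


if __name__ == "__main__":
    print(demo())
```

The reference hash is the value that would be written into the report at acquisition; any party can later recompute it over the stored copy to check that the data examined is the data seized.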
5. DNA trace on a computer
In some cases, digital evidence from the IP address and the digital forensic investigation alone may not be enough to convict someone of a crime committed at a given time and date. This pitfall led to the increasing use of DNA traces as supporting evidence in digital forensic investigations in 2014-2015. Nonetheless, there has been no judicial precedent assessing the weight or credibility of this type of evidence.
As the discussion above shows, the enforcement of cybercrime law can be technically complicated because most types of evidence can be easily manipulated and falsified. Nevertheless, this hindrance can be minimized when law enforcement officers have sufficient knowledge of how to handle digital evidence. In this light, Thailand’s current Computer Crime Act 2007 makes ample and sufficient provision to govern the role and responsibility of ISPs, as well as the scope of the authorities’ duty and authorization to access digital evidence for the purpose of investigation. It can therefore be said that the current legal framework is not an obstacle to criminal procedure that would slow down the investigation process in cybercrime cases.
Limited cooperation from foreign ISPs leads to the government’s attempt to find new tools
In practice, the enforcement of law on the internet still faces many obstacles. Whereas domestic law is subject to the geographical boundary of the state, the internet is not. Therefore, foreign ISP companies may deny requests made by Thai authorities for information related to certain criminal offences, in particular offences that are not recognized by the law of the state the companies are subject to. For example, the lèse majesté law is a domestic law enforced in Thailand and has no extraterritorial jurisdiction in other countries, especially countries that do not have the institution of monarchy.
Big internet companies like Google and Facebook, which have their headquarters in the United States, often deny requests made by Thai authorities for IP addresses related to lèse majesté cases. This is because these companies are not subject to Thai law or the Thai Computer Crime Act 2007. Hence, many lèse majesté complaints filed with Thai authorities have been left unprocessed because the suspect could not be identified.
Apart from cases related to lèse majesté, which are most prevalent on social media, there are other types of cybercrime where the owners of the website are directly associated with the crime, such as phishing websites and pornographic websites. In practice, the companies are therefore unlikely to fulfil requests made by Thai authorities, such as a request for the IP address of the owner of a website.
In order to cope with the difficulties in accessing evidence in cybercrime cases, Thai authorities propose the use of more powerful techniques and tools for their operations on the internet. This includes the controversial draft National Cyber Security bill. The overwhelming power sought is twofold. The bill would increase the authority of law enforcement officers over ISPs, which would be obliged to give up their customer data upon request without a warrant. Moreover, the Thai government further proposes the use of a single gateway that would give it complete control over all internet traffic through a single bottleneck control point.
The existing Internet laws give enough power, under court supervision
While the above tools, techniques and laws, such as the single gateway and the new draft cyber security bill, have not yet been implemented, and a few obstacles in dealing with cybercriminals still exist, the Thai government is far from short of solutions for accessing and gathering digital evidence. In the stock failing case of Khata, law enforcement officers tracked down the suspect’s IP address by sending to the suspect’s email a link with a hidden script that would send back information about that person’s IP address once it was clicked. Moreover, in the Tara and Jakrawut cases, the officers disguised themselves on social media to gather information about the suspects.
From a legal perspective, law enforcement officers are authorized by article 18(6) of the Computer Crime Act 2007 to access internet traffic, including users’ IP addresses, for the purpose of investigation without needing to request the cooperation of the ISP. Moreover, articles 18(7) and 18(8) further allow officers to decrypt the password and seize the computers in question for the purpose of investigation, on condition that the operation is accompanied by a judicial warrant according to article 19. Also, an officer exercising this power needs to be able to justify that the case is beyond reasonable doubt, lay out the list of tools he or she will use during the operation and report back to the court within 48 hours.
When the Department of Special Investigation (DSI) decides to take up a case, DSI officers can exercise their power under article 25 of the Special Investigation Act 2004, which allows targeted data surveillance similar to phone tapping. In order to exercise this power, DSI officers also need to apply directly for a warrant from the chief justice of the criminal court.
As we can see, the existing laws are deemed to give the authorities enough power to conduct almost all kinds of investigation in cybercrime cases, on condition that the process is subject to strict review by the judiciary. Officers have the additional duty of writing up and filing a report with the court. This practice upholds the principle of proportionality and acts as a deterrent to the arbitrary use of power to access personal data without reasonable grounds.
In order to handle a complicated digital evidence investigation process efficiently, the authorities must be equipped with essential expertise, good quality equipment and up-to-date technology.
Instead of proposing new laws that would bestow excessive power on the authorities, risking abuse of power and violation of freedom and human rights, the government should invest more in human capital, especially in the quality and quantity of law enforcement officers dealing with cybercrime, in parallel with frequent updates to technology and equipment. In contrast with the promulgation of new laws, this approach leads to a more sustainable outcome and ensures the integrity and legitimacy of the criminal justice process.

