The ASEAN governments exploiting cybersecurity threats to expand authoritarian powers

ASEAN governments are seeing severe digital security breaches and violations of users’ privacy. Rather than improving cybersecurity, the region’s governments are using these threats to crack down on internet freedoms.

By Skylar Lindsay

Three-quarters of ASEAN’s population is expected to have internet access by 2020 – a sharp jump from the 260 million users in 2017 to 480 million in 2020. As access has expanded, Southeast Asian states have seen a series of security breaches that violate the privacy and security of their citizens.

But rather than responding to these by improving digital governance and strengthening protections for users, the region’s governments are continuing down a path towards digital authoritarianism – from widely expanding the scope of existing laws in Myanmar and Malaysia to sweeping new cybersecurity measures in Cambodia, Thailand and Vietnam.

New laws and censorship are suppressing freedom of expression, and ASEAN’s leaders expect foreign tech companies to go along with it.

Weak digital security in Southeast Asia has put users at risk

A series of cybersecurity breaches in ASEAN states have shown that the region’s governments have yet to build systems and regulations to protect their expanding populations of users.

In 2016, the Philippines saw one of the largest government data breaches ever when a group named Anonymous Philippines hacked the Commission on Elections (Comelec) and leaked voter data that included 1.3 million passport numbers of overseas Filipino voters, 228,605 email addresses and the fingerprint records of 15.8 million citizens.

In Malaysia in 2017, data on 46 million mobile accounts was stolen and leaked – in a country with a population of only 32 million.

Earlier this year in Thailand, True Corp, the country’s second-largest mobile company, publicly exposed data on 45,000 customers after JPG and PDF scans of consumer identity documents were accidentally left in a public-facing cache.

Cambodia, on the other hand, recently saw a digital security breach that violated not only users’ privacy, but Cambodian citizens’ right to self-determination. In the lead-up to Cambodia’s election earlier this year, US security firm FireEye found evidence that a Chinese hacker group had gained access to a number of computer systems in the country, including those of Cambodian election officials, opposition figures, media outlets and government ministries.

It’s unclear what the goal of the hack was, but China was already playing an outsized role in the election, providing US$20 million to support the process.

After the US and European nations revoked aid in response to Cambodia’s crackdown on political dissent, China was doubtless fishing for further information on a country that receives an ever-growing amount of investment from Chinese businesses, many of them state-owned enterprises.

Incumbent Prime Minister Hun Sen’s Cambodian People’s Party (CPP) won the election in a landslide victory.

ASEAN has struggled to improve digital security. Though there are attempts at regional collaboration, these have not progressed beyond identifying a set of 11 objectives to work towards. The only concrete domestic measures Southeast Asia’s leaders have taken have been centred around suppressing freedom of expression online.

Across ASEAN, governments are restricting internet freedoms rather than improving digital security

As internet access has expanded in Southeast Asia, many of the region’s governments have responded with digital authoritarianism, by restricting free use of the web and using new and existing laws to punish dissent.

In Malaysia, the government has used Section 233 (1)(a) of the Communications and Multimedia Act to prosecute citizens for posting anything that’s considered offensive. Activist Fahmi Reza was sentenced under the act for posting a clown caricature of former Prime Minister Najib Razak to Facebook.

Myanmar has also seen expanded use of an existing measure, clause 66(d) of the 2013 Telecommunications Law, to prosecute journalists and activists for posting anything online that the state deems to be “defamatory.”

Thailand has taken a similar approach with the Computer Crimes Act, using the law to threaten and prosecute users for an ever-expanding range of posts.

But Thailand has also pledged to pass new data protection and cybersecurity legislation by the end of 2018, ostensibly with the goal of improving security and protecting users. However, the measure will likely also be used to punish those who exercise their freedom of expression.

The Thai junta has proposed creating a new National Cybersecurity Committee (NCSC), with the power to surveil internet traffic, confiscate computers as they see fit and order sites to remove content that they find objectionable. In response to this proposal, the US-ASEAN Business Council wrote a letter to the Thai government suggesting that cybersecurity “cannot come at the cost of sacrificing privacy, civil liberties, and rule of law.” It also pointed out that cybersecurity cannot be the responsibility of corporations. The council includes Facebook, Amazon, Apple and Google. The letter was not intended for public release but a copy was reviewed by Reuters.

Two domestic industry groups, the Telecommunications Association of Thailand and the Thai Internet Service Provider Association, expressed concerns about the impacts of any government attempts to regulate content.

A spokesperson for the Ministry of Digital Economy, which is responsible for the proposal, said the officials involved would revise the proposal to address these concerns.

Cambodia is pursuing similar measures, with the announcement of a new National Anti-Cybercrime Committee that will be chaired by Hun Sen and have the power to arrest citizens for posting content online. According to Cambodian Ministry of Information spokesperson Ouk Kimseng, “This will benefit the public and help stop the sharing of provocative information that can cause social chaos”.

In Vietnam, a new cybersecurity law will require all companies operating in the country to store data on servers inside the country, and therefore be subject to Vietnamese law. The law is set to go into effect on January 1.

These measures threaten to turn Southeast Asia’s increasing internet access into a liability. As the region’s population moves more of its social and political interactions online, they now face threats not only from cybersecurity attacks but also from their own governments.

Foreign tech corporations in the region now have an obligation to uphold internet freedoms

As the user base expands, the digital economy of ASEAN will grow accordingly, with total digital spending topping US$240 billion by 2025 (this data includes ridesharing, online marketplaces and online media, but not banking). Tech giants such as Facebook and Google are facilitating growth, but Southeast Asian governments are now asking them to be complicit in controlling and regulating internet activity.

In 2018, the governments of Vietnam, Thailand, Singapore, and Indonesia all asked Google and Facebook to remove content they found objectionable. The companies often complied, without necessarily determining whether the content actually violated domestic law.

Rather than blindly pursuing growth, these companies have a chance to consider the impacts of facilitating ASEAN states’ internet use. If they comply with the governments’ every whim, their business practices could actually increase the threat to users’ freedoms and privacy. Their harvesting of user data will become an even larger liability to users than it already is.

These companies now face a choice: they can comply with domestic laws that violate users’ rights to privacy and freedom of expression, or they can work with ASEAN governments to improve digital security. As the space for free expression online is shrinking just as fast as the digital economy is growing, tech giants must now consider what role they want to play in Southeast Asia.