Thailand’s Facial Recognition Policy in the Deep South Raises Serious Human Rights Concerns
In early May 2020, despite the ongoing Covid-19 pandemic, residents in Thailand’s largely Malay Muslim deep south began reporting targeted mobile network shutdowns. This follows an earlier announcement requiring residents to re-register their SIM cards through a new facial recognition system. The timing of network shutdowns amid the Covid-19 pandemic, when rapid access to information is crucial, poses public health risks, but that’s not all.
Thailand’s facial recognition policy in the deep south raises serious human rights concerns that predate the pandemic and unless they are addressed risk normalising questionable practices. The regulations raise serious questions about the right to privacy and informed consent. They also violate the right to freedom of expression and information.
Because it puts people at risk during a public health crisis and risks violating the country’s human rights obligations, the Government should at once re-active all network connections that have been cut. Furthermore, Thailand should immediately halt its biometric data collection and facial recognition requirements for SIM card registration until an effective human rights impact assessment is able to address these concerns.
Collecting Biometric Data in Thailand’s Deep South
Starting in June 2019, Thailand’s Internal Security Operations Command (ISOC), a unit of the military, and telecom providers began contacting all mobile phone users registered across Thailand’s southernmost provinces of Yala, Pattani, Narathiwat, and parts of Songkhla informing them of new regulations. Mobile users in these areas were required to appear at telecom providers’ stores and temporary stations set up by ISOC to have their faces scanned and checked along with the data on their National ID cards. Those who did not comply by April 2020, would risk network shutdowns.
By the April 2020 deadline roughly just 800,000 of the region’s 1.5 million residents had successfully re-registered their SIM cards with their biometric data. This leaves many at risk of losing mobile network connection at a time when it is crucially needed, during a pandemic. Meanwhile, authorities have not provided clear assurances that privacy and anti-discrimination measures are in place, nor explained the full scope of the campaign.
In 2019, Colonel Pramote Promin, a spokesperson for ISOC, explained that the regulation had come from the Office of the National Broadcasting and Telecommunications Commission (NBTC). It is ostensibly meant to combat identify theft in financial transactions and prevent terrorism or other violent acts in Southern Thailand. Authorities have reportedly discovered that mobile phones have been used to remotely detonate explosive devices in the past. However, those have primarily been foreign registered SIM cards. This raises questions about the law enforcement effectiveness of regulations that will almost certainly contribute to existing human rights abuses against Thailand’s Southern minorities.
Over the past 15 years, thousands have died amid insurgency in the deep south. The region has been under an emergency decree since 2005, which has allowed authorities to impose curfews, ban public assembly and movement, censor media, and detain individuals without charge and at times try civilians in military courts. Much of this has disproportionately targeted ethnic and religious minorities. Other measures have included the forced collection of DNA samples from Malay Muslims at military checkpoints or raids on homes and private religious gatherings. The United Nations Committee on the Elimination of Racial Discrimination has noted such conduct could amount to ethnic profiling.
Thailand is, of course, within its rights to adopt anti-terrorism measures. The United Nations Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, Fionnuala Ni Aolain, however, notes biometric data collection, including photographs and facial recognition, must comply with international human rights law.
Because national human rights groups who have spoken out about concerns in the past have been targeted for defamation by ISOC and state agencies, the trend in abuses and the lack of accountability does not inspire confidence in the new regulations.
Thailand’s current biometric collection policy does not appear to meet its human rights obligations, in particular the right to privacy and freedom of expression.
Thailand Must Respect Human Rights in its Biometric Data Program
The widespread collection, storage, and transfer of biometric data such as facial recognition imagery tied to one’s National ID raises right to privacy issues that must be addressed during the design, implementation, and follow up of any such technologies.
The right to privacy is a fundamental human right, enshrined in Article 12 of the Universal Declaration of Human Rights (UDHR) and Article 17 of the International Covenant on Civil and Political Rights (ICCPR). It is also protected under Article 32 of Thailand’s Constitution. The United Nations Human Rights Council holds that the protection of the right to privacy is not limited to one’s private space but extends to the public sphere, from government monitoring to publicly available social media information. The right to privacy applies equally to all, regardless of race, religion, or nationality.
Any interference in the right to privacy is only permissible when it is legal, necessary, and proportionate. To meet these standards, it often requires meaningful consent.
In Thailand, however, telecom service providers have been unable or unwilling to provide mobile users with transparency as to the extent authorities file requests for or gain access to mobile users’ personal data. While it is believed the facial recognition database is stored at NBTC servers, it is unclear who operates the database, how secure it is, and what further purposes the authorities have for mass-storage of this biometric data. That ISOC is involved has sparked additional concerns over the protection of the right to privacy and the larger design and purpose behind the mass collection of biometric data.
A January 2020 announcement by Thailand’s Deputy Prime Minister General Prawit Wongsuwan of plans to expand the use of artificial intelligence following a visit to the region’s CCTV control center raises further concerns over the accumulation of a facial recognition database. This is especially the case considering such technologies have often proven elsewhere to exhibit discriminatory bias toward minorities and women.
Large and centralised biometric databases are vulnerable to security breaches putting user data at risk, which introduces potentially grave risks for already marginalised communities, and often fail to adhere to the requirement for proportionality noted above.
Data protection laws, like the European Union’s General Data Protection Regulation (GDPR), are one way to address some of these concerns. Unfortunately, in May 2020 Thailand further delayed the implementation of its own Personal Data Protection Act (PDPA) first approved in February 2019 and originally scheduled to take effect last month. Among its provisions, it would prohibit the collection of biometric data without explicit consent.
It is noteworthy that part of the official rationale for postponing the implementation of the data protection act, administrative delays due to the Coronavirus outbreak, surprisingly has not influenced a postponement in the roll out of network shutdowns. One would hope if the pandemic was an excuse to delay data protection it should certainly delay network shutdown for failure to provide the same data that would have otherwise been protected.
As of now, mobile users are forced to comply or lose network coverage, hardly an effective test of consent. The loss of network connection raises a second major concern, arbitrary denial of the freedom of expression.
The freedom of opinion and expression is a fundamental right under Article 19 of the UDHR and ICCPR. It is also recognised in Article 36 of the Constitution of Thailand. The freedom of expression is so fundamental that the Human Rights Committee in its comment on the ICCPR holds that it can never be necessary to restrict even during a state of emergency. This includes the right of access to information, the necessity of which is arguably only heightened during a public health emergency.
Because we cannot be sure the facial recognition requirement for network access is based on the protection of human rights, therefore the accompanying loss of network access and restriction on the freedom of expression can only be seen as arbitrary and disproportionate.
These measures fail Thailand’s human rights obligations and only make the local population increasingly vulnerable to the ongoing public health crisis.
Keep it On
Not least of all during the public health emergency brought on by Covid-19, the Government of Thailand should immediately put an end to forced network shutdowns for those failing to comply with biometric data re-registration orders. The government must immediately restore the lost network connection for those who have lost mobile access, and forced participation in the collection of biometric data must not be a requirement to resume service. Meanwhile, Thailand should immediately halt this program until an independent, effective human rights impact assessment has addressed these concerns.