The increasing popularity of cloud computing has exposed flaws in privacy and data protection measures that have the potential to be the next wave of national security threats.
Cloud computing allows people to use software installed on servers on the internet, usually through their browsers. The users can also keep data on these servers. This means they can readily work or access data anytime, anywhere so long as they have internet access.
The most familiar form of cloud computing is online mail services such as Yahoo, Gmail or Outlook.
Although cloud computing is growing quickly, the technology is still in its infancy.
"It's time for the Thai government and educational authorities to determine measures that provide an appropriate level of security, and develop a national security policy for the national interest," said Jeff Gould, president of SafeGov.org, a US-based nonprofit organisation that promotes cloud security for government and education.
Many American police departments use cloud-based services such as Google Apps or Microsoft Office 365, replacing their organisational e-mail systems that rely on private servers and data centres, he said. But this move means higher information security and privacy risks.
Prinya Hom-anek, president of ACIS Professional Center, a Thai IT training security provider, urged the Electronic Government Agency (EGA), an organisation providing government cloud service, to enhance its computer security system to protect its data from electronic threats.
The government should dedicate a higher budget to advanced security equipment like malware analytic tools, source code reviews, and a systematic examination of computers to prevent or find software vulnerability, he said.
Mr Prinya added the Thai government should have its own data centre for a national security database, instead of using public cloud services as it does now.
Private firms, meanwhile, should read user agreements thoroughly before using public cloud services, he suggested.
Most public cloud service providers do not provide legal liability for free. Instead, they provide paid data backup and recovery services, which exclude liability coverage for data leaks, he said.
Mr Prinya pointed to Prism, the electronic surveillance programme operated by the US's National Security Agency to collect e-mails, documents, photos and other materials from US tech companies for review, which raised concerns about data privacy threats.
The centre said more people are using cloud-based services from US technology companies such as Microsoft, Apple and Google. These tech giants try to help users link their accounts and passwords to other websites to enhance user convenience.
For instance, if a user's Gmail account is hacked or has an easy-to-guess password that he or she also uses for Facebook and Instagram accounts, the user's identity could be stolen.
He suggested users turn on the two-step verification for their Google or Microsoft accounts to add an extra layer of security.
Nakorn Serirak, a policy adviser to Thai Netizen, a non-profit online data protection organisation, said Thailand still lacks a data privacy law as it has been delayed for almost a decade.
He supported the government's latest attempt early this year to accelerate the enactment of a data protection law, but noted it might take a few years to pass.
The draft law is based on international privacy practices and the principle of informed consent for the collection and use of personal data, meaning it requires the permission of the data owners. Mr Nakorn said the draft should also cover protection of children's data in the cloud.
Governments in Europe and Australia have already introduced regulations protecting children's data, while the US is in the process of amending its data protection regulations.
At least 60 institutes of higher education in Thailand use free education cloud services such as e-mail and online documents storage sponsored by Google and Microsoft.
Currently, cloud service providers offering free public e-mail can sell users' data to other companies for advertising or sales purpose.
Mr Nakorn said schools should put some restrictions in place against cloud service providers to prohibit the release of confidential student data without written consent.
While waiting for a law, he maintained the government should increase awareness among state agencies and private organisations about the significance of online data privacy rights and proper measures to deal with personal data protection.
About the author
- Writer: Suchit Leesa-nguansuk
Position: Senior Reporter