Latest news with #Sak
Bangkok Post
27-06-2025
- Business
- Bangkok Post
An intelligent approach to AI governance
Thailand has drafted principles for artificial intelligence (AI) legislation as it seeks to establish an AI ecosystem and widen adoption. The Electronic Transactions Development Agency (ETDA) recently completed an online public hearing on the draft and plans to submit it for cabinet consideration by the end of July. How was Thailand's AI regulatory framework developed? Sak Segkhoonthod, senior advisor at ETDA, said enforcement of AI rules thus far has been based on soft laws or guidelines. An AI law is needed to help Thailand efficiently deal with the impacts of the evolving technology, he said. Since 2022, Thailand has studied global models, especially the EU's AI Act, and introduced two draft laws: one focused on regulating AI-enabled business services, and another on promoting AI innovation. These two draft laws will be combined to form the basis of the AI law. Both drafts adopted a risk-based framework, classifying AI systems into prohibited, high risk and general use categories. ETDA took the lead in promoting AI governance rules, proposing four tiers. The first tier recommends Thailand work with other countries to enhance its global position in AI governance. The country also embraces Unesco's principles to advance AI governance, in line with international ethical standards. The second tier involves the concept of sectoral regulators overseeing policies in their respective areas. The third tier focuses on corporate implementation, where organisations adopt practical tools, guidelines and frameworks. ETDA already launched the AI Governance Guidelines for Executives and the Generative AI Governance Guideline for Organisations. "We have plans to release up to 50 guidelines or tools or checklists, including on AI procurement, job redesign and AI readiness assessment to assist organisations' in their AI transformation," said Mr Sak. The fourth tier promotes AI literacy at the individual level. What are the benefits of the AI law? He said the legislation aims to provide protection to users from potential AI risks, establish governance rules and remove legal barriers that existing laws cannot address, unlocking broader AI adoption. For example, the Transport Ministry's current regulations do not support the deployment of autonomous vehicles, as they were not designed to address an unmanned system. "The new AI law will support innovations," said Mr Sak. Having a dedicated AI law will help Thailand efficiently remove regulatory hurdles, he said. Relevant agencies can quickly develop their own organic AI laws based on the main law. The new law should also support tech entrepreneurs in testing AI in a controlled setting or regulatory sandbox, as well as in real world conditions, he said. The draft should permit the use of previously collected personal data, originally gathered for other purposes, in the development or testing of AI systems intended for public benefit, conducted under strict conditions, said Mr Sak. "By providing legal clarity and confidence, the law will encourage broader AI adoption across sectors through a combination of contextualised use of AI, sector-specific oversight and a common governance framework, ensuring consistency and minimising regulatory conflicts between different domains," he said. For example, using AI to monitor student behaviour may raise ethical concerns and be inappropriate in some contexts. In contrast, applying AI to monitor driver behaviour is essential to ensure passenger safety, said Mr Sak. What are the principles in the draft? The principles focus on supervising AI risks. Legal recognition should be granted to actions and outcomes produced by AI, and such recognition should not be denied solely because no human directly intervened unless there is a specific clause to allow the denial of such legal recognition, he said. As AI is a human-controlled tool, all actions and outcomes derived from AI must remain attributable to humans, said Mr Sak. Individuals may be legally exempt from acts or contracts generated by AI in cases where the party responsible for the AI could not have reasonably foreseen the AI's behaviour, and the other party was aware -- or should have reasonably been aware -- that such actions were unforeseeable to the responsible party, according to the draft. He said the law will not define a list of prohibited or high-risk AI applications, instead empowering sectoral regulators to define these lists based on their domain expertise. The draft proposed the providers of AI services are bound by duty of care to adopt risk management rules based on global guidelines and best practices. Overseas-based companies that provide AI services in Thailand will be required to set up legal representatives in the country. Law enforcement agencies can issue orders to stop AI service providers or users of AI from providing services or using AI, according to the draft. Companies that use AI to generate content are expected to label it or adopt relevant methods to inform consumers. Which authority oversees AI law enforcement? ETDA's AI Governance Center (AIGC) is expected to coordinate with related parties on law enforcement. The existing regulators in all sectors will define and enforce rules for high-risk AI in their domains, according to the draft. Under the AI law, two key committees will be established, with the regulator committee responsible for issuing practical frameworks and setting policies in coordination with the sectoral regulators. The expertise committee is tasked with monitoring and evaluating emerging AI risks to ensure timely and informed regulatory responses. What do companies think of the draft? Mr Sak said as of June 20, 80 organisations including Google and Microsoft submitted feedback during the recent public hearing. The majority praised the draft for striking a balance between prohibiting harmful uses and promoting innovation. However, some feedback raised concerns on whether sectoral regulators will be ready to efficiently supervise AI. In addition, the issue of AI sovereignty was highlighted, including the risk that foreign generative AI models may provide incomplete or inaccurate responses to users related to Thailand, due to limited local data representation. "We are considering the development of common benchmarking guidelines for privately owned large language models in the Thai language," he said. Ratanaphon Wongnapachant, chief executive of CLOUD, welcomed the AI legislation, calling it a timely step to prevent misuse and enforce responsible AI practices, particularly in sensitive sectors. Pochara Arayakarnkul, chief executive of Bluebik Group, expressed concern over the definition of AI in the upcoming legislation. He said if the definition is too broad, it could have far-reaching implications. Conversely, a narrow definition may fail to cover emerging risks. AI governance must go beyond a single risk dimension as each industry adopts AI in fundamentally different ways, with varying degrees of risk depending on how mature the technology is, said Mr Pochara. "The implications span multiple dimensions, from transparency and accountability to operational reliability," he said. Touchapon Kraisingkorn, head of AI Labs at Amity Group, proposed establishing objective, easy-to-understand criteria for defining high-risk and prohibited AI, using metrics such as the number of users, impact on fundamental rights or the monetary value of potential damages. "This would promote uniform interpretation across the private sector and reduce the discretionary burden on regulators," he said. Mr Touchapon also proposed a tiered compliance framework for small and medium-sized enterprises based on their size, as determined by revenue and employee count. He said this mechanism should be independent of a company's age, allowing startups the space to innovate before taking on the full scope of regulatory responsibilities as they mature. Moreover, a formal certification programme for "AI auditors" should be developed, complemented by the promotion of open-source tools for model clarity and risk assessment to ensure both industry and government have the necessary talent and tools to comply with new standards, said Mr Touchapon. "We strongly recommend an 'AI incident portal', which is a public, anonymised repository of AI system failures and rights violations that would be an invaluable resource, enabling all parties to learn and adapt quickly. This fosters a necessary culture of transparency and trust in AI systems," he said. For labelling or watermarking AI-generated content, Mr Touchapon recommended a phased approach, starting with a voluntary programme to assess its effectiveness before mandating a general requirement. This strategy allows for a timely response to deepfakes and misinformation without placing a premature or excessive burden on the industry, he said.
Tom's Guide
09-05-2025
- Tom's Guide
Why Windscribe's court case proves how important VPN no-logging policies are
Case dismissed. These were the welcomed words heard by Windscribe founder Yegor Sak, and ones that marked the end of a challenging, almost two-year-long legal battle. In an uncommon move, Sak himself had been taken to court in Greece and charged with the crime of "illegal access to information system" – despite the alleged offence being committed by a Windscribe user. However, Sak could not provide evidence, because Windscribe had not collected any data on the user. The result is in line with the provider's "no-logs policy," and this was a significant factor in the case's outcome. In turn, it has important ramifications for the VPN industry. It shows authorities can't mindlessly go after VPN providers. But it also shows providers need to ensure they're following their no-logs policies and prepare for them to be examined. Independent audits verify these claims and assess them inline with the provider's privacy policy. Having them proven in court is even better. To be considered as one of the best VPNs, a verified no-logs policy is non-negotiable. The policy is a promise that your browsing history, identifiable personal data, or internet activity is never stored or shared. A no-logs VPN provides maximum privacy and security when surfing the web. Windscribe's recent legal case has highlighted how important a no-logs policy is. Its importance can be felt not just by Windscribe, but the VPN industry as a whole. "A bittersweet experience" is how Yegor Sak described his recent legal case. He shared how being charged for a crime he didn't commit, in a country he'd never visited, was a "stressful and challenging" experience. However, he found the positives, saying Windscribe's no-logs policy was "unequivocally validated" in a way no independent audit ever could. Authorities discovered that an IP address belonging to a Windscribe server in Finland was used to breach a Greek server. However, Windscribe could not hand over any data relating to the alleged crime because it hadn't been collected in the first place. The outcome has unequivocally validated Windscribe's no-logs policy in a manner that no third-party audit ever could In a blog post, Sak stated how the law is "pretty cut and dry" and if you have the data, you must provide it. If you're found withholding data that could be handed over, you're in big trouble. Windscribe's last independent audit was undertaken in 2024, but although audits are an excellent way of adding weight no-logs policies, they aren't 100% foolproof. This is why having a no-logs policy proven in court means so much, and it should reassure all Windscribe users that their data is secure. Sak described a robust no-logs policy as "the cornerstone of any privacy-focused VPN service." He said how "without it, a VPN cannot credibly claim to protect user privacy." Even under legal pressure, your data will not be compromised – and it's not just Windscribe that can prove this. Private Internet Access (PIA) had its no-logs policy examined in court in 2016 and 2018 – in both cases it successfully showed no data collection. In 2023, Swedish police searched Mullvad VPN's offices with the aim of seizing computers containing customer data. This data did not exist and the police left empty-handed. You don't want to go to the trouble of hiding your data from third parties and hackers, only for your VPN provider to store this information instead. Many VPNs claim to never store your data, but how many can actually verify this? Listed below are some reputable providers with proven no-logs policies and when an audit was last completed. This isn't an exhaustive list, but covers most of the major providers. The majority of these providers publish their audits online, but not all of them were easy to find. The audits can be published along with transparency reports. These reports often detail the amount of data requests received by a provider and how much of that data is shared. Spoiler alert: it's almost always zero. It's important to note the difference between no-logs and zero-logs policies. No-logs policies may store the email address you sign up with and the billing information used to pay for the VPN subscription, and often anonymized, aggregated usage data. For example, Windscribe collects usage data over a 30-day period to enforce its Windscribe Free monthly data limit. However, Windscribe doesn't require an email on sign up – neither does Mullvad. Zero-log providers collect and store nothing. NymVPN and Obscura VPN are two newer providers who claim to be zero-logging VPNs, but neither has undergone an independent audit yet. The potential rise in legal cases involving VPNs or privacy activists is a growing concern, and Sak believes it's "highly probable" we will see a further increase in the coming years. In recent months we have seen the French broadcaster Canal+ pursue a number of VPN providers, and changes to Swiss encryption laws have been proposed. Sak said these anti-encryption laws "risk weakening the security infrastructure of the entire internet." "These initiatives often lack input from technical experts, relying instead on policymakers who may not fully grasp the long-term consequences of their proposals," he said. "This growing regulatory push threatens to erode the very protections that users rely on, and we anticipate further challenges as governments seek to balance security with control." A no-logs policy means none of your personal data is collected, stored, sold, or shared. But it's worth understanding what data this is referring to, so here are some examples: Connection Logs: Details of the VPN server you connect to Usage Logs: Your online activity, including browsing history IP address Logs: Your connecting IP address Timestamp Logs: Records of when you connect/disconnect from a VPN server Bandwidth Logs: The amount of data transferred through the VPN Referring to his case in Greece, Sak liked to think it was a "well-meaning attempt to address cybercrime that missed the mark due to a lack of technical understanding" – and this is where problems arise. Both Tom's Guide and Windscribe condemn the use of VPNs for criminal purposes, but we have to accept that some "bad actors" will take advantage of privacy technology. Attacking VPN providers and the technology they provide is not the answer, and doing so puts our right to privacy at risk. "Privacy activists must emphasize that sacrificing anonymity to catch a handful of bad actors would undermine the fundamental protections that millions depend on daily," Sak said. "It is not about enabling wrongdoing but about preserving the right to free expression and access to information in an increasingly surveilled world." However, should there be a rise in legal cases against VPNs and privacy advocates, Sak believes there's a silver lining. Successful defenses, like that seen in Sak's case or that of PIA, "establish critical legal precedents that can deter frivolous or overreaching prosecutions in the future," he said. Predicting the future is impossible, but "each victory strengthens the foundation for protecting user privacy and reinforces the legitimacy of privacy-focused services." Data collection is on the rise. Whether it's from Western governments or big tech companies, your data is sought after and we must prepare for requests to increase. This is why having a VPN with a proven no-logs policy is so vital. The data can't be collected if it isn't there and privacy activists must stand firm in the face of any attacks on our freedoms. Subscribing to a reputable, private, and secure VPN, one with an independently audited no-logs policy, is the best way to protect you and your data. It is the responsibility of VPN providers to regularly complete these audits and be transparent about their data practises. We can then stand firm against unjust overreach and intimidation by authorities and stand firm in our beliefs that online privacy is a right for everyone. We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.
