I'm going to talk about the personal data monitoring service in the case of data breach in Southeast Asia. So since the beginning of this year, well actually I would like to give you a brief background about this a bit. So this is not going to be like a very tech-tech session, but looking at the relationship between the technology and human rights and personal data protection, which is a topic that gained attention very much in Thailand at the moment because of the introduction of the GDPR, the law on personal data protection in the European Union, that was introduced a few years ago.
So since the beginning of 2019, there are actually two major data breaches that happened at the regional level of Southeast Asia. So the first one that I'm going to talk about today is the case of Sephora, which is the cosmetic retailer that I hope that you know about. So give you the background a bit. So the Sephora data breach involved around three million individual personal data that have an online account with Sephora. So that means if you ever purchase like cosmetics, skincare online, so that means you are one of those three million. And it affects customers in eight countries in Asia and Pacific, so five countries in Southeast Asia, Thailand, Indonesia, Malaysia, Philippines and Singapore, and three countries outside of our region, which is Hong Kong, New Zealand and Australia.
So what happened after the data breach happened was that Sephora offered the personal data monitoring service to only four countries that are affected, which is Singapore, Hong Kong, New Zealand and Australia. After I said this, you might notice that it's kind of a discrimination because the incidents happen the same. The people that are affected belong in the same data breach, belong to the same database, things like that. So the personal data monitoring service that Sephora offered to the customer was that it's claimed to be... All right, I'm going to show you this first.
So this is from the Australian Sephora website. How do I sign up for the personal data monitoring service? So you can click on this link at that time and then they give you the password, the code to use this kind of service, which is for you to scan whether where your leaked data go even in the dark web, according to the claim. But this is the Sephora, Thailand. It's where you're offering me a free personal data monitoring service at the same time as it happened. So it said that local regulatory requirements prohibit the service from being offered in your market. So that's why we think that this is like a form of discrimination.
So as I said before, as I mentioned a little bit earlier about this, so the personal data monitoring service, it was offered by Sephora's partner called Experian. So as we saw in the previous slides, the reason that the company gave to those that do not get the service is because of the local law that doesn't allow it to happen. But actually Experian only operates mainly in those first world countries only. So those four countries only that get those kind of service. So they do not provide any kind of service in the country, in any country in Southeast Asia except Singapore.
So I actually wonder whether is it personal data monitoring service that Sephora offer might be beneficial in terms of we know where our leaked data go. But Experian actually, if you are a general customer, you have to pay a very high fee in order to use that service. So there are sites that offer leaked personal data tracking like that for free according to the package actually. But at some extent you can use that service for free. So there are Have I Been Pwned, Have I Been Sold and DeHashed. So these three sites, it's like, it offers you, it's like this. So you can like enter email address or password and you can see like, okay, where your email address or the password that you use for that email address went to, things like that.
So what happened with these websites are that usually they have database, leaked databases stored in their own database. And usually databases are Western-based. So usually they do not have the leaked databases that occur in Southeast Asia region or in countries at the national level. Like when we realize that TrueMove has a data breach case last year in 2018, right? So this site, they don't have anything like that because they don't have like the database that belong to this our region stored on the database. Except when it's at the global scale, like Tumblr or things like that. So this is, you can see this company do not belong to like Thailand or any country in Southeast Asia at all. So this is the database that Have I Been Pwned stores.
When the data breach happened, companies that experience data breach in Southeast Asia are not held accountable. The recent case is Lion Air, where its three subsidiaries like Malindo, Thai Lion Air, and also Batik Air, which is Indonesia based. It's only Malindo that issue a statement because they have, they fly to European countries. So that's why they kind of enforce, they kind of enforce a lot of statement to show some responsibility according to the GDPR because they have to comply with the law.
So actually I wonder whether the personal data monitoring service is a tool that is actually useful because we, there actually have been some criticism about this service. First, how secure of the leaked database that's stored in this website. For example, if the hacker want to hack this database, if it's not secure enough, of course it can happen. Sometimes the service is not free, which create discrimination. For example, if you are not well off in terms of like financial resources, things like that. So yeah, that can also create discrimination. Why is it legal for this website to store millions of leaked database? So that's also another question. Also, individuals usually cannot do much after they find that leaked information.
For example, we are often told in the case of data breach that we have to change our password. But usually the effect is long term as beyond the individual capacity updates happen. So here, this is from DeHashed. So as I said, so Sephora, so you see like in the red circle, how can I protect myself or remove my data? So actually they just said that you can contact them and they will remove your information from that database only. But not in the public platform where the leaked information appear. So as I said before, usually when it happens, it's beyond the effect individual capacity. Changing password, changing your password is not like a complete comprehensive solution to handle the breach.
So in the case where the breach happened, the company should be held responsible in terms of they need to consult the cybersecurity company in terms of the removal of the leaked data that go across the website, including the dark web as well, investigate the incident to know the cause, and after they learn the flaw in that database, what can they do in terms of to prevent the same incident to happen again in the future. And also in the law aspect, there's also a need of a strict law at the same level as the General Data Protection Regulation to take place to hold this company responsible.
In terms of Thailand, I know that the Personal Data Protection Act just has been adopted in May this year, but it will come into full effect one year after this, which is May next year. But there are still a lot of legal loopholes in terms of that, and I just doubt whether these data protections act, whether it's going to work if the incident like this happened. So actually I think that in terms of human security in this region, it should be like a unifying data protection act that country in Southeast Asia adopted the same data protection act where the meaning of the Personal Data Protection, where the meaning of what is sensitive data is interpreted the same.
And so it's going to be less discrimination when this kind of incident happened. So the question to discuss here if you want to discuss is whether do you think that the Personal Data Monitoring Service tool that is available in the market is any useful? If you're familiar with it, of course. And are there any websites that offer personal data monitoring that you would like to recommend? And do you think that there is a chance to develop a Personal Data Monitoring Service tool that can offer service work like search engine like Google where you don't have, where we don't have to store the database, the leaked database on the site? So any question? Has anybody got any question? Yes.
So my question is having such this tool, Personal Data Monitoring Service tool is a good idea. But I think the big question is how we can trust the company or any organization providing the tool because if we need this tool, so it means we need like maybe non-profit organization to provide the tool and then how much we can trust that they can store our information safely and privately, not like sell our information to any company.
That's the question, right? A comment.
My question is who will be the owner of this data personalization monitoring tool? It would be like a company or organization or non-profit organization?
For those existing website that has been running like Have I Been Pwned or Have I Been Sold or DeHashed, they usually, some of them are non-profit like Have I Been Pwned, it's offer the service for free and it's running on, I'm not sure whether it's a non-profit organization. The guy that has been behind it, he doesn't accept any money from like from the other sources why he's doing this. I don't know whether he has like side business or not. For other sites, sometimes they are company that doing cyber security, not doing cyber security. In terms of like Experian, for example, the Sephora offer, that one is a company but they offer like, they offer many services.
For example, like in terms of the identity theft, yeah, they offer service in order to combat that as well but the fee is very high in order to use that. And they also like DeHashed, they have offered you some kind of package. For example, like, okay, if you want to use the service for free, there are these options, there are these options for you that is available and if you pay for this certain amount, you can do more, things like that. So it's like mixed.
So my, another question is, I think it's better to have like a preventive mechanism like to, because if you look at the website like Have I Been Pwned, most of the websites that have been hacked is the government websites. So it's better to provide the knowledge to the government sector that they need to provide like a secure protocol like HTTPS rather than like having such a tool to monitor the data after we have been hacked.
What else would like to give feedback or would like to ask questions?
Okay, during the beginning of the session, you mentioned that the personal monitoring service doesn't really have Southeast Asian countries data. The reason is that they are not accountable. It's a light. So the company in this region.
Now usually it's because, so there are, okay, there are two causes. For example, like in terms of Sephora, four countries that affected except Singapore in Southeast Asia, they are not, the only thing that Sephora told them to do was to change the password, not offering the personal data monitoring service like the rest of the country that got affected. And I think that when they mentioned that it's, because of the legal matter, I think that it's the reason that it's not legitimate to provide. And I think that they can do more in terms of like protecting personal data of people, but I just don't know whether like because they don't want to or because I don't know. And when it comes to the website that exists in the market, like Have I Been Pwned or DeHashed.
Because these companies actually operate like in the western country, like in Europe or in the US. And sometimes the data breach happens very often. It happens like all over the world. And sometimes these people, they just, you know, don't understand or do not monitor what happened or what's going on in terms of the data breach in Southeast Asian country or even like well let alone at the national level, like in Thailand in terms of like TrueMove H. Or as I remember, I think Lazada also experienced some kind of like data breach a few years ago. Krungthai Bank as well also experienced data breach like last year or something like that. But then there's not much things that mentioned about this. Also the media, they don't talk much about the incident as well.
And I think that the reason that the company can get away with it is because first there's no strict law that holds them accountable and also the public understanding as well. Usually this kind of thing, the data breach, when it happens, it doesn't have immediate effect. It's like it doesn't, we don't get the immediate effect in the way that we live our lives unless or until like our account has been hacked, like for example our Facebook has been hacked because we happen to use the same password as those account was leaked, something like that. At that moment we realized, oh okay, I'm the one that got affected. What can I do? So it doesn't have like immediate effect. So when it doesn't have immediate effect, so people are kind of like, ah, it's okay. And when there's no strict law enforcement on that issues as well, the company are like, they usually get away with it and when the media doesn't push for them to take some kind of responsibility. So it's kind of like they're waiting till like, you know, time goes by and yeah. And waiting until everything goes quiet, things like that. And it usually happens all the time in this region, which is that.
This indicates that the cybersecurity in this region is very bad.
Yes, yes. There's actually an article on the ASEAN Post, I think like last month talking about, so it's actually like a hub for hackers in terms of like, you know, stealing database, things like that. Yeah. And it's actually sad because the government in countries in this region, they just like get alert on the issues after the introduction of the GDPR only because it affects the countries in terms of economic and business opportunity because the GDPR actually forcing the company outside of the European region to taking care of the personal data of the European citizen that live outside of the European Union as well. So that's the thing. So they just don't want to, you know, lose the business opportunity instead of genuinely care about the cybersecurity, things like that. And usually the business that affected the most are like airline company, hotel company. Those business like dealing with, you know, people from outside.
So that means for the company that operates mainly in Thailand, there won't be any regulation like GDPR or something like that?
Like I mentioned before, there's a Personal Data Protection Act that Thailand just passed. And also at the same time there's Cyber Security Act, so two laws together that Thailand just adopted in May this year. And in terms of the Personal Data Protection Act, it will come into full effect next year in May. But months have passed. We haven't seen much in terms of like the government effort in terms of like, you know, telling the business company how to prepare and in terms of like, you know, comply with the law when it's going to be fully enforced. And also like, there's also, I think that in this case, the business that are affected, that are the most worried are the medium and small business. For example, we know that Thai people these days we tend to use Instagram to, you know, showcase the product and service.
And then when we want those products or services, we have to contact the owner of the shop via like Line Messenger, right? And then after the transaction happened, we give them like our Personal Data for the products to be delivered. Our name, phone number and address. So it's like, the question is, how do we know that those information that we gave to the vendors that run like Instagram accounts and shops like that, like micro-business, online micro-business, are secure or what they're going to do with it afterwards, things like that. And it's worrying because sometimes those shops, like those who run the Instagram accounts are run by just only one people, one single person. And the limitations of the law, in terms of like, okay, what do I do in terms of like, when the law come into full effect? Like, because they're going to be fined. If, fined in terms of like, you know, like, in terms of like, if the data got leaked or exposed to the public. Yeah, like what they can do with it as a micro-business owner, things like that. Yeah, so so far there hasn't been any guideline yet.
Thank you.
You're welcome. I think we run out of time. And if you have like, any more questions or want to discuss, you can reach me afterwards. Thank you very much.