The military and police struck deals as recently as December to allow them to use hacking software to monitor mobile phones and computers, raising concerns of privacy violations.
The revelation came after WikiLeaks released more than one million searchable emails from the Italian surveillance malware vendor Hacking Team (HT) on July 8, showing the inner workings of the controversial global surveillance industry.
The Bangkok Post Sunday learned of the deals by sifting through hundreds of the company's emails and documents, which name the Royal Thai Army and Royal Thai Police as customers of its remote control systems (RCS), also known as Galileo and Da Vinci.
Apart from Thailand, other Southeast Asian clients include Vietnam, Malaysia and Singapore, according to a client list seen by the Bangkok Post Sunday in an Excel file attached to an email sent by HT's financial controller in January. It lists the Royal Thai Police as purchasing products worth €286,482 (more than 10 million baht) in 2013, while the Royal Thai Army spent €360,000 in 2014.
HT's partners in Thailand include Israel-based Nice Systems and Thai firms Placing Value Co and Netsurplus Co. In September 2012, Nice Systems met with people from several branches of the Royal Thai Army, including intelligence units, to conduct product demonstrations. They were shown "several key functionalities Nice has to offer for this market, which is characterised by poor legislation and no LEA [law enforcement agency] or intelligence connectivity to telecom service providers".
Placing Value eventually became HT's main partner and correspondence between the two started in October 2012.
An official letter addressed to HT and seen by the Bangkok Post Sunday shows that in December 2012, the Army Military Intelligence Command expressed interest in the Da Vinci RCS "to support our operation and mission".
The letter, which was signed by Maj Gen Ganit Chanpreechaya, the then-chief of army Military Intelligence, asked the company to demonstrate the system on Jan 21, 2013. The army eventually bought the Galileo system.
HT's RCS products are advertised as using stealth methods to collect evidence from all types of operating systems, with the ability to monitor "up to hundreds of thousands of targets".
Andrew Smith, director of computer forensic services at Orion Investigations Co, said hackers often take control of a device by exploiting vulnerabilities within software and installing malware, for example through malicious websites or by sending an email with a malicious attachment.
Once the person clicks on an email attachment, malicious software will install in the background and allow remote access.
On mobile phones, hackers can physically install malicious software by sending an SMS with a malicious link or by tricking phone users into connecting to fake Wi-Fi access points.
"They would have control and be able to monitor everything that can happen on a device," said Mr Smith, who has been involved in computer forensics for nearly 10 years in the UK. "If they wanted to they can take complete control including being able to delete or plant evidence [on a device]."
In December, a purchase order worth €360,000 was issued for a client named as the Royal Thai Army. The delivery date was within 60 days of the purchase date.
During the course of the correspondence, the army commander was Gen Prayut Chan-o-cha, who is now the prime minister following last May's coup.
Army spokesman Col Winthai Suvaree said he is not aware of the purchase.
HT says it designed its system to fight crime and terrorism. According to its customer policy, it will stop providing software to governments it believes have used its technologies to facilitate gross human rights abuses.
HT was itself hacked on July 5. Its server was compromised in the attack, after which it instructed clients to stop using the Galileo product. Virtually all clients complied. HT later issued a statement saying it plans to replace the existing Galileo version in the coming months.
In light of the revelations, National Human Rights Commissioner Niran Pitakwatchara slammed the use of spyware. "It is a violation of democratic principles, in which the state does not have the right to threaten the privacy of individuals," he said. "It's a misuse of authority."
Government spying for national security reasons is legal, provided there is a court order. But new legislation backed by the government, if passed, will make it easier for authorities to use spyware.
Dr Niran argued that national security could be used as an excuse to violate the human rights of those who, for instance, gather to protest against the government.
"Thailand needs to be aware that it is at risk of violating the right to privacy and freedom of expression, under the disguise of 'national security' concerns," he said. "There is a need to differentiate between the security of the nation and the security of the government."