THE SOUND AND THE FURY
Opinion

Govt's priority is to access, not protect, our personal data

government data breach, data surveillance
Visual: Anwar Sohel

Are we really all so nonchalant about the fact that our personal data is up for grabs?

Following multiple cybersecurity fiascos earlier in the year, including the leak of Smart NID Card information of at least 50 million Bangladeshis, the tech magazine Wired has uncovered another disturbing instance of data breach—this time from the database of an intelligence agency in Bangladesh. As per the report, the National Telecommunication Monitoring Center (NTMC) left exposed sensitive personal information for months on end through an unsecured database on its system. The breached data include the names, professions, blood groups, parents' names, phone numbers, call durations, vehicle registration information, passport details, fingerprint photos, personal financial details, national ID numbers, and so on—basically all the metadata that dictates and describes our online (and, by extension, our offline) lives. While some of it was test data, the Wired could verify a sample of real-world names, phone numbers, email addresses, locations, and exam results.

But let's pause for a moment and ask: why does the NTMC have the data to begin with?

The NTMC is a national-level intelligence agency of Bangladesh responsible for monitoring, collecting, recording, and the interception of electronic communication such as phone calls, emails, and social media accounts. Reconstituted as an independent agency in January 2013, from the previous National Monitoring Centre established in 2008, the NTMC has been drastically empowered in recent years to monitor people's personal communication—under the orders of the government of Bangladesh.

Beyond information that we willingly share with various government agencies, such as national ID or passport details, the breached data from the NTMC database also contains such information as which numbers a person may have called and for how long, and the amount of money in their bank accounts. The Wired investigation stated that it was "unclear why the data has been collected, where it has all been collected from, or what it is being used for," concluding that there is "no indication that it relates to any wrongdoing."

The government has made it clear that when it comes to our private data, its priority is to get access to it by any means—but not protect it. It has heavily invested in purchasing surveillance equipment and enhancing the capacities of various agencies to use them over the years. Unfortunately, though, it has not even shown an iota of the same interest in what should have been its priority—protection of citizens' data—as proven time and time again by the numerous data leaks and hacks in this year alone.

The NTMC's mission and objective state that it monitors, collects, and records data "lawfully." But who gets to decide what is and isn't lawful if not the all-powerful government, in the absence of any judicial oversight? What mechanisms are in place to ensure that they don't overextend themselves in pursuit of their own political agendas and interests, and in violation of people's right to privacy? Our constitution guarantees the rights to privacy, freedom of speech, thought and conscience as well as the right to life and personal liberty, but it also allows for "reasonable restrictions imposed by law… in the interest of national security" under Article 43. As per Section 46 of the ICT Act (2006), the government may intercept data in the interest of the sovereignty, integrity or security of Bangladesh, friendly relations of Bangladesh with other States, or public order—but what each of these terms mean, as we all know by now, is open to (mis)interpretation.

We have known for some time now—thanks to investigations by credible international news outlets and watchdogs—that the government has been buying advanced spyware, including from Israeli cybersecurity companies, to snoop on its citizens. In a telling move, the High Court rejected a writ petition that sought its directive on the government to take necessary steps to prevent eavesdropping and recording of private phone conversations in September 2021. In January this year, the government went one step further in legalising their surveillance mechanisms, when home minister Asaduzzaman Khan declared that they will soon introduce an Integrated Lawful Interception System (ILIS) to monitor social media and thwart various "anti-state and anti-government activities." The government, which had wanted to introduce this system ahead of the elections in 2018, is reportedly deploying it ahead of the upcoming general election. Purchased with $2 billion, the ILIS enables law enforcement and intelligence agencies to access the precise location as well as other confidential information of a mobile phone user.

Alarmingly, the telecom companies are legally obligated to participate in such gross violations of the privacy and human rights of their users. According to Section 97(A) of the Bangladesh Telecommunication Regulatory Act, telecommunications companies are bound to obey any order from the government to prevent, record, and collect information of any message or voice call of any user of telecommunication services "for the sake of the state's security or public order." More incredibly still, the money required for procuring and installing the surveillance software and equipment will reportedly have to be borne by the companies themselves—which means, in the end, it is the consumers who will end up paying for their own surveillance.

It's astonishing to think how easily the government has managed to pull all this off. At a time when opposition activists and leaders are indiscriminately being arrested and picked up from their homes and other locations, we can well imagine how such surveillance mechanisms are being used to that end. And it's not just the opposition whose geolocations are at stake. Once such a system is instituted, there is nothing to stop the authorities from using it to monitor and locate anyone they consider a threat, and from the way journalists, students, and academics have been arrested under the Digital Security Act, we can conclude that the range of who they deem a criminal is quite broad and arbitrary.

The government has made it clear that when it comes to our private data, its priority is to get access to it by any means—but not protect it. It has heavily invested in purchasing surveillance equipment and enhancing the capacities of various agencies to use them over the years. Unfortunately, though, it has not even shown an iota of the same interest in what should have been its priority—protection of citizens' data—as proven time and time again by the numerous data leaks and hacks in this year alone. When data breaches take place from the server of the Office of the Registrar General, Birth and Death Registration (BDRIS)—one of the 29 government-declared critical information infrastructures—or that of an intelligence agency—which is supposed to have the most advanced cybersecurity measures in place—it becomes obvious just how vulnerable Bangladesh's whole IT infrastructure is. We are so ill-equipped, in fact, that our agencies can't even bring themselves to respond or react to emails from foreign cybersecurity experts pointing out the leaks on time. Despite the severity of the breaches and the implications they have for the citizens involved, our authorities are yet to hold accountable the agencies in question or take any meaningful steps to bolster their cybersecurity measures.

The government's failure to protect our data is a violation and crime all on its own, for which we, as citizens, should be able to hold it responsible. Unfortunately, avenues for us to sue the government for such breaches do not yet exist. One could have looked to the proposed Data Protection Act for redress in the near future, but in its current form, the bill—even after the removal of the indemnity clause which provided authorities immunity from criminal and civil liability—is an exercise in enhanced surveillance rather than protection. Its insistence on data localisation—requiring all companies operating in the country, including Facebook, Google, Whatsapp, etc, to store their data in the country—would not only mean that the government can access our private data anytime they want on pretexts of national security, law and order, friendly relations, etc, but also makes us sitting ducks for hackers, given the country's proven poor track record.

The problem with an undemocratically elected government is precisely that it is accountable to no one. Whether it is stealing our data, snooping through it, or failing to protect it, citizens seem to have very little say in the matter. And it doesn't help that we would rather just watch reels on social media than worry about who is reading our emails, tracking our location, or accessing our bank details—and, in the process, making a mockery of our democratic and human rights.

Sushmita S Preetha is op-ed editor at The Daily Star.

Comments

Opinion

Govt's priority is to access, not protect, our personal data

government data breach, data surveillance
Visual: Anwar Sohel

Are we really all so nonchalant about the fact that our personal data is up for grabs?

Following multiple cybersecurity fiascos earlier in the year, including the leak of Smart NID Card information of at least 50 million Bangladeshis, the tech magazine Wired has uncovered another disturbing instance of data breach—this time from the database of an intelligence agency in Bangladesh. As per the report, the National Telecommunication Monitoring Center (NTMC) left exposed sensitive personal information for months on end through an unsecured database on its system. The breached data include the names, professions, blood groups, parents' names, phone numbers, call durations, vehicle registration information, passport details, fingerprint photos, personal financial details, national ID numbers, and so on—basically all the metadata that dictates and describes our online (and, by extension, our offline) lives. While some of it was test data, the Wired could verify a sample of real-world names, phone numbers, email addresses, locations, and exam results.

But let's pause for a moment and ask: why does the NTMC have the data to begin with?

The NTMC is a national-level intelligence agency of Bangladesh responsible for monitoring, collecting, recording, and the interception of electronic communication such as phone calls, emails, and social media accounts. Reconstituted as an independent agency in January 2013, from the previous National Monitoring Centre established in 2008, the NTMC has been drastically empowered in recent years to monitor people's personal communication—under the orders of the government of Bangladesh.

Beyond information that we willingly share with various government agencies, such as national ID or passport details, the breached data from the NTMC database also contains such information as which numbers a person may have called and for how long, and the amount of money in their bank accounts. The Wired investigation stated that it was "unclear why the data has been collected, where it has all been collected from, or what it is being used for," concluding that there is "no indication that it relates to any wrongdoing."

The government has made it clear that when it comes to our private data, its priority is to get access to it by any means—but not protect it. It has heavily invested in purchasing surveillance equipment and enhancing the capacities of various agencies to use them over the years. Unfortunately, though, it has not even shown an iota of the same interest in what should have been its priority—protection of citizens' data—as proven time and time again by the numerous data leaks and hacks in this year alone.

The NTMC's mission and objective state that it monitors, collects, and records data "lawfully." But who gets to decide what is and isn't lawful if not the all-powerful government, in the absence of any judicial oversight? What mechanisms are in place to ensure that they don't overextend themselves in pursuit of their own political agendas and interests, and in violation of people's right to privacy? Our constitution guarantees the rights to privacy, freedom of speech, thought and conscience as well as the right to life and personal liberty, but it also allows for "reasonable restrictions imposed by law… in the interest of national security" under Article 43. As per Section 46 of the ICT Act (2006), the government may intercept data in the interest of the sovereignty, integrity or security of Bangladesh, friendly relations of Bangladesh with other States, or public order—but what each of these terms mean, as we all know by now, is open to (mis)interpretation.

We have known for some time now—thanks to investigations by credible international news outlets and watchdogs—that the government has been buying advanced spyware, including from Israeli cybersecurity companies, to snoop on its citizens. In a telling move, the High Court rejected a writ petition that sought its directive on the government to take necessary steps to prevent eavesdropping and recording of private phone conversations in September 2021. In January this year, the government went one step further in legalising their surveillance mechanisms, when home minister Asaduzzaman Khan declared that they will soon introduce an Integrated Lawful Interception System (ILIS) to monitor social media and thwart various "anti-state and anti-government activities." The government, which had wanted to introduce this system ahead of the elections in 2018, is reportedly deploying it ahead of the upcoming general election. Purchased with $2 billion, the ILIS enables law enforcement and intelligence agencies to access the precise location as well as other confidential information of a mobile phone user.

Alarmingly, the telecom companies are legally obligated to participate in such gross violations of the privacy and human rights of their users. According to Section 97(A) of the Bangladesh Telecommunication Regulatory Act, telecommunications companies are bound to obey any order from the government to prevent, record, and collect information of any message or voice call of any user of telecommunication services "for the sake of the state's security or public order." More incredibly still, the money required for procuring and installing the surveillance software and equipment will reportedly have to be borne by the companies themselves—which means, in the end, it is the consumers who will end up paying for their own surveillance.

It's astonishing to think how easily the government has managed to pull all this off. At a time when opposition activists and leaders are indiscriminately being arrested and picked up from their homes and other locations, we can well imagine how such surveillance mechanisms are being used to that end. And it's not just the opposition whose geolocations are at stake. Once such a system is instituted, there is nothing to stop the authorities from using it to monitor and locate anyone they consider a threat, and from the way journalists, students, and academics have been arrested under the Digital Security Act, we can conclude that the range of who they deem a criminal is quite broad and arbitrary.

The government has made it clear that when it comes to our private data, its priority is to get access to it by any means—but not protect it. It has heavily invested in purchasing surveillance equipment and enhancing the capacities of various agencies to use them over the years. Unfortunately, though, it has not even shown an iota of the same interest in what should have been its priority—protection of citizens' data—as proven time and time again by the numerous data leaks and hacks in this year alone. When data breaches take place from the server of the Office of the Registrar General, Birth and Death Registration (BDRIS)—one of the 29 government-declared critical information infrastructures—or that of an intelligence agency—which is supposed to have the most advanced cybersecurity measures in place—it becomes obvious just how vulnerable Bangladesh's whole IT infrastructure is. We are so ill-equipped, in fact, that our agencies can't even bring themselves to respond or react to emails from foreign cybersecurity experts pointing out the leaks on time. Despite the severity of the breaches and the implications they have for the citizens involved, our authorities are yet to hold accountable the agencies in question or take any meaningful steps to bolster their cybersecurity measures.

The government's failure to protect our data is a violation and crime all on its own, for which we, as citizens, should be able to hold it responsible. Unfortunately, avenues for us to sue the government for such breaches do not yet exist. One could have looked to the proposed Data Protection Act for redress in the near future, but in its current form, the bill—even after the removal of the indemnity clause which provided authorities immunity from criminal and civil liability—is an exercise in enhanced surveillance rather than protection. Its insistence on data localisation—requiring all companies operating in the country, including Facebook, Google, Whatsapp, etc, to store their data in the country—would not only mean that the government can access our private data anytime they want on pretexts of national security, law and order, friendly relations, etc, but also makes us sitting ducks for hackers, given the country's proven poor track record.

The problem with an undemocratically elected government is precisely that it is accountable to no one. Whether it is stealing our data, snooping through it, or failing to protect it, citizens seem to have very little say in the matter. And it doesn't help that we would rather just watch reels on social media than worry about who is reading our emails, tracking our location, or accessing our bank details—and, in the process, making a mockery of our democratic and human rights.

Sushmita S Preetha is op-ed editor at The Daily Star.

Comments

বাংলাদেশে ইসলামি চরমপন্থার জায়গা হবে না: ড. ইউনূস

বাংলাদেশে আর কখনো ইসলামি চরমপন্থার জায়গা হবে না বলে মন্তব্য করেছেন অন্তর্বর্তী সরকারের প্রধান উপদেষ্টা ড. মুহাম্মদ ইউনূস।

৭ ঘণ্টা আগে