Citizen data server? More like a data supermarket
Need someone's phone number to promote your products or do something similarly invasive? Need a rival's call history to know who they are talking to in secret? Or someone's NID card to open a fake bank/MFS account, or take out loans in their name? Or their driving licence to stage an incriminating scene?
There was a time when these questions would be almost as dangerous to ask as the pursuit of their answers. You would be looking over your shoulder constantly, lest someone catch a whiff of your unseemly interests. The criminal market built around such pursuits was still niche, and the personal of "personal data" still meant something other than just the nature of the data in question—it was a hands-off warning to anyone looking to infringe upon someone else's privacy. But those days are coming to an end.
Today, thanks in large part to the frequent breaches of government websites and servers, there has been a gradual normalisation of data-related crimes, to an extent that hardly do you see anyone raise an eyebrow anymore. Citizens appear to have accepted the fate of their data being inherently vulnerable the moment it is digitised. There has also been a thriving market for stolen data—a hidden domain populated by men trading in secrets—and leading it from the front are apparently government officials themselves: people who are supposed to protect our data.
This was the subject of a recent report published by this daily. As a columnist has rightly assumed, its findings would have "made a much bigger splash" in any other country, but not here. According to the report, citing a letter by the National Telecommunication Monitoring Centre (NTMC), some unscrupulous government employees were stealing sensitive personal data from the national intelligence servers and selling it to some 789 groups and pages on Facebook, Telegram, and WhatsApp. These pages and groups—where questions like the above would be routine—collectively have 32 lakh members and followers. Let that sink in for a moment.
The sheer size of the network, and its disruptive potential, is enough to frighten anyone. It's like a data bazaar or supermarket or, in marketing language, your one-stop shop for all things you. Here, your personal details are up for grabs to anyone willing to pay—to be used and tossed away at their disposal. Even payment is not necessary for information that is already publicly available thanks to previous data breaches and exposures.
The NTMC is legally authorised to monitor all electronic communications in coordination with the telecommunications ministry, BTRC, and law enforcement and intelligence agencies. It stores data related to citizens' NID cards, passports, driving licences, and call detail records. Reportedly, nearly 500 officials of 42 organisations can log in to its National Intelligent Platform (NIP) using their IDs, and access the data for verification and investigation purposes. The digital trail of the latest breach was discovered when the NTMC traced unusually high numbers of logins to the NIP by IDs belonging to two officials from the Anti-Terrorism Unit (ATU) and Rab-6. Both of them are now under investigation for unauthorised data transfers. Previously, two data entry operators of the IDEA 2 project were arrested for similar offences.
The question is, with so many officials and organisations having access to the servers of the NTMC—a platform with a chequered history of handling citizen data—are the four identified the only ones to have abused their login credentials? Knowing how prone to corruption many government employees are, and how weak our data security infrastructure and accountability mechanisms in general are, we cannot be sure. It is more likely that other attempts have gone unnoticed. Although we don't know how many people were or will be affected by the latest breach, the number is likely huge.
Over the last few years, we have had many such data breaches which were usually blamed on outsiders. What will the authorities say now that insider involvement has been found in illicit data sharing/selling? Who will take the blame for this alarming lapse in our data security protocols? For the citizens whose data was sold or otherwise made available, the consequences are not hard to imagine.
A widespread dissemination of their private data poses a severe risk to their security and privacy. NID details, for example, can be exploited to commit various crimes. In the past, we have seen how NID cards were used to open fake bank accounts and obtain loans, or to illegally access government grants. Victims, it goes without saying, may have to pay the price for such identity theft even years after the commission of any crime in their names.
The recent incident has raised fresh alarms both for the victims involved and Bangladesh's data ecosystem. A country that once promised a techno-utopian vision by ushering in "Digital Bangladesh" and "Smart Bangladesh"—with accompanying digitisation—is increasingly seeing its efforts descend into a dystopian nightmare. How the government responds to this scenario will determine the future of those grand visions.
Badiuzzaman Bay is assistant editor at The Daily Star.
Comments