Personal secrecy

Data leak points to govt failure

After the personal information of around 50 million people of Bangladesh, that is around one third of the country’s population, was leaked, the matter was widely discussed in the news media and the social media, but not too much could be learnt about it from the government. Also, questions have arisen about the competence and capabilities of the concerned persons in the government regarding the protection of the personal information of the citizens.

After the leak of the citizens' personal data, from the statement of the ICT state minister Zunaid Ahmed Palak it is evident no one had carried out a phishing attack to filch this information. Technical flaws were the reason and the government had been aware of these flaws. There is no explanation as to why nothing had been done to address these flaws.

Director general of the election commission’s National Identity (NID) registration wing AKM Humayun Kabir, at a press briefing, failed to elaborate on how this leak took place. Under the ICT division, the Bangladesh Computer Council’s BGD e-gov CIRT, that looks after the cyber security of the government, published a press release, but that too had no precise clarification.

There are 171 organisations that collect this data from the government and use it. It is said that the leak was from one of these organisations. But nothing is being said about whether the data security system of these organisations had been checked at first, or if they had any form of certification in this regard. Another matter to be considered is whether there is an effort to place the blame of weaknesses in the government’s information protection system on the shoulders of others.

In context of this personal data leakage incident, certain other matters have come to light, that are so astonishing and alarming that these seem almost unbelievable. One of these matters is that it was on 27 June that Viktor Markopoulos, consultant of the South African-based international cyber security organisation Bitcrack, got to know about the data leak. He sent emails to six offices in Bangladesh to inform the Bangladesh government of the matter, but received no reply. That means the concerned persons were incapable of grasping the significance of the matter or they had no idea what was to be done. This raises questions on the competence and capabilities of the concerned persons. If this is the manifestation of the ‘Digital Bangladesh’ that Bangladesh has been harping on for so long, but skills haven’t been developed to detect such leaks or at least to do something after being informed about it, then the people have all reasons to be concerned.

If your personal information is used to commit a crime, you will bear the blame. There is also the risk of the money in your bank account disappearing

The government has formed a committee to look into the matter and submit a report within seven days. But there is very little scope for hope when an inquiry committee is formed in Bangladesh in any incident. It is never even known what report these committees eventually come up with.

It has already been widely discussed as to what dangers the citizens may face with such an extensive leak of personal data. If your personal information is used to commit a crime, you will bear the blame. There is also the risk of the money in your bank account disappearing. The government till now has taken no visible initiative to inform the people what to do in such a circumstance, how the government will provide assistance and who the citizens should approach. The citizens gave the government their personal information, but from its behavior, it hardly seems like the government has any sense of responsibility in this regard.

This incident not only indicates technological weaknesses and the government’s failure to carry out its responsibility, but it also brings forward a political question. Over the last few years, whenever various personal information and data of critics of the government have been leaked in the media and social media, authorities have blatantly encouraged this rather than protect the secrecy of the citizens.

On the other hand, when there is any criticism of those in power or any statements made about them, this is termed as defamation and cases are filed under the Digital Security Act. From the behavior of the government and the ruling party, it is apparent that they are unwilling to make the slightest compromise when it comes to safeguarding their personal secrecy or dignity. And it is not as if the accused have always received recompense when they turn to the court.

There is no legal provision in Bangladesh to protect personal information. The question of data protection has long been raised and the government has drawn up a draft of a data protection act. But the draft of the data protection act that was published this March, has no clarification of what personal data entails and how it will be protected. The proposed law does not have any provision for a person to resort to the court if their personal rights are infringed upon.

One of the main objections that has been raised over the past two and a half years during discussions on this law, is about all sort of information being kept with a government-controlled agency. Raising objections about this, Transparency International Bangladesh (TIB)’s executive director Iftekharuzzaman said, “If everyone’s information is kept with a an agency controlled by government authorities, how is that protected? How secret will that remain? In a country where democracy hasn’t been consolidated, the government can easily misuse this if it so wishes.” (BBC, 23 March 2023).

It seems that the dangers of the government’s misuse hangs over the head like a sword, and on top of that, there is no secrecy or security. The objective of the laws that the government has enacted and wants to enact ostensibly to protect the personal information of the people and ensure their safety in cyber space, do not really aim at protecting the people. The government is more eager about these laws from political considerations, than that from the considerations of people’s interests.

The leak of citizens’ personal information has revealed the weaknesses in the country’s data protection. Undoubtedly it has shown how fragile the technological infrastructure is, and the government cannot avoid taking responsibility. It is important to refrain from simply putting the blame on technology.

The citizens must also be alert that advantage is not taken of this situation in order to hastily pass the flawed draft of the data protection act. We hope that those who work in protecting citizens’ rights, remain alert in this regard.

 * Ali Riaz is distinguished professor of Illinois State University’s department of politics and government, non-resident senior fellow of the Atlantic Council and president of the American Institute of Bangladesh Studies

 * This column appeared in the print and online edition of Prothom Alo and has been rewritten for the English edition by Ayesha Kabir