Cyber Security Act: All stakeholders are in the dark


After a prolonged period of public demands, the government has finally decided to abolish the oppressive and restrictive Digital Security Act of 2018. The decision from the government was a sudden event for all the other stakeholders, leaving them embarrassed and uncomfortable. The primary reason is that, apart from the government, the opinions of all stakeholders were neither discussed nor considered during the drafting of the proposed Cyber Security Act 2023. Everyone except the government finds themselves in a grey situation about this law.

Civil society members and groups have been discussing the proposed Cyber Security Act, particularly relating to the provisions on offences, punishment, trial process, and other issues violating the rights of individuals. These discussions have raised significant concerns among civil society members. This is because the proposed law includes provisions for forming institutions that closely resemble those formed under the Digital Security Act of 2018. As there was limited consultation by the government with other stakeholders, implementing the Cyber Security Act and the functioning of the proposed institutions will seriously impair the rule of law, individual liberty, judicial independence, and the fundamental rights of citizens.


While the government and civil society discussions were occurring, the Digital Security Rules-2020 were officially published on 8 March 2020. Stakeholders were silent at that time. The Digital Security Rules and proposed Cyber Security Act postulate forming four institutions. These are the Digital Security Agency, Computer Emergency Response Team and Computer Incident Response Team, National Digital Security Council and Digital Forensic Lab. Other than the Digital Forensic Lab, the officials of the other institutions are not subject to judicial investigation and oversight. Consequently, there exists a significant need for more transparency in the operations of these institutions.

For example, Section 8 of the proposed Cyber Security Act empowers the Director General of the Digital Security Agency to request the Bangladesh Telecommunication and Regulatory Commission to issue orders for a takedown or blocking of any information deemed a “digital security threat.” However, is the Bangladesh Telecommunication and Regulatory Commission (BTRC) solely bound to comply with such orders upon issuance? The answer is no. Chairperson of the BTRC of Bangladesh, Shyam Sundar Sikder, conveyed during an event on 6 September 2021, "BTRC does not possess absolute authority over social media. While we have been bestowed with substantial powers by the law, limitations exist within that scope."

The post and telecommunication minister, Mustafa Jabbar, was also present at that event. The law has empowered the director of the Digital Security Agency to block, filter, and impose censorship on digital content, which threatens security, jeopardises national interest, and impairs religious values.

However, the activities of these institutions are not subject to oversight by a third party to ensure transparency and fairness. Moreover, the officials need to show explanations for removing various social media content, resulting in their immunity and lack of accountability. Due to the absence of judicial involvement on these issues, the whole spectrum remains out of public scrutiny. Written orders are binding on the dominant party. Although individuals are entitled to recourse to law to enjoy constitutional rights, that right has been taken away by the law itself.

On the other hand, the Bangladesh Telecommunication and Regulatory Act 2001 allows interception and surveillance of individuals' communications on the pretext of undermining “national security” and “public order.” They are not subject to judicial oversight in exercising the power to block, filter, monitor and collect user data. As a result, protecting an individual's right to freedom of expression and personal privacy needs to be addressed.

Like our neighbouring country India, Bangladesh also has Computer Emergency Response Teams to prevent cyber-attacks. According to the proposed law, this team in Bangladesh is a statutory body, as in India. Although the Information Technology Rules, 2014 govern the operations and functions of the Computer Emergency Response Team in India, there is no such rule in Bangladesh. Section 9(4) of the proposed Cyber Security Act 2018 only describes the functions of the Computer Emergency Response Team.

It is to be noted that Sections 6 to 11 of the potentially repealed Digital Security Rules 2020 deal with the responsibilities and functions of the Computer Emergency Response Team, the transmission and exchange of digital security information, and measures to be taken in digital security incidents along with office hours and headquarters.

Computer emergency response teams work closely with service providers, social media intermediaries, data centres, bodies, corporations or individuals in the event of a cyber security breach. But even here, there is no involvement of the judiciary. As a result, if these individuals and organisations face retaliation due to the Computer Emergency Response Team, they do not have the opportunity to approach the court. In this process, the simple principles of international and national human rights protection, applicable and enforceable legal restrictions, disclosure of information, and the necessary legal or regulatory obligations to maintain the right to privacy of personal data are absent.

Under the proposed law, Bangladesh e-Government Computer Incidents Response Team and the National Computer Emergency Response Team are supposed to work under the Digital Security Agency. At the same time, Bangladesh e-Government Computer Incident Response Team or BD e-Gov Cert's job is to regularly monitor what steps have been taken to protect vulnerable websites. Still, the proposed law only says how often.

The Computer Emergency Response Team (CERT) recently warned that a group of Indian hackers had threatened a major cyber-attack on Bangladesh ahead of 15 August. However, before and after this warning notification in English, Dinajpur police, Bangladesh Bank, and Chittagong Customs House websites were hit by cyber-attacks. These incidents show the limitations of CERT's activities or ambiguity in the programme and lack of coordination.

On the other hand, as per the proposed law, the National Digital Security Council will provide the necessary guidance and advice to the Digital Security Agency. Although the council comprises the country's highest-ranked officials, their specific responsibilities concerning cyber security could be more precise. If these administrative institutions need to be better integrated into cybersecurity under the proposed Cyber Security Act, then it will be necessary to amend the existing laws. In this context, the Bangladesh Computer Council Act 1990 and the Telecommunications Act 2001 will take precedence.

However, the hope is that, unlike the Digital Security Act, the proposed law does not contain any provision stating that “no lawsuit or criminal case or any other legal action shall be taken against any employee or individual with accountability if any person is harmed or is likely to be harmed as a result of any action taken in good faith.”

Nevertheless, no provision clarifies how the accountability process for these institutions' officials, employees, or individuals will be carried out, especially in cases where someone's fundamental human rights, freedom of expression, and the right to the privacy of personal information are violated. Even the obligation to publish these institutions' annual financial reports is optional. Moreover, something needs to be mentioned regarding the Standard Operating Procedures (SOPs).

We seek parliamentary or independent and impartial judicial oversight or control over administrative powers and the accountability of executive officials. Despite establishing eight cyber tribunals under the Information and Communication Technology Act 2006 to address cybercrime within the cyber domain, the burden of handling cybercrime cases still needs to be manageable. While the idea of forming a Cyber Appellate Tribunal under the law was present, it has yet to be realised even after 18 years.

Furthermore, the proposed rule encompasses provisions regarding arrest without warrant by law enforcement agencies without the approval of the competent authority and the power to seize any evidence related to the commission of a crime using computers, computer systems, computer networks, data or other devices, as well as supporting evidence in the commission of the offence.

Lastly, our National Human Rights Commission exists to hear allegations of human rights violations within the cyber domain. According to Article 12 of the National Human Rights Commission Act 2009, the commission can investigate allegations submitted spontaneously or brought before it. The National Human Rights Commission operates within Bangladesh's administrative, legal, and political constraints. The commission has also faced critical remarks for not taking more initiative to protect the right to freedom of expression in the cyber domain. However, does that mean the officials have been awakened from their slumber?

*Rezaur Rahman Lenin is a rights activist and researcher.