NID server at risk: No arrangement for alternative backup
The National Identity Card (NID) server under the election commission (EC) contains the personal information of approximately 120 million citizens. However, at present, there is no Disaster Recovery Site (DRS) or adequate backup system in place for this critical database. Officials involved expressed concerns about the vulnerability of this national database due to the absence of a DRS.
The issue regarding the NID database emerged at a recent meeting of the information technology implementation committee of the election commission. Individuals familiar with the matter revealed that the NID database encompasses approximately 30 categories of personal information of around 120 million voters. Moreover, there are around 171 public and private organisations that rely on this EC database for continuous information verification services.
In a recent incident, the website of an organisation utilising services from the EC experienced a data breach, resulting in the leakage of personal information belonging to hundreds of thousands of individuals. This incident sparked widespread discussion over the safety and security of digital information management in the country.
In the absence of a Disaster Recovery Site (DRS), the destruction of the NID database due to natural disasters or other unforeseen circumstances poses a significant risk of losing a vast amount of information concerning numerous individuals. Although an alternative storage system (backup) has been under discussion for a considerable period, it has not been fully established yet. Although the Bangladesh Computer Council (BCC) is currently involved in data backup, EC officials express concerns that this measure is not sufficient.
As per reliable sources, a meeting of the Implementation Committee of Information Technology in the election commission regarding the NID, voter list, and election management took place on 4 June. During the meeting, Brigadier General Abul Hasnat Mohammad Sayem, the director of the EC’s Identification System for Enhancing Access to Services (IDEA) project (second phase), highlighted the risks associated with the national database. The NID processing is carried out through this project.
The project director said in the meeting that the national database is at great risk as there is no alternative DRS at present. He added that the Bangabandhu Hi-Tech Park located in Gazipur has been directed to ensure only safe data backup of the national database. Once the agreement is signed, the DRS programme will be launched on a limited basis. Nevertheless, it is necessary to take initiatives right away for the establishment of an active DRS (both servers operating simultaneously) to safeguard the national database.
During the meeting, Ahsan Habib Khan, an election commissioner and chairman of the implementation committee of information technology, stressed the importance of promptly securing the physical, information, and cyber aspects of the national databases. He expressed concerns that any damage to the server, whether caused by natural disasters or other reasons, could potentially disrupt the entire digital management system of the country.
Abul Hasnat Mohammad Sayem, the director of the IDEA project, stated to Prothom Alo that the establishment of the DRS is currently in progress. He clarified that although there is a backup option available under BCC for disaster recovery, it is deemed inadequate. A rented space in Gazipur has already been allocated for the implementation of the DRS. While a DRS will be set up there, it will not be an active DRS. Furthermore, efforts are underway to establish another DRS in Cumilla.
In response to the question of whether it is dangerous not to have a DRS for the national database, the project director said that a DRS must be available and that not having a proper one is definitely a risk.
In 2007, the election commission under ATM Shamsul Huda initiated the process of creating a voter list with photographs and issuing National Identity Cards (NID) to voters. Currently, around 30 types of personal information are collected, including the voter’s name, parent’s name, address, date of birth, educational qualification, and photograph. Additionally, voter’s fingerprint, iris recognition, and digital signature are also recorded. All this data is stored in the NID server maintained by the election commission.
According to EC sources, the commission led by Shamsul Huda had initially planned to establish backup servers in Gazipur and Jashore. However, these backup servers have not been activated thus far. On 9 July, the EC nominated three officials to engage with the Bangladesh Data Centre Company Limited for the purpose of setting up the DRS.
IT expert Suman Ahmed Sabir told Prothom Alo that the NID server is very important and supports a wide range of services including banking operations and SIM card sales. He stressed the necessity of a Disaster Recovery Site (DRS) for such a database, stating that there is no alternative to it. Sabir highlighted the potential dangers of not having a DRS for the NID server, underscoring the importance of a live backup system where both servers operate simultaneously. This ensures that if one server is damaged or compromised, the other can seamlessly take over its functions.
*This report, which originally appeared in the Prothom Alo print and online editions in Bangla, has been rewritten in English by Farjana Liakat