On March 28, the Bangladesh government approved the project titled “Cyber Threat Detection and Response” under which internet monitoring equipment will be installed by May of next year. This is in response to tackling cyber crimes and the growing threat of militancy which is gaining ground in the internet through propaganda. This new sophisticated equipment will apparently enable the government to keep watch on internet users 24/7.
At this point, we don't have much information to work with, but whatever we know so far is disturbing enough to be concerned about the future of internet privacy in the country.
I am specifically talking about deep packet inspection (DPI) technology which is the centerpiece of this project. According to a report in this newspaper, the project will cost a whopping Tk. 150 crore of taxpayers' money and the government plans to set up 35 DPI machines, of which four are “very powerful”.
First, let's get one thing straight. This isn't just another Digital Security Act or ICT Act (although they are not completely dissimilar in terms of the threat they pose to internet privacy and the fundamental right to freedom of speech). We are talking about round-the-clock internet surveillance using a type of technology (which at first may just sound like harmless technical jargon) that has the potential to infiltrate the web and log people's digital footprint on a mass scale. With DPI technology, the lines between mass surveillance and noble intentions of curbing online radicalisation and tackling cyber crimes can, and most likely will, be blurred. Perfectly law abiding citizens are at risk of being “monitored” through their personal data and internet activity.
So, what exactly is DPI?
Deep packet inspection is a kind of computer network packet filtering that looks at the contents of the data being sent and re-routes it accordingly. An article titled “How deep packet inspection works” in Wired explains in layman terms how DPI technology functions. Computers gather the information you intend to send to someone in 'packets', which have a label on them called a 'header' which includes the type of information, sender and receiver. Normally, these data packets go unmonitored and the messages simply go from point A to point B. But when a network provider uses DPI it essentially means the contents of these packets are opened up for inspection according to a set criteria – which can be as innocuous as scanning for a virus or something more sinister such as internet censorship or eavesdropping. The criteria could include keywords that the scan picks up, and the contents are sometimes logged and re-routed if they pass the criteria.
To understand how DPI works, imagine a postal worker opening up a letter and reading it before it is sent to the intended recipient. Although DPI has many useful purposes, such as preventing illegal file sharing and prioritising certain types of traffic that are bandwidth dependent, it is also one of the most intrusive techniques of online surveillance.
In August 2011, when Libya's uprising had already turned into a full-blown civil war, Wall Street Journal published an article exposing a security unit – part of a “broad surveillance apparatus” – located in the Libyan capital of Tripoli. The unit, found in the deserted compound of Gaddafi's secret police, was “lined with posters and English-language training manuals stamped with the name Amesys, a unit of French technology firm Bull SA.” Amesys sold DPI technologies to Libya to help the Gaddafi regime spy on Libyan citizens and political opponents. Chinese telecom company ZTE Corp and a small South African firm by the name of VASTech also provided technology to monitor operations and tap international phone calls, respectively.
The Journal also reported that back in 2008, Nokia Siemens Networks, a joint venture between Germany's Siemens and Finland's Nokia, installed monitoring equipment in Iran's national telecommunication network that allowed for the state to conduct DPI. (However, the Journal couldn't confirm whether the equipment is used specifically for DPI.) Iranian authorities reportedly unlocked the equipment's full capabilities after protests broke out around the country over the presidential election of 2009 that was marred by controversy and claimed to have been rigged by all three opposition candidates.
The use of DPI technology for dark purposes is widespread around the world – from China to USA, from Russia to Bahrain. Whether it is used in the name of blocking websites of child pornography (like Russia) or banning foreign social networking sites (like China) the common thread has always been the curtailment of political speech.
The post-9/11 world is one of heightened surveillance. Collecting massive amounts of computer-accessible information has become a favourite tool for governments in the war on terrorism. The terrifying reality is that snooping on emails, Facebook chats and Viber calls is extremely easy. And let's not forget that tech brokers who enable this shadowy practice are part of a booming industry. Internet surveillance is to tech companies what wartime is to arms producers and military service contractors – a propitious time for soaring profits and stock prices. As the relationship between national security and individual liberties becomes murkier, state surveillance, policing, and control gain favour globally.
Apart from the use of DPI technology, the scale of the proposed government project and the enormity of its budget are also worrying. When you take into account that 141.5 million people in the country are internet-deprived and a paltry 13 percent of the population are internet users, a large portion of whom limit themselves to Facebook, YouTube and online games, it does not make sense why Tk 150 crore is being devoted to get this project up and running.
The implications of the Cyber Threat Detection and Response project for internet privacy and data protection are unlike anything we have ever seen before. More so because in light of the absence of internet privacy and data protection laws, the government has enormous power over the use of citizens' personal information and internet activity since nothing demarcates lawful use of user data from its unlawful use.
The writer is a member of the Editorial team at The Daily Star.