Pegasus controversy and cyber security in Bangladesh
The controversial Pegasus surveillance spyware has shaken the cyber security of the world sparking global outrage. Over the years, journalists, political leaders, civil society activists and human rights campaigners have voiced their concerns over tapping and data hacking of their communication devices through sophisticated spyware.
A recent string of exposures of Israeli cyber-espionage firm, NSO group's Pegasus Project spyware surveillance of around 50,000 people by the Forbidden Stories and Amnesty International along with 17 media groups, including the Guardian, the Washington Post have unearthed how Pegasus was used to extract information from mobile phones of journalists, politicians, and rights activists.
Surprisingly, the Israeli made Pegasus spyware device is used as spyware weapon by nearly 50 government agencies across America, Europe, Africa, and Asia including India, Pakistan, and Bangladesh to deal with individuals dissenting against the government. It has been possible due to lack of cyber security laws to deal with surveillance technologies.
According to UNCTAD, 128 out of 194 countries have put in place laws to secure the protection of data and thereby of privacy. Across Asia, only a few countries including China, Vietnam, and Singapore have dedicated cyber security laws while others have traditional cyber laws focusing digital data safety of civilians, government bodies, and e-commerce industries.
Regarding Bangladesh, we do not have a cyber security law except the conventional Information and Communication Technology (ICT) Act, 2006 and the Digital Security Act (DSA), 2018. In the wake of ultra-advancements in surveillance techniques over the last 10 years, the existing legal structure is not sufficient to cope with the newly manifested threats.
As of today, in Bangladesh, any sort of spyware is illegal because spyware or malware enables cybercrimes under the ICT Act, 2006 and the DSA, 2018. In order to check the misuse of surveillance technologies, the existing cyber law needs to be amended or a dedicated cyber security law should be enacted.
Article 43(B) of the Bangladesh Constitution, 1972 safeguards citizens' privacy of correspondence and communication. Section 63 of the ICT Act, 2006 provides penalty for disclosure of confidential and private electronic record, book, register, correspondence, information, document, or other material without consent of the person concerned. The punishment for unlawful disclosure of such records may extend to two years of imprisonment or fine up to Taka two lakhs.
The DSA, 2018 as a form of cyber security law, aims to promote confidentiality and integrity with the target to protect individuals' rights and privacy, commercial interests, and data protection in the cyberspace. Section 26 of the DSA terms personal data as identity information requiring individual's explicit consent or authorisation to be obtained for collecting, selling, preserving, supplying, or using. Any violation of such provision is punishable with five years of imprisonment, or fine of Taka 5 lakhs and in case of repetition of the offence, the penalty increases up to 7 years of imprisonment or fine of Taka 10 lakhs. Under section 34, the DSA treats hacking as a seriously punishable offence with imprisonment up to 14 years or fine up to Taka 1 Crore or both.
Section 71 of the Telecommunications Act, 2001 penalises for eavesdropping telephone conversation with six months' imprisonment or fine of Taka 50 thousand. But the amendment of the law in 2006 exempts the law enforcement agencies on the grounds of state security or public order under section 97A. Under sections 407, 408, and 409, the Penal Code 1860 penalises the violation of privacy through criminal breach of trust.
Article 17 of the International Covenant on Civil and Political Rights (ICCPR), 1966 to which Bangladesh is a party, provides that no one shall be subject to arbitrary or unlawful interference with privacy, family, home, or correspondence.
Undeniably, interception and monitoring are important tools for the Government in targeting opponent voices undermining digital rights and liberties including the data security and right to privacy. The Pegasus scandal is an incident that has shaken as well as shattered all stakeholders intending to take the internet and cyber security for granted. This episode is a wakeup call for Bangladesh to adopt appropriate strategies to deal with the constant challenges of surveillance technologies.
In today's data-driven world, amid advent of newer technologies like artificial intelligence (AI), Internet of Things (IoT), Big Data, and Blockchain, the upcoming years ahead, the country will be crisscrossed with numerous distinct challenges on cyber ecosystem requiring adoption of adequate measures to prevent unauthorized misuse of surveillance and interception. A holistic perspective to strike a balance between protecting sovereign interests and digital liberties and rights of individuals is the need of time.
The writer is Independent Researcher on Law and Human Rights Issues based in Dhaka.