Uncertainties Abound
What the Digital Security Act leaves unsaid
Being a visionary of Digital Bangladesh since 2008, our current government has achieved much success and overcome digital divides in order to ensure access to internet at the upazila/thana level in the country. With Robot Sophia's tour to Bangladesh, the upcoming launch of Bangabandhu satellite, the under-construction Bangabandhu Hi-tech Park, and emergence of app-based services like Uber and Pathao, the government is trying to keep pace with a growing tech-savvy world in which Artificial Intelligence and Big Data are some of the core aspects of the Fourth Industrial Revolution.
But the government also seems interested in capitalising, regulating and securitising the online space more and more which might lead to curtailing of fundamental freedoms of citizens online. At a time when debate on the problematic Section 57 of the ICT Act hasn't yet died down, the proposed (and Cabinet-approved) Digital Security Act (DSA) is the latest addition to this controversy.
One wonders why the government despite having a similar law—ICT Act 2006 (amended in 2009 and 2013)—has approved the draft for the DSA. The use of the word "security" in the name of the law itself reminds us of the term "neoliberal legality" which includes enacting laws that enhance militarisation and securitisation in the online space by nation states in the post-9/11 era.
It remains unclear as to whose security the DSA is concerned about. Because the definition of "security" itself is not comprehensive in the draft of DSA (published in 2017). I could not find the latest draft online which has been approved by the Cabinet (or am I missing something?). After having browsed through different national daily newspapers, I got the idea that this draft is based on the one published in 2017.
Why this secrecy? Why keep citizens in the dark? "Security" is a strong word which has social, political, economic, cultural, historical and technical aspects which, in view of human security, seem to be missing from the DSA.
DSA also lacks a comprehensive definition of the words "cybersecurity" and "cybercrime." It also does not include non-legal taxonomies of cybercrime which are cyberpiracy, cybertrespass, cybervandalism, sextortion, sexting, cyber-based violence against women, etc. So how can we expect that the DSA will protect citizens and the government from multidimensional cyber threats? Moreover, it is still not clear how far the DSA is aligned with the National Cybersecurity Strategy of Bangladesh (enacted in 2014).
One major loophole of Section 4 of the proposed DSA is that it might not have clearly defined the jurisdictional issues. Take for example, Mr X, a resident of Brazil, who has gained unauthorised access to the website of a British resident called Mr Y. X gained remote access to Y's web server through a hacked computer in South Africa while using a VPN service in Greece. Y hosts his website at a hosting provider in the Netherlands. X hacked the website in order to spread ransomware to computers that are vulnerable to a particular trait of Adobe software. Now imagine that the ransomware has infected the computers of thousands of people in Bangladesh, the US and Germany. Infected computers connect through Tor to a command-and-control server which has been hosted at a hosting provider in Bulgaria. And X himself connects to his server through his VPN server in Greece. Now, in a situation that is so highly complex, which law will apply? Bangladesh's laws or the laws of those countries? The DSA remains unclear on such issues.
The Fourth Industrial Revolution is the age of intelligent machines and networks. Artificial intelligence, virtual and augmented reality, Internet of Things (IoT), machine learning, Big Data and net neutrality are some things that no nation can overlook in this era. The DSA, however, seems to not have addressed these core issues which are integral to our fundamental freedoms and right to privacy in the digital sphere. On the one hand, we are hosting fancy conferences in the presence of AI robots like Sophia, and on the other hand, we are not even ready to realise the benefits of technological development due to lack of updated and integrated national policies, strategies and guidelines.
According to the United Nations Human Rights Council (Resolution No. 68/167), all the rights ensured offline must also be ensured online. And one of the important aspects in ensuring these rights offline is "due process." Due process says that established laws and principles must be followed during any official act to ensure that the individual's rights are not infringed upon. The same well-established principle of law is also applicable online, which is known as "digital due process." But the DSA does not address this crucial aspect. For example, there is no mention of purpose specification, purpose limitation, privacy by design, safety of cloud storage, etc. These are essential elements needed to protect the privacy of communication and associated data, while allowing surveillance by government agencies to enforce the laws, respond to emergency circumstances and protect citizens.
The DSA is also silent about the principle of necessity, principle of legality and principle of legitimate aim which the judiciary can invoke while reviewing restrictions on freedom of expression online put in place by the state. Moreover, the law seems totally absent of the issues of politics of algorithm, digital divide, net neutrality, etc., which are some of the burning issues in a post-Brexit and post-Trump world. The proposed law also seems to be unaware of the sovereignty of nation states in the internet—which is a recent topic of debate around the world.
I hope that the government takes into serious consideration making the draft available online so that citizens can read, scrutinise and share their thoughts on the draft. I also hope that the government accommodates constructive suggestions in this proposed law in order to make it a rights-based, inclusive and comprehensive statute.
Md Saimum Reza Talukder is Senior Lecturer, School of Law, BRAC University.
Email: piash2003@gmail.com