Relabelling the DSA won’t protect citizens from cybercrimes
Last week, British director Daniel Gordon's new documentary Billion Dollar Heist was released. The film highlights the seriousness of cybersecurity issues the world faces today. Unfortunately, the subject of Gordon's documentary is our central bank, the Bangladesh Bank, which was almost robbed of around a billion dollars by hackers in one of the worst instances of cybercrime in the world. Reviews published in some of the leading international newspapers, including The Guardian and The Financial Times, remind us that the 2016 heist remains quite a mystery.
Nearly three years after the heist, our government enacted the Digital Security Act, 2018, promising it to be "an Act to make provisions for ensuring digital security and identification, prevention, suppression and trial of offences committed through digital device and for matters ancillary thereto." But instead, from its beginning, it has been another tool for suppressing free speech and political dissent in the country. According to Law Minister Anisul Huq, as of January 31 this year, more than 7,000 cases have been lodged under this law since its enactment. This means that, on average, 4.5 cases are filed under the DSA each day. The number of people sued and arrested has not been released by the government, but could be speculated to be three to four times the number of cases. This clearly indicates that the DSA has been weaponised to intimidate and harass dissenters.
In more recent years, there have been quite a few instances of serious security breaches that one would have thought could not happen following the lessons learnt from the Bangladesh Bank heist. The latest in this series of shocking failures was a 38-hour shutdown of our NID server and trouble with a few other critical networks following threats from hackers, allegedly from outside Bangladesh. Before this, there was a breach into more than 50 million Bangladeshis' personal information, which remained unnoticed by the local authorities until a South African cybersecurity expert, Viktor Markopoulos, went public with the information (following weeks of waiting) to draw the attention of the authorities responsible for keeping the data secure.
After nearly five years of resisting the demand for scrapping the DSA, both from within the country and from international development partners and rights groups, the government has now decided to replace the law. Unfortunately, the publication of its replacement, named the Cyber Security Act (CSA), is already another disappointment.
In a world where most democracies reform their cyber laws to provide better protection for their citizens' freedom of expression and right to privacy, Bangladesh is moving in the opposite direction and instead criminalising dissent and critical views.
The most contentious provisions of the DSA – which have been viewed as a harsh deterrent to free speech – Articles 21 and 28, have been retained practically unaltered, save for a nominal reduction of sentences. Provisions related to the authority for removal of content, search and seizure of devices, and arrest of suspects without warrants given to law enforcement agencies also remain unchanged. Rights groups have been alleging that such abuses have inflicted great suffering on thousands of activists and innocent citizens, not to mention they caused the death of writer Mushtaq Ahmed under custody.
Despite the reduction of sentences and allowing of bails on a few of the offences which were previously non-bailable, experts have pointed out that the unchanged vagueness and the wider scope of the act's application will likely be the most worrying aspects of the proposed CSA. They have argued that the retention of about nine articles from the DSA will continue to impede independent journalism and freedom of expression and opinion. Changing the name of the law and the implementing agency perhaps symbolises all that is proposed by the government: a simple relabelling of a tool of suppression.
Ministers have said innumerable times that the DSA is not very different from that of most other countries. Some of them even questioned whether digital regulations in Western countries were actually less repressive. In an interview on May 2, Prime Minister Sheikh Hasina told US broadcaster Voice of America's Bangla service that the digital security law does not exist only in Bangladesh, but in all other countries of the world. Furthermore, the PM said that her government was looking into the contents included in the digital laws of other countries, such as the US, the UK, and in European countries. She also added that if it is discovered that there are punishments in the laws of these other countries which are tougher, then those sections in our law, too, will be reformed.
The draft CSA does not hint, however, that the government has examined relevant laws in either the US or the UK. Firstly, under the First Amendment of the US constitution, its citizens enjoy almost unfettered freedom of expression and opinion, be it online or offline. The United Kingdom, prior to January 1, 2021, was a member of the European Union and hence still follows EU principles and legislations in regulating cyberspace, especially in relation to the protection of citizens' rights. There are a number of national legislations in the EU regarding digital security, but all of them are aligned with the Convention on Cybercrime adopted in 2001 (otherwise known as the Budapest Convention) which has been ratified by 68 countries. Currently, negotiations are ongoing to improve it further and make it a global charter. The Budapest Convention states that signatories be: "Mindful of the need to ensure a proper balance between the interests of law enforcement and respect for fundamental human rights as enshrined in the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, the 1966 United Nations International Covenant on Civil and Political Rights and other applicable international human rights treaties, which reaffirm the right of everyone to hold opinions without interference, as well as the right to freedom of expression, including the freedom to seek, receive, and impart information and ideas of all kinds, regardless of frontiers, and the rights concerning the respect for privacy."
Notably, in the digital security laws of other countries, the independence of law enforcement agencies (including police) is such that they can be guided by the law, not the whims of politicians. These countries also have powerful watchdogs which work free from government interference. With fast-changing technology, lawmakers are under pressure to update their legislations more frequently and, as a result, the EU enacted a new Digital Services Act (DSA) last year to make companies more transparent and accountable in relation to protecting citizens' rights (not the political ideology of a party or of the politicians in power). A similar legislation, the Online Safety Bill, is currently being considered by the UK parliament.
In a world where most democracies reform their cyber laws to provide better protection for their citizens' freedom of expression and right to privacy, Bangladesh is moving in the opposite direction and instead criminalising dissent and critical views. As a result, the state is increasingly infringing upon citizens' privacy. Relabelling the DSA as CSA is not the answer to making the law compliant with human rights standards. Our authorities must draw lessons from democracies.
Kamal Ahmed is an independent journalist. His X handle is @ahmedka1