image

15 July, 2023

Press Release

Statement from BNP Information and Technology Affairs Secretary A K M Wahiduzzaman.

Victor Markopoulos, a researcher at Bitcrack Cyber Security, an international cyber security organization based in South Africa, first saw on June 27 that many sensitive personal information including names, phone numbers, e-mail addresses, national identity numbers, etc., of many citizens of the country were unprotected on a website of the Bangladesh government. Complaints have been made that anyone can enter the website and see the name, date of birth, mobile number, email address and NID number by searching on Google. It is being said that the sensitive information of about 5 crore citizens has been leaked this way. Victor claimed that the Bangladesh government's cyber security risk team contacted the Computer Incident Response Team (BGD e-Gov Cert) in this regard and got no response. TechCrunch, a US-based online information technology news outlet, contacted the government's press office, the Bangladesh Embassy in Washington DC and the Bangladeshi consulate in New York City to inquire about the data leak, but TechCrunch has received no response. State Minister for Information and Communication Technology (ICT), Mr. Zunaid Ahmed Palak admitted to the data leak and said that the leak of people's information from the website of a government agency was due to technical weakness, no one hacked the website. Although he did not mention the website’s name, he said that people's personal information was leaked from organization number 27 in the list of Critical Information Infrastructure. As per the government notification, institution number 27 is the Office of the Registrar General (Registration of Births and Deaths).

Bangladesh Nationalist Party-BNP, a political party committed to protecting the public's right to privacy, believes citizens may face various online and offline risks if sensitive personal information is leaked. These risks include online blackmail, creating fake social media accounts, creating fake NID cards or passports or driving licenses or birth certificates, withdrawing money from personal bank accounts or credit cards, cyber-attacks on personal devices, etc. During the fascist government like Awami League, when opposition leaders and activists have been victims of disappearances, extrajudicial killings, enforced disappearances, arbitrary arrests, etc., there is a threat of massive online surveillance against them in the future if the residential addresses and other sensitive personal information of about 50 million citizens are leaked. In particular, cases of election-time disruption of the democratic environment by artificial intelligence technologies such as Cambridge Analytica, through the spread of political influence in various parts of the world, and from the example of Pegasus spyware hacking the phones of various human rights activists, politicians, and media workers around the world, we fear that this type of large-scale leak of personal data before the next general election will put the political environment of Bangladesh at risk and will hinder the way of holding a free and fair election.

On the other hand, the right to personal privacy is protected by recognizing the privacy of communication as a fundamental right under Article 43 of our Constitution. Article 12 of the Universal Declaration of Human Rights 1948 and Article 17 of the International Covenant on Civil and Political Rights 1966 obligate all states to protect the right to privacy. Bangladesh has pledged to abide by all the human rights principles formulated by the United Nations in Article 25 of its Constitution. Unfortunately, the current Awami League government is enacting laws and policies to control citizens’ data more than protect the right to privacy. The Digital Security Act 2018 fails to provide exemplary punishment to officers and employees who fail to protect personal data. The Digital Security Agency can order the removal of any online content that violates the right to freedom of expression by the administrative order of the Director General. The proposed draft data protection law allows for greater control over personal data by providing for the state’s localization of citizens’ data. The proposed OTT content policies will create an unfriendly business environment by regulating content (substances) on YouTube and other OTT platforms, imposing penalties on intermediaries providing information society services, and imposing excessive license fees for providing services on OTT platforms.

In this situation, the Bangladesh Nationalist Party-BNP is expressing deep concern and condemnation regarding the above, and demanding- an investigation into the entire incident and revealing the truth to the people immediately, exemplary punishment of the officials and employees who fail in data protection, and the resignation of the policy-makers related to cyber security. Above all, to protect people's right to privacy and ensure national cyber security, the Bangladesh Nationalist Party-BNP urges the immediate implementation of the following 10 recommendations:

1. Repeal the Digital Security Act and enact three different laws: Cyber Crime Act, Data Protection Act and Cyber Security Act. While formulating information and communication technology-related laws, rules and policies should be formulated based on the general public’s opinions, including human rights activists, political parties, academics, technicians, and professional groups.

2. Signing and ratifying the Convention on Cybercrime and other regional and international data protection principles, such as the United Nations Personal Data Protection and Privacy Principles, European Union's General Data Protection Regulation (GDPR), Asia Pacific Economic Cooperation (APEC) Cross Border Privacy Regulation (CBPR) etc. to be recognized and implemented in the legal framework of the country.

3. Enter into bilateral and multilateral Mutual Legal Assistance Treaties (MLAT) with other states to exchange information on cybercrime.

4. All investigation reports of Bangladesh Bank reserve theft and other cybercrimes should be disclosed immediately to the public under the Right to Information Act 2009, exemplary punishment should be given to those responsible, and ministers, deputy ministers, and government bureaucrats responsible for oversight should be removed from their positions.

5. Establishing an independent, autonomous, 24-hour National Cyber Incident Response Team (CIRT) to ensure national cyber security and entrusting its management to a team of domestic government, private and military information and communication technology experts.

6. Ensuring that all government agencies that store personal data promptly disclose any cyber-attacks to the public and publish transparency reports to the public regularly.

7. Compelling all government and private institutions to follow nationally formulated Standard Operating Procedures (SOPs) to ensure cyber security.

8. Setting specific thresholds for personal data monitoring and ensuring accountability for personal data monitoring activities.

9. Conducting effective nationwide educational programs to develop digital literacy among people.

10. To protect the people’s human rights and ensure the transparency of cyber security activities, all government institutions and law enforcement agencies engaged in cyber security should be brought under judicial monitoring.

News Sender-

(Md. Munir Hossain)

(Assistant Office Secretary)

(Bangladesh Nationalist Party-BNP)