Information Society, Security and Human Rights
The information society begets digital risks. The Digital Bangladesh is no exception to this. Encountering digital risks requires both technical and legal tools. The ICT Ministry is in the process of creating a legal tool, a cybersecurity law. The Ministry has uploaded a draft law on its website for public discussion and deliberation. Does the draft law include provisions to deal with potential cyber-threats? Does it compromise human rights in securing the cyberspace?
Before we respond to these questions, we need to discuss what cybersecurity means. My book titled Internet Governance and the Global South published by Palgrave Macmillan from the United Kingdom in 2014 shed some light on this issue. I cite it here for you to grasp the issue. The cyberspace is made of Internet infrastructure (i.e., computer, computer systems and networks) and users (e.g., individuals, businesses, and state machineries). The Internet which provides the base for many critical infrastructures in the information society, such as for data transmission, power generation, transportation and finance as well as banking, may be a victim of or a tool for crime or terrorism through ‘malicious’ actions. Any cybersecurity law should define the crimes and punishments, determine an investigation authority with its power and jurisdiction, and identify the court to settle cases.
The draft law has similarities with the Sri Lankan Computer Crime Act, 2007 and the draft Pakistani Electronic Documents and Computer Crimes Prevention Act, 2014 awaiting adoption by the Pakistani parliament. Similar to the Pakistani law, it talks about creating a cybersecurity authority to ensure the security of the computers, computer networks and curb cybercrimes (i.e., section 5). This agency will have the authority to monitor cybercrimes, financial transactions through computer networks, collect reports related to cybercrimes from the network operators, and impart cybersecurity training to the employees of different network service providers. While the Pakistani law specifically mentions a time limit for forming such an authority, the number of members, and the qualification of the members, our law is silent about these matters.
The draft Bangladeshi cybersecurity law identifies computer fraud, identity theft and impersonation, cyberterrorism, violation of privacy, and production, distribution and watching pornography as crimes and recommends punishments for committing these crimes. Computer fraud is defined as unauthorised access to any computer or computer system or network with a view to harming the owner of the computer or the system or making financial gain by modifying, distorting or deleting any data. Spamming someone with an intention to harm him or her financially is also counted as a crime. Identity theft includes stealing one’s identity to cheat or impersonate other people to make financial or material gain by using a computer or a computer system or network.
Cyberterrorism occurs when the activities of the government or a government agency or an official is obstructed by terrorising people to jeopardize national security, sovereignty, solidarity and public order by using a computer or a computer network or by barring someone from accessing a computer, computer system or network. Unauthorised access to a computer, computer system or network, abetting and instigating someone to do so, and abusing someone’s computer, computer system or network with a view to impeding public order and state security are also counted as cyberterrorist acts. Under the draft law, other cyberterrorist acts include spreading viruses to a computer system, jeopardizing the security of a foreign country, damaging the property of a foreign country, and obstructing an international organisation from doing its work by abusing computers, computer systems and networks.
According to the draft law, one’s privacy is violated by capturing a private picture of that person without his/her permission and disseminating such pictures. Private pictures refer to nude and half naked images of a person and images showing a person on underwear or briefs exposing their private parts. The law also criminalises the creation and distribution of pornography and accessing pornographic sites. The law recommends discreet punishments for all the above crimes.
This draft law needs to be revamped because some of its provisions are obscure such as the provision for creating an investigation authority and some provisions such as the provision for search, seizure and arrest without warrant and the provision making the offences nonbailable raise eyebrows. It also needs to accommodate a few more issues. The law needs to further elaborate the section related to the investigation of the offenses (i.e., Section 17). This section can be strengthened by having options for creating an investigation team including computer hardware and software experts. Cybercrimes are specialised crimes which a police officer may not be able to handle. Both the Pakistani and Sri Lankan law have provisions to form investigation teams by incorporating technical experts.
The Bangladeshi draft law, similar to both the Pakistani and Sri Lankan law, gives an investigator authority to search any place, seize any computer or data, and arrest anyone without warrant if they have the reason to believe that a cybercrime is happening. Sometimes it may be necessary for the law enforcement agency to conduct a search and seizure and arrest someone without warrant but there is also a risk of misusing this provision. Similar to the Pakistani law, the draft law makes all the cybercrimes nonbailable. Bail, defined as some form of property deposited or pledged to the court to release an accused or a prisoner from the custody with a condition that he/she will show up in the court whenever required, has been treated as a fundamental right of the accused in Bangladeshi legal tradition. Bail is admitted to save an innocent from imprisonment. The court is believed to consider an accused innocent until he/she is proven guilty. However, there are some nonbailable offences according to the Bangladesh Code of Criminal Procedure (CrPC). For example, no bail is granted when the accused may be guilty of an offence punishable either by death or imprisonment for life. However, exception to this is also made if the accused is below sixteen years of age, a woman, or a sick person. Making all the cybercrimes nonbailable, the law takes the harshest route to resist the crimes and allows critics to say that a fundamental right has been taken away from the accused. So, as per our legal tradition, it would be wise not to make the offences nonbailable and leave the issue of bail to the discretion of the judges. Moreover, it is also harsh to treat the production and dissemination of pornography and accessing pornographic sites as crimes of the same magnitude. On the one hand, the law keeps provisions to punish people for violating other’s privacy, but on the other hand, it creates opportunities for the cybersecurity authority to violate privacy through seamless monitoring of all computers, computer systems and networks.
The law should accommodate provisions for creating cybersecurity response teams to deal with cybersecurity emergencies. Many countries such as the US, the UK, Pakistan, and India have such teams with legal mandates. It should also have provisions to adopt measures to develop mechanisms to make people aware of cybercrimes. Without public awareness and cooperation, no law or entity will be able to eliminate cybercrimes.
I believe the law has been drafted in good faith to protect computers, computer systems and networks as well as users from being abused but it should not turn into a tool for violating privacy and human rights.