Transparency International Bangladesh (TIB) and Article-19 have said the ‘Proposed Cyber Security Rules, 2024’ will be a weapon to violate human rights, freedom of speech, and freedom of the press, and called for amending the original act.
TIB and Article-19, in a joint press conference on 'Proposed Cyber Security Rules, 2024: Observations and Recommendations,' stated that despite strong objections from relevant stakeholders, implementing the Cyber Security Rules, 2024 while retaining the human rights and freedom-curbing clauses of the Cyber Security Act, 2023, will not yield fruitful results.
Therefore, before the Cyber Security Rules, 2024 are implemented, the Cyber Security Act, 2023 must be overhauled and redrafted. TIB emphasized that this process should involve meaningful and effective participation from relevant experts and should consider the concerns, advice, and recommendations of all stakeholders involved.
The scope of the proposed Cyber Security Rules is very limited, as 19 rules are a verbatim reproduction of the Digital Security Rules, 2020.
The rules do not adhere to contemporary standards; they fail to adequately define Critical Information Infrastructures and Cyber Security Related Incidents, establish a top-heavy Cyber Security Agency, present a clear organizational structure, or provide an accountable and transparent working procedure.
Additionally, they do not specify the qualifications for relevant human resources, lack provisions for international assistance in information exchange and the Mutual Legal Assistance Treaty (MLAT), and do not meet global quality standards for the Digital Forensic Lab. Furthermore, certain sections on digital evidence are overlooked, and some sections contradict the main law related to digital evidence, creating legal gaps in evidence collection and reporting. Consequently, these rules would not be very effective, stated the two organizations.
At the press conference, TIB Executive Director Dr. Iftekharuzzaman, Adviser Executive Management, TIB, Professor Dr. Sumaiya Khair, and Regional Director (Bangladesh and South Asia) of Article-19, Sheikh Manjur-E-Alam, were present.
On behalf of the two organizations, the observations and recommendations were prepared and presented by Quazi Mahfujul Hoque Supan, Associate Professor of the Department of Law at the University of Dhaka. The press conference was conducted by Mohammad Tauhidul Islam, Director of Outreach and Communication at TIB.
The extent of the proposed rules has been kept limited. Without specifying important definitions and explanations, and the capacity and capability of the manpower, the rules related to the Cyber Security Agency, Emergency Response Team, Critical Information Infrastructure, and Digital Forensic Lab have been set. Furthermore, the definition of cyber security, the organizational structure, manpower, scope of work, responsibilities of the director general and directors of the Cyber Security Agency, and the responsibilities of the National Computer Incident Response Team have been copied verbatim from the arbitrary Digital Security Act and its associated Digital Security Rules, 2020.
This reflects how the lessons learned from the Digital Security Agency have been incorporated into the new rules. Additionally, there are no provisions or sections in the main Act and the proposed rules to ensure the transparency and accountability of the National Cyber Security Agency. Consequently, in the absence of an independent supervisory body, there are risks of violating citizens' privacy rights and enabling arbitrary access by government-controlled agencies.
In the proposed rules, Critical Information Infrastructures have been defined arbitrarily, not by identifying specific sectors, but by mentioning broad categories like “Public Safety or Economic Safety or Public Health” and “National Security or Sovereignty.”
Furthermore, the definition of a cyber security incident is incomplete, as it relies solely on the concept of unrestricted access, failing to consider that cyber security risks can exist even without such access.
Additionally, the cyber security agency is structured with six directors, including a director general, without creating sufficient technical positions to carry out the work, resulting in a top-heavy organization. This imbalance between the number of employees at the top and bottom will create multiple organizational levels, impeding morale and effectiveness due to delays in decision-making, slow information flow, excessive expenditure, and limited empowerment.
The proposed rules do not specify the inter-agency structure and operating procedure beyond the positions of director general and directors. Moreover, there is no mention of how the agency would build stakeholder-based relationships with law enforcement agencies, civil and military intelligence, and public administration and government strategists.
The review of the rules also revealed that the qualifications of cyber security personnel are not clearly or specifically defined, with only the term "specialist in cyber security" mentioned, which lacks specificity. Past experiences have shown that most personnel employed at the agency lacked cyber security capabilities. To meet contemporary standards, these qualifications should be clearer and more specific.
Additionally, a clause on "source money and risk allowance" has been added to the rules, which was not mentioned in the original Act. As this is an important policy-related subject, it should be passed by the parliament through a democratic process. Furthermore, all major attacks on Critical Information Infrastructure in Bangladesh have originated from abroad. International cooperation and information exchange are crucial in such instances. However, the rules do not specify the types of legal, diplomatic, or procedural steps that would be taken to ensure such cooperation between local and international bodies.
Schedule-2 of the proposed rules indicates that the digital forensic process has emphasized device and file system forensics, while overlooking other customized apps and software. The idea of "one solution for all problems" would undermine the objectives and effectiveness of the digital forensic lab. Additionally, the "Evidence Act, 1872" was amended in 2022 to allow all courts in Bangladesh to accept digital evidence. However, the proposed rules do not mention sections 65 Ka and 65 Kha of the amended Act, which define the quality standards for registered evidence.
Highlighting that relevant stakeholders' opinions have not been reflected in the rules, TIB Executive Director (ED) Dr. Iftekharuzzaman stated, “The Cyber Security Act (CSA) is merely the Digital Security Act (DSA) in different packaging, and it is equally arbitrary. The CSA has been implemented following the DSA to use as weapons against the free access to information and free speech facilitated by information technology. The arbitrary elements unearthed in the review of the Cyber Security Act have been further complicated by the proposed rules.
“Therefore, the precondition for moving forward is to overhaul the main Act. We believe it is imperative to amend the Act by considering the advice and recommendations of relevant experts, civil society, and journalists. Additionally, the proposed Cyber Security organization has been given excessive powers, with significant risks of abuse due to the lack of clarity in human resource allocation and organizational management structure.”
“Moreover, the most pressing issue is that the local and international organizations that need to be directly or indirectly involved for proper implementation of the law have not been mentioned in the rules. We do not see any possibility of the goals and objectives of the law and rules being met, and we are concerned that this would only be used as a weapon for controlling the rights of citizens.”
In the press conference, Regional Director of Article-19, Sheikh Manjur-E-Alam said, “We are hasty when it comes to implementing laws. We draft one after another, and none are finalized. Facing backlash locally and globally, the government implemented the Cyber Security Act by merely changing the term from 'digital' to 'cyber' without making any substantive changes. Implementing rules based on a flawed law will not yield any positive results.”
“We still haven’t implemented a data protection law, yet we are working on an AI policy, despite AI being heavily reliant on data. We first need to be clear about our objectives! Instead of ensuring the safety of cyberspaces, we are showing interest in implementing such laws to control freedom of expression, gain access to information and data, and harass people. We must step away from this approach.”
TIB and Article-19 have issued a number of recommendations to make the Cyber Security Act and associated rules more aligned with rights, freedom of expression, and democracy.
These include overhauling and redrafting the Cyber Security Act, 2023, based on the effective participation of relevant stakeholders before implementing the Cyber Security Rules, 2024; maximizing the use of our limited economic, technological, and human resources; defining the minimum personal, educational, and technological qualifications for cyber security officials; establishing legal provisions for enlisting digital evidence from both domestic and international sources; creating an effective and meaningful organizational structure for the national Cyber Security Agency; upgrading the existing forensic lab with modern equipment, software, and human resources, rather than building a new digital forensic lab, with the possibility of establishing a new lab later based on this experience; and including sections in the rules to ensure the protection of human rights so that the national cyber security agency, national Cyber Incident Response Team, and Digital Forensic Lab cannot violate rights through their activities.
