A Chipped Tooth: Right to Privacy in the Internet era in Bangladesh

Privacy is an edgy topic suffering from historical neglect, but is rapidly becoming all-important with the proliferation of the internet, increased social media consumption and escalating surveillance efforts.

It is an inalienable, non-negotiable and sacrosanct right of every individual. Notwithstanding this, over the last few decades both the conception and perception of privacy have been diluted considerably, due in no small part to technological advancements and internet connectedness.

According to reports published by Statista and DataReportal, around 4.66 billion people (or about 60 per cent of the global population) are now online.

In Bangladesh, according to statistics published by the Bangladesh Telecommunication Regulatory Commission, in November 2021, around 116.53 million mobile phone subscribers and 10.07 million broadband users had active internet connections, taking the total number of active internet subscribers to an astounding 126.60 million.

On a comparative scale, the numbers have increased by approximately 18.44 per cent compared to the figures from March 2020.

However, the actual number of consumers of digital services and content is likely to be far less as these statistics are based on the number of individuals who accessed the internet at least once in the preceding 90 days, which may not necessarily reflect the actual number of active consumers.

At the very least these figures represent the approximate, and increasing, size of the overall consumer market, and provide insight into the amount of data belonging to Bangladeshi citizens that could be generated, collected and processed by local and offshore service providers.

From a constitutional standpoint, the right to privacy of correspondence and other means of communication is recognised as a fundamental right in Bangladesh, which in the digital era extends to both online and offline platforms.

But in the 50 years since the constitution was adopted, no substantive privacy legislation has been enacted in the country. As a result, privacy infringements remain a common phenomenon.

A strong case could therefore be made that Bangladesh should, sooner rather than later, introduce a robust framework to protect its nearly 170 million citizens from internal and external privacy threats, compromise and corruption.

But what of the situation on the ground?

Every time we use the internet, we leave behind virtual footprints which corporations and governments can collect to use and process by exercising their extensive mandates.

One might say this level of control exemplifies the Promethean fire: it can be used for good or evil.

Bangladesh, albeit a little late in the game, is slowly but surely moving towards a data-driven society, where big data could be used to diagnose problems, design solutions and deliver outcomes.

However, admittedly, there is very limited hard data on privacy compliance in Bangladesh, making it difficult to delineate the landscape with cut-and-dried figures. Nonetheless, there is sufficient evidence to shed light on the country’s prevalent privacy culture.

For instance, earlier last year, the media beguiled its viewers and readers with sensational content for months.

Over and over again, several media outlets brazenly portrayed female personalities like Shamsunnahar Smrity, alias Pori Moni, and Sabrina Arif Chowdhury in an unflattering light. At the time, the two often had their personal lives thrust into the media limelight; and consumers consumed big time, on both online and offline platforms.

Admittedly, one of the most complicated and controversial intersections of privacy and free speech considerations occurs on the doorsteps of public figures. The rising popularity of one’s public persona automatically unfurls the curtain to their private life, to the extent that the individual’s life is treated as a commodity of sorts, to be viewed, sold and consumed with impunity.

While it is implicit that celebrities trade off privacy for recognition, such scandal-mongering and irresponsible behaviour violate not only the basic tenets of journalistic ethics, but also the legitimate expectation of a citizen in respect of his privacy.

Interestingly enough, the problem and its solution are both embedded in Bangladesh’s constitutional framework.

While the media has the fundamental right to publish and inform the public about matters that are newsworthy, the content must not defame any person, encroach upon decency or morality, incite an offence, or otherwise amount to contempt of court.

From recent events, it is ostensibly clear that discretions exercised by some enterprising journalists fall foul of the constitutional limitations. As a result, public interest litigation was filed in August 2021, where the court, whilst summarily dismissing the case on procedural grounds, reprimanded the government authorities for their apparent failure to take appropriate actions to remove such scurrilous content.

In all fairness, such phenomena are not unique to Bangladesh.

But a clear jurisprudence around celebrity rights has evolved in many jurisdictions on the basis that they should have the right to exercise control over commercial exploitation of their own lives. This includes their images and identity, to the exclusion of others, which allows recourse for privacy infringements under intellectual property, defamation and privacy laws.

For example, in December last year, Meghan Markle, the Duchess of Sussex, won a lawsuit and received a symbolic £1 in damages and public apology from the Mail on Sunday for privacy violations.

Across the border in India, Sourav Ganguly secured a financial settlement nearly a decade ago from a leading conglomerate for the unauthorised use of his name in an advertisement.

Another emerging concern around individual privacy comes from fabricated content or deepfakes.

Advancements in animation technology, machine-learning techniques and augmented virtual reality now allow the manipulation of pictures, video and audio using artificial intelligence to make it appear that a person said or did something that he never said or did.

These online tools can swap or synthesise faces, body movements, expressions and speech to such a level of flawlessness that it is now becoming overwhelmingly difficult for victims to assert privacy violations, especially in the absence of authentication solutions.

And increasingly, this tool is being used for sinister purposes.

Not too long ago, only the big-budget studios could afford to create movies using this technology. Back in 2015, the face of Paul Walker was superimposed on his brother to imitate the deceased actor in Fast and Furious 7.

An American director ventriloquized and created a photorealistic fake video of Barack Obama cursing and calling the then President Donald Trump a “total and complete dips—” in 2018.

While deepfake content was initially only about public figures, nowadays it is being used by and against ordinary people. Many consumer applications offer advanced functionalities like face swapping, lip-syncing, puppet-mastery, attribute synthesization and audio manipulation.

Now, with these readily available software and mobile applications, even a 14-year-old in his mother’s basement with a smartphone can create fabricated content.

For privacy advocates and policymakers, access to these tools in the consumer market rings alarm bells. In many countries, this technology is already being used to create non-consensual pornographic deepfakes (of both celebrities and regular folk).

In Bangladesh, using this technology for political satire, spreading misinformation on the internet and cyberbullying is gaining traction.

In an era of unmoderated social media interactions and unrestricted access to online content, the multifaceted ramifications of this technology include reputational damage, psychological trauma, law enforcement risks against victims, intellectual property rights violation, political scandals, and creation of a shadow market for false identity and pornography.

In Bangladesh, while the Digital Security Act, 2018, and the Pornography Control Act, 2012, criminalise impersonation and pornography, these laws are not fit for purpose in counteracting deepfakes and other emerging internet crimes.

In fact, most other countries are yet to implement effective laws to insulate victims from such invasive privacy violations. In several jurisdictions, defamation lawsuits and privacy tort are the main recourse.

However, trials are fraught with evidential issues, there is a dearth of qualified lawyers and forensic experts, and oftentimes the creator of the content cannot be located. Most importantly, a trial can be perverse to the victim’s privacy, as the public and media will have full access to materials and evidence submitted to the court.

So, what’s the solution?

Put simply, proactive judicial intervention and enactment of data privacy legislation are the answer.

Bangladeshi courts have, every now and then, been vocal advocates of the citizens’ privacy rights.

In 2019, the High Court Division of the Supreme Court of Bangladesh in The State v Oli took cognizance of the fact that private conversations are frequently intercepted, recorded and leaked without the consent of the concerned individuals, and reminded the Bangladesh Telecommunication Regulatory Commission of its “great responsibility towards proper compliance of the constitutional mandate of maintaining privacy in communication.”

Earlier in 2016, another court in Aynunnahar v Bangladesh observed that the “right to privacy is an essential foundation of the freedom of dissent. So this right cannot be undermined in the name of surveillance.”

More recently in August 2021, a trial court in Jhenaidah reportedly rebuked a civil servant for confiscating the mobile phone of a private citizen and reading his messages, observing that as the messages were sent over an end-to-end encrypted private messaging application, his action was tantamount to an infringement of privacy rights.

However, such judicial interventions are few and far between, and there is no landmark judgement on privacy, or on conflict between privacy and press freedom, and hence there is a strong case for judicial engagement in the development of privacy jurisprudence in Bangladesh.

There is an equally strong case for introducing a tort of invasion of privacy in order to provide victims with financial remedies. For the foreseeable future, lawyers and judges are probably best suited to devise creative solutions to these complex problems as they come across their desks and dockets.

On the legislative front, given that the amount of data being generated, collected, processed and stored continues to increase exponentially, it is an opportune time for the parliament to enact a data privacy law. Since 2020, the government has reportedly started drafting new data protection legislation.

However, there are indications that in crafting this legislation, the government is taking into consideration factors that are extraneous to the protectionist architecture of the law, and commentators were quick to point out shortcomings on some very crucial issues.

Under the proposed law, data localisation (i.e., a requirement to store data in servers and data centres located in Bangladesh) will be compulsory.

This, in effect, creates a new avenue for security agencies to carry out surveillance and interception activities under the Bangladesh Telecommunication Regulation Act, 2001, citing the vague and variably interpretable “national security” and “public order” grounds.

Furthermore, as the draft also confers exemptions and indemnifications to the government agencies, this removes the element of accountability and transparency from the law enforcement process and that has the potential to undermine rights of citizens (particularly critics, dissidents and opposition) in a way similar to how the Digital Security Act, 2018 and the Information and Communication Technology Act, 2006 have been used.

Additionally, the establishment of the data protection office under the direct control and administration of the Digital Security Agency also points to the failure of the government to separate data protection objectives from digital security concerns.

Finally, the potentially global application of the law is unreasonable and disproportionate and is fated to result in its poor enforcement. On the whole, the overall structure of draft legislation appears to undermine the spirit of the law to codify citizens’ right to privacy and seemingly strengthens regulatory and supervisory authority of the government over citizens and businesses.

More often than not, discussions about privacy start with collateral considerations. Let’s look at the thorny issue of data localisation: it is premised on the apprehension that a nation’s sovereignty is threatened by the government’s inability to control its citizens’ data stored outside the country (in addition to national security, law enforcement and intelligence gathering considerations).

Ultimately, these considerations result in negative impacts on human rights and further dilution of privacy, especially in weaker democracies. As a result, data territorialization contributes to increased internet fragmentation, endangers global interconnectedness, and weakens the security of individual privacy.

As the Russian experience shows, similar localisation requirements were heavily criticised by businesses and several technology companies still do not comply with the requirements since the law was enacted in 2015.

A few advocates of data nationalism have made fallacious economic and commercial arguments in favour of data localisation: more data centres would mean increased economic growth and more high-tech jobs, investments and innovations.

However, evidence suggests that while data centres will create some short-term construction jobs, once they are operational much of the activity will be automated and only a limited number of employees (some of whom may be expatriates) will be employed.

Moreover, evidence also shows data localisation increases the cost of doing business and limits the availability of technology-based products and services.

As a result, in recognition of these arguments, a declaration was reportedly signed at the digital and tech ministerial meeting ahead of the 2021 G7 Leaders’ Summit, with a commitment to preserve “an open, interoperable, reliable and secure internet, one that is unfragmented, supports freedom, innovation and trust which empowers people.”

It is worth noting that, where the law is so egregious that it cannot be complied with, offshore service providers can simply pull the plug on their services. In Hong Kong, the big tech companies reportedly warned the government that they would cease offering their services in the country if the authorities amended the data protection laws in ways that could make service providers directly liable for content shared by users.

Despite its far-reaching implications, policymakers at home and abroad are not having enough in-depth, nuanced and meaningful conversations to counteract and mitigate the effects of privacy dilution.

Any discussion on privacy should start with privacy considerations, and have privacy considerations as its main component, pristine and unencumbered by peripheral considerations, lest it is trivialised and brushed aside.

Other relevant issues should be given due consideration, but primacy to privacy is paramount to an effective conversation. Otherwise, the discussions will become, in the words of Greta Thunberg, all “blah blah blah …”