Abstract
This paper examines Bangladesh’s digital identity ecosystem as an evolving socio-technical infrastructure in which the National Identity (NID) database has become a de facto identity spine across public administration and regulated markets. Using a qualitative, triangulated approach that combines legal and documentary analysis, stakeholder interviews, reconstruction of breach and misuse episodes, and mapping of inter-system access pathways, the study analyses how identity-linked data are collected, linked, and circulated across domains including telecommunications, health, immigration and border control, social protection, and finance.
The analysis finds that the principal risks do not arise from any single database, but from the wider architecture of interoperability and delegated access. Two dynamics are central: (i) the expansion of NID verification through direct institutional connections and commercial gateway models (including the Porichoy API arrangement), which widened downstream access and normalized identity checks; and (ii) the proliferation of informal ‘shadow’ copies of identity-linked data created for operational convenience, vendor maintenance, and analytics, often outside robust logging, deletion schedules, and audit baselines. These conditions, coupled with vendor backend access, procurement opacity, and a surveillance assemblage in which the National Telecommunication Monitoring Center (NTMC) operates as a central node for communications monitoring and data fusion, enable over-collection, unauthorized sharing, function creep, and, in some cases, insider monetisation of sensitive records.
The paper argues that Bangladesh’s existing sectoral laws and administrative practices have enabled data-intensive governance without commensurate rights, safeguards, or enforceable accountability. Drawing comparative lessons from India, the European Union, Pakistan, Singapore, and Australia, it advances a reform pathway centred on a coherent state data governance architecture, genuinely independent oversight (including breach notification and compensation), enforceable vendor controls, proportionality constraints on surveillance, and operationalization of consent and protections for vulnerable groups. The overarching contribution is a grounded map of how ‘digital inclusion’ infrastructure can become extractive when institutional capacity, legal limits, and technical accountability are misaligned.
