An ordinary person’s guide to dangerous online regulations

Two dangerous policy drafts regulating our online presence have been prepared right in front of our noses, and except for a few usual suspects crying wolf, there has been little public outrage over it. And I don't blame you for not knowing or caring about them. It's easy enough to get lost in the technical jargon of experts (Intermediaries? Traceability? Peer-to-peer encrypted messaging?), or the righteous indignation of human rights activists (Violation of constitutional guarantees? Incompatibility with Article 19 of the ICCPR? Principles of proportionality?).

Maybe you've got 99 problems and worrying about some distant law—that is likely going to affect some activist types anyway—ain't one of them.

But what if I told you that, if implemented, these laws won't just curtail whatever little freedom of expression the press still has, but could well get in the way of those endless Netflix shows? What if your most private photos could be easily and legally accessed on the flimsiest of pretexts, like you "liking" a Facebook post on government corruption?

The draft Data Protection Act (DPA), prepared in November last year and finalised last week, is supposed to do as its name suggests: protect your data. The problem is that, in reality, it allows a whole host of actors to access your data, without so much as your permission or even your explicit knowledge. These actors include law enforcement and security agencies, the director general of the Digital Security Agency—in charge of investigating violations, levying fines and ensuring compliance—as well as all employees of the Data Protection Office. The law also has a provision that gives further power to the government to exempt data controllers, meaning those responsible for collecting or processing (or supervising the processing) of personal data such as your IT person, from following the law.

Additionally, although it gives us the right to know what kind of personal data is being collected, it does not apply to instances in which "processing is necessary for functions of the government". What does "functions of the government" entail though, you ask? The draft does not specify that, which means that it could quite literally mean anything the government wants it to mean. Similarly, the draft says that government agencies can "intercept, record or collect information" of any person on "national security" or "public order" grounds, but it does not define or limit what these terms entail, which leave them open to (mis)interpretation.

Now, at this point, you may be thinking: well, this certainly sounds terrible, but I am a law-abiding citizen. I don't even go to Shahbagh for phuchka, much less protests. What possible justification would the government have for snooping through my Facebook chats? Unfortunately, the scope of the exemption is so broad that law enforcement or security agencies can legally access your data on the feeblest of grounds, for instance, for writing a status criticising a former minister, posting a satirical cartoon, or simply commenting on someone else's status.

It may sound as if I am exaggerating, but these are real-life examples of ordinary people, like students and professionals who have no link to the media or politics, who were picked up on these very grounds under the Digital Security Act (DSA).

You see, these laws seem distant only until they happen to you.

The second piece of legislation—"Bangladesh Telecommunication Regulatory Commission Regulation for Digital, Social Media and OTT Platforms"—is even scarier. It proposes an aggressive and authoritarian content governance framework that applies to a host of applications/actors including social media networks like Facebook, Twitter, Instagram, Pinterest; tech companies like Google, Microsoft; OTT platforms like Hoichoi, Netflix, Chorki, Spotify; Facebook live shows; IPTVs and social media handles of media organisations.

 Experts have pointed out the absurdity of lumping together services that are miles apart functionally, technically and operationally, and hence require different regulatory models. By forcing them under a one-size-fits-all model that actually fits none, the government is essentially undemocratising the internet, penalising in one broad stroke both content producers and end users.

Besides, all of these platforms will be required to get registration—yes, including appis selling sarees through Facebook live from their homes. For smaller e-commerce platforms and independent content producers, the bureaucratic loopholes of obtaining registration may well act as a deterrence to their entry into the digital space while, for an established news platform like The Daily Star, registration—and the looming threat of its cancellation—will be a noose that can tighten with the smallest of digressions.

The draft criminalises the same set of vague provisions as the DSA. It says that the above-mentioned service providers cannot host any information that, among other things, "threatens the unity, integrity, defence, security, or sovereignty of Bangladesh, [and its] friendly relations with foreign States"; "breaches the secrecy of the government; creates unrest or disorder or deteriorates law and order" situation; "is offensive, false or threatening and insulting or humiliating to a person" or "decency, morality, social acceptance, social values, against national culture".

But what exactly do these terms even mean? Would any R-rated Netflix show pass the test of "decency" or "national culture"? Who decides that? And frankly, what would the internet even look like without content that is "humiliating" or "insulting" to someone or the other?

Unfortunately, we have already witnessed how broadly and arbitrarily these definitions have been used by the government to arrest, harass and humiliate a broad range of actors—ordinary people included—for exercising their constitutional right to freedom of expression. Now, you may ask: if the DSA already allows the government to criminalise free speech, what does it matter that a new regulation is at play? It matters because now the government is making it mandatory for all social media platforms to do the policing on their behalf.

As per the new draft, platforms like Facebook can be fined up to Tk 3 billion and its representative imprisoned for up to 5 years for violations. With close to 45 million users in the country, how exactly is Facebook supposed to do this monitoring, with much of what is posted lost in translation? How can automated systems with filters understand context, dialects and nuance?

Moreover, the draft regulation says that the Bangladesh Telecommunication Regulatory Commission (BTRC) can direct service providers to remove or block content—that too, within 72 hours of the direction—which will rob any and all these platforms of their independence and character. The tech giants are unlikely to take these punches lying down. We have already seen Facebook, Google and Twitter warning Hong Kong that they would stop operating there if officials of that country move forward with data protection law amendments (which is not nearly as bad as ours) that could hold companies liable for users' actions.

The BTRC regulation further requires all social media intermediaries to have a resident complaint officer, a compliance officer to ensure due diligence, and an agent to liaison with law enforcement agencies and the BTRC—all of whom are to be residents of Bangladesh—essentially so that there is someone here they can hold liable or arrest in case of a violation. But why would a company like Netflix, for instance, go out of their way to take on this inconvenience when the easier and less expensive solution would be to pack up their bags and leave? And it isn't just Netflix of course. A host of regional and global businesses may no longer find it in their best interests to operate within Bangladesh.

It gets worse. The BTRC regulation as well as the DPA also make it mandatory for intermediaries such as WhatsApp, Signal, Telegram, etc. to enable traceability and identification of the first originator of any information. Simply put, this means these companies, whose very existence is premised upon the assurance of privacy, would be required to break end-to-end encryption. Yes, you read that right: these regulations will legalise the surveillance of your private messages that you do not want to share with the universe.

These are only some of the more obviously scary provisions of the drafts. They are dense and technical, but it is absolutely crucial that we unpack them to fully understand how they would impact us on an everyday basis, in a very real way, if and when they are approved. Unless we want to live the rest of our lives constantly looking over our shoulders, deprived of the real benefits of the internet, we, the ordinary citizens, must strongly raise our voices against them while we still can.

Sushmita S Preetha is a journalist and researcher.