Who do cybersecurity laws actually protect?
Across the world, such legislation has often evolved from a mere tool to combat cyber threats such as computer viruses into much more – blurring the line between protecting individuals from malicious cyber activities and governments using the same laws to infringe on freedom of speech and expression.
As you have probably heard, the government has recently announced that the Digital Security Act (2018) - criticised both locally and internationally for being used by authorities to suppress freedom of expression - will be replaced with a new Cyber Security Act (2023). The new law marks the latest step in the country's journey towards regulating cyberspace, which arguably began with the Information and Communication Technology (ICT) Act of 2006, also infamous for its Section 57, considered a precursor to the controversial DSA.
But Bangladesh is not alone in this endeavour to introduce cybersecurity laws and cyber surveillance laws, which often run afoul of individual liberties of citizens and their rights to freedom of expression.
Cyber security experts point to the uptick in cyber threats and the burgeoning number of cybercriminals exploiting people's information, property, operations and other digital assets, which amplified the need for cyber security laws and legislations over the past couple of decades.
Currently, most countries around the world have cybercrime legislation. While 156 countries (80%) have enacted cybercrime legislation, the pattern varies by region: Europe has the highest adoption rate (91%) and Africa the lowest (72%), according to the United Nations Conference on Trade and Development.
In theory, cybersecurity laws – the specifics of which vary from country to country – are generally enacted to protect people from cyber threats. These include, but are not limited to, hacking, data breaches, identity theft and fraud, cyberbullying and online harassment, online child exploitation, malware and ransomware, and privacy violations.
But in reality, governments' misuse of some provisions of these laws to intimidate individuals, infringe on citizens' rights to expression and even imprison people has been well documented time and again.
Moreover, while cybersecurity laws around the world are primarily designed to protect individuals from each other or from organisations, it should not be forgotten that they apply to tech giants as well. Although the framework varies from country to country, cybersecurity laws are in place to prevent digital catastrophes such as Facebook's Cambridge Analytica scandal in December 2015, where the personal data of millions was leaked – and that's just one example.
There have been multiple incidents of personal data leaks caused by tech giants mishandling information. This is to say that cybersecurity laws have failed: governments have failed to regulate tech giants while putting the enacted laws to use elsewhere.
Theory vs reality
India's Section 66A of the Information Technology Act, 2000, was added through an amendment in 2008. This was intended to "address the transmission of offensive or false information using communication devices. It covered a broad range of actions, including posting content that could be considered offensive or harmful."
But things did not go well. Section 66A came under heavy scrutiny, primarily for being vague and for its scope to be misused by the government to curb freedom of speech and expression, so much so that in 2015, the Supreme Court of India ruled that "Section 66A was unconstitutional" and violated the right to freedom of speech guaranteed under the Indian Constitution. Section 66A was repealed and is no longer a part of the Information Technology Act, 2000.
Although Section 66A was repealed, reports suggested that similar provisions in other laws were still being used to target online speech. There were reports as recent as 2020 of activists and individuals being arrested under Section 505 of the Indian Penal Code (IPC) [the provision can punish whoever makes or circulates statements or rumours with intent to cause mutiny or fear among military personnel, incite offences against the State or public tranquillity, or promote hatred between different religious or social groups] read with Section 66A of the Information Technology Act for allegedly sharing social media posts critical of government policies.
This happened during the protests related to the Citizenship Amendment Act (CAA) and the National Register of Citizens (NRC).
There have been instances in India where individuals have been charged with sedition for allegedly posting content on social media platforms critical of government actions or policies.
Additionally, blocked websites and internet shutdowns during protests or situations of civil unrest in India are well documented. Authorities justified these actions as preventive measures against the spread of information which might incite violence.
These "preventive measures," while not directly tied to cyber security laws, have significant implications for digital rights and access to information.
India is not alone. These tactics, including measures beyond the strict definitions of cybersecurity laws, are common practices by governments across the world to curb protests, dissent and freedom of speech or expression.
For instance, according to a 2017 Intercept report, in Egypt under president Abdel Fattah al-Sisi's regime, there was a phishing campaign against rights activists, which coincided with an ongoing effort by the Egyptian government to boost its electronic surveillance capabilities.
The report further explained how Egyptian authorities are also continually trying to block access to the encrypted messaging app Signal.
In Turkey in 2015, according to the BBC, Twitter and YouTube were promptly banned for 20 hours and the then Prime Minister Recep Tayyip Erdogan vowed to "eradicate" the platforms in the run-up to national elections. This happened after leaked audio recordings emerged, apparently revealing corruption in Erdogan's inner circle.
In Iran, according to the Atlantic Council of the United States (a think tank), several key provisions in the proposed "Protection Bill" (2022) pose an imminent threat to freedom of expression in Iran and endanger the LGBTQI community in particular.
The bill envisions tightened state control over online spaces and aims to erode online anonymity while criminalising VPNs (Virtual Private Networks)—essential tools for circumventing online censorship.
Under the bill, control over key communication infrastructure will be delegated to armed forces and security agencies—including the Islamic Revolutionary Guards Corps (IRGC) and police force—that have a history of cracking down on marginalised communities.
In Russia, according to a Wired report, since 2019 Vladimir Putin "has supercharged his plan to separate Russia from the global internet."
The report further explains how the country's "sovereign internet law," which came into force in November 2019, gives officials the power to block access to websites for millions of Russians. The law was used to hit Facebook, Instagram, and Twitter with blocks that followed Russia's invasion of Ukraine in February 2022.
A series of Russian laws aimed at regulating online content and promoting a "sovereign internet" have been implemented.
In China, the Great Firewall has influenced the development of China's internal internet economy by giving preference to domestic companies and reducing the effectiveness of products from foreign internet companies. It also works to limit the use of the internet.
Some such laws have been amended or repealed, including but not limited to Australia's Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018. Before its amendment, the law was criticised for its potential to undermine encryption and introduce backdoors for government access to encrypted communications.
Proposals to Brazil's Cybercrime Bill, according to a 2016 Intercept report, were controversial because "critics argue the combined effect will be to substantially restrict open internet in the country by peeling back the right to anonymity, and providing law enforcement with draconian powers to censor online discourse and examine citizens' personal data without judicial oversight."
Protests and advocacy led to changes in the bill to address some of these concerns.
The UK's Investigatory Powers Act (Snooper's Charter) provides a framework for the use of investigatory powers by the security and intelligence agencies, law enforcement and other public authorities. These powers cover the interception of communications and the retention and acquisition of communications data, according to a UK government website.
More simply put, it allows State authorities to collect information about everything citizens do and say online and order private companies to store it. Various legal challenges and discussions have prompted revisions and amendments.
In the United States, Section 215 of the Patriot Act (enacted after the 9/11 attacks) permits the FBI to obtain a secret court order to collect any business records deemed relevant to a national security inquiry.
According to a New York Times report in 2020, "Section 215 has been at the center of repeated fights over the balance between empowering national security investigators to detect potential threats and preserving Americans' privacy and freedom to read what they want or call other people without fear of government observation."
Moreover, the report explained how the government has interpreted a high-profile provision of the Patriot Act as empowering FBI national security investigators to collect logs showing who has visited particular web pages.
A silver lining?
While governments around the world introduce new laws and regulations that expand their scope to intervene in the individual rights of citizens, a counter-movement to secure citizens' rights through legislation is, thankfully, also starting to pick up pace.
The key regulation that impacts cybersecurity and data protection across the European Union (EU) is the General Data Protection Regulation (GDPR). It is a comprehensive data protection regulation that came into effect in May 2018. It applies to all EU member states and regulates the processing of personal data of EU citizens.
This is regarded as a means to protect citizens from government overreach and abuse of power. Although it does not explicitly say it protects citizens from the government, it includes provisions that enhance individuals' data privacy rights and impose requirements on how both public and private entities handle personal data.
The EU also prescribes laws pertaining to cybersecurity such as the Network and Information Security (NIS) Directive (also known as the Cybersecurity Directive). It requires member states to establish national strategies for network and information security, designate competent authorities, and ensure the cooperation between public and private sectors in responding to cybersecurity incidents.
Other laws, such as the ePrivacy Directive (focusing on privacy in electronic communications) and the Regulation on the Free Flow of Non-Personal Data, aim to protect individuals from government overreach and abuse.
Similar to GDPR, Brazil's General Data Protection Law (LGPD) regulates the processing of personal data. While not solely focused on government actions, it sets forth principles and rights that apply to both public and private sectors, aiming to protect individuals from any entity's data practices.
More generally, many countries subscribe to Human Rights Acts and Constitutional Provisions, which safeguard citizens' privacy and limit government intrusion. These principles can apply to digital spaces and may be invoked to challenge government surveillance activities that violate citizens' privacy rights.
Moreover, various international agreements and standards, such as the International Covenant on Civil and Political Rights (ICCPR), recognise the right to privacy and freedom of expression. These standards can guide domestic laws and court decisions aimed at protecting citizens from government surveillance.
And finally, some countries have proposed or enacted laws to protect encryption and prevent government-mandated backdoors. These laws aim to preserve citizens' ability to communicate securely and privately.
Time and again, across the world, it becomes evident that the purpose of cybersecurity laws and cyber surveillance laws is, more often than not, heavily manhandled for the benefit of the powers that be.
Whilst there are some initiatives to protect citizens specifically from government overreach and abuse of power, a lot still remains to be done to ensure a safe cyberspace for all.