EC to monitor partner organisations to protect NID data

The Election Commission has decided to keep 171 subsidiary organisations – that take the server services of its National Identity Card Registration Wing (NIDW) – under round-the-clock surveillance.

The constitutional body took the decision in a meeting with experts and technicians concerned at the election commission building in Agargaon of the capital on Thursday (13 July).

AKM Humayun Kabir, director general of the NID Registration Wing of EC, said, "I sat with officials from universities and technical experts, and heard their opinion and recommendations. We will talk to 171 partners to implement them."

The EC's move comes days after several media outlets reported a leak of personal information of millions of citizens from a government website in Bangladesh.

At least 40 databases containing voters' photos, fingerprints, and other information are stored in the EC servers.

The organisations provide various types of services to the citizens, including the 'verification service' of specific information under an agreement with the EC.

Humayun Kabir said the experts recommended conducting periodic audits and increasing the physical and technical securities.

The technical experts told Kabir that no mistake was found in their end in regards to the data leak.

He said the Information and Communication Technology Division formed a technical probe committee over the incident.

"I have asked our people to cooperate with the committee so that we can take preventive measures. Cyberattacks are intensifying. If our skills are not improved, we will always be vulnerable." 

Kabir said there are no loopholes in the Election Commission's server securities.

"Still, we need to strengthen our system more. So that we can do a periodic audit. The technical committee can sit down from time to time to see if there are any threats. They suggested that we monitor our partners."

The NIDW director general said when the EC signs an agreement with an organisation regarding NID data, they look into the organisation's security.

"Then they need to obtain a certificate from the ICT Division. Now we will make it mandatory for them to obtain the ICT Division to be eligible for the contract. However, we will have to increase periodic audits – in gaps of three to six months– after the deal is inked."

Actions will be taken if the partner organisations break the agreement, warned Kabir.

Stating that technicians recommended setting up a Disaster Recovery System (DRS), he said, "Yesterday, we signed an agreement with the Bangladesh Computer Council [BCC]. From next month, our data will go to the DRS in Kaliakoir for preservation. If there is any disaster, we can recover from it. We will also form a technical committee."

In response to a question, he said, "Our DRS will be a backup. We will also set up an active DRS within the project period. Many things were missing up until recently. But now, we have a mirror backup in the ICT Division and the BCC."

Stating that there is no vulnerability in the NID server, he said, "Even banks can ask for NID numbers as it's not something secret. You have to provide the NID number to apply for a passport or get your salary. It's not something that cannot be obtained."

Among others, Mosaddek Hossain Kamal, professor of Computer Science and Engineering, University of Dhaka; Professor Muhammad Mahfuzul Islam, vice chancellor of Bangabandhu Sheikh Mujibur Rahman Digital University; and representatives from the ICT Division, Bangladesh Police, RAB, Tiger IT, BUET and Ahsanullah University of Science and Technology were present at the meeting.