Cybersecurity of virtual court: Where does Bangladesh stand?
Microsoft Teams is a third-party app and any exchange of data through this app is possessed, controlled and processed by the Microsoft, not by our Judiciary unless there is a “Data Processing Agreement (DPA)” and “Non-disclosure Agreement (NDA)” between Microsoft and our judiciary
Bangladesh entered a new era of e-judiciary on May 9, 2020 with the promulgation of an ordinance to conduct the virtual hearing and submitting bail petition and bail bond online. The arrangement was termed "virtual court".
This initiative will surely secure access to justice for people during an unprecedented situation like Covid-19 induced lockdown. As the landscape of technology is changing rapidly, the risks of data breaches have also significantly increased in the virtual judicial systems at all levels around the world.
For example, the US judicial system experienced over 24 million cyber-attacks in 2019, which is a sharp rise comparing with 9 million attacks in 2016.
According to the National Cyber Security Centre of the UK, the amount stolen from law firms through phishing in the first quarter of 2017 was 300% higher than the previous year.
Therefore, maintaining a robust cybersecurity framework is a sin-qua-non for making the virtual court successful.
By nature, virtual courts fall under the category of Critical Information Infrastructure containing sensitive personal data of the litigants and may contain confidential government information related to national security.
That is why the threshold of data protection is much higher for such kind of infrastructure. The question therefore arises: did our judiciary consider making the virtual court declared as Critical Information Infrastructure under section 15 of the Digital Security Act 2018?
As the virtual court deals with sensitive personal data, "Information Security" is essential in this context.
As per the Information Security Policy Guideline 2014 of Bangladesh, three cardinal principles, including confidentiality, integrity and availability of information have to be ensured for a secured information system. But did our judiciary outline any such framework for the virtual court?
As per sections 5 and 9 of Digital Security Act 2018 and section 6 of Digital Security Policy 2020, the Digital Security Agency will engage a national Cyber Emergency Response Team (CERT) to ensure the cybersecurity of a Critical Information Infrastructure with technical support, against any kind of cyber threats.
Right now, a bd-CERT is as the national CERT.
The Bangladesh National Digital Architecture (BNDA) Guideline 2019 advocates for a "whole of government" approach which would maintain an ecosystem of exchanging digital information in a coordinated and concerted manner within different government agencies and institutions.
Also, the National Cybersecurity Strategy 2014 prioritises developing a unified national multi-stakeholder strategy for international cooperation, dialogue and coordination in dealing with cyber threats.
But, has our Judiciary collaborated with the Digital Security Agency and bd-CERT to ensure the cybersecurity of the virtual court?
As per the Strategic Plan 2.9 of the National ICT Policy 2018, all the data generated from Bangladesh must be stored within the geographical territory of Bangladesh. However, our judiciary asked the litigants to use Microsoft Teams for virtual hearing.
Microsoft Teams is a third-party app and any exchange of data through this app is possessed, controlled and processed by the Microsoft, not by our Judiciary, unless there is a "Data Processing Agreement (DPA)" and "Non-disclosure Agreement (NDA)" between Microsoft and our judiciary.
The data in the app is in Microsoft Teams' server which might be situated in any part of the world. So, using this app for virtual hearing is contradictory to the abovementioned provision of National ICT Policy 2018 and thus creates scope for compromising national cybersecurity.
The Supreme Court also instructed the lawyers to send case documents in several Gmail IDs as per its official circular. But as per section 4.1 of the Government E-mail Policy 2018, all the government, semi-government, autonomous and constitutional organisations should use such email IDs which is developed and controlled by Bangladesh Computer Council.
As per section 5.1 of the said policy, even if the constitutional authority like Supreme Court decides to use different email ID of its own choice, it has to ensure adequate safety and security measures as per section 5.2 of the policy.
As Gmail is controlled by its mother company Alphabet, all the data transferred and exchanged within G-mail ID is controlled by them. Still, it is not clear whether there is any bilateral agreement between the company and our judiciary.
There is no doubt that Microsoft Teams or Gmail has one of the best and robust cybersecurity systems in the world. Their cybersecurity measures have already set the benchmarks for this field.
But the question is not how strong or effective third-party services our judiciary use, rather it is about the control and possession of personal data and developing network and systems by our judiciary.
Our national cybersecurity-related issues should not be controlled by third-party platform owners or service providers. Instead, our judiciary should strengthen the platform with "Privacy by Design" approach.
As the A2i, ICT Division and UNDP are assisting to develop this website, the focus should be given to developing a secured national server, network and Management Information System (MIS) going by the abovementioned national laws and policies. The same goes to the UNICEF assisted virtual juvenile court.
Moreover, we must have a dedicated Data Protection Act to coordinate all these massive and gigantic tasks of e-judiciary. With the advancement of technology involving Big Data, Artificial Intelligence and Internet of Things, the e-judiciary should be developed in compliance with National Blockchain Strategy 2020, National Strategy for Artificial Intelligence 2020 and National Internet of Things Strategy 2020.
Moreover, e-judiciary cannot be successful without coordination with prosecution and Law Enforcement Agencies. So, as per the mandate of National Cybersecurity Strategy 2014, the judiciary should collaborate with Crime Data Management System (CDMS) of Bangladesh Police for better investigation, prevention and prosecution of crimes through the virtual system.
Lastly, we must not forget that the privacy of "correspondence and other means of communication" is a fundamental right under Article 43 of the Constitution. So, the virtual court initiative should not face any deadlock due to compromise of cybersecurity and the abovementioned laws and policies should be followed with utmost importance.
Md Saimum Reza Talukder, is a senior lecturer of Cyber Law at Brac University
