Beyond the Shadows: Reforming surveillance practices in Bangladesh

Sabhanaz Rashid Diya

Beyond restrictions on speech, the CSA grants expansive powers to law enforcement officers, allowing them to issue information disclosure orders for suspected offenses to local and offshore operators and service providers without clear procedural safeguards or judicial oversight. However, narrowly viewing mass surveillance through the activities of the NTMC or the CSA risks overlooking the broader and more systemic issues driving the erosion of citizens’ privacy. A complex web of constitutional exceptions, legislation, government bodies, law enforcement and intelligence agencies, private corporations, spyware and interception service providers, and international assistance for counter terrorism and cybersecurity programmes have all contributed to legitimising a pervasive surveillance culture.

A country caught in the war on terror

If we trace back the history, the 9/11 attacks were a pivotal moment in reshaping the intelligence communities of the US and its allies, with significant downstream effects on the rest of the world. The War on Terror justified a shift in surveillance targets from traditional state militaries to more nebulous terrorist networks, including ordinary citizens, and led to a widespread expansion of monitoring and interception capabilities within telecommunication networks. Muslim-majority countries like Bangladesh came under intense scrutiny as potential hotspots for terrorist sleeper cells and extremist recruitment, fuelled by political violence and polarisation.

In Bangladesh, this global focus on counterterrorism led to the formation of the Rapid Action Battalion (RAB) in 2004 (initially) as a specialised counterterrorism unit, followed by the passage of the Anti-Terrorism Act in 2009 and the Anti-Terrorism Rules in 2013 (that led to the formation of the Anti-Terrorism Unit under Bangladesh Police). The subsequent establishment of the Counter Terrorism and Transnational Crimes (CTTC) unit and Bangladesh Financial Intelligence Unit (BFIU) further solidified the country’s role in supporting the global war on terror by ramping up its intelligence gathering and triangulation capabilities. Dispatches from the US and UK between 2005 and 2010 mention technical assistance provided to Bangladesh to “strengthen the ability of law enforcement to stop terrorist financing and tighten border controls.”

During this period, the CTTC’s Cyber Crime and Investigation Division, along with the Cyber Intelligence Bureau at the Directorate General of Forces Intelligence (DGFI) and the Criminal Investigation Department (CID) of Bangladesh Police, expanded their surveillance remit to include online spaces, such as community blogging forums and social media platforms. This expansion was justified as a necessary response to the attacks and killings of bloggers between 2013 and 2015 and the 2016 Holey Artisan attack in Dhaka. To formalise telecommunication surveillance and reduce procedural and hierarchical scrutiny, the National Telecommunications Monitoring Centre (NTMC)—formerly the National Monitoring Centre (NMC)—was brought under the Ministry of Home Affairs in 2013. This move was based on an overbroad interpretation of Section 97 and 97A of the Bangladesh Telecommunication Regulation Act (BTRA), giving the NTMC the authority to monitor and intercept mobile devices and calls under the pretext of “catching militants”, including members of Jamaat-e-Islami, and later, Hefazat-e-Islam.

Under the banner of countering violent extremism, domestic efforts to predict, identify, and mitigate terrorism risks in Bangladesh quickly expanded into, and justified, arbitrary monitoring and wiretapping of “suspected” citizens. This included collecting data such as bank details, business records, cell phone records, body and bag scans, facial recognition through CCTV cameras, and tracking movement across borders.

In the past decade, these expanded mandates led to the acquisition of a wide range of monitoring and interception equipment and spyware, as well as contracts with surveillance service providers from countries such as the US, Germany, Israel, China, and Canada. A global investigation into surveillance providers identified at least 13 entities that sold their services to Bangladesh, offering capabilities such as geolocation tracking, advanced data extraction from mobile devices, WiFi data interception, internet traffic monitoring, social media data scraping, and other privacy-invasive activities. An estimated 70 percent of these companies originated from Israel, often using shell companies in Cyprus, Singapore, Greece, or Luxembourg to avoid diplomatic scrutiny of their supply chains. A 2023 investigation by the European Parliament’s Committee of Inquiry probed the sale of Israeli-owned spy vehicles and device interceptors (used during protests) to Bangladesh between 2017 and 2022, with deals amounting to approximately US$ 3.6 million.

The slippery slope of legitimising surveillance

The right to privacy, protected under Article 43 of Bangladesh's Constitution, is subject to "reasonable restrictions" imposed by law for reasons of national security, public order, or public morals. This limitation has often allowed law enforcement and intelligence agencies broad discretion, justifying the interception of “correspondence and other communication” as necessary and proportionate to address national threats. Till date, “national security” and “public order” remain undefined; the courts and parliament have yet to provide any specific explanation or guidelines, leaving them open to arbitrary and subjective interpretations by state and security agencies.

Based on this premise, the Criminal Procedure Code (CrPC) provided law enforcement and intelligence agencies broad powers to gather information for any investigation or suspected offense. This is reinforced by special powers granted to relevant law enforcement, authorities and statutory bodies to gather information and compel data disclosures under the Anti-Terrorism Act and Rules, the Money Laundering Act and Rules, and the Bangladesh Telecommunication Regulatory Act (BTRA). Licensing guidelines for radio, spectrum, telecom operators (requesting 2G, 3G and 4G licenses), internet service providers (ISPs), international internet gateway services (IIGs), national internet exchange (NIX), and a wide range of telecommunication services explicitly require providers to facilitate “intelligence gathering”, else risk losing their licenses.

In addition to legalising surveillance within telecommunication networks, the national ID database has also been subjected to arbitrary access by law enforcement and intelligence agencies. Originally designed to prevent identity and financial fraud, KYC (Know Your Customer) and e-KYC guidelines have been repurposed to create a detailed network of personal identifiers. E-governance programmes linked to this database, which include biometric data and cell phone information, have facilitated the collection of extensive data, ranging from birth details and banking information to eligibility for government benefits. The COVID-19 pandemic further accelerated the collection of personal health and travel data. Although this extensive database is supposed to be “very strictly” managed by the Ministry of Home Affairs, it is accessible to law enforcement, intelligence agencies, and various state-affiliated bodies with minimal procedural safeguards or access controls. Recent reports of data breaches have revealed that these groups have access to sensitive personal information, such as biometric data and vaccination records, with little transparency regarding how or why this data is shared.

Crafting a path forward

Addressing the entrenched privacy-invasive practices requires, as a starting point, the establishment of a robust personal data protection legislation. The current draft data protection bill, which has been in circulation for the past three years, is inadequate in both substance and process. It needs to be revisited by experts in international and domestic privacy laws, human rights, industry, and academia, followed by comprehensive public consultations. Provisions that expand law enforcement access to personal data or mandate data localisation must be eliminated, as they significantly heighten the risks of surveillance amid existing weak institutions and rule of law.

Moreover, the interim government must also review contracts with spyware service providers and assess data access controls within law enforcement, intelligence agencies, and state bodies. A strong data protection framework should clearly define the scope of data collection, usage, access, and retention, with stricter guidelines for public sector institutions that handle sensitive information.

Bangladesh has struggled with implementing effective procedural safeguards for the lawful interception of personal communications, necessitating a thorough review of current legislation, policies, and guidelines that permit surveillance. While law enforcement and intelligence agencies globally may have a legitimate, court-sanctioned basis for narrowly defined access to telecommunication data to combat transnational crime, evidence from Bangladesh and beyond highlights the dangers of such powers expanding into broad surveillance of citizens' private lives. To mitigate these risks, it is crucial to establish strict, narrowly scoped legal frameworks supported by independent judicial oversight, enforce explicit data minimisation and retention limits, and provide mechanisms for public redress when data is unlawfully accessed, processed, or stored.

More fundamentally, Bangladesh needs to recognise both theoretically and practically the importance of safeguarding individual privacy. This is essential for any digital reform or restoration of civil liberties and is crucial for rebuilding trust in the law and its enforcement agencies.

Sabhanaz Rashid Diya is the executive director of Tech Global Institute. She is a visiting policy fellow at Oxford Internet Institute, where her work focuses on Internet governance, privacy and human rights.

Back to Homepage