5 - Privacy Risks in Myanmar's Emerging ICT Sector

Summary

Before the long-awaited 2015 general election, a cyber-group operating under the name Union of Hacktivists1 became infamous for launching several DDoS (distributed denial of service)2 attacks on Burmese media sites, including The Irrawaddy and Eleven Media. Unleashed Research Labs, a cybersecurity firm, traced the origins of these attacks to a military-operated network run by the Defense Services Computer Directorate, attributing the attacks on independent media outlets to the work of government — namely military — employees (Hindstrom 2016). Although the intention was simply platform and content defacement, these attacks emphasize the risks individuals, institutions and corporations face in storing and sharing information online. As more content is exchanged online and more information, particularly personal information, is stored by mobile providers, such risks are likely to shift from defacement attacks to identity theft and privacy violations. Given Myanmar's weak central regulations and the government's ability to access consumer and provider information under the 2013 Telecommunications Law, individuals and organizations are increasingly at risk of privacy violations.

Myanmar's transition is unique. Not only is the country emerging from the longest modern-day military government but the political transition also parallels the introduction of affordable smartphones and mobile technologies available for public consumption across the country. This availability and affordability of information and communications technologies (ICTs) is certainly exciting for the Myanmar public; however, security and privacy risks are high due to a patchwork regulatory framework and rapid growth in mobile penetration. During military rule, modern ICT infrastructure and services were largely unavailable to the public because of high prices. Alongside high economic barriers to entry, punitive regulations emphasized the government's ability to restrict an individual's usage of ICTs while failing to provide a coherent strategy for addressing macro-level issues in the sector. These issues range from cyber-attacks to data collection standards imposed on industry stakeholders. Today, the ICT regulatory framework remains largely unrestricted by laws or institutions, with the exception of the 2013 Telecommunications Law, which allows the government to seize information on ICT users and disable communications services based on broad legal language that is highly unspecific (MCRB, IHRB and DIHR 2015). While the government did enact the Law Protecting the Privacy and Security of Citizens in 2017, the law's ambiguous language provides little clarity or assurance to individuals. This existing legal environment protects the government while putting the public at risk of unwanted surveillance.