Vietnam’s newly enacted cybersecurity law shows the legislative confusion of a government caught between a rock and a hard place.
On the one hand, Vietnam’s computer networks are among the most targeted for attack in the world, courtesy of rampant cybercrime and legions of Chinese hackers. The July hacking of Noi Bai Airport underlined the scale of Vietnam’s cyber woes. Investment in national cyber security efforts must increase drastically.
On the other hand, the new law makes it clear the government is antsy about citizens with the cyber savvy to encrypt their online communications. Political and media control, after all, requires the ability to monitor citizens’ online activities.
Therein lies the paradox. A citizenry largely ignorant of cyber security makes the job of hackers all the easier. Access to networks is often gained not through brute force means, but via phishing attacks that target individuals – as was likely the case with the Noi Bai Airport hack.
Citizens encrypting their online communications do not threaten national cyber security. Rather the opposite, they enhance it. But there is scant support for this notion in Vietnam’s 2015 Cyber Information Security Law, enacted on July 1, 2016.
The law sets out a system to classify digital information and specify the steps public organizations need to follow to protect such data. It mandates the Ministry of Communication and Information (MCI) and the Vietnam Computer Emergency Response Team (VNCERT) as the leaders in the nation’s battle against cybercrime.
The law, in principle, protects the right to privacy of information. The response to cyber information security incidents “may not infringe upon privacy, personal and family secrets of individuals and private information of organizations.”
The law further stipulates that no one can block or filter the internet – an odd inclusion only in that Vietnamese ISPs are known to block and filter content on behalf of government censors (focusing primarily on overseas or independent news websites).
Despite these measures, however, the Cyber Information Security Law clearly prejudices security over privacy.
In Section 2, Article 16, personal privacy is made subservient to other laws on security and defense. The entire third chapter of the law deals with “civil cryptography” (the storing, sending and receiving of encrypted messages). From a rights perspective, this chapter and the subsequent July 2016 Decree on Civil Cryptography are troubling.
The law divides encryption tools and services into two overarching categories – those that require a license and those that can be freely distributed without a license.
Widely used free chat services like WhatsApp, which employ end-to-end encryption, should not require a license. The decree explains that these services do not offer cryptographic components as their “primary function,” and they are used on a wide scale and installed by users without providers’ help.
However, all other tools and services focused on encryption, presumably including PGP email (an open source tool) and other services using a PKI (public key infrastructure) system, now require a lengthy and complex licensing process, with companies operating in Vietnam, in order to be legally used.
Beyond the bureaucratic difficulties of the licensing process, the law also stipulates the need for a backdoor into encrypted information.
Article 36 states that the responsibilities of users of cryptographic products and services include: “To provide necessary information relating to cryptographic keys for competent state agencies upon request.”
Furthermore, all users other than diplomatic missions and intergovernmental agencies will need to declare their use of civil cryptographic products to the Government Cipher Committee.
The July 2016 Decree on Civil Cryptography takes this troubling language further, with vague wording that ultimately empowers the government to access encrypted information, with a fine imposed on any person or organization that does not cooperate with requests to access information.
A lawyer, who asked not to be named, at a firm based in Ho Chi Minh City finds fault with this attack on privacy: “Failure to comply with the ‘requests’ or refusal to provide information on cryptographic keys carry the heaviest of penalties in the Decree. Furthermore, these requests do not require any court involvement or any specific process. For that matter, there’s no mention of the principle of personal privacy.”
Vietnam’s social activists have been largely silent on the 2015 Cyber Information Security Law and the subsequent Decree on Civil Cryptography. It is a technical area that is not widely understood or reported on.
There is no data available on the use of encrypted communications in Vietnam, but anecdotal reports among activist circles indicate it is rarely used. Mainstream internet users prefer to use the domestic online chat service Zalo or Facebook messenger (both unencrypted) over WhatsApp.
Nonetheless, as Vietnam’s citizens become ever more internet savvy and politically active, interest in encryption is likely to grow. It is particularly relevant given Vietnam’s high cybercrime environment. This new decree, if passed, will likely help to stifle the evolution to more secure communications, thereby removing an important tool in the nation’s cyber security defenses.
Vietnam’s government needs to balance its desire to monitor citizens’ private communications with the much higher economic and political cost of cybercrime and network attacks from China and abroad. So far, the cybersecurity law suggests their attention is focused in the wrong place.
Michael L. Gray is Project Manager of the Tia Sang Viet Nam initiative, an effort focused on digital rights in Vietnam. Previously, Michael worked for over 12 years in Vietnam in a variety of research, project management and communications roles. He holds a B.A. in Political Science and History from McGill University, and a Master’s in Southeast Asian Studies from the School of Oriental and African Studies in London.