Introduction Amidst omnidirectional digital repression by the military, data/information can cure or kill people. After the 2021 coup, Myanmar military has been oppressing cyberspace by imposing punitive laws, banning circumvention tools and any other ways possible to suppress freedom of expression of the anti-coup population. While the military’s target area of repression becomes cyberspace, the pro-democracy institutions whose work of resistance largely depend on their digital presence become vulnerable. In spite of everything, digital presence means everything for the pro-democracy institutions, from recruiting, advertising and earning credibility from their audience. Consequently, a trilemma between popularity, credibility and security has built up, and people got arrested, children lost their education because of the incidents caused by the trilemma.
What happened? A noteworthy case study was the ‘Kaung for You’ incident. To provide a little bit of background: federal education initiatives were born to fill the gap of education access caused by the pandemic and the coup after the National Union Government announced a recognition policy for interim federal education schools. K4U was one of those schools which was established to participate in this good endeavor. From the beginning the school gained massive popularity on social media. The principal of the school, Kaung Thaik Soe, also became a popular social media figure along with the school. Number of students registered also skyrocketed because of the popularity. However, as the military was strictly monitoring the social media as well as imposing every possible digital repression activities, the school was targeted. It was hard to say if the school was ignorant about the potential threats given the popularity or underestimated the adversary. The incident started on June 20th 2022 with the blackmailings to the students who registered. K4U’s student database was leaked or hacked possibly by the pro-military groups. The students were blackmailed by exploiting the leaked data that they received SMS asking to send money. The school, however, was not able to promptly respond to the incident due to lack of digital incident response protocols or possibly due to the low digital security level of the organization. Consequence of the lack of response and investigation of the incident led to another incident. On July 3rd 2022, the military lobby Telegram channel, Han Nyein Oo, posted that they received the information of the school and will call for the arrest of those affiliated to the school. That was the time, the lobby channels share personal information about pro-democracy, protest leaders and the military literally follows their information and raid houses, arrest and torture the victims. 10 days later, on July 13th, the principal of the school, Kaung Thaik Soe and other teachers of the school were arrested.
Analysis of the incident By analyzing this incident, the trilemma between credibility, popularity and security was clearly observed. In order to gain credibility, they published students’ personally identifiable information on social media which they should not. Plus, responsible personnel of the school were hyped by the popularity of the school and publicly shared his personal information on social media which he should not. Those actions undermined security of the institution, more importantly, the thousands of students who have trusted the institution and created a disaster. From the perspective of digital security, lack of data management policy, emergency risk mitigation plan, accountability in personal data retention and collecting unnecessary data of the students have triggered the whole incident.
What can we do? First, in order to prevent incidents similar to K4U’s, the federal focused institutions require a concrete framework for which data to collect, how to manage and how to execute the data collected. In a country which does not have a data protection framework, developing data management policy for individual institutions is challenging due to lack of reference. However, I have found that the “ Data Minimization Principle” of the prominent European Union’s General Data Protection Regulation (GDPR) is holistic and practical to implement for Myanmar’s pro-democracy institutions. The data minimization principle described that “ The personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.
Adequate – sufficient enough to fulfill the stated purpose. (Institutions need to figure out what data is going to be collected and make sure the data collected is sufficient enough to process for the stated purpose)
Relevant – has a rational link to that purpose (Institutions need to have solid reasoning for the relationship between the data collected and the stated purpose.)
Limited – data collected must be limited to what is necessary (Institutions need to make sure that the collected data is the minimal data they need. )
The principle is expressed in Article 5(1)(c) and Article 4(1)(c) of GDPR. The Information Commissioner’s Office (ICO) of the United Kingdom also provided a comprehensive checklist. We can reflect our data collection process if it is aligned with the data minimization principle by checking against this list :
☐ We only collect personal data we actually need for our specified purposes. ☐ We have sufficient personal data to properly fulfill those purposes. ☐ We periodically review the data we hold, and delete anything we don’t need.
Second, as the magnitude of digital repression in the country is increasing, a digital security plan which contains internally agreed upon digital communication protocols and a digital incident response plan. Spring Revolution Security provided comprehensive and simple digital security tactics categorized into Code Green, Code Yellow and Code Green according to the sensitivity to create a digital security plan. Tactical Technology Collective’s research also provided best digital security practices, tools and guides to digital security policy formation. In summary, we need to be mindful that our digital and physical selves have merged, hence, digital threats could affect physical security. Data can be a remedy or tragedy. Therefore, dealing with public data should be considered as a major component of our institutions’ operations. Awareness and practice of data security can solve the trilemma of popularity, credibility and security which could determine life and death of the revolution.