According to an article on VN Express International’s website (see Personal data leak affects thousands of Vietnamese), a major leak of personal data was announced. (Other articles covered the news in the Vietnamese language, but for purposes of discussion, the English language story will work best.) The data, which totaled 17 GB, was posted on a notorious hacker site that is known for the sale of personal data and other illegal activities. The data allegedly came from the Pi Digital Currency, or a related site, and consisted of Know Your Customer data that had been collected from Vietnamese users in registering to mine the cryptocurrency.
This gives rise to a goodly number of issues.
First, per Vietnam’s cybersecurity law, a cyberattack includes, among other things, acts of:
Infiltrating, harming or appropriating data stored or transmitted on a telecom network, the Internet, a computer network, information systems, information processing and control systems, database or e-facility;
Thus, if the illegal appropriation of data occurred in Vietnam, it would be deemed a cyberattack and the appropriate response would be meted out. That response, according to the cybersecurity law, would include action on the part of the cybersecurity task force to coordinate with the system administrators to determine the origin of the cyberattack and collect evidence. System administrators are required to promptly and completely comply with requests for information from such a task force. Lovely law that it is, the cybersecurity law does not actually contain a prohibition against cyberattacks and the only penalty is imposed for violations of the law. More useful, perhaps, is the law on network information security, which requires that administrators who discover a data breach act quickly and decisively to fix the breach.
While the law on network information security has been the subject of some implementation legislation–none of which actually addresses this issue–the cybersecurity law’s implementing decree has been bogged down in consideration for nearly two years. There is minimal guidance for actually dealing with a cyberattack and, even then, it must either be in relation to national security or “cause serious harm to social order and safety” before the cybersecurity task force will even begin an investigation. It is estimated that this week’s data leak only affected approximately 10,000 individuals. Whether this constitutes serious harm to social order and safety is a good question and may result in minimal or no action on the part of the government to address the leak.
A second consideration that is very relevant is the source of the leak. Per the article, the individuals whose data was leaked were all mining cryptocurrency for an internationally located blockchain. This gives rise to a couple of issues. First, as the Pi Digital Currency is not located in Vietnam, the ability of the Vietnamese government to take any action against the entity which collected the personal data is basically nonexistent. This, despite numerous legislative attempts to improve the reach of Vietnam’s jurisdictional control in cyberspace, proves Vietnam’s ineffectiveness in dealing with cross-border violations of its laws when those providers fail to comply with Vietnam’s laws. In draft form at the moment are provisions that would allow the government to block such sites from access to Vietnamese cyberspace upon repeated violations, but in the absence of a Chinese-style control of the country’s internet, there is little Vietnam’s government can do to prevent access to Vietnamese data by foreign providers.
The additional issue that the leak’s source raises is that of cryptocurrency itself. While the government has repeatedly made it clear that Vietnam does not allow cryptocurrency as a means of payment and does not deem digital currency as legal tender, Vietnam is at the forefront of global cryptocurrency adopters. One report stated that over half of the cryptocurrency transactions come from three countries in Asia, one of which was Vietnam. By refusing to acknowledge cryptocurrency as a means of payment, the Vietnamese government has also failed to deal with the large number of its citizens involved with mining cryptocurrency and holding cryptocurrency assets in electronic wallets and other e-locations offshore. As this data leak demonstrates, Vietnam is all in when it comes to cryptocurrency despite what its government says, and if the government truly wishes to protect its citizens, it should address the issues revolving around cryptocurrency rather than sticking its head in the sand like some Southeast Asian ostrich.
And for the sake of consistency, I’ll repeat my frequent argument one more time. Technology is progressing at a rapid pace and the Vietnamese legislative model is glacial. If the government truly wishes to prevent abuse and to regulate, and ultimately tax, the technology that is becoming profuse globally and locally, then they need to develop some means to tackle fast-moving issues in an equally rapid way. They have recently approved a pilot program for digital money targeting the unbanked and poor, and have a longstanding proposal for a regulatory sandbox in the fintech area (that excludes cryptocurrency) but there has been no concrete action. These ideas remain as pilot schemes or proposals, and have been so for quite some time. Something needs to change if the government doesn’t want to be left behind by a citizenry eager to capitalize on technological advancements that promise new means for wealth acquisition and equal efforts to abuse and defraud.