Safeguarding Security or Infringing on Privacy? Vietnam's Social Media Account ID Proposal

The Vietnamese government prioritizes complete control over cyberspace rather than protecting privacy and data autonomy.

Safeguarding Security or Infringing on Privacy? Vietnam's Social Media Account ID Proposal
Graphic: Tuy Phong/Luat Khoa Magazine.

Imagine a scenario wherein everyone’s full names and all contact information were displayed on brightly lit signs around their necks when they walked in the park. While this is obviously an exaggeration, the draft decree proposed by the Ministry of Information and Communications brings Vietnam uncomfortably close to such an intrusive scenario. It stipulates that social media accounts need to be verified with a person’s real name and phone number to be able to post, comment, livestream, or engage in other forms of online interaction.

This proposal is part of the draft replacing Decree No. 72/2013/ND-CP on Internet Management, which the Ministry plans to submit in the second quarter of 2023. [1] If this draft is accepted, the identifying information of all Vietnamese citizens will be attached to them at all times whenever they step into an online space.

While Saudi Arabia sent spies to infiltrate Twitter in order to obtain the identities and locations of citizens who criticized the government and the Saudi royal family in 2022, Vietnam has taken this invasion of privacy a step further; the Vietnamese government aims to have the personal and private information of dissenters and critics sent directly to their servers. [2]

When Deputy Minister of Information and Communications Nguyen Thanh Lam proposed the creation of the draft decree, he attempted to present legitimate concerns. He argued, “There are times when the authorities identify social media account owners who violate the law but cannot trace them due to their use of cross-border applications.” [3] Therefore, “unidentified accounts will be fought against, prevented, and dealt with at different levels,” the deputy minister warned. [4]

Vietnam is not the only nation pushing for this policy. Approximately 80% of countries worldwide have enacted cybersecurity laws that enable their governments to monitor social media with various degrees of control. [5] However, it does not follow that Vietnam should do the same just because a great number of nations have implemented similar measures.

Some legal and sociological theories emphasize the inseparability of law and social context. One widely recognized aspect of legal realism is that judges and courts of law are often strongly influenced by their political views, personal values, individual characteristics, and other non-legal factors. [6] From a Marxist perspective, the law is seen as a tool of the bourgeoisie or the ruling class to maintain their economic and social power over the proletariat. This theory views the law as a means of social control and argues that it is formed to serve the interests of those in power. [7]

As such, the rationale of the deputy minister needs to be analyzed together with the context surrounding Vietnam.

On a global scale, many countries that enforce cybersecurity laws have simultaneously implemented measures that suppress or limit the freedoms of their citizens. According to statistics from Freedom House, in 2021, out of 4.5 billion people with internet access, 76% live in countries where individuals have been arrested or detained for posting content on political, social, or religious issues; 64% live in countries that block political, social, or religious content on the internet; 51% live in countries where access to social media platforms is temporarily or permanently restricted. [8] [9]

For instance, Indonesia's Information Law, originally enacted to protect consumers in e-commerce transactions, has been increasingly abused to silence political dissent. The vagueness of definitions in this law, combined with the expansion of police powers, has led to the rise of arbitrary arrests in the country. [10]

In Syria, President Bashar al-Assad's government updated its cybercrime law in April 2022 to target individuals critical of the president, the state, and the constitution.

In Egypt, the cybercrime law has been used to impose fines and imprisonment on singers who "violated family values" in a YouTube video. [11] Many more examples can be found in the infographic below.
Source: Freedom House.

It is apparent that in countries that enact cybersecurity laws, very few have well-developed legal frameworks that protect privacy and data autonomy while simultaneously upholding the essential right of citizens to freely express their opinions without fear or restriction.

Nevertheless, it is not an impossible feat. An example of an effective legal framework that manages to do both is the General Data Protection Regulation (GDPR) in Europe. After seven years of intense development, the GDPR was enacted on May 25, 2018. The regulation’s primary objective is to give users more control over their private and personal data. The GDPR ensures that users can refuse various data collection practices employed by technological companies, deny data brokers access to personal information, and totally erase all their data from various websites. [12]

Regrettably, even in these developed countries, people still struggle against the growing trend of mass surveillance, as seen in the case of the United Kingdom. [13]

Vietnam’s Intensifying Control Over Cyberspace

Considering the context of Vietnam, the country ranks low in protecting its citizens' rights and freedoms, scoring only 22 out of 100 in the Freedom on the Net report for 2022. It is also ranked 178 out of 180 in the 2023 Reporters Without Borders (RSF) World Press Freedom Index ranking. [14] [15]

Over 160 individuals are currently detained in the country for peacefully exercising their fundamental civil and political rights. Additionally, at least 27 people were sentenced to long-term imprisonment in the first nine months of 2022 for criticizing the government and advocating for human rights, the environment, or democracy. [16]

More importantly, it can be observed that the government is continuously pushing for total control over cyberspace:

• For more than two decades since internet connections became available on November 9, 1997, the Vietnamese government has continuously introduced and amended a series of laws, decrees, and circulars to regulate the internet and its users within the country. [17]

• On January 1, 2019, the Cybersecurity Law effectively stifled online civil,  political, and human rights discussions. [18]

• Decree No. 53/2022/ND-CP, which came into effect on Oct. 1, 2022, provided additional regulations on several provisions of the Cybersecurity Law. It required all businesses involved in data collection, exploitation, analysis, and processing within Vietnam's cyberspace, telecommunications network, internet, and value-added services to store their data locally. This data includes:

(i) the personal information of service users in Vietnam;

(ii) data generated by service users in Vietnam, including user or account names, the duration of their service usage, credit card information, e-mail addresses, the IP addresses of their most recent login/logout sessions, phone numbers associated with their accounts; and

(iii) data on the social networks of service users, including friends and groups that users connect or interact with (Clause 3, Article 26). [19]

This year:

  • Decision No. 06/Qd-Ttg integrated each resident's phone number with the National Population Database.
  • On April 15, 2023, mobile phone subscribers, who did not authenticate their identities, were cut off from two-way communication.
  • The Ministry of Public Security informed citizens that they will soon hold discussions with the State Bank to authenticate payment accounts.
  • The Telecommunications Law will regulate the management of Over-The-Top (OTT) applications, which include communication and entertainment applications on the internet, across borders and domestic platforms.
  • By the end of 2023, all social media account owners, whether individuals or organizations, must complete account identification procedures in order to access foreign and domestic social media platforms like Facebook, YouTube, and TikTok.
  • In addition to cyberspace, the Ministry of Public Security has also proposed issuing and managing vehicle registration plates based on the electronic identification code of vehicle owners. This is expected to be implemented on July 1, 2023. [20] [21]

It is clear that the Vietnamese government is actively building a database of the entire country’s population toward a national-scale digital identification and unification program. This development has raised concerns among experts and human rights organizations in the past. [22]

On Sept. 5, 2022, Vietnam quietly passed Decree No. 59/2022/ND-CP, which regulates electronic identification and authentication. It has been in effect since Oct. 20, 2022. [23] This decree assigns Vietnamese citizens a unique barcode corresponding to their citizen identification number, which the government calls the personal electronic identification code.

Anyone with a dedicated device can scan this barcode and reveal detailed information about a person’s life, such as the places they have traveled to with their vehicle carrying its unique license plate, the individuals they have interacted with using their identified phone number, as well as other identification data collected by Decree 53. When the draft decree on social media account identification is passed, this barcode will appear everywhere a person browses on the internet.

All legal laws and regulations that have been discussed are concerning because they have been, are being, and will be passed without transparency and without feedback from the general public. These laws have the potential to completely reshape Vietnamese society. Despite this, they are being implemented in silence.

Thinking about an Example of an Excellent Electronic Identity Program?

If a unified electronic identification program in Vietnam is unavoidable, then it is paramount to understand the key attributes that make it excellent. According to research by the McKinsey Global Institute, a good electronic identity program needs to meet the following four conditions:

  1. Verifiable: The program should be tested by experts to see if it is reliable and safe from digital attacks by unsavory elements.
  2. Unique: Each person in the program should only be assigned one electronic identification number or name.
  3. Established with Individual Consent: Individuals should be fully aware of registering for the program and provide explicit consent. They should also be informed about what kind of personal information will be collected and about how it will be used.
  4. Protect User Privacy and Ensure Control Over Personal Data: Protection measures should be built into the program to ensure privacy and security while allowing owners access to their private data. Owners should also have the right to decide who can access their data and should also be aware of who has accessed it in the past. [24]

Deputy Minister Nguyen Thanh Lam defended Vietnam's draft decree on social media account identification by arguing that it was a security measure to monitor lawbreakers who use cross-border applications. In reality, the draft law is not necessary to achieve this purpose. For instance, we can take a look at an incident that happened in the past. When analyzing racist behavior on Twitter that targeted English football players during the Euro 2020 final, Twitter's research noted that the ID verification would have been unlikely to prevent the abuse because the accounts it suspended were not anonymous. Therefore, 99% of the account owners on Twitter accounts permanently suspended from the Tournament were identifiable. [25]

This draft in Vietnam also imposes a significant burden on citizens in maintaining security and reduces the responsibility of the government and corporations. However, the solution proposed by experts is to “shift the control of digital ID from government and private actors to the person. This requires that digital ID systems are designed for privacy, giving the person control over who accesses their data.” [26]

The government could consider applying self-sovereign identity (SSI) technology, which is increasingly prevalent in electronic government systems, to enhance citizens' privacy while allowing identity verification.

Traditional identity management systems, such as mobile eID solutions (VNeID in Vietnam), are centralized and often encounter issues such as single point of failure (SPoF), where a design or operational error can lead to severe system issues; Vietnam’s current technology lacks system interoperability and threatens citizens' privacy. In contrast, SSI is a decentralized approach that allows users to fully own and manage their digital identities without relying on third parties. [27]

Some other solutions to maintain security and combat cybercrime have been proposed by experts, such as:

  • Developing a comprehensive community education program for online safety to improve online behavior within the community at all levels.
  • Identifying minimum industry standards for government employees, including managers, technology staff, and software developers. For example, the U.S. Department of Defense has introduced industry certifications for government personnel involved in data handling.
  • Creating a list of strategies that small and medium-sized businesses can implement to reduce the risk of cyberattacks and providing government programs to small businesses.
  • Focusing on enhancing healthcare, legal, and education cybersecurity systems. According to the Office of the Australian Information Commissioner, these three sectors have low maturity in network management systems and are the prime targets for breaches and data leaks. [28]

The common argument that states, “Privacy has to be sacrificed to achieve security,” is not an absolute truth. Citizens' security and privacy are not mutually exclusive but can be protected together if the government approaches the situation with a comprehensive and more human rights-oriented perspective. Unfortunately, the Vietnamese government has not pursued this option.

For now, the battle for privacy rights does not favor social media users and the overall community. In Vietnam, the right to free conversation is restricted, but according to Luat Khoa Magazine, political and social discussions will continue to persist. Internet users and the entire population will continue speculating on various social problems and issues in their homeland. [29]

This article was written in Vietnamese and previously published in the Luat Khoa Magazine on July 3, 2023. Lee Nguyen translated this into English.


1. Người dùng mạng xã hội ở Việt Nam sẽ được định danh thế nào. (2023, May 17). VnExpress.

2. Amnesty International. (2023). Saudi Arabia: Alarming crackdown on online expression. Amnesty International.

3. Việt Nam yêu cầu người dùng mạng xã hội xác minh danh tính. (2023, May 9). BBC News Tiếng Việt.

4. See [1]

5. Cybercrime Legislation Worldwide. (n.d.). UNCTAD.

6. Leiter, B. (2008). American Legal Realism. In Blackwell Publishing Ltd eBooks (pp. 50–66).

7. Review: Marxist Legal Theory and Legal Positivism, JSTOR. (n.d.).

8. Dennis, M. A., Kahn, R. (2023, June 26). Internet | Description, History, Uses, & Facts. Encyclopedia Britannica.

9. Freedom House. (n.d.-a). Countering an Authoritarian Overhaul of the Internet. In Freedom House.

10. Hamid, U. (n.d.). Indonesia’s Information Law has threatened free speech for more than a decade. This must stop. The Conversation.

11. Holleis, J. (2022, May 15). How cybercrime laws are silencing dissent in Mideast.

12. Hern, A. (2018, August 2). What is GDPR and how will it affect you? The Guardian.

13. Nguyễn Quốc Tấn Trung. (2022). Nền dân chủ lâu đời nhất thế giới có phải là một quốc gia giám sát? Luật Khoa Tạp Chí.

14. Freedom House. (n.d.-f). Vietnam. In Freedom House.

15. Vietnam. (n.d.). RSF.

16. Vietnam. (2023). Human Rights Watch.

17. Trần Long Vi. (2022). 20 năm làm luật kiểm soát Internet ở Việt Nam | Luật Khoa tạp chí. Luật Khoa Tạp Chí.

18. Quoc-Tan-Trung Nguyen, Thi-Hong-Ninh Bui, and Hong-Thanh Phung. (2022). Human Right Concerns in Vietnam’s Cybersecurity Law: From International Discourse to a Comparative Perspective. Journal of Human Rights Practice, 14(3), 968–985.

19. Nghị định 53/2022/NĐ-CP hướng dẫn Luật An ninh mạng mới nhất. (n.d.).

20. Lê Hiệp. (2023, May 8). Tất cả chủ tài khoản mạng xã hội Facebook, TikTok. . . sẽ phải xác thực danh tính. Báo Thanh Niên.

21. Bộ Công an đề xuất cấp và quản lý biển số xe theo mã định danh của chủ xe. (2023, March 17). Tuoi Tre ONLINE.

22. Solomon, B. (2018, September 28). Digital IDs Are More Dangerous Than You Think. WIRED. và OHCHR. (n.d.-a). A/HRC/51/17: The right to privacy in the digital age.

23. Nghị định 59/2022/NĐ-CP định danh và xác thực điện tử mới nhất. (n.d.).

24. Digital identification - A key to inclusive growth. (2019, April). McKinsey Global Institute.

25. Combatting online racist abuse: an update following the Euros. (n.d.).

26. Digital identities in 2023 | DW Observatory. (n.d.). Digital Watch Observatory.

27. Pöhn, D., Grabatin, M., & Hommel, W. (2021). eID and Self-Sovereign Identity Usage: An Overview. Electronics, 10(22), 2811.

28. Manuel, D. (n.d.). Seven ways the government can make Australians safer – without compromising online privacy. The Conversation.

29. Võ Văn Quản. (2023b). Đồn đoán chính trị trong vụ xung đột ở Tây Nguyên là vũ khí chống lại độc quyền thông tin. Luật Khoa Tạp Chí.

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to The Vietnamese Magazine.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.