Author: Shubha Kayastha

Recent events reveal just how vulnerable data privacy is in Nepal

While the Nepali people struggle to cope with the coronavirus crisis, the Nepal government has been working towards bringing a new set of regulations that may significantly curb the fundamental rights of its citizens. In May, the National Assembly endorsed the Nepal Special Services Bill which authorises intelligence agencies to access and collect information on ‘suspects’ through the electronic medium, including phone tapping, without a court order. The bill is yet to receive approval from the House of Representatives before being implemented. However, an endorsement from the National Assembly is in itself an alarming development. The law will compromise our right to privacy while increasing state surveillance. This is especially disconcerting given that the Nepal government, in recent years, has made a series of moves that curtail civil liberties.

In particular, a series of incidents in the recent past have undermined the privacy rights of Nepali citizens. The removal of a news report from Kathmandu Press, an online portal developed by Shiran Technologies, revealed the larger issue of misuse of government data. The deleted news report revolved around the purchase of Covid19 medical supplies from China and named the individuals alleged to have been involved in corruption, among whom Asgar Ali is a key player. Ali simultaneously holds the positions of business partner in Shiran’s parent company F1Soft International Private Limited and IT consultant to the prime minister. F1Soft has also been contracted to develop a new biometrics system which will be used to upgrade the immigration information system.

Additionally, Ali has access to citizens’ data from different departments, including immigration, labour, foreign employment, and the home ministry as his relatives are consultants hired to develop a Citizens App. Originally, the data was meant to be used at the National Information Technology Centre, but was transferred to the prime minister’s office. Citizens App has been designed for use in driver license applications, Permanent Account Number, public service commission examinations, land registrations, company registrations, social security and civil registrations such as births, marriages and divorces. Overall, it has been promoted as a way to make people’s lives easier by centralising information from one’s SIM card and citizenship (or passport) number. But this means that every individual’s call and travel records, internet usage, income, property details, and personal information such as marital status and gender identity, among others, will be collected and recorded, making it far easier to identify and monitor them.

In April, news surfaced that Ali has also been promoting his company eSewa by stopping the operation of a payment gateway system that the government has already purchased. ExtensoData, a company under F1Soft International, already provides services to analyse and sell business data from Nepal.

Technologies should empower citizens. However, huge amounts of citizens’ data are being collected, manipulated and misused for profit-making by a handful. To make matters worse, the same set of people are in the powerful position of advising the prime minister on IT-related decisions. All this is happening at a time when the Nepal government is digitising several of its services. Projects like the Citizens App and the biometrics national identity card have garnered criticism from various civil society members and tech communities for the way they impinge on citizens’ rights to privacy and freedom of expression. Mass surveillance by the state and risks to data security also pose challenges to the way in which these technologies are manoeuvred effectively and ethically by the government.

Given China’s commitment to Nepal, which vaguely mentions technology within the 10-point agreement, there is a need to be extra vigilant over the government’s digitisation projects. China already has a trend of selling surveillance technology to other countries, helping them deploy it at a time when such technology is being adopted around the world by authoritarian governments to curb freedom of expression, assembly and association as well as the rights to privacy and information.

Data hacks

Already, several incidents of targeted hacking have shown how vulnerable data security mechanisms are in the country. Information was hacked from many companies and institutions including Foodmandu, Vianet Communications, Prabhu Money Transfer and Tribhuvan University. Hackers also hacked the websites of the Ministry of Agriculture, National Muslim Commission and the Central Library and made their login details public.

After the data breach, the companies informed their customers via email and messages about the breach and sought support from the Cyber Crime Bureau to find the hackers, but failed to do so. Twitter handles such as ‘SATAN’ (@Cyber_hell_god) and ‘Mr. Mugger’ (@mr_mugger) have surfaced claiming responsibility for the hacks, saying that they were done as a lesson to show the security vulnerability of all such data. These breaches in data, however, made public thousands of Nepali citizens’ personal details, including their phone number, email address, citizenship number, location and other details, and they could still be in the hands of criminals. After the incidents, users of these services complained about receiving spam messages and calls. In some cases, specific individuals appear to have been targeted.

Violation of privacy can lead to cyber crimes such as phishing, sextortion, extortion and doxing. Such crimes can have a serious impact on already marginalised groups such as queer individuals, and those working in sensitive areas including activists, journalists and sex workers, among others.

Some users have raised their concerns over the security measures adopted by these companies. While the companies rushed with public statements of apology and assurance that they will take measures to protect the privacy of their users and fix the security vulnerabilities on their platforms, they haven’t been transparent about the possible risk to users.

The companies that profit out of the services they provide to customers through fees, from advertisements or by cashing out customer data, so far haven’t invested in systems that secure this data. It is time to raise questions about their accountability. There needs to be greater transparency in how companies and institutions use, share, store and destroy customer/user data. All of this should be governed by rule of law.

Digital mechanisms for Covid19

Globally, countries are deploying contact tracing to counter the Covid19 pandemic. Contact tracing is an important public health tool used to control transmissible diseases which require identification of people who may have come in contact with an infected person. This helps to test those people who are at risk of contracting the disease. Countries like Singapore, China, Israel, South Korea, Brazil and the US have been deploying surveillance technology to combat the pandemic. Specifically, they have been tracking location through smart device applications, geo-location, mobile networks and CCTV footage. In most countries, this has been voluntary, while some states have enforced it as rule of law.

Since the start of the pandemic, there has been an ongoing conversation in Nepal about how to deploy contact tracing in order to find patients and determine their behaviour using available technologies, whether they be CCTV footage or geo-location from mobile networks. Accordingly, multiple contact tracing apps have been developed, while some are in the process of being developed. Government bodies such as the Kathmandu Municipality, home ministry, Ministry of Information and Technology, Ministry of Health and Population, the Nepal Army and some local government administrations have already been using some of these apps. These apps help monitor those who are infected with Covid19, provide them with information and facilities, and track others who have come in contact with them. But contact tracing only works when it goes hand-in-hand with testing. In a rush to showcase how the state is responding to the pandemic, contact tracing right now looks merely like a stage-show that disguises the ineffectiveness of the government, given the lack of mass testing.

In a country where internet penetration accounts for only 60 percent of the population, with very limited digital literacy, contact tracing may prove to be altogether ineffective. Already, there has been much debate on how tracing has proven to be far less effective than was initially projected. Public health professionals have mentioned how contact tracing hasn’t worked in cities. Indeed, data collected through digital contact tracing can be highly inaccurate and exclusionary, especially as it leaves out a large number of people, including children, who do not have access to smart devices. This also creates a false sense of safety when posed as a solution for the pandemic, and can instead prove fatal.

Besides using digital means of tracing, we have also seen local authorities tracking migrant returnees through more analogue means such as marking their homes, collecting information on people travelling within Kathmandu manually, mobilising the police to find foreign returnees, and asking citizens to report any suspicious cases. Ordinary citizens are taking the onus of tracking and revealing information to authorities of people who are at the risk of contracting the virus. In this process, personal information of several individuals who contracted the virus has been released publicly without their consent. This has only led to targeted trolling, online bullying and even threats. Such practices could expose people to the risk of violence and social stigma, thereby discouraging many from opening up about their travel history or seeking medical help.

While collecting and using data can be crucial in dealing with the pandemic, risks arise when there isn’t much clarity about how such data is being used, who has access to it, how the privacy of individuals is being maintained, where data is being stored, for how long it will be retained, and when it will be deleted. Data hoarding can compromise personal privacy and could even be misused for mass surveillance. There is also a risk of the practice of mass surveillance being normalised amongst a citizenry where health and privacy are presented as mutually exclusive categories. The right to privacy needs to be upheld while implementing any surveillance and tracking technologies to counter the pandemic. In addition, the government needs to be clearly communicating to citizens about the measures it is using and their impact on citizens’ privacy.

The future of data security

The Nepal government has been rushing towards digitisation, along with mass surveillance, as a means to ensure better service, national security and public safety. But this should not happen without taking into account how digitisation and surveillance may increase instances of human rights violations. Surveillance can easily be used as a tool by a patriarchal state to control its citizens, using power to change their behaviour, and restricting civil liberties, especially of marginalised communities.

As it stands currently, a huge amount of Nepali citizens’ sensitive data is in the hands of individuals in positions of power who could easily manipulate it for their vested interests, especially given that there is no transparency on the nature of public-private partnership in these areas. Given the lack of data protection laws, poor implementation of laws around privacy and the recent instances of curtailing of freedom of expression and press freedom in the country, neither citizens nor their data is protected. The collected data could be used against citizens, putting them at further risk.

Existing laws such as the Electronic Transaction Act 2008 and Privacy Act 2019 and Nepal’s commitment to international human rights instruments such as the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights ensure every Nepali citizen’s right to privacy in physical as well as digital spaces. The 2015 Constitution of Nepal also enshrines this right. But implementation of these laws is far from real, and many loopholes existing within the system have repeatedly undermined them. We need a wider public discussion on data privacy and data protection in Nepal so that technology can be used to empower people through a transparent process of collection and use of data from both state and non-state actors.

First published in The Record