Digital privacy: an overlooked side of civil liberties in Nepal

A series of policies adopted by the Government of Nepal in the last few years reveal a pattern of data collection and surveillance that puts an individual’s right to privacy at risk. As explained in a previous article on biometric identification in Nepal, the government is piloting the national identity project this year. The digitization of all vital records – birth, marriage, divorce, death, and migration –  is underway this year.
But these hobbled attempts at e-governance come with a cost, particularly in their current form and absent legal protections. While often overlooked, a citizen’s right to privacy is a fundamental civil liberty that is guaranteed in the Constitution of Nepal. Creating new systems without serious safeguards for these rights can lead to identity theft and worse.

The Election Commission is a case in point. It collected biometric data on over 12.9 million voters for the purpose of ID cards, and now hosts the largest biometric databases in the country. These ID cards, it was initially thought, would be morphed into national ID cards; the idea was later abandoned. The data on millions of Nepali, however, remains in their servers. Stagnant and without a clear purpose,  all that private information of millions of citizens is now in the danger for abuse.

The national identity project is the ultimate Achilles heel, whose first phase begins this year with support from the Asian Development Bank. The first lot of the cards will be printed this year, but once again, the government goals are unclear. While the uniqueness of these biometrics-based cards is already being touted, no one clearly knows how exactly will this card come to use. These cards will not only record a citizen’s information for identity verification, but also have an archive of their financial transactions. And it’s not just the lay citizen that are in the dark about these technological developments in governance, but also the bureaucrats who aren’t quite versed on the risks involved.

The recent case of the hosting of “smart” driving-license database in India, which raised a national concern around data protection, is another important example. The Department of Transportation, in an ad-hoc decision, contracted Madras Security Printers, an Indian company, to help print “smart” licenses intended for Nepali drivers. In the process, they transmitted the database with individual driver information to the company servers in Chennai. A stay order by the Supreme Court has at present forced the Department to stop handing out this information, but the final verdict is yet to be reached.

The massive dragnet hoovering up personal data poses the further risk of function creep. Data collected for one purpose can be used for another, like surveillance. A case filed at Supreme Court in 2012 drew attention to the potential misuse of data by government personnel. Nepal Police retrieved SMS and phone-call records of over 500,000 individuals during the investigation into the murder of Supreme Court Justice Rana Bahadur Bam. A newspaper report noted that police personnel went beyond the scope of the murder investigation, reading for “entertainment” the private messages sent by the cell phone users

The government is not the only entity gathering biometric data and identification details in Nepal. Commercial services, such as registering a SIM-card or a bank account, require fingerprinting, photographs, and other key customer details as part of their know-your-customer schemes. Ncell and Nepal Telecom, two of the largest telecom providers in the country who were also defendants in the 2012 case, indicated that there was a need for balance between privacy and law enforcement, a curious case for companies with the responsibility to protect privacy of tens of millions of customers.

Until they are standardized, digitized and centralized, the data on us may still be protected in a limited way by what is called “practical obscurity.” The physical location of the databases in paper form in offices scattered around the country requires physical and financial resources to retrieve, limiting the danger of a massive information compromise.

The Right to Information Act is the only legal statute that touches on the right to privacy and requires the government to prevent unauthorized release of personal information. However, the Act does not specify how much data the government can collect on you. Data collection laws in Nepal also do not specify for how long can these data be stored for, therefore increasing the risk of future leaks and repurposing. Information collected for benign reasons can pose grave dangers to civil liberties. In places prone to discrimination, such data is used in racial profiling and “pre-emptive crime prediction.” Mandatory identity cards can also be used as internal passports to limit people’s mobility or discourage voting. From creepy to invasive and discriminatory, such data collection and misuse must be avoided.

Photo credit: Jessica Lucia / Flickr