It’s a tricky balance. Technology makes it easier to access services of all kinds but it also adds to our vulnerability if the devices and systems we use are not secured against data theft and leakage. The same is true in the case of the National ID card scheme.
As a digital solution to prevent duplication of voter registration and identity theft, and to maintain proper records of internal migration of voters, Nepal in 2010 launched a pilot project to distribute to its citizens national identity cards with the bearer’s photograph and fingerprints.
The government announced that all citizens would get their national identity cards ‘very soon’ and the social security allowance would be distributed on its basis. But it officially inaugurated a National ID distribution campaign only in 2018 by presenting a card to a 101-year-old woman in Panchthar district, and to government employees at Singha Durbar, the central secretariat.
National ID is a federal-level digital identity card that holds the personal and biometric data of the cardholder including the name, birth date, sex, photo, prints of all fingers and digital signature on a computer chip.
But amid concerns by cybersecurity experts over the security of sensitive personal data and its possible misuse, government authorities claimed that the data is foolproof. Many others are sceptical, citing the 2018 leak of Aadhaar card data of hundreds of millions of Indians. Hackers had stolen people’s personal data and put that up for sale.
An Aadhar Card is a 12-digit unique number issued by the Unique Identification Authority of India, that holds biometric details, and demographic information like date of birth and address.
“In Nepal, too, both government and private organisations have been collecting huge amounts of sensitive private information on individuals, but nobody seems bothered about the data’s security,” said Rajib Subba, former deputy inspector general of Nepal Police who is an information and security expert.
He sees data and information as important assets of any country. “You could say it’s the ‘new oil’. If managed properly, it helps the country progress and prosper, but if not, this could bring many unwanted results,” warned Subba.
He gives the example of how, in 2017, Equifax, an American multinational consumer credit reporting agency, announced a data breach that exposed the personal information of 147 million people.
According to the Department of National ID and Civil Registration under the Home Ministry, till now 120,000 cards have been distributed across Nepal, and over 700,000 have been printed.
“We have collected the biometric data of nine million people, and we are sure we can secure their identity,” said Tirtha Raj Bhattarai, director general of the Department of National ID and Civil Registration.
However, Nepal’s cybersecurity record is patchy, and based on neighbouring India’s Aadhar data breach, cybersecurity experts are concerned about the safety of Nepal’s national ID card data.
“I don’t see proper guidelines to secure the national ID data. It seems our government has not learnt from India, which is still struggling to resolve security issues with the Aadhar card data,” said Bijay Limbu, a cybersecurity expert who is also the chief executive officer at Vairav Technology.
In India, ever since the launch of the Aadhaar Card, the country has seen many cases of duping and misuse, and Aadhaar rackets are getting bigger and murkier by the day.
In the past decade, there have been numerous Aadhar-related hassles in India, especially among the disadvantaged groups—government officials allegedly demanded bribes to make the card in order “to fix technical glitches”.
Similarly, a significant minority of people, especially among the elderly and disabled, were turned away from enrolment centres, and for poor people, correction or update of Aadhar cards–even simple changes like updating an address or marriage–has been a daunting task, according to the Indian media.
In 2018, some 20,000 pension holders–mostly women in Jharkhand–were deleted from the list of beneficiaries because of ‘faulty linking,’ according to BBC news. In 2017, it was reported that a billion identities were at risk on India’s biometric database.
Limbu says such incidents are likely to occur in Nepal too, “but the government doesn’t seem concerned”.
“If we are not judicious, Nepal may face problems bigger than India is now facing. India is in trouble as its government failed to anticipate all the glitches that could arise while distributing Aadhaar cards,” said Limbu.
Several incidents of information leak of individuals through Aadhaar have been reported in India. In 2017, former Indian cricket captain MS Dhoni’s personal information was mistakenly tweeted by an enrolment service provider. Also, many have termed Aadhar a tool of state surveillance.
In a story published by BBC.com, Indian political scientist Pratap Bhanu Mehta said the Indian government was transforming the Aadhaar card from a tool of citizen empowerment into a tool for state surveillance.
In Nepal, data security is weak and hackers have found loopholes on popular websites. As many government websites are often hacked, cybersecurity experts say it won’t be easy to secure the data of National ID cards.
In 2017, a year before the government officially started distributing National ID cards, 58 government websites were hacked by a group that called itself “Paradox CyberGhost”. The web sites of the Ministry of Defence, Office of the Auditor General and the Nepal Law Commission were also hacked.
In conversation with the Post, the hacker had claimed that the act was just a “vulnerability test,” and that they had no ulterior motives. The hacker also claimed that all 58 sites were hacked in just ‘three minutes’.
In 2015, the web site of the President of Nepal was hacked. The website of the Department of Passports was breached in the same year.
On November 17 last year, the Department of Passports started issuing e-passports and made the National ID card mandatory for all passport applicants.
“National ID comes under critical infrastructure, but in our country there are no guidelines on their security and there is no system to secure it,” said Limbu.
He further said the National ID card’s information is sensitive both from the individual and national security perspectives.
“It’s unfortunate that Nepal does not consider cybersecurity a matter of national security. And if there is data theft, we don’t have any government agency to handle it except the largely ineffectual e-governance commission,” said Limbu.
He said there is a possibility of theft of identity of a citizen with a fake account. “Before such a system was introduced, the government should have adopted all possible preventive security measures,” said Limbu.
Besides, cybersecurity experts also blame the government for not running awareness programmes on data safety. Experts say, regarding the National ID, the government is focused only on collecting data from citizens, not on safeguarding them.
“Sooner or later we have to face the consequences,” said Limbu.
Although the Constitution of Nepal, 2015 mentions an ‘integrated national identity management information system,’ and guarantees the ‘right to privacy’ in Article 15, experts say the provision has been largely ignored.
The National Identity Card and Registration Act, 2020 states that personal privacy would be ensured while implementing this law. However, this is not the case.
“It does not talk about data protection, and the document is riddled with loopholes,” said Prabin Subedi, a cyberlaw expert.
Although Nepal has a national cyberlaw called Electronic Transaction Act 2063 (2008), it is ill-equipped to deal with emerging cybercrimes, for lack of periodic reviews.
“The government should run campaigns to make people aware of the security vulnerabilities and ways to protect their private data,” said Subedi, who has an LLM in Information Communication Technology Law from the University of Oslo, Norway.
He further pointed out the lack of a policy on cross-border data transfer via embassies, hospitals and driving licences.
“In our case if somebody’s data is stolen, s/he does not have a place to report, and there is no remedy for the victim, and so just about anyone can be blackmailed,” said Subedi.
Subba, the information and security expert, says the only way to tackle this problem is to introduce mandatory IT security auditing procedures and increasing government investment in data security.
“The government should come up with a policy to invest in data security and data auditing. Besides, we urgently need a clear law to tackle data theft and misuse.”