Nepal’s Data Privacy Dilemma: Is Citizens’ Data at Risk?
Approximately three years ago, I published an article titled Why We Should Take Privacy & Security Seriously? (TechPana, 2021), highlighting how users unknowingly leak personal data on social media and the severe consequences that follow. We have long advocated for better data security practices, emphasizing the need for users to protect their data and carefully consider what they post online. While individual caution is crucial, what happens when sensitive information is publicly disclosed by the government?
In this digital age, data is often regarded as an invaluable asset, akin to property. However, for an extended period, the Department of Transport Management (DOTM) in Nepal has been publishing users’ personal information, including full names, parent names, and citizenship numbers, on public platforms. While names may not always be considered highly sensitive, citizenship numbers — unique, lifelong identifiers — pose significant risks if exposed.

As you can see, DOTM is publishing all written test reports of citizenship data on their website and various social media platforms, such as Facebook, including sensitive information like citizenship numbers.
The Issue with Citizenship Numbers
Citizenship numbers are permanent identifiers assigned to individuals and can be misused in various ways. I raised this issue in an IT-related group nearly three years ago. I later learned that a law student brought this concern to the authorities, even filing a case against the DOTM (TechPana, 2024). Despite some initial efforts, the DOTM has continued to publicly disclose sensitive information on its website and social media platforms over the past six months. This raises the question: Are we unknowingly breaching our sensitive data online due to a lack of proper laws and regulations?
While Bivek has filed a case under the Personal Information Act 2075, Section 11, there is still no comprehensive law like GDPR or HIPAA to protect users’ Personally Identifiable Information (PII). According to a statement from DOTM, they need to upgrade the software to resolve these issues. However, software problems should not be used as an excuse for violations of citizens’ privacy and data. Their actions suggest a lack of seriousness in addressing this critical issue, which must be resolved immediately.
Lessons from Global Standards
Countries with advanced data protection laws offer valuable lessons. For instance, the European Union’s General Data Protection Regulation (GDPR) emphasizes responsible handling of personal data. Organizations must ensure transparency, security, and respect for individuals’ rights. Under GDPR, disclosing personal data without consent or legal justification can lead to severe penalties:
- Administrative Fines: Up to €20 million or 4% of the company’s global annual revenue, whichever is higher.
The GDPR considers identification numbers, such as social security numbers, passport numbers, and driver’s license numbers, as personal data. Similarly, in the United States, the Health Insurance Portability and Accountability Act (HIPAA) protects medical information. Unauthorized sharing of such data can result in lawsuits and hefty fines.
Unfortunately, Nepal lacks robust data protection laws, leaving citizens vulnerable. The DOTM’s delays in upgrading its systems and addressing these sensitive issues further exacerbate the problem.
Why Public Disclosure of Citizenship Numbers Is Dangerous
Disclosing citizenship numbers publicly has far-reaching consequences. Here are some key risks:
1. Access to Comprehensive Personal Information:
Citizenship numbers can be exploited to retrieve additional data from government portals, such as the Election Commission’s database. Before generating the voter ID, the citizenship number was required as a form of verification; however, since we had already found it via DOTM’s social media, this requirement could be easily bypassed.


As you can see, I was able to easily generate the voter ID card using just the citizenship number. Other information, such as date of birth, parents’ names, full address, and voting place, can be easily obtained.
Once we obtain that information using only the citizenship number, we can generate the NID information, as shown in the following screenshot.

2. SIM Card Fraud:
In Nepal, purchasing a SIM card requires a photocopy of a citizenship ID and a photograph. Malicious actors could use stolen details to issue SIM cards for fraudulent activities. If a crime is committed, the blame would fall on the rightful owner of the ID, not the perpetrator.
3. Passport Verification Bypass:
Passport verification often requires citizenship numbers. If this information is leaked, it could be exploited to find the lost passports.

4. Social Media Account Compromises:
Social media platforms sometimes ask for government-issued IDs for account recovery. Leaked IDs could enable hackers to gain unauthorized access to accounts, leading to further misuse.

As you can see, by knowing just the citizenship number, we were able to access any user’s information, including downloading the citizen’s voter ID and NID, as well as bypassing social media verification.
Recommendations
To mitigate these risks and protect citizens, immediate action is necessary. Here are some recommendations:
- Adopt Alternative Identifiers:
Replace the use of citizenship numbers with temporary or anonymized identifiers for online verification processes.
- Implement Secure Notification Systems:
Instead of publishing personal information online, the government could adopt SMS-based systems to notify users of their status (e.g., pass/fail) securely.
- Establish Comprehensive Data Protection Laws:
Nepal should introduce laws aligned with global standards, such as GDPR, to ensure accountability and safeguard sensitive personal data.
- Increase Public Awareness:
Educate citizens about the importance of data privacy and the risks associated with sharing personal information.
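One way to implement the alternative-identifier recommendation above, as an added example that is not DOTM's or the author's code: a result list is published with a keyed, per-exam reference code in place of names and citizenship numbers, and a check runs before publication. The exam ID format, key handling and sample records are assumptions constructed for illustration; the applicant would receive the reference code privately, for example on the application slip or by SMS.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample records; names and numbers are made up for illustration.
APPLICANTS = [
    {"name": "Applicant One", "parent": "Parent One",
     "citizenship_no": "12-01-75-00001", "result": "PASS"},
    {"name": "Applicant Two", "parent": "Parent Two",
     "citizenship_no": "12-01-75-00002", "result": "FAIL"},
]
PII_FIELDS = ("name", "parent", "citizenship_no")


def result_reference(exam_key: bytes, exam_id: str, citizenship_no: str) -> str:
    """Derive a per-exam reference code with HMAC-SHA256.

    Without exam_key the code cannot be reversed to the citizenship number,
    and binding exam_id into the input makes codes unlinkable across exams.
    """
    msg = f"{exam_id}|{citizenship_no}".encode()
    digest = hmac.new(exam_key, msg, hashlib.sha256).digest()
    return base64.b32encode(digest[:10]).decode()  # 10 bytes -> 16 characters


def publishable_rows(exam_key: bytes, exam_id: str, applicants: list) -> list:
    """Build the public list: reference code and result only."""
    rows = [{"ref": result_reference(exam_key, exam_id, a["citizenship_no"]),
             "result": a["result"]} for a in applicants]
    # Sort by code so row order does not mirror registration order.
    return sorted(rows, key=lambda r: r["ref"])


def leaks_pii(rows: list, applicants: list) -> bool:
    """Pre-publication gate: True if any applicant's PII value appears in rows."""
    blob = repr(rows)
    return any(a[f] in blob for a in applicants for f in PII_FIELDS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # assumption: kept server-side, one key per exam
    rows = publishable_rows(key, "written-test-0001", APPLICANTS)
    if leaks_pii(rows, APPLICANTS):
        raise SystemExit("refusing to publish: PII found in output")
    for row in rows:
        print(row["ref"], row["result"])
```
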
Conclusion
The public disclosure of sensitive personal information, such as citizenship numbers, poses a significant threat to privacy and security. Without proper laws and systems in place, citizens are left vulnerable to identity theft, fraud, and other malicious activities. Governments must take urgent action to address these issues by implementing secure systems and enacting robust data protection regulations. By learning from global standards and prioritizing citizen privacy, we can ensure a safer digital future for everyone.
References:
https://www.techpana.com/2024/146943/it-is-the-government-that-violates-the-privacy-of-citizens