​​Towards digital authoritarianism in Nepal: Surveillance, data collection, and online repression · Global Voices
EngageMedia

Image via EngageMedia. Used with permission.
This article is part of Pandemic of Control, a series that aims to further public discourse on the rise of digital authoritarianism in Asia-Pacific amid COVID-19. Pandemic of Control is an initiative by EngageMedia, in partnership with CommonEdge. This edited version of the article by Samik Kharel is republished in Global Voices under a content partnership.
In Nepal, the COVID-19 pandemic sped up the process of bringing public and private services online: from food delivery and shopping to government transactions. These changes came with many downsides, with data and privacy rights often not respected.
Nepal does not yet have the technology and expertise to be globally competitive in the digital world. Instead, it has looked to its closest neighbours, China and India, for guidance. However, seeking ideas from countries that have largely failed to respect basic digital rights puts Nepal in a vulnerable position.
From questionable data collection practices to the curtailment of free speech, Nepal is leaning towards an authoritarian model of internet control, with COVID-19 accelerating this development.
China holds a poor digital rights record, with rights groups flagging its online censorship rules and deployment of mass surveillance against the Uyghur Muslims, among other rights violations. Similarly, India has been widely criticised for procuring spyware, imposing internet shutdowns, and passing IT laws that do not conform to global rights norms.
In 2019, Nepali media reported on government plans to mount over 21,000 CCTV cameras for street-level surveillance. This is in addition to the thousands of surveillance cameras that are already installed in the Kathmandu Valley. Authorities say the cameras deter criminal activity, but they have also been used by police to monitor protests and other forms of expression. During the COVID-19 pandemic, police used these cameras as well as drones to monitor people’s movements and adherence to lockdown rules, publicly flaunting their use of this technology on their official YouTube channel.
In April 2022, a major Nepali daily reported that the government had purchased the Pegasus spyware system and handed it to the Nepal Army for trial use. While the government claims the system is to ensure citizen safety and security, there has been widespread criticism of the spyware and its misuse by governments around the world.
The government approach to COVID-19 vaccination built in a huge amount of personal data collection. To date, 70 percent of the total population has received at least one dose, requiring more than 20 million people to share their personal information with the government, including to obtain an official vaccine certificate. However, whether this massive dataset of personal information is kept secure is questionable.
When the government announced booster shots for frontline workers in mid-January 2022, journalist Rajendra Rai (name changed) rushed to the vaccination centre. He filled out a vaccination form on the health ministry website via his phone, giving personal information including his name, birthdate, address, and occupation.
This personal information could be used as a weapon by political parties and the state, especially with the federal and provincial elections coming up in late 2022.
Who ensures the safety of the collected data, especially given previous instances of potential data misuse that call into question the government’s ability to ensure data security? In the 2022 local elections, voters from particular areas received SMSes and emails from political parties; it is unclear how they obtained voters’ contact details — could have come from public service forms submitted to the government.
Body and Data, a digital rights organisation in Nepal, flagged privacy issues related to election campaigns:
Another example of how citizens’ phone numbers are shared without their consent for the election campaigns.
Sign our signature campaign petition requesting the Election Commission to secure our privacy!https://t.co/WzMUxgc0sa#dataprivacy #privacy #localelection2022 https://t.co/oHZphEak5j
— Body & Data (@bodyanddata) May 11, 2022
The Election Commission of Nepal also came under fire for releasing a list of the 17.7 million voters on its website, which included details of their names, ages, genders, voting booths, voter ID numbers, and even their parents’ and spouses’ names. While civil society and rights groups criticised this privacy breach, the authorities did not remove the list, arguing that “there should be no concern of a breach of privacy” because the data did not include voters’ photos, thumbprints, or phone numbers.
The government’s response suggests the authorities do not sufficiently understand the risks associated with a lack of digital security safeguards. Officials appointed to oversee the vaccine registration process are often unaware of where the data is being stored, how long it will be stored, and how it will be used, according to an anonymous, personal source from the health ministry. How, then, can one be assured that their personal data is secure?
Although civil society, human rights defenders, and concerned individuals have nudged the government to be more responsible with data, Nepal has yet to enact comprehensive data protection and privacy laws. Citizens also lack sufficient awareness and understanding of the potential for data misuse.
In 2020, Nepal was ranked 112th out of 180 countries on the Reporters Without Borders’ Press Freedom Index. The pandemic provided the government with an opportunity to undermine press freedom further, in an attempt to control narratives on the health situation. Nepalese journalists were attacked, censored, and arrested over their critical reporting of the government’s COVID-19 response. Police detained Radio Dhangadhi reporter Lok Karki for filming a disagreement over the distribution of food and relief goods. Nagarik News bureau chief Nagendra Upadhyay received threatening messages from a regional government official over his report that the official’s wife had been driven in a government car at the height of the lockdown. In March 2020, a report on the online news portal Kathmandu Press was taken down following pressure from the prime minister’s aide. This report alleged relatives of several high-ranking government officials were involved in the purchase of expensive medical equipment from China.
In April 2020, journalists reported about an exodus of workers from the Kathmandu Valley as a result of COVID-19 lockdowns. Reacting to the news, the prime minister told the editors of government newspapers that he found the reports “mysterious” — questioning their very basis. These comments were followed by a government-orchestrated online harassment campaign against journalist Binu Subedi using bogus Twitter accounts.
During this time, the government has continued to use the 2006 Electronic Transaction Act (ETA) to arbitrarily detain those criticising the government and leaders of the ruling party. The ETA, initially drafted to regulate financial scams, has become a convenient tool to criminalise speech online. Section 47 of the act prohibits the electronic publication or display of material deemed illegal under existing laws, but is so broad to include those “which may be contrary to the public morality or decent behaviour” or materials that may spread hate, jealousy or jeopardise “harmonious relations” among the people. This law was used against Radio Nepal board member Deepak Pathak, who was arrested in April 2020 for defaming Nepal Communist Party leader Pushpa Kamal Dahal on social media.
An Information Technology (IT) Bill, which would give the state the power to censor online content it deems offensive, is in the works. The bill also includes provisions for the arrests and jail term for anyone posting content deemed to be against “national unity, self-respect, national interest, relationship between federal units.” The proposed law also contains provisions that are vague and open to interpretation and possible misuse.
Worse than the IT Bill is the proposed Social Media Directive 2021, which would compel social media companies to register in Nepal and abide by the country’s laws. The proposed directive has been widely criticised for its intent to regulate content on social media, opening the door to further state censorship. By laying out only a vague idea of what constitutes illegal content, anyone criticising power structures or using humour and sarcasm against the state may face punishment. The bill also targets anonymity, threatening people’s free expression. The main purpose of the directive is to control online discourse, minimise public engagement in controversial state affairs, and neutralise those critical of the government.
The government’s pandemic response has opened the door to a wide range of threats to human and digital rights in Nepal — from the crackdown on critical voices to the lack of safeguards for digital data, and laws curtailing free speech. With the influence of its neighbours with poor digital rights records, Nepal must decide on its own path if it envisions a free, egalitarian, and democratic digital ecosystem.