The government’s recent decision to expand the distribution of national identity cards, which include personal and biometric data, in all the districts at the same time has alarmed digital security experts, and lawmakers. They say the government hasn’t sufficiently addressed the safety shortcomings regarding the access and storage of such a huge volume of sensitive personal data of nearly 30 million Nepalis.

Last November, the government began a pilot programme funded by the Asian Development Bank to distribute digital identification cards in Panchthar in eastern Nepal and for the Singha Durbar staff. This was in accordance with the government’s policy from 2009, which envisioned providing digital identity card, with a unique identification to all Nepali citizens. The plan was to then expand the identification card distribution to 15 districts first, then to another 25, and eventually across the country. But the Ministry of Home Affairs last month quietly scrapped the original plan and decided to expand the digital identity card distribution countrywide at once.

The decision came a month after the National Identity Card and Civil Registration bill was tabled in Parliament in January.

Technical efficiency to handle such a large volume of sensitive data aside, experts say the absence of the culture of respecting people’s privacy in Nepal could make things worse for Nepalis.

“Privacy is still an alien concept here, despite being guaranteed by the constitution, so there is a high possibility that the state could be reckless when dealing with such sensitive personal data of its citizens,” said Bipin Adhikari, dean at the Kathmandu University School of Law and an expert on constitutional law.

The government’s decision to move ahead with the identification card pilot programme in Panchthar and Singha Durbar without a security test—like guidelines for the government employees to access, and store such private data—has already set a dismal precedent regarding the handling of these sensitive data.

“We’ve not seen the government adequately address information security concerns in its past digital initiatives, so they need to do a complete information security check to ensure that such a massive volume of its citizens’ confidential data is stored and handled the right way,” said Ashim Mahara of Vairav Technology, a security research company in Nepal.

Experts also say Nepal needs to learn from the data breach in India’s Aadhar system— the world’s largest biometric database containing the personal information of more than one billion Indians, which gives Indians a unique identity number. They fear something similar could play out if Nepal isn’t prepared with a concrete plan to address security concerns.

“Moving to digital ID cards is inevitable, but what we need to be concerned about is where these biometric data are being stored, who has access to these private data and how long is the state going to retain them?” wondered Shubha Kayastha, co-founder of Body & Data which works in the intersection of gender, sexuality and digital technology in Nepal.

The current provisions in the bill demand not just biometric data, but also personal information about  an individual—from parents’ and grandparents’ names to the number of times they’ve moved around the country to their marriage history—which experts say is already an infringement of individuals’ right to privacy.

“What if the person doesn’t want to be identified by his/her past or family association? Shouldn’t there be room to consider issues like this?” questioned Bipin Adhikari.

There are several unclear provisions in the bill which could slow down the implementation process.

The current provisions in the bill say that the District Administration Office, which has the jurisdiction to issue citizenship, will not have the jurisdiction to issue these national IDs. The newly created department of national ID and civil registration instead has been given this authority. This had led to the creation of two parallel bodies distributing similar documents. However, the supervisory jurisdiction to take action—if there is foul play in the data collection for these cards—lies with the District Administration Office, and this could make it difficult to keep check and balance.

“Given the long experience of chief district officers handling such identification cards, the creation of a parallel body just for the national identity card could lead to unnecessary waste of human and financial resources,” said Jivesh Jha, who teaches legal philosophy at Kathmandu University School of Law.

Prem Kumar Rai, secretary at the Home Ministry, refused to talk to the Post about the recent decision to expand the distribution of these ID cards across the country at once. He said it was the role of the ministry spokesperson to comment on the matter, but the spokesperson, Ram Krishna Subedi, didn’t respond to the Post’s calls and requests for an interview.

Last month when lawmakers raised concerns about the security aspect and unclear provisions in the proposed bill, officials from the Home Ministry tried to reassure them. They talked about putting in place multiple passwords to secure software used to collect people’s data, assured how they would take steps to ensure national security isn’t compromised and also explained how only the printing process would be done abroad, while performing the crucial task of entering the data in the country.

Rekha Sharma, former minister and lawmaker from the ruling Nepal Communist Party (NCP), who was among the parliamentarians questioning the security aspect of the bill, said she isn’t yet convinced by the ministry’s explanation.

“I strongly feel we need to have more discussion on what measures, especially given our lack of expertise and experience in data security, will be used to ensure the confidentiality of our citizens’ data,” said Sharma.

The government has defended the bill saying this would pave the way for a centralised database of all Nepalis, which would help it on various fronts like curbing crime and terrorism. But given Nepal’s past experience and failure to properly store or invest in software to create a similar web-based central database of biometric information, experts and government officials alike are sceptical.

In 2008, the Election Commission started collecting voter information with photos and fingerprints in order to curb fraudulent voting. Over a period of several years they were able to distribute voter ID cards with photos and also gather massive biometric data about the voters. However, in the absence of a budget to build a secure data centre, those data are now crammed into the Election Commission’s servers. Financial crunch has also prevented them from creating a centralised web-based database, which was the original plan. And now the useability of the data is also under threat.

“We had to compress several of the biometric data because of limited storage infrastructure and this might have compromised the quality of the fingerprints which aren’t available in the original high resolution format anymore,” said Surya Prasad Aryal, an under-secretary at the Election Commission.

A cybersecurity expert who has worked with private and government entities’ data security and spoke to the Post on the condition of anonymity said the government’s lax attitude towards security of such sensitive data is extremely worrying.

“The government doesn’t have a runbook or guideline on how the data should be handled, stored and accessed securely by the authorities concerned,” said the expert. “I am now worried about the safety of my own data, which the state will have access to very soon.