CCMC’s serious infringement of citizen privacy

Supreme Court Judge Sapna Pradhan Malla was coming home from New Delhi on Wednesday afternoon but the details of her flight were publicly available even before she landed at the Kathmandu airport. 

In fact, her birth date, mobile number, passport number, health details, address, husband's name and his mobile number were all available online. 

Before flying from Delhi to Kathmandu, Malla had filled in the details related to the flight and other personal information in the form available on www.ccmc.gov.np, which the Covid-19 Crisis Management Centre (CCMC) had made mandatory for all the passengers flying in and out of the country following the reopening post-coronavirus lockdown. 

But it is evident that the centre has paid no heed to protect user privacy or keep the personal details confidential. 

The form with full details in the PDF format is available for anyone to download easily as Nepali Times/HimalKhabar was able to do, that of Malla, during an investigation following a lead that the CCMC website has been irresponsible in maintaining confidential details. 

After filling in the form at www.ccmc.gov.np, the system will provide passengers with an ID number in the PDF file. The number assigned to each individual is actually the person's identity on the CCMC website, which lasts in the site's 'address bar'. 

Another person's PDF file can be found by changing the same number in the 'Address Bar'. To explain all this process, watch this short video we prepared by filling a similar form.

On Wednesday afternoon, Nepali Times/Himal Khabar created a similar file in its name by filling all the details, posing as a passenger on the Nepal Airlines Doha-Kathmandu flight RA 240. We were assigned the ID number 295916.

Now that the PDF file containing the personal details of Nepali Times/Himal Khabar has been created, with the same ID number still mentioned in the address bar, the details of the person who filled the form before and after us could be easily found. The details of Malla was similarly found.

We then tried changing the last three digits of our ID number and we found Ajay Nepali's file. He was coming to Kathmandu on Friday on a Himalayan Airlines flight from Kuala Lumpur International Airport. The file contained more of his additional details, which we have not disclosed here.

Similarly, we out found Prem Prakash Neupane of Damak, Jhapa is coming to Kathmandu from Doha, Qatar on Thursday. All his details including his reason for coming back and contact numbers of his relatives were all available. In the case of a woman, whether she is pregnant or not and if she is pregnant, how far along she is, are all public.

We were unable to contact Malla but another passenger who had recently come to Nepal from London expressed his indignation at the government machinery. 

"It could be that the government employees do not know that our personal details should be kept confidential, but it only goes on to show how incompetent they are,” he said. “If this had happened abroad, the developers of the website and the CCMC staff would be been immediately prosecuted."

Advocate Baburam Aryal blames the CCMA’s negligence and carelessness for the predicament. “The issue of how the CCMC collects the data and how long it can be kept is controversial in itself. It is only because of the pandemic and possible emergency use we are letting it be. But if confidential information are placed under such weak security, it is gross negligence, a technical and legal failure.”

Aryal pointed out the need to investigate the case. “A lot of money was spent on this website but if even people without technical knowhow can access personal information easily, what’s the point of choosing such an incompetent developers? Anyone who feels their privacy has been violated could go to court and seek action.”

Nepal's constitution protects the right to privacy as a fundamental right. Article 28 stipulates, "The confidentiality of any person's life, residence, property, written documents, facts, correspondence and character matters shall be inviolable except in accordance with the law." An Act on Personal Privacy was enacted a little over a year ago to implement this provision of the constitution.

The act also ensures the confidentiality of written documents in addition to personal details. Section 11 (subsection 2-c) of the Act considers citizenship certificate, passport among other documents as confidential. A provision in the same article states that no one should make such details public.

Why has the CCMC so carelessly ignored the issue of personal privacy despite the constitutional guarantee to protect it? We asked Major Saugat Singh Rathore of the Nepal Army, assigned 'Media and Information Technology' cell at the centre. “My main responsibility is to monitor the media. Please let our IT department know how it happened. I can't comment,” he said.

When we contacted the Information Technology Department of the Centre, we were suggested to speak with the Member Secretary Khagraj Baral, who then told us that he was unaware of such a loophole.

"Once the concerned person fills out the form and submits it, no one else should be able to see it. I’ll see how this has happened and work to improve on it,” he said. "I have just been transferred. I also need to understand this myself."

In Nepal, citizenship, passports and mobile numbers are the primary sources of identification and are required in property ownership documents, when registering a company, and while opening a bank account and trading shares. In recent times, email addresses have been used to reveal personal details. 

"Even authorities don’t seem concerned about keeping personal details confidential despite examples of how these information have been used to trap innocent individuals in criminal activities," says Aryal. “Citizenship is our primary legal document, one can easily misuse it. Not to mention, it can easily endanger safety of people.”

While there are best international practices to follow, they have not been followed mandatorily in Nepal. The Department of IT had sent out a circulation saying that websites need to be audited but this also has not been followed strictly. 

"It is good that the government is doing it, and the intention is good. But do they have the length and breadth to keep the information secure?" questions IT researcher, Hempal Shrestha. "The scale by which we are going digital is huge, but the capacity to control and secure is small."

In general, what is seen [in case of government websites] is that the data gathering part is abundant, then after it is gathered it is dumped, after that it can go anywhere. There is no system to monitor who has access to the data or how it is used.

(With additional reporting from Sahina Shrestha)