Government eyes on internet monitoring

Earlier this month, the government passed the National Cyber Security Policy 2023 through a Cabinet meeting. This policy is expected to play a significant role in establishing a legal and structural foundation for cyber security in Nepal. Having provided initial suggestions on the Draft National Cyber Security Policy in 2021 and later submitting revised suggestions in April 2023, Digital Rights Nepal, a not-for-profit initiative dedicated to the protection and promotion of digital rights, has prepared the preliminary analysis of the approved National Cyber Security Policy 2023.

National internet gateway: Questions on intention and objectives

The National Cyber Security Policy now encompasses entirely new provisions that were absent in the draft policy and had not been previously deliberated with stakeholders. Strategy 11.25 of policy provides for establishment of a national internet gateway. Such a measure is largely implemented by autocratic regimes, aiming to exert comprehensive control over internet activities by channeling all incoming online traffic through government-controlled gateways.

When Cambodia attempted to implement such a national internet gateway, several international organizations such as Amnesty International, Human Rights Watch, and others raised strong objections.

It is a cause for concern that Nepal, a nation known for its strong dedication to upholding democratic principles and human rights, and presently a member of the United Nations Human Rights Council, has introduced the concept of a national internet gateway. The provision was not included in the initial draft, and its objectives and functions have not been openly disclosed. This could potentially have repercussions not only on Nepal’s global reputation, but also on its ability to attract foreign direct investment and international assistance.

By means of the national internet gateway, there exists a possibility for the government to monitor internet traffic, exercise control over online content, and implement measures of surveillance, control, and censorship. Given the escalating regulatory pressure to employ software such as TERAMOCS for accessing citizens’ personal information and data without a legal foundation recently, the establishment of the national internet gateway will enhance the government's capacity to monitor and control digital communications and this will provide a legal basis towards a controlled internet environment in Nepal.

Provisions relating to civil rights and fundamental rights

The initial policy draft had no reference to civil rights and fundamental rights. Following recommendations from stakeholders, the approved policy’s background now acknowledges the ‘universal principle of civil rights and the commitment to constitutional fundamental rights’ and ‘importance of collaborating with civil society and the private sector.’ However, the matter of safeguarding human rights and fundamental rights is still absent from the long-term plan, strategy and work plan.

Lack of policy implementation plan

The adopted policy lacks a concrete implementation strategy. There is ambiguity regarding the timeframe for its execution, the allocation of necessary resources, and the criteria used to prioritize its implementation. The absence of a clear timeline, along with uncertainties about required resources and methodologies, have led to concerns about its timely implementation.

Superficial analysis

The policy falls short in thoroughly identifying the underlying problems. While a superficial analysis has been conducted on the deficient internal and external coordination concerning cybersecurity, the causes behind this lack of internal and external coordination remain unexplored.

Prohibitive and control-oriented approach

Under the strategy of creating a safe online space with continuous surveillance for cyber security (10.8), this policy emphasizes on constant surveillance of citizen behavior in internet and cyberspace, and has taken a prohibitive and control-oriented approach rather than the regulation of the online space. Such an arrangement could potentially create a situation of unnecessary restrictions on freedom of expression.

Constriction on the role of regulatory authority

Both the National Cyber Security Center and the Department of Information Technology are assigned the regulatory role, as agencies responsible for cyber security. After establishing the National Cyber Security Center, as the dedicated regulatory body, it is not appropriate to increase the scope of the department in the area of cyber security regulation

Apathy toward latest development and challenges

The policy does not mention how to address the latest developments and challenges in the field of technology. There is no mention of cyber security challenges associated with, for instance, artificial intelligence and cloud computing.

Duplication of jurisdiction and potential conflicts

The policy has placed the digital forensic investigation work under the National Cyber Security Center. Digital forensic is related to regular criminal investigation and the Nepal Police has existing jurisdiction over it. However, the policy does not address the duplication of jurisdiction and potential conflict of jurisdiction between two different government entities.

Lack of coordination mechanism with regular agencies

Cyber security is directly related to national security, but the policy does not consider how cyber security agencies will coordinate with regular security agencies and what mechanisms will be required for such coordination and collaboration.

Lack of prevention aspect in cyber security process

In the cyber security process, it would be appropriate to include an action plan related to ‘prevention’ along with Preparedness, Protection, Detection, Response and Recovery (11.9). If an action plan related to ‘prevention’ was included, the policy would have encompassed a comprehensive range of actions, from proactive measures to enhance cyber security preparedness to post-incident recovery.

Positive aspects

Policy arrangements for cyber security promotion, digital literacy, ethical hacking, use of encryption and collaboration with the civil society and private sector are some of the positive aspects of the National Cyber Security Policy 2023. It would be important to observe how these policy proposals would be translated into laws and policies.

Policy needs reform

Based on the analysis above, Digital Rights Nepal calls for the reform in the National Cyber Security Policy 2023. We call on the government, parliament, members of parliament, political parties, civil society and mass media to take the initiative for making necessary amendments to the policy, especially to repeal the provision relating to national internet gateway and amend the other problematic provisions including those aimed at content regulation, to ensure individual’s freedom and human rights.