Nepal: Revise cybersecurity policy to avoid further internet fragmentation

Nepal: Revise cybersecurity policy to avoid further internet fragmentation - Digital

Written by Michael Caster, Asia Digital Programme Manager at ARTICLE 19.


Earlier this month, Nepal’s cabinet approved a new National Cyber Security Policy, which is so far only available in Nepali. While an earlier draft version in 2021 had been shared for limited public consultation, the recently-approved policy introduces new provisions that raise serious concern for internet freedom.

Digital Rights Nepal, a Kathmandu-based nonprofit focused on promoting freedom of expression and good internet governance, has pointed out that, despite earlier recommendations, the new policy remains vague in critical areas and fails to acknowledge the protection of human rights and fundamental freedoms.

Among its particularly concerning provisions, the one denoted ‘Strategy 11.25’ proposes a government-owned intranet and the establishment of a national internet gateway. While the current policy offers no further definitions, if Nepal’s national internet gateway is modeled on others in the region it would mean centralising control of all internet traffic in and out of the country through a government-appointed operator, potentially supercharging surveillance and censorship capabilities while leaving open very serious questions about data privacy and protection, and the risk of criminal penalties for telecommunication companies.

Gateways of repression

While the details of the National Cyber Strategy Policy are far from hashed out, what we have seen in other countries in South Asia that have or have attempted to impose similar measures is worrisome.

The awesome censorship capabilities of China’s Great Firewall are well established. While two decades ago it initially relied on custom-built support from American tech giant Cisco, China’s sophisticated domestic infrastructure industry now widely exports tools and policy inspiration for advanced network censorship and surveillance.

In recent years, Cambodia has sought to emulate China’s level of control of the internet through the imposition of its own National Internet Gateway (NIG).

Cambodia’s NIG seeks to centralise the flow of all network traffic in Cambodia, empower government-appointed operators to block or disconnect connections, retain traffic data, and issue penalties for non-compliant telecommunications providers. The Sub-Decree behind the NIG has been in force since February 2021, but the implementation of the NIG appears to have been stalled for the time being due to a lack of infrastructure and administrative capacity.

Cambodia’s Ministry of Foreign Affairs has defended this move toward internet fragmentation, claiming that it conducted an ‘extensive study on infrastructure models from different countries around the world and found that most countries have internet gateways and respective regulations’. Meanwhile, no Cambodian official has provided any clarity on precisely which countries’ internet infrastructure models it studied. One can speculate the Ministry only looked to China and other digital authoritarian models.

Some in Nepal have privately speculated that ideas from China and Cambodia are the inspiration behind the new proposal there.

Others in the region have also flirted with similar ideas over the last decade. Thailand has twice tossed out the idea of a Single Internet Gateway, in 2015 and 2022. In the most recent case, following a rise in pro-democracy demonstrations and arbitrary reprisals for expression online, Thailand’s Minister of Digital Economy and Society claimed that such a gateway would aid in the protection of national security, and pointed to Cambodia as an example.

Although such measures are often masked in the language of national or cybersecurity, it is often nothing more than a tactic for totalising control over the internet by authorities who will not tolerate freedom of expression or access to information.

Fragmenting Nepal

This is not the first time that civil society in Nepal has raised serious digital rights concerns. Also this month, the Nepal Telecommunication Authority (NTA) instructed Nepal Telecom and Ncell to implement the Telecommunication Traffic Monitoring and Front Control System (TERAMOCS), which has been criticised for empowering authorities with disproportionate surveillance capabilities. And, last year the government was accused of purchasing Pegasus spyware for the Nepal Army.

But a national internet gateway would not only affect the internet freedom of the people of Nepal. It would also risk arbitrarily restricting the free flow of information between Nepal and the rest of the world, furthering internet fragmentation.

Digital Rights Nepal, Freedom Forum Nepal, and other civil society activists have stressed that the government did not conduct effective public consultation on the most recent version of its Cyber Security Policy, nor did it appear to adequately integrate civil society recommendations from previous versions.

Developing the actual technical infrastructure needed for a gateway is a herculean task, as is proving to be a hurdle in Cambodia, and will likely require outside custom-built support. This could mean from Chinese firms Huawei or ZTE, which already play a major role in Nepal’s digital infrastructure.

The lack of transparency at the policy design and approval phase does not inspire hope for future transparency toward any such public-private partnerships or agreements with other countries or companies who may be contacted to support the technical development and deployment. Without public consultation or procurement transparency, for example, there is little possibility of an effective human rights impact assessment.

As a party to the International Covenant on Civil and Political Rights, Nepal has an obligation to protect the right to privacy and freedom of expression.

The independent experts of the Human Rights Council, addressing Cambodia’s Sub-decree on the establishment of a National Internet Gateway in 2021, highlighted that such measures ‘pose risks to the fundamental freedoms of individuals, namely the freedoms of expression and opinion and the right to privacy and may expose individuals’ personal information without their consent, which would contravene international human rights instruments’.

Internet service providers and other technology and telecommunications companies, business associations, foreign governments, and UN agencies should impress upon Nepal the importance of maintaining a free, open, and interoperable internet and oppose such measures, which would only accelerate internet fragmentation. At present, the plan for a national internet gateway is little more than a sentence in a larger cyber policy, and that is where it should end.

This article also appears on Tech Policy Press.


For more information

Michael Caster, Asia Digital Programme Manager [email protected]