During my decade (2013-24) in Nepal, one of the many things I discovered about the country that shocked me to no end was the level and extent of incompetence and negligence of those in positions of power. Their demonstration of that would peak during or in the aftermath of calamitous events. The two most calamitous in the living memory of the citizens happened during the decade: the megaquakes of 2015 and the coronavirus pandemic. I tracked both the aftermath of the megaquakes and the pandemic and wrote a great deal about them.
The following, however, highlights the run-of-the-mill kind of incompetence and negligence—specifically, the State’s failure to safeguard personal data. While Nepali bureaucracy may have various reasons for avoiding the widespread use of technology to facilitate service delivery, bureaucracy being more about control than service is definitely one. Widespread application or use of technology would likely promote efficiency, effectiveness, accountability, and transparency, which, of course, is antithetical to the established system.
Institutions, systems, and structures in Nepal generally don’t view and treat the general population with sufficient respect; they demonstrate an insufficient value for the life of ordinary citizens, as evidenced by the way they are set up, their composition, and the manner they conduct themselves.
Data protection and personal privacy, for example, is not something they show much concern for. I am sure there are a number of reasons for this, and one may be that, with certain data under certain circumstances, they just might not have the means for that. Another may be a lack of knowledge and understanding about the need for protection. That is, they are simply incompetent.
I would venture to guess that many ordinary Nepalis would likely be unable to enumerate what someone might be able to do or what someone might be doing with their personal biodata. But, of course, that cannot be a justification for private and public companies disregarding data protection and ignoring the personal privacy of those whose information they collect.
Another mitigating factor may be that identity theft, while it does happen, is not such a widespread crime for it to register on the radars of ordinary citizens when it occurs or when it is reported on.
Still another reason may be that the Government of Nepal itself does not do much to protect the personal data and privacy of its citizens.
Case Study 1: The Flagrant Disregard of Voter Rolls
Back in March 2022, months before the November elections, I discovered that the Election Commission’s website had seriously infringed upon the privacy of citizens. Browsing through their voter rolls online, I discovered that all the personal details of the voters were available to anyone just browsing the list. I made a post about this on X (formerly Twitter) copying it to Bishal KC, someone with whom I had worked during the pandemic and who is considerably more knowledgeable about cyber security. For any constituency you pick, the page displayed the name, registration number, age, gender, name of spouse, and names of parents of every single voter.
In September, I discovered that nothing had changed about that. So, I took more screenshots and shared them under Election Commission’s post about where one could check one’s voter registration status.
Fast forward to November 2025, three-and-a-half years later, and what do I find? The same thing. The voter rolls continue to infringe on the privacy of the citizens, and this time too, I shared that fact under the same old Election Commission’s post (see image below)!
Case Study 2: Insecure Health and ID Registration Systems
Sadly, this is not unusual. If government sites don’t share private information, they are often insecure. During the coronavirus pandemic, the vaccination drive was preceded by an online registration process. I noticed that the site was insecure and so waited until it was secured before registering in October 2021.
The site was so insecure that, after drawing the attention of Bishal KC again, he was able to scrape personal information about someone who had registered.
In fact, it turned out that the Covid-19 Crisis Management Centre’s (CCMC) website had been so insecure that, as Nepali Times reported, anyone could have scraped information about fellow Nepalis who had submitted personal information. Incidentally, apart from being insecure, the site had not been crashproof either, reportedly crashing according to the Kathmandu Post.
In December of 2021, just a couple of months since finally registering for the vaccine–because the site had finally been secured–there was something else I needed to register online for: National ID. Visiting the site to do so, I discovered, again, that the site was not secure.
One of the things Bishal responded with was to say, “I will make a quick visual platform where we all can see the state of secure web presence in our government websites and updates regularly.”
Not long after, he shared his results. Only about 12% of the Government of Nepal’s websites are secure (see images below).
That was almost four years ago. Given what I discovered about voter roll data, what are the chances that the Election Commission’s website with voter registration data is the only one that so flagrantly disregards the privacy of the voters and makes their personal information available to the public? What numbers are we talking about here? As of Nov. 21, 2025, over 12.5 million voters’ personal details are available for anyone interested in them. This figure is based on the available data, though reliability is a concern: for instance, the rate of registration in Lumbini appears irregular, and data for Sudurpaschim is unavailable on the Election Commission website.
What are the chances that the Government of Nepal has tightened the security of all of their websites since then? (I am looking into the security of their sites and will publish a follow-up blog post soon.)
What are the chances that political parties in Nepal have been abusing the voter roll information in some way to give their own party and/or candidates a leg up in the elections? I don’t consider myself to be politically savvy and yet even I can think of ways candidates and/or political parties could abuse that.
In my last blog post, The Price of “Nepali Time”: How Disrespect for Time Reveals Disregard for Life, I opined how Nepal keeps moving time instead of moving with time and consequently how the country has been falling behind throughout history. The level and extent to which the State itself infringes on the privacy of the citizens and so blatantly disregards the security of citizen’s personal information not only shows the level of ignorance and incompetence of those steering the country in the twenty-first century, the century of data, it also shows how much the country is lagging behind.
This negligence isn’t just an embarrassment; it is a direct threat to the financial and personal security of every citizen. But when control and power are mostly what you care about, such fundamental rights cease to matter.
What do you think?
PS. I got help from Google’s AI Gemini composing this blog post.
Additional Reading
- Bishal KC (Nov 21, 2025). A Unified Digital Identity for a New Nepal. ‘Cybercrime has increased eightfold in the past five years , and in the Kathmandu Valley alone, online fraud has amounted to over Rs 378.5 million since July 2024.’ Farther down, KC says, ‘Nepal “currently lacks a comprehensive Personal Data Protection Act”. We are collecting sensitive citizen information without a legal framework to govern its use.’
- Click here for a recent (Nov. 25, 2025) discovery by Bishal KC.
