With no standalone data protection law in place, Nepal’s digital transformation effort faces growing concerns over privacy, sovereignty, and cybersecurity risks
KATHMANDU: On March 15, Balendra Shah (Balen) publicly shared a Gmail address, ‘balenforpmnepal,’ even before his appointment as Prime Minister. The same email is currently listed on his official Facebook page.
After assuming office on March 27, Shah held consultations with provincial assembly members on April 1 and subsequently directed the formation of separate WhatsApp groups for each province to streamline communication.
These actions raise serious concerns about his commitment to data security, despite his pledge to build a “Digital Nepal.” Communications sent to the Prime Minister’s email or exchanged via messaging platforms with lawmakers may involve sensitive, nationally significant information. Using Gmail for such exchanges effectively places that data within the infrastructure of Google’s parent company, Alphabet, while WhatsApp communications fall under Meta’s ecosystem, raising questions about external access and control.
Digital platforms have been central to Shah’s political rise, from his election as mayor of Kathmandu Metropolitan City to his elevation as prime minister. According to his publicly declared assets, he holds Rs 14.6 million in his bank account, earned largely through online platforms such as YouTube and Facebook.
If a digitally savvy prime minister demonstrates such laxity on a matter as critical as data security, it raises broader concerns about the practices of other ministers, civil servants, and diplomats.
A broader review suggests this is not an isolated issue. Many government officials continue to rely on unsecured, commercial email services. For example, official communication with Bikash Devkota, secretary at the Ministry of Health and Population, is directed to a publicly listed Gmail address on the ministry’s website.
Similarly, Biswa Babu Pudasaini, Secretary at the Ministry of Water Supply, uses a Yahoo account, while Ramakant Duwadi and Mukunda Sharma rely on Gmail for official correspondence.
The pattern extends across ministries. Indira Thapa at the Ministry of Urban Development, Mahesh Bahadur Singh, Maheshwar Dhakal, and Sumana Aryal all use Gmail for official communication.

PM Shah discussing with members of the HoR representing the Sudurpaschim Province on March 31. Photo courtesy: PM’s Secretariat
In the judiciary, one of the three email addresses used by Acting Chief Justice Sapana Pradhan Malla is Gmail, as is one of two used by Justice Kumar Regmi. Publicly listing and using such accounts for official purposes risks exposing sensitive information directly to external service providers.
The same practices are evident in Nepal’s diplomatic missions. Officials including Dipak Ghimire and Ambika Joshi at the Nepali Embassy in India, as well as Ambassador Shiva Maya Tumbahangphe and Deputy Chief of Mission Nirmal Prasad Bhattarai in South Korea, rely on Gmail for communication.
At the provincial level, the issue persists. Even the official email system of the Koshi Province Secretariat operates through Gmail. These examples illustrate a widespread dependence on commercial platforms across all tiers of government, from federal to local levels, with significant implications for data security and sovereignty.
Gmail is an email service operated by Google, so information or data exchanged over Gmail reaches Google’s servers. Similarly, WhatsApp belongs to Meta. In other words, that information is not under our control; it resides on the servers of Google and Meta, and there remains a possibility of it being misused.
In the experience of IT expert Rajib Subba, most diplomats also communicate via WhatsApp. He says, “I keep cautioning diplomatic staff that communicating through it puts our data into others’ hands, but no significant improvement is seen.” Since ambassadors possess information on important national matters, intelligence agencies have a great interest in them.
In 2021, a massive digital espionage scandal came to light. A report published in The Guardian said that details of more than 50,000 individuals were monitored through Pegasus, spyware created by the Israeli company NSO Group. Although NSO Group claimed the software was built for use against terrorists and criminals, investigations revealed that journalists, human rights activists, and opposition leaders were being monitored.

PM Balen Shah meets with Bagmati Province MPs. Photo courtesy: Prime Minister’s Secretariat
At that time, news reports said that the numbers of diplomats related to Nepal were also under surveillance. The Indian newspaper ‘The Hindu’ reported that the number of the then Nepali ambassador to India, Nilambar Acharya, was on the list. In Nepal, however, there was neither a debate on the matter nor any interest shown by the government.
Pegasus is so dangerous that it can get onto a phone just through answering a WhatsApp call or clicking a link, sometimes without the user even knowing. Once on the phone, it gains access to messages, emails, photos, passwords, the camera, microphone, location, and call records. After that, a person’s own mobile phone could be acting as a spy without their knowledge. In most cases, WhatsApp is easily hacked.
In 2019, after it was found that NSO Group, the company that makes Pegasus, had used cyber tools to hack 1,400 WhatsApp accounts, a US federal court ordered NSO Group to pay USD 170 million in compensation to Meta.
In Nepal as well, WhatsApp accounts, Gmails, and websites of government offices, large companies, and high-level individuals have been hacked. The priority of hackers lies in data theft. IT expert Subba says, “In today’s time, whoever holds digital power holds the sovereignty of the country. However, the government of Nepal has not paid attention to this aspect yet.”
The dream of digital Nepal
Recently, on April 5, the government decided to take a loan totaling USD 90 million, which is approximately Rs 13 billion, with USD 40 million from the Asian Development Bank and USD 50 million from the World Bank for the ‘Digital Nepal Transformation’ project.
However, the prime minister and the government agencies involved in the campaign to build a digital Nepal with such a large foreign loan are still not aware of data security. IT expert Subba suggests that they might even be using Gmail and WhatsApp, rather than email hosted on servers in the country, to deliberately hide their data.

A photo collage of Gmail accounts of government officials
It would have been safer for Prime Minister Balen, ministry employees, and diplomats to use email addresses on the ‘.gov.np’ domain, which are hosted on servers in Nepal, instead of Gmail. Many ministries and government offices do use the ‘.gov.np’ domain. Its server and backup are located at the Integrated Data Management Center under the Ministry of Communication and Information Technology.
For the sake of data security, foreign apps like WhatsApp do not work in China. Instead, China built its own WhatsApp-like messaging app, called WeChat. Government agencies and citizens there use WeChat because its data server is in China.
According to experts in the IT sector, if the government wants, a chat system residing on our own servers can be operated in Nepal as well. IT expert Subba says, “A ‘Nepal Chat’ can be operated within our own ‘Nagarik app.’ If that is done, the data remains secure.”
Furthermore, while digital systems are developing in Nepal, citizens lack digital literacy. Because awareness is lacking not only among common citizens but also from government employees up to the Prime Minister, there is a risk of Nepalis’ data falling into others’ hands at any time.
Recently, complaints regarding data theft, email misuse, and hacking have been increasing at the Cyber Bureau of the Nepal Police. According to the Bureau’s statistics, two complaints related to data theft were registered in the fiscal year 2022/23. Similarly, three complaints were registered in 2023/24 and six complaints in 2024/25.
According to the Bureau’s spokesperson, Superintendent of Police Dipak Raj Awasthi, incidents such as personal, institutional, and government data hacking, theft, and misuse of email accounts have started to increase.
A void of legislation and literacy
The Integrated Data Management Center under the Ministry of Communication and Information Technology has identified four major cyber security challenges in Nepal. According to details the center has published on its website, lack of awareness is a major cyber security challenge. Since a large portion of the population lacks awareness of cyber security, they are at risk of cyber attacks.
Similarly, many institutions in Nepal still rely on old IT infrastructure. That also increases the risk of cyber attacks. Furthermore, there are only a small number of cyber security experts in Nepal, and cyber security laws are also not sufficient.
According to experts, when starting the campaign to build a ‘Digital Nepal,’ it is necessary to first conduct digital literacy programs for the general public. Computer scientist Dobhan Rai says it is necessary to make arrangements in the school-level curriculum to provide knowledge about cyber security to citizens. She says, “In today’s time, digital awareness is necessary for all citizens. The government must pay attention to that.”

IT expert Subba says digital education is also necessary for government employees and political leadership. He suggests that all systems in government offices must be replaced with new ones. “To do all these things, first of all, a separate law for data protection is needed,” he says.
Since the United States enacted the CLOUD Act in 2018, the danger has increased further for countries that do not have separate laws regarding data protection. This is because the law has a provision under which the US government can obtain the data of citizens of any country when that data resides on servers in the United States.
In Nepal, a comprehensive legal framework for data protection remains absent. Existing laws, including the Right to Information Act, 2007, the National Statistics Act, 2022, and the Information Technology Directive (2012/13) issued by Nepal Rastra Bank, contain limited provisions related to data security. The Privacy Act, 2018, also addresses aspects of information protection and secure usage. However, these fragmented measures fall short of ensuring robust, system-wide data security.
The government adopted a Cyber Security Policy in 2023, outlining goals such as establishing legal and institutional mechanisms for a secure cyberspace, safeguarding critical national infrastructure, reducing cyber risks, and strengthening research and workforce capacity in cybersecurity. Despite these commitments, no corresponding legislation has been enacted to operationalize the policy.
In addition, the e-Governance Board introduced the Personal Data Protection Policy, 2025, which explicitly acknowledges the need for a dedicated legal framework. Baburam Aryal, a long-time advocate for data protection legislation, argues that existing laws and policies are insufficient. “Even if the government envisions a Digital Nepal, it cannot be realized without a standalone law. That must come first,” he says.
With the government already committing to significant foreign borrowing for its Digital Nepal initiative, IT expert Subba remains cautiously optimistic that legal reform will follow. “There are high expectations from the government,” he says, emphasizing the need to establish both a dedicated governing body and a comprehensive law to move forward.