Following the arrest of Nitharz Sedhai, suspicions have increased that mobile numbers have been leaked from Nepal Telecom and service providers, and security weaknesses and regulatory weaknesses have also been exposed.
The incident where a single individual easily sent millions of SMS messages targeting a specific location has exposed the extent to which users' highly personal details are at risk in Nepal's telecommunications sector. Regulators and service providers have been reluctant to respond to repeated data breaches and abuses.
Nepal Police has arrested Sedhai in the incident in which more than 5 million SMSes were sent in the name of Nitish Sedhai asking people to 'come to the anti-federalism demonstration'. However, experts point out that the main culprit is not only the sender of the messages but also whoever supplied him with so many numbers, and that the investigation should focus there. According to Kathmandu Valley Crime Investigation Office spokesperson Superintendent of Police Kaji Kumar Acharya, the initial investigation has shown that of the 10 million SMSes sent by Sedhai, 5 million were 'delivered'. 'Seven million SMSes were sent through AT Alert and three million through SI Alert,' said spokesperson Acharya. 'Sedhai has claimed that he collected 50-60 lakh (5-6 million) mobile numbers himself over 10 years. That is not possible.' The police suspect that someone within Nepal Telecom may have been influenced into providing these numbers. According to the police's initial analysis, the incident has exposed weaknesses in Nepal Telecom's data security and the risk of 'insider threat'.
'There are indications that these SMSes were not sent randomly but in a planned manner targeting people within the valley,' said Superintendent of Police Acharya. 'Very few of these SMSes went to numbers outside the valley. This act has posed a serious security risk. If such a mechanism had been used to send provocative messages on issues of caste or religion, there would have been a risk of a major crisis in the country.' Although the police have arrested Sedhai and are investigating the crime against public peace, the incident is revealing the weaknesses of telecommunication service providers and SMS gateway providers.
Earlier, last Chaitra, a suspicious and harmful SMS targeting users of the digital wallet 'eSewa' was sent from Aakash Tech's sender ID 'AT Alert'. eSewa customers were told that 'unusual activity has been detected in your account' and asked to click on the link provided to resolve the problem. The scammers tried to steal money by accessing the accounts of customers who clicked the link. According to Aakash Tech, the scammers had at that time gained unauthorized access to government portals and sent SMS from IDs including 'AT Alert'.

Repeated data breaches
'After that incident, we have made the system even more stringent by filtering SMS with links and immediately blocking such suspicious things,' said the company's Koirala. 'Now, in the incident of Nitesh Sedhai, there was no link and it was only political content, so it could not be filtered. However, we immediately blocked him after we found out that he had sent SMS at night, contrary to our agreement. By then, about 5 million SMSes had been sent.'
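As an added illustration of the gateway-side controls Koirala describes (holding messages with links, an agreed sending window, and a volume cap applied before delivery rather than after), here is a small screening routine. It is not Aakash Tech's code; the sender ID, thresholds and sample messages are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Policy values are constructed for this illustration, not an actual provider's settings
SENDING_WINDOW = (time(8, 0), time(20, 0))  # assumed daytime-only window agreed with the client
HOURLY_CAP = 10_000                          # assumed per-sender-ID cap per clock hour
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)

def check_message(sender_id, submitted_at, text, hourly_counts, hourly_cap=HOURLY_CAP):
    """Return the list of reasons to hold one submission; an empty list means it may be delivered."""
    reasons = []
    if URL_RE.search(text):
        reasons.append("contains_link")           # links are held for review, as in the eSewa phishing case
    if not (SENDING_WINDOW[0] <= submitted_at.time() < SENDING_WINDOW[1]):
        reasons.append("outside_sending_window")  # night-time submission contrary to the agreement
    bucket = (sender_id, submitted_at.strftime("%Y-%m-%d %H"))
    hourly_counts[bucket] += 1
    if hourly_counts[bucket] > hourly_cap:
        reasons.append("hourly_cap_exceeded")     # volume control applied before delivery, not after
    return reasons

def screen_batch(batch, hourly_cap=HOURLY_CAP):
    """Screen (sender_id, datetime, text) submissions in order; returns one reasons list per message."""
    counts = defaultdict(int)
    return [check_message(s, ts, txt, counts, hourly_cap) for s, ts, txt in batch]

# Constructed sample submissions from a hypothetical bulk-SMS client
SAMPLE_BATCH = [
    ("DEMO-ALERT", datetime(2024, 4, 1, 10, 5), "Your appointment is confirmed for Monday."),
    ("DEMO-ALERT", datetime(2024, 4, 1, 10, 6), "Unusual activity detected, verify at http://example.invalid/login"),
    ("DEMO-ALERT", datetime(2024, 4, 1, 23, 40), "Come to the demonstration tomorrow."),
]

if __name__ == "__main__":
    for (sender, ts, text), reasons in zip(SAMPLE_BATCH, screen_batch(SAMPLE_BATCH)):
        print(sender, ts.isoformat(), reasons or "deliver", text[:40])
```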
The Nepal Telecommunication Authority, the regulator of the telecommunications sector, does not seem to be taking the incident seriously. Even after so many days of users raising their voices on social media about the misuse of their mobile numbers, the authority has said that it is still investigating the matter with both Nepal Telecom and Ncell service providers. Authority spokesperson Min Prasad Aryal said that efforts are being made to identify how the numbers were leaked.
'The authority has already issued instructions to all 51 value-added service providers to prevent the flow of such political content,' he said. 'The authority is working with Nepal Telecom to understand how the numbers were selected in bulk SMS or how the data was leaked, and more facts will be revealed after receiving a response from them.'
A few years ago, customer data collected by a food e-commerce platform and an internet service provider was hacked. The hackers stole the names, addresses, emails, phone numbers and other details of about 80,000 customers from the two companies and made some of the details public. Although this is said to have happened due to the companies' negligence, questions are still being raised because the Telecommunications Authority, as regulator, took no action beyond the formality of alerting them.
Senior advocate Satish Krishna Kharel, who is knowledgeable about cyber security, has termed the recent leak of such a large number of mobile numbers a 'data breach'. He pointed out that the leakage of details from public service providers and banks is a dangerous symptom. 'Some time ago, bank employees shared the details (name, number, email, address, etc.) of customers. I had received the information,' says Advocate Kharel. 'The incident of data breach is serious and the investigation should be on that. Now the police have arrested the person who sent the SMS. Who gave him the numbers should be investigated.'
How to regulate?
According to Kharel, if the content of the SMS itself is criminal, that is a separate matter, but prosecuting a case merely for sending a large number of SMSes is a mockery of the legal system. 'Our law does not say whether or not unsolicited messages may be sent,' he clarified. 'Prosecuting a case based on someone sending an SMS to a large number of people would be against freedom of expression. But the serious matter is the data breach. The service provider and regulator should take action against the responsible employees in this.' According to him, the fact that the Telecommunications Authority has not yet set concrete standards to prevent unsolicited or unwanted messages is also a major weakness.
Nepalese law defines a person's mobile number as highly sensitive personal information. Section 26 of the Personal Privacy Act, 2075 prohibits the use or disclosure of a person's personal information without their consent. Anyone who violates this provision can be imprisoned for up to three years or fined up to thirty thousand rupees.
Similarly, section 10 of the Advertisement (Regulation) Act, 2076 also makes it clear that no advertising message may be sent to a mobile phone via SMS without the consent of the person concerned; anyone who acts contrary to this can be fined up to one hundred thousand rupees. The Act allows government bodies to disseminate public-interest information, or to send advance notices or information in the event of a disaster, without the consent of the person concerned. The Telecommunication Authority's 'Cyber Security Regulations 2077' stipulate that customer data must be kept secure and must not be shared with anyone without permission. However, due to the lack of effective implementation, citizens' privacy has repeatedly been put at risk.

Experts note that the misuse of personal identification details is growing not only through SMS but also through adding users to email campaigns without their opting in or consenting, adding them to Viber/WhatsApp business group chats, and collecting highly personal information even where it is not necessary when providing government and other organizations' services. Mobile users sometimes receive unsolicited messages about services, goods and programs they have never subscribed to. Moreover, many people complain that during elections their personal mobile numbers receive phone calls, SMS and audio recordings in the names of various candidates. According to digital rights advocates, this happens because users' digital identity (electronic identity) and digital data are being leaked from somewhere and misused.

Ranju Darshana, who contested the House of Representatives election from Kathmandu-5 in the last general election, said that during the election her family members' mobile phones received SMS and audio content from various mobile numbers saying, 'I am such and such a candidate, please vote for me.' 'Others I know have also complained like this. How do such messages come from a place we have not subscribed to? Isn't our data being bought and sold?' she told Kantipur at the time. Such messages are sent not only in general elections but also in elections of professional organizations, including those of engineers, lawyers and journalists.
Advocate Kharel points out that regulation is challenging because there is no clear law on this issue. He suggests that the authority should formulate standards on 'unsolicited' or unwanted messages. 'You can say that you cannot send more than this at a time,' says Kharel. 'If I send you an SMS, we have no law under which you can challenge why it was sent without permission, based on the fact that it was sent. Just as platforms like WhatsApp have limited the number of messages that can be sent at a time, the authority should also set a limit for sending bulk SMS.' Just as banks set security standards for electronic transactions, Kharel suggests that the Telecommunications Authority should also set security standards to keep service providers' data safe and prevent information leakage. He points to the need for a clear legal framework that prohibits data breaches or information leakage by public service providers and allows prosecution for such acts. He said that if it is confirmed that information was leaked from within an organization (such as Nepal Telecom) with the collusion of employees, action should be taken against those employees.
