Thursday, March 22, 2007

Cyber Law - The Electronic Transaction Act 2063 (2006)

The Internet has opened up many opportunities for the world. It has given tremendous market access, so that anyone from any corner of the world can offer their products and services to any part of the world. A farmer with Internet access in Mustang can sell apples to a dealer in Manhattan. A job opportunity available in Malaysia can be applied for from Bhojpur. Businesses and individuals can submit their income tax to the Inland Revenue Department (IRD) from their home computers. A young entrepreneur can register a new company through the Small and Cottage Industries Department without any harassment by unwanted brokers. A software freelancer in Pokhara can work for a buyer in Australia. Countless other possibilities are open to anybody through the Internet. But Nepal is still far behind in all these opportunities. A lot of initiatives have been taken in this area, but many things are still to be implemented. A lot of measures are still to be taken to ensure authenticity and confidence in online transactions.

Nepal has moved a step further in information and communication technology (ICT), as the government has promulgated the Electronic Transaction Act-2063 and Regulations, legalizing all electronic transactions and digital signatures. Please click here to see my presentation on understanding digital signatures. I made a technical presentation at the sensitization workshop on Cyber Law organized by the National Information Technology Center and the Ministry of Environment, Science and Technology on March 15, 2007. For other issues, you can visit my site www.rajeshshakya.com

The House of Representatives (HoR) of the Government of Nepal approved the Electronic Transaction Act-2063 on December 4, 2006, and the Ministry of Environment, Science and Technology (MoEST) formulated the Regulations. The new legislation has not only legalized all forms of electronic transactions and digital signatures but has also clearly spelled out ways to regulate various computer-based activities and punish cyber crimes. It sets forth the legal framework and the administrative and application mechanisms for electronic transactions and digital signatures. Besides the legal validity of electronic records and digital signatures, the new Act makes provision for a Comptroller of Certification Authority (CCA). The Act is divided into 12 sections and 80 clauses, with detailed information on the roles and rights of the regulator, certification authority, customer, government and all the concerned stakeholders. It has also envisaged a separate judicial body, the IT Tribunal and Appellate Tribunal, to look into all cases related to computer and cyber crimes. The 3-member tribunal will be headed by a district court judge or a legal officer of equivalent status. The tribunal will be responsible for preliminary cases, while the appellate tribunal will look into major cases.

Computer and cyber crimes such as hacking, piracy, copyright violation, fraud and all other deceitful activities have been clearly defined, and punishments are set accordingly. The punishment for such crimes will range from a minimum of Rs 50,000 to a maximum of Rs 3,00,000 in cash and from six months to three years of imprisonment.

Electronic transactions and digital signatures are valid not only for the private sector but also for government agencies. The Act allows government offices to use the electronic medium for tender notices, vacancy announcements and other purposes. It also validates public procurement and the acceptance of electronic applications. This legislation would be beneficial to the business community, but there is a need for better infrastructure, such as telephone, Internet connectivity and electricity, to get a better yield from the application of ICT tools.

The new law would facilitate business processes, and transactions would be made simpler, easier, swifter and more cost effective. The bottom line is business facilitation. I would like to ask the concerned authority to bring the provisions set by the legislation into application at the earliest possible time in order to get the benefit.

The Electronic Transaction Act was drafted about 6 years back, and it was endorsed as an Ordinance in 2005 as well. There is literally no change in the current Act. In many forums, I have raised my view that such Acts should not be technology dependent, especially Acts that are brought out for regulating technology. The current Electronic Transaction Act is limited to asymmetric cryptography with key pairs for digital authentication, whereas there are already several other promising authentication technologies and algorithms that are popular and established in the world. The key pair concept is not wrong, but the Act should have opened up scope for possible future developments as well. I hope the concerned authorities will take this into consideration and widen the scope for the use of authentication technology through an amendment to the regulations or to the Act itself. It will help in using different authentication and security measures as required by different applications and situations.

The Office of the Comptroller of Certification Authority is already established, but the Comptroller is still to be recruited and the PKI infrastructure is still to be set up. Authentication is the essential requirement for any kind of online transaction. In the absence of such an authority, citizens do not have confidence in doing online transactions, whether document or financial transactions.

On the very first day of an online business launch, one may encounter a big cyber attack on data, and another may face non-repudiation problems on product or service delivery. I can only expect timely seriousness from the concerned authority in establishing the IT Tribunal and Appellate Tribunal to look into all cases related to computer and cyber crimes.

Many Acts have remained without action. Government agencies, government employees, the business community and private employees, non-government professional organizations and all citizens should be aware of the law so that they can explore the opportunities arising from it and also behave as guided in the regulations. We have no such trend of making the stakeholders aware of the scope of a law, its benefits, its limitations and future enhancements. Who is really responsible for this?

The online payment method is another BIG issue. We don't have any Act, law, regulations or government directives that allow legal online financial transactions to be conducted. I cannot imagine reaping the full benefit of Internet technology without online payment possibilities. The Electronic Transaction Act without a single word on online payment is only half done. Is any government agency working on formulating online financial transactions in Nepal? Again, which agency is responsible for doing this? The Ministry of Finance? Nepal Rastra Bank? A coalition of private banks? The Ministry of Environment, Science and Technology? The High Level Commission for Information Technology (HLCIT)? Or the National Information Technology Center (NITC)?

The sooner the implementation, with proper manpower and proper understanding, the better the results will be.

Tuesday, March 20, 2007

National Identification (NID) Card

Can you imagine how many times you may need to produce your personal profile during your life? How many times do you get frustrated when your credentials are not correct? Just imagine, your personal and family information is important from the day you are born: birth certificate, school admission application, citizenship certificate, college admission form. Similar information is required for starting your business, getting a driving license for riding your first motorbike, acquiring and transferring properties, registering your marriage, migrating from district to district, casting a vote for your favorite leader, getting a passport for traveling abroad, applying for a job, and in so many other events and situations in which you will have to disclose your personal identification. So your personal information is scattered everywhere. Besides that, each of the agencies that deal with you in such situations has to process, store and retain your information separately, which is definitely a waste of resources, time and money. On top of that, you cannot expect consistency in the information on the same person across agencies. When we are planning for e-governance implementation in Nepal, it is high time to think about an appropriate solution for this. Many countries in our region and many countries in the world have come up with a card-based identity solution. Why don't we go for a similar option?

Modern ID cards bear little resemblance to the traditional "photograph on a piece of cardboard" and are often hi-tech smart cards capable of being swiped and read by computer. An ID card is an identity document in the form of a small standard-sized card (most of the banks in urban areas issue debit and credit cards with similar card technology). Unlike other forms of documentation, which only have a single purpose such as authorizing bank transfers or proving membership of a library, an ID card should assert the bearer's identity. The ID card, which may be issued by the government, should assert a unique single civil identity for a person, thus defining that person's identity purely in relation to the country. New technologies allow ID cards to contain biometric information, such as photographs, face, hand or iris measurements, or fingerprints, and other supporting data, including full name, parents' names, address, profession, nationality, medical information like blood type and Rhesus factor (Rh factor), and much other information. In addition to that, it may include transactional information like driving license information, property ownership information, passport information, etc.

It is obvious that the primary data requirement for effective e-governance is the citizen database, and the means of identifying a citizen may be the National ID (NID) card. It should be a multipurpose, secure and authentic ID card. The Nepal government should be able to provide such a card to citizens on a cost-effective basis, maybe for free. Hence there is a need to select the right technology for the preparation of the card, and the online issue of the card also needs to be determined. This challenge must be taken up by a consortium of public and private industries and academic institutions with the Government. I would suggest introducing a single multipurpose National ID (NID) card containing all personal and family information, the photo and fingerprint of the person, and other transactional information for different purposes.

The NID would be a useful administrative tool that will increase government efficiency and cut down on crime. If the government doesn't issue ID cards, private companies will require equivalent documents, such as a driver's license, which are not properly suited for identity purposes. Crimes such as identity theft would be drastically reduced, and are indeed unknown in countries where ID cards are required to open a bank account. To make the NID work, it should be a citizen-driven movement. It is a political issue. Cards for everything from passport and visa, voter ID, driver's license, vehicle registration, weapon permit, health care and welfare to secured services should come under the umbrella of the NID. From 2010 you need an electronic machine-readable passport to travel abroad, according to the International Civil Aviation Organization (ICAO) requirements. Some countries already use biometric passports.

Electronic cards are used increasingly by various governments, and millions of passports are in electronic format. Smart-card-based IDs seem to be part of life in those countries. E-passports mean automated entry and exit at airports, all the while enhancing two mutually exclusive elements: security and management of passenger flows. Besides Singapore, Japan, Korea, the USA and the UK, there are several developing countries that are expanding their use of smart cards as well. Take the examples of the multipurpose card (myKad) in Malaysia, vehicle registration and driver's licenses in El Salvador, ID cards in Oman, health care cards in Slovenia and vehicle registration in India. Including government security in the US and UK, there is a whole range of areas where smart card usage is applicable and beneficial.

During my interactions with different agencies while preparing the investment plan for e-governance, I found greater enthusiasm for putting driving licenses, vehicle registration, citizenship certificates, passports, etc., on the card. If a national broadband network can be started and made available in cities and to the last village, east to west, from the Himalayan region to the plain Terai, a number of e-services can be delivered, which would provide a government-citizen interface of tremendous value. The National ID card is the foundation of trust for e-governance. A large number of services can be listed, which could make all the difference in creating an efficient government-citizen integration.

The scale and range of the National ID card business is so vast that a multi-stakeholder partnership (maybe a Public Private Partnership) is the only perceived way it could be successfully implemented for all the citizens of Nepal. For all these services, however, the cards need to be secure against fraud and tampering. It should be a strong identification, with no threat to customer privacy, providing a better service to the clients, and an easy-to-deploy system. Visit www.rajeshshakya.com for other details.