
Don't scan government documents on your phone, Kathmandu tells officials, here's why

By Sandeep Sen

KATHMANDU, JULY 2 - The Office of the Prime Minister and Council of Ministers has told all government offices across Nepal to stop using mobile phone applications to scan official documents, warning that the practice poses serious risks to the security and confidentiality of state records.

The circular, issued Wednesday and signed by computer engineer Bodhraj Baral at the Prime Minister's Office, applies to federal, provincial and local government offices and directs them to use only secure and authorised methods when digitising official documents. It states that ensuring the confidentiality, integrity and security of official information is the responsibility of every government office and employee.

The concern is straightforward. Most free scanning apps, widely used on smartphones across Nepal and available on both Android and iOS app stores, are designed to automatically send scanned images to servers owned by the app developer, which are often located abroad. Once a document leaves the phone, the Nepal government has no control over who can access it, how long it is stored or whether it is adequately protected. Cabinet meeting minutes, classified correspondence, strategic policy documents and citizens' personal records are among the categories of information that could be exposed in this way.

Many of these apps also use technology that reads and converts the text in a scanned document into searchable data, a process that is frequently carried out on external servers rather than on the phone itself. This means the contents of a sensitive government file could be read, processed and cached by a foreign company's systems without the official who scanned it ever being aware.

Beyond that, many free scanning apps request permissions from users that go well beyond what scanning actually requires, including access to precise GPS location, contact lists and sometimes even the microphone. For a government official working inside a ministry or security facility, granting GPS access to an unverified app means that app could potentially track their location within sensitive premises. Access to local storage could expose other files on the same device. Free apps also frequently retain the right to store user data indefinitely under their terms of service, leaving a permanent trail of government records on commercial servers that employees rarely think to delete.

The risks have real precedent. In 2019, security researchers discovered hidden malicious code inside CamScanner, at the time the world's most popular mobile scanning app with hundreds of millions of downloads. The code, which had been injected through a third-party advertising package embedded in a routine update, was capable of stealing data from users' devices. Google temporarily removed the app from its Play Store following the discovery, a reminder that even widely trusted applications can be compromised without users knowing.

With this circular, all agencies are now required to adopt secure and authorised methods for digitising official records, methods that store and process all data within Nepal's own systems without transmitting anything to external servers.

The directive does not specify penalties for non-compliance, but its issuance through the highest executive office signals that mobile scanning has become a systemic security concern, one that grew quietly as government staff adopted free apps informally, without formal IT policy approval, simply because they were fast and convenient.