The OSA, and encrypted apps in Sri Lanka

John Xavier – the technology Editor at The Hindu – has a very interesting piece on the future of WhatsApp in India. He notes,

WhatsApp sees any government that chooses to mandate traceability as “effectively mandating a new form of mass surveillance. To comply, messaging services would have to keep giant databases of every message you send, or add a permanent identity stamp — like a fingerprint — to private messages with friends, family, colleagues, doctors, and businesses.”

The Delhi High Court has set the next hearing of the case to 14 August – and it’s worth marking on calendars. India’s the world’s largest democracy, and has the largest user base of WhatsApp. What happens there, matters for the rest of us – and especially as South Asians.

What’s ironic is that while the Indian government is trying to undermine encryption on the one hand, on the other it officially uses WhatsApp as a means to address the country’s population at scale, and unofficially (or quasi-officially) uses the app to distribute targeted propaganda. If WhatsApp does exit the Indian market (of which, incredibly, there’s a non-zero possibility), the greatest losers will be the ruling party and incumbent government – who are very likely going to be in power for years to come. It will be interesting to see how all this plays out in the months ahead.

What should be more concerning for Sri Lankans is how the Online Safety Act (OSA) – hurriedly, and very likely unconstitutionally, passed in parliament earlier this year – enables much the same thing, and risks enabling it further through judicial interpretation subservient to autocratic expansion, without any comparable fuss, media coverage, pushback or awareness. The potential, though not as explicit in the OSA as it is in the proposed Indian legislation, is ripe for stochastic, expedient, and partisan exploitation given Sri Lanka’s enduring democratic deficit, and its long, sordid history of targeting citizens and brazenly lying about it.

Sections 25-26 of the OSA empower the Commission to order service providers to disclose user identity information and electronic communications data. This can be interpreted in a way that compels the likes of Meta to break encryption, and hand over private user data to authorities.

The yet-to-be-established Commission under the OSA – a creation so overwhelmingly odious it will, and can only, be constituted by supine apparatchiks – has the power to issue directives and access orders without requiring independent judicial approval. The OSA also has zero safeguards against arbitrary or excessive demands for user data, which could also compromise the integrity of encrypted communications by forcing disclosure. This is different to compelling the likes of Meta to break encryption, because so-called “experts” appointed by the Commission essentially have complete, unfettered access to an individual’s on-device and cloud data, communications, media, and storage if that individual is held liable for transgressing the Act’s provisions.

Though it’s considerably watered down in the proposed amendments (which, in fact, overall make the Act even worse than it is), Section 24 of the OSA penalises internet service providers and intermediaries for non-compliance with content takedown and data disclosure orders. The amendments indemnify the industry from the OSA’s worst excesses on this score. Tellingly, what the amendments don’t do is address the points above – leaving citizens completely unprotected from the Act’s high likelihood of abuse in the service of an Executive President or government keen to quell dissent, and the viral spread of content that holds them accountable (think of the aragalaya, and the conversations that undergirded it).

The OSA has tragi-comically vague definitions of so-called “prohibited content”. These can be interpreted to demand the removal of content that resides on, was produced for, is spread through, and is engaged with on encrypted platforms like WhatsApp. If the amendments come about, social media companies will be fine, but citizens will continue to be hunted down for content they have produced, shared, stored or engaged with, even on product and platform surfaces that are encrypted. Parenthetically, this can also result in a never-before-seen market in Sri Lanka for spyware like Pegasus, deployed against dissidents as has been the case in a number of other countries and contexts.

Unlike, and diametrically opposed to, laws like the proposed American Privacy Rights Act of 2024 (APRA), and even world-class legal frameworks like Sri Lanka’s own Personal Data Protection Act (PDPA), the OSA has almost no protections around user consent, data minimisation, and purpose limitation. The resulting potential for hoovering up public data at scale is significant; this can also include metadata from apps like WhatsApp, which can be used to determine who is talking to whom even without breaking encryption. As I noted in an article published earlier this year,

The OSA grants a government commission expansive authority to monitor online content and communications with minimal transparency, accountability, or independent validation safeguards as seen in PDPA’s governance standards. Additionally, the OSA allows state regulators to block websites based on vague prohibitions, restricting public digital access and discourse. By contrast, PDPA focuses singularly on securing citizens’ data protections and privacy rather than compromising rights through opaque speech controls, and unchecked surveillance authority. The sweeping expansion of state power to access user data and restrict online information permitted by OSA contrasts directly with PDPA’s purpose to protect consumer privacy, and digital rights. It is unclear how, and if, these tensions will be resolved. Meanwhile, sensitive personal information in the hands of security, and other state agencies will be used to track, trace, and target activists, journalists, opposition figures, and other dissenting voices for state harassment or arrest. Knowing that their online activities will likely be constantly monitored, citizens will likely increasingly avoid discussing sensitive or political topics, leading to self-censorship, and a significant chilling effect.

Simply put, the OSA must be seen as an extension of the vast, unbridled, undemocratic powers of Sri Lanka’s Executive Presidency. Official presentations that it is about women and children are complete, blatant lies. As long as the OSA is in our statute books, it will provide unprecedented scope for expedient exploitation. This potential for abuse extends to encrypted messaging apps as well, though the actual risk will vary given technical differences between apps, and other factors. The risk to Sri Lankans is similar to what Meta is fighting against in India – which also explains why the entire industry opposed the OSA not once, but four times over.

While Sri Lanka’s OSA does not explicitly mandate content/commentary traceability like the proposed Indian law, its provisions extending executive authority to access private communications, and significantly undermining the integrity of privileged communications, will have a significant chilling effect, asymmetrically experienced by Tamils, Muslims, investigative journalists, activists, whistleblowers, and those who hold power to account – already violently targeted, and with near total impunity.

###

First published on LinkedIn.

###

Addendum: On 29 April, I wrote how Sri Lanka’s proposed Anti-Terrorism Act (ATA) directly targets encrypted communications.