Sri Lanka’s proposed Anti-Terrorism Act, and encrypted communications 

Technology 3 Minutes

Since I stick to my subject/domain expertise of, and focus on online harms, I hadn’t studied the proposed Anti-Terrorism Act (ATA) in relation to clauses that may impinge on privacy, and the integrity of online communications. Based on how the Online Safety Act (OSA) alone can very seriously impact the integrity of encrypted communications I posted about yesterday, someone alerted me to the fact that a section of the ATA demands almost exactly what Meta’s fighting against in India.

The section on encrypted communications is in Clause 65 of the ATA (see below).

This clause worsens already significant concerns surrounding the OSA’s potential for abuse by providing a parallel, and even more expansive, invasive framework for surveillance, and unbridled data access, with even fewer safeguards, and a lower threshold for application.

Clause 65 of the ATA grants police officers (not below the rank of Superintendent) the power to seek a magistrate’s order to intercept, access, and monitor a wide range of communications and data, including encrypted services. This expands the scope of surveillance beyond the OSA’s provisions, which focus on user identity and electronic communications data held by service providers.

A magisterial order would allow for a couple of things under the ATA’s Clause 65. First, a police officer can tell someone who provides digital keys or encryption for communication, storage, or equipment to unlock it, and give the police full access to the information inside. Second, they can intercept, read, listen to, or record any kind of message or conversation, whether it’s through mail, phone, internet, video, or any other way. This hits end-to-end encryption directly, including, but not limited to apps like WhatsApp, and Signal. Third, the Police can access any type of data or information, and any system used to exchange or transfer that data.

While the OSA requires the (yet to be appointed, but very likely to be completely supine, and subservient) Commission to have “reasonable grounds” to believe that a service provider possesses information necessary for an investigation, the ATA only requires “reasonable grounds of suspicion” against a person in the commission of an offence under the Act. The focus also shifts from service provider to individual – and this is not insignificant. To wit, the very broad purposes for which a magistrate may issue an order under Clause 65(2) of the ATA can (and likely will) be used to target dissenting voices or conduct vast surveillance expeditions hoovering up data on large numbers of individuals or even entire institutions, given (1) Sri Lanka’s militarised state, and (2) history of misapplying national security arguments, and laws.

The potential chilling effects, already heightened by the OSA, will be made worse. In January this year, the United Nations noted, inter alia,

If passed in its current form, the Bill would grant excessive powers to the executive to restrict rights, with limited or no safeguards against abuse of such powers. It would weaken the legal grounds needed for security forces to arrest individuals without warrants. It would also still permit lengthy pre-trial detention.

Aside from a number of reports, statements, and articles on the proposed ATA, I couldn’t find any study or reference on how the OSA, alongside the even more problematic Clause 65 alone of the ATA will serve as unprecedented foundations of a surveillance, singling out, and silencing architecture the likes of which Sri Lanka’s never seen before – with a devastating impact on democracy.

###

The ATA draft notes, under Clause or Section 65,

(1) For the purposes referred to in subsection (2), a police officer not below the rank of a Superintendent of Police may make an application to a Magistrate seeking for an order authorizing such officer–

(a) to direct any person who provides locking or encryption services pertaining to any communication or storage services or equipment of any data or information or other thing, to unlock or unencrypt the service or equipment and provide information contained therein to such police officer;

(b) to intercept, read, listen or record any postal message or electronic mail or any telephone, voice, internet, or video conversation, or conference or any communication through any other medium;

(c) to access any analogue or digital data or information; exchange or transfer system.

Provided however, such police officer shall be entitled to apply for an order under this section only if there exist reasonable grounds of suspicion against any person in the commission of an offence under this Act.

(2) The purposes for which the Magistrate may make an Order under subsection (1) shall be –

(a) to determine the identity of a person who has committed; (b) to determine the location of a person who has committed;

(c) to facilitate the conduct of an investigation into; (d) to gather evidence against a person who has committed; (e) to determine whether one or more persons are conspiring, planning, preparing or attempting to commit; or (f) to take measures to prevent the commission of,

an offence under this Act.

(3) Such Magistrate shall, if he is satisfied that the application is made in good faith and making of such order is reasonably necessary for conducting investigations, issue such order.

Published by Sanjana

An Ashoka, Rotary World Peace and TED Fellow, I have since 2002 used, studied and advocated Information and Communications Technologies (ICTs) to strengthen peace, human rights & democratic governance. I founded in 2006 and till June 2020 edited the award-winning Groundviews, Sri Lanka's first civic media website. From 2002-2020 I was a Senior Researcher at the Centre for Policy Alternatives. I pioneered both the use of social media for activism and online citizen journalism/civic media in Sri Lanka, including setting up South Asia's first Twitter and Facebook accounts for civic media, in 2007. Having started digital security training for human rights activists in 2010, I continue to advise civil society on digital hygiene, mass and personal surveillance, privacy and secure communications to date. I also curate a comprehensive digital archive of material linked to peace and conflict in Sri Lanka, since 2002. I specialise in, advise and train on social media communications strategy, countering-violence extremism online, web-based activism, online advocacy and grounded, context-based, platform-specific social media research. My work experience over two-decades spans five continents. Through the ICT4Peace Foundation and since 2006, I help strengthen information management during crises and work on countering violent extremism online. For over a decade, this included leading the Foundation's work on these lines with the United Nations and other multi-lateral organisations involved in peacebuilding, peacekeeping, and humanitarian affairs. Since 2008, I have worked in South Asia, South East Asia, North Africa, Europe and the Balkans to capture, disseminate and archive inconvenient truths in austere, violent contexts. I completed doctoral studies at the University of Otago, New Zealand, looking at the symbiotic relationship between offline unrest and online instigation of hate and harm in Sri Lanka and, in the aftermath of the Christchurch massacre in 2019, facilitated by leading research based on New Zealand's first ever Data for Good grant by Twitter.

Published