Midweek Review
Sri Lanka’s digital ID project: Implications, risks, and safeguards
by Prof. Amarasiri de Silva
The government of Sri Lanka is waiting for clearance from the Public Security Ministry to go ahead with an India-funded Unique ID card project, according to a report published in The Island, quoting State Technology Minister Kanaka Herath. It is akin to seeking approval from the father to hand over control of the family’s personal details to the next-door neighbour! The state of affairs concerning the issuance and upkeep of ID cards in Sri Lanka, coupled with the prospect of outsourcing their management and execution to an Indian company, is undeniably a matter of serious concern. It is disheartening that there is a lack of capability within Sri Lanka to handle this crucial task, leading to the consideration of outsourcing the responsibility to an agency in another country. However, entrusting such a sensitive task to an external agency, particularly one based in India, comes with a myriad of challenges, foremost among them being data security issues.
India’s offer to provide advanced aid of 450 million Indian rupees to President Wickremesinghe’s government for funding the digital ID project undoubtedly presents an opportunity for financial support. However, this offer raises questions about the underlying motivations and implications for the countries involved, particularly for Sri Lanka. From a political perspective, the decision to introduce a project involving the outsourcing of national data to an Indian company, particularly under the leadership of Ranil Wickremesinghe, is likely to face scrutiny and questions regarding its legitimacy and mandate. This scrutiny can stem from several factors, including concerns about transparency, accountability, and national sovereignty.
Critics may question whether Ranil Wickremasinghe, as the leader of the government or a relevant authority, has the proper mandate to initiate such a project without sufficient consultation or approval from people, the Opposition, and other branches of government, such as parliament or relevant oversight committees. They may argue that such a significant decision, involving the collection and management of sensitive national data, should be subject to broader scrutiny and debate to ensure democratic accountability.
There may be concerns about the lack of transparency surrounding the decision-making process and the extent of public consultation undertaken before committing to the project. Citizens and civil society organisations may demand clarity on the rationale behind outsourcing sensitive data to an Indian company and seek assurances regarding data privacy, security, and potential risks associated with foreign involvement.
Outsourcing the management of national data, including biometric and personal information, to a foreign company raises questions about national sovereignty and security. Critics may argue that such a move compromises Sri Lanka’s ability to control and protect its citizens’ data, potentially exposing it to risks such as unauthorised access, misuse, or exploitation by foreign entities. There may be concerns about the implications for national security, particularly if the outsourced data falls into the wrong hands or is subject to foreign influence or interference.
Beyond political considerations, there may also be concerns about the economic implications of outsourcing such a project to an Indian company. Critics may question whether sufficient efforts were made to explore domestic alternatives or support local expertise and industries in developing and implementing the project. They may raise concerns about the potential loss of revenue, jobs, or technological capabilities that could result from relying on foreign assistance for critical infrastructure projects.
In response to these concerns, proponents of the project, including the government and supporters of Ranil Wickremesinghe, may argue that it is necessary to leverage external expertise and resources to address capacity constraints and accelerate the implementation of essential projects, such as digital identity systems. They may emphasise the potential benefits of collaboration with India, such as access to advanced technology, financial assistance, and opportunities for bilateral cooperation and knowledge exchange, but the advantages may outweigh the benefits.
However, the government must address legitimate concerns about transparency, accountability, data privacy, and national sovereignty through open dialogue, robust oversight mechanisms, and clear communication with the public and relevant stakeholders. Building trust and confidence in the project’s integrity and objectives will be essential to mitigate political opposition and ensure its successful implementation in the long run.
The digital ID project, as described, aims to collect biographic and biometric information, including facial, iris, and fingerprint data. While this endeavor may offer certain advantages to the Indian government, such as potentially enhancing bilateral relations or fostering technological cooperation, it also raises concerns regarding data privacy and sovereignty for Sri Lanka. India could utilise the biodata from Sri Lanka’s ID cards to influence the Sri Lankan economy, potentially crafting programs to facilitate Indian trade and expand technology initiatives.
First and foremost, the issue of data security looms large. Entrusting the collection and management of sensitive biometric and personal information to an external agency, particularly one based in another country, introduces significant risks. The use of national ID data of the Sri Lankan population by a foreign country like India raises significant concerns about data privacy, security, and national sovereignty. While it’s essential to acknowledge that any speculation about specific intentions should be approached cautiously, it’s crucial to understand the potential risks and implications associated with such scenarios:
Data Access and Control: If India has access to the national ID data of the Sri Lankan population, there is a risk that it could be used for various purposes, including surveillance, intelligence gathering, or profiling. This could infringe upon the privacy and civil liberties of Sri Lankan citizens, as their personal information may be subject to monitoring or exploitation without their consent.
Political Influence: Access to sensitive data about the Sri Lankan population could provide India with leverage or influence over Sri Lanka’s political decisions or policies. By leveraging this information, India could potentially exert pressure or manipulate decision-making processes to align with its interests, compromising Sri Lanka’s sovereignty and autonomy.
Cybersecurity Risks: Storing or transmitting national ID data across international borders introduces cybersecurity risks, as it increases the potential attack surface for malicious actors, including hackers, cybercriminals, or hostile state actors. Any breach or compromise of the data could have severe consequences, including identity theft, fraud, or espionage.
Geopolitical Considerations: The collection and control of national ID data by a foreign country like India could have broader geopolitical implications, particularly in the context of regional power dynamics and strategic competition. It may exacerbate tensions or mistrust between countries and undermine efforts to foster cooperation and trust.
Economic Exploitation: Access to national ID data could also enable economic exploitation, such as targeted marketing or commercial profiling, by Indian companies or entities with vested interests. This could disadvantage Sri Lankan businesses and consumers, as their personal information may be used for commercial gain without adequate safeguards or consent.
Diplomatic Fallout: Revelations of foreign interference or exploitation of national ID data could strain diplomatic relations between Sri Lanka and India, leading to diplomatic tensions, public outcry, or calls for accountability. It could undermine trust and cooperation between the two countries on other bilateral or regional issues.
Sri Lanka must carefully consider the implications of sharing its citizens’ data with a foreign entity and ensure that robust safeguards are in place to protect against data breaches, unauthorised access, or misuse.
Furthermore, the reliance on foreign aid for such a critical project raises questions about national sovereignty and self-reliance. While external support can be beneficial, Sri Lanka needs to maintain control over its identity management infrastructure and ensure that decisions regarding data collection, storage, and usage align with its national interests and values.
Additionally, there may be concerns about the long-term implications of dependence on foreign assistance for essential infrastructure projects. Sri Lanka must weigh the short-term benefits of financial aid against the potential risks and dependencies created by outsourcing critical functions to external entities.
“ID card projects” typically refer to initiatives or programmes aimed at issuing identification cards to individuals within a certain population. These cards serve as official documents that verify a person’s identity and may contain information such as their name, photograph, date of birth, and sometimes biometric data like fingerprints or iris scans. Usually, National ID Cards are issued by Governments that may implement national ID card projects to provide citizens with a standardised form of identification for various purposes, such as voting, accessing government services, and proving eligibility for employment or benefits.
Outsourcing an ID card project to an outside agency can raise several security concerns, including:
Data Privacy and Protection: Providing personal information to an external organisation raises the risk of data breaches or unauthorised access. The outside agency must adhere to strict data protection regulations and implement robust security measures to safeguard sensitive information.
Identity Theft: If the external agency does not adequately secure the data collected for the ID card project, it could be vulnerable to identity theft or fraud. Criminals could exploit weaknesses in the system to obtain and misuse individuals’ personal information.
Counterfeiting and Fraud: Outsourcing the production of ID cards increases the risk of counterfeit cards entering circulation. Without stringent controls and security features, criminals may replicate or alter the cards for fraudulent purposes, such as gaining unauthorised access or committing identity theft.
Vendor Reliability: Depending on an external agency for the implementation of the project introduces dependencies and risks associated with the reliability and integrity of the vendor. Issues such as delays, miscommunication, or vendor misconduct could compromise the project’s security and effectiveness.
Lack of Oversight and Control: Entrusting the entire ID card project to an outside agency may result in reduced visibility and control over the process. Government agencies or organisations must maintain sufficient oversight to ensure compliance with security standards and regulatory requirements.
Supply Chain Risks: The supply chain involved in producing ID cards, including materials, equipment, and personnel, may introduce vulnerabilities if not properly managed. External vendors and subcontractors should be vetted thoroughly to mitigate supply chain risks.
To address these security issues, organisations should conduct thorough risk assessments, establish clear contractual agreements with the external agency, implement robust security controls, regularly monitor compliance, and ensure transparency and accountability throughout the project lifecycle. Additionally, ongoing communication and collaboration between the outsourcing organisation and the external agency are essential to address security concerns effectively.
In light of the risks associated with accepting external assistance for Sri Lanka’s digital ID project, the protection of citizens’ data sovereignty, privacy, and security must be paramount. This necessitates the implementation of robust safeguards, regulatory frameworks, and oversight mechanisms to mitigate the potential for unauthorised access or misuse of national ID data by foreign entities.
Furthermore, fostering greater transparency, accountability, and public awareness regarding the collection, storage, and use of personal information is imperative. By engaging in open dialogue and providing clear information to the public, trust can be built, and responsible governance in the digital age can be ensured.
In summary, while India’s offer of financial support presents opportunities for expediting the project’s implementation, careful consideration of concerns surrounding data security, national sovereignty, and long-term sustainability is essential. Sri Lanka must conduct a comprehensive risk assessment to weigh the potential benefits against the risks associated with external assistance. Proactive measures should be taken to safeguard citizens’ privacy and uphold the integrity of identity management systems through transparent decision-making and robust oversight. Ultimately, prioritising the interests of the Sri Lankan population is paramount in navigating the complexities of such partnerships.