Concerns over Lankans’ identity in foreign hands: DRP warns Ministry
By Namini Wijedasa
The Department for Registration of Persons (DRP) has raised concerns regarding Sri Lanka’s proposed “unique digital identity project” (SL-UDI)—including that full delivery, maintenance and integration responsibility lies with a “master system integrator” (MSI), which is a foreign party.
India’s National Institute for Smart Government (NISG) recently invited bids from Indian companies to appoint an MSI—a contractor—for the development, implementation and maintenance of the SL-UDI Project. The Indian grant-funded initiative involves collecting citizens’ demographic and biometric information for a digital ID system similar to India’s Aadhaar system.
Twenty-two concerns were communicated to the Digital Economy Ministry Secretary by P.T.G. Perera, the Acting Project Director of Sri Lanka’s electronic national identity card (e-NIC) project, a separate initiative implemented by the DRP which will be merged with SL-UDI.
One of them is that the MSI is being granted privileges “that go beyond software management”, extending to control of master data and profile management—areas that are officially under the supervision of the DRP’s information technology (IT) department.
“This change bypasses the established oversight of user profile authorisation and authentication and unnecessarily transfers control of sensitive data and profile management away from the IT Department,” he has warned.
Mr. Perera’s letter—issued on a DRP letterhead—was annexed to a Supreme Court petition filed last month by former Minister Wimal Weerawansa that seeks to nullify the India-Sri Lanka Memorandum of Understanding related to the SL-UDI. The Sunday Times obtained the document, which is now public.
Cornerstone of the digital economy
The government says the SL-UDI project is an integral part of its digitalisation drive. Hans Wijesuriya, Adviser to the President on Digital Economy, recently told the Sunday Times that a trusted digital identity is the cornerstone of a digital economy framework.
The digital ID will integrate seamlessly with other digital public infrastructures such as digital signatures, digital certifications and credentials, enabling paperless transactions and interactions, Dr. Wijesuriya said. In a physical space, he pointed out, biometric authentication through methods such as fingerprints or iris scans will ensure accurate identification and eliminate the risk of identity fraud.
At its core, the project aims to provide every citizen with a unique national digital identifier, revolutionising the way digital interactions and transactions are conducted. The Information Communication Technology Agency (ICTA) says on its website, “By eliminating duplications in identity records across government departments, SL-UDI seeks to ensure data accuracy and efficiency in government operations.”
Concerns abound
But the DRP letter highlights many issues based on the invitation for bids published by the NISG. It points out, for instance, that bidding is restricted to Indian-led entities, while subcontractors, too, are under Indian authority. The contractor will have “end-to-end operational control”.
The contractor is allowed full commissioning, hosting and performance management. This poses a risk to sovereign data access controls, the letter states. The clause related to export restrictions is “vague and open-ended” and “does not explicitly prohibit replication or data reuse outside Sri Lanka”.
Separately, the contractor can assign or transfer contract obligations with limited Government of Sri Lanka (GoSL) control over end-entities. The software, including its intellectual property and redistribution rights, will be formally transferred to the GoSL only after three years.
As the migration of existing data to the new solution (SL-UDI) is required prior to testing and go-live operations, there is a possibility of data leakage to third parties, the letter continues. The section on “software solution” clearly stipulates that all development activities shall be conducted at an offshore location.
Meanwhile, the MSI will be involved in analysing, designing and estimating the firewall to be deployed at the data centre (DC) and disaster recovery (DR) sites. “These critical security components are under the MSI’s control,” the letter points out. “This arrangement may allow third-party applications visibility to the DC and DR environments, thereby compromising the sovereignty and control of data owned by the Government of Sri Lanka and the respective Department.”
Arbitration problems
According to the bid documents, arbitration will follow United Nations Commission on International Trade Law (UNCITRAL) rules and be conducted in New Delhi, India, “effectively bypassing Sri Lanka’s judiciary”.
The clause on law and language states that the contract is governed by Sri Lankan law. But arbitration and jurisdictional control are ceded abroad, creating inconsistency. Intellectual property rights for custom or package software, in the meantime, may remain with the contractor or licensors, with Sri Lanka holding limited rights, the letter maintains.
Crucially, the clause on limitation of liability restricts the contractor’s liability to 10% of contract value, even in cases of major breach of data loss. “As [sic] the Government of Sri Lanka is not involved in the tender’s oversight, development or implementation, it would be responsible for the remaining 90% of damages in the event of a data breach, cyber-attack or physical system failure,” it warns.
The “scope of services” identifies redundant modules that overlap with the e-NIC system, which has already been designed, tested and implemented in accordance with DRP requirements. And while the document refers to an iris capture device, there is currently no legal framework within the Government of Sri Lanka to support iris data collection.
The invitation for bids shows that the MSI will take over management of all IT assets, including hardware, software applications and network components procured under the project. These responsibilities will be removed from the DRP IT Department’s oversight, “disrupting asset governance and security management”.
“This may lead to uncontrolled and unnecessary procurement of equipment, potentially misaligned with existing infrastructure, security standards and protocol and service agreements applicable to GoSL once the system is fully transitioned,” the DRP letter cautions.
Mr. Weerawansa’s fundamental rights petition—along with an application on the same matter by another petitioner—was last taken up on August 27, when the Supreme Court gave directions to issue notices to the respondents named in both petitions. They are the Cabinet of Ministers, headed by the President, and the Prime Minister.
The petitions will be taken up for consideration on October 17.
