Proposed contract for e-passports: Concern over major vendor lock-in trap
By Namini Wijedasa
The Public Security Ministry has recommended the award of a lucrative tender to Thales DIS Finland Oy/Just in Time (JIT) that will see the French-Sri Lankan joint venture personalise 3.15 million e-passports—that is, enter biometric and biodata into the books—over the next few years.
But the proposed contract has one concerning feature that subject experts warn is a glaring “vendor lock-in trap”. It makes the Department of Immigration and Emigration (DIE) wholly dependent on Thales’s technology and services, so that switching to an alternative becomes prohibitively expensive, time-consuming, or technically impossible.

Applicants wait their turn at the Department of Immigration and Emigration
And the DIE has neither asked for a quotation nor capped a price for post-contract software licence renewals. There is nothing in the current bidding framework to prevent the vendor—Thales/JIT—from demanding exorbitant software renewal fees.
All this could cost the taxpayer millions in unnegotiated software licence fees.
What is this trap?
The tender is officially titled the “Procurement of Issuance System and Relevant Public Key Infrastructure components for personalisation of e-Passports to the Department of Immigration and Emigration of Sri Lanka”. It is designed to modernise Sri Lanka’s travel documents.
However, an analysis of the bidding documents, amendments and official clarifications exposes a procurement structure that presents as a simple service contract but sets up “a monopolistic trap” for the government at the end of the agreement’s tenure.
The Sunday Times looked into the terms of the contract. It holds the vendor—Thales/JIT—responsible for buying, installing, and maintaining all the physical IT infrastructure at their own initial expense, recovering the cost through monthly, per-passport fees.
According to the exit criteria of the tender, once the contract hits its limit—either in five years or exactly 3,150,000 passports—it terminates. The title and legal ownership of all physical hardware, including servers, security appliances, workstations and highly specialised hardware security module (HSM) components, will be transferred to the DIE.
However, the pricing structure then becomes problematic for the government. While the DIE will own the physical hardware, these machines are of no use without the proprietary software and firmware licences required to run the public key infrastructure (PKI).
What’s the rub? The bidding document’s pricing schedule did not ask bidders to quote or lock in the prices for post-contract software licence renewals.
A “Trojan Horse” handover and a dire warning
At first glance, the contract appears to be a windfall for the state. The government inherits a multimillion-dollar, fully functioning data centre and PKI infrastructure. But the DIE’s dependence on the vendor does not end when the 3.15 million passports are printed.
Modern IT infrastructure cannot run without the requisite software. And the software required to operate the PKI and personalisation system is governed by a strict, proprietary licence. This is where the tender heavily favours the supplier, the Sunday Times found. The contract omits any requirement for bidders to lock in, or even disclose, the post-contract pricing for these essential software renewals.
During the pre-bid clarification phase, prospective bidders reportedly asked how they should price post-contract license renewals, noting that the rate card and price schedule did not include a section for it.
DIE’s official, published response (available online) said only this: “After contract period ends or after hand over, employer [DIE] will be responsible for license renewals.” It confirmed that the renewal prices for after the contract period had “not been requested” in the pricing submission.
“By accepting the hardware without a pre-negotiated software licensing agreement, the DIE is walking directly into a textbook ‘vendor lock-in’,” an expert with inside knowledge of the process told the Sunday Times. He did not wish to be named.
“Once the contract ends, the government will own racks of specialised hardware that can only be operated using the original vendor’s proprietary software,” he pointed out. “Because the renewal fees were never requested, evaluated, or capped during the competitive bidding process, the vendor is granted absolute pricing power.”
“They could easily revert to demanding ‘per-passport’ licensing fees, effectively continuing to tax the Sri Lankan government for infrastructure that the state supposedly already owns,” the expert warned. “If the DIE refuses to pay the arbitrary price dictated by the vendor, the inherited hardware becomes obsolete overnight, paralysing the nation’s ability to issue secure e-passports.”
The illusion of a single-price service model
On the surface, the procurement strategy seems straightforward. According to Section 4.12 of the main procurement document, the pricing structure is consolidated into a single line item.
Bidders are not required to provide a detailed, itemised cost breakdown for the massive array of hardware and software they will deploy. Instead, they must submit a unified price for a total volume of 3,150,000 passports.
This structure implies a “pay-as-a-service” model. This is further corroborated by Appendix 7 (Terms and Procedures for Payment), which outlines only two payment milestones: a 10 percent advance payment; and a monthly payment schedule based strictly on the delivery volume of personalised e-passports.
The selected vendor is expected to supply a massive technological ecosystem, including the personalisation and issuance system, data aggregation components, national public key directory (nPKD), and the highly sensitive PKI, which encompasses HSMs, document signers, and key management systems.
The vendor must also provide all underlying servers, storage, racks, and third-party software on its own dime, recovering its costs through the per-passport fee charged to the DIE.
“Procuring complex IT infrastructure as a ‘service’ is a standard global practice, but it requires airtight exit strategies. Handing over hardware without securing the long-term software rights and pre-determining renewal costs is financially reckless,” the expert emphasised.
“Before this tender is awarded, the High-Level Procurement Committee (HLPC) and national oversight authorities must intervene,” he stressed. “Bidders must be required to submit legally binding, capped price schedules for post-contract software licensing and maintenance.”
“Without this critical amendment, the DIE is not buying an e-passport system,” he said. “It is buying a multimillion-dollar hostage crisis.”
The pricing formula
The pricing for this project is entirely structured around a “per successfully personalised passport” model, but it rests on two separate contracts that the government is paying to the same vendor, Thales.
The first is the physical booklet: the government previously signed a contract to buy the blank e-passport booklets from Thales at a rate of EUR 4.62 per booklet.
The second is the PKI and personalisation system: to encode the chips and print the data onto those blank booklets, the vendor is charging a separate system fee of EUR 1.04 + LKR 302.23 per passport (roughly LKR 726.42 per passport at the July 2025 exchange rate).
According to the Cabinet paper, which the Sunday Times saw, the total base cost for 3.15mn passports is EUR 3,276,000 plus Rs. 952,024,500 (without VAT). With taxes, the total is Rs. 2,288,233,610.
The vendor first receives a 10 percent advance payment, upfront. Thereafter, the DIE pays monthly, based on the exact number of passports printed that month. Even if demand drops, the government is contractually bound to pay for a minimum of 60,000 passports every month until the total cap of 3.15 million passports is reached; at that floor the cap would be hit in about 52 months, inside the five-year term.
The vendor will buy, install and maintain all the physical IT infrastructure at its own initial expense, recovering the cost through the monthly per-passport fees. When the contract ends and the DIE takes over the hardware, it will immediately have to return to Thales to buy software licence renewals to keep the national passport system running. Because the government did not negotiate a fixed renewal price during the competitive bidding phase, Thales will wield absolute monopoly pricing power. It could demand millions of dollars in annual software licensing fees or dictate a new per-passport software fee. Without those licences, the hardware the government owns will be obsolete.
The DIE faces a licensing burden on an additional front: it must also pay Oracle, Microsoft (Windows) and antivirus providers for standard commercial IT licence renewals to keep the base servers running.
One further aside: bids for the PKI tender were invited via international competitive bidding. Eight suppliers submitted offers. Of the evaluated bidders, only Thales/JIT was deemed technically qualified, scoring 94.40 out of 100 marks.
