Technical overview on Online Safety Act of Sri Lanka

This Online Safety Act will have a huge impact on the freedom of expression of Sri Lankan citizens 

In 2018, “EUROPOL” headquartered in Hague, Netherlands, a key organisation established to prevent and combat serious internationally organised crimes, cybercrime and terrorism, had clearly defined the difference between cyber-dependent crimes and cyber-enabled crimes. As defined by them, any crime that can only be committed using computers, computer networks or other forms of information communication technology was named as cyber-dependent crimes and traditional crimes facilitated by the Internet and digital technology were categorised as cyber-enabled crimes. So, there are two categories of cybercrimes and these definitions are internally accepted. 

Illicit intrusion and hacking into computer networks, disruption of computer functionality with the spread of viruses or other malware and Distributed Denial of Service (DDoS) attacks which can paralyse service delivery by computers are some examples for cyber-dependent crimes.

Some cyber-enabled crimes are child sexual exploitation, fraud/scams, blackmail, extortion, etc.

In Sri Lankan context, Computer Crime Act No. 24 of 2007 has already provided necessary legislative provisions for tackling most of the cyber-dependent crimes.

Issues related to content such as defamation, harassment, misinformation, impersonation occur not only through online means but also through the use of other traditional means (electronic or print media). Hence, such things fall under cyber-enabled crimes. Sri Lanka has adequate laws for such cyber-enabled traditional crimes. If not, the relevant legislation should be amended accordingly. It is not appropriate to make separate laws for such crimes considering only internet media, and doing so becomes very suspicious.

Hence, the objective of preparing the Online Safety Act itself is problematic.

Also naming the Act as Online Safety Act is also meaningless because its scope is very narrow. Otherwise it should provide the provisions in such a way, to cover both types of cybercrimes that I mentioned above. It is not so. Only provisions related to cyber-enabled crimes are mentioned in this act. These are often content related issues. Since the Act has given priority for regulating social media, I think it is appropriate to change the name of the Act as Social Media Regulation Act.

Only legislators involved

While drafting this Act, it seems that only the legislators have been involved without obtaining inputs of information technology experts as many of the provisions given here are not practical. For example, provisions sought to be enforced through global Internet intermediaries are not enforceable because the Sri Lankan market is too small for them to consider and hence we do not have the bargaining power to enforce them. This should be pointed out by IT experts. However, it seems that it has not happened. If the global service providers decide to exit the Sri Lankan market due to those provisions, it will severely affect the country’s economy as well as the social harmony.

This Online Safety Act will have a huge impact on the freedom of expression of Sri Lankan citizens. The power to determine false/true statements and declare them as prohibited statements has been given to five people out of a population of 21 million. These five people who cannot be considered politically independent will be nominated and appointed by the President with the approval of the Constitutional Council. This will have a major impact on the independence and impartiality of the commission. That is, since the nomination of the members is done by the President, he has the ability to nominate loyal and politically biased people at will. The power to remove them at any time has been given to the President. Necessary reasons can be made through the provisions given in the Act itself. Members are only given an opportunity to state the facts as a hearing. There is no appeal process for removal.

As disqualification for appointment as a member of the commission, the Act has mentioned financial or other interest of such a member that may adversely impact the implementation of its functions, but has not mentioned political independence of those members. Also, it is essential that such a member cannot have a conflict of interest with Internet service providers, social network service providers, Internet intermediaries, but that is not mentioned here.

Although the Commission has been entrusted with very powerful powers and duties, there are many practical obstacles in carrying them out. It appears that the provisions have been implemented without adequate technical study or consultation in this regard. These practical problems arise with implementation, the results of which they will experience in the future.

The extent to which Internet Service Providers (ISPs) and Internet Intermediaries will accept orders of the commission directly depends on the bargaining power we have as a country. We do not have the bargaining power of India, Japan or China. Our population of about 21 million is not a huge market that such flag giants can influence. Also, global Internet intermediaries that provide various services have already introduced Community standards to regulate the contents on their platforms which are currently in operation. Through that, they also have implemented a certain level of regulation in their platforms. It is unlikely that they will agree to carry out orders given by a commission in a small country beyond these global community standards they have introduced.

ISPs only provide access to the Internet and are not concerned or responsible for its content or what users browse through the connection. It is therefore ludicrous to issue directives to the ISPs to provide opportunities to the affected party for responding to the content which the Commission concludes as prohibited. The ISPs have no control over that.

Persons communicating prohibited statements must be specifically identified before being notified to stop communicating such statements. Who is going to do that? Also, in order to specifically identify a particular person it is essential to obtain privacy related data from the relevant social media service provider or Internet Intermediary. Since every global service provider is obliged to protect the privacy of their users (via Privacy Policies), it is doubtful that they would override their privacy policies and provide that information to the Commission.

Internet intermediaries may withdraw from providing services

The commission can issue notices to the Internet intermediaries to remove prohibited content from their online platform or block the content to the users in Sri Lanka. But as I mentioned

above, they will remove or block them only if the content is contrary to their policies. In such a case, the commission can only block the whole respective platform (e.g.: facebook) through Internet service providers in Sri Lanka. This is unfair to all users in Sri Lanka and as a result there is a danger that respective Internet intermediaries may also withdraw from providing services to our country.

When Internet intermediaries have the ability to automatically check whether a certain content violates their community standards through complex processes using modern technology such as artificial intelligence (AI algorithms), how far will they accept the recommendations made by the Commission to remove prohibited statements? This should be thought of practically.

It has been proposed to maintain an online portal containing information to give the public an understanding of the falsity of a certain statement. This is funny because the public can get more information from lot of other independent sources and come to their own conclusions than referring to the information provided via this portal. 

A team with expertise in information technology is required to carry out investigations that may be necessary for the execution of the Commission’s powers and duties. Who is going to do this? Does the Commission have a permanent internal investigation team?

It is not practical to register Global Internet Intermediaries in such a manner as may be specified by the rules made by this Act. We are a bankrupt country without enough market or bargaining power to enforce such provisions. Therefore, this provision should be reconsidered.

In order to specifically identify a person who has made a false statement, it is essential to obtain personally identifiable information (PII) from Internet intermediaries. How practical is this? As I mentioned above, will they provide the information requested by the Commission? Even if that is granted, how can the legal action be taken if the person is outside Sri Lanka? Will

ISPs in overseas provide relevant data to the Commission for investigations?

Also, a fact that is true at one moment may be false at another. Even if a provocation or riot occurred on the basis of a truthful statement, it is also possible that the commission later defines it as a false statement because of the riots.

Disruption of a religious assembly by a true statement may later become a false statement because of the fact that the incident did not occur. For example, the Easter bomb attack may not happen because of a statement spread predicting it can happen on that day and disturbs the religious gatherings. But since the bomb blast did not happen, later the above statement can be interpreted as a false statement justifying that it was made purposely to disturb the said religious meetings.

Outrage of religious feelings is a very sensitive matter and there should be a balance of freedom of expression and its limitations. One’s beliefs regarding a religion may be contrary to another’s and how should the right to express it be? For example, is it an insult to a religion and a false statement to declare that there is no one called God?

Cheating doesn’t just happen online

Cheating doesn’t just happen online. Other traditional methods are also widely used for that. Therefore, it is more appropriate to introduce a law that is common to all or to update an existing law rather than legal provisions that are limited to online media.

Impersonating doesn’t just happen online either. This fraud can also be done by using fake documents. Therefore, the existing laws should have been updated to cover online methods as well.

The provisions of this Act regarding child abuse should have been made by updating other existing Acts such as the Child Protection Act, and not by highlighting them as an offenses due to the medium of the Internet. Online techniques are one of the mediums through which child abuse occurs.

Although it is possible to obtain an order to disclose the information of those who made a statement using a fake online account or bot, as I have mentioned several times above, it is doubtful to what extent Internet intermediary service providers will respond to this due to the existing privacy policies of them. If there was an international law in this regard this may have been easy. We know from our past experience that obtaining privacy related information through cyber security conventions is not practical.

This Act exempts ISPs from liability in case something is uploaded or interfered with by a third party. It is not necessary to say this because it is not their responsibility. As I mentioned earlier, if these legislators had recognised the role of Internet service providers, such a provision would not have been provided.

Global Internet Intermediary Service Providers will not take action on content unless it violates existing community standards. It is also unlikely that they will appear in our courts to resolve content related issues.

I feel that it is required to re-think whether those global Internet intermediaries agree to the various conditions stipulated in Section 29 of the Act, which state that they should ensure that any paid content that it includes or causes to be included on the declared online location, is not communicated in Sri Lanka on the declared online location.

Internet intermediary service providers are well aware that fake online accounts and organised counterfeiting occur through their platforms. But, they have not taken drastic measures to ban them completely, often to protect freedom of expression and individual identity. They also do not hesitate to cancel such accounts if they violate their community standards. It is unlikely that they will implement the Commission’s directives to ban fake accounts.

Finally, it must be mentioned that this is not an act introduced with the broad objective of creating security online, but an act aimed at controlling content on the Internet. In the future, we can experience the impact of this on the freedom of expression of the people as well as the economy and social activists of the country.

(The writer is former Chief Operating Officer, Sri Lanka Computer Emergency Readiness Team.)