Yesterday (2) local authorities announced that the official website of the Department of Government Printing which was hacked on Tuesday (31 December 2024) has now been restored. This, according to the Sri Lanka Computer Emergency Readiness Team (SLCERT) who are empowered to respond to cyber-security incidents related to State institutions. However, efforts were still underway last evening to regain control of the official YouTube channel of the Sri Lanka Police Department which had also been subjected to a cyber attack since Friday (27 December).
Sri Lanka is no stranger to routine cyber attacks and having to face a range of cyber crimes – scams, with last year showing significantly advanced cyber scams targeting the banking sector and individuals being brought to light. The Government has been issuing warnings about cyber safety and cyber scams for some time. However, time and again the poor state of State cyber security is exposed with State websites, online services and systems often compromised. Meanwhile, consecutive governments have preached to the public about the coming ‘digitalisation’ of the State sector and trumpeting all the wonders it will bring along. So, why does the Government, or governments – let's spread the blame where it should fall – continue to keep their institutions and online services vulnerable to cyber attacks and hacking? The State should begin to practice what it preaches, and get its house in order first.
Meanwhile, the Police Department launched their ‘e-Traffic’ mobile application on the first of January, which they claim is a “cutting-edge tool aimed at reducing traffic violations and improving road safety in line with the ‘Clean Sri Lanka’ initiative”. The app was officially launched by Acting Inspector General of Police (IGP), Priyantha Weerasuriya, at a ceremony held at the Police Headquarters. According to media reports, the e-Traffic app empowers the public to report traffic violations and related incidents in real-time. Users can upload photos or videos of offenses using the app’s Camera and Video options. These submissions will be forwarded directly to the Police Headquarters for immediate action.
However, concerns regarding the digital safety and security of the said mobile app which was launched by the Police has already been questioned by some experts. Posting on his LinkedIn page, disinformation researcher Dr. Sanjana Hattotuwa has questioned the credibility of the Sri Lanka Police’s new app called ‘eTraffic’. Hattotuwa points out that Sri Lanka Police failed to protect its own social media accounts, after being targets of cyber attacks recently, raising concerns over privacy and data protection. The researcher also pointed out that the Police ‘eTraffic’ app, isn’t available yet on the Google Play Store, contrary to what the logo featured in a notice on social media platform X (previously known as Twitter) by the Sri Lanka Police suggests. “May advise to investigative journalists, human rights defenders, civil society activists, and anyone else invested, and interested in their privacy, is not to install the e-Traffic App,” Hattotuwa stated in a Linkedin post. “The manner of the App's release is particularly revealing. The APK's availability prior to approval by Google's Play Store suggests an interest in getting the app out to the public in ways that are not standard practice, and lead to behaviours that can compromise the integrity of personal devices. Technical issues aside, there's zero evidence the Police have consulted the Data Protection Authority (DPA) or are remotely aware of the PDPA's provisions which kick into gear in a couple of months. This is a major red-flag. The Sri Lankan Police just this week have demonstrated their monumental incompetence in basic cyber security measures to safeguard their own social media accounts. It is a stretch to ask the public to entrust them with sensitive, personal information particularly if the app's harvesting includes persistent location data. Without knowing how information, and media submitted by users will be used, and for what purposes especially over time, it is foolish to implicitly trust the Sri Lankan Police with data or, through the app, a vector to potentially track individuals,” Hattotuwa stated.
While the Police Department is yet to respond to the concerns raised about their own mobile app, the shambles that is cyber security and privacy within the State establishment can no longer be swept under the rug. The Police Department, as a key law enforcement agency with both national security and public order management responsibilities, needs to take this issue more seriously. A question which the Police must now respond to, is if they did a cyber security and privacy audit on their own mobile app before they launched it?
The State has a duty of care towards its citizens, and it's high time that the Government and the State mechanism got their act together on cyber safety and security. They must protect the public, not make them more vulnerable.