Eng. Rohana Palliyaguruල Former Chief Operating Officer,
Sri Lanka Computer Emergency Readiness Team.
In 2018, “EUROPOL” headquartered in Hague, Netherlands, a key organization established to prevent and combat serious internationally organized crimes, cybercrime and terrorism, had clearly defined the difference between cyber-dependent crimes and cyber-enabled crimes . As defined by them, any crime that can only be committed using computers, computer networks or other forms of information communication technology was named as cyber-dependent crimes and traditional crimes facilitated by the Internet and digital technology were categorized as cyber-enabled crimes. So, there are two categories of cybercrimes and these definitions are internally accepted.
Illicit intrusion and hacking into computer networks, disruption of computer functionality with the spread of viruses or other malware and Distributed Denial of Service (DDoS) attacks which can paralyze service delivery by computers are some examples for cyber-dependent crimes.
“Issues related to content such as defamation, harassment, misinformation, and impersonation occur not only through online means but also through the use of other traditional means (electronic or print media).”
Some Cyber-enabled crimes are child sexual exploitation, fraud/scams, blackmail, extortion etc.
In the Sri Lankan context, Computer Crime Act No. 24 of 2007 has already provided necessary legislative provisions for tackling most of the cyber-dependent crimes.
Issues related to content such as defamation, harassment, misinformation, and impersonation occur not only through online means but also through the use of other traditional means (electronic or print media). Hence, such things fall under cyber-enabled crimes. Sri Lanka has adequate laws to cobat such cyber-enabled traditional crimes. If not, the relevant legislation should be amended accordingly. It is not appropriate to make separate laws for such crimes considering only internet media, and doing so becomes very suspicious.
Hence, the objective of the Online Safety Act itself is problematic.
Also, naming the Act as Online Safety Act is also meaningless because its scope is very narrow. Otherwise it should be drafted in such a way to cover both types of cybercrimes mentioned above. But it is not so. Only provisions related to cyber-enabled crimes are mentioned in this act. These are often content related issues. Since the Act has given priority to regulating social media, I think it is appropriate to change its name to Social Media Regulation Act.
“This Online Security Act will have a huge impact on the freedom of expression of Sri Lankan citizens. The power to determine false/true statements and declare them as prohibited has been given to five people in a population of 21 million.”
While drafting this Act, it appears that no inputs from information technology experts had been obtained as many of the provisions included are not practical. For example, provisions sought to be enforced through global Internet intermediaries are not enforceable because the Sri Lankan market is too small for them to bother about and we do not have the bargaining power necessary to ensure enforcement. This should have been pointed out by IT expert but that does not seem to have happened. If the global service providers decide to exit the Sri Lankan market due to those provisions, it will severely affect the country’s economy as well as social harmony.
This Online Security Act will have a huge impact on the freedom of expression of Sri Lankan citizens. The power to determine false/true statements and declare them as prohibited has been given to five people in a population of 21 million. These five who cannot be considered politically independent will be nominated and appointed by the President with the approval of the Constitutional Council. This will have a major impact on the independence and impartiality of the commission as the President is empowered to nominate politically biased loyalists at will. The power to remove them at any time has also been given to the President. Reasons for doing so has not bee specified in the Act itself. Affected members are only given an opportunity to state their case at a hearing and there is no appeal process.
“Although the Commission has been entrusted with wide powers and duties, there are many practical obstacles to carrying them out. It appears that the provisions have been included without adequate technical study or consultation.”
As disqualification for appointment as a member of the commission, the Act mentions financial or other interest of such a member that may adversely impact the implementation of the commission’s functions. But there is no mention of required political independence of such members. It is essential that such a member cannot have a conflict of interest with Internet service providers, social network service providers, Internet intermediaries, but that is not mentioned here.
Although the Commission has been entrusted with wide powers and duties, there are many practical obstacles to carrying them out. It appears that the provisions have been included without adequate technical study or consultation. These practical problems will arise with implementation and the results will experience in the future.
The extent to which Internet Service Providers (ISPs) and Internet Intermediaries will comply with orders of the commission directly depends on the bargaining power we have as a country. We do not have the bargaining power of India, Japan or China. Our population of about 21 million is not a huge market that wields such influence. Also, global Internet intermediaries that provide various services have already introduced community standards to regulate the contents on their platforms which are currently in operation. Through that, they have also implemented a certain level of regulation in their platforms. It is unlikely that they will agree to carry out directives of a commission in a small country going beyond global community standards they have introduced.
ISPs only provide access to the Internet and are not concerned or responsible for its content or what users browse through the connection. It is therefore ludicrous to issue directives to the ISPs to provide opportunities to affected parties to respond to content deemed prohibited by a commission here. The ISPs have no control over such matters.
Persons making prohibited statements must be specifically identified before being notified to stop making such statements. Who is going to do that ? Also, in order to specifically identify a particular person it is essential to obtain privacy related data from the relevant social media service provider or Internet intermediary. Since every global service provider is obliged to protect the privacy of their users (via privacy policies), it is doubtful that they would override their privacy policies and provide that information to the commission.
“It has been proposed to maintain an online portal containing information to give the public an understanding of the falsity of a certain statement. This is funny because the public can get more information from lot of other independent sources and come to their own conclusions than referring to the information provided via this portal.”
The commission can issue notices to the Internet intermediaries to remove prohibited content from their online platform or block the content to users in Sri Lanka.But as I mentioned above, they will remove or block them only if the content is contrary to their policies. In such a case, the commission can only block the whole platform (eg: facebook) through Internet service providers in Sri Lanka. This is unfair to all users in Sri Lanka and as a result there is a danger that internet intermediaries may also withdraw from providing services to our country.
When internet intermediaries have the ability to automatically check whether some content violates their community standards through complex processes using modern technology such as artificial intelligence (AI algorithms), how far will they accept the recommendations made by the commission to remove prohibited statements? This should be thought of practically.
It has been proposed to maintain an online portal containing information to give the public an understanding of the falsity of a certain statement. This is funny because the public can get more information from lot of other independent sources and come to their own conclusions than referring to the information provided via this portal.
A team with expertise in information technology is required to carry out investigations that may be necessary for the execution of the Commission’s powers and duties. Who is going to do this? Does the Commission have a permanent internal investigation team?
It is not practical to register Global Internet Intermediaries in such a manner as may be specified by the rules made by this Act. We are a bankrupt country without enough market or bargaining power to enforce such provisions. Therefore, this provision should be reconsidered.
In order to specifically identify a person who has made a false statement, it is essential to obtain personally identifiable information (PII) from Internet intermediaries. How practical is this? As I mentioned above, will they provide the information requested by the Commission? Even if that is granted, how can the legal action be taken if the person is outside Sri Lanka? Will ISPs in overseas provide relevant data to the Commission for investigations?
Also, a fact that is true at one moment may be false at another. Even if a provocation or riot occurred on the basis of a truthful statement, it is also possible that the commission later defines it as a false statement because of the riots.
Disruption of a religious assembly by a true statement may later become a false statement because of the fact that the incident did not occur. For example, the Easter bomb attack may not happen because of a statement spread predicting it can happen on that day and disturbs religious gatherings. But since the bomb blast did not happen, later the above statement can be interpreted as a false statement justifying that it was made purposely to disturb the said religious meetings.
Outrage of religious feelings is a very sensitive matter and there should be a balance of freedom of expression and its limitations. One’s beliefs regarding a religion may be contrary to another’s and how should the right to express it be? For example, is it an insult to a religion and a false statement to declare that there is no one called God?
Cheating doesn’t just happen online. Other traditional methods are also widely used for that. Therefore, it is more appropriate to introduce a law that is common to all or to update an existing law rather than make legal provisions limited to online media.
Impersonating doesn’t just happen online either. This fraud can also be done by using fake documents. Therefore, the existing laws should have been updated to cover online methods as well.
The provisions of this Act regarding child abuse should have been made by updating other existing Acts such as the Child Protection Act, and not by highlighting them as an offenses due to the medium of the Internet. Online techniques are just one plaform through which child abuse occurs.
Although it is possible to obtain an order requiring disclosure of information relating tho those making statements using a fake online account or bot, as I have mentioned several times above, it is doubtful to what extent Internet intermediary service providers will cooperate due to their existing privacy policies. If there was an international law in this regard, this may have been easy. But we know from past experience that obtaining privacy related information through cyber security conventions is not practical.
This Act exempts ISPs from liability in case something is uploaded or interfered with by a third party. It is not necessary to say this because it is not their responsibility. As stated earlier, if those who drafted the Bill had recognized the role of Internet service providers, such a provision would not have been provided.
Global Internet Intermediary Service Providers will not take action on content unless it violates existing community standards. It is also unlikely that they will appear in our courts to resolve content related issues.
I feel that it is required to re-think whether those global Internet intermediaries agree to the various conditions stipulated in Section 29 of the Act. Internet intermediary service providers are well aware that fake online accounts and organized counterfeiting occur through their platforms. But, they have not taken drastic measures to ban them completely, often to protect freedom of expression and individual identity. They also do not hesitate to cancel such accounts if they violate their community standards. It is unlikely that they will implement the Commission’s directives to ban fake accounts.
Finally, it must be mentioned that this is not an Act introduced with the broad objective of creating security online, but one aimed at controlling content on the Internet. In the future, we can experience the impact of this on the freedom of expression of the people as well as the economy and social activism.
Courtesy of The Island