Sri Lanka to Use India-Developed Digital Identity Framework
Some Cybersecurity Experts Voice Concern Over Data Protection
The Sri Lankan government has prioritized implementation of the Unitary Digital Identity Framework, or UDIF, a national biometrics-based digital identity project. But cybersecurity experts familiar with India's Aadhaar program, whose framework Sri Lanka is set to use, have voiced concerns over the lack of data protection laws, including data localization regulations, and the risk of cyberattacks.
After a meeting between Sri Lankan President Gotabaya Rajapaksa and Indian Prime Minister Narendra Modi in December 2019, India offered the island nation a grant of undisclosed value to implement the digital identity framework, according to a report published on the Sri Lankan government news portal.
It is not known if India will provide technological support for the project.
Sri Lanka has been eager to adopt a large-scale digital initiative such as Aadhaar since 2017, according to a report in The Hindu newspaper citing Harin Fernando, a member of the Sri Lanka Parliament who was then the country's minister of telecommunication and digital infrastructure. Fernando also said that the country could save $2 million a day by digitizing related unspecified operations.
Global Suitors for Aadhaar
The Aadhaar framework is based on the India Stack, a set of open APIs and digital initiatives to drive identity, data and payments at scale for large populations. Issued by the Unique Identification Authority of India, or UIDAI, Aadhaar reportedly has the world's largest biometric database, with more than 1.3 billion enrollments as of Oct. 30, 2021, comprising 99.7% of India's adult population, according to the UIDAI website.
The scale of its implementation has garnered wide interest in the India Stack, and several countries, including Russia, Morocco, Algeria and Tunisia, have expressed interest in adopting the model, according to a Mint report that cites former Indian Minister of External Affairs M.J. Akbar. The framework has also been a talking point for countries such as Portugal and the U.S.
In fact, last week, Sébastien Soriano, chairman of Arcep, the French regulatory authority for telecommunications, said in a tweet: "India Stack is an impressive initiative and if everything is not transposable (biometrics, etc.), France would benefit from drawing inspiration from it - building public digital infrastructures."
While its popularity is undisputed, Aadhaar's reputation has been dubious at best, and several data breach incidents are on its record.
Prasad Perera, general manager and chief digital officer at Sri Lankan e-commerce firm Wishque, who tweets as BuduMalli, said recently on Twitter: "Hope our Sri Lanka citizens database is in safe hands. I remember what happened to Aadhaar, India's national ID database a few years ago."
Perera is referring to a 2018 data breach incident that compromised personal information of 1.1 billion Indian citizens. The World Economic Forum in its 2019 Global Risks Report called it the largest data breach event in the world.
News platform Moneylife reported that following the leak, cybercriminals sold access to the database for as little as 500 rupees (about $6).
Targeted Cyberattacks a Risk
Sri Lanka currently does not have a data protection law that regulates how entities collect and store citizens' data, Asela Waidyalankara, independent cybersecurity adviser and former executive committee member of Sri Lanka's Cyber Security Center of Excellence, tells Information Security Media Group. This is especially concerning since the country intends to import the digital identity framework from India, which also has not yet established data protection laws.
The absence of data regulations also brings up the "nagging question" of how data will be customized and localized, says Waidyalankara. Thus, the "lift and shift" approach of importing the Aadhaar framework and implementing it into the UDIF will not work, he adds.
Also, the database may be targeted by anti-government entities, including the Liberation Tigers of Tamil Eelam, he says. In May 2009, the group hacked the Sri Lankan Army's website, according to news reports. Separately, in Feb. 2021, hacktivists reportedly defaced several Sri Lankan websites by infecting their DNS records.
Implementation of the framework is not cheap. According to the UIDAI website, the identification authority's expenditure amounts to 138 billion rupees ($1.84 billion) between the project's rollout in 2009 and 2021-22.
In Sri Lanka, identity data of citizens is fragmented and siloed, Waidyalankara says. For instance, births and marriages are registered by separate civic bodies, under separate legal provisions, he says. Passport offices are governed by one regulation, while land deeds conform to an entirely different set of regulations, he adds.
"There is no concentrated traceability of citizen information and data. And this has always been a challenge in terms of digitizing any government service in Sri Lanka."
Waidyalankara says historic storage of past records in physical or analog forms is yet another challenge to the implementation. "Reconciling all this data, digitizing it and capturing people's biometrics is something the government needs to figure out," he says.