INTRODUCTION

E-Governance is a structural reform process that implies a fundamental, customer-oriented re-engineering of the service delivery process of government bodies. In Sri Lanka, the Information Communication Technology Agency (ICTA) proposed initiatives for the E-Governance process after the introduction of the Electronic Transaction Act 2006, which enables E-Governance (e-filing of any form or document with any government body, issue of a licence or permit in electronic form, and the receipt of payment of money or other transactions in electronic form[1]) and e-signatures[2].

Electronic Identity (e-ID) is becoming an increasingly prominent issue in various E-Governance programs and initiatives. An e-ID enables individuals to electronically prove their identity, or an attribute of their identity, to an information system.

The e-NIC program is one of the significant projects in Sri Lanka to follow the universal trend of digital innovation. The launch of this project focused on the interoperability of various E-Governance functionalities to ensure the optimal utilization of ICT infrastructure.

Towards this, Sri Lanka has recently amended the Registration of Persons Act[3] and made regulations to enable the e-NIC. The Department for Registration of Persons has the authority to establish a national persons registry as an E-data system and to issue e-NICs. Under this project a database will be established based on the bio data of persons of 15 years or above, fingerprints as biometrics, and a photograph of citizens[4]. The objectives of the e-NIC project are: to collect personal data of persons as a family unit and establish a national persons registry and a central database; to issue an e-NIC to all citizens; to establish a policy of exchanging legal data in the central data storage; and to provide facilities required for national security and economic development[5].

Benefits for the public and state

An e-identity is an ideal access tool for all kinds of government e-services. The public can quickly and effectively access the government’s services.

Improving security in terms of accountability.

Improving national security.

Increasing administrative efficiency and reducing cost.

Supporting mutual recognition of documents and certificates in cross-border situations.

ICTA plans to link the e-NIC with many government functionalities. Although the e-NIC project supports quick and effective delivery of government services and helps ensure national security, there are many security and privacy issues regarding the e-NIC program due to loopholes in the Sri Lankan legal regime and IT infrastructure.

PRIVACY RISKS AND THE E-NIC PROJECT

Privacy is defined as “the desire of people to choose freely under what circumstances and to what extent they will expose themselves, their attitudes and their behavior to others”[6]. The Sri Lankan Constitution does not recognize the right to privacy as a fundamental right. Moreover, no statute deals with privacy issues except the SL Telecommunication Act, under which the interception of telecommunication transmissions and the disclosure of their contents is an offence[7]. These provisions are not enough to cover modern trends in technology, because new technology always brings privacy risks with it. Furthermore, in Sri Lanka, there are no data protection laws.

Data is an asset of an organization, and privacy is an assurance that an individual requires from an organization. Data privacy therefore refers to an organization’s ability to determine which data may be shared with other persons. The e-NIC contains both demographic and biometric data, so it becomes a risk for the individual as well as the government if the data are insecure.

The e-NIC project is much broader than a mere digitization of the current NIC; it is a wider identity database system granting wide powers to public authorities to collect and record any personal details of people. This information is not only handled by the national registry of persons but is also linked with the databases of the land registry, Inland Revenue, the stock market, the registrar of companies, etc. Public officials can freely and legally access the personal information (employment details, EPF and ETF details, details of bank transactions, credit cards, savings, vehicles, phone numbers, email addresses, share details, etc.) in the central database, which leads to privacy threats and misuse of that information.

It must be noted that, under the SL Computer Crimes Act, unauthorized access by any person to the central information system of the e-NIC[8], use of the stolen information to commit a further offence[9], and unlawful modification of the system[10] are offences. But the Computer Crimes Act fails to criminalize misuse of information by a person who has lawful authority to access it; such misuse is not an offence under the Act. There is a high probability of this kind of misuse (government officers misusing the information stored in the e-NIC system) after the implementation of the e-NIC.

The SL e-NIC program is modelled on Pakistan’s CNIC system, which was designed to fight terrorism; but Pakistan’s CNIC was in fact a failure and created many privacy risks: for example, parliamentarians’ tax details were leaked, and Wikileaks has reported that the US and UK have indirect control over the central database system of Pakistan.

In the Aadhaar case, the Indian Supreme Court held that the right to privacy is a fundamental right of citizens even though the Indian Constitution does not expressly provide this right; the court interpreted Article 21 widely.

Thus, it is obvious that the SL government has initiated the e-NIC project without ensuring the right to privacy of citizens, data protection laws and effective cybercrime laws. If the SL government implements the e-NIC without the above-mentioned protections, citizens will be in a more vulnerable position to face privacy risks.

In what ways can ICT be used for better and open government without violating the right to privacy of citizens?

Privacy concerns are common with many applications of technology, especially those that involve personally identifiable information. In Sri Lanka, objections to the use of the e-NIC cite a potential threat to civil liberties, including increased monitoring and surveillance and a decrease in anonymous free speech. Though there are many privacy issues regarding the e-NIC, those threats can be overcome through an effective and secure architecture for the e-NIC system.

Before implementing the e-NIC project, Sri Lanka has to fulfil the following pre-conditions in order to ensure the privacy of citizens: constitutionally recognize the right to privacy as a fundamental right, enact data protection laws and privacy-enhancing policies, and use privacy-enhancing technologies.

Privacy enhancing policies

Many states follow specific policies to reduce privacy threats, including data minimization, which requires government bodies to limit the amount of data they collect, and data breach notification, which requires bodies to notify individuals if personally identifiable information is compromised.

Germany has a number of policies to protect individual privacy, particularly from abuse by government. Some of these policies limit the technology, namely by prohibiting a centralized database of biometric information or allowing the use of pseudonyms for e-transactions. Moreover, biometric information is allowed to be used only for identification and cannot be used to determine other information, such as race[11].

Some states follow data handling policies that specifically prohibit linking various databases that contain personally identifiable information.

Belgium has a strict privacy framework for personal data. The Belgian Privacy Commission maintains strict control over the use of personal information in both the public and private sector[12] and uses the “ask once” principle for E-governance, which seeks to eliminate requiring individuals to submit information multiple times to government agencies; a single agency becomes the primary source of data[13].

In Austria, each citizen’s EIC contains a unique identifier associated with the individual’s identity in the Central Register of Residents. To eliminate linkage between databases, this number is not used in transactions. Instead, a derivation of this number is created, which helps to protect personal information[14].
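
The derivation idea described above, as an added example that is not part of the original article and is not the Austrian scheme's own algorithm: it assumes a keyed one-way function (HMAC-SHA256) with a key held only by the registry, and every name, key and number in it is constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample values: neither the key nor the register numbers are real.
REGISTRY_KEY = b"constructed-demo-key-held-only-by-the-registry"
BASE_NUMBER = "000123456789"


def sector_id(base_number: str, sector: str, key: bytes = REGISTRY_KEY) -> str:
    """Derive a sector-specific identifier from the central register number.

    HMAC-SHA256 is keyed and one-way: a sector database cannot invert its
    identifier to the base number or compute another sector's identifier.
    """
    # Length-prefix the sector name so field boundaries are unambiguous.
    msg = f"{len(sector)}:{sector}|{base_number}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest[:20]).decode().rstrip("=")


def build_sector_db(sector: str, people: dict) -> dict:
    """What a sector authority stores: derived identifier -> its own record."""
    return {sector_id(base, sector): rec for base, rec in people.items()}


def linkable_records(db_a: dict, db_b: dict) -> set:
    """Keys present in both databases, i.e. what a cross-database join matches."""
    return set(db_a) & set(db_b)


# Constructed population: the same two citizens appear in both sectors.
TAX = {"000123456789": "tax file A", "000987654321": "tax file B"}
HEALTH = {"000123456789": "clinic file A", "000987654321": "clinic file B"}

if __name__ == "__main__":
    tax_db = build_sector_db("tax", TAX)
    health_db = build_sector_db("health", HEALTH)
    # Derived identifiers: no shared key, so the two databases cannot be joined.
    print("join keys with derived ids:", linkable_records(tax_db, health_db))
    # Raw register numbers used directly: every record links across sectors.
    print("join keys with raw numbers:", linkable_records(TAX, HEALTH))
```

Because the key stays with the registry, only the registry can map a person from one sector's identifier to another's, which makes cross-sector linkage a controlled and auditable operation.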

Using privacy enhancing technologies

A variety of technologies can be used to reduce the privacy risk to e-NIC holders, such as encryption, access control, unique identifiers, and verify-only modes for credentials and biometric information[15].

Encryption: this can be used to secure the data stored on an e-ID, data in transit, and data stored by a third party, such as a central database. States can encrypt personal information stored on an e-ID system to protect the data from misuse.

Access control: one way to control the release of information is to require a PIN to be entered to authorize any data transfer from an e-NIC. This can also limit who can access data on an e-NIC.

Verification of credentials and biometrics: one way that e-ID systems can protect user privacy is by providing verification of information to service providers rather than the actual information. A form of verification can also be used for biometric information to reduce the collection and distribution of this sensitive personal data. For example, rather than storing a scanned image of a fingerprint, an e-NIC might save only certain key elements of the fingerprint that allow the system to positively identify an individual[16].
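
PIN-gated access control and a verify-only query, combined in one added example that is not part of the original article or of any e-NIC specification: `DemoCard`, its retry limit of three and the sample PIN and birth date are hypothetical, and the card is modelled as a Python object for illustration.

```python
import hashlib
import hmac
import os
from datetime import date


class DemoCard:
    """Hypothetical e-ID model: data leaves only as PIN-authorized yes/no answers."""

    MAX_TRIES = 3  # assumed retry limit before the card locks

    def __init__(self, pin: str, birth_date: date):
        self._salt = os.urandom(16)
        self._pin_hash = self._hash(pin)   # the PIN itself is never stored
        self._birth_date = birth_date      # never returned to a caller
        self._tries_left = self.MAX_TRIES

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def _authorize(self, pin: str) -> None:
        # Check the lock first, so a locked card rejects even the right PIN.
        if self._tries_left == 0:
            raise PermissionError("card locked")
        if not hmac.compare_digest(self._hash(pin), self._pin_hash):
            self._tries_left -= 1
            raise PermissionError("wrong PIN")
        self._tries_left = self.MAX_TRIES  # a correct PIN resets the counter

    def is_at_least(self, years: int, pin: str, today: date) -> bool:
        """Verify-only query: answers the predicate, discloses no birth date."""
        self._authorize(pin)
        b = self._birth_date
        # Subtract one year if this year's birthday has not yet been reached.
        age = today.year - b.year - ((today.month, today.day) < (b.month, b.day))
        return age >= years


if __name__ == "__main__":
    card = DemoCard("4821", date(2000, 6, 15))  # constructed PIN and birth date
    print(card.is_at_least(18, "4821", date(2018, 6, 14)))  # day before birthday
    print(card.is_at_least(18, "4821", date(2018, 6, 15)))  # on the birthday
```

The service provider learns a single bit per query; the lockout bounds how many PIN guesses someone holding a lost card can make.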

Conclusion

Though converting the existing national identities to electronic form creates potential benefits for the public, the e-NIC project initiated in Sri Lanka is neither safe nor appropriate without ensuring the privacy of citizens, a data protection law and a well-secured IT infrastructure. Before the implementation of the e-NIC project, Sri Lanka has to consider the following matters: creating an e-NIC implementation plan with broad input from all stakeholders, including the private sector; architecting an e-NIC framework that supports both current and emerging technologies; ensuring privacy and data protection through enacting new laws; and ensuring that e-NIC solutions are accessible and available to all citizens.


[1] Sec 8 of Electronic Transaction Act 2006.

[2] Sec 7 of Electronic Transaction Act 2006.

[3] No. 8 of 2016, the Registration of Persons (Amendment) Act.

[4] http://www.drp.gov.lk/Templates/eNIC.english.Department-for-Registration-of-Persons.

[5] Ibid.

[6] A. Westin, Privacy and Freedom, Atheneum, 7.

[7] Sec 53 and 54 of Telecommunication Act 1996.

[8] Sec 3 of SL Computer Crime Act 2007.

[9] Sec 4 of SL Computer Crime Act 2007.

[10] Sec 5 of SL Computer Crime Act 2007.

[11] Whitley and Hosein, Global Challenges for Identity Policies, 33. 

[12] Mariën and Audenhove, “The Belgian e-ID and its complex path to implementation and innovational change,” 32. 

[13] Explaining International IT Application Leadership: EID, 2011, p. 42.

[14] “Citizen Cards – Overview” Buergerkarte.at. n.d., http://www.buergerkarte.at/en/ueberblick/index.html. 

[15] European Network and Information Security Agency, “Privacy Features of European eID Card Specifications.” 

[16] Ibid.