Digital Rights Foundation’s Sri Lanka Chapter

Fragments, not architecture: how a Digital Rights Foundation report’s Sri Lanka chapter misreads a pervasive surveillance state

by Sanjana Hattotuwa, on his website, June 20, 2026

A critical reading of the Sri Lanka chapter by Prihesh Ratnayake and Omar Rajarathnam, from Factum, published in the Digital Rights Foundation’s report ‘Unveiling Cyber-Surveillance Technologies in South Asia’. The chapter names some of the right objects, but features them as episodes in a chronology rather than robustly reading them as parts of a single, evolving system – and, by extension, captures very little of how Sri Lanka actually cements post-war militarisation, censoriously surveils citizens, constrains memorialisation, and contains dissent.

Surveillance in Sri Lanka isn’t a single dramatic event, act or investment, and must be understood as a toxic patina of braided investments, architectures, technologies, and executive decisions that have built up over decades to target, amongst others, Tamils, minorities, critical dissent, journalists, activists, and inconvenient truths. It has accumulated through administrative habit, as wartime intelligence normalised the watching of Tamil communities (and their memorialisation of the dead or abducted), journalists, lawyers, families of the disappeared, and human rights defenders, after which telecom access opened routes into calls, metadata, subscriber records, and network traffic. Cybercrime and counter-terror law then widened the vocabulary through which ordinary speech, dissent, documentation, and association could be drawn into security scrutiny, and pandemic contact-tracing added a public-health layer in which military intelligence reached into the phone records of patients. Digital identity, biometric databases, family-tree data, police facial recognition, and service-delivery apps have since carried surveillance risk out of the exceptional and into the everyday.

A chapter that gestures at this sequence without ever building the system from it reduces a structural problem to a loose set of policy worries. To wit, Ratnayake and Rajarathnam rattle off all the right names – the Hacking Team, Pegasus allegations, Chinese infrastructure, Israeli procurement interest, digital identity, the Online Safety Act (OSA), the militarised North-East – but set them down as discrete points along a timeline and ask almost nothing of what holds them together. They do not pursue the institutions that connect these objects, the laws that authorise them, the vendors that supply them, the communities that pay for them, or the oversight bodies that fail to constrain them. What results is an inventory of parts, offered in place of any account of the expansive, invasive, and pervasive surveillance machinery they compose.

A flawed methodology

The chapter describes a year-long process resting on secondary sources and semi-structured interviews. However, the near-total absence of subject-domain research and of established Sri Lankan sources leads to significant gaps in analysis. A more serious research and evidence-based grounding would have drawn together wartime intelligence, telecom access, cybercrime law, public-health tracing, digital identity, financial-crime powers, anti-corruption procedure, platform monitoring, civil society banking restrictions, and foreign supply chains into a pervasive architecture that has grown and hardened across two decades. However, Ratnayake and Rajarathnam gather fragments of that architecture and then decline to draw the lines between them. That refusal, more than any single omission, explains why the chapter captures so little of the country it sets out to describe.

The appendix, and a quiet reward for opacity

The report’s ranking of Sri Lanka by comparing it to other South Asian countries borders on the spread of misinformation, given how far removed it is from ground, policing, and policy realities. The problem begins with method rather than politics, since the appendix asks country experts (who aren’t named) to answer yes/no questions and to assign scores from one to ten, then converts those impressions into a comparative safety hierarchy – without requiring respondents to cite evidence for any score, without explaining how procurement opacity was weighed against legal safeguards or legal safeguards against lived harm, and without showing how unequal exposure by ethnicity, language, platform, media, religion, gender, identity, geography, profession, or political activity entered the calculation at all. It does not separate confirmed deployment from procurement interest, statutory capacity from operational practice, or the absence of public proof from the absence of harm. In a country where surveillance routinely shelters behind national security, emergency governance, telecom compliance, telco complicity, and administrative discretion, that final distinction is not a technicality but the very thing the index needed to measure.

The effect is to reward silence; where Sri Lanka produces fewer public procurement records, fewer forensic spyware confirmations, fewer court cases, and fewer formal acknowledgements of surveillance, the index is liable to read that quiet as relative safety, which is precisely where its logic fails. Public invisibility can as easily reflect weaker investigative capacity among journalists and civil society, stronger secrecy claims by the state, poorer transparency from telecommunications companies, fear among victims, or the simple absence of an independent technical audit. The appendix appears to correct for none of this, and so it places Sri Lanka (and, ironically, pleases government) at the comparatively safest end of the regional scale even as the country chapter itself records wartime intelligence, post-war surveillance of the North and East, an attempt to procure Hacking Team’s Remote Control System, Pegasus allegations, Israeli procurement interest, Chinese infrastructure dependence, airport facial recognition, and biometric identity concerns – leave aside everything else the chapter has omitted, flagged below.

A “safest” label resting on a very limited, myopic evidence base describes not restraint but the laundering of a dangerous misreading – that the problem looks milder because the machinery so often works without noise.

What the DRF ranking ignores: Freedom House, 2020 and 2024

Freedom House’s 2020 country report makes the ranking of Sri Lanka in the DRF report’s appendix much harder to defend: it records that, amid the pandemic, military intelligence retrieved the personal data and phone contacts of Covid-19 patients from mobile service providers – a finding that should weigh heavily in any rights-impact assessment, since it fuses health data, telecom records, emergency governance, and security agencies in a single act of watching. The same report tracks the consolidation of the Telecommunications Regulatory Commission (TRC) and allied bodies under the Ministry of Defence in December 2019, with a retired senior military officer installed as chairman. To this the local record adds a proposed Centralised and Integrated Population Information System tied to terrorism and financial-crime suspicion, an integrated police database and facial-recognition system involving Sri Lanka Telecom, e-NIC plans built on biometrics and family-tree data, transparency concerns around the Rakemu Api welfare platform, a reported request for surveillance technology from an unnamed Israeli company, Hacking Team approaches to Sri Lankan security actors, and unresolved questions about ZTE and Huawei infrastructure.

The Colombo Gazette had reported, in May 2019, that President Maithripala Sirisena’s three-day visit to Beijing, where he met Xi Jinping and Premier Li Keqiang, clinched over five billion rupees in Chinese “military support” supplied as software and surveillance equipment, one hundred million rupees of it a grant, even as Colombo turned to China for mass online surveillance meant to blanket the entire nation and a third social-media blackout in a single month followed the Easter Sunday bombings amid warnings of a China-styled Great Firewall. Taken together, these read less as isolated rumours than as the outline of an institutional pattern.

Lawyer and activist Harindrini Corea’s account for EngageMedia, written within the Pandemic of Control series, documents a militarised pandemic response in which military-intelligence officers obtained the cell-phone numbers of patients from service providers to trace contacts and those who had “evaded” quarantine – this despite the prohibition on extrajudicial interception under the Telecommunications Act of 1996 – and she sets that surveillance inside a wider campaign of state-sponsored disinformation against Muslims, from the chief epidemiologist’s false claim that burial could contaminate groundwater, to the forced-cremation mandate that violated both Islamic practice and the World Health Organisation’s own guidance, to the amplification of that narrative through private broadcasters. She records, too, the arrest of Ramzy Razeek under the ICCPR Act and the Computer Crimes Act for a Facebook post calling for an “ideological jihad” of pen and keyboard against the cremation policy, and his detention for some five months. What 2020 shows is that surveillance, disinformation, and minority persecution were never three separate stories but one.

Four years later, Freedom House’s 2024 report adds to these concerns: it notes civil society fears that the Online Safety Act could enable law-enforcement surveillance of online activity, and records the Act’s power to compel intermediaries to disclose the identity and location of users; it tracks allegations of CID monitoring of WhatsApp calls and of possible Pegasus or other spyware capability, while recording denials where they belong; and it documents the reported Sri Lanka presence of S2T and the possibility of Sri Lankan clients, with services said to include tracking, penetration of closed social-media groups, remote activation of phone cameras, and covert recording. It also records CID and TID monitoring of online content, religious speech included, and the interception pathway under the Telecommunications Act by ministerial or court order or in connection with a criminal investigation. A methodologically serious index would have asked how these layers interact; this one compresses them into a single, soothing safety score.

Research, and writing ignored

The chapter’s use of my own research, and writing is oddly selective, and bizarrely limited – it cites my 2015 Groundviews investigation into Hacking Team and my 2012 piece on Chinese telecoms, yet misses the longer arc those pieces sit inside, which begins well before commercial spyware. Public articles on the ban on consequential TamilNet in 2007 (the first of its kind in the country), “Internet censorship in Sri Lanka” in 2009, and “Examples of on-going web censorship in Sri Lanka” in 2010 together describe a state learning to treat network control, ISP compliance, Tamil media visibility, and public access to information as governable security questions. This writing documents the prehistory of digital repression – blocking, filtering, selective inaccessibility, telecom opacity, and the slow normalisation of emergency logic around speech.

A chapter dealing with cybersurveillance that starts its clock at Hacking Team in 2014 has already, and completely, missed the architecture being assembled around it.

My writing also tracked how surveillance entered civic life long before it enters a procurement record. “Communications tapping, taping and paranoia in Sri Lanka” caught the atmosphere of phone-tapping and suspicion after the war, and “Growing online challenges for activists in Sri Lanka” in 2013 carried the analysis into social graphs, family accounts, location disclosure, weak privacy settings, blackmail, and network exposure. I flagged how, in post-war Sri Lanka, civil society rarely encounters surveillance as a discrete legal event, and far more often as informal, deniable pressure exerted through everyday institutions – banks, employers, the police – whose cumulative effect is to normalise self-censorship long before any law is invoked. “Icebergs of intelligence” highlighted how the State Intelligence Service (SIS) had opened a file on me during the Commonwealth Heads of Government Meeting (CHOGM) in 2013, which had significant implications years later. Beyond my own case, I noted the structural consequences linked to the durability of suspicion, and the quiet violence of a dossier an ordinary citizen can neither read nor correct nor close.

The larger research failure lies in everything the chapter leaves out about administration as surveillance: “Big data can make South Asian cities more authoritarian”, “Dignity and digital identities”, the 2025 e-NIC essays, the analysis of digital public infrastructure (DPI), the critique of World Bank financing, and the reading of the 2026 budget’s digitalisation agenda all converge on a point the chapter never reaches, namely that Sri Lanka’s surveillance risk now travels through development, welfare, identity, cloud infrastructure, service delivery, and budgetary modernisation. The danger lies not in digitisation as such but in biometric identity, API-driven data exchange, credential lockers, GovCloud, police apps, QR-code rationing, and welfare databases moving faster than legal authority, trilingual consultation, independent audit, data minimisation, and remedy. My writing on the OSA and encrypted apps (like WhatsApp or Signal) traces the convergence of platform governance, intermediary pressure, and investigative access – the state’s growing ability to identify speakers, lean on platforms, expose online locations, and recast memorialisation, religious expression, or minority speech as security risk. The Police eTraffic app and the 2026 fuel-pass writing (which no one else in the country has captured) show the same logic operating from below: a person need not be targeted by the likes of Pegasus to be drawn into a surveillance system because routine points of contact with the state – fuel rationing, a police complaint, a health declaration, a welfare database, a digital credential – now perform that enrolment on their own. Once the state links identity, location, transaction, device, and service access, covert infection becomes unnecessary, because the surveillance already sits inside routine governance – surveillance by default, if not by design.

The significant legal omissions

The chapter mentions the Anti-Corruption Act, though only as an entry in a narrow table and without any meaningful analysis. It does not mention the Proceeds of Crime Act at all. Both are major oversights.

The Anti-Corruption Act, No. 9 of 2023 gives the Commission to Investigate Allegations of Bribery or Corruption reach into bank, financial, telecom, digital-service, and institutional records; it permits covert monitoring and recording of communications, allows applications to unlock or decrypt services and equipment, and shields its processes through in-camera proceedings and precedence over conflicting law. The Proceeds of Crime Act (PoCA) goes further still, recognising special investigation techniques, the interception of private communications, digital surveillance within private premises, access to traffic data and to telephone and mobile call records, and forensic extraction from computers and phones. Powers of this kind matter because they let the state map association, movement, communication, assets, and networks through ordinary legal procedure rather than through the drama of covert intrusion.

A chapter that compresses one of these Acts into a single table cell and leaves the other out entirely cannot claim to have weighed the law seriously; what makes a country safe is not whether such statutes exist, but what they permit, who controls them, and which communities (i.e., Tamils, Muslims, LGBTIQA+, dissidents) feel their sharpest edge.

Cyber-(in)security laws, drafted in the dark

Nowhere is the chapter’s episodic instinct more evident than in its handling of the two bills the Cabinet approved in 2021, the “Defence Cyber Command” Bill, and the general “Cybersecurity Bill”, which it records as a discrete administrative event. On page 160 of the DRF report, the same paragraph dealing with these draft laws is printed twice over, without any substantive review of the proposed laws. In the years of opacity that have followed, the draft Cyber Security Act has advanced through successive governments while the public has been shown nothing at all of what it would actually permit. The bill’s last/latest public form, released in July 2023, establishes a Cyber Security Regulatory Authority whose chairperson and members serve at the Executive President’s pleasure, folds the country’s Computer Emergency Readiness Team into that presidentially controlled body, and – in its objects clause – binds the Authority to coordinate with a Defence Cyber Command established under separate legislation that has never once been published for public scrutiny: a military cyber command whose enabling Act the very citizens it will watch over are not permitted to read. Section 28(4) allows warrantless searches on the Authority’s own self-certified opinion of urgency, with judicial confirmation sought only after the fact; Section 20 lets it designate almost any computer system as critical national infrastructure with no right of appeal, and no carve-out for newsrooms, civil society, law firms, or opposition offices; and Section 4(1)(l) opens a statutory pathway into subscribers’ own devices through their internet service providers. This is the architecture of surveillance by default, if not by design, and a chapter that reproduces the 2021 Cabinet note while saying nothing of the 2023 draft’s substance, or of the secrecy in which its progress has been deliberately wrapped, has mistaken a press release for the legislation.

The same opacity now shrouds the fate of the Online Safety Act (OSA). Having promised to repeal or substantially revise a statute condemned across the political spectrum, including by many who voted for it, and having invited public submissions early this year, the current government (which before coming to power promised to repeal the OSA) has since retreated into a familiar silence in which the submissions go unpublished, the timetable undisclosed, and the substance of any amendment a matter of speculation rather than record. That a law so widely disowned should prove so difficult to undo invites the uncomfortable inference that an instrument drafted to chill dissent and police speech serves purposes far too convenient to whoever holds power to be surrendered, whatever the public position on reform; stonewalling, on this reading, is not a failure of the process but the point of it.

The vendor market the chapter never mapped

The foreign-technology section needs far more discipline, because the risk does not sit inside a single procurement story but a broader market of cybersurveillance products, platforms, apps, tools, technologies, and services successive governments have been interested in. The chapter names China, Israel, India, Hacking Team, Pegasus, Huawei, ZTE, airport facial recognition, body cameras, and the Indian MOSIP-linked identity infrastructure, but then stops, never mapping the wider ecology that supplies filtering, lawful interception, biometric matching, video analytics, public-space monitoring, telecom probes, social-media intelligence, malware delivery, and digital identity. The omission matters because, as I have repeatedly written about, and mentioned to civil society actors in Sri Lanka, a government need not buy Pegasus to build a surveillance state. It can assemble capacity from network appliances (which the chapter does, to its credit, note), telecom probes, police databases, facial-recognition engines, traffic cameras, lawful-intercept systems, cloud architecture, data exchanges, phishing tools, and financial or identity records. The machinery may look fragmented, but in practice (and, arguably, by design) the fragments join.

Surveillance Watch’s country listings sharpen the concern, placing Sri Lanka inside the claimed footprint of Blue Coat Systems, Neurotechnology, NtechLab, Protei, S2T Unlocking Cyberspace, Thales Group, VCA Technology, and ZTE. A listing does not prove that Sri Lankan authorities procured, deployed, or operated any of these tools, since it establishes a market-risk lead rather than a deployment finding; but that evidentiary gap is, in good part, manufactured, because procurement details, use cases, distribution, and servicing are routinely shut out from public and parliamentary oversight under overbroad national-security frameworks – a permissive secrecy in which surveillance technologies are left to grow with impunity.

Blue Coat sits in the network-control layer, its proxies and deep-packet-inspection appliances capable of filtering, classification, and censorship, identified by Citizen Lab across multiple countries in 2013 and tied to regime surveillance in Syria. Neurotechnology occupies the biometric layer, with facial, fingerprint, iris, and voice matching at scale through products such as MegaMatcher and VeriLook, while NtechLab holds the mass facial-recognition layer behind FindFace and carries European Union sanctions imposed in July 2023 over its role in human-rights violations in Russia. Protei works the telecom-interception layer as an AI-powered SORM provider, with location, traffic, and web-blocking capability alongside “Smart City” offerings, and S2T inhabits the hybrid layer where open-source intelligence blurs into automated phishing, advertising-database tracking, fake accounts for influence operations, facial recognition, and location tracking; it has reportedly held offices including in Sri Lanka, and Forbidden Stories identified possible customers in the country. Thales spans the integrated defence, border, identity, and public-space layer, where surveillance arrives wearing the respectable language of efficiency and modernisation; VCA Technology turns passive CCTV into searchable surveillance through facial and licence-plate recognition and frame-by-frame search; and ZTE sits beside Huawei in the telecom-infrastructure layer, with network cameras and state-scale monitoring, and a Reuters record of supplying Iran with systems able to monitor landline, mobile, and internet communications.

Of these eight, the Chinese strand already sits on the procurement side of the listing-versus-deployment line: the Colombo Gazette’s May 2019 report of over 5 billion rupees in Chinese “military support” (a staggering amount at the time), supplied as software and surveillance equipment, is the rare, documented deal against which a listing like ZTE’s can be tested rather than merely noted. Taken together, these amount not to a scatter of anecdotes but to a map of capability that a rigorous chapter would have tested against procurement records, export data, tender documents, telecom audits, airport systems, policing contracts, and interviews with affected communities.

The carrier the chapter mistakes for a conduit

The chapter treats the telecommunications operators as neutral conduits, the passive carriers of other people’s surveillance, when the more uncomfortable history is that the largest of them have already served as instruments of the security state. In 2006, as the ceasefire unravelled, Dialog shut its networks across the peninsula for two months at the military’s insistence, leaving some 220,000 families unable to reach their relatives, and another 200,000 uncertain their phones would work when they most needed them. No court ordered it, no published instrument authorised it, and no due process attended it. A single request from the MoD, and likely without even a paper trail, was sufficient to sever an entire region from communication. Once a carrier can be made to go dark on command, the distance to making it watch, intercept, track, and listen on command is short. It is precisely this capacity – with Sri Lanka’s leading telcos as the eyes and ears of the intelligence services – that the chapter’s faith in carriers as mere infrastructure doesn’t accommodate.

To wit, that the operator is no longer merely a conduit is something Dialog now advertises in its own promotional materials, where its enterprise arm markets Dialog Video Surveillance, an analytics-driven “video surveillance as a service” (VSaaS) platform that bundles facial recognition and detection, automatic number-plate recognition, object detection, intrusion detection, activity heat maps, people counting, and a feature it names, without apparent irony, the acceleration of investigations – the very conversion of passive cameras into searchable, attributable surveillance that the chapter notes only in passing of a foreign vendor like VCA Technology, sold here instead as a domestic subscription, retaining footage in centralised cloud storage the customer is told cannot be destroyed. The platform is built to ingest any third-party ONVIF-compliant camera, which in a price-sensitive market means, overwhelmingly, the inexpensive hardware of Hangzhou Hikvision and Dahua Technology – the same manufacturers the United States barred from federal use in 2019, and from all sales by 2022, that the United Kingdom stripped from its sensitive sites, and that India, having found roughly nine in ten of its two million cameras to be Chinese, moved to ban outright from April 2026.

The objection is not nationalist but structural: China’s 2017 National Intelligence Law obliges every Chinese company to assist the state’s intelligence work, and to do so beyond China’s borders, while Hikvision’s controlling shareholder is a state-owned defence conglomerate described in official documents as a primary technology supplier to the People’s Liberation Army, so that a feed gathered by such a camera, however benign its ostensible purpose, sits one legal demand away from a foreign security service.

Sri Lanka has undertaken none of the audits, certification regimes, or procurement bans those other states judged necessary, and a chapter purporting to map the country’s surveillance landscape that fails to notice its premier connectivity provider selling face-recognising, plate-reading surveillance built atop precisely this hardware has left its most consequential finding unwritten.

The ethnic asymmetry absent in the chapter

The authors Prihesh Ratnayake and Omar Rajarathnam mention Tamils and Muslims without treating unequal exposure as the central analytical problem, which is where it belongs, since Sri Lanka’s security state has never distributed suspicion evenly and surveillance lands hardest on those who challenge the state’s account of itself. One of the chapter’s authors, Omar Rajarathnam, went further still: on a Digital Rights Foundation webinar held in June before the report’s official launch, he stated that there was no evidence of the online surveillance of Tamils in the north. I contested this on the call to no avail, and it simply does not survive contact with established facts.

Reporters Without Borders records that, in July 2021, the Batticaloa journalist Selvakumar Nilanthan – secretary of the Batticaloa Tamil Journalists Association – was held for a three-hour police interrogation and made to surrender direct access to his WhatsApp, Facebook, email, and personal bank records, which investigators combed for supposed links to the defunct LTTE and for his reporting on local-government corruption and state-backed land encroachments; in August 2025, as Front Line Defenders records, the Counter Terrorism Investigation Department summoned the photojournalist Kanapathipillai Kumanan, president of the Mullaitivu Press Club, on a notice that withheld its reason in writing while officers told him by phone that the inquiry turned on his digital communications and social-media posts – the very posts documenting 41 days of excavation at the Chemmani mass grave; and REDRESS and the International Truth and Justice Project record the investigative failure around the murder of the BBC’s Nimalarajan Mylvaganam, with prosecutors and police refusing to examine or enter into evidence the death threats and call logs he received before he was killed, even as they audited his personal bank accounts – call data worked hard when the Tamil journalist is the suspect and ignored when he is the victim. The Adayaalam Centre for Policy Research describes a persisting culture of surveillance and intimidation across the North-East as a phantom that is, in its words, entirely real.

Harms of this kind rarely generate a spectacular case file, yet they corrode freedom all the same – through CTID summonses and forced account access for Tamil journalists, securitised pandemic governance and counter-terror suspicion for Muslim communities, and the constant knowledge that an ordinary digital trace, social media post, online metadata or telco-held record may later become evidence (or worse, a reason for a suspect to be taken into custody under the draconian Prevention of Terrorism Act, and risk physical abuse or torture).

Surveillance through finance: the FATF layer

The chapter misses, entirely, the surveillance that now runs through money, registration, and suspicion. The civil society explainer produced by the Sri Lanka CSO FATF Network and the Neelan Thiruchelvam Trust – work that builds on Ambika Satkunanathan’s sustained scrutiny of how counter-terror financing rules are turned against civil society – documents Sri Lanka’s 2026 mutual-evaluation process, including a site visit scheduled from 26 October to 6 November 2026, and shows how anti-money-laundering and counter-terror-financing compliance now enables the watching of civil society itself. It records intelligence monitoring of human-rights and relief organisations, Ministry of Defence clearance for NGO registration, Financial Intelligence Unit reporting without reasonable suspicion, TID summonses, plainclothes visits, and bank-driven financial exclusion, and its survey of one hundred organisations finds that 69% faced difficulties accessing foreign funding, 50% struggled to open bank accounts, 57% faced frequent banking problems, and 21% postponed activities outright.

This is surveillance conducted through finance, registration, suspicion, and administrative dependency, and though it resembles nothing in the Pegasus literature it may prove far more consequential for many organisations – a bank that delays funds, an officer who asks for donor details, a ministry that demands clearance, an agency that treats human-rights work as risk. None of this quieter machinery is visible from inside the chapter’s spyware-heavy frame and its near-total focus on laws like the OSA.

What a more grounded chapter would look like

A constructive revision is not hard to specify, and it would rebuild the chapter around architecture, chronology, and asymmetry rather than around a handful of named entities and the familiar spyware references, naming evidentiary gaps, and weighting minority exposure as a central factor rather than an afterthought. It would treat public administration as a surveillance surface, integrate the FATF and financial-surveillance layer, and read the Anti-Corruption Act and the Proceeds of Crime Act for the powers they actually confer. It would look at the proposed Cybersecurity and PSTA laws as measures that potentially significantly worsen surveillance in the country, asymmetrically impacting those already at risk. It would state plainly that Surveillance Watch listings prove neither procurement nor deployment, then use them to press sharper questions about which ministries, telcos, police units, airports, regulators, financial-crime bodies, and intelligence agencies have bought or tested comparable systems, and through which third countries and public-private partnerships those systems arrived. Above all it would place Tamil and Muslim exposure at the centre and ask, of every database and every watchlist, who appears in it, who controls it, who audits its errors, who can challenge a match, and who bears the first and worst consequences when the system fails.

Select bibliography

Adayaalam Centre for Policy Research. “A phantom that is real: Persisting culture of surveillance and intimidation in the North-East.” 2025. https://adayaalam.org/wp-content/uploads/2025/05/A-Phantom-that-is-Real_-Persisting-Culture-or-Surveilance-and-Intimidation-in-the-NorthEast.pdf

ARTICLE 19. “The Johannesburg principles on national security, freedom of expression and access to information.” 1995. https://www.article19.org/wp-content/uploads/2018/02/joburg-principles.pdf

Citizen Lab. “Hide and seek: Tracking NSO Group’s Pegasus spyware to operations in 45 countries.” 2018. https://citizenlab.ca/research/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/

Citizen Lab. “Planet Blue Coat redux.” 2013. https://citizenlab.ca/2013/07/planet-blue-coat-redux/

Colombo Gazette. “Chinese intelligence agencies operating in Sri Lanka.” 19 May 2019. https://colombogazette.com/2019/05/19/chinese-intelligence-agencies-operating-in-sri-lanka/

Colombo Telegraph. “Sri Lankan Govt to spend 6.9 billion rupees for interception equipment.” 21 March 2019. https://www.colombotelegraph.com/index.php/sri-lankan-govt-to-spend-6-9-billion-rupees-for-interception-equipment/

Daily FT. “SLT launches 100G ultra-speed national backbone network.” 4 November 2014. https://www.ft.lk/article/365927/SLT-launches-100G-ultra-speed-national-backbone-network

Dialog Enterprise. Dialog Video Surveillance (DVS): Video surveillance as a service. Product brochure, Dialog Axiata PLC. Undated.

Digital Rights Foundation. Unveiling cyber-surveillance technologies in South Asia. 2026.

EngageMedia (Harindrini Corea). “In Sri Lanka, state-sponsored disinformation and suppression of dissent taint COVID-19 response.” 22 April 2022. https://engagemedia.org/2022/pandemic-control-sri-lanka/

Forbidden Stories. “The Pegasus project: Global democracy under cyber attack.” 18 July 2021. https://forbiddenstories.org/about-the-pegasus-project/

Freedom House. “Freedom on the Net 2014: Sri Lanka.” 2014. https://www.refworld.org/reference/annualreport/freehou/2014/en/102727

Freedom House. “Freedom on the Net 2019: Sri Lanka.” 2019. https://freedomhouse.org/country/sri-lanka/freedom-net/2019

Freedom House. “Freedom on the Net 2020: Sri Lanka.” 2020. https://freedomhouse.org/country/sri-lanka/freedom-net/2020

Freedom House. “Freedom on the Net 2024: Sri Lanka.” 2025. https://freedomhouse.org/country/sri-lanka/freedom-net/2024

Freedom Online Coalition. “Guiding principles on government use of surveillance technologies.” 2023. https://freedomonlinecoalition.com/guiding-principles-on-government-use-of-surveillance-technologies/

Freedom Online Coalition. “Rights-respecting digital public infrastructure principles.” 2025. https://freedomonlinecoalition.com/rights-respecting-dpi-principles/

Front Line Defenders and partner organisations. “Sri Lanka: Counter-terror police must cease harassment of Tamil photojournalist Kanapathipillai Kumanan.” 15 August 2025. https://www.frontlinedefenders.org/es/statement-report/sri-lanka-counter-terror-police-must-cease-harassment-tamil-photojournalist

Global Network Initiative. “The GNI principles.” https://globalnetworkinitiative.org/gni-principles/

Hattotuwa, Sanjana. “Are Chinese telecoms acting as the ears for the Sri Lankan government?” Groundviews, 16 February 2012. https://groundviews.org/2012/02/16/are-chinese-telecoms-acting-as-the-ears-for-the-sri-lankan-government/

Hattotuwa, Sanjana. “Hacking the hackers: Surveillance in Sri Lanka revealed.” Groundviews, 15 July 2015. https://groundviews.org/2015/07/15/hacking-the-hackers-surveillance-in-sri-lanka-revealed/

Hattotuwa, Sanjana. “The ban on Tamilnet in Sri Lanka.” ICT for Peacebuilding, 20 June 2007. https://ict4peace.wordpress.com/2007/06/20/the-ban-on-tamilnet-in-sri-lanka/

Hattotuwa, Sanjana. “Internet censorship in Sri Lanka.” ICT for Peacebuilding, 18 June 2009. https://ict4peace.wordpress.com/2009/06/18/internet-censorship-in-sri-lanka/

Hattotuwa, Sanjana. “Communications tapping, taping and paranoia in Sri Lanka.” ICT for Peacebuilding, 30 November 2009. https://ict4peace.wordpress.com/2009/11/30/communications-tapping-taping-and-paranoia-in-sri-lanka/

Hattotuwa, Sanjana. “Examples of on-going web censorship in Sri Lanka.” ICT for Peacebuilding, 23 February 2010. https://ict4peace.wordpress.com/2010/02/23/examples-of-on-going-web-censorship-in-sri-lanka/

Hattotuwa, Sanjana. “Growing online challenges for activists in Sri Lanka.” ICT for Peacebuilding, 12 February 2013. https://ict4peace.wordpress.com/2013/02/12/growing-online-challenges-for-activists-in-sri-lanka/

Hattotuwa, Sanjana. “Big data can make South Asian cities more authoritarian.” ICT for Peacebuilding, 6 April 2015. https://ict4peace.wordpress.com/2015/04/06/big-data-can-make-south-asian-cities-more-authoritarian/

Hattotuwa, Sanjana. “Dignity and digital identities.” 26 March 2017. https://sanjanah.wordpress.com/2017/03/26/dignity-and-digital-identities/

Hattotuwa, Sanjana. “Icebergs of intelligence.” 1 April 2018. https://sanjanah.wordpress.com/2018/04/01/icebergs-of-intelligence/

Hattotuwa, Sanjana. “Post-Coronavirus: Towards pandemic panopticons or something radically new?” ICT for Peacebuilding, 3 May 2020. https://ict4peace.wordpress.com/2020/05/03/post-coronavirus-towards-pandemic-panopticons-or-something-radically-new/

Hattotuwa, Sanjana. “The rise of the panopticon state.” 13 February 2024. https://sanjanah.wordpress.com/2024/02/13/the-rise-of-the-panopticon-state/

Hattotuwa, Sanjana. “The OSA, and encrypted apps in Sri Lanka.” 28 April 2024. https://sanjanah.wordpress.com/2024/04/28/the-osa-and-encrypted-apps-in-sri-lanka/

Hattotuwa, Sanjana. “Sri Lanka Police’s eTraffic app raises significant data protection, and compliance concerns.” 1 January 2025. https://sanjanah.wordpress.com/2025/01/01/sri-lanka-polices-etraffic-app-raises-significant-data-protection-and-compliance-concerns/

Hattotuwa, Sanjana. “Sri Lanka’s e-NIC project: Mapping public discourse, and information vacuums.” 16 January 2025. https://sanjanah.wordpress.com/2025/01/16/sri-lankas-e-nic-project-mapping-public-discourse-and-information-vacuums/

Hattotuwa, Sanjana. “Digital public infrastructure (DPI) in Sri Lanka: Technocratic futures versus human rights foundations.” 2 October 2025. https://sanjanah.wordpress.com/2025/10/02/digital-public-infrastructure-dpi-in-sri-lanka-technocratic-futures-versus-human-rights-foundations/

Hattotuwa, Sanjana. “Sri Lanka’s e-NIC project: Towards economic development or encoding discrimination?” 24 October 2025. https://sanjanah.wordpress.com/2025/10/24/sri-lankas-e-nic-project-towards-economic-development-or-encoding-discrimination/

Hattotuwa, Sanjana. “Digitalisation in 2026 budget: A Trojan Horse for a surveillance state or vital foundation for democratic governance?” 12 November 2025. https://sanjanah.wordpress.com/2025/11/12/digitalisation-in-2026-budget-a-trojan-horse-for-a-surveillance-state-or-vital-foundation-for-democratic-governance/

Hattotuwa, Sanjana. “The Anti-Corruption Act, and Prevention of Crimes Act: Putting civil society at greater risk through potential procedural overreach?” 9 December 2025. https://sanjanah.wordpress.com/2025/12/09/the-anti-corruption-act-and-prevention-of-crimes-act-putting-civil-society-at-greater-risk-through-potential-procedural-overreach/

Hattotuwa, Sanjana. “Financing the framework, fleeing the fallout: World Bank financing digitalisation in Sri Lanka.” 10 March 2026. https://sanjanah.wordpress.com/2026/03/10/financing-the-framework-fleeing-the-fallout-world-bank-financing-digitalisation-in-sri-lanka/

Hattotuwa, Sanjana. “The World Bank in Sri Lanka: Financing the digital state, ignoring the dangers.” 27 April 2026. https://sanjanah.wordpress.com/2026/04/27/the-world-bank-in-sri-lanka-financing-the-digital-state-ignoring-the-dangers/

Hattotuwa, Sanjana. “Legislating in the shadow of loss: Privacy, surveillance, and the targeting of dissent in Sri Lanka’s draft Cybersecurity Act of 2023.” 10 June 2026. https://sanjanah.wordpress.com/2026/06/10/legislating-in-the-shadow-of-loss-privacy-surveillance-and-the-targeting-of-dissent-in-sri-lankas-draft-cybersecurity-act-of-2023/

LIRNEasia (Rohan Samarajiva). “Over 200,000 in Jaffna deprived of phone service now for two months.” 30 October 2006. https://lirneasia.net/2006/10/over-200000-in-jaffna-deprived-of-phone-service-now-for-two-months/

Necessary and Proportionate. “The thirteen international principles on the application of human rights to communications surveillance.” 2014. https://necessaryandproportionate.org/13-principles/

OHCHR. “Guiding principles on business and human rights.” 2011. https://www.ohchr.org/sites/default/files/documents/publications/guidingprinciplesbusinesshr_en.pdf

OHCHR. “Spyware and surveillance: Threats to privacy and human rights growing, UN report warns.” 2022. https://www.ohchr.org/en/press-releases/2022/09/spyware-and-surveillance-threats-privacy-and-human-rights-growing-un-report

Parliament of Sri Lanka. “Anti-Corruption Act, No. 9 of 2023.” 2023. https://parliament.lk/uploads/acts/gbills/english/6296.pdf

Parliament of Sri Lanka. “Online Safety Act, No. 9 of 2024.” 2024. https://www.parliament.lk/uploads/acts/gbills/english/6311.pdf

Parliament of Sri Lanka. “Personal Data Protection Act, No. 9 of 2022.” 2022. https://www.parliament.lk/uploads/acts/gbills/english/6242.pdf

Parliament of Sri Lanka. “Proceeds of Crime Act, No. 5 of 2025.” 2025.

Parliament of Sri Lanka. “Sri Lanka Telecommunications Act, No. 25 of 1991.” 1991. https://stepbysteptrade.lk/media/No.25%20of%201991.pdf

Reporters Without Borders. “RSF urges Sri Lankan government to stop hounding Tamil journalists.” 9 September 2022. https://rsf.org/en/rsf-urges-sri-lankan-government-stop-hounding-tamil-journalists

REDRESS and International Truth and Justice Project. “Sri Lanka has shielded killers of journalists, finds new report examining investigation failures in BBC reporter’s murder.” 2025. https://redress.org/news/sri-lanka-has-shielded-killers-of-journalists-finds-new-report-examining-investigation-failures-in-bbc-reporters-murder/

Sri Lanka Brief. “Sri Lanka: Protection of the State from Terrorism Act, No. of 2026: Observations from an information integrity perspective.” 2026. https://srilankabrief.org/sri-lanka-protection-of-the-state-from-terrorism-act-no-of-2026-observations-from-an-information-integrity-perspective/

Sri Lanka CSO FATF Network and Neelan Thiruchelvam Trust. “Regulation and oversight of civil society: How is it connected to the Financial Action Task Force?” 2026.

Surveillance Watch. “Sri Lanka regional target page.” 2026. https://surveillancewatch.io/targets?country=sri-lanka

The Diplomat. “Chinese surveillance cameras have become a huge problem for India.” June 2026. https://thediplomat.com/2026/06/chinese-surveillance-cameras-have-become-a-huge-problem-for-india/

The Guardian. “Revealed: Leak uncovers global abuse of cyber-surveillance weapon.” 18 July 2021. https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus

The Hindu. “China to assist Sri Lanka in its anti-terror efforts.” 16 May 2019. https://www.thehindu.com/news/international/china-to-assist-sri-lanka-in-its-anti-terror-efforts/article27142911.ece

The New York Times. “How China uses high-tech surveillance to subdue minorities.” 22 May 2019. https://www.nytimes.com/2019/05/22/world/asia/china-surveillance-xinjiang.html

Xinhua. “Sri Lanka installs automated face recognition system at main airport to nab criminals.” 6 January 2024. https://english.news.cn/20240106/1a83cdf29bf84d868c85a5dd3790e32d/c.html
