
    Sri Lanka's Digital ID Gamble: Building Trust in the Age of Digital Public Infrastructure

    By Mahishaa Balraj

    Digitising the economy is the right ambition, coming at the right time. Anyone who has stood in a queue for a basic service knows how much there is to gain from moving paper to pixels. The National People's Power (NPP) government’s emphasis on digital identity is therefore welcome: a secure way to prove identity can unlock faster banking services, more efficient benefits delivery, and less friction across everyday life. But great infrastructure needs great governance. If we build quickly without guardrails, we risk losing the trust that digitisation depends on.

    What’s being built?

    In brief, two layers: a high‑security electronic National Identity Card (e‑NIC) that captures fingerprint and face (with iris envisaged later), and the Sri Lanka Unique Digital Identity (SL‑UDI) platform that lets government offices, banks, and other stakeholders verify identity over networks.

    SL‑UDI is being implemented on Modular Open‑Source Identity Platform (MOSIP) software originally developed in India. According to public notices and media reports, Sri Lanka signed a Memorandum of Understanding (MoU) with India in 2022 for a grant of roughly LKR 10.4 billion towards a project valued at approximately LKR 20 billion. Under that arrangement, the Indian government could select the Master Systems Integrator (MSI) — an Indian firm — to serve as the main contractor to set up and implement the system. Sri Lankan officials claim that day‑to‑day operations will transfer to a local operator after launch, with overlap for training and handover.

    This represents significant progress, but much of it remains opaque to citizens. Assurances that no foreign party will access Sri Lankans’ data are important. Yet the Department for Registration of Persons has warned in writing that the proposed MSI remit includes master data and profile management, raising serious questions about data sovereignty. Both statements could be true; only publication of the MoU, cabinet approvals, and key contracts will resolve the tension.

    The case for caution begins with biometrics

    Fingerprints and face templates are not passwords that can be changed if compromised. That puts a premium on rigorous privacy rules, cybersecurity, and engineering discipline before rollout, not after. Today, Sri Lanka’s Personal Data Protection Act is not fully implemented while cybersecurity legislation is still being debated. Rolling out a national biometric system in that legal vacuum without guardrails is a choice — one that the country must not make.

    Architecture matters, too

    MOSIP deployments typically rely on a central registry to anchor identity. Centralised repositories are efficient, but they are single points of failure. When such a system becomes the backbone for welfare, health, and finance, a breach or outage can cascade across services.

    Estonia avoids a single mega‑database: in its federated system, each government agency holds its own records and exchanges only what is necessary. Singapore similarly minimises centralised storage of sensitive data, designing for isolation. India’s Aadhaar, by contrast, struggled with data exposures and authentication failures at scale. Even Estonia had to contend with a serious smart‑ID flaw in 2017.

    The lesson therefore is simple: design for containment, not for convenience alone.

    Optional vs. mandatory

    Officials say enrolment will not be compulsory. However, if the digital ID becomes the only practical route to pensions, rations, clinics, or bank accounts, people lose meaningful choice.

    India’s Supreme Court restricted compulsory use of Aadhaar; nonetheless, banks often insisted on it. In Jordan, access to aid via iris scans became the norm, raising hard questions about consent. Sri Lanka must set a different precedent: keep analog routes genuinely viable and write into law that no one is denied essential services for lack of the new credential.

    Power without accountability breeds mission creep

    A central platform that touches every sphere of life creates incentives to collect more data and to track more usage. Digital IDs can be repurposed for surveillance: Venezuela’s case highlights these very concerns.

    The antidote is not to abandon digitisation, but to build restraint and independent oversight into the system from day one. These include clear legal limits, warrant‑based access, tamper‑evident logs, and institutions with the capacity to say no.

    Citizens deserve clarity

    In the absence of disclosure from the authorities, my team at Hashtag Generation filed a detailed Right to Information (RTI) request with the Ministry of Digital Economy. We sought documents and answers across the full project life cycle. With no response within the statutory window, we have filed an appeal, and will publish all materials we receive.

    We support the digitisation agenda, but our ask is simply that it be implemented with the transparency and safeguards that would make it durable.

    A pragmatic blueprint can move us forward, safely and swiftly. Our recommendations for such a blueprint are as follows:

    • Publish the agreements, contracts, and detailed implementation plan

    Publish the MoU with India, cabinet approvals, and a time‑bound roadmap online. Release a redacted MSI contract that spells out data protections, dispute‑resolution venues, and the timetable and conditions for transfer to a Sri Lankan operator.

    • Anchor in law first

    Enforce the Personal Data Protection Act and pass cybersecurity legislation before nationwide rollout of the digital ID project. Mandate Data Protection Impact Assessments and Algorithmic Impact Assessments for each phase.

    • Make privacy concrete

    List the exact demographic and biometric fields to be collected and why. Prohibit secondary uses without fresh legal authority and demonstrable necessity and proportionality. Enforce retention limits and deletion pathways.

    • Keep identity separate from authentication

    Use privacy‑preserving verifiable credentials and tokenised, purpose‑specific identifiers so every transaction need not touch the central registry. Where possible, prefer match‑on‑card or local device verification over server‑side biometrics.

    • Design for containment, not centralisation

    Minimise the central repository; adopt a federated architecture in which agencies retain their own data; and exchange only what’s necessary via a secure, audited layer, not a population‑wide log of every use.

    • Guard the keys

    Generate and store cryptographic keys in hardware security modules located in Sri Lanka under multi‑party custody. Ensure no foreign contractor controls key material.

    • Commit to verifiable security

    Adhere to international standards (e.g. ISO/IEC 27001, ISO/IEC 27701 and NIST digital identity guidance); encrypt data at rest and in transit; enforce strict role‑ and attribute‑based access; and require independent audits, red‑team exercises, and bug‑bounty programs with public summaries before each scale‑up.

    • Put the courts and watchdogs in the loop

    Require judicial warrants for any law‑enforcement or intelligence access to identity records or usage logs. Establish an independent oversight body with the power to investigate, order remedies, and sanction misuse.

    • Guarantee inclusion in statute

    Keep the current NIC valid for a multi‑year transition; fund offline and assisted channels; and publish exclusion metrics (failed authentications, denied benefits, field‑level errors) so problems are fixed early.

    • Build grievance and remedy mechanisms

    Mandate breach notification, fraud hotlines, the ability to lock/unlock credentials, and compensation protocols for harm caused by system failures.
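    Two of the recommendations above, purpose‑specific tokenised identifiers ("Keep identity separate from authentication") and warrant‑gated, tamper‑evident access logs ("Power without accountability" and "Put the courts and watchdogs in the loop"), can be shown in a few dozen lines. The following Python is an added illustration written for this article; it is not code from SL‑UDI, MOSIP, or any Sri Lankan agency. The key, the national ID, the actor names and the warrant references are all constructed placeholders, and the in‑memory key stands in for a key that in practice would never leave a hardware security module.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed demo key. In a real deployment the HMAC key would be generated
# and held inside a hardware security module in Sri Lanka under multi-party
# custody; it never leaves the module, and no contractor holds a copy.
MASTER_KEY = b"constructed-demo-key-not-for-production"


def derive_sector_token(national_id: str, sector: str, key: bytes = MASTER_KEY) -> str:
    """Return a purpose-specific pseudonymous identifier for one sector.

    HMAC-SHA256 over (sector, national_id) yields a token that is stable within
    a sector (a bank recognises a returning customer) but differs across
    sectors, so banking and health records cannot be joined on the token.
    Mapping a token back to the national ID requires the key held in the HSM.
    """
    message = sector.encode() + b"\x00" + national_id.encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


GENESIS = "0" * 64  # hash that the first log entry chains to


@dataclass
class RegistryAccessLog:
    """Append-only, hash-chained record of privileged access to the registry.

    Every entry commits to the hash of the entry before it, so editing or
    deleting an earlier record changes every later hash and verify() fails.
    """
    entries: list = field(default_factory=list)

    def _digest(self, prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def record(self, actor: str, purpose: str, warrant_ref: str, fields: list) -> str:
        """Log one access; an access without a warrant reference is refused outright."""
        if not warrant_ref:
            raise PermissionError("access to identity records requires a judicial warrant reference")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        event = {
            "seq": len(self.entries),
            "actor": actor,
            "purpose": purpose,
            "warrant": warrant_ref,
            "fields": sorted(fields),
        }
        digest = self._digest(prev, event)
        self.entries.append({"prev": prev, "event": event, "hash": digest})
        return digest

    def head(self) -> str:
        """Latest chain hash; this is the value to anchor outside the operator."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self) -> bool:
        """Re-walk the chain from GENESIS and confirm every link and digest."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(prev, entry["event"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo() -> dict:
    """Exercise both controls on constructed data and return the outcomes."""
    nid = "200012345678"  # constructed placeholder, not a real NIC number
    bank_token = derive_sector_token(nid, "banking")
    health_token = derive_sector_token(nid, "health")

    log = RegistryAccessLog()
    log.record("dprp-officer-42", "address correction", "WARRANT-PLACEHOLDER-001", ["address"])
    log.record("police-unit-7", "identity confirmation", "WARRANT-PLACEHOLDER-002", ["name", "dob"])
    intact = log.verify()

    # Simulate an after-the-fact edit that strips the warrant from entry 0.
    log.entries[0]["event"]["warrant"] = ""
    tamper_detected = not log.verify()

    return {
        "tokens_unlinkable": bank_token != health_token,
        "token_stable": bank_token == derive_sector_token(nid, "banking"),
        "log_intact": intact,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

    Two caveats a practitioner would attach. A hash chain only detects edits by someone who cannot rewrite the whole chain consistently, so `head()` has to be anchored outside the operator at regular intervals (published, or escrowed with the independent oversight body) for the log to be tamper‑evident against the operator itself. And sector tokens stop linkage on the identifier alone; if two relying parties also receive name, address and date of birth, they can still join records, which is why the token scheme has to be paired with the field minimisation urged under "Make privacy concrete".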

    These recommendations are a call to formulate a plan that can move at speed with the right brakes and guardrails. The safest systems are those that assume breaches will occur and prepare for recovery. The most legitimate systems are those that tell the public, in advance, what will be built, why, and how it will be governed.

    Sri Lanka has a chance to set a regional benchmark: an identity platform that balances efficiency with rights, security with inclusion, and innovation with accountability. If we get the architecture and the governance right, queues will shorten, services will accelerate, and citizen dignity will be strengthened, not just today, but for decades to come.