Sri Lanka Police recently unveiled its e-traffic app to combat traffic violations. The app lets users upload photos or videos of an offense, which are sent directly to the SL Police for action. However, the launch is already off to a rocky start amid data privacy and security concerns.
Red flags galore
Where’s the app store link?
Despite the announcement, the app is still unavailable on the Google Play Store or the Apple App Store. Instead, users are asked to sideload an APK file from a link hosted on the Vercel platform, bypassing the app stores altogether.
Given the e-traffic app revolves around surveillance and processes personal data, ensuring adherence to expected security practices is paramount. But the page barely offers any information on the app’s safety and data privacy aspects. This prompts some immediate questions:
- Why can’t the SL Police publish the e-traffic app on the Play Store? What guidelines has it failed to meet?
- Is the transmitted data encrypted?
- What is the data storage security process?
- What is the data retention policy?
- Is any of the information shared with a third party or other state institutions?
With little to no safety checks on how the data is processed and protected, asking the public to sideload a police-managed app raises a red flag.
App permissions
This issue deepens further with the app itself. Its sole functionality depends on access to the phone’s camera, location data, and storage. But there’s no clear indication of the extent of this data’s usage. Its own Privacy Policy page provides no helpful hints either.
This level of access could be potentially problematic if safeguards aren’t put in place. Inadvertently giving access to continuous location tracking or phone file data to a sideloaded app isn’t ideal in any scenario.
Of course, Android itself has added security prompts for app permissions in recent years. For instance, devices running Android 12 and up will display a green indicator on the top right of the phone whenever the camera or mic is turned on. Further, users can choose the permission level for location data, provided the OS version is Android 11 or above. But these are hardly fix-it-all solutions to the risks of exploiting app permissions.
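As an added illustration (not from the app's developers or the police), the permission concern above can be checked before installing a sideloaded APK by listing what it declares, for example by passing the text output of `aapt dump permissions` to the function below, and comparing it with the camera, location and storage access the app's function needs. The dump shown is constructed sample text, not the e-traffic app's actual manifest; the package name and the `EXPECTED` and `HIGH_RISK` sets are assumptions.

```python
import re

A = "android.permission."
# Access the app's described function needs: camera, location, stored media.
# INTERNET is included on the assumption that reports are uploaded.
EXPECTED = {A + p for p in (
    "CAMERA", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
    "READ_MEDIA_IMAGES", "READ_MEDIA_VIDEO", "INTERNET")}
# Broader grants matching the risks named above: continuous location
# tracking and access to the phone's files beyond the app's own media.
HIGH_RISK = {A + "ACCESS_BACKGROUND_LOCATION", A + "MANAGE_EXTERNAL_STORAGE"}
# Matches both aapt output styles: name='...' and the older bare form.
LINE_RE = re.compile(r"^\s*uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)")

# Constructed sample, not the e-traffic app's real manifest.
SAMPLE_DUMP = """\
package: com.example.reporting
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.ACCESS_BACKGROUND_LOCATION'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission-sdk-23: name='android.permission.READ_CONTACTS'
uses-permission: android.permission.INTERNET
"""

def parse_permissions(dump):
    """Return the declared permissions in order, without duplicates."""
    found = []
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found

def audit(dump):
    """Sort declared permissions into expected, high-risk and unexplained."""
    report = {"expected": [], "high_risk": [], "unexplained": []}
    for perm in parse_permissions(dump):
        bucket = ("high_risk" if perm in HIGH_RISK
                  else "expected" if perm in EXPECTED else "unexplained")
        report[bucket].append(perm)
    return report

if __name__ == "__main__":
    for bucket, perms in audit(SAMPLE_DUMP).items():
        print(bucket, perms)
```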
Anonymizing users
Using the app requires users to log in via Gmail or create an account. Given the app’s nature, a better implementation would have been to anonymize reporting. ManKiwwa, a crowd-sourced incident reporting app, already processes all of its reports anonymously by default. Surely, a state institution processing personal data can have similar standards.
Either way, it would be apt for the Sri Lanka Police to consider better data privacy practices, considering this is essentially a crowd-sourced surveillance app. State institutions are notorious when it comes to cybersecurity and the SL Police has done little to inspire confidence. It doesn’t help that the same institution couldn’t keep its own social media accounts safe just days ago. Trust between the institution and the citizenry doesn’t always start with zero, particularly when it comes to the police.
Contradicting best practices and legislation
As disinformation researcher Dr. Sanjana Hattotuwa points out, the app also poses questions about its alignment with the Personal Data Protection Act (PDPA). Specifics around lawful processing (Section 5), data minimization (Section 7), transparency/collection of personal data (Section 11), and other sections point to possible compliance issues for the e-traffic app. Granted, the PDPA is only expected to be fully enforced by 18 March 2025. But non-compliance with the PDPA merely serves to question the priorities of the SL Police with its app.
Further, this prompts concern over the lack of due processes with other state institutions. For instance, SL CERT’s entire existence is based on the need for a government-regulated authority to oversee the country’s cybersecurity. But despite its assigned role, there’s zero evidence of any communication between the two parties about the security aspects of the e-traffic app.
Repeat telecast
Interestingly, this isn’t even a new app. The software was originally launched back in 2021 as a pilot project, though it never took off. Effective Solutions, the developers behind the original app, clarified that the company handed over the software to SL Police after it was deployed.
It’s also worth noting that the 2021 version of the app was hosted on the Android Play Store as “e-Traffic Police Sri Lanka.” But Sri Lanka Police reportedly lost access after it was dropped from the store. Further, a version of the original app on APKPure suggests that the relaunched software is virtually unchanged.
It’s unclear what prompted the 2021 app to be dropped from the Play Store, though the cause is likely among the same reasons the relaunch is being distributed as an APK. As of now, the Vercel page says that the e-traffic app is in beta and will be available on the Play Store and App Store soon. Sri Lanka Police Media Spokesman SSP Buddhika Manatunga says it will be published in both stores by next week.
Could have been a WhatsApp
Commenting on the concerns around surveillance, the spokesman claims that experts were consulted during development “to ensure data protection.” He further stated that the new e-traffic app prioritizes data security and that personal data will not be shared.
However, we would like to remind the police that prioritizing data security doesn’t mean asking citizens to sideload an APK instead of downloading from the app store. It also doesn’t mean launching a webpage with no specifics on how said security is ensured. In fact, why was the app, which was originally launched in 2021, taken down from the Play Store in the first place?
To be clear, digitalizing government services plays a crucial role in serving the people’s needs. Unfortunately, history has shown how state institutions have abused existing laws and tools against citizens. Everything ranging from the Prevention of Terrorism Act and Online Safety Act to arresting/questioning people off random social media posts only erodes confidence in Sri Lanka’s police infrastructure. It only gets worse when you consider the government’s poor track record on cybersecurity.
The icing on the cake? It’s the police asking people to surveil each other amid the plethora of issues. At the very least, maybe a dedicated Business WhatsApp number would have served better. But then again, it probably doesn’t carry the same PR weight as “We launched an app.”
Thank you for reminding readers that this “app” is a repeat from 2021.
This is typical of our government–a new party into power, new superficial flashy stunts.