"Only a connection through an account": How Sri Lanka Police's defence of eTraffic app underscores significant concerns
After a comprehensive critique of the eTraffic app was widely disseminated over the past two days, several journalists called me after an official press conference today held at the Government Information Department in which concerns raised by me had been put to the Police.
Newswire is the first to publish an article on the responses provided: Police assure data security with ‘eTraffic’ app launch. Soon after reading it, I flippantly noted on Twitter "Tell me you don't understand anything about cybersecurity, privacy or Personal Data Protection Act without telling me you don't understand anything about cybersecurity, privacy or PDPA."
More seriously, the responses by Police Media Spokesman SSP Buddhika Manatunga, as noted in the Newswire article, deserve their own critique, given how perfectly they illustrate and amplify the concerns highlighted in my critique of the eTraffic app.
The Newswire article notes that,
SSP Manatunga stressed that no private data will be entered into the app’s system. “There is only a connection through an account."
Incredibly, the Police Spokesperson justifies the atrocious privacy protections of the eTraffic app without realising that an account created on it does, in fact, constitute the sharing of personal information. The SSP's assertion is also particularly troubling given the app's APK (i.e. code-level) permissions documented in my technical analysis, and the potential for their abuse or surreptitious use for purposes other than those publicly stated. The app explicitly requests access to location data (including background tracking), camera functionality, and external storage - all of which, by definition, involve processing private data. SSP Manatunga's statement suggests either a concerning lack of understanding about what constitutes personal data or, more worryingly, a deliberate minimisation of privacy concerns.
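As an added example (not code from the original article, and not the eTraffic app's own code), the following Python script shows the kind of check a reviewer runs over an app's AndroidManifest.xml to flag permissions that involve personal data and to compare them against the purposes an operator has publicly disclosed. The manifest and the set of disclosed purposes are constructed for illustration; the permission names are standard Android ones.

```python
"""Audit <uses-permission> entries in an Android manifest for personal-data access.

Added example: the manifest below is constructed for demonstration and is NOT the
eTraffic app's manifest. The permission names are standard Android permissions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions whose grant lets an app process personal data (and therefore matter
# for any privacy review, including one against a data protection law).
PERSONAL_DATA_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while the app is not in use",
    "android.permission.CAMERA": "camera capture",
    "android.permission.READ_EXTERNAL_STORAGE": "read shared storage (photos, documents)",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write shared storage",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Constructed sample manifest (hypothetical package name).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.constructed.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
        android:maxSdkVersion="28"/>
    <application android:label="Constructed"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the permission names declared in the manifest, in declaration order."""
    root = ET.fromstring(manifest_xml)
    names = []
    # <uses-permission-sdk-23> is the variant that only applies on API 23 and above.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(NAME_ATTR)
            if name:
                names.append(name)
    return names


def audit_permissions(manifest_xml, disclosed=frozenset()):
    """Classify declared permissions and flag personal-data ones not publicly disclosed.

    `disclosed` is the set of permission names whose purpose the operator has
    stated publicly; anything personal-data related outside that set is reported
    as undisclosed.
    """
    perms = requested_permissions(manifest_xml)
    personal = {p: PERSONAL_DATA_PERMISSIONS[p] for p in perms if p in PERSONAL_DATA_PERMISSIONS}
    other = [p for p in perms if p not in PERSONAL_DATA_PERMISSIONS]
    return {
        "personal_data": personal,
        "other": other,
        "background_location": "android.permission.ACCESS_BACKGROUND_LOCATION" in personal,
        "undisclosed": [p for p in personal if p not in disclosed],
    }


if __name__ == "__main__":
    # Hypothetical disclosure: the operator has only explained the camera's purpose.
    result = audit_permissions(SAMPLE_MANIFEST, disclosed={"android.permission.CAMERA"})
    for perm, purpose in result["personal_data"].items():
        print(f"personal data: {perm} ({purpose})")
    if result["background_location"]:
        print("WARNING: app can track location while not in use")
    for perm in result["undisclosed"]:
        print(f"UNDISCLOSED: {perm} has no publicly stated purpose")
```

The "undisclosed" list is the useful output for a privacy review: a permission the manifest requests but whose purpose the operator has never explained is exactly the gap between "there is only a connection through an account" and what the code actually asks the device for.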
Hanlon's Razor springs to mind.
The SSP's attempt to separate the compromise of social media accounts from website security demonstrates a fundamental misunderstanding of organisational cybersecurity. The successful breach of multiple social media accounts indicates serious shortfalls and vulnerabilities in the Police's cybersecurity practices, access controls, awareness, and authentication protocols. Claiming that "the [Police] website was neither hacked nor compromised" as a defence misses the central point entirely - the social media breaches alone reveal significant institutional weaknesses in cybersecurity governance, which the Police then want the public to ignore when installing and using the eTraffic app (leave aside that, to date, the app can only be installed by sideloading it - which is anathema to good cybersecurity).
SSP Manatunga's statement that "there is only a connection through an account" reveals a dangerous, gross over-simplification of data security (or again, just sheer ignorance). As I highlighted in my previous article, the app integrates with Firebase and Google services, involves cross-border data transfers, and implements custom permission systems on the Android devices it is installed on. These features create complex data flows that require robust security measures and very careful consideration of privacy implications - leave aside compliance with relevant sections of the Personal Data Protection Act (PDPA).
Perhaps most concerning is SSP Manatunga's casual approach to addressing security vulnerabilities: "If there are any identified weaknesses, they will be addressed in future." This reactive stance towards security and privacy directly contradicts the fundamental principles of privacy by design and security by design, which are especially critical for law enforcement applications handling sensitive personal data at scale (as I expanded on in my original article).
With the PDPA coming into force in March 2025, this approach is particularly problematic since it re-affirms that the Sri Lankan Police have no clue about legal obligations, and compliance.
The SSP's attempt to deflect concerns by referencing "foreign operatives" and similar attacks in India, rather than addressing the specific technical and legal issues about the eTraffic app raised by the journalists present, suggests a concerning pattern of avoiding responsibility for cybersecurity failures. The reference to unnamed "experts" consulted during development, without any specific details about security measures or compliance frameworks, further undermines credibility.
The stark and worrying disconnect between SSP Manatunga's assurances and the technical reality of the app's implementation suggests either a significant knowledge gap at senior levels of the Police service regarding digital security and privacy, or a troubling lack of transparency about the app's true capabilities and purposes. Or both.
Either way, the statements by the Police spokesperson at today's press conference serve only to strengthen my warning to investigative journalists, human rights defenders, civil society activists, and anyone else invested and interested in their privacy - especially highly surveilled communities in the North and East - to NOT install the eTraffic app.
CIO at CAL | Technology Strategist
Install an insecure app (made by the Gov) on my phone that the Police has access to? Where do I sign up?
Independent Director
Let's be clear - NO expert could've advised the Police to develop the system in its current form. That's a canard and only increases the trust deficit. The Police spokesperson in this instance is clueless.