Updates over WhatsApp groups, pegged to content published on this site and a plethora of issues related to them, was started in 2016. Started off as groups where all subscribers could exchange thoughts with each other, the constitutional crisis late 2018 required restrictions to be placed to only allow the admins to share and seed content. Unprecedented recent events, which I consider to be a harbinger of risks pegged to malevolent intrusion and surveillance in Sri Lanka that will increase in sophistication, speed and scale at pace, require shutting these groups down.

The background to and details around all this is captured in a Google Doc that mirrors emails sent out by me soon after learning about the cloned mobile number. As I note,

After careful consideration, in light of how a cloned mobile number on the original Groundviews WhatsApp updates group sent messages to others on it, I am shutting these groups down. This isn’t the first time subscribers on these groups have been harvested. At a consequential provincial election a few years ago, a candidate contesting in Colombo (with the SLPP) sent unsolicited propaganda to members of the group after harvesting subscribers. The individual subsequently apologised and promptly ceased doing this after I intervened. If that was an inconvenience, what’s happened now – and likely to happen again – is a security risk that will grow at pace with the general surveillance landscape in Sri Lanka. There’s now a duty of care and responsibility that falls on me (as Group Admin) to not provide an easy attack vector for malicious or criminal actors in the future. The way these groups are presently constituted, even if no one can message anyone else on them, everyone on them can see who else is a subscriber. This now is a risk and one I do not seek to amplify. 

For other admins of public WhatsApp groups, including many I am told exist curated by and for journalists, I’d encourage urgent review and revision to group permissions and whether they are actually needed now, independent of when and why they were initially set up. If using WhatsApp to push out content, consider using the Broadcast feature, which is what for example Daily FT & the Sunday Times did during the pandemic lockdown when the newspapers weren’t printed.

The digital security wiki by Groundviews has some basic guidance around how to be safe online. Online risk though is, amongst other things, a complex, contextual, socio-technical and gendered issue. There’s no one or easy answer to any challenge or risk. The Groundviews‘ wiki and other recently resources online – including many now updated in light of Black Lives Matter protests in the US – give general guidance. They aren’t exhaustive, and many of them require extensive localisation and guidance to meaningfully implement. Please lean on institutional IT advisors, staff or trusted individuals to help navigate this fluid landscape.

Institutions, activists, journalists, diplomats and officials working or present in Sri Lanka, and frankly everyone online or on social media, are encouraged to take digital-security seriously. As I’ve flagged, blanket scrutiny of online traffic in Sri Lanka through Deep Packet Inspection (DPI) is already a reality, adding to sordid history of telcos in the country acting at the behest of extra-judicial and possibly contra-constitutional requests from government (including under Yahapalanaya, read RTI Reveals Lanka E News Blocked On Order from President’s Office). The implications of DPI used at (this) scale are real and disturbing. This is a point addressed in my second email as well, using an analogy that many in Sri Lanka would be far more familiar with – traffic on Galle Road and VVIP convoys.

It’s been an extraordinary privilege to communicate with all of you over many years through WhatsApp, with a subscriber base that extended from civil society to senior officials in government. For continued updates from Groundviews, please follow @groundviews on Twitter and/or like the page on Facebook.

Sanjana Hattotuwa (Founding Editor, @sanjanah)