Curbing spam, scam and fraud in Sri Lanka

Wednesday, 24 January 2024 00:20 -     - {{hitsCtrl.values.hits}}

There is no foolproof approach to completely stop spam and 

fraud – the solution does not lie in a single activity 


The Sri Lankan Government is said to have approved the creation of an international A2P SMS centre to curtail fraud and spam. A private company, Infobip, has submitted a proposal to the Cabinet in this regard. The President has proposed appointing a committee with representatives from the Ministry of Finance, Ministry of Technology and the TRCSL to evaluate this proposal.

The need for such a centre to be set up at this time, approved at Cabinet-level, and run by an international private messaging aggregator raises multiple questions.

Spam, scam, and fraudulent communications are a valid cause for concern.

However, we have no publicly available information on how significant the issue of scams and frauds are in Sri Lanka. It would be good to start off with knowing how bad is the spam, scam, fraud situation in Sri Lanka? Do we have numbers and statistics, gathered by the Government or independent researchers, to go by? 

The Sri Lanka Post phishing scam is a recent example of the kind of scams out there that need to be curtailed. Beyond knowing that some people fell victim to this scam, there is no information on how widespread it was, what kind of action was taken to stop these messages from being circulated, the barring of the links being shared, etc. There is definitely a need to safeguard users from these such risks but having a comprehensive understanding of the gravity of the problem will serve to ensure that the right solutions are adopted.

None of these issues are new, so what has TRCSL done to date?

Spam, scams and fraud are certainly worrisome and any regulator worth their salt should have systems in place to address this issue. But it is hard to know what TRCSL has done in this regard to date. Unfortunately, as in other similar cases, there isn’t much information that is publicly available.

Typically, some form of light regulation exists to support the business of bulk SMS. These actions include requirements for telecom service providers to implement filtering mechanisms (SMS firewalls), ensure that there are opt-in/opt-out features to receive messages, and restrictions on sending only on-net bulk/A2P (so one operator cannot spam another operator’s customers), daily messaging caps, and so on are in place to reduce the incidence of unsolicited messages. Sometimes A2P SMS termination rates are also regulated but this less common in competitive markets.

In Sri Lanka, we know that the StopAd opt-out feature hardly works – there seems to be no enforcement of this system by the regulator. We do not have an opt-in list mechanism either. There may be an industry code of conduct that exists (highly unlikely) but there is nothing publicly available to confirm this. If I am not mistaken, there is also no restriction on sending messages across networks, making it possible for one network to sell and send bulk SMS to phone numbers on other networks. 

This leads us to the next set of questions that should be asked about the solutions available to address the issue of spam and scams. Is the centralised messaging centre the only proposed solution to the problem of spam and scams? Will the above-mentioned Committee look at how other countries have tackled this issue? Do they have similar setups? Has this approach fixed the problem? What has and should the regulator be doing in this regard? Basically, we should be able to understand, as citizens, how this approach approved by the Cabinet is the best way to address the problem at hand. Instead, all we have are a few articles in mainstream media announcing the decision.

Why is the Government considering a centralised system for spam filtering from Infobip?

In most countries, operators install SMS firewalls on their own networks at their own cost to filter out spam messages and calls. In fact, some operators in Sri Lanka seem to already have these firewalls in place, but questions remain. Are these systems ineffective? If so, what is making them ineffective? What is the responsibility of the operator to limit spam on their networks? Why is the Government promoting the use of a 

central system?

A comprehensive assessment of solutions must have been done by the Ministry of Technology and the TRCSL, through which they identified that the best approach is to set up such a centralised centre. In that case, then the next series of questions that should be asked have to be in relation to the provider. SMS firewalls are widely available as a commercial solution from many established vendors around the world, so why are we engaging Infobip, a private messaging aggregator? Is there no need for an open tender for such systems adopted by Government? Was a cost-benefit analysis done to determine that Infobip’s offer is the most suitable? Along the same vein, questions should be asked on the technical and security implications of this solution. 

On the long-term sustainability of this approach, we should be asking questions about who is funding the firewall – the Government and/or telecom operators? Perhaps we have a grant from a development/funding institution for this purpose, but once that runs out how are we going to maintain this system in the long-term?

Who is going to be held accountable for such decisions?

Finally, to ensure that this approach will actually be beneficial to the citizens of the country, we need to be asking the Government about the expected objective from setting this centre up? The Committee should identify a set of indicators or targets they are hoping to achieve by a certain point in time by adopting this system? We should know how we are going to monitor and evaluate the impact of this approach. Will the Committee be held accountable for the success of failure of this approach? What is TRCSL’s role in this matter beyond being an implementer? 

Other considerations for the Committee

The issue is also not limited to SMS and messaging – robocalling or spam calls are a related challenge that the authorities should be looking into, but there has been no mention of this thus far. This is why there is a need for a comprehensive analysis of the extent of this problem, before a single solution is adopted.

There is no foolproof approach to completely stop spam and fraud – the solution does not lie in a single activity such as the setting up of this centre. User education and awareness about scams, phishing, spoofing, and fraud is a must and should go hand in hand with regulation and system solutions. In line with this, regional approaches should be studied as there are many tried and tested fixes that we can adopt to curb the ills of unsolicited communication. Markets like India, Malaysia and Singapore have had years of experience in mitigating these problems and addressing these under strict consumer protection and telecom sector regulations.

Overall, there is a lot to say about the lack of transparency in matters like this. It would bode well for the Government to strengthen existing independent institutions to take well-documented and publicly consulted decisions when it comes to digitalisation efforts. The appointment of a private firm to offer a service to Sri Lankans should not be the task of the Cabinet or a Committee. We already have an established statutory Government body whose role should be to champion these efforts and take ownership of such issues, but this does not seem to be happening.

A thorough examination of these considerations and the questions raised above will be crucial to ensure the proposed centralised A2P messaging centre in Sri Lanka effectively addresses the issues of spam, scams, and fraud while maintaining transparency and accountability.

Recent columns

COMMENTS