Protection of the State from Terrorism Act, No. of 2026: Observations from an information integrity perspective
By Dr Sanjana Hattotuwa
From the primary perspective of the integrity of information, and privileged communications, this bill’s forward presentation as a human rights improvement on the PTA obscures the reality that its core architecture, ranging from administrative detention, military powers, proscription regimes, and broad speech offences, replicates the essential features that made the PTA objectionable.
Posted online four days ago, the bill is open to public input for a month.
As journalist S. Rubatheesan wrote in the Sunday Times3, “Under the proposed Terrorism Act, those who commit an act of terrorism will be handed hefty penalties ranging from a twenty-year jail term with fines to life imprisonment after a High Court trial. The new law titled “Protection of the State from Terrorism Act, No. of 2026″ has been published by the Ministry of Justice and National Integration and will replace the current Prevention of Terrorism Act (PTA).”
General concerns
Oversight limitations
Section 78 defines “confidential information” to include information about the “functions, movements, or whereabouts of a specified person,” conduct of investigations, and “any secret code, word, password or encryption detail relating to national security.” Gathering or supplying such information with knowledge it could be used for terrorism is criminalised under section 8(2).
This definition of “confidential information” is overbroad, and likely by design (which is problematic). Information about the “functions, movements, or whereabouts of a specified person” could be interpreted to encompass social media posts documenting military checkpoints in the north and east, photographs showing troop deployments in the face of civilian protests, or even tweets noting the presence of intelligence personnel at public events. Tamil civil society organisations have long used social media platforms to document militarisation in their communities. These activities that could now constitute gathering confidential information.
The inclusion of information about “the conduct of any official activity, including any law enforcement or military measure which is intended to be carried out or is being carried out, or has been carried out” extends the definition to cover essentially any reporting on security operations. A Facebook post describing a police raid, a WhatsApp message warning neighbours about an ongoing cordon-and-search operation, or YouTube video documenting an arrest could all involve confidential information under this definition. The criminalisation under section 8(2) requires only that the person “knowingly or having reasonable grounds to believe” the information could be used for terrorism.
The reference to “secret code, word, password or encryption detail relating to national security” creates particular problems for encrypted communications. This language in the draft appears designed to capture not just sovereign encrypted communications, and related architectures4 but potentially any encryption that security agencies wish to access. If investigators claim that a suspect’s encrypted communications relate to national security, the encryption keys themselves become “confidential information” and anyone who possesses or transmits them faces potential liability. This provision works in tandem with section 55’s decryption orders, creating both a compulsion mechanism and a criminal offence framework around encrypted communications.
The reporting obligation
Section 15 criminalises failure to report information about terrorism offences, with penalties of up to seven years imprisonment. This provision places journalists, lawyers, doctors, religious figures, and community workers in impossible positions. A journalist who learns of alleged militant activity during an investigation, a lawyer who receives confidential information from a client or a priest who hears something in confession would face criminal liability for not immediately informing police.
Social media platform administrators, moderators of online forums, and administrators of messaging groups could face liability if they become aware of content that might relate to terrorism offences and fail to report it. A moderator of a Tamil diaspora Facebook group who sees posts that could be interpreted as supporting a proscribed organisation faces a choice between reporting community members to police or risking seven years imprisonment. The chilling effect on online community spaces would be substantial.
Journalists who receive information through encrypted channels face particular exposure. An investigative journalist using Signal or WhatsApp to communicate with sources in the north and east might learn of activities that could constitute offences under this Act, perhaps information about individuals who formerly had LTTE connections, or about community members who have expressed support for Tamil political causes that the government considers impermissible. The journalist’s failure to report this information to police would itself be criminal, regardless of source protection principles.
The provision also threatens the security of encrypted communications indirectly. If individuals know that anyone who becomes aware of certain information must report it, they will be reluctant to share sensitive material even through encrypted apps, and channels. E2EE protects the communication in transit, but cannot protect against a recipient who faces criminal liability for not forwarding the content to authorities. This creates a massive surveillance, and chilling effect without requiring any technical interception. The Protection of the State from Terrorism Act, No. of 2026 essentially, and incredibly conscripts recipients themselves as informants.
Lawyers, and especially criminal lawyers will face significant challenges. A lawyer in Jaffna whose client communicates via encrypted messaging about past associations with Tamil militant groups must either breach attorney-client privilege by reporting to police or face prosecution for failing to provide information. The “reasonable excuse” defence places the burden on the lawyer to prove that professional confidentiality constitutes a reasonable excuse. Given that Protection of the State from Terrorism Act, No. of 2026 explicitly overrides other written laws under section 74 (The provisions of this Act shall have effect notwithstanding anything contained in any other written law, and in the event of any conflict or inconsistency between the provisions of this Act and such other written law, the provisions of this Act shall prevail”), this is a very high burden of proof that lawyers, through no fault of their own, and for merely rendering legal services or advice, have to accommodate.
Military powers over civilians
The extension of police powers to military personnel under section 19 has direct implications for digital communications and devices. All powers of search and seizure that police possess now vest equally in armed forces members. This includes powers under section 20 to “take into custody any document, thing or article” connected with offences under the Act, language that encompasses mobile phones, laptops, storage devices, and any medium containing digital communications. A soldier who seizes a mobile phone at a checkpoint in Mullaitivu operates outside any civilian oversight framework. The new law’s 24-hour window before handover to police under section 24 creates a period during which military personnel, including through duress, and potentially even torture could access device contents, copy data, or extract information without any procedural safeguards.
For E2EE, this creates serious risks. Military personnel could coerce detainees to unlock devices or provide passwords during the handover period, before any judicial oversight comes into play. Given documented patterns of abuse during military detention, asymmetrically impacting Tamils, and Tamil speaking peoples including Muslims, the risk that this coercion may involve torture is not theoretical. It is established fact. Material obtained during this crucial window, including, potentially, the contents of encrypted messaging applications, could then inform subsequent investigation even if not formally admitted as evidence. There’s also the potential for devices of suspects to be targeted with spyware, creating long-tail surveillance risks, and surveillance trails even after the subject has been released.
The intersection with section 55’s decryption powers is also significant. Section 55 requires a magistrate’s order for compelled decryption, but nothing prevents military personnel from obtaining passwords or biometric access during the initial detention period. By the time a suspect is produced before a magistrate, their encrypted communications may already have been accessed without any judicial authorisation.
Tamil diaspora communities could be potentially impacted as well. Many maintain active social media connections with family and friends in Sri Lanka, sharing news about community events, documenting ground conditions, discussing political developments, and publishing content memorialising war time events, including around enforced disappearances. Under the draft law, a Tamil diaspora activist in say New York who shares vital, granular information received via WhatsApp from friends or relatives in Jaffna around the military’s targeting of memorialisation events7 or the on-going instrumentalisation of the existing PTA to target Tamil journalists covering mass graves could potentially be committing offences under Sri Lankan law, that section 2(c) explicitly extends to citizens resident outside Sri Lanka (i.e., even dual citizens).
Impact on information integrity, and privileged communications
Section 55: Core surveillance and decryption powers
This section grants magistrates authority to order the unlocking of encrypted communications and to authorise interception of electronic communications. The scope extends to postal messages, electronic mail, telephone conversations, voice communications, internet exchanges, video conferences, and “any communication through any other medium.” It also permits access to “any analogue or digital data or information exchange or transfer system.” The breadth of this language appears designed to capture all forms of digital, and online communications, including those protected by end-to-end encryption.
Related sections a>ecting online communications
Section 3(2)(h) and (j) criminalise interference with electronic systems, computerised networks, cyber environments, domains assigned to Sri Lanka, and “electronic, analogue, digital or other wire-linked or wireless transmission system[s].” These provisions establish the underlying offences that sections like 55 would be used to investigate.
Section 9 on encouragement of terrorism applies to anyone who “publishes or causes to be published any statement, or speaks any word or words, or makes any sign or visible representation” with intent to encourage terrorism. The recklessness standard in subsection (3) lowers the threshold considerably, one need not intend encouragement, merely be reckless as to whether encouragement occurs.
Section 10 specifically addresses dissemination of terrorist publications and explicitly covers electronic transmission. Subsection (1)(e) criminalises transmitting contents of terrorist publications, whilst subsection (2)(e) specifies “transmits the contents of a terrorist publication electronically.” Subsection (1)(d) captures those who “provide a service to others that enables them to obtain, read, listen to or look at a terrorist publication”, language that could potentially implicate ISPs (like Dialog), platforms (like Facebook), hosting services (like Google Drive), or even individuals sharing links.
Section 11 defines the scope of “statement or publication” for sections 9 and 10 to include “internet,” “electronic media,” and “other form of public notice or dissemination.” This definition confirms that online commentary, social media posts, and digital content fall within these offences.
Section 53 grants investigative access to telecommunications, satellite, digital service, and data service providers. Police may obtain orders requiring disclosure of information about services provided, data stored or archived, and records of uploading or downloading. This provision operates alongside section 55 but targets service providers rather than encrypted content directly. For example, Starlink services in Sri Lanka were recently only enabled after data interception capabilities were ensured9. This can be read as a measure that prefigured the publication of the Protection of the State from
Terrorism Act, No. of 2026 draft, and is clearly enabled by it.
Implications for E2EE communications
Section 55(1)(a) specifically addresses encryption by authorising orders “directing any person who provides locking or encryption services pertaining to any communication or storage services or equipment for any data or information or other thing, to unlock or unencrypt the service or equipment and provide information contained therein.” This language raises significant concerns for E2EE platforms where the provider may not possess decryption keys by design. The bill assumes technical capability that doesn’t exist with some, leading, strong E2EE implementations, and apps (like the Signal or Session apps for example).
Very limited guardrails
Section 11(1) provides exceptions for content “published in good faith with due diligence for the benefit of the public or in the national interest” and “opinion, legitimate criticism, satire, parody, caution or imputation made in good faith.” These carve-outs offer some protection for journalistic and political speech, though “good faith” remains undefined, and subject to partisan, political, prosecutorial and judicial interpretation, especially given Sri Lanka’s history of judicial, and institutional capture.
The bill requires magisterial approval for most surveillance powers under section 55, and ex parte applications may be heard in camera. However, the threshold for obtaining such orders (“reasonable grounds to suspect”) is low, potentially leading to loose, and wide application (arguably, and as noted earlier, asymmetrically implicating, and injuriously impacting minority communities, especially in the North, and East).
