• 
  
• Outdated, poorly crafted legislation cannot handle complex realities of today
• Need for close coordination of stakeholders, community awareness building 

Sri Lanka’s existing legal and institutional frameworks are not adequately equipped to address the growing dangers of children’s exposure to sexual content online, and yet not much can be done about it, Sri Lanka Computer Emergency Readiness Team Coordination Centre (Sri Lanka CERT|CC) Senior Information Security Engineer Charuka Damunupola claims. 

This warning comes amid rising concerns over online pornography, grooming, and child sex tourism, all of which continue to threaten the well-being of children.

While Sri Lanka CERT|CC plays a role in assisting with the removal of content, such as intimate images published without consent, and managing general threats to critical infrastructure rather than policing content on the open internet, the National Child Protection Authority (NCPA) is also involved in the protection of children. 

At present, the NCPA refers cyber-related complaints to the Criminal Investigation Department’s (CID) Computer Crime Investigation Division (CCID). Yet the authority has recognised the need for faster and more direct intervention.

When The Sunday Morning contacted NCPA Chairperson Preethi Inoka Ranasinghe regarding the matter, she declined to be quoted for this article. Subsequently, the NCPA issued an official written response.

The NCPA’s statement read: “At present, when enforcing the law on cyber-related complaints, we refer matters to the CCID. However, as the national body mandated to prevent child abuse, we have also held discussions with Meta to explore mechanisms for obtaining direct access to remove harmful content from social media platforms.”

Cybersecurity and Govt.’s digital strategy

The Ministry of Digital Economy is also taking steps to bolster cybersecurity in ways that indirectly safeguard children. 

Ministry Acting Secretary Waruna Sri Dhanapala confirmed that Sri Lanka had invested in new infrastructure. “Yes, there is a general critical infrastructure protection mechanism managed by Sri Lanka CERT|CC,” he said. “Furthermore, a National Cyber Security Operations Centre (NCSOC) was launched by the President this Friday (19).”

The NCSOC is tasked with monitoring threats, coordinating responses, and protecting national information systems from attacks. Dhanapala clarified, however, that its scope was distinct from filtering harmful content.

“At the ministry level, we have adopted a five-year strategy with special focus on threats against women and children,” he added. 

“Awareness campaigns are being run by Sri Lanka CERT|CC to educate school communities and parents. The focus is not to control devices entirely, since they are needed for education, but to teach safe use, including how to avoid harmful sites and manage screen time responsibly.”

Dhanapala was referring to the National Cyber Protection Strategy (2025–2029), which was formally presented to President Anura Kumara Dissanayake on Friday.

SL CERT’s role and limits of internet control

Damunupola stressed that the agency’s role was limited to reactive measures. “In terms of control, we do not have the authority to filter content on websites,” he explained. 

“Our role is reactive. We can act upon requests to take down pornographic content that has been published without an individual’s consent. In such cases, we assist with the removal process from that particular website. That is where we normally provide assistance.”

He emphasised that the NCSOC’s role was different. “The NCSOC deals with cybersecurity, protecting critical infrastructure from attacks and breaches. Filtering sexual content is an internet safety issue, which is outside its scope.”

On whether the Online Safety Act could change this, Damunupola was cautious. 

“The act is not yet in full effect, as modifications are still underway. Even with legislation, the fundamental challenge remains that most platforms hosting harmful content are based overseas. No government has direct control over what is posted on such platforms. The only option is to request removals through official channels,” he said.

He also warned against unrealistic expectations about filtering, noting: “No country filters the internet to that extent. Blocking some sites is possible, but to filter every piece of content would mean controlling the internet itself, which raises human rights and freedom of speech concerns. The internet must remain open, though platforms can and do enforce their community guidelines.”

Child sex tourism and industry guidelines 

The risks are not confined to cyberspace. The NCPA has identified child sex tourism as another area of concern and is taking preventive steps.

“We are collaborating with the Sri Lanka Tourism Development Authority and the Tourist Police to develop comprehensive guidelines for the travel and tourism industry,” the NCPA said.

“These guidelines are designed to ensure children are protected by establishing procedures to identify, report, and prevent incidents of abuse involving tourists or those operating in the tourism sector,” the statement added. 

Counselling and rehabilitation

For children who have already been harmed, whether through online grooming, pornography, or exploitation in tourism zones, the NCPA has rolled out a series of psychosocial and rehabilitation programmes.

The authority provides trauma-focused counselling and motivational interviewing, along with psychosocial assessments to determine the depth of trauma and specific needs. It conducts the ‘Sith Saviya’ programme, which offers psychosocial rehabilitation for children exposed to severe abuse, including sexual exploitation. 

The NCPA also provides psychoeducation and parental counselling to rebuild trust, reduce stigma, and aid family reintegration. In urgent cases, immediate psychological first aid is made available via phone counselling, and victims are referred to district and divisional officers for long-term therapy.

The authority’s Psychosocial Division carries out tourism-zone interventions through the ‘Siyapath Surakum’ programme, which combines counselling with awareness activities in high-risk coastal areas to protect children from sex tourism and re-victimisation. 

Community-level efforts, such as positive discipline training and awareness campaigns in schools, help reduce stigma and promote resilience in children recovering from exploitation. According to the NCPA, integration with law enforcement, probation, and healthcare ensures that victims not only receive legal protection but also tailored psychosocial care.

Education and awareness in schools

The NCPA has launched several proactive programmes aimed at educating the community on child protection, with a particular focus on online safety. These initiatives are based on a comprehensive analysis of child abuse cases reported to the authority.

Among such key programmes are the School Student Ambassador National Programme on Child Protection for senior prefects and the School Child Protection Committee Programme. These initiatives educate students, teachers, principals, and parents on the fundamental aspects of child protection, relevant laws, cybersecurity, and essential soft skills. 

The programmes aim to empower participants with knowledge that is critical for navigating the digital landscape safely. They are open to all schools in Sri Lanka, including Government, semi-Government, international, private, and piriven schools, making it a sustainable and widely accessible effort.

According to the NCPA, a core component of these programmes is the training of student prefects and the formation of school-based child protection committees. This is done to encourage children’s involvement in decision-making and to create a more child-friendly, safe environment within the school system.

National database and research

The NCPA, under Act No.50 of 1998, maintains the national database on child abuse, including online exploitation cases.

“This database allows us to record, monitor, and track complaints effectively,” the NCPA explained. “It also guides training for district child protection officers, psychosocial officers, and teachers. In addition, we have strengthened our Cyber Surveillance Unit and provided training to improve capacity in responding to online threats.”

Based on the figures recorded through its national database, the NCPA has been continuously building the capacity of district child protection officers, district psychosocial officers, and divisional officers on online safety, given their involvement in field-level activities and awareness programmes. 

In addition to these efforts, the authority has strengthened its Cyber Surveillance Unit by providing specialised training to improve monitoring and response capabilities. The NCPA also extends its training programmes to teachers, community leaders, and professionals, equipping them with knowledge of online and cybersecurity laws whenever opportunities arise.

Smartphones, SIM cards and regulation

The debate over children’s smartphone and social media use is also intensifying both locally and globally.

On this matter, the NCPA has taken a strong stance. “We have already requested the Government to ban social media usage among children below 16 years of age,” the authority confirmed. “This proposal was raised at recent ministerial discussions, reflecting our deep concerns about device addiction and exposure to harmful content.”

Dhanapala echoed this position, noting: “Children’s addiction to devices is one concern, but their access to inappropriate content is another. These devices can connect them to harmful individuals, sometimes without their knowledge. It is certainly an aspect we will explore further.”

Globally, several countries have begun implementing restrictions. France has banned the use of mobile phones during school hours for students under 15. Australia, through State-level policies in New South Wales and Victoria, has restricted smartphone use in primary and secondary schools to curb cyberbullying and manage screen time. 

Meanwhile, Sweden has implemented local bans in schools, while Denmark and Norway are actively debating similar measures. In each case, the focus is on balancing educational needs with protection from harmful content.

In Sri Lanka, one safeguard already exists through SIM registration. “SIM cards must be registered under a National Identity Card, which is only issued from age 16,” Dhanapala noted. 

“If a child uses a SIM, it must be under a parent’s or guardian’s name. One subscriber can register up to five SIMs, but this is an area we may need to strengthen further with the Telecommunications Regulatory Commission of Sri Lanka. Whether or not a parent must inform authorities if a child is using a SIM card, and whether such a regulatory mechanism must be introduced as a proposal, we can consider in future,” he added.

With discussions underway to regulate smartphone use for children below the age of 16 years, it appears the Government is considering measures to protect the younger generation from excessive use of such devices, following in the footsteps of some developed countries. How it hopes to secure content accessible to children without obstructing the flow of information through the internet or restricting free speech remains to be seen.