Photo courtesy of BBC The advent of the internet and Information Communication Technology (ICT) has opened up ways for children and young people worldwide to gain self-learning and social development opportunities. A study published by UNICEF in 2016 notes that children under 18 account for one in three internet users in the world. The study also acknowledges that this will continue to increase in terms of the number of children accessing the internet and the time they spend online. On the darker side of things, the internet has resulted in creating dangerous spaces for children. It is no secret that there are multiple spaces online that have made it possible for perpetrators to trick and take advantage of innocent children. While children can be protected by regulating the time they spend on online platforms parents, who are best positioned to help their children, are often unable to do so as they are not knowledgeable enough to supervise their child’s internet use. While teachers may offer more knowledge on this matter, children may not be willing or comfortable to confide in them for fear of being shamed. These reasons, together with the lack of awareness of online child abuse and exploitation within the media, have resulted in few reports being made, thereby leading to a lack of public awareness. The social stigma surrounding child abuse has led to a lack of any attempt to take legal action against online child abuse or exploitation, allowing the perpetrator to continue in their dangerous schemes. While the increase in child abuse and exploitation cases has gained attention in media, there are comparatively very few cases of online child sexual exploitation and abuse being reported. This should not be misinterpreted to mean that online incidents do not take place. Instead, it points to a much more significant problem, which is that crimes committed online towards children have always been a grey area due to the innumerable ways the internet has made it possible to abuse and exploit children. The lack of knowledge on the forms of online child sexual exploitation and abuse has led to legal provisions being ambiguous on whether modern threats posed to children are criminalised. Online Child Sexual Exploitation and Abuse (OCSEA) does not have a universal definition. Various jurisdictions and multilateral treaties have adopted some descriptions. In a study that was commissioned to Verité Research by ECPAT Sri Lanka, a common definition was: “Situations where a child (under the age of eighteen years of age) takes part in sexual activity in exchange for something, either a benefit, promise, or gain.” OCSEA includes commercial and non-commercial sexual exploitation of children, with the former including cases of contact and non-contact sexual abuse for the purpose of financial gain. A key aspect of OCSEA is that it is constantly evolving, resulting in myriad forms of online child abuse emerging. This includes cyberbullying, online grooming, sexting, child porn/child sexual abuse material (CSAM), sextortion, revenge porn and live streaming. Is there a lack of laws? In considering whether OSCEA is criminalised in law internationally, three central instruments recognise the importance of doing so. These include:

• The Convention on the Rights of Child (CRC), which has been interpreted to prohibit OCSEA. (Note that the CRC does not expressly prohibit OSCEA as it was introduced in 1989.)
• The Luxenberg Guidelines, which defines child exploitation to cover OCSE through the words “any use of ICT that results in sexual exploitation or causes a child to be sexually exploited or that results in or causes images or other material documenting such sexual exploitation to be produced, bought, sold, possessed, distributed, or transmitted”.
• The Budapest Convention, which expressly prohibits CSAM in online systems.

Sri Lanka ratified the CRC in 1991 and acceded to the Budapest Convention in 2005. In relation to the latter, it was the first country in South Asia to sign and ratify the Convention enabling the national legislation – the Computer Crime Act, No. 24 of 2007 – to be passed. But OCSEA is not recognised or criminalised in Sri Lanka’s substantive law. Sri Lanka’s substantive law relating to OCSEA includes the Penal Code and the Computer Crime Act. Article 27(13) of the constitution further recognises that the state is entrusted with special care of children. The major flaw in each of the substantive laws is that the Penal Code does not identify ICT as a means of facilitating the sexual exploitation of children. Moreover, although the Computer Crimes Act recognises cybercrime, it does not criminalise OCSEA. The Computer Crimes Act does not consider the possibility of using ICT to enable the sexual exploitation of children. Consequently, there is a need to assess and interpret the current provisions on the sexual exploitation of children that is criminalised in the legislature to determine whether the spirit of the law firstly criminalises various forms of sexual exploitation and secondly whether such provisions can be read broadly to encompass OCSEA. Although OSCEA is impliedly criminalised, legal gaps exist. For instance, the Penal Code does not define what amounts to obscene or indecent, leaving judges with too much space for interpretation. Hence, problems may occur when questions of morality and immorality are used to determine such answers. What this means is that the wide scope of interpretation has led online child abuse forms like grooming to be a crime based on the judge’s interpretation. The Penal Code does not leave room for criminalising simulated representations or realistic images that appear to be a child. This refers to advanced technological capabilities that allow perpetrators to smartly create images of a child in a sexually explicit manner. In other words, children are no longer required to actually take an image or engage in such activities to be subjected to child abuse or exploitation. The lack of provisions to safeguard children in this regard is a point of concern with technologies such as Artificial Intelligence on the rise. The Penal Code does not make reference to the mental status, which is producing CSAM with the consciously formed intent of distributing it through a computer system.  Sri Lanka also does not criminalise sexual abuse, as it only recognises sexual intercourse when it comes to hiring or employing children as sexual procurers. These gaps have also meant that Sri Lanka has failed to uphold the conditions specified under international treaties or conventions. The Penal Code uses gendered language, using phrases such as “a man is said to commit…”. Such wording leads to a belief that male children cannot be victims and that OSCEA can only be conducted by male adults. This is further heightened when the victim is described in such provisions in gendered terms; the Penal Code uses the pronoun her when referring to consent. One of the central confusions surrounding legal provisions related to children has been the lack of consistency in identifying who amounts to a child. For instance, the Age of Majority (Amendment) Act, No. 17 of 1989, recognises the age of majority at 18 while the Penal Code and its Amendments of 1995, 1998 and 2006 have defined a child as under 18 years only in specific provisions. In contrast, the Children and Young Persons Ordinance (CYPO) 1939 defines a child to be 14 years and anyone between 14 to 16 years to be a young person. Other provisions of the Penal Code consider the age of consent to be 16, implying a child to be below 16 years of age. Sections 75 and 76 of the Penal Code note that the minimum age of criminal responsibility is 12 years. The varying standards to assess who a child is under each act make it difficult to truly protect all children. Is there a lack of implementation? At times, although the law impliedly criminalises OSCEA, it is not implemented. This is seen by Section 286B of the Penal Code: Duty of a Person Providing Service by Computer to Prevent Sexual Abuse of a Child. According to this, Internet Service Providers (ISPs) have an affirmative duty to report instances of sexual abuse of children in addition to requiring them to turn over any identifying information to law enforcement. In theory, this would mean ISPs would proactively need to block access to content sites that display child sexual abuse images. Unfortunately, it is doubtful whether the criminalisation of failure to report incidents of online abuse is implemented. There are various actors involved in curtailing online child sexual abuse/exploitation and in enforcing the law. A few of the institutions that play a key role in implementing the law include the National Child Protection Authority (NCPA), the Cyber Crime Division of the Criminal Investigations Department (CID), the Bureau for the Prevention of Abuse of Children and Women (CWB) and the Attorney General’s Department (AG). The NCPA receives complaints through its helpline 1929, which is a 24 hour free, trilingual hotline. The role of the NCPA is limited to the preliminary investigation as it merely documents all information and advises or refers the case to the Cyber Crime Division of the CID. For the CID to investigate any case of child abuse, there is a need for a complaint to be lodged. Currently, the highest number of OCSEA complaints lodged is related to sextortion which refers to the practice of extorting money or sexual favours from someone threatening to reveal evidence of their sexual activity. There is difficulty in finding the perpetrator due to the difficulty of tracking IP addresses. The lack of prompt action taken by the CID has been a complaint and a reason as to why one may not report it. On average it takes three months for the online content to be taken down. The CWB’s role has mostly been in forwarding complaints to the CID. Sometimes the CID would forward this to the Sri Lanka Computer Emergency Readiness Team (SLCERT), thereby demonstrating the general lack of knowledge even among the key law enforcement institutions on OCSEA. The CWB has been criticised for blaming the victim. Victims that have come forward often end up getting re-victimised, resulting in a reluctant to report it. The AG’s Department’s efficiency in addressing or trying all cases related to child abuse in court has been painstakingly slow. For example, at the end of 2017, the Child Protection Unit had 17,582 pending cases. The latest statistics by NCPA reveal that the number of complaints against child abuse in 2022 alone was 10,497. On average, the highest number of reports are being made in the Western Province (3320), Southern Province (1486) and North Western Province (1,226). The AG’s Department has mostly used Section 286A on the Obscene Publication of a Child to prosecute the offence of OCSEA. There is a lack of laws in some respect when it comes to criminalising OCSEA, especially when comparing them to the international standards, while there is also a lack of implementation or enforcement due to weaknesses in law enforcement institutions.