We are anonymous, we are legion

Bolstering right to remain private

praskrishna — 2012-10-29T09:00:13Z

The Justice AP Shah panel has done to well to lay down an enforceable roadmap that can strengthen privacy laws in the country. It’s now for the legislature to take the issue to a logical conclusion.

Apar Gupta's column was published in the Pioneer on October 29, 2012.

A haveli courtyard is an apt metaphor for the complexity which is involved in drafting a law on privacy. Though the courtyard gives an appearance of openness, it is limited by the walls, doors and windows which surround it. The architecture represents a mediated understanding of the options which are available to the resident in sharing and limiting information to family and strangers. A somewhat similar project is in the works with the Union Government taking steps towards the enactment of a privacy law.

Privacy law as it is understood at present is usually limited to the odd writ petition filed against the Government by a private individual seeking enforcement of a fundamental right to privacy. Recently, such adjudication has been limited to high-profile individuals, and where there is wide voyeuristic interest. For instance, two recent petitioners include industrialist Ratan Tata and former Samajwadi Party leader Amar Singh. Here, it is important to stress that with the state gathering more and more data about individuals through the Unique Identification Authority of India scheme, there is a need to democratise the right by making legal provisions for its enforcement. In making such provisions a balance has to be maintained, where information which serves public interest or gathered through informed consent is not encumbered in the name of protecting individual privacy.

To find this balance, the Government late last year tasked a Committee of Experts chaired by Justice AP Shah to prepare a report on the Privacy Bill. Readers would recall that Justice Shah had authored a judgement which read down Section 377 of the Indian Penal Code, decriminalising homosexual activity. A closer reading of the judgement shows the reliance placed by the court on the privacy right and to reach its determination. With such credentials, the Justice Shah Committee has exceeded the high expectations placed on it, presenting a fair and balanced approach towards a privacy law in India.

At the very outset the report clearly marks its objectives, from which it then commences to study judicial precedent on privacy as well as the experience of foreign jurisdictions. On the basis of this study, it has evolved nine privacy principles which encompass within it distinct aspects of individual privacy. Such a nuanced approach to privacy is certainly welcome given that privacy as a right is often subjective, varying drastically in its appreciation as per civil society, private industry and even Government itself.

Beyond the specific aspects of the privacy right, the report extends the right both to Government as well as private industry. This is a sign of the times, best put by Pranesh Prakash, policy director, Centre for Internet and Society, when he says that citizens reveal more data about themselves to social networking websites than they would to the Government under torture!

Another significant aspect is the proposed co-regulatory regime which the report suggests. And, experience has taught us that a right without an effective remedy to enforce it counts for a little more than a black letter on paper. In this respect, the report proposes a sectoral regulator which has supervision over State level privacy commissioners. In addition to this, the report also proposes a system of self-regulation where industry-specific standards may be proposed and then sanctioned by the privacy commissioners. However, contrary to the present approach of tribunalisation, the report suggests that recourse to civil courts for aggrieved persons should always be kept open.

Though the origins of the privacy rights may be antiquated, widespread consensus suggests that the modern practice and substance of privacy law owes its beginning to an article published in the fourth volume of the Harvard Law Review. The article, authored by Louis Brandeis and Samuel Warren drawing a physical justification for what seemed like a novelty back then, stated that the law regarded a man’s house as his castle.

Sadly, the right has not seen a proper development in India, mainly due to the absence of an overarching legislation as well as a lack of understanding of its proper contours. At least in this respect, the report marks a significant development in the drafting of a comprehensive privacy legislation in India. A haveli, a house or a castle — the Justice Shah panel has provided a useful blueprint to the legislature to build an effective and balanced statute to safeguard individual privacy.

(The writer is a partner in a Delhi-based law firm and visiting faculty at the National Law University, Delhi)

For more details visit https://cis-india.org/news/daily-pioneer-columnists-oct-29-2012-apar-gupta-bolstering-right-to-remain-private

The Rules of Engagement

nishant — 2015-04-24T11:48:54Z

Why the have-nots of the digital world can sometimes be mistaken as trolls. I am not sure if you have noticed, but lately, the people populating our social networks have started to be more diverse than before.

Nishant Shah's column was published in the Indian Express on October 29, 2012.

Oh, sure, we are still talking about a fairly middle-class hang-out that happens largely in English and is restricted to people in urban environments who have the economic and cultural capital of access. But if you browse through your friends’ lists and compare it with, say, the network from five years ago, you will realise that the age demography has changed quite dramatically. I am not suggesting that the Web was only the realm of the young – let us face it, the people who actually created the infrastructure of the Web were not tiny tots. However, with Web 2.0 at the turn of the millennium, we have had an extraordinary focus on young people online.

But as the networks grow to include more people, there are now a lot of people online, who might not be the 16-year-old BlackBerry-wielding digital native, nor be in the “business of internet” but are finding a space for themselves, tentatively and steadily negotiating with this new space. Some of it might be because, those of us who were new kids on the block in the Nineties, are now older by a decade and are still on the block, but replaced by newer kids around the block. Some of it might be because there is an ease of access as portable computing devices grow more personal and get more people to use their smartphones as a gateway into the online worlds. But a lot of it is actually because the fold of the Web is expanding. The digital spaces of conversation are being integrated into our everyday lives and practices, replacing older forms of media and information structures and processes of social and cultural belonging.

And so, even though the penetration of the interwebz is not as rapid in countries like India as one would have hoped for, we do see a wide age group of people coming online, forming networks, and entering into conversations. I hadn’t really realised this, even though I was adding them to my social networks, that the digital immigrants are now here, and they are here to stay. It suddenly surfaced in my thoughts, because I recently heard a few narratives which made me dwell on the effort and the learning that one takes for granted but is a prerequisite for belonging to these new social spaces.

One of the first complaints I heard was about a hostility that many digital immigrants face when they start engaging with the social media. They follow the manuals. They read the FAQs. They look at patterns, and learn. And yet, even when they seem to be doing what seems to be exactly what everybody else is doing, they are often told that they got it all wrong. This is bewildering for many, because they cannot really see the difference. And the reason is that the social web is governed by a whole lot of unwritten rules and codes, which clearly are the rites of passage into the online world. These are not things that can be taught. These are not written in a guideline that tells you how to behave on Facebook or how to sift through the live-streams on Twitter. It is a fiercely guarded set of dos and don’ts which clearly distinguish between the digital natives and the digital immigrants, reinforcing exclusivity and exclusion. And when the digital immigrant violates these rules, they are often faced with a sneer, a sarcastic comment, or a dismissal as “not with it”.

The second thing I have repeatedly noticed is “calling troll” to people who do not always know these rules. Trolling is not new to the world of the internet. People who disrupt conversations and discussions by posting provocative or tangential information, by voicing hateful opinions, by passing harsh judgments, or sometimes by willfully breaking the rules of the communities, in order to seek attention and interrupt the flow of conversations are called trolls. Trolls are universally frowned upon and trolling wars often take up epic proportions because people get emotionally invested in them. Trolls are often shamed publicly, their mistakes brought into an embarrassing spot-light and ridiculed in back-channels or even in public discussions.

Calling somebody a troll presumes that the user is conversant with the rules of the game and is then breaking them, working with the idea that if you are online, you are naturally a digital native. The digital immigrants often create noob mistakes that can appear troll-like but are not intended to be so, and are often on the receiving end of a community’s hostility. And it is time, now that our online networks are growing, for us to realise that our presumptions about who is online need to change. If we are looking at an inclusive Web, we need to stop imagining that the person on the other side of the interface is necessarily like us, and develop new networks of nurture, which allows the digital immigrants safe spaces to experiment, make mistakes, and learn like the best of us. The next time, before you call somebody a troll, see if it might just be somebody learning the tricks of the trade. If they are doing something wrong, just politely point it out to them. And remember, acceptance is not only for people who are like us, but about people who are markedly unlike us.

For more details visit https://cis-india.org/digital-natives/blog/india-express-news-nishant-shah-oct-29-2012-the-rules-of-engagement

Rethinking DNA Profiling in India

elonnai — 2012-10-29T08:00:01Z

DNA profile databases can be useful tools in solving crime, but given that the DNA profile of a person can reveal very personal information about the individual, including medical history, family history and so on, a more comprehensive legislation regulating the collection, use, analysis and storage of DNA samples needs included in the draft Human DNA Profiling Bill.

Elonnai Hickok's article was published in Economic & Political Weekly, Vol - XLVII No. 43, October 27, 2012

DNA evidence was first accepted by the courts in India in 1985,[1] and in 2005 the Criminal Code of Procedure was amended to allow for medical practitioners, after authorisation from a police officer who is not below the rank of sub-inspector, to examine a person arrested on the charge of committing an offence and with reasonable grounds that an examination of the individual will bring to light evidence regarding the offence. This can include

"the examination of blood, blood stains, semen, swabs in case of sexual offences, sputum and sweat, hair samples, and finger nail clippings, by the use of modern and scientific techniques including DNA profiling and such other tests which the registered medical practitioner thinks necessary in a particular case."[2]

Though this provision establishes that authorisation is needed for collection of DNA samples, defines who can collect samples, creates permitted circumstances for collection, and lists material that can be collected, among other things, it does not address how the collected DNA evidence should be handled, and what will happen to the evidence after it is collected and analysed. These gaps in the provision indicate the need for a more comprehensive legislation regulating the collection, use, analysis and storage of DNA samples, including for crime-related purposes in India.

The initiative to draft a Bill regulating the use of DNA samples for crime-related reasons began in 2003, when the Department of Biotechnology (DoB) established a committee known as the DNA Profiling Advisory Committee to make recommendations for the drafting of the DNA profiling Bill 2006, which eventually became the Human DNA Profiling Bill 2007.[3] The 2007 draft Bill was prepared by the DoB along with the Centre for DNA Fingerprinting and Diagnostics (CDFD).[4]

The CDFD is an autonomous institution supported by the DoB. In addition to the CDFD, there are multiple Central Forensic Science Laboratories in India under the control of the Ministry of Home Affairs and the Central Bureau of Investigation,[5], along with a number of private labs [6] which analyse DNA samples for crime-related purposes.

In 2007, the draft Human DNA Profiling Bill was made public, but was never introduced in Parliament. In February 2012, a new version of the Bill was leaked. If passed, the Bill will establish state-level DNA databases which will feed into a national-level DNA database, and proposes to regulate the use of DNA for the purposes of

"enhancing protection of people in the society and the administration of justice."[7]

The Bill will also establish a DNA Profiling Board responsible for 24 functions, including specifying the list of instances for human DNA profiling and the sources of collection, enumerating guidelines for storage and destruction of biological samples, and laying down standards and procedures for establishment and functioning of DNA laboratories and DNA Data Banks.[8] The lack of harmonisation and clear policy indicates that there is a need in India for standardising the collection and use of DNA samples. Although DNA evidence can be useful for solving crimes, the current 2012 draft Bill is missing critical safeguards and technical standards essential to preventing the misuse of DNA and protecting individual rights.

Concerns that have been raised with regards to the Bill are both intrinsic, including problems with effectiveness of achieving the set objectives, and extrinsic, including concerns with the fundamental principles of the Bill. For example, the use of DNA material as evidence and the subsequent creation of a DNA database can be useful for solving crimes when the database contains DNA profiles from[9] from DNA samples[10] only from crime scenes, and is restricted to DNA profiles from individuals who might be repeat offenders. If a wide range of DNA profiles are added to the database, the effectiveness of the database decreases, and the likelihood of a false match increases as the ability to correctly identify a criminal depends on the number of crime scene DNA profiles on the database, and the number of false matches that occur is proportional to the number of comparisons made (more comparisons = more false matches).[11] This inverse relationship between the effectiveness of the DNA database and the size of the database was found in the UK when it was proven that the expansion of the UK DNA database did not help to solve more crimes, despite millions of profiles being added to the database.[12]

The current scope of the draft 2012 Bill is not limited to crimes for which samples can be taken and placed in the database. Instead the Bill creates indexes within every databank including: crime scene indexes, suspects index, offender’s index, missing persons index, unknown deceased persons’ index, volunteers’ index, and such other DNA indices as may be specified by regulations made by the Board.[13] How independent each of these indices are, is unclear. For example, the Bill does not specify when a profile is searched for in the database – if all indices are searched, or if only the relevant indices are searched, and the Bill requires that when a DNA profile is added to the databank, it must be compared with all the existing profiles.[14] The Bill also lists a range of offences for which DNA profiling will be applicable and DNA samples collected, and used for the identification of the perpetrator including, unnatural offences, individual identification, issues relating to assisted reproductive technologies, adultery, outraging the modesty of women etc.[15] Though the Bill is not incorrect in its list of offences where DNA profiling could be applicable, it is unclear if DNA profiles from all the listed offenses will be stored on the database. If it is the case that the DNA profiles will be stored, it would make the scope of the database too broad.

Unlike other types of identifiers, such as fingerprints, DNA can reveal very personal information about an individual, including medical history, family history and location.[16] Thus, having a DNA database with a broad scope and adding more DNA profiles onto a database, increases the potential for misuse of information stored on the database, because there is more opportunity for profiling, tracking of individuals, and access to private data. In its current form, the Bill protects against such misuse to a certain extent by limiting the information that will be stored with a DNA profile and in the indices,[17] but the Bill does not make it clear if the DNA profiles of individuals convicted for a crime will be stored and searched independently from other profiles. Additionally, though the Bill limits the use of DNA profiles and DNA samples to identification of perpetrators,[18] it allows for DNA profiles/DNA samples and related information related to be shared for creation and maintenance of a population statistics database that is to be used, as prescribed, for the purpose of identification research, protocol development, or quality control provided that it does not contain any personally identifiable information and does not violate ethical norms.”[19]

An indication of the possibility of how a DNA database could be misused in India can be seen in the CDFD’s stated objectives, where it lists "to create DNA marker databases of different caste populations of India."[20] CDFD appears to be collecting this data by requiring caste and origin of state to be filled in on the identification form that is submitted with any DNA sample.[21] Though an argument could be made that this information could be used for research purposes, there appears to be no framework over the use of this information and this objective. Is the information stored along with the DNA sample? Is it used in criminal cases? Is it revealed during court cases or at other points of time?

Similarly, in the Report of the Working Group for the Eleventh Five Year Plan, it lists the following as a possible use of DNA profiling technology:

"Human population analysis with a view to elicit profiling of different caste populations of India to use them in forensic DNA fingerprinting and develop DNA databases."[22]

This objective is based on the assumption that caste is an immutable genetic trait and seems to ignore the fact that individuals change their caste and that caste is not uniformly passed on in marriage. Furthermore, using caste for forensic purposes and to develop DNA databases could far too easily be abused and result in the profiling of individuals, and identification errors. For example, in 2011 the UK police, in an attempt to catch the night stalker Delroy Grant, used DNA to (incorrectly) predict that he originated from the Winward Islands. The police then used mass DNA screenings of black men. The police initially eliminated Delroy Grant as a suspect because another Delroy Grant was on the DNA database, and the real Delroy Grant was eventually caught when the police pursued more traditional forms of investigation.[23]

Other uses for DNA databases and DNA samples in India have been envisioned over the years. For example, in 2010 the state of Tamil Nadu sought to amend the Prisoners Identification Act 1920 to allow for the establishment of a prisoners’ DNA database – which would require that any prisoner’s DNA be collected and stored.[24] In another example, the home page of BioAxis DNA Research Centre (P) Limited, a private DNA laboratory offering forensic services states,

"In a country like India which is densely populated there is huge requirement for these type of databases which may help in stopping different types of fraud like Ration card fraud, Voter ID Card fraud, Driving license fraud etc. The database may help the Indian police to differentiate the criminals and non criminals."[25] Not only is this statement incorrect in stating that a DNA database will differentiate between criminals and non-criminals, but DNA evidence is not useful in stopping ration card fraud etc. as it would require that DNA be extracted and authenticated for every instance of service. In 2012, the Department of Forensic Medicine and Toxicology at AFMC Pune proposed to establish a DNA data bank containing profiles of armed forces personnel.[26] And in Uttar Pradesh, the government ordered mandatory sampling for DNA fingerprinting of dead bodies.[27] These examples raise important questions about the scope of use, collection and storage of DNA profiles in databases that the Bill is silent on.

The assumption in the Bill that DNA evidence is infallible is another point of contention. The preamble of the Bill states that, "DNA analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead with any doubt."[28]

This statement ignores the possibility of false matches, cross-contamination, and laboratory error[29] as DNA evidence is only as infallible as the humans collecting, analysing, and marshalling the evidence. These mistakes are not purely speculative, as cases that have relied on DNA as evidence in India demonstrate that the reliability of DNA evidence is questionable due to collection, analysis, and chain of custody errors. For example, in the Aarushi murder case the forensic expert who testified failed to remember which samples were collected at the scene of the crime[30] in the French diplomat rape case, the DNA report came out with both negative and positive results;[31] and in the Abhishek rape case the DNA sample had to be reanalysed after initial analysis did not prove conclusive.[32] Yet the Bill does not mandate a set of best practices that could help in minimising these errors, such as defining what profiling system will be used nationally, and defining specific security measures that must be taken by DNA laboratories – all of which are currently left to be determined by the DNA board.[33]

The assumption in the preamble that DNA can establish if a relationship exists between two individuals without a doubt is also misleading as it implies that the use of DNA samples and the creation of a database will increase the conviction rate, when in actuality the exact number of accurate convictions resulting purely from DNA evidence is unknown, as is the number of innocent people who are falsely accused of a crime based on DNA evidence in India. This misconception is reflected on the website of the Department of Biotechnology’s information page for CDFD where it states:

"…The DNA fingerprinting service, given the fact that it has been shown to bring about dramatic increase in the conviction rate, will continue to be in much demand. With the crime burden on the society increasing, more and more requests for DNA fingerprinting are naturally anticipated. For example, starting from just a few cases of DNA fingerprinting per month, CDFD is now handling similar number of cases every day."[34]

In addition to the claim that the DNA fingerprinting service has shown a dramatic increase in the conviction rate, is not supported by evidence in this article, according to the CDFD 2010-2011 annual report, the centre analysed DNA from 57 cases of deceased persons, 40 maternity/paternity cases, four rape and murder cases, eight sexual assault cases, and three kidney transplantation cases.[35] This is in comparison to the 2006 – 2007 annual report, which quoted 83 paternity/maternity dispute cases, 68 identification of deceased, 11 cases of sexual assault, eight cases of murder, and two cases of wildlife poaching.[36] From the numbers quoted in the CDFD annual report, it appears that paternity/maternity cases and identification of the deceased are the most frequent types of cases using DNA evidence.

Other concerns with the Bill include access controls to the database and rights of the individual. For example, the Bill does not require that a court order be issued for access to a DNA profile, and instead leaves it in the hand of the DNA bank manager to determine if communication of information relating to a match to a court, tribunal, law enforcement agency, or DNA laboratory is appropriate.[37]

Additionally, the Data Bank Manager is empowered to grant access to any information on the database to any person or class of persons that he/she considers appropriate for the purposes of proper operation and maintenance or for training purposes.[38] The low standards for access that are found in the Bill are worrisome as the possibility for tampering of evidence and analysis is increased.

The Bill is also missing important provisions that would be necessary to protect the rights of the individual. For example, individuals are not permitted a private cause of action for the unlawful collection, use, or retention of DNA, and individuals do not have the right to access their own information stored on the database.[39] These are significant gaps in the proposed legislation as it restricts the rights of the individual.

In conclusion, India could benefit from having a legislation regulating, standardising, and harmonising the use, collection, analysis, and retention of DNA samples for crime-related purposes. The current 2012 draft of the Bill is a step in the right direction, and an improvement from the 2007 DNA Profiling Bill. The 2012 draft draws upon best practices from the US and Canada, but could also benefit from drawing upon best practices from countries like Scotland. Safeguards missing from the current draft that would strengthen the Bill include: limiting the scope of the DNA database to include only samples from a crime scene for serious crimes and not minor offenses, requiring the destruction of DNA samples once a DNA profile is created, clearly defining when a court order is needed to collect DNA samples, defining when consent is required and is not required from the individual for a DNA sample to be taken, and ensuring that the individual has a right of appeal.

[1]. Law Commission of India. Review of the Indian Evidence Act 1872. Pg. 43 Available at: http://lawcommissionofindia.nic.in/reports/185thReport-PartII.pdf. Last accessed: October 9th 2012.
[2]. Section 53. The Criminal Code of Procedure, 1973. Available at: http://www.vakilno1.com/bareacts/crpc/s53.htm. Last accessed October 9th 2012.
[3]. Department of Biotechnology. Ministry of Science & Technology GOI. Annual Report 2009 – 2010. pg. 189. Available at: http://dbtindia.nic.in/annualreports/DBT-An-Re-2009-10.pdf. Last Accessed October 9th 2012.
[4]. Chhibber, M. Govt Crawling on DNA Profiling Bill, CBI urges it to hurry, cites China. The Indian Express. July 12 2010. Available at: http://www.indianexpress.com/news/govt-crawling-on-dna-profiling-bill-cbi-urges-it-to-hurry-cites-china/645247/0. Last accessed: October 9th 2012.
[5]. Perspective Plan for Indian Forensics. Final report 2010. Table 64.1 -64.3 pg. 264-267. Available at: http://mha.nic.in/pdfs/IFS%282010%29-FinalRpt.pdf. Last accessed: October 9th 2012. And CBI Manual. Chapter 27. Available at: http://mha.nic.in/pdfs/IFS%282010%29-FinalRpt.pdf. Last accessed: October 9th 2012.
[6]. For example: International Forensic Sciences, DNA Labs India (DLI), Truth Labs and Bio-Axis DNA Research Centre (P) Limited.
[7]. Draft Human DNA Profiling Bill 2012. Introduction.
[8]. Id. section 12(a-z)
[9]. Id. Definition l. “DNA Profile” means results of analysis of a DNA sample with respect to human identification.
[10]. Id. Definition m. “DNA sample” means biological specimen of any nature that is utilized to conduct CAN analysis, collected in such manner as specified in Part II of the Schedule.
[11]. The UK DNA database and the European Court of Human Rights: Lessons India can learn from UK mistakes. PowerPoint Presentation. Dr. Helen Wallace, Genewatch UK. September 2012.
[12]. Hope, C. Crimes solved by DNA evidence fall despite millions being added to database. The Telegraph. November 12th 2008. Available at: http://www.telegraph.co.uk/news/uknews/law-and-order/3418649/Crimes-solved-by-DNA-evidence-fall-despite-millions-being-added-to-database.html. Last accessed: October 9th 2012
[13]. Draft Human DNA Profiling Bill 2012. Section 32 (4(a-g))
[14]. Id. Section 35
[15]. Id. Schedule: List of applicable instances of Human DNA Profiling and Sources of Collection of Samples for DNA Test.
[16]. Gruber J. Forensic DNA Databases. Council for Responsible Genetics. September 2012. Powerpoint presentation.
[17]. Draft Human DNA Profiling Bill 2012. Section 32 (5)- 6)(a)-(b^[+] . Indices will only contain DNA identification records and analysis prepared by the laboratory and approved by the DNA Board, while profiles in the offenders index will contain only the identity of the person, and other profiles will contain only the case reference number.
[18]. Id. Section 39
[19]. Id. Section 40(c)
[20]. CDFD. Annual Report 2010-2011. Pg19. Available at: http://www.cdfd.org.in/images/AR_2010_11.pdf. Last accessed: October 9th 2012.
[21]. Caste and origin of state is a field of information that is required to be completed when an ‘identification form’ is sent to the CDFD along with a DNA sample for analysis. Form available at: http://www.cdfd.org.in/servicespages/dnafingerprinting.html
[22]. Report of the Working Group for the Eleventh Five Year Plan (2007 – 2012). October 2006. Pg. 152. Section: R&D Relating Services. Available at: http://planningcommission.nic.in/aboutus/committee/wrkgrp11/wg11_subdbt.pdf. Last accessed: October 9th 2012
[23]. Evans. M. Night Stalker: police blunders delayed arrest of Delroy Grant. March 24th 2011. The Telegraph. Available at: http://www.telegraph.co.uk/news/uknews/crime/8397585/Night-Stalker-police-blunders-delayed-arrest-of-Delroy-Grant.html. Last accessed: October 10th 2012.
[24]. Narayan, P. A prisoner DNA database: Tamil Nadu shows the way. May 17th 2012. Available at: http://timesofindia.indiatimes.com/india/A-prisoner-DNA-database-Tamil-Nadu-shows-the-way/iplarticleshow/5938522.cms. Last accessed: October 9th 2012.
[25]. BioAxis DNA Research Centre (P) Limited. Website Available at: http://www.dnares.in/dna-databank-database-of-india.php. Last accessed: October 10th 2012.
[26]. Times of India. AFMC to open DNA profiling centre today. February 2012. Available at:http://articles.timesofindia.indiatimes.com/2012-02-08/pune/31037108_1_dna-profile-dna-fingerprinting-data-bank. Last accessed: October 10th 2012.
[27]. Siddiqui, P. UP makes DNA sampling mandatory with postmortem. Times of India. September 4th 2012. Available at:http://articles.timesofindia.indiatimes.com/2012-09-04/lucknow/33581061_1_dead-bodies-postmortem-house-postmortem-report. Last accessed: October 10th 2012.
[28]. Draft DNA Human Profiling Bill 2012. Introduction
[29]. Council for Responsible Genetics. Overview and Concerns Regarding the Indian Draft DNA Profiling Bill. September 2012. Pg. 2. Available at: http://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf/view. Last accessed: October 9th 2012.
[30]. DNA. Aarushi case: Expert forgets samples collected from murder spot. August 28th 2012. Available at: http://www.dnaindia.com/india/report_aarushi-case-expert-forgets-samples-collected-from-murder-spot_1733957. Last accessed: October 10th 2012.
[31]. India Today. Daughter rape case: French diplomat’s DNA test is inconclusive. July 7th 2012. Available at: http://indiatoday.intoday.in/story/french-diplomat-father-rapes-daughter-dna-test-bangalore/1/204270.html. Last accessed: October 10th 2012.
[32]. The Times of India. DNA tests indicate Abhishek raped woman. May 30th 2006. Available at: http://articles.timesofindia.indiatimes.com/2006-05-30/india/27826225_1_abhishek-kasliwal-dna-fingerprinting-dna-tests. Last accessed: October 10th 2012.
[33]. Draft Human DNA Profiling Bill 2012. Section 18-27.
[34]. Department of Biotechnology. DNA Fingerprinting & Diagnostics, Hyderabad. Available at: http://dbtindia.nic.in/uniquepage.asp?id_pk=124. Last accessed: October 10 2012.
[35]. CDFD Annual Report 2010 – 2011.Pg.19. Available at: http://www.cdfd.org.in/images/AR_2010_11.pdf. Last accessed: October 10th 2012.
[36]. CDFD Annual Report 2006-2007.Pg. 13. Available at: http://www.cdfd.org.in/images/AR_2006_07.pdf. Last accessed: October 10th 2012.
[37]. Draft Human DNA Profiling Bill 2012. Section 35
[38]. Id. Section 41.
[39].Council for Responsible Genetics. Overview and Concerns Regarding the Indian Draft DNA Profiling Bill. September 2012. Pg. 9 Available at: http://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf/view. Last accessed: October 9th 2012.

For more details visit https://cis-india.org/internet-governance/blog/epw-web-exclusives-oct-27-2012-elonnai-hickok-rethinking-dna-profiling-india

Privacy Perspectives on the 2012 -2013 Goa Beach Shack Policy

elonnai — 2012-10-25T10:23:50Z

CCTVs in India are increasingly being employed by private organizations and the government in India as a way to increase security and prevent/ deter crime from taking place. When the government mandates the use of CCTV’s for this purpose, it often does so by means of a blunt policy mandate, requiring the installation of CCTV systems, but without any further clarification as to who should oversee the use of the cameras, what bodies should have access to the records, how access should be granted or obtained, and how long the recordings should be retained.

The lack of clarity and specificity in these requirements, the fact that these technologies are used in public spaces to collect undefined categories and amounts of information, and the fact that the technology can cut through space – and does not distinguish between private and public and primarily captures information where it is directed to, give rise to privacy concerns and raises fundamental questions about the ways in which technologies can be used to effectively increase security while still protecting the rights of individuals and the promotion of business.

An example of a blanket CCTV installation requirement from the government is seen in the 2012-2013 Goa Beach Shack Policy.[1] This blog will examine the shack policy from a privacy perspective, and how identification requirements are evolving. The blog will explore different principles by which surveillance technologies like CCTVs can be employed in order to promote effectiveness and protect the rights of individuals.

To help understand the current status of the Shack Policy and the extent of CCTV use in Goa, I spoke with a number of shack owners, cyber café owners, the Ministry of Tourism, and the Police of Goa. In this blog I do not use any direct quotes and write only from the perspective of my personal observations.

Current Status of the Shack Policy

This year, for the 2012-2013 tourist season, the Department of Tourism of Goa is implementing the Beach Shack Policy for regulating the establishment and running of temporary shacks at beaches in Goa. The policy applies only to the licensing, construction, maintenance, and demolition of temporary shacks on beaches owned by the government. The policy lays out requirements that must be submitted by applicants for obtaining a license and requirements relating to the operation of the shacks including size, security, health and safety, and noise control. Shacks, huts, hotels, etc. built on private land do not come under the scope of the policy. The shacks can only be bars and restaurants that can run from November 1^st through May 31^st, after which they must be taken down until the next season. The licensing of these shacks is to enable local employment opportunities in Goa. This can be seen by the requirement in the policy that Shacks are to be granted to only one member of the family who is unemployed.[2] Currently, the Ministry of Tourism has almost completed the allotment of shack spaces on all beaches in Goa. The police will assist in the enforcement of the policy, but their exact role is in the process of being clarified. Before the 2012-2013 policy, shacks were regulated by annual beach shack policies, which are not available online, but can be accessed through an RTI request to the Department of Tourism. Resistance to the policy has been seen by some because of concerns that the shacks will take away business from local private owners, will block fishing boats, will cause trash and sewage problems, and create issues for free movement of people on the beach.

Inside the policy:

Application Requirements

To apply for a license for a temporary shack, every application must be turned in by hand and must be accompanied by a residence certificate in original issued by Village Panchayat Municipality, attested copy of ration card, four copies of a recent colored passport photos with name written on the back, attested copy of birth certificate/passport copy/Pan Card and any other information that the applicant desires to furnish, and affidavit. In addition individuals must provide their name, address, telephone number, name of the shack, name of the beach stretch, nationality, experience, and any other information they wishes to provide.[3] These requirements are not excessive and have been kept to what seems minimally necessary for providing a license, though the option for individuals to provide any additional information they wish – could be used to convey meaningful information or extraneous information to the government.

Operational Requirements

The policy has a number of operational requirements for shack owners as well. For example owners must clearly display a self identifying photograph on the shack[4] and they must agree to assist the Tourism Department and Police department in stopping any crime and violation of any law along the Beach.[5]

The policy also requires that any person handling food must take a course conducted by IHMCT, GTDC, or Porvorim,[6] shacks must also be made out of eco friendly material as much as possible and the use of cement is banned,[7] and the proper disposal of trash and waste water will be the responsibility of the shack owner.[8] Furthermore, foreigners working in the shacks must have a work visa,[9] and loud music is not allowed to be played after 10:30 p.m.[10]

As noted in the introduction, each shack must install a CCTV surveillance system that provides real-time footage with an internal looping system in a non-invasive form. [11] But I got to understand that the CCTV requirement will be slowly introduced and will not be implemented this year due to resistance from shack owners. When the requirement is implemented, hopefully different aspects around the use of CCTVs will be clarified including: the retention period for the recordings, access control to the recordings, the responsibilities of the shack owner, where the camera will be set up and where it needs to be directed to, etc.

Currently in Goa there are official requirements for CCTVs to be installed in Cyber Cafes under section 144 of the CrPc. This requirement only came into effect on October 1st 2012.[12]Some private hotels, huts, and restaurants run CCTV cameras for their own security purposes. When asked if CCTVs will also become mandatory for private areas, some said this will happen, while others said it would be difficult to implement.

Enforcement

The policy uses a number of measures to ensure enforcement. For examples, successful applicants must place a security deposit of 10,000 with Director of Tourism. If any term of the policy is violated, the deposited amount will be given to the Government Treasury and the individual is required to pay another Rs. 10,000 to continue operating.[13]The placement of deck beds on the beach without authorization will also be treated as an offense under the Goa Tourist Places (protection and maintenance) Act 2001 and will be punished with a term of imprisonment minimum three months, which may extend to 3 years, and a fine which may extend to Rs. 5,000 or both. All offenses under the Act are cognizable and non-refundable. [14] If the shack is not dismantled at the end of the season, the individual will have their application rejected for the next three years.[15] Shack owners will also be penalized of they are caught discriminating against who can and cannot enter into the shack.[16]

Interestingly, though CCTV cameras can be used to ‘catch’ a number of offenses, the offenses that are penalized under the Act do not seem to require the presence of a CCTV camera. Additionally, the policy is missing penalties for the tampering and misuse of these cameras and unauthorized access to recordings.

Other practices around security and identification in Goa

In 2011 Goa also issued a new ‘C’ form that must be filled out by foreigners entering hotels.[17]

The form requires twenty six categories of information to be filled out including: permanent address, next destination to be proceeded to, contact number in hotel, purpose of visit, whether employed in India, and where the foreigner arrived from. According to hotel owners, three copies of these records are made. Two are submitted to the police and one is kept with the hotel. The records kept with the hotel are often kept for an undefined time period. In 2011 the police also enforced a new practice where every shack, hut, hotel etc. must have an all night security guard to ensure security on the beach. It was noted that registration of migrant workers is now mandatory, and that non-registered or undocumented vendors are removed from working on the beaches.

Will the 2012 – 2013 Beach Shack Policy have new implications?

In its current form, especially taking into consideration that the CCTV requirement will not be implemented immediately, the 2012 – 2013 shack policy does not seem alarming from a privacy perspective. On the general policy, though the penalties, such as the possibility of three months in prison for having too many beach chairs, seems to be over-reaching, there are a number of positive requirements in the policy such as the use of eco-friendly material, noise control, and strict procedures for disposing of trash and sewage.

The privacy perspective could change when CCTVs are implemented. The amount of data that would be generated and the ambiguity around the employment of the cameras could raise a number of privacy concerns. Yet the fact that this part of the policy will only be implemented later down the road seems indicative of both the shack owners discomfort in using the technology, and perhaps the government’s recognition that a certain level of ground work needs to be done before CCTVs are made mandatory for every shack in the state. Hopefully before the requirement is implemented, the ground work will be set up either at a national level – in the form of a national privacy legislation, or at the state level – in the form of appropriate safeguards and procedures built into the policy.

At the macro level, and when examined in the context of the growing use of CCTVs by private owners, the implementation of the UID and NPR requirements in Goa, and the introduction of the new ‘C’ form for foreigners, the CCTV requirement found in the Shack Policy seems to part of a growing trend across the country where the government seems to seek to identify all individuals and their movements/actions for unclear and undefined purposes, and looks towards identification through the collection of personal information and use of technology as a means to solve security issues.

For example, Goa is not the only city to consider mandatory installation of CCTV’s. In Delhi, the Department of Tourism issued a similar requirement in a 2012 amendment to the “existing Guidelines for Classification/Reclassification of Hotels”. According to the amendment hotels applying for approval are required to provide documentation that security features including CCTV systems are in place.[18] Similarly, in 2011 the Delhi State Industrial and Infrastructure Development Corporation began implementing a plan to install CCTVs outside of government and private liquor shops, amounting to 550 shops in total. The goal was to use the CCTV cameras to catch individuals breaking the Excise Act on camera and use the recordings during trials. According to news coverage, the cameras are required to be capable of recording images 50 meters away and all data must be stored for a period of 30 days.[19]

The ambiguity that exists around the legal use of many of these security systems and technologies, including CCTV’s was recently highlighted in Report of the Group of Experts on Privacy headed by Justice A.P Shah.[20] The report noted that the use of CCTV cameras and more broadly the use of electronic recording devices in India is an area that needs regulation and privacy safeguards. The report describes how the nine proposed national privacy principles of notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, and openness, could be applied and will be affected by the use of these technologies.[21]

Conclusion

In India and elsewhere, the police are faced on a daily basis with the challenge of preventing and responding to all types of crime, and from this perspective – any information, clue, or lead is helpful and necessary, and the potential usefulness of CCTVs in identifying criminals and to some extent deterring crime is clear. On the other hand when CCTVs are employed without safeguards and regulations it could result in infractions of privacy and rights or could simply move the crime away from the surveilled area to an unsurveilled area.

Finding a way to ensure that police have access to the information that they need and that crime is prevented, while at the same time ensuring that the rights of individuals are not compromised, and the private sectors ability to easily do business is not limited by unrealistic security requirements, is an important discussion that governments, policy makers, and the public should be having. The answer hopefully is not found in a binary game of all or nothing, surveillance or no surveillance – but instead is found through mechanisms and principles that apply to both security and privacy such as transparency, oversight, proportionality, and necessity. For example, practices around what access the police legally have via surveillance systems, retention practices, cost of implementing surveillance, and amount of surveillance undertaken each year could be made transparent to the public to ensure that the public is informed and aware of the basic information around these systems. Furthermore, clear oversight over surveillance systems including distinction between the responsibilities and liabilities can ensure that unreasonable requirements are not placed. Lastly any surveillance that is undertaken should be necessary and proportional to the crime or threat that it is being used to prevent or detect. These principles along with the defined National Privacy Principles could help measure what amount and what type of surveillance could be the most effective, and ensure that when surveillance is employed it is done in a way that also protects the rights of individuals and the private sector.

Notes
[1].Ministry of Tourism. Goa Government. 2012-2013 Beach Shack Policy. Available at: http://bit.ly/Xk18NH. Last accessed: October 24th 2012.
[2]. Id. Section 2.
[3]. Id. Application Requirements 1-8. Pg 1&2.
[4]. Section 33.
[5].A part of the affidavit
[6].Id. Section 4.
[7]. Id. Section 17.
[8].Id. Section 28.
[9]. Id. Section 35.
[10].Id. Section 37.
[11]. Id. Section 38.
[12]. Order No. 38/10/2006. Under Section 144 of the Code of Criminal Procedure, 1973. Available at: http:// www.goaprintingpress.gov.in/downloads/1213/1213-28-SIII-OG.pdf
[13]. Beach Shack Policy 2012 - 2013, Section 16.
[14]. Id. Section 18.
[15]. Id. Section 22.
[16]. Id. Section 32.
[17]. Arrival Report of Foreigner in Hotel.”Form C” . Available at: http://bit.ly/TbUO4S
[18]. Government of India. Ministry of Tourism. Amendment in the existing Guidelines for Classification / Reclassification of Hotels. June 28^th 2012. Available at: http://bit.ly/RXtgBg. Last Accessed: October 24th 2012.
[19]. Bajpaj, Ravi. CCTV shots to check drinking outside city liquor vends. The Indian Express reproduced on the website of dsidc. December 20^th 2011. Available at: http://bit.ly/VHwCzd. Last accessed: October 24th 2012.
[20]. GOI. Report of the Group of Experts on Privacy. October 2012. Available at: http://bit.ly/VqzKtr. Last accessed: October 24th 2012.
[21]. Id. pg. 61-62.

For more details visit https://cis-india.org/internet-governance/blog/privacy-perspectives-on-the-2012-2013-goa-beach-shack-policy

Panel suggests law to protect individual privacy

praskrishna — 2012-10-22T14:37:28Z

A government-appointed expert panel Thursday called for a law to protect individual privacy against misuse of information collected by various agencies, public and private, and through various methods like telephone tapping.

Published in Newstrack India on October 18, 2012.

Concerns have been voiced by various quarters in the country on the possible invasion of citizen's privacy guaranteed under Article 21 of the Constitution through national programmes like Unique Identification number, reproductive rights of women, DNA profiling and brain mapping which will be implemented through the information, communication and technology (ICT) platforms.

Minister of State for Planning Ashwani Kumar last year had constituted the experts group to identify the privacy issues and prepare a report to facilitate authoring of the privacy bill.

The group, headed by former Delhi High Court Chief Justice A.P. Shah, recommended setting up of a regulatory framework comprising Privacy Commissioners at the centre and regional levels to deal with privacy issues and mandatory destruction of telephone conversation after a specified period.

As regards the specific issue of phone tapping, it said "interception orders must be specific and all interceptions would only be in force for a period of 60 days and renewed for a period up to 180 days".

It suggested that the records of the conservation should be destroyed by security agencies and telephone service providers within stipulated time frame.

"Records of interception must be destroyed by security agencies after six months or nine months and service providers must destroy after two or six months," it said.

Acccording to an official release, the following are some of the major recommendations made in the panel's report:

The regulatory framework will consist of Privacy Commissioners at the Central and Regional levels.

A system of co-regulation that will give self-regulating organizations at industry level choice to develop privacy standards which should be approved by a Privacy Commissioner.

Individuals would be given the choice (opt-in/opt-out) with regard to providing their personal information and the data controller would take individual consent only after providing inputs of its information practices.

The data controller shall only collect personal information from data subjects as is necessary for the purposes identified for such collection as well as process the data relevant to the purpose for which they are collected.

The data collected would be put to use for the purpose for which it has been collected. Any change in the usage would be done with the consent of the person concerned.

Data collected and processed would be relevant for the purpose and no additional data elements would be collected from the individual.

Interception orders must be specific and all interceptions would only be in force for a period of 60 days and renewed for a period up to 180 days. Records of interception must be destroyed by security agencies after 6 months or 9 months and service providers must destroy after 2 months or 6 months.

Infringement of any provision under the Act would constitute an offence by which individuals may seek compensation for an organization/bodies held accountable to.

Note: CIS was part of the expert committee even though not explicitly mentioned.

For more details visit https://cis-india.org/news/newstrackindia-october-18-2012-suggests-law-to-protect-individual-privacy

The Public Voice: Privacy Rights are a Global Challenge

praskrishna — 2012-10-22T14:28:09Z

October 21, 2012 is an important day for global civil society defending privacy and free speech. The Public Voice coalition will be hosting a global conference in Punta del Este, Uruguay, and you are invited to take part in the conversation and interact with the panelists. Malavika Jayaram is speaking at this event.

You can follow the live conversation here, and join the conversation by using #thepublicvoice hashtag, ask questions, participate in polls and interact with those covering the event in several languages. The conference aims to assess cultures and privacy perspectives from around the World, and members of civil society wil discuss the spread of Surveillance Technologies and its implications in societies, experts will explore Latin American policy, law, and technology perspectives on privacy governance and suggest to governments and private sector to safeguard citizens privacy.

You can read the program and follow the live Webcast in English and Spanish.

During the day the panelists will assess cultures and privacy perspectives from around the world. They will raise public awareness of surveillance technology and its consequences to consumers, for freedom of expression and human rights, and they will explore Latin American policy, law, and technology perspectives. It is the small window civil society has before the 34th International Conference of Data Protection and Privacy Commissioners comprising all the governmental agencies all over the World, webcast available here. It certainly can bring the relevant topics for citizens to the discussion table. I hope you join us.

For more details visit https://cis-india.org/internet-governance/events/privacy-rights-are-a-global-challenge

Privacy law mooted to protect people against misuse of info

praskrishna — 2012-10-22T10:25:53Z

A government-appointed expert group today suggested enactment of a law to protect individuals against misuse of information collected through telephone tapping, videography or any other method.

Read the original published in the Business Standard on October 18, 2012.

The group headed by former Delhi High Court Chief Justice A P Shah recommended setting up of a regulatory framework comprising Privacy Commissioners at the Centre and regional levels to deal with privacy issues and mandatory destruction of telephone conversation after a specified period.

The group, set up by Minister of State for Planning Ashwani Kumar in September 2011, suggested that the records of the conversation should be destroyed by security agencies and telephone service providers within stipulated time frame.

"Records of interception must be destroyed by security agencies after six months or nine months and service providers must destroy after two or six months," it said.

The proposed law seeks to protect individuals from misuse of data collected by agencies, whether in private or public sector. It said the data of individuals should be used only for the purpose for which it was collected.

The issues concerning privacy of individuals assume significance in view of the collection of data by multiple agencies, government as well as private, for different purposes. At present, data is being collected under programmes like Aadhar, Know Your Customer (KYC) norms, recordings of telephone conversation, DNA profiling, brain mapping, etc.

The group, Kumar said, "has evaluated what is happening in the other country and what is the constitutional position in India... How imperatives of national security and right to privacy of individual can be harmonised".

Note: The Centre for Internet & Society was part of the expert committee even though it is not explicitly mentioned.

For more details visit https://cis-india.org/news/business-standard-october-18-2012-privacy-law-mooted-to-protect-people-against-misuse-of-info

Experts' committee moots law to protect privacy

praskrishna — 2012-10-22T10:18:34Z

In its report submitted to the Planning Commission on Thursday, the first ever experts’ group to identify the privacy issues and prepare a report to facilitate authoring of the privacy bill, has said that existing laws have created an ‘unclear regulatory regime’ which allows a state to be intrusive.

Saikat Datta's article was published in DNA on October 19, 2012

The report has been prepared by experts led by justice AP Shah, former chief justice of the Delhi high court.

In its exceptions to the proposed law on privacy, the experts’ group has recommended that national security, public order and disclosures made in ‘public interest’ will be exempted from the limitations of privacy. Several members of the group unsuccessfully argued to bring in the Intelligence agencies which are empowered to legally tap phones, intercept emails and conduct surveillance on citizens under the ambit of the Privacy Act.

The report, a copy of which is available with DNA, recognises that there are major differences in the existing laws that permit intrusive phone-tapping or surveillance of private citizens by the government.The group feels that “these differences have created an unclear regulatory regime that is inconsistent, non-transparent, and prone to misuse and does not provide remedy or compensation to aggrieved individuals.”

Therefore, the group has recommended that when the government conducts any intrusive surveillance like phone tapping, it must adhere to the principles of proportionality, legality and remain within the boundaries of a democratic state.

“The limitation (on tapping phones, etc) should be in proportion to the harm that has been caused or will be caused,” the report states.

Interestingly, the report also exempts the disclosure of personal or private information for journalistic or historical and scientific purposes from being curbed under the proposed Privacy Act. Interestingly, this will give journalists a legal cover from being hauled up under the proposed privacy laws when they file stories.

The government is keen to enact a privacy law quickly because of two major issues. The fallout of the leakage of the tapes of Niira Radia speaking to industry heads like Ratan Tata which led to a renewed clamour for a comprehensive Privacy Act. Ironically, anything related to phone-tapping has now been left out of the provisions of such an Act.

The other reason was the pressure from the industry that is keen to get business from abroad that deals with sensitive personal data. In the absence of any personal data protection laws, Indian companies were not getting any business from European or American firms. With this law, India can look forward to getting substantial business that involves personal data.

With this framework in mind the experts’ group has recommended that notice be given to any individual from whom personal information will be sought. With intrusive government projects like the UID or the NATGRID, the group was worried that this kind of massive data in the hands of the government could turn this into a police state.

It has also mandated that the choice and consent of the individual must be taken before collecting this information. Also, there has to be a limitation on collecting this information and anything that has been collected will use the data for only a limited purpose. A data controller should be appointed to collect, maintain and use the data under strict stipulations.

Therefore, the data controller will be made accountable for any lapse in handling or disclosure of the data. To ensure that this kind of control can be exercised, the group has suggested the appointment of privacy commissioners who will adjudicate on any matter of illegal disclosures and mete out server punishment.

Recommendations

National security, public order and disclosures made in ‘public interest’ will be exempted from the limitations of privacy
The limitation (on tapping phones, etc) should be in proportion to the harm caused or will be caused
Disclosure of personal or private information for journalistic or historical and scientific purposes should be exempted from being curbed under the proposed Act
Notice be given to individual from whom information has to be sought
A data controller should be appointed to collect, maintain and use the data
Privacy commissioners who will adjudicate on any matter of illegal disclosures be appointed

Note: The Centre for Internet & Society was part of the expert committee even though not explicitly mentioned.

For more details visit https://cis-india.org/news/dna-india-october-19-2012-saikat-datta-experts-committee-moots-law-to-protect-privacy

Govt panel wants curbs on phone taps

praskrishna — 2012-10-22T09:57:05Z

A government-appointed panel on Thursday recommended several measures, including guidelines on interception of telephonic conversations, video and audio recordings, use and storage of data as well as setting up of dispute resolution entities at Centre and state-level to protect the privacy of individuals.

Read the original published in the Times of India on October 19, 2012.

The group led by former Delhi High Court chief justice A P Shah was set up by the Planning Commission to identify privacy issues and prepare a document to facilitate the proposed Privacy Act.

The group was set after concerns were raised about the impact on privacy of individuals with the emergence of several national programmes such as Unique Identification number, NATGRID, DNA profiling, Reproductive Rights of Women, privileged communications and brain mapping, most of which will be implemented through information and communication technology (ICT) platforms.

The panel recommended that reasons for interception must be specified and be recorded in writing and the provisions establish conditions for authorization by the competent authority. It said that all interceptions can be in force for 60 days and renewed for not more than 180 days. The panel said records of interception be destroyed by the security agencies after six months or nine months and service providers must destroy records after two months or six months. It also said that intermediaries must provide an internal check to ensure the security, confidentiality and privacy of intercepted material, and intermediaries would be held legally responsible for any unauthorized access or disclosure of intercepted materials.

The panel said the proposed Act should extend the right of privacy to individuals and bring under its regulation data controllers, which includes all corporates, public/ governmental bodies and organizations. Minister of State for Planning Ashwani Kumar said, "The group has evaluated what is happening in the other country and what is the constitutional position in India... how imperatives of national security and right to privacy of individual can be harmonized."

It said the Act should clarify that publication of personal data for artistic and journalistic purposes in public interest, use of personal information for household purposes and disclosure of information as required by the RTI Act should not constitute an "infringement of privacy".

The proposed Privacy Act should also articulate national privacy principles. The principles will extend and be binding to all private/ public data controllers. It said the principles must establish safeguards and procedures over the collection, processing, storage, retention, access, disclosure, destruction of sensitive personal information, personal identifiable information and identifiable information.

The Act should establish the Central office of the privacy commissioner, regional level privacy commissioner, self regulating organizations at the industry level and data controllers and privacy officers if required at the organization level, the report recommended.

The panel also recommended that the infringement of any provision under the Act should constitute as an "offence" and individuals may seek "compensation" from organizations/ bodies held accountable.

The group agreed that any proposed framework for privacy legislation must be technologically neutral and interoperable with international standards. "Specifically, the Privacy Act should not make any reference to specific technologies and must be generic enough such that principle and enforcement mechanisms adaptable to changes in society, the market place, technology and government," the report said.

Note: The Centre for Internet & Society was part of the expert committee even though not explicitly mentioned.

For more details visit https://cis-india.org/news/times-of-india-october-19-2012-govt-panel-wants-curbs-on-phone-taps

Privacy Act should not circumscribe RTI: expert group

praskrishna — 2012-10-22T09:36:49Z

An expert group to draw the framework of a law to protect privacy of individuals has suggested that issues of personal privacy must not be used to dilute the provisions of or block information under the Right to Information Act, and used a language that almost directly contradicts the sentiments expressed by the Prime Minister in this regard just a few days ago.

This article by Amitabh Sinha was published in the Indian Express on October 19, 2012.

The group headed by Justice (retd) A P Shah has argued that the RTI Act already has provisions that protect the privacy, and such types of information are exempt from public disclosure. “When applied, the (proposed) Privacy Act should not circumscribe the Right to Information Act,” the report of the expert group, which was made public on Thursday, said.

“Section 8 of the (RTI) Act lists specific types of information that are exempted from public disclosure in order to protect privacy. In this way, privacy is the narrow exception to the Right to Information,” the report said.

Interestingly, just earlier this week, while inaugurating an annual convention of information commissioners, Prime Minister Manmohan Singh had made the opposite argument. “There is a fine balance required to be maintained between the Right to Information and the right to privacy, which stems out of the Fundamental Right to Life and Liberty,” he had said.

“The citizens’ right to know should definitely be circumscribed if disclosure of information encroaches upon someone’s personal privacy. But where to draw the line is a complicated question,” he had said.

Sibngh’s remarks had come at a time when questions were being asked about whether government money had been spent on foreign trips and medical treatment of UPA chairperson Sonia Gandhi. The government had clarified that no public money had been spent on either of the two.

The expert group under Justice Shah was constituted at the initiative of Minister of State for Planning Ashwani Kumar after an attempt by the Department of Personnel and Training (DoPT) last year to draft a privacy bill ended in a disaster. The expert group was only asked to draw up the broad contours of what a privacy law must comprise of. It has drawn from international experiences and presented nine ‘principles’ that must be accommodated in any future privacy law.

The group also recognises that the constitutional basis of privacy as “a fundamental right deriving from Article 21 of the Constitution of India”.

The report deals mainly with how the extensive collection of personal data — through government institutions like Census, NATGRID, UID, or through private agencies like banks, credit card companies or phone operators — must be stored, managed and eventually destroyed, if possible, without infringing on the privacy rights of an individual.

The report would now be referred to the DoPT which will then begin further consultation processes to make a fresh start at drafting a privacy law.

Suggestions on Tapping

The expert group has said that the system of telephone and other communication interception for security reasons has an “unclear regulatory regime that is inconsistent, non-transparent, prone to misuse, and that does not provide remedy or compensation to aggrieved individuals”. It has suggested the following:

All orders of interceptions must be reported to a court within 15 days, disclosing the reason for interception.
All interceptions must only be in force for 60 days, renewable up to a period of 180 days.
Reasons for interception order must be specified and recorded in writing by competent authority.
Records of interception must be destroyed by security agencies after six months, or nine months, and service providers must destroy records after two months, or six months.
All interception orders must be sent for review by a designated committee.
Officers to whom information relating to interception can be disclosed must be specified.
Intermediaries (like telephone operators) must ensure security, confidentiality and privacy of intercepted material, and must be held legally responsible for any unauthorized access or disclosure of intercepted material.

Note: The Centre for Internet & Society was part of the expert committee even though it is not explicitly mentioned here.

For more details visit https://cis-india.org/news/indianexpress-amitabh-sinha-october-19-2012-privacy-act-should-not-circumscribe-rti-expert-group

Bill to create bank for DNA profiling of accused coming

praskrishna — 2012-10-22T09:15:43Z

Access to data only for victim’s or suspect’s relatives.

This article by Aarthi Dhar was published in the Hindu on October 21, 2012.

A Bill to create a DNA data centre to profile people accused of serious crimes and unknown deceased is in the works. The proposal was originally mooted in 2007 but was dropped to factor in ethical, moral and legal issues on the sensitive matter.

Crafted by the Department of Biotechnology, it allows Deoxyribose Nucleic Acid (DNA) profiling for cases of culpable homicide, murder, death by negligence, miscarriage, dowry deaths, causing death of new born child, sexual assault, unnatural offences, outraging the modesty of a woman, co-habitation with a woman by deceit, adultery, enticing a married woman with criminal intent, among others.

Protecting privacy

Addressing issues related to protecting privacy of individuals, the draft Bill envisages that access to the information in the National DNA Data Bank will be restricted to those related to the victim or suspect; any individual undergoing a sentence of imprisonment or death sentence can apply to the court which convicted him, for an order of DNA testing of specific evidence under specific conditions.

The Human DNA Profiling Bill seeks to establish a DNA Profiling Board that will lay down the standards for laboratories, collection of human body substances and custody trail from collection to reporting. It also has a provision for setting up a National DNA Data Bank.

The DNA analysis of body substances that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and to establish the biological relationship, if any, between two individuals.

The “forensic material” from which the DNA sample can be lifted is biological material from the body and represents intimate body samples. They include blood, semen, or any other tissue fluid.

DNA Profiling Board

As envisaged in the Bill, the DNA Profiling Board at the national level, with similar structures at the State level, will be headed by a renowned molecular biologist with the other members being from police, legal, biological and related fields.

It will deliberate and advise on all ethical and human rights issues emanating out of DNA profiling in consonance with the United Nations vis-à-vis the rights and privacy of citizens, civil liberties and issues having ethical and other social implications.

The Board will make recommendations on the use and dissemination of DNA information, ensure the accuracy, security and confidentiality of DNA and guidelines destruction of obsolete, expunged or inaccurate information.

Jail, fine for data misuse

It will also will lay down standards and procedures for establishment and functioning of DNA laboratories and Data Banks and prepare guidelines for storage of biological substances and their destruction. Any misuse of DNA data will attract imprisonment up to three years and monetary fine.

The working draft of the Bill has been sent to the Centre for Internet and Society for analysis and comments. The Citizens Forum for Civil Liberties has already opposed the proposed legislation and sought pre-emptive intervention to stop “dangerous” erosion of privacy by DNA profiling of citizens.

In a representation submitted to the National Human Rights Commission, the Forum has said DNA profiling is “undesirable, particularly as forensic DNA developments are intertwined with significant changes in legislation and contentious issues of privacy, civil liberty and social justice.”

The Forum has sought “immediate intervention to safeguard citizens’ privacy and their civil liberties, which face an unprecedented onslaught from the provisions of the DNA Profiling Bill and other related surveillance measures being bulldozed by unregulated and ungovernable technology.”

For more details visit https://cis-india.org/news/the-hindu-aarti-dhar-october-21-2012-bill-to-create-bank-for-dna-profiling-of-accused-coming

Court’s approval needed to tap phones: Panel

praskrishna — 2012-10-22T07:02:34Z

Investigators can monitor a person for 15-20 days on executive orders in case of emergencies, suggests panel.

Surabhi Agarwal's article was published in LiveMint on October 18, 2012. Sunil Abraham is quoted.

Government agencies need judicial permission before intercepting any communication or starting surveillance of any individual, a panel on the proposed privacy law suggested on Thursday.

If there is any urgency, investigators can tap phones or monitor a person’s movements for 15-20 days on executive orders but will then have to approach the courts to continue, the committee led by retired Delhi high court judge Ajit P. Shah recommended.

“Phone tapping under the present regime is done under executive permission whereas in other countries it is done only with the permission of the courts,” Shah said.

Security agencies currently require permission from home secretaries, either at the Centre or the states, to set up wiretaps or monitor emails. An oversight group of the cabinet, law and telecom secretaries at the Centre reviews all such authorizations.

	The government established the Shah committee in Feburary under the Planning Commission to study international best practices on privacy and surveillance after concerns arose on misuse of information collected by official agencies. Shah said on Thursday that the committee was “not interested” in preparing a privacy law but has only laid down the principles. The department of personnel and training will deliberate on the panel’s recommendations and then draft a legislation, said Ashwani Kumar, junior minister in the Planning Commission.

The government established the Shah committee in Feburary under the Planning Commission to study international best practices on privacy and surveillance after concerns arose on misuse of information collected by official agencies.

Shah said on Thursday that the committee was “not interested” in preparing a privacy law but has only laid down the principles.

The department of personnel and training will deliberate on the panel’s recommendations and then draft a legislation, said Ashwani Kumar, junior minister in the Planning Commission.

The Shah panel has recommended appointing privacy commissioners and a system under which organizations will have to develop privacy standards that will be approved by a commissioner as a means of self-regulation.

Sectoral industry associations would form a code of conduct for companies that will comply with law as they will be approved by the privacy commissioner, according to Kamlesh Bajaj, chief executive officer of Data Security Council of India, one of the members of the committee. “These associations could also act as alternative dispute-resolution mechanisms,” Bajaj said.

The committee’s other recommendations include giving individuals a choice to provide personal information, collection of only critical personal information, use of data only for the purpose for which it has been collected, and a penalty for violations.

“Without a comprehensive horizontal regulatory framework and the office of the regulator both private and public entities in India have been trampling on the rights of citizens without complying to any of the international best practices when it comes to protecting the right to privacy,” said Sunil Abraham, executive director of Centre for Internet and Society, a Bangalore-based advocacy group. After the privacy law is enacted and the office of a privacy commissioner is created, people will be able to seek redressal against these erring pubic and private entities if their rights are violated, he added.

The government has been looking to enact a privacy law to ensure data collected by various programmes such as the National Population Register, Unique Identification Authority of India and National Intelligence Grid was not misused. It was expected to scotch criticism of these programmes by privacy and Internet activists. It later expanded the scope of the proposed legislation after catching flak for a leak of tapped conversations between corporate lobbyist Niira Radia, industrialists and journalists.

The government now aims to uphold the right of all Indians against any misuse of personal information, interception of personal communication, unlawful surveillance and unwanted commercial communication. That means it effectively covers everything from the misuse of data collected by the government to spam.

However, there could be opposition from law enforcement agencies if the privacy law mandates that prior permission of the courts will be required before intercepting communication.

If judges begin taking a call on interception requests, there could be chances of leakage, “since there are so many judges at so many levels”, said Rumel Dahiya, deputy director general at Institute of Defence Studies and Analyses, a New delhi-based think tank. “The government carries out surveillance to gain fool-proof intelligence. That purpose will be defeated.”

Last week, Prime Minister Manmohan Singh said a fine balance needs to be maintained between the right to information and the right to privacy.

The Shah committee included representatives from the private sector, the department of information technology, ministry of home affairs, department of telecommunication, the law ministry and the department of personnel and training.

Kirthi V. Rao contributed to this story.

For more details visit https://cis-india.org/news/livemint-october-18-2012-surabhi-agarwal-courts-approval-needed-to-tap-phones

Nine-point code set out to safeguard personal information

praskrishna — 2012-10-22T06:42:36Z

A. P. Shah panel lists exceptions; suggests privacy commissioners.

Published in Hindu Business Line on October 18, 2012.

The Justice A. P. Shah panel has recommended an over-arching law to protect privacy and personal data in the private and public spheres.

The report also suggested setting up privacy commissioners, both at the Central and State levels.

It has spelt out nine national privacy principles that could be followed while framing the law.

The report comes at a time when there is growing concern over unique identity numbers, DNA profiling, brain-mapping, etc, most of which will be implemented on the ICT platform.

The report has listed certain exceptions in the right to privacy such as national security, public order, disclosure in public interest, prevention, detection, investigation and prosecution of criminal offences and protection of the individual or of the rights of freedom of others.

In certain cases, historical or scientific research and journalistic purposes can also be considered as exceptions, says the report.

Networking sites

Referring to social networking sites and search engines, which have their own privacy code, Justice Shah said these will either have to follow the model provided in the proposed Act or have a self-regulatory mechanism approved by the privacy commissioner.

The report suggests harmonising the proposed privacy Act with the RTI Act. Responding to privacy infringement concerns, as aired by the Prime Minister recently, Justice Shah said RTI was the only law that gave statutory protection to privacy, which could be over-ridden only in certain cases for individuals, not companies.

Minister of State for Planning Ashwani Kumar said a privacy Act was necessary as in a democracy one had to ensure that "no one right is so exercised so as to infringe upon the rights of individuals."

The high-level panel submitted its report to the Planning Commission on Thursday. It will now be forwarded to the Department of Personnel and Training, which is already looking into the privacy law.

Note: The Centre for Internet & Society was a part of the expert committee even though it is not explicitly mentioned here.

For more details visit https://cis-india.org/news/the-hindu-business-line-oct-18-2012-nine-point-code-set-out-to-safeguard-personal-information

Privacy law mooted to protect people against misuse of info

praskrishna — 2012-10-22T06:35:42Z

A government-appointed expert group on Thursday suggested enactment of a law to protect individuals against misuse of information collected through telephone tapping, videography or any other method.

Published in Zee News on October 18, 2012.

The group, set up by Minister of State for Planning Ashwani Kumar in September 2011, suggested that the records of the conservation should be destroyed by security agencies and telephone service providers within stipulated time frame.

"Records of interception must be destroyed by security agencies after six months or nine months and service providers must destroy after two or six months," it said.

Note: The Centre for Internet & Society was part of the expert committee even though not explicitly mentioned here.

For more details visit https://cis-india.org/news/zee-news-october-22-2012-privacy-law-mooted-to-protect-people-against-misuse-of-info

Could better DNA testing facilities in India have saved the Talwars?

praskrishna — 2012-10-11T09:44:30Z

Over the last decade, the use of DNA tests to solve crimes has seen a significant rise in crime investigation in India. But forensic experts warn that the absence of standard practices, quality checks and regulation has resulted in irresponsible and inaccurate application of the technology.

This article by Pallavi Polanki was originally published in FirstPost on October 11, 2012. CIS press statement is mentioned.

The use of outdated technology and lack of expertise to competently collect and analyse DNA samples from the crime scene has compromised investigation and led to instances where courts have rejected DNA evidence as being unreliable or inconclusive.

Says GV Rao, DNA analyst and formerly chief staff scientist at the Hyderabad-based Centre For DNA Fingerprinting and Diagnostics (CDFD), “Today we are very much behind the rest of the World in upgradation of technology as required…Further, the backlog of cases is quite large in each of the DNA labs in India and not much is being done about it. Still we have not obtained or adopted the DNA techniques to identify difficult samples. The recent example of Bhanwari Devi case, where the CBI had to send the victim’s bones to FBI, USA for identification to get it identified. This is a sad reflection of the present status of DNA technology in India.”

Most recently, the demand for more advanced DNA tests to be conducted was unsuccessfully made by dentist couple Rajesh and Nupur Talwar, who have been charged with the murder of their teenage daughter Aarushi and domestic help Hemraj.

Perhaps, no other case has so fully exposed the pathetic state of the crime-scene investigation in India. With most of the crucial evidence either destroyed or contaminated due to shoddy police work, the prosecution’s case has come to depend entirely on circumstantial evidence, without a shred of material evidence to support it.

The police force’s lack of expertise to collect DNA evidence was flagged recently by senior scientist at the All India Institute of Medical Sciences (AIIMS) Anupama Raina at a public meeting by the Bangalore-based Centre for Internet and Society on the DNA profiling Bill, in the Capital.

Raina, speaking at the meeting, emphasized the usefulness of the technology but cautioned that the police were still perfecting the use of DNA samples for forensic purposes.

Elaborating on the inadequate training to cops on collecting DNA evidence, Rao said, “In India, there are no special crime case investigators. We have a law and order police station for each area and from bandobast duty to control crowds. It is a tall order expecting them to collect samples. In some states there are special teams which collect samples for DNA testing and then hand it over to the police….Till date none of the DNA labs have made any sample collection kits made available to police stations or other agencies.”

And what after the samples reach the DNA labs?

Painting a rather bleak picture of existing conditions under which many of the DNA labs are operating, Rao says “There is lack of standards, guidelines, accreditation, proficiency testing of the DNA labs and its experts. Each DNA lab is issuing DNA reports in its own style. Each DNA lab is again following different procedures for conducting the test. ”

“No proper records of the tests conducted are being maintained for production in a court of law for its inspection. DNA experts are not being tested for their proficiency in their expertise by a third party and presently they are getting away with such minimal expertise,” he said.

Will the new draft DNA Profiling Bill fix the problems that beset the use of DNA evidence for forensic purposes in India? And what is the context to the draft DNA profiling bill?

“India currently does not have a legislation specifically regulating the collection, use, and storage of DNA samples for forensics purposes. To address this gap, in 2007 a draft DNA Profiling Bill was created by the Centre for DNA Fingerprinting and Diagnostics. In February 2012 a new draft of the bill from the department of biotechnology was been leaked. The draft Bill envisions creating state level DNA databases that will feed into a national level DNA database for the purposes of solving crime.” (Read the full press statement by CIS here)

Raina endorsed the passing of the bill but with necessary safe-guards. The Bill has raised a degree of alarm for its sweeping proposals to collect DNA profiles and create DNA databases – a move experts believe violates the privacy of citizens.

Helen Wallace, director of GeneWatch UK (a not-for-profit group that monitors developments in genetic technologies from a public interest perspective), who participated in the public meeting on the DNA profiling bill, underlined the absence of a clear purpose for the DNA profiling system as proposed by the bill and its lack of clarity on the collection policy that wishes to profile not just those involved in criminal cases but also civil cases.

Jeremy Gruber, president and executive director of the US-based Council for Responsible Genetics, also warned against the bill’s blind faith in DNA results as the gospel truth and ignoring very real possibilities of false matches, cross-contamination and laboratory errors.

Expressing his disappointment with the draft bill, Rao said, “Unfortunately this bill does not provide for standardization, quality control and regulation except for collection of DNA samples of everybody involved in all civil and criminal cases, including suspects… We need standards, protocols, guidelines, amendments to IPC and CrPC for effective implementation of DNA testing.”

For more details visit https://cis-india.org/news/first-post-pallavi-polanki-oct-11-2012-could-better-dna-testing-facilities-in-india-have-saved-the-talwars