We are anonymous, we are legion

CIS Cybersecurity Series (Part 22) - Anonymous

purba — 2015-07-13T13:40:42Z

CIS interviews a Tibetan security researcher and information activist, as part of the Cybersecurity Series. He prefers to remain anonymous.

"I don't know technology but I am aware of the information people share with me. So yes, they can track you down through your mobile phone. The last time I was in Nepal, I met a westerner. We went to this restaurant and she asked me to take the battery out of the phone. That was the first time I had heard of this and so when I asked why she said that it is possible that people had followed us and it has happened to other Tibetans in Nepal..."

Centre for Internet and Society presents its twenty second installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-22-anonymous

CIS Cybersecurity Series (Part 21) – Gyanak Tsering

purba — 2014-09-06T05:08:44Z

CIS interviews Gyanak Tsering, Tibetan monk in exile, as part of the Cybersecurity Series.

“I have three mobile phones but I use only one to exchange information to and from Tibet. I don't give that number to anyone and nobody knows about it. High security forces me to use three phones. Usually a mobile phone can be tracked easily in many ways, especially by the network provider but my third mobile phone is not registered so that makes sure that the Chinese government cannot track me. The Chinese have a record of all mobile phone numbers and they can block them at anytime. But my third number cannot be traced and that allows me to communicate freely. This is only for security reasons so that my people in Tibet don't get into trouble.”

Centre for Internet and Society presents its twenty-first installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

Gyanak Tsering is a Tibetan monk in exile, studying at Kirti Monastery, Dharamshala. He came to India in 1999, and has been using the internet and mobile phone technology, since 2008, to securely transfer information to and from Tibet. Tsering adds a new perspective to the cybersecurity debate and explains how his personal security is interlinked with internet security and mobile phone security.

Video

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-21-gyanak-tsering

CIS Cybersecurity Series (Part 20) – Saumil Shah

purba — 2014-09-06T05:03:00Z

CIS interviews Saumil Shah, security expert, as part of the Cybersecurity Series.

“If you look at the evolution of targets, from the 2000s to the present day, the shift has been from the servers to the individual. Back in 2000, the target was always servers. Then as servers started getting harder to crack, the target moved to the applications hosted on the servers, as people started using e-commerce applications even more. Eventually, as they started getting harder to crack, the attacks moved to the user's desktops and the user's browsers, and now to individual user identities and to the digital personas.”

Centre for Internet and Society presents its twentieth installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

Saumil Shah is a security expert based in Ahmedabad. He has been working in the field of security and security related software development for more than ten years, with a focus on web security and hacking.

Video

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-20-saumil-shah

CIS Cybersecurity Series (Part 14) – Menaka Guruswamy

purba — 2014-07-21T10:39:03Z

CIS interviews Menaka Guruswamy, lawyer at the Supreme Court of India, as part of the Cybersecurity Series.

"The courts have rarely used privacy to stop the Indian state from getting into someone's business. So jurisprudentially, it is a weak challenge when you mount a rights based or a privacy right challenge against surveillance by the state. Because the answer of the state to that has always been, and as has been Obama's answer in the United States, that there are national security concerns. And usually national security will trump individual privacy."

Centre for Internet and Society presents its fourteenth installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

Menaka Guruswamy practices law at the Supreme Court of India. She was a Rhodes Scholar at Oxford University, and a Gammon Fellow at Harvard Law School, and a gold medalist from the National Law School of India. She has law degrees from all three schools, with a focus on Constitutional Law and Public International Law. Guruswamy has worked at the Office of the Attorney General of India, the highest office that represents the federal government of India in the Supreme Court of India.

http://youtu.be/GCDD6Z-UrGI

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/cis-cybersecurity-series-part-14-2013-menaka-guruswamy

CIS Cybersecurity Series (Part 13) - Pranesh Prakash

purba — 2014-01-20T06:20:44Z

CIS interviews Pranesh Prakash, lawyer and policy director with Centre for Internet and Society, as part of the Cybersecurity Series.

"When it comes to things cyber we completely lose our sense of proportion. While killing someone by negligence only attracts two years of punishment, saying something that people can define "offensive" attracts even more under 66A of the Information Technology Act. Something that can be a nuisance, under the Criminal Laws, can attract up to six months punishment, whereas under the IT act, it is up to three years..." - Pranesh Prakash, lawyer and policy director, Centre for Internet and Society

Centre for Internet and Society presents its thirteenth installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

Pranesh is a Policy Director with the Centre, and is a graduate of the National Law School of India University, Bangalore, with a degree in Arts and Law.

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/cis-cybersecurity-series-part-13-pranesh-prakash

CIS Cybersecurity Series (Part 12) - Namita Malhotra

purba — 2013-11-18T10:03:29Z

CIS interviews Namita Malhotra, researcher and lawyer at Alternative Law Forum, Bangalore, as part of the Cybersecurity Series.

"In a strange mix of how both capitalism and state control work, what is happening is that more and more of these places that one could access, for various reasons, whether it is for ones own pleasure or for political conversations, are getting further and further away from us. And I think that that mix of both corporate interests and state control is particularly playing a role in this regard." - Namita Malhotra, researcher and lawyer, Alternative Law Forum

Centre for Internet and Society presents its twelfth installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

Namita Malhotra is a researcher and lawyer at Alternative Law Forum (ALF). She has a keen interest in working on law, technology and media through legal research, cultural studies, new media practices and film making.

ALF homepage: www.altlawforum.org

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-12-namita-malhotra

CIS Cybersecurity Series (Part 11) - Anja Kovacs

purba — 2013-10-15T15:25:07Z

CIS interviews Anja Kovacs, researcher and activist, and director of the Internet Democracy, Project as part of the Cybersecurity Series.

"Having the cyber security debate become more and more important was a real challenge for civil society. I think in part because many of us who were focused on human rights aren't necessarily techies. And so, when you have a conversation with a government bureaucrat, and ask questions about the kind of decisions they decided to take, very often they will come up with a technical answer in response. And then, if you don't have that expertise, it is difficult to react. In the meantime though, I think it has become clear that this is one of the biggest issues in the internet field at the moment. It is also one of the big issues that is driving the desires of governments to have a bigger role to play in internet governance. So it is an area that is unavoidable for activists. What has happened slowly is that we have come to realize that the first thing, as in most other areas, is not the technical details, but principles, and those principles are fairly similar to how they are in many other fields." - Anja Kovacs, Internet Democracy Project

Centre for Internet and Society presents its eleventh installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

In this installment, CIS speaks to Anja Kovacs, director of the Internet Democracy Project. Her work focuses on a wide range of questions regarding freedom of expression, cybersecurity and the architecture of Internet governance as they relate to the Internet and democracy. Anja is currently also a member of the of the Investment Committee of the Digital Defenders Partnership and of the interim Steering Group of Best Bits, a global network of civil society members.

(Bio from internetdemocracy.in)

Internet Democracy Project homepage: http://internetdemocracy.in/

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-11-anja-kovacs

CIS Cybersecurity Series (Part 6) - Lhadon Tethong

purba — 2013-08-01T09:54:46Z

CIS interviews Lhadon Tethong, Tibetan human rights activist, as part of the Cybersecurity Series

"In authoritarian states, and in this case, in Tibet, I think that every person that we can teach and pass knowledge to, that can help them stay out of jail, stay in the streets, for one, two, three days longer, one week longer, that is a valuable time of time and resources. And I think we cannot rely on only tools and technology solutions to protect people. I think we can't just rely on government policies at the highest levels, and on export controls... the approach to digital security has to be comprehensive and we have to engage citizens. And not just in cases like the Tibetans or for activists or for people living under repression, but for people in free and open societies too." - Lhadon Tethong, Tibetan human rights activist.

Centre for Internet and Society presents its sixth installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

In this installment, CIS interviews Lhadon Tethong, Tibetan human rights activist. Lhadon is the Director of the Tibet Action Institute, where she leads a team of technologists and human rights advocates in developing and advancing open-source communication technologies, nonviolent strategies and innovative training programs for Tibetans and other groups facing heavy repression and human rights abuses.

Link for Tibet Action Institute: https://tibetaction.net/

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/cis-cybersecurity-series-part-6-lhadon-tethong

CIS Cybersecurity Series (Part 5) - Amelia Andersdotter

purba — 2013-08-01T09:54:14Z

CIS interviews Amelia Andersdotter, member of the European parliament, as part of the Cybersecurity Series

"Normally a good security policy will also provide privacy to the citizen that is encompassed by the security policy. So things like encryption, for instance, bring a more secure communication, more private communication, where you are able to interact with other people on equal terms and you don't have to fear outside interference. And that is obviously good for both the individual and for security. But then of course, security policies can be framed in different ways. It depends on who you are trying to protect with the security policy. Are you trying to create a secure situation for a copyright holder, or are you trying to create a secure situation for a law enforcement officer, or for a private citizen?" - Amelia Andersdotter, member of European parliament.

Centre for Internet and Society presents its fifth installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

Amelia Andersdotter is a Member of the European Parliament for the Pirate Party in Sweden. She works with industrial policy in the parliamentary committee of Industry, Research and Energy and is a substitute member of the committees for international trade, INTA, and budget control, CONT. Amelia is the Patron of the European Parliament Free Software User Group (EPFSUG), and also works in the delegations for the Andean community and Korean peninsula.

Amelia's website is: http://ameliaandersdotter.eu/

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/cis-cybersecurity-series-part-5-amelia-andersdotter

CIS Cybersecurity Series (Part 3) - Eva Galperin

purba — 2013-08-01T09:55:23Z

CIS interviews Eva Galperin, Global Policy Analyst at the Electronic Frontier Foundation (EFF).

"It is a vital tool for speaking truth to power. Unless you are able to speak anonymously, you are not really free to espouse unpopular ideas to people who have the power to do bad things to do... I think the value of anonymous speech vastly outweighs the difficulties that you can sometimes get into because people can speak anonymously. And on the whole, I think anonymity is worth protecting." - Eva Galperin, Global Policy Analyst at EFF.

Centre for Internet and Society presents its third installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

In this installment, CIS speaks to Eva Galperin, the Global Policy Analyst at the Electronic Frontier Foundation (EFF).She has worked for the EFF in various capacities for the last five years, applying the combination of her political science and technical background to organizing activism campaigns, and doing education and outreach on intellectual property, privacy, and security issues.

EFF homepage: https://www.eff.org/

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/cis-cybersecurity-series-part-3-eva-galperin

CIS contributes to the Research and Advisory Group of the Global Commission on the Stability of Cyberspace (GCSC)

Arindrajit Basu — 2018-07-05T16:00:02Z

The Global Commission on the Stability of Cyberspace (GCSC) is an initiative of the Hague Centre for Strategic Studies and the East West Institute that seeks to promote mutual awareness and understanding among various cyberspace communities. It seeks to develop norms and policies that advance the stability and security of cyberspace.

Chaired by Marina Kaljurand, and Co-Chaired by Michael Chertoff and Latha Reddy, the Commission comprises 26 prominent Commissioners who are experts hailing from a wide range of geographic regions representing multiple communities including academia industry, government, technical and civil society.

As a part of their efforts, the GCSC sent out a call for proposals for papers that sought to analyze and advance various aspects of the cyber norms debate.

Elonnai Hickok and Arindrajit Basu’s paper ‘ Conceptualizing an International Security Architecture for Cyberspace’ was selected by the Commissioners and published as a part of the Briefings of the Research and Advisory Group.

Arindrajit Basu represented CIS at the Cyberstability Hearings held by the GCSC at the sidelines of the GLOBSEC forum in Bratislava-a multilateral conference seeking to advance dialogue on various issues of international peace and security.

The published paper and the Power Point may be accessed here.

The agenda for the hearings is reproduced below

GCSC HEARINGS, 19 MAY 2018

HEARINGS: TOWARDS INTERNATIONAL CYBERSTABILITY

Venue: “Habsburg” room, Grand Hotel River Park 15:00-15:15

Welcome Remarks by Marina Kaljurand, Chair of the Global Commission on the Stability of Cyberspace (GCSC) and former Foreign Minister of Estonia 15:15-16:45

Hearing I: Expert Hearing

This session focuses on the topic Cyberstability and the International Peace and Security Architecture and includes scene settings, food-for-thought presentations on the new GCSC commissioned research, briefings and open statements by government and nongovernmental speakers.

“Scene setting: ”Cyber Diplomacy in Transition” by Carl Bildt, former Prime Minister of Sweden

“Commissioned Research I: Lessons learned from three historical case studies on establishing international norms” by Arindrajit Basu, Centre for Internet and Society, India

Commission Research II: The “pre-normative” framework and options for cyber diplomacy” by Elana Broitman, New America Foundation

“Some Remarks on current thinking within the United Nations”, by Renata Dwan, Director United Nations Institute for Disarmament Research (UNIDIR) (Registered Statements by Government Advisors) (Statements by other experts)

(Open floor discussion) 16:45-17:15

Coffee Break

For more details visit https://cis-india.org/internet-governance/blog/cis-contributes-to-the-research-and-advisory-group-of-the-global-commission-on-the-stability-of-cyberspace-gcsc

CIS contributes to ABLI Compendium on Regulation of Cross-Border Transfers of Personal Data in Asia

Amber Sinha and Elonnai Hickok — 2018-06-03T15:10:11Z

The Asian Business Law Institute, based in Singapore published a compendium on “Regulation of cross-border transfer of personal data in Asia”. This was part of an exercise to explore legal convergence around issues such as data protection, enforcement of foreign judgments and principle of restructuring in Asia.

The compendium contains 14 detailed reports written by legal practitioners, legal scholars and researchers in their respective jurisdictions, on the regulation of cross-border data transfers in the wider Asian region (Australia, China, Hong Kong SAR, India, Indonesia, Japan, South Korea, Macau SAR, Malaysia, New Zealand, Philippines, Singapore, Thailand, and Vietnam).

The compendium is intended to act as a springboard for the next phase of ABLI's project, which will be devoted to the in-depth study of the differences and commonalities between Asian legal systems on these issues and – where feasible – the drafting of recommendations and/or policy options to achieve convergence in this area of law in Asia.

The chapter titled Jurisdictional Report India was authored by Amber Sinha and Elonnai Hickok. The compendium can be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/regulation-of-cross-border-transfers-of-personal-data-in-asia

CIS Comments: Enhancing ICANN Accountability

geetha — 2014-06-10T13:03:57Z

On May 6, 2014, ICANN published a call for public comments on "Enhancing ICANN Accountability". This comes in the wake of the IANA stewardship transition spearheaded by ICANN and related concerns of ICANN's external and internal accountability mechanisms. Centre for Internet and Society contributed to the call for comments.

Introduction:

On March 14, 2014, the US National Telecommunications and Information Administration announced its intent to transition key Internet domain name functions to the global multi-stakeholder Internet governance community. ICANN was tasked with the development of a proposal for transition of IANA stewardship, for which ICANN subsequently called for public comments. At NETmundial, ICANN President and CEO Fadi Chehadé acknowledged that the IANA stewardship transition and improved ICANN accountability were inter-related issues, and announced the impending launch of a process to strengthen and enhance ICANN accountability in the absence of US government oversight. The subsequent call for public comments on “Enhancing ICANN Accountability” may be found here.

Suggestions for improved accountability:

In the event, Centre for Internet and Society (“CIS”) wishes to limit its suggestions for improved ICANN accountability to matters of reactive or responsive transparency on the part of ICANN to the global multi-stakeholder community. We propose the creation and implementation of a robust “freedom or right to information” process from ICANN, accompanied by an independent review mechanism.

Article III of ICANN Bye-laws note that “ICANN and its constituent bodies shall operate to the maximum extent feasible in an open and transparent manner and consistent with procedures designed to ensure fairness”. As part of this, Article III(2) note that ICANN shall make publicly available information on, inter alia, ICANN’s budget, annual audit, financial contributors and the amount of their contributions, as well as information on accountability mechanisms and the outcome of specific requests and complaints regarding the same. Such accountability mechanisms include reconsideration (Article IV(2)), independent review of Board actions (Article IV(3)), periodic reviews (Article IV(4)) and the Ombudsman (Article V).

Further, ICANN’s Documentary Information Disclosure Policy (“DIDP”) sets forth a process by which members of the public may request information “not already publicly available”. ICANN may respond (either affirmatively or in denial) to such requests within 30 days. Appeals to denials under the DIDP are available under the reconsideration or independent review procedures, to the extent applicable.

While ICANN has historically been prompt in its response to DIDP Requests, CIS is of the view that absent the commitments in the AoC following IANA stewardship transition, it would be desirable to amend and strengthen Response and Appeal procedures for DIDP and other, broader disclosures. Our concerns stem from the fact that, first, the substantive scope of appeal under the DIDP, on the basis of documents requested, is unclear (say, contracts or financial documents regarding payments to Registries or Registrars, or a detailed, granular break-up of ICANN’s revenue and expenditures); and second, that grievances with decisions of the Board Governance Committee or the Independent Review Panel cannot be appealed.

Therefore, CIS proposes a mechanism based on “right to information” best practices, which results in transparent and accountable governance at governmental levels.

First, we propose that designated members of ICANN staff shoulder responsibility to respond to information requests. The identity of such members (information officers, say) ought to be made public, including in the response document.

Second, an independent, third party body should be constituted to sit in appeal over information officers’ decisions to provide or decline to provide information. Such body may be composed of nominated members from the global multi-stakeholder community, with adequate stakeholder-, regional- and gender-representation. However, such members should not have held prior positions in ICANN or its related organizations. During the appointed term of the body, the terms and conditions of service ought to remain beyond the purview of ICANN, similar to globally accepted principles of an independent judiciary. For instance, the Constitution of India forbids any disadvantageous alteration of privileges and allowances of judges of the Supreme Court and High Courts during tenure.

Third, and importantly, punitive measures ought to follow unreasonable, unexplained or illegitimate denials of requests by ICANN information officers. In order to ensure compliance, penalties should be made continuing (a certain prescribed fine for each day of information-denial) on concerned officers. Such punitive measures are accepted, for instance, in Section 20 of India’s Right to Information Act, 2005, where the review body may impose continuing penalties on any defaulting officer.

Finally, exceptions to disclosure should be finite and time-bound. Any and all information exempted from disclosure should be clearly set out (and not merely as categories of exempted information). Further, all exempted information should be made public after a prescribed period of time (say, 1 year), after which any member of the public may request for the same if it continues to be unavailable.

CIS hopes that ICANN shall deliver on its promise to ensure and enhance its accountability and transparency to the global multi-stakeholder community. To that end, we hope our suggestions may be positively considered.

Comment repository:

All comments received by ICANN during the comment period (May 6, 2014 to June 6, 2014) may be found at this link.

For more details visit https://cis-india.org/internet-governance/blog/cis-comments-enhancing-icann-accountability

CIS Comments on the Draft National Policy on Electronics

pranesh — 2011-11-01T00:05:32Z

These were the comments submitted by CIS to the request for comments put out by the Department of Information Technology on its draft 'National Policy on Electronics'.

The Department of Information Technology must be commended for taking the initiative to create this policy which aims to reduce India’s dependence on other countries for crucial electronic hardware requirements, and to increase Indian production to such a capacity as to not only serve India’s increasing demand for electronics, but to fulfil foreign demand as well.

We have mainly focused our comments on the implications of the patent regime on this laudable goal.

Technology Transfer

An area that the policy is silent on is technology transfer. In relation to technology, the main bargain embedded in the Trade-Related Intellectual Property Rights (TRIPS) Agreement of the WTO was the increase in the level of protection offered under patent laws of developing countries in exchange for increased transfer of technological know-how from the developed countries. While India has increased patent protection in accordance with the TRIPS Agreement, there has been no commensurate transfer of technology from countries which are currently hubs of electronics know-how.

One important example is China’s policy on transfer of technology along the whole value chain to enable domestic firms to gain technological expertise.

The Association of American Manufacturing notes, “One of the most potent weapons China has used to move up the value chain is forced technology transfer … It is only through the acquisition (rather than internal development) of sophisticated technologies that Chinese companies have been able to rapidly enter and expand in sophisticated industries ….”

This insistence on technology transfer as a national policy has served China well, and their experience should be incorporated into India’s National Policy on Electronics. This is not to say that India should not internally develop our own technological capabilities, but that the Indian government must use the policy space available to it to ensure that acquisition of technological capabilities happens alongside.

Outflow of Foreign Exchange as Royalties Creating Adverse Balance of Payments

The latest data from the World Bank shows that our balance of payments is increasing adversely at an alarming rate, and has now reached over USD 2.38 billion.

Our royalty and licence fee payments have kept on increasing at an astounding rate.

Table: India’s royalty and licence fees payments (current USD)

1991	2006	2007	2008	2009	2010
49,565,208	845,949,436	1,159,824,391	1,528,826,913	1,860,283,808	2,437,500,663

Meanwhile India’s income is gaining slowly and erratically, and in 20100 reached USD 59.6 million.

Table: India’s royalty and licence fees, receipts (current USD)

1991	2006	2007	2008	2009	2010
615,525	13,445,053	30,690,000	27,211,957	38,128,141	59,560,687

This bleeds the Indian economy through a very inefficient outflow of capital. Insisting on transfer of technology is an important component in slowing down this trend.

Linking of Value Chain and Preferential Treatment

One important clarification that is needed in the policy (specifically clause IV.1.3) is that “domestically manufactured electronic products” is intended to mean not those products for which the last part of value has been added in India. This way essentially non-Indian products with Indian branding can be seen to be “domestically manufactured electronic products”. The longer the Indian part of the value chain, the more preference it should be given, and holding by Indian companies of essential patent rights (or the availability of greater number of components of the product under royalty-free, FRAND and RAND licences) could be an important criteria. This will also encourage the transfer of technological know-how to Indian firms.

Preferential Treatment

Some may argue that the provision of preferential treatment to domestic manufacturers contravenes the GATT Agreement, however the GATT Agreement itself provides a usable exception in Article 3(8):

Article III: National Treatment on Internal Taxation and Regulation

8 (a) The provisions of this Article shall not apply to laws, regulations or requirements governing the procurement by governmental agencies of products purchased for governmental purposes and not with a view to commercial resale or with a view to use in the production of goods for commercial sale.

(b) The provisions of this Article shall not prevent the payment of subsidies exclusively to domestic producers, including payments to domestic producers derived from the proceeds of internal taxes or charges applied consistently with the provisions of this Article and subsidies effected through governmental purchases of domestic products.

Thus, by crafting any further regulation under this policy to fit within this exception, India would not fall afoul of its obligations under GATT.

Cybersecurity and Source Code

An important aspect of the cybersecurity that is discussed in clause IV.5 is the ability to validate the lack of malicious code in the electronics used in strategically important infrastructure. For this, manufacturers must be required to provide the source code as part of government tenders in strategically important infrastructure.

Distinction between Innovation and Intellectual Property

The Electronic Development Fund must seek to promote innovation, research and development, and commercialization of products, and must be used to strategically acquire patents. Promotion of patents is not an end in itself, unlike promotion of innovation and ensuring that research and development reaches markets through commercialization. Patents are only a means to an end, and may sometimes be strategically useful, and often stand in way of gaining optimal use of technology by markets due to their monopolistic nature. Thus, it is recommended that “promotion of IP” be dropped from this clause, and instead “promotion of strategic acquirement and use of patents” be substituted in its place.

National Electronics Mission

The National Electronics Mission should not only have industry participation but also participation from academia and civil society.

Funding

The issue of funding for the initiatives outlined in this policy must be addressed as well.

For more details visit https://cis-india.org/internet-governance/comments-draft-national-policy-on-electronics

CIS Comments and Recommendations to the Human DNA Profiling Bill, June 2015

Elonnai Hickok, Vipul Kharbanda and Vanya Rakesh — 2015-09-02T17:09:04Z

The Centre for Internet & Society (CIS) submitted a clause-by-clause comments on the Human DNA Profiling Bill that was circulated by the Department of Biotechnology on June 9, 2015.

The Centre for Internet and Society is a non-profit research organisation that works on policy issues relating to privacy, freedom of expression, accessibility for persons with diverse abilities, access to knowledge, intellectual property rights and openness. It engages in academic research to explore and affect the shape and form of Internet, along with its relationship with the Society, with particular emphasis on South-South dialogues and exchange. The Centre for Internet and Society was also a member of the Expert Committee which was constituted in the year 2013 by the Department of Biotechnology to discuss the draft Human DNA Profiling Bill.

Missing aspects from the Bill

The Human DNA Profiling Bill, 2015 has overlooked and has not touched upon the following crucial factors :

Objects Clause

An ‘objects clause,’ detailing the intention of the legislature and containing principles to inform the application of a statute, in the main body of the statute is an enforceable mechanism to give directions to a statute and can be a formidable primary aid in statutory interpretation. [See, for example, section 83 of the Patents Act, 1970 that directly informed the Order of the Controller of Patents, Mumbai, in the matter of NATCO Pharma and Bayer Corporation in Compulsory Licence Application No. 1 of 2011.] Therefore, the Bill should incorporate an objects clause that makes clear that

“DNA profiles merely estimate the identity of persons, they do not conclusively establish unique identity, therefore forensic DNA profiling should only have probative value and not be considered as conclusive proof.

The Act recognises that all individuals have a right to privacy that must be continuously weighed against efforts to collect and retain DNA and in order to protect this right to privacy the principles of notice, confidentiality, collection limitation, personal autonomy, purpose limitation and data minimization must be adhered to at all times.”

Collection and Consent

The Bill does not contain provisions regarding instances when the DNA samples can be collected from the individuals without consent (nor does the Bill establish or refer to an authorization procedure for such collection), when DNA samples can be collected from individuals only with informed consent, and how and in what instances individuals can withdraw their consent. The issue of whether DNA samples can be collected without the consent of the individual is a vexed one and requires complex questions relating to individual privacy as well as the right against self incrimination. While the question of whether an accused can be made to give samples of blood, semen, etc. which had been in issue in a wide gamut of decisions in India has finally been settled by section 53 of the Code of Criminal Procedure, which allows collection of medical evidence from an accused, thus laying to rest any claims based on the right against self incrimination. However there are still issues dealing with the right to privacy and the violation thereof due to the non-consensual collection of DNA samples. This is an issue which needs to be addressed in this Act itself and should not be left unaddressed as this would only lead to a lack of clarity and protracted court cases to determine this issue. An illustration of this problem is where the Bill allows for collection of intimate body samples. There is a need for inclusion of stringent safeguard measures regarding the same since without such safeguards, the collection of intimate body samples would be an outright infringement of privacy. Further, maintaining a database for convicts and suspects is one thing, however collecting and storing intimate samples of individuals is a gross violation of the citizens’ right to privacy, and without adequate mechanisms regarding consent and security, stands at a huge risk of being misused.

Privacy Safeguards

Presently, the Bill is being introduced without comprehensive privacy safeguards in place on issues such as consent, collection, retention, etc. as is evident from the comments made below. Though the DNA Board is given the responsibility of recommending best practices pertaining to privacy (clause 13 (l)) – this is not adequate given the fact that India does not have a comprehensive privacy legislation. Though section 43A and associated Rules of the Information Technology Act would apply to the collection, use, and sharing of DNA data by DNA laboratories (as they would fall under the definition of ‘body corporate’ under the IT Act), the National and State Data Banks and the DNA Board would not clearly be body corporate as per the IT Act and would not fall under the ambit of the provision or Rules. Safeguards are needed to protect against the invasion of informational privacy and physical privacy at the level of these State controlled bodies. The fact that the Bill is to be introduced into Parliament prior to the enactment of a privacy legislation in India is significant as according to discussions in the Record Notes of the 4h Meeting of the Expert Committee - “the Expert Committee also discussed and emphasized that the Privacy Bill is being piloted by the Government. That Bill will over-ride all the other provisions on privacy issues in the DNA Bill.”

Lack of restriction on type of analysis to be performed

The Bill currently does not provide any restriction on the types of analysis that can be performed on a DNA sample or profile. This could allow for DNA samples to be analyzed for purposes beyond basic identification of an individual – such as for health, genetic, or racial purposes. As a form of purpose limitation the Bill should define narrowly the types of analysis that can be performed on a DNA sample.

Purpose Limitation

The Bill does not explicitly restrict the use of a DNA sample or DNA profile to the purpose it was originally collected and created for. This could allow for the re-use of samples and profiles for unintended purposes.

Annual Public Reporting

The Bill does not require the DNA Board to disclose publicly available information on an annual basis regarding the functioning and financial aspects of matters contained within the Bill. Such disclosure is crucial in ensuring that the public is able to make informed decisions. Categories that could be included in such reports include: Number of DNA profiles added to each indice within the databank, total number of DNA profiles contained in the database, number of DNA profiles deleted from the database, the number of matches between crime scene DNA profiles and DNA profiles, the number of cases in which DNA profiles were used in and the percentage in which DNA profiles assisted in the final conclusion of the case, and the number and categories of DNA profiles shared with international entities.

Elimination Indice

An elimination indice containing the profiles of medical professionals, police, laboratory personnel etc. working on a case is necessary in case they contaminate collected samples by accident.

Clause by Clause Recommendations

As stated the Human DNA Profiling Bill 2015 is to regulate the use of DNA analysis of human body substances profiles and to establish the DNA Profiling Board for laying down the standards for laboratories, collection of human body substances, custody trail from collection to reporting and also to establish a National DNA Data Bank.

Comment:

As stated, the purpose of the DNA Human Profiling Bill is to broadly regulate the of DNA analysis and establish a DNA Data Bank. Despite this, the majority of provisions in the Bill pertain to the collection, use, access etc. of DNA samples and profiles for civil and criminal purposes. The result of this is an 'unbalanced Bill' - with the majority of provisions focusing on issues related to forensic use. At the same time the Bill is not a comprehensive forensic bill – resulting in legislative gaps.
Additionally, the Bill contains provisions beyond the stated purpose. These include:

Facilitating the creation of a Data Bank for statistical purposes (Clause 33(e))
Establishing state and regional level databanks in addition to a national level databank (Clause 24)
Developing procedure and providing for the international sharing of DNA profiles with foreign Governments, organizations, institutions, or agencies. (Clause 29)

Recommendation:

The Bill should ideally be limited to regulating the use of DNA samples and profiles for criminal purposes. If the scope remains broad, all purposes should be equally and comprehensively regulated.
The stated purpose of the Bill should address all aspects of the Bill. Provisions beyond the scope of the Bill should be removed.

Chapter 1: Preliminary

Clause 2: This clause defines the terms used in the Bill.

Comment: A number of terms are incomplete and some terms used in the Bill have not been included in the list of definitions.

Recommendation:

The definition of DNA Data bank manager - clause 2 (1)(g) - must be renamed as National DNA Data bank manager.
The definition of “DNA laboratory” in clause 2(1)(h) should refer to the specific clauses that empower the Central Government and State Governments to license and recognise DNA laboratories. This is a drafting error.

The definition of “DNA profile” in clause 2(1)(i) is too vague. Merely the results of an analysis of a DNA sample may not be sufficient to create an actual DNA profile. Further, the results of the analysis may yield DNA information that, because of incompleteness or lack of information, is inconclusive. These incomplete bits of information should not be recognised as DNA profiles. This definition should be amended to clearly specify the contents of a complete and valid DNA profile that contains, at least, numerical representations of 17 or more loci of short tandem repeats that are sufficient to estimate biometric individuality of a person. The definition of “DNA profile” does not restrict the analysis to forensic DNA profiles: this means additional information, such as health-related information could be analyzed and stored against the wishes of the individual, even though such information plays no role in solving crimes.

The term “known sample” that is defined in clause 2(1)(m) is not used anywhere outside the definitions clause and should be removed.

The definition of “offender” in clause 2(1)(q) is vague because it does not specify the offenses for which an “offender” needs to be convicted. It is also linked to an unclear definition of the term “under trial”, which does not specify the nature of pending criminal proceedings and, therefore, could be used to describe simple offenses such as, for example, failure to pay an electricity bill, which also attracts criminal penalties.

The term “proficiency testing” that is defined in clause 2(1)(t) is not used anywhere in the text of the DNA Bill and should be removed.

The definitions of “quality assurance”, “quality manual” and “quality system” serve no enforceable purpose since they are used only in relation to the DNA Profiling Board’s rule making powers under Chapter IX, clause 58. Their inclusion in the definitions clause is redundant. Accordingly, these definitions should be removed.

The term “suspect” defined in clause 2(1)(za) is vague and imprecise. The standard by which suspicion is to be measured, and by whom suspicion may be entertained – whether police or others, has not been specified. The term “suspect” is not defined in either the Code of Criminal Procedure, 1973 ("CrPC") or the Indian Penal Code, 1860 ("IPC").

The term volunteer defined in clause 2(zf) only addresses consent from the parent or guardian of a child or an incapable person. This term should be amended to include informed consent from any volunteer.

Chapter II: DNA Profiling Board

Clause 4: This clause addresses the composition of the DNA Profiling Board.

Comment: The size and composition of the Board that is staffed under clause 4 is extremely large. The number of members remains to be 15, as it was in the 2012 Bill.

Recommendation: Drawing from the experiences of other administrative and regulatory bodies in India, the size of the Board should be reduced to no more than five members. The Board must contain at least:

One ex-Judge or senior lawyer
Civil society – both institutional and non-institutional
Privacy advocates

Note: The reduction of the size of the Board was agreed upon by the Expert Committee from 16 members (2012 Bill) to 11 members. This recommendation has not been incorporated.

Clause 5(1): The clause specifies the term of the Chairperson of the DNA Profiling Board to be five years and also states that the person shall not be eligible for re-appointment or extension of the term so specified.

Comment: The Chairperson of the Board, who is first mentioned in clause 5(1), has not been duly and properly appointed.

Recommendation: Clause 4 should be amended to mention the appointment of the Chairperson and other Members.

Clause 7: The clause requires members to react on a case-by-case basis to the business of the Board by excusing themselves from deliberations and voting where necessary.

Comment: This clause addresses the issue of conflict of interest only in narrow cases and does not provide penalty if a member fails to adhere to the laid out procedure.

Recommendation: The Bill should require members to make full and public disclosures of their real and potential conflicts of interest and the Chairperson must have the power to prevent such members from voting on interested matters. Failure to follow such anti-collusion and anti-corruption safeguards should attract criminal penalties.

Clause 12(5): The clause states that the board shall have the power to co-opt such number of persons as it may deem necessary to attend the meetings of the Board and take part in the proceedings of the board, but such persons will not have the right to vote.

Comment: While serving on the Expert Committee, CIS provided language regarding how the Board could consult with the public. This language has not been fully incorporated.

Recommendation: As per the recommendation of CIS, the following language should be adopted in the Bill: The Board, in carrying out its functions and activities, shall be required to consult with all persons and groups of persons whose rights and related interests may be affected or impacted by any DNA collection, storage, or profiling activity. The Board shall, while considering any matter under its purview, co-opt or include any person, group of persons, or organisation, in its meetings and activities if it is satisfied that that person, group of persons, or organisation, has a substantial interest in the matter and that it is necessary in the public interest to allow such participation. The Board shall, while consulting or co-opting persons, ensure that meetings, workshops, and events are conducted at different places in India to ensure equal regional participation and activities.

Clause 13: The clause lays down the functions to be performed by the DNA Profiling Board, which includes it’s role in regulation of the DNA Data Banks, DNA Laboratories and techniques to be adopted for collection of the DNA samples.

Comment: While serving on the Expert Committee, CIS recommended that the functions of the DNA Profiling Board should be limited to licensing, developing standards and norms, safeguarding privacy and other rights, ensuring public transparency, promoting information and debate and a few other limited functions necessary for a regulatory authority.

Furthermore, this clause delegates a number of functions to the Board that places the Board in the role of a manager and regulator for issues pertaining to DNA Profiling including functions of the DNA Databases, DNA Laboratories, ethical concerns, privacy concerns etc.

Recommendation: As per CIS’s recommendations the functions of the Board should be limited to licensing, developing standards and norms, safeguarding privacy and other rights, ensuring public transparency, promoting information and debate and a few other limited functions necessary for a regulatory authority.

Towards this, the Board should be comprised of separate Committees to address these different functions. At the minimum, there should be a Committee addressing regulatory issues pertaining to the functioning of Data Banks and Laboratories and an Ethics Committee to provide independent scrutiny of ethical issues. Additionally:

Clause 13(j) allows the Board to disseminate best practices concerning the collection and analysis of DNA samples to ensure quality and consistency. The process for collection of DNA samples and analysis should be established in the Bill itself or by regulations. Best practices are not enforceable and do not formalize a procedure.
Clause 13(q) allows the Board to establish procedure for cooperation in criminal investigation between various investigation agencies within the country and with international agencies. This procedure, at the minimum, should be subject to oversight by the Ministry of External Affairs.

Chapter III: Approval of DNA Laboratories

Clause 15: This clause states that every DNA Laboratory has to make an application before the Board for the purpose of undertaking DNA profiling and also for renewal.

Comment: Though the Bill requires DNA Laboratories to make an application for the undertaking DNA Profiling, it does not clarify that the Lab must receive approval before collection and analysis of DNA samples and profiles.

Recommendation: The Bill should clarify that all DNA Laboratories must receive approval for functioning prior to the collection or analysis of any DNA samples and profiles.

Chapter IV: Standards, Quality Control and Quality Assurance Obligations of DNA Laboratory and Infrastructure and Training

Clause 19: This clause defines the obligations of a DNA laboratory. Sub-section (d) maintains that one such obligation is the sharing of the 'DNA data' prepared and maintained by the laboratory with the State DNA Data Bank and the National DNA Data Bank.

Comment: ‘DNA Data’ is a new term that has not been defined under Clause 2 of the Bill. It is thus unclear what data would be shared between State DNA data banks and the National DNA data bank - DNA samples? DNA profiles? associated records? It is also unclear in what manner and on what basis the information would be shared.

Recommendation: The term ‘DNA Data’ should be defined to clarify what information will be shared between State and National DNA Data Banks. The flow of and access to data between the State DNA Data Bank and National DNA Data Bank should also be established in the Bill.

Clause 22: The clause lays down the measures to be adopted by a DNA Laboratory and 22(h) includes a provision requiring the conducting of annual audits according to prescribed standards.

Comment:

The definition of “audit” under Chapter VI in clause 22 under ‘Explanation’ is relevant for measuring the training programmes and laboratory conditions. However, the term “audit” is subsequently used in an entirely different manner in Chapter VII which relates to financial information and transparency.
The standards for the destruction of DNA samples have not been included within the list of measures that DNA laboratories must take.

Recommendation:

The definition of ‘audit’ must be amended or removed as it is being used in different contexts. The term “audit” has a well established use for financial information that does not require a definition.
Standards for the destruction of DNA samples should be developed and included as a measure DNA laboratories must take.
Clause 23: This clause lays down the sources for collection of samples for the purpose of DNA profiling. 23(1)(a) includes collection from bodily substances and 23(1)(c) includes clothing and other objects. Explanation (b) provides a definition of 'intimate body sample'.

Comment:

Permitting the collection of DNA samples from bodily substances and clothing and other objects allows for the broad collection of DNA samples without contextualizing such collection. In contrast 23(b) Scene of occurrence or scene of crime limits the collection of samples to a specific context.
This clause also raises the issue of consent and invasion of privacy of an individual. If “intimate body samples” are to be taken of individuals, then this would be an invasion of the person’s right to bodily privacy if such collection is done without the person’s consent (except in the specific instance when it is done in pursuance of section 53 of the Criminal Procedure Code).

Recommendation:

Sources for the collection of DNA samples should be contextualized to prevent broad, unaccounted for, or unregulated collection. Clause (a) and (c) should be deleted and replaced with contexts in which the collection DNA collection would be permitted.
The Bill should specify circumstances on which non-intimate samples can be collected and the process for the same.
The Bill should specify that intimate body samples can only be taken with informed consent except as per section 53 of the Criminal Procedure Code.
The Bill should require that any individual that has a sample taken (intimate and non-intimate) is provided with notice of their rights and the future uses of their DNA sample and profile.

Chapter V: DNA Data Bank

Clause 24:This clause addresses establishment of DNA Data Banks at the State and National Level. 24(5) establishes that the National DNA Data Bank will receive data from State DNA Data Banks and store the approved DNA Profiles as per regulations.

Comment:

As noted previously, ‘DNA Data’ is a new term that has not been defined in the Bill. It is thus unclear what data would be shared between State DNA data banks and the National DNA data bank - DNA samples? DNA profiles? associated records?
The process for sharing Data between the State and National Data Banks is not defined.

Recommendation:

The term ‘DNA Data’ should be defined to clarify what information will be shared between State and National DNA Data Banks.
The process for the National DNA Data Bank receiving DNA data from State DNA Data Banks and DNA laboratories needs to be defined in the Bill or by regulation. This includes specifying how frequently information will be shared etc.

Clause 25: This clause establishes standards for the maintenance of indices by DNA databanks. 25(1) states that every DNA Data Bank needs to maintain the prescribed indices for various categories of data including an index for a crime scene, suspects, offenders, missing persons, unknown deceased persons, volunteers, and other indices as may be specified by regulation. 25(2) states that in addition to the indices, the DNA Data Bank should contain information regarding each of the DNA profiles. It can either be the identity of the person from whose bodily substance the profile was derived in case of a suspect or an offender, or the case reference number of the investigation associated with such bodily substances in other cases. 25(3) states that the indices maintained shall include information regarding the data which is based on the DNA profiling and the relevant records.

Comment:

25(1): The creation of multiple indices cannot be justified and must be limited since collection of biological source material is an invasion of privacy that must be conducted only in strict conditions when the potential harm to individuals is outweighed by the public good. This balance may only be struck when dealing with the collection and profiling of samples from certain categories of offenders. The implications of collecting and profiling DNA samples from corpses, suspects, missing persons and others are vast. Specifically a 'volunteer' index could possibly be used for racial/community/religious profiling.
25(2): This clause requires the names of individuals to be connected to their profiles, and hence accessible to persons having access to the databank.
25(3) The clause states that only information related to DNA profiling and will be stored in an indice. Yet, it is unclear what such information might be. This could allow inconsistencies in data stored in an indice and could allow for unnecessary information to be stored on an indice.

Recommendation:

25(1) Ideally, DNA databanks should be created for dedicated purposes. This would mean that a databank for forensic purposes should contain only an offenders’ index and a crime scene index while a databank for missing persons would contain only a missing persons indice etc. If numerous indices are going to be contained in one databank, the Bill needs to recognize the sensitivity of each indice as well as the difference between each indice and lay down appropriate and strict conditions for collection of data for such indice, addition of data into the indice, as well as use, access, and retention of data within the indice.
25(2) DNA profiles, once developed, should be maintained with complete anonymity and retained separate from the names of their owners. This amendment becomes even more important if we consider the fact that an “offender” may be convicted by a lower court and have his profile included in the data bank, but may get acquitted later. However, till the time that such person is acquitted, his/her profile with the identifying information would still be in the data bank, which is an invasion of privacy.
25(3) What information will be stored in indices should be clearly defined in the Bill and should be tailored appropriately to each category of indice.

Clause 28: This clause addresses the comparison and communication of DNA profiles. 28(1) states that the DNA profile entered in the offenders or crime scene index shall be compared by the DNA Data Bank Manger against profiles contained in the DNA Data Bank and the DNA Data Bank Manager will communicate such information with any court, tribunal, law enforcement agency, or approved DNA laboratory which he may consider appropriate for the purpose of investigation. 28(2) allows for any information relating to a person's DNA profile contained in the suspect's index or offenders' index to be communicated to authorised persons.

Comment:

28(1) (a-c) allows for the DNA Bank Manager to communicate the following: 1.) if the DNA profile is not contained in the Data Bank and what information is not contained, 2.) if the DNA profile is contained in the data bank and what information is contained, and if in the opinion of the Manager, 3.) the DNA profile is similar to one stored in the Databank. These options of communication are problematic as they 1. allow for all associated information to be communicated – even if such information is not necessary, 2.) Allows for the DNA Databank Manager to communicate that a profile is 'similar' without defining what 'similar' would constitute.
28(1) only addresses the comparison of DNA profiles entered into the offenders index or the crime scene index against all other profiles entered into the DNA Data Bank.
28(1) gives the DNA Data Bank manager broad discretion in determining if information should be communicated and requires no accountability for such a decision.
28(2) only addresses information in the suspect's and offender's index and does not address information in any other index.

Recommendation:

Rather than allowing for broad searches across the entire database, the Bill should be clear about which profiles can be compared against which indices. Such distinctions must take into consideration if a profile was taken on consent and what was consented to.
Ideally, the response from the DNA Databank Manager should be limited to a 'yes' or 'no' response and only further information should be revealed on receipt of a court order.
The Bill should define what constitutes 'similar'
A process for determining if information should be communicated should be established in the Bill and followed by the DNA Data Bank Manager. The Manager should also be held accountable through oversight mechanisms for such decisions. This is particularly important, as a DNA laboratory would be a private body.
Information stored in any index should be disclosed to only authorized parties.

Clause 29: This clause provides for comparison and sharing of DNA profiles with foreign Government, organisations, institutions or agencies. 29(1) allows the DNA Bank Manager to run a comparison of the received profile against all indices in the databank and communicate specified responses through the Central Bureau of Investigation.

Comment: This clause allows for international disclosures of DNA profiles of Indians through a procedure that is to be established by the Board (see clause 13(q))

Recommendation: The disclosure of DNA profiles of Indians with international entities should be done via the MLAT process as it is the typical process followed when sharing information with international entities for law enforcement purposes.

Clause 30: This clause provides for the permanent retention of information pertaining to a convict in the offenders’ index and the expunging of such information in case of a court order establishing acquittal of a person, or the conviction being set aside.

Comment: This clause addresses only the retention and expunging of records of a convict stored in the offenders index upon the receipt of a court order or the conviction being set aside. This implies that records in all other indices - including volunteers - can be retained permanently. This clause also does not address situations where an individuals DNA profile is added to the databank, but the case never goes to court.

Recommendation: The Bill should establish retention standards and deletion standards for each indice that it creates. Furthermore, the Bill should require the immediate destruction of DNA samples once a DNA profile for identification purposes has been created. An exception to this should be the destruction of samples stored in the crime scene index.

Chapter VI: Confidentiality of and Access to DNA Profiles, Samples, and Records

Clause 33: This provision lays down the cases and the persons to which information pertaining to DNA profiles, samples and records stored in the DNA Data Bank shall be made available. Specifically, 33(e) permits disclosure for the creation and maintenance of a population statistics Data Bank.

Comment:

This clause addresses disclosure of information in the DNA Data Bank, but does not directly address the use of DNA samples or DNA profiles. This allows for the possibility of re-use of samples and profiles.
There is no limitation on the information that can be disclosed. The clause allows for any information stored in the Data Bank to be disclosed for a number of circumstances/to a variety of people.
There is no authorization process for the disclosure of such information. Of the circumstances listed – an authorization process is mentioned only for the disclosure of information in the case of investigations relating to civil disputes or other civil matters with the concurrence of the court. This implies that there is no procedure for authorizing the disclosure of information for identification purposes in criminal cases, in judicial proceedings, for facilitating prosecution and adjudication of criminal cases, for the purpose of taking defence by an accused in a criminal case, and for the creation and maintenance of a population statistics Data Bank.

Recommendation:

The Bill should establish an authorization process for the disclosure of information stored in a data bank. This process must limit the disclosure of information to what is necessary and proportionate for achieving the requested purpose.
Clause 33(e) should be deleted as the non-consensual disclosure of DNA profiles for the study of population genetics is specifically illegal. The use of the database for statistical purposes should be limited to purposes pertaining to understanding effectiveness of the databank.
Clause 33(f) should be deleted as it is not necessary for DNA profiles to be stored in a database to be useful for civil purposes. Instead samples for civil purposes are only needed as per the relevant case and specified persons.
Clause 33(g) should be deleted as it allows for the scope of cases in which DNA can be disclosed to by expanded as prescribed.

Clause 34: This clause allows for access to information for operation maintenance and training.
Comment: This clause would allow individuals in training access to data stored on the database for training purposes. This places the security of the databank and the data stored in the databank at risk.
Recommendation: Training of individuals should be conducted via simulation only.

Clause 35: This clause allows for access to information in the DNA Data Bank for the purpose of a one time keyboard search. A one time keyboard search allows for information from a DNA sample to be compared with information in the index without the information from the DNA sample being included in the index. The clause allows for an authorized individual to carry out such a search on information obtained from an DNA sample lawfully collected for the purpose of criminal investigation, except if the DNA sample was submitted for elimination purposes.
Comment: The purpose of this clause is unclear as is the scope. The clause allows for the sample to be compared against 'the index' without specifying which index. The clause also allows for 'information obtained from a DNA sample' rather than a profile. Thus, the clause appears to allow for any information derived from a DNA sample collected for a criminal investigation to be compared against all data within the databank – without recording such information. Such a comparison is vast in scope and open to abuse.
Recommendation: To ensure that this provision is not used for conducting searches outside of the scope of the original purpose, only DNA profiles, rather than 'information derived from a sample' should be allowed to be compared, only the indices relevant to the sample should be compared, and the search should be authorized and justified.
Clause 36 : This clause addresses the restriction of access to information in the crime scene index if the individual is a victim of a specified offense or if the person has been eliminated as a suspect of an investigation.

Comment:

This clause only addresses restriction of access to the crime scene index and does not address restriction of access to other indices.
This clause only restricts access to the indice for certain category of individual and for a specific status of a person. Oddly, the clause does not include authorization or rank as a means for determining or restricting access.

Recommendation:

This clause should be amended to lay down standards for restriction of access for all indices.
Access to all information in the databank should be restricted by default and permission should be based on authorization rather than category or status of individual.

Clause 38: This clause sets out a post-conviction right related to criminal procedure and evidence.

Comment: This clause would fundamentally alter the nature of India’s criminal justice system, which currently does not contain specific provisions for post-conviction testing rights.

Recommendation: This clause should be deleted and the issue of post conviction rights related to criminal procedure and evidence referenced to the appropriate legislation. Clause 38 is implicated by Article 20(2) of the Constitution of India and by section 300 of the CrPC. The principle of autrefois acquit that informs section 300 of the CrPC specifically deals with exceptions to the rule against double jeopardy that permit re-trials. [See, for instance, Sangeeta Mahendrabhai Patel (2012) 7 SCC 721.] The person must be duly accorded with a right to know rules may provide for- the authorized persons to whom information relating to a person’s DNA profile contained in the offenders’ index shall be communicated. Alternatively, this right could be limited only to accused persons who’s trial is still at the stage of production of evidence in the Trial Court. This suggestion is being made because unless the right as it currently stands, is limited in some manner, every convict with the means to engage a lawyer would ask for DNA analysis of the evidence in his/her case thereby flooding the system with useless requests risking a breakdown of the entire machinery.

Chapter VII: Finance, Accounts, and Audit

Clause 39: This clause allows the Central Government to make grants and loans to the DNA Board after due appropriation by Parliament.

Comment: This clause allows the Central Government to grant and loan money to the DNA Board, but does not require any proof or justification for the sum of money being given.

Recommendation: This clause should require a formal cost benefit analysis, and financial assessment prior to the giving of any grants or loans.

Chapter VIII: Offences and Penalties

Chapter IX: Miscellaneous

Clause 53: This clause allows protects the Central Government and the Members of the Board from suit, prosecution, or other legal proceedings for actions that they have taken in good faith.

Comment: Though it is important to take into consideration if an action has been taken in good faith, absolving the Government and Board from accountability for actions leaves little course of redress for the individual. This is particularly true as the Central Government and the Board are given broad powers under the Bill.

Recommended: If the Central Government and the Board will be protected for actions taken in good faith, their powers should be limited. Specifically, they should not have the ability to widen the scope of the Bill.

Clause 57: This clause states that the Central Government will have the powers to make Rules for a number of defined issues.

Comment: 57(d) allows for the regulations to be created regarding the use of population statistics Data Bank created and maintained for the purposes of identification research and protocol development or quality control.

Recommendation: 57(d) should be deleted as any use for the creation of a population statistics Data Bank created and maintained for the purposes of identification research and protocol development or quality control is beyond the scope of the Bill.

Clause 58: This clause empowers the Board to make regulations regarding a number of aspects related to the Bill.
Comment: There a number of functions that the Board can make regulations for that should be defined within the Bill itself to ensure that the scope of the Bill does not expand without Parliamentary oversight and approval.
Recommendation: 58(2)(g) should be deleted as it allows the Board to create regulations for other relevant uses of DNA techniques and technologies, 58(2)(u) should be deleted as it allows the Board to include new categories of indices to databanks, and 58(2) (aa) should be deleted as it allows the Board to decide which other indices a DNA profile may be compared with in the case of sharing of DNA profiles with foreign Governments, organizations, or institutions.

Clause 61: This clause states that no civil court will have jurisdiction to entertain any suit or proceeding in respect of any matter which the Board is empowered to determine and no injunction shall be granted.

Comment: This clause in practice will limit the recourse that individuals can take and will exclude the Board from the oversight of civil or criminal courts.

Recommendation: The power to collect, store and analyse human DNA samples has wide reaching consequences for people whose samples are being utilised for this purpose, specially if their samples are being labeled in specific indexes such as “index of offenders”, etc. The individual should therefore have a right to approach the court of law to safeguard his/her rights. Therefore this provision barring the jurisdiction of the courts should be deleted.

Schedule

Schedule A: The schedule refers to section 33(f) which allows for disclosure of information in relation to DNA profiles, DNA samples, and records in a DNA Data Bank to be communicated in cases of investigations relating to civil disputes or other civil matters or offenses or cases listed in the schedule with the concurrence of the court.

Comment: As 33(f) requires the concurrence of the court for disclosure of information, it is unclear what purpose the schedule serves. If the Schedule is meant to serve as a guide to the Court on appropriate instances for the disclosure of information stored in the DNA databank – the schedule is too general by listing entire Acts, while at the same time being too specific by naming specific Acts. Ideally, courts should use principles and the greater public interest to reach a decision as to whether or not disclosure of information in the DNA databank is appropriate. At a minimum these principles should include necessity (of the disclosure) and proportionality (of the type/amount of information disclosed).

Recommendation: As we recommended the deletion of clause 33(f) as it is not necessary to databank DNA profiles for civil purposes, the schedule should also be deleted.

Note: The schedule differs drastically from previous drafts and from discussions held in the Expert Committee and recommendations agreed upon. As per the Meeting Minutes of the Expert Committee meeting held on November 10th 2014 “The Committee recommended incorporation of the comments received from the members of the Expert Committee appropriately in the draft Bill...Point no. 1 suggested by Mr. Sunil Abraham in the Schedule of the draft Bill to define the cases in which DNA samples can be collected without consent by incorporating point no. 1 (I.e 'Any offence under the Indian Penal Code, 1860 if it is listed as a cognizable offence in Part I of the First Schedule of the code of Criminal Procedure, 1973)”

Download CIS submission here. See the cover letter here.

For more details visit https://cis-india.org/internet-governance/blog/cis-comments-and-recommendations-to-human-dna-profiling-bill-2015