We are anonymous, we are legion

CIS Cybersecurity Series (Part 12) - Namita Malhotra

purba — 2013-11-18T10:03:29Z

CIS interviews Namita Malhotra, researcher and lawyer at Alternative Law Forum, Bangalore, as part of the Cybersecurity Series.

"In a strange mix of how both capitalism and state control work, what is happening is that more and more of these places that one could access, for various reasons, whether it is for ones own pleasure or for political conversations, are getting further and further away from us. And I think that that mix of both corporate interests and state control is particularly playing a role in this regard." - Namita Malhotra, researcher and lawyer, Alternative Law Forum

Centre for Internet and Society presents its twelfth installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

Namita Malhotra is a researcher and lawyer at Alternative Law Forum (ALF). She has a keen interest in working on law, technology and media through legal research, cultural studies, new media practices and film making.

ALF homepage: www.altlawforum.org

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-12-namita-malhotra

CIS Cybersecurity Series (Part 11) - Anja Kovacs

purba — 2013-10-15T15:25:07Z

CIS interviews Anja Kovacs, researcher and activist, and director of the Internet Democracy, Project as part of the Cybersecurity Series.

"Having the cyber security debate become more and more important was a real challenge for civil society. I think in part because many of us who were focused on human rights aren't necessarily techies. And so, when you have a conversation with a government bureaucrat, and ask questions about the kind of decisions they decided to take, very often they will come up with a technical answer in response. And then, if you don't have that expertise, it is difficult to react. In the meantime though, I think it has become clear that this is one of the biggest issues in the internet field at the moment. It is also one of the big issues that is driving the desires of governments to have a bigger role to play in internet governance. So it is an area that is unavoidable for activists. What has happened slowly is that we have come to realize that the first thing, as in most other areas, is not the technical details, but principles, and those principles are fairly similar to how they are in many other fields." - Anja Kovacs, Internet Democracy Project

Centre for Internet and Society presents its eleventh installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

In this installment, CIS speaks to Anja Kovacs, director of the Internet Democracy Project. Her work focuses on a wide range of questions regarding freedom of expression, cybersecurity and the architecture of Internet governance as they relate to the Internet and democracy. Anja is currently also a member of the of the Investment Committee of the Digital Defenders Partnership and of the interim Steering Group of Best Bits, a global network of civil society members.

(Bio from internetdemocracy.in)

Internet Democracy Project homepage: http://internetdemocracy.in/

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-11-anja-kovacs

CIS Cybersecurity Series (Part 6) - Lhadon Tethong

purba — 2013-08-01T09:54:46Z

CIS interviews Lhadon Tethong, Tibetan human rights activist, as part of the Cybersecurity Series

"In authoritarian states, and in this case, in Tibet, I think that every person that we can teach and pass knowledge to, that can help them stay out of jail, stay in the streets, for one, two, three days longer, one week longer, that is a valuable time of time and resources. And I think we cannot rely on only tools and technology solutions to protect people. I think we can't just rely on government policies at the highest levels, and on export controls... the approach to digital security has to be comprehensive and we have to engage citizens. And not just in cases like the Tibetans or for activists or for people living under repression, but for people in free and open societies too." - Lhadon Tethong, Tibetan human rights activist.

Centre for Internet and Society presents its sixth installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

In this installment, CIS interviews Lhadon Tethong, Tibetan human rights activist. Lhadon is the Director of the Tibet Action Institute, where she leads a team of technologists and human rights advocates in developing and advancing open-source communication technologies, nonviolent strategies and innovative training programs for Tibetans and other groups facing heavy repression and human rights abuses.

Link for Tibet Action Institute: https://tibetaction.net/

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/cis-cybersecurity-series-part-6-lhadon-tethong

CIS Cybersecurity Series (Part 5) - Amelia Andersdotter

purba — 2013-08-01T09:54:14Z

CIS interviews Amelia Andersdotter, member of the European parliament, as part of the Cybersecurity Series

"Normally a good security policy will also provide privacy to the citizen that is encompassed by the security policy. So things like encryption, for instance, bring a more secure communication, more private communication, where you are able to interact with other people on equal terms and you don't have to fear outside interference. And that is obviously good for both the individual and for security. But then of course, security policies can be framed in different ways. It depends on who you are trying to protect with the security policy. Are you trying to create a secure situation for a copyright holder, or are you trying to create a secure situation for a law enforcement officer, or for a private citizen?" - Amelia Andersdotter, member of European parliament.

Centre for Internet and Society presents its fifth installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

Amelia Andersdotter is a Member of the European Parliament for the Pirate Party in Sweden. She works with industrial policy in the parliamentary committee of Industry, Research and Energy and is a substitute member of the committees for international trade, INTA, and budget control, CONT. Amelia is the Patron of the European Parliament Free Software User Group (EPFSUG), and also works in the delegations for the Andean community and Korean peninsula.

Amelia's website is: http://ameliaandersdotter.eu/

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/cis-cybersecurity-series-part-5-amelia-andersdotter

CIS Cybersecurity Series (Part 3) - Eva Galperin

purba — 2013-08-01T09:55:23Z

CIS interviews Eva Galperin, Global Policy Analyst at the Electronic Frontier Foundation (EFF).

"It is a vital tool for speaking truth to power. Unless you are able to speak anonymously, you are not really free to espouse unpopular ideas to people who have the power to do bad things to do... I think the value of anonymous speech vastly outweighs the difficulties that you can sometimes get into because people can speak anonymously. And on the whole, I think anonymity is worth protecting." - Eva Galperin, Global Policy Analyst at EFF.

Centre for Internet and Society presents its third installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

In this installment, CIS speaks to Eva Galperin, the Global Policy Analyst at the Electronic Frontier Foundation (EFF).She has worked for the EFF in various capacities for the last five years, applying the combination of her political science and technical background to organizing activism campaigns, and doing education and outreach on intellectual property, privacy, and security issues.

EFF homepage: https://www.eff.org/

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/cis-cybersecurity-series-part-3-eva-galperin

CIS contributes to the Research and Advisory Group of the Global Commission on the Stability of Cyberspace (GCSC)

Arindrajit Basu — 2018-07-05T16:00:02Z

The Global Commission on the Stability of Cyberspace (GCSC) is an initiative of the Hague Centre for Strategic Studies and the East West Institute that seeks to promote mutual awareness and understanding among various cyberspace communities. It seeks to develop norms and policies that advance the stability and security of cyberspace.

Chaired by Marina Kaljurand, and Co-Chaired by Michael Chertoff and Latha Reddy, the Commission comprises 26 prominent Commissioners who are experts hailing from a wide range of geographic regions representing multiple communities including academia industry, government, technical and civil society.

As a part of their efforts, the GCSC sent out a call for proposals for papers that sought to analyze and advance various aspects of the cyber norms debate.

Elonnai Hickok and Arindrajit Basu’s paper ‘ Conceptualizing an International Security Architecture for Cyberspace’ was selected by the Commissioners and published as a part of the Briefings of the Research and Advisory Group.

Arindrajit Basu represented CIS at the Cyberstability Hearings held by the GCSC at the sidelines of the GLOBSEC forum in Bratislava-a multilateral conference seeking to advance dialogue on various issues of international peace and security.

The published paper and the Power Point may be accessed here.

The agenda for the hearings is reproduced below

GCSC HEARINGS, 19 MAY 2018

HEARINGS: TOWARDS INTERNATIONAL CYBERSTABILITY

Venue: “Habsburg” room, Grand Hotel River Park 15:00-15:15

Welcome Remarks by Marina Kaljurand, Chair of the Global Commission on the Stability of Cyberspace (GCSC) and former Foreign Minister of Estonia 15:15-16:45

Hearing I: Expert Hearing

This session focuses on the topic Cyberstability and the International Peace and Security Architecture and includes scene settings, food-for-thought presentations on the new GCSC commissioned research, briefings and open statements by government and nongovernmental speakers.

“Scene setting: ”Cyber Diplomacy in Transition” by Carl Bildt, former Prime Minister of Sweden

“Commissioned Research I: Lessons learned from three historical case studies on establishing international norms” by Arindrajit Basu, Centre for Internet and Society, India

Commission Research II: The “pre-normative” framework and options for cyber diplomacy” by Elana Broitman, New America Foundation

“Some Remarks on current thinking within the United Nations”, by Renata Dwan, Director United Nations Institute for Disarmament Research (UNIDIR) (Registered Statements by Government Advisors) (Statements by other experts)

(Open floor discussion) 16:45-17:15

Coffee Break

For more details visit https://cis-india.org/internet-governance/blog/cis-contributes-to-the-research-and-advisory-group-of-the-global-commission-on-the-stability-of-cyberspace-gcsc

CIS contributes to ABLI Compendium on Regulation of Cross-Border Transfers of Personal Data in Asia

Amber Sinha and Elonnai Hickok — 2018-06-03T15:10:11Z

The Asian Business Law Institute, based in Singapore published a compendium on “Regulation of cross-border transfer of personal data in Asia”. This was part of an exercise to explore legal convergence around issues such as data protection, enforcement of foreign judgments and principle of restructuring in Asia.

The compendium contains 14 detailed reports written by legal practitioners, legal scholars and researchers in their respective jurisdictions, on the regulation of cross-border data transfers in the wider Asian region (Australia, China, Hong Kong SAR, India, Indonesia, Japan, South Korea, Macau SAR, Malaysia, New Zealand, Philippines, Singapore, Thailand, and Vietnam).

The compendium is intended to act as a springboard for the next phase of ABLI's project, which will be devoted to the in-depth study of the differences and commonalities between Asian legal systems on these issues and – where feasible – the drafting of recommendations and/or policy options to achieve convergence in this area of law in Asia.

The chapter titled Jurisdictional Report India was authored by Amber Sinha and Elonnai Hickok. The compendium can be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/regulation-of-cross-border-transfers-of-personal-data-in-asia

CIS Comments: Enhancing ICANN Accountability

geetha — 2014-06-10T13:03:57Z

On May 6, 2014, ICANN published a call for public comments on "Enhancing ICANN Accountability". This comes in the wake of the IANA stewardship transition spearheaded by ICANN and related concerns of ICANN's external and internal accountability mechanisms. Centre for Internet and Society contributed to the call for comments.

Introduction:

On March 14, 2014, the US National Telecommunications and Information Administration announced its intent to transition key Internet domain name functions to the global multi-stakeholder Internet governance community. ICANN was tasked with the development of a proposal for transition of IANA stewardship, for which ICANN subsequently called for public comments. At NETmundial, ICANN President and CEO Fadi Chehadé acknowledged that the IANA stewardship transition and improved ICANN accountability were inter-related issues, and announced the impending launch of a process to strengthen and enhance ICANN accountability in the absence of US government oversight. The subsequent call for public comments on “Enhancing ICANN Accountability” may be found here.

Suggestions for improved accountability:

In the event, Centre for Internet and Society (“CIS”) wishes to limit its suggestions for improved ICANN accountability to matters of reactive or responsive transparency on the part of ICANN to the global multi-stakeholder community. We propose the creation and implementation of a robust “freedom or right to information” process from ICANN, accompanied by an independent review mechanism.

Article III of ICANN Bye-laws note that “ICANN and its constituent bodies shall operate to the maximum extent feasible in an open and transparent manner and consistent with procedures designed to ensure fairness”. As part of this, Article III(2) note that ICANN shall make publicly available information on, inter alia, ICANN’s budget, annual audit, financial contributors and the amount of their contributions, as well as information on accountability mechanisms and the outcome of specific requests and complaints regarding the same. Such accountability mechanisms include reconsideration (Article IV(2)), independent review of Board actions (Article IV(3)), periodic reviews (Article IV(4)) and the Ombudsman (Article V).

Further, ICANN’s Documentary Information Disclosure Policy (“DIDP”) sets forth a process by which members of the public may request information “not already publicly available”. ICANN may respond (either affirmatively or in denial) to such requests within 30 days. Appeals to denials under the DIDP are available under the reconsideration or independent review procedures, to the extent applicable.

While ICANN has historically been prompt in its response to DIDP Requests, CIS is of the view that absent the commitments in the AoC following IANA stewardship transition, it would be desirable to amend and strengthen Response and Appeal procedures for DIDP and other, broader disclosures. Our concerns stem from the fact that, first, the substantive scope of appeal under the DIDP, on the basis of documents requested, is unclear (say, contracts or financial documents regarding payments to Registries or Registrars, or a detailed, granular break-up of ICANN’s revenue and expenditures); and second, that grievances with decisions of the Board Governance Committee or the Independent Review Panel cannot be appealed.

Therefore, CIS proposes a mechanism based on “right to information” best practices, which results in transparent and accountable governance at governmental levels.

First, we propose that designated members of ICANN staff shoulder responsibility to respond to information requests. The identity of such members (information officers, say) ought to be made public, including in the response document.

Second, an independent, third party body should be constituted to sit in appeal over information officers’ decisions to provide or decline to provide information. Such body may be composed of nominated members from the global multi-stakeholder community, with adequate stakeholder-, regional- and gender-representation. However, such members should not have held prior positions in ICANN or its related organizations. During the appointed term of the body, the terms and conditions of service ought to remain beyond the purview of ICANN, similar to globally accepted principles of an independent judiciary. For instance, the Constitution of India forbids any disadvantageous alteration of privileges and allowances of judges of the Supreme Court and High Courts during tenure.

Third, and importantly, punitive measures ought to follow unreasonable, unexplained or illegitimate denials of requests by ICANN information officers. In order to ensure compliance, penalties should be made continuing (a certain prescribed fine for each day of information-denial) on concerned officers. Such punitive measures are accepted, for instance, in Section 20 of India’s Right to Information Act, 2005, where the review body may impose continuing penalties on any defaulting officer.

Finally, exceptions to disclosure should be finite and time-bound. Any and all information exempted from disclosure should be clearly set out (and not merely as categories of exempted information). Further, all exempted information should be made public after a prescribed period of time (say, 1 year), after which any member of the public may request for the same if it continues to be unavailable.

CIS hopes that ICANN shall deliver on its promise to ensure and enhance its accountability and transparency to the global multi-stakeholder community. To that end, we hope our suggestions may be positively considered.

Comment repository:

All comments received by ICANN during the comment period (May 6, 2014 to June 6, 2014) may be found at this link.

For more details visit https://cis-india.org/internet-governance/blog/cis-comments-enhancing-icann-accountability

CIS Comments on the Draft National Policy on Electronics

pranesh — 2011-11-01T00:05:32Z

These were the comments submitted by CIS to the request for comments put out by the Department of Information Technology on its draft 'National Policy on Electronics'.

The Department of Information Technology must be commended for taking the initiative to create this policy which aims to reduce India’s dependence on other countries for crucial electronic hardware requirements, and to increase Indian production to such a capacity as to not only serve India’s increasing demand for electronics, but to fulfil foreign demand as well.

We have mainly focused our comments on the implications of the patent regime on this laudable goal.

Technology Transfer

An area that the policy is silent on is technology transfer. In relation to technology, the main bargain embedded in the Trade-Related Intellectual Property Rights (TRIPS) Agreement of the WTO was the increase in the level of protection offered under patent laws of developing countries in exchange for increased transfer of technological know-how from the developed countries. While India has increased patent protection in accordance with the TRIPS Agreement, there has been no commensurate transfer of technology from countries which are currently hubs of electronics know-how.

One important example is China’s policy on transfer of technology along the whole value chain to enable domestic firms to gain technological expertise.

The Association of American Manufacturing notes, “One of the most potent weapons China has used to move up the value chain is forced technology transfer … It is only through the acquisition (rather than internal development) of sophisticated technologies that Chinese companies have been able to rapidly enter and expand in sophisticated industries ….”

This insistence on technology transfer as a national policy has served China well, and their experience should be incorporated into India’s National Policy on Electronics. This is not to say that India should not internally develop our own technological capabilities, but that the Indian government must use the policy space available to it to ensure that acquisition of technological capabilities happens alongside.

Outflow of Foreign Exchange as Royalties Creating Adverse Balance of Payments

The latest data from the World Bank shows that our balance of payments is increasing adversely at an alarming rate, and has now reached over USD 2.38 billion.

Our royalty and licence fee payments have kept on increasing at an astounding rate.

Table: India’s royalty and licence fees payments (current USD)

1991	2006	2007	2008	2009	2010
49,565,208	845,949,436	1,159,824,391	1,528,826,913	1,860,283,808	2,437,500,663

Meanwhile India’s income is gaining slowly and erratically, and in 20100 reached USD 59.6 million.

Table: India’s royalty and licence fees, receipts (current USD)

1991	2006	2007	2008	2009	2010
615,525	13,445,053	30,690,000	27,211,957	38,128,141	59,560,687

This bleeds the Indian economy through a very inefficient outflow of capital. Insisting on transfer of technology is an important component in slowing down this trend.

Linking of Value Chain and Preferential Treatment

One important clarification that is needed in the policy (specifically clause IV.1.3) is that “domestically manufactured electronic products” is intended to mean not those products for which the last part of value has been added in India. This way essentially non-Indian products with Indian branding can be seen to be “domestically manufactured electronic products”. The longer the Indian part of the value chain, the more preference it should be given, and holding by Indian companies of essential patent rights (or the availability of greater number of components of the product under royalty-free, FRAND and RAND licences) could be an important criteria. This will also encourage the transfer of technological know-how to Indian firms.

Preferential Treatment

Some may argue that the provision of preferential treatment to domestic manufacturers contravenes the GATT Agreement, however the GATT Agreement itself provides a usable exception in Article 3(8):

Article III: National Treatment on Internal Taxation and Regulation

8 (a) The provisions of this Article shall not apply to laws, regulations or requirements governing the procurement by governmental agencies of products purchased for governmental purposes and not with a view to commercial resale or with a view to use in the production of goods for commercial sale.

(b) The provisions of this Article shall not prevent the payment of subsidies exclusively to domestic producers, including payments to domestic producers derived from the proceeds of internal taxes or charges applied consistently with the provisions of this Article and subsidies effected through governmental purchases of domestic products.

Thus, by crafting any further regulation under this policy to fit within this exception, India would not fall afoul of its obligations under GATT.

Cybersecurity and Source Code

An important aspect of the cybersecurity that is discussed in clause IV.5 is the ability to validate the lack of malicious code in the electronics used in strategically important infrastructure. For this, manufacturers must be required to provide the source code as part of government tenders in strategically important infrastructure.

Distinction between Innovation and Intellectual Property

The Electronic Development Fund must seek to promote innovation, research and development, and commercialization of products, and must be used to strategically acquire patents. Promotion of patents is not an end in itself, unlike promotion of innovation and ensuring that research and development reaches markets through commercialization. Patents are only a means to an end, and may sometimes be strategically useful, and often stand in way of gaining optimal use of technology by markets due to their monopolistic nature. Thus, it is recommended that “promotion of IP” be dropped from this clause, and instead “promotion of strategic acquirement and use of patents” be substituted in its place.

National Electronics Mission

The National Electronics Mission should not only have industry participation but also participation from academia and civil society.

Funding

The issue of funding for the initiatives outlined in this policy must be addressed as well.

For more details visit https://cis-india.org/internet-governance/comments-draft-national-policy-on-electronics

CIS Comments and Recommendations to the Human DNA Profiling Bill, June 2015

Elonnai Hickok, Vipul Kharbanda and Vanya Rakesh — 2015-09-02T17:09:04Z

The Centre for Internet & Society (CIS) submitted a clause-by-clause comments on the Human DNA Profiling Bill that was circulated by the Department of Biotechnology on June 9, 2015.

The Centre for Internet and Society is a non-profit research organisation that works on policy issues relating to privacy, freedom of expression, accessibility for persons with diverse abilities, access to knowledge, intellectual property rights and openness. It engages in academic research to explore and affect the shape and form of Internet, along with its relationship with the Society, with particular emphasis on South-South dialogues and exchange. The Centre for Internet and Society was also a member of the Expert Committee which was constituted in the year 2013 by the Department of Biotechnology to discuss the draft Human DNA Profiling Bill.

Missing aspects from the Bill

The Human DNA Profiling Bill, 2015 has overlooked and has not touched upon the following crucial factors :

Objects Clause

An ‘objects clause,’ detailing the intention of the legislature and containing principles to inform the application of a statute, in the main body of the statute is an enforceable mechanism to give directions to a statute and can be a formidable primary aid in statutory interpretation. [See, for example, section 83 of the Patents Act, 1970 that directly informed the Order of the Controller of Patents, Mumbai, in the matter of NATCO Pharma and Bayer Corporation in Compulsory Licence Application No. 1 of 2011.] Therefore, the Bill should incorporate an objects clause that makes clear that

“DNA profiles merely estimate the identity of persons, they do not conclusively establish unique identity, therefore forensic DNA profiling should only have probative value and not be considered as conclusive proof.

The Act recognises that all individuals have a right to privacy that must be continuously weighed against efforts to collect and retain DNA and in order to protect this right to privacy the principles of notice, confidentiality, collection limitation, personal autonomy, purpose limitation and data minimization must be adhered to at all times.”

Collection and Consent

The Bill does not contain provisions regarding instances when the DNA samples can be collected from the individuals without consent (nor does the Bill establish or refer to an authorization procedure for such collection), when DNA samples can be collected from individuals only with informed consent, and how and in what instances individuals can withdraw their consent. The issue of whether DNA samples can be collected without the consent of the individual is a vexed one and requires complex questions relating to individual privacy as well as the right against self incrimination. While the question of whether an accused can be made to give samples of blood, semen, etc. which had been in issue in a wide gamut of decisions in India has finally been settled by section 53 of the Code of Criminal Procedure, which allows collection of medical evidence from an accused, thus laying to rest any claims based on the right against self incrimination. However there are still issues dealing with the right to privacy and the violation thereof due to the non-consensual collection of DNA samples. This is an issue which needs to be addressed in this Act itself and should not be left unaddressed as this would only lead to a lack of clarity and protracted court cases to determine this issue. An illustration of this problem is where the Bill allows for collection of intimate body samples. There is a need for inclusion of stringent safeguard measures regarding the same since without such safeguards, the collection of intimate body samples would be an outright infringement of privacy. Further, maintaining a database for convicts and suspects is one thing, however collecting and storing intimate samples of individuals is a gross violation of the citizens’ right to privacy, and without adequate mechanisms regarding consent and security, stands at a huge risk of being misused.

Privacy Safeguards

Presently, the Bill is being introduced without comprehensive privacy safeguards in place on issues such as consent, collection, retention, etc. as is evident from the comments made below. Though the DNA Board is given the responsibility of recommending best practices pertaining to privacy (clause 13 (l)) – this is not adequate given the fact that India does not have a comprehensive privacy legislation. Though section 43A and associated Rules of the Information Technology Act would apply to the collection, use, and sharing of DNA data by DNA laboratories (as they would fall under the definition of ‘body corporate’ under the IT Act), the National and State Data Banks and the DNA Board would not clearly be body corporate as per the IT Act and would not fall under the ambit of the provision or Rules. Safeguards are needed to protect against the invasion of informational privacy and physical privacy at the level of these State controlled bodies. The fact that the Bill is to be introduced into Parliament prior to the enactment of a privacy legislation in India is significant as according to discussions in the Record Notes of the 4h Meeting of the Expert Committee - “the Expert Committee also discussed and emphasized that the Privacy Bill is being piloted by the Government. That Bill will over-ride all the other provisions on privacy issues in the DNA Bill.”

Lack of restriction on type of analysis to be performed

The Bill currently does not provide any restriction on the types of analysis that can be performed on a DNA sample or profile. This could allow for DNA samples to be analyzed for purposes beyond basic identification of an individual – such as for health, genetic, or racial purposes. As a form of purpose limitation the Bill should define narrowly the types of analysis that can be performed on a DNA sample.

Purpose Limitation

The Bill does not explicitly restrict the use of a DNA sample or DNA profile to the purpose it was originally collected and created for. This could allow for the re-use of samples and profiles for unintended purposes.

Annual Public Reporting

The Bill does not require the DNA Board to disclose publicly available information on an annual basis regarding the functioning and financial aspects of matters contained within the Bill. Such disclosure is crucial in ensuring that the public is able to make informed decisions. Categories that could be included in such reports include: Number of DNA profiles added to each indice within the databank, total number of DNA profiles contained in the database, number of DNA profiles deleted from the database, the number of matches between crime scene DNA profiles and DNA profiles, the number of cases in which DNA profiles were used in and the percentage in which DNA profiles assisted in the final conclusion of the case, and the number and categories of DNA profiles shared with international entities.

Elimination Indice

An elimination indice containing the profiles of medical professionals, police, laboratory personnel etc. working on a case is necessary in case they contaminate collected samples by accident.

Clause by Clause Recommendations

As stated the Human DNA Profiling Bill 2015 is to regulate the use of DNA analysis of human body substances profiles and to establish the DNA Profiling Board for laying down the standards for laboratories, collection of human body substances, custody trail from collection to reporting and also to establish a National DNA Data Bank.

Comment:

As stated, the purpose of the DNA Human Profiling Bill is to broadly regulate the of DNA analysis and establish a DNA Data Bank. Despite this, the majority of provisions in the Bill pertain to the collection, use, access etc. of DNA samples and profiles for civil and criminal purposes. The result of this is an 'unbalanced Bill' - with the majority of provisions focusing on issues related to forensic use. At the same time the Bill is not a comprehensive forensic bill – resulting in legislative gaps.
Additionally, the Bill contains provisions beyond the stated purpose. These include:

Facilitating the creation of a Data Bank for statistical purposes (Clause 33(e))
Establishing state and regional level databanks in addition to a national level databank (Clause 24)
Developing procedure and providing for the international sharing of DNA profiles with foreign Governments, organizations, institutions, or agencies. (Clause 29)

Recommendation:

The Bill should ideally be limited to regulating the use of DNA samples and profiles for criminal purposes. If the scope remains broad, all purposes should be equally and comprehensively regulated.
The stated purpose of the Bill should address all aspects of the Bill. Provisions beyond the scope of the Bill should be removed.

Chapter 1: Preliminary

Clause 2: This clause defines the terms used in the Bill.

Comment: A number of terms are incomplete and some terms used in the Bill have not been included in the list of definitions.

Recommendation:

The definition of DNA Data bank manager - clause 2 (1)(g) - must be renamed as National DNA Data bank manager.
The definition of “DNA laboratory” in clause 2(1)(h) should refer to the specific clauses that empower the Central Government and State Governments to license and recognise DNA laboratories. This is a drafting error.

The definition of “DNA profile” in clause 2(1)(i) is too vague. Merely the results of an analysis of a DNA sample may not be sufficient to create an actual DNA profile. Further, the results of the analysis may yield DNA information that, because of incompleteness or lack of information, is inconclusive. These incomplete bits of information should not be recognised as DNA profiles. This definition should be amended to clearly specify the contents of a complete and valid DNA profile that contains, at least, numerical representations of 17 or more loci of short tandem repeats that are sufficient to estimate biometric individuality of a person. The definition of “DNA profile” does not restrict the analysis to forensic DNA profiles: this means additional information, such as health-related information could be analyzed and stored against the wishes of the individual, even though such information plays no role in solving crimes.

The term “known sample” that is defined in clause 2(1)(m) is not used anywhere outside the definitions clause and should be removed.

The definition of “offender” in clause 2(1)(q) is vague because it does not specify the offenses for which an “offender” needs to be convicted. It is also linked to an unclear definition of the term “under trial”, which does not specify the nature of pending criminal proceedings and, therefore, could be used to describe simple offenses such as, for example, failure to pay an electricity bill, which also attracts criminal penalties.

The term “proficiency testing” that is defined in clause 2(1)(t) is not used anywhere in the text of the DNA Bill and should be removed.

The definitions of “quality assurance”, “quality manual” and “quality system” serve no enforceable purpose since they are used only in relation to the DNA Profiling Board’s rule making powers under Chapter IX, clause 58. Their inclusion in the definitions clause is redundant. Accordingly, these definitions should be removed.

The term “suspect” defined in clause 2(1)(za) is vague and imprecise. The standard by which suspicion is to be measured, and by whom suspicion may be entertained – whether police or others, has not been specified. The term “suspect” is not defined in either the Code of Criminal Procedure, 1973 ("CrPC") or the Indian Penal Code, 1860 ("IPC").

The term volunteer defined in clause 2(zf) only addresses consent from the parent or guardian of a child or an incapable person. This term should be amended to include informed consent from any volunteer.

Chapter II: DNA Profiling Board

Clause 4: This clause addresses the composition of the DNA Profiling Board.

Comment: The size and composition of the Board that is staffed under clause 4 is extremely large. The number of members remains to be 15, as it was in the 2012 Bill.

Recommendation: Drawing from the experiences of other administrative and regulatory bodies in India, the size of the Board should be reduced to no more than five members. The Board must contain at least:

One ex-Judge or senior lawyer
Civil society – both institutional and non-institutional
Privacy advocates

Note: The reduction of the size of the Board was agreed upon by the Expert Committee from 16 members (2012 Bill) to 11 members. This recommendation has not been incorporated.

Clause 5(1): The clause specifies the term of the Chairperson of the DNA Profiling Board to be five years and also states that the person shall not be eligible for re-appointment or extension of the term so specified.

Comment: The Chairperson of the Board, who is first mentioned in clause 5(1), has not been duly and properly appointed.

Recommendation: Clause 4 should be amended to mention the appointment of the Chairperson and other Members.

Clause 7: The clause requires members to react on a case-by-case basis to the business of the Board by excusing themselves from deliberations and voting where necessary.

Comment: This clause addresses the issue of conflict of interest only in narrow cases and does not provide penalty if a member fails to adhere to the laid out procedure.

Recommendation: The Bill should require members to make full and public disclosures of their real and potential conflicts of interest and the Chairperson must have the power to prevent such members from voting on interested matters. Failure to follow such anti-collusion and anti-corruption safeguards should attract criminal penalties.

Clause 12(5): The clause states that the board shall have the power to co-opt such number of persons as it may deem necessary to attend the meetings of the Board and take part in the proceedings of the board, but such persons will not have the right to vote.

Comment: While serving on the Expert Committee, CIS provided language regarding how the Board could consult with the public. This language has not been fully incorporated.

Recommendation: As per the recommendation of CIS, the following language should be adopted in the Bill: The Board, in carrying out its functions and activities, shall be required to consult with all persons and groups of persons whose rights and related interests may be affected or impacted by any DNA collection, storage, or profiling activity. The Board shall, while considering any matter under its purview, co-opt or include any person, group of persons, or organisation, in its meetings and activities if it is satisfied that that person, group of persons, or organisation, has a substantial interest in the matter and that it is necessary in the public interest to allow such participation. The Board shall, while consulting or co-opting persons, ensure that meetings, workshops, and events are conducted at different places in India to ensure equal regional participation and activities.

Clause 13: The clause lays down the functions to be performed by the DNA Profiling Board, which includes it’s role in regulation of the DNA Data Banks, DNA Laboratories and techniques to be adopted for collection of the DNA samples.

Comment: While serving on the Expert Committee, CIS recommended that the functions of the DNA Profiling Board should be limited to licensing, developing standards and norms, safeguarding privacy and other rights, ensuring public transparency, promoting information and debate and a few other limited functions necessary for a regulatory authority.

Furthermore, this clause delegates a number of functions to the Board that places the Board in the role of a manager and regulator for issues pertaining to DNA Profiling including functions of the DNA Databases, DNA Laboratories, ethical concerns, privacy concerns etc.

Recommendation: As per CIS’s recommendations the functions of the Board should be limited to licensing, developing standards and norms, safeguarding privacy and other rights, ensuring public transparency, promoting information and debate and a few other limited functions necessary for a regulatory authority.

Towards this, the Board should be comprised of separate Committees to address these different functions. At the minimum, there should be a Committee addressing regulatory issues pertaining to the functioning of Data Banks and Laboratories and an Ethics Committee to provide independent scrutiny of ethical issues. Additionally:

Clause 13(j) allows the Board to disseminate best practices concerning the collection and analysis of DNA samples to ensure quality and consistency. The process for collection of DNA samples and analysis should be established in the Bill itself or by regulations. Best practices are not enforceable and do not formalize a procedure.
Clause 13(q) allows the Board to establish procedure for cooperation in criminal investigation between various investigation agencies within the country and with international agencies. This procedure, at the minimum, should be subject to oversight by the Ministry of External Affairs.

Chapter III: Approval of DNA Laboratories

Clause 15: This clause states that every DNA Laboratory has to make an application before the Board for the purpose of undertaking DNA profiling and also for renewal.

Comment: Though the Bill requires DNA Laboratories to make an application for the undertaking DNA Profiling, it does not clarify that the Lab must receive approval before collection and analysis of DNA samples and profiles.

Recommendation: The Bill should clarify that all DNA Laboratories must receive approval for functioning prior to the collection or analysis of any DNA samples and profiles.

Chapter IV: Standards, Quality Control and Quality Assurance Obligations of DNA Laboratory and Infrastructure and Training

Clause 19: This clause defines the obligations of a DNA laboratory. Sub-section (d) maintains that one such obligation is the sharing of the 'DNA data' prepared and maintained by the laboratory with the State DNA Data Bank and the National DNA Data Bank.

Comment: ‘DNA Data’ is a new term that has not been defined under Clause 2 of the Bill. It is thus unclear what data would be shared between State DNA data banks and the National DNA data bank - DNA samples? DNA profiles? associated records? It is also unclear in what manner and on what basis the information would be shared.

Recommendation: The term ‘DNA Data’ should be defined to clarify what information will be shared between State and National DNA Data Banks. The flow of and access to data between the State DNA Data Bank and National DNA Data Bank should also be established in the Bill.

Clause 22: The clause lays down the measures to be adopted by a DNA Laboratory and 22(h) includes a provision requiring the conducting of annual audits according to prescribed standards.

Comment:

The definition of “audit” under Chapter VI in clause 22 under ‘Explanation’ is relevant for measuring the training programmes and laboratory conditions. However, the term “audit” is subsequently used in an entirely different manner in Chapter VII which relates to financial information and transparency.
The standards for the destruction of DNA samples have not been included within the list of measures that DNA laboratories must take.

Recommendation:

The definition of ‘audit’ must be amended or removed as it is being used in different contexts. The term “audit” has a well established use for financial information that does not require a definition.
Standards for the destruction of DNA samples should be developed and included as a measure DNA laboratories must take.
Clause 23: This clause lays down the sources for collection of samples for the purpose of DNA profiling. 23(1)(a) includes collection from bodily substances and 23(1)(c) includes clothing and other objects. Explanation (b) provides a definition of 'intimate body sample'.

Comment:

Permitting the collection of DNA samples from bodily substances and clothing and other objects allows for the broad collection of DNA samples without contextualizing such collection. In contrast 23(b) Scene of occurrence or scene of crime limits the collection of samples to a specific context.
This clause also raises the issue of consent and invasion of privacy of an individual. If “intimate body samples” are to be taken of individuals, then this would be an invasion of the person’s right to bodily privacy if such collection is done without the person’s consent (except in the specific instance when it is done in pursuance of section 53 of the Criminal Procedure Code).

Recommendation:

Sources for the collection of DNA samples should be contextualized to prevent broad, unaccounted for, or unregulated collection. Clause (a) and (c) should be deleted and replaced with contexts in which the collection DNA collection would be permitted.
The Bill should specify circumstances on which non-intimate samples can be collected and the process for the same.
The Bill should specify that intimate body samples can only be taken with informed consent except as per section 53 of the Criminal Procedure Code.
The Bill should require that any individual that has a sample taken (intimate and non-intimate) is provided with notice of their rights and the future uses of their DNA sample and profile.

Chapter V: DNA Data Bank

Clause 24:This clause addresses establishment of DNA Data Banks at the State and National Level. 24(5) establishes that the National DNA Data Bank will receive data from State DNA Data Banks and store the approved DNA Profiles as per regulations.

Comment:

As noted previously, ‘DNA Data’ is a new term that has not been defined in the Bill. It is thus unclear what data would be shared between State DNA data banks and the National DNA data bank - DNA samples? DNA profiles? associated records?
The process for sharing Data between the State and National Data Banks is not defined.

Recommendation:

The term ‘DNA Data’ should be defined to clarify what information will be shared between State and National DNA Data Banks.
The process for the National DNA Data Bank receiving DNA data from State DNA Data Banks and DNA laboratories needs to be defined in the Bill or by regulation. This includes specifying how frequently information will be shared etc.

Clause 25: This clause establishes standards for the maintenance of indices by DNA databanks. 25(1) states that every DNA Data Bank needs to maintain the prescribed indices for various categories of data including an index for a crime scene, suspects, offenders, missing persons, unknown deceased persons, volunteers, and other indices as may be specified by regulation. 25(2) states that in addition to the indices, the DNA Data Bank should contain information regarding each of the DNA profiles. It can either be the identity of the person from whose bodily substance the profile was derived in case of a suspect or an offender, or the case reference number of the investigation associated with such bodily substances in other cases. 25(3) states that the indices maintained shall include information regarding the data which is based on the DNA profiling and the relevant records.

Comment:

25(1): The creation of multiple indices cannot be justified and must be limited since collection of biological source material is an invasion of privacy that must be conducted only in strict conditions when the potential harm to individuals is outweighed by the public good. This balance may only be struck when dealing with the collection and profiling of samples from certain categories of offenders. The implications of collecting and profiling DNA samples from corpses, suspects, missing persons and others are vast. Specifically a 'volunteer' index could possibly be used for racial/community/religious profiling.
25(2): This clause requires the names of individuals to be connected to their profiles, and hence accessible to persons having access to the databank.
25(3) The clause states that only information related to DNA profiling and will be stored in an indice. Yet, it is unclear what such information might be. This could allow inconsistencies in data stored in an indice and could allow for unnecessary information to be stored on an indice.

Recommendation:

25(1) Ideally, DNA databanks should be created for dedicated purposes. This would mean that a databank for forensic purposes should contain only an offenders’ index and a crime scene index while a databank for missing persons would contain only a missing persons indice etc. If numerous indices are going to be contained in one databank, the Bill needs to recognize the sensitivity of each indice as well as the difference between each indice and lay down appropriate and strict conditions for collection of data for such indice, addition of data into the indice, as well as use, access, and retention of data within the indice.
25(2) DNA profiles, once developed, should be maintained with complete anonymity and retained separate from the names of their owners. This amendment becomes even more important if we consider the fact that an “offender” may be convicted by a lower court and have his profile included in the data bank, but may get acquitted later. However, till the time that such person is acquitted, his/her profile with the identifying information would still be in the data bank, which is an invasion of privacy.
25(3) What information will be stored in indices should be clearly defined in the Bill and should be tailored appropriately to each category of indice.

Clause 28: This clause addresses the comparison and communication of DNA profiles. 28(1) states that the DNA profile entered in the offenders or crime scene index shall be compared by the DNA Data Bank Manger against profiles contained in the DNA Data Bank and the DNA Data Bank Manager will communicate such information with any court, tribunal, law enforcement agency, or approved DNA laboratory which he may consider appropriate for the purpose of investigation. 28(2) allows for any information relating to a person's DNA profile contained in the suspect's index or offenders' index to be communicated to authorised persons.

Comment:

28(1) (a-c) allows for the DNA Bank Manager to communicate the following: 1.) if the DNA profile is not contained in the Data Bank and what information is not contained, 2.) if the DNA profile is contained in the data bank and what information is contained, and if in the opinion of the Manager, 3.) the DNA profile is similar to one stored in the Databank. These options of communication are problematic as they 1. allow for all associated information to be communicated – even if such information is not necessary, 2.) Allows for the DNA Databank Manager to communicate that a profile is 'similar' without defining what 'similar' would constitute.
28(1) only addresses the comparison of DNA profiles entered into the offenders index or the crime scene index against all other profiles entered into the DNA Data Bank.
28(1) gives the DNA Data Bank manager broad discretion in determining if information should be communicated and requires no accountability for such a decision.
28(2) only addresses information in the suspect's and offender's index and does not address information in any other index.

Recommendation:

Rather than allowing for broad searches across the entire database, the Bill should be clear about which profiles can be compared against which indices. Such distinctions must take into consideration if a profile was taken on consent and what was consented to.
Ideally, the response from the DNA Databank Manager should be limited to a 'yes' or 'no' response and only further information should be revealed on receipt of a court order.
The Bill should define what constitutes 'similar'
A process for determining if information should be communicated should be established in the Bill and followed by the DNA Data Bank Manager. The Manager should also be held accountable through oversight mechanisms for such decisions. This is particularly important, as a DNA laboratory would be a private body.
Information stored in any index should be disclosed to only authorized parties.

Clause 29: This clause provides for comparison and sharing of DNA profiles with foreign Government, organisations, institutions or agencies. 29(1) allows the DNA Bank Manager to run a comparison of the received profile against all indices in the databank and communicate specified responses through the Central Bureau of Investigation.

Comment: This clause allows for international disclosures of DNA profiles of Indians through a procedure that is to be established by the Board (see clause 13(q))

Recommendation: The disclosure of DNA profiles of Indians with international entities should be done via the MLAT process as it is the typical process followed when sharing information with international entities for law enforcement purposes.

Clause 30: This clause provides for the permanent retention of information pertaining to a convict in the offenders’ index and the expunging of such information in case of a court order establishing acquittal of a person, or the conviction being set aside.

Comment: This clause addresses only the retention and expunging of records of a convict stored in the offenders index upon the receipt of a court order or the conviction being set aside. This implies that records in all other indices - including volunteers - can be retained permanently. This clause also does not address situations where an individuals DNA profile is added to the databank, but the case never goes to court.

Recommendation: The Bill should establish retention standards and deletion standards for each indice that it creates. Furthermore, the Bill should require the immediate destruction of DNA samples once a DNA profile for identification purposes has been created. An exception to this should be the destruction of samples stored in the crime scene index.

Chapter VI: Confidentiality of and Access to DNA Profiles, Samples, and Records

Clause 33: This provision lays down the cases and the persons to which information pertaining to DNA profiles, samples and records stored in the DNA Data Bank shall be made available. Specifically, 33(e) permits disclosure for the creation and maintenance of a population statistics Data Bank.

Comment:

This clause addresses disclosure of information in the DNA Data Bank, but does not directly address the use of DNA samples or DNA profiles. This allows for the possibility of re-use of samples and profiles.
There is no limitation on the information that can be disclosed. The clause allows for any information stored in the Data Bank to be disclosed for a number of circumstances/to a variety of people.
There is no authorization process for the disclosure of such information. Of the circumstances listed – an authorization process is mentioned only for the disclosure of information in the case of investigations relating to civil disputes or other civil matters with the concurrence of the court. This implies that there is no procedure for authorizing the disclosure of information for identification purposes in criminal cases, in judicial proceedings, for facilitating prosecution and adjudication of criminal cases, for the purpose of taking defence by an accused in a criminal case, and for the creation and maintenance of a population statistics Data Bank.

Recommendation:

The Bill should establish an authorization process for the disclosure of information stored in a data bank. This process must limit the disclosure of information to what is necessary and proportionate for achieving the requested purpose.
Clause 33(e) should be deleted as the non-consensual disclosure of DNA profiles for the study of population genetics is specifically illegal. The use of the database for statistical purposes should be limited to purposes pertaining to understanding effectiveness of the databank.
Clause 33(f) should be deleted as it is not necessary for DNA profiles to be stored in a database to be useful for civil purposes. Instead samples for civil purposes are only needed as per the relevant case and specified persons.
Clause 33(g) should be deleted as it allows for the scope of cases in which DNA can be disclosed to by expanded as prescribed.

Clause 34: This clause allows for access to information for operation maintenance and training.
Comment: This clause would allow individuals in training access to data stored on the database for training purposes. This places the security of the databank and the data stored in the databank at risk.
Recommendation: Training of individuals should be conducted via simulation only.

Clause 35: This clause allows for access to information in the DNA Data Bank for the purpose of a one time keyboard search. A one time keyboard search allows for information from a DNA sample to be compared with information in the index without the information from the DNA sample being included in the index. The clause allows for an authorized individual to carry out such a search on information obtained from an DNA sample lawfully collected for the purpose of criminal investigation, except if the DNA sample was submitted for elimination purposes.
Comment: The purpose of this clause is unclear as is the scope. The clause allows for the sample to be compared against 'the index' without specifying which index. The clause also allows for 'information obtained from a DNA sample' rather than a profile. Thus, the clause appears to allow for any information derived from a DNA sample collected for a criminal investigation to be compared against all data within the databank – without recording such information. Such a comparison is vast in scope and open to abuse.
Recommendation: To ensure that this provision is not used for conducting searches outside of the scope of the original purpose, only DNA profiles, rather than 'information derived from a sample' should be allowed to be compared, only the indices relevant to the sample should be compared, and the search should be authorized and justified.
Clause 36 : This clause addresses the restriction of access to information in the crime scene index if the individual is a victim of a specified offense or if the person has been eliminated as a suspect of an investigation.

Comment:

This clause only addresses restriction of access to the crime scene index and does not address restriction of access to other indices.
This clause only restricts access to the indice for certain category of individual and for a specific status of a person. Oddly, the clause does not include authorization or rank as a means for determining or restricting access.

Recommendation:

This clause should be amended to lay down standards for restriction of access for all indices.
Access to all information in the databank should be restricted by default and permission should be based on authorization rather than category or status of individual.

Clause 38: This clause sets out a post-conviction right related to criminal procedure and evidence.

Comment: This clause would fundamentally alter the nature of India’s criminal justice system, which currently does not contain specific provisions for post-conviction testing rights.

Recommendation: This clause should be deleted and the issue of post conviction rights related to criminal procedure and evidence referenced to the appropriate legislation. Clause 38 is implicated by Article 20(2) of the Constitution of India and by section 300 of the CrPC. The principle of autrefois acquit that informs section 300 of the CrPC specifically deals with exceptions to the rule against double jeopardy that permit re-trials. [See, for instance, Sangeeta Mahendrabhai Patel (2012) 7 SCC 721.] The person must be duly accorded with a right to know rules may provide for- the authorized persons to whom information relating to a person’s DNA profile contained in the offenders’ index shall be communicated. Alternatively, this right could be limited only to accused persons who’s trial is still at the stage of production of evidence in the Trial Court. This suggestion is being made because unless the right as it currently stands, is limited in some manner, every convict with the means to engage a lawyer would ask for DNA analysis of the evidence in his/her case thereby flooding the system with useless requests risking a breakdown of the entire machinery.

Chapter VII: Finance, Accounts, and Audit

Clause 39: This clause allows the Central Government to make grants and loans to the DNA Board after due appropriation by Parliament.

Comment: This clause allows the Central Government to grant and loan money to the DNA Board, but does not require any proof or justification for the sum of money being given.

Recommendation: This clause should require a formal cost benefit analysis, and financial assessment prior to the giving of any grants or loans.

Chapter VIII: Offences and Penalties

Chapter IX: Miscellaneous

Clause 53: This clause allows protects the Central Government and the Members of the Board from suit, prosecution, or other legal proceedings for actions that they have taken in good faith.

Comment: Though it is important to take into consideration if an action has been taken in good faith, absolving the Government and Board from accountability for actions leaves little course of redress for the individual. This is particularly true as the Central Government and the Board are given broad powers under the Bill.

Recommended: If the Central Government and the Board will be protected for actions taken in good faith, their powers should be limited. Specifically, they should not have the ability to widen the scope of the Bill.

Clause 57: This clause states that the Central Government will have the powers to make Rules for a number of defined issues.

Comment: 57(d) allows for the regulations to be created regarding the use of population statistics Data Bank created and maintained for the purposes of identification research and protocol development or quality control.

Recommendation: 57(d) should be deleted as any use for the creation of a population statistics Data Bank created and maintained for the purposes of identification research and protocol development or quality control is beyond the scope of the Bill.

Clause 58: This clause empowers the Board to make regulations regarding a number of aspects related to the Bill.
Comment: There a number of functions that the Board can make regulations for that should be defined within the Bill itself to ensure that the scope of the Bill does not expand without Parliamentary oversight and approval.
Recommendation: 58(2)(g) should be deleted as it allows the Board to create regulations for other relevant uses of DNA techniques and technologies, 58(2)(u) should be deleted as it allows the Board to include new categories of indices to databanks, and 58(2) (aa) should be deleted as it allows the Board to decide which other indices a DNA profile may be compared with in the case of sharing of DNA profiles with foreign Governments, organizations, or institutions.

Clause 61: This clause states that no civil court will have jurisdiction to entertain any suit or proceeding in respect of any matter which the Board is empowered to determine and no injunction shall be granted.

Comment: This clause in practice will limit the recourse that individuals can take and will exclude the Board from the oversight of civil or criminal courts.

Recommendation: The power to collect, store and analyse human DNA samples has wide reaching consequences for people whose samples are being utilised for this purpose, specially if their samples are being labeled in specific indexes such as “index of offenders”, etc. The individual should therefore have a right to approach the court of law to safeguard his/her rights. Therefore this provision barring the jurisdiction of the courts should be deleted.

Schedule

Schedule A: The schedule refers to section 33(f) which allows for disclosure of information in relation to DNA profiles, DNA samples, and records in a DNA Data Bank to be communicated in cases of investigations relating to civil disputes or other civil matters or offenses or cases listed in the schedule with the concurrence of the court.

Comment: As 33(f) requires the concurrence of the court for disclosure of information, it is unclear what purpose the schedule serves. If the Schedule is meant to serve as a guide to the Court on appropriate instances for the disclosure of information stored in the DNA databank – the schedule is too general by listing entire Acts, while at the same time being too specific by naming specific Acts. Ideally, courts should use principles and the greater public interest to reach a decision as to whether or not disclosure of information in the DNA databank is appropriate. At a minimum these principles should include necessity (of the disclosure) and proportionality (of the type/amount of information disclosed).

Recommendation: As we recommended the deletion of clause 33(f) as it is not necessary to databank DNA profiles for civil purposes, the schedule should also be deleted.

Note: The schedule differs drastically from previous drafts and from discussions held in the Expert Committee and recommendations agreed upon. As per the Meeting Minutes of the Expert Committee meeting held on November 10th 2014 “The Committee recommended incorporation of the comments received from the members of the Expert Committee appropriately in the draft Bill...Point no. 1 suggested by Mr. Sunil Abraham in the Schedule of the draft Bill to define the cases in which DNA samples can be collected without consent by incorporating point no. 1 (I.e 'Any offence under the Indian Penal Code, 1860 if it is listed as a cognizable offence in Part I of the First Schedule of the code of Criminal Procedure, 1973)”

Download CIS submission here. See the cover letter here.

For more details visit https://cis-india.org/internet-governance/blog/cis-comments-and-recommendations-to-human-dna-profiling-bill-2015

CIS Comments and Recommendations on the Data Protection Bill, 2021

Pallavi Bedi and Shweta Mohandas — 2022-02-14T16:07:44Z

This document is a revised version of the comments we provided on the 2019 Bill on 20 February 2020, with updates based on the amendments in the 2021 Bill.

After nearly two years of deliberations and a few changes in its composition, the Joint Parliamentary Committee (JPC), on 17 December 2021, submitted its report on the Personal Data Protection Bill, 2019 (2019 Bill). The report also contains a new version of the law titled the Data Protection Bill, 2021 (2021 Bill). Although there were no major revisions from the previous version other than the inclusion of all data under the ambit of the bill, some provisions were amended.

This document is a revised version of the comments we provided on the 2019 Bill on 20 February 2020, with updates based on the amendments in the 2021 Bill. Through this document we aim to shed light on the issues that we highlighted in our previous comments that have not yet been addressed, along with additional comments on sections that have become more relevant since the pandemic began. In several instances our previous comments have either not been addressed or only partially been addressed; in such instances, we reiterate them.

These general comments should be read in conjunction with our previous recommendations for the reader to get a comprehensive overview of what has changed from the previous version and what has remained the same. This document can also be read while referencing the new Data Protection Bill 2021 and the JPC’s report to understand some of the significant provisions of the bill.

Read on to access the comments | Review and editing by Arindrajit Basu. Copy editing: The Clean Copy; Shared under Creative Commons Attribution 4.0 International license

For more details visit https://cis-india.org/internet-governance/blog/pallavi-bedi-and-shweta-mohandas-cis-comments-on-data-protection-bill

CIS Comment on ICANN's Draft FY20 Operating Plan and Budget

akriti — 2019-02-12T23:44:46Z

At the Centre for Internet and Society, we are grateful for the opportunity to provide our comments on the proposed draft of ICANN’s FY20 Operating Plan and Budget along with their Five-Year Operating Plan Update. As part of the public comment process, ICANN provided a list of documents which can be found here that included their highlights of the budget, the total draft budget for FY20, an operating plan segregated by portfolios, amongst others.

The following are our comments on relevant aspects from the different documents:

There are several significant undertakings which have not found adequate support in this budget, chief among them being the implementation of the ICANN Workstream 2 recommendations on Accountability. The budget accounts for any expenses that arise from WS2 as emanating from its contingency fund which is a mere 4%. Totalling more than 100 recommendations across 8 sub groups, execution of these would require significant expenditure. Ideally, this should have been budgeted for in the FY20 budget considering the final report was submitted in June, 2018 and conversations about its implementation have been carried out ever since. It is wondered if this is because the second Workstream does not have the effectuation of its recommendations in its mandate and hence it is easier for ICANN to be slow on it.^[1] As a member of the community deeply interested in integrating human rights better in ICANN’s various processes, it is concerning to note the glacial pace of the approval of the aforementioned recommendations especially coupled with the lack of funds allocated to it. Further, there is 1 one person assigned to work on the WS2 implementation work which seems insufficient for the magnitude of work involved.^[2]

A topical issue with ICANN currently is its tussle with the implementation of the General Data Protection Regulation (GDPR) and despite the prominence and extent of the legal burden involved, resources to complying with it have not been allocated. Again, it is within the umbrella of the contingency budget.

The Cross Community Working Group on New gTLD Auction Proceeds is also, presently, developing recommendations on how to distribute the proceeds. It is unclear where these will be funded from since their work is funded by the core ICANN budget yet it is assumed that the recommendations will be funded by the auction proceeds. Almost 7 years after the new gTLD round was open, it is alarming that ICANN has not formulated a plan for the proceeds and are still debating the merits of the entity which would resolve this question, as recently as the last ICANN meeting in October, 2018.

Another important policy development process being undertaken right now is the Working Group who is reviewing the current new gTLD policies to improve the process by proposing changes or new policies. There are no resources in the FY20 budget to implement the changes that will arise from this but only those to support the Working Group activities.

Lastly, the budgets lack information on how much each individual RIR contributes.

Staff costs

ICANN’s internal costs on their personnel have been rising for years and slated to account for more than half their annual budget with an estimated 56% or $76.3 million in the next financial year. The community has been consistent in calling upon them to revise their staff costs with many questioning if the growth in staff is justified.^{^[3]} There was criticism from all quarters such as the GNSO Council who stated that it is “not convinced that the proposed budget funds the policy work it needs to do over the coming year”.^{^[4]} The excessive use of professional service consultants has come under fire too.

As pointed out in a mailing list, in comments on the FY19 budget, every single constituency and stakeholder group remarked that personnel costs presented too high a burden on the budget. One of the suggestions presented by the NCSG was to relocate positions from from the LA headquarters to less expensive countries such as those in Asia. This can be seen from the high increase this budget of $200,000 in operational costs though no clear breakdown of that entails was given.

The view seems to be that ICANN repeatedly chooses to retain higher salaries while reducing funding for the community. This is even more of an issue since there employment remuneration scheme is opaque. In a DIDP I filed enquiring about the average salary across designations, gender, regions and the frequency of bonuses, the response was either to refer to their earlier documents which do not have concrete information or that the relevant documents were not in their possession.^{^[5]}

ICANN Fellowship

The budget of the fellowship has been reduced which is an important initiative to involve individuals in ICANN who cannot afford the cost of flying to the global ICANN meetings. The focus should be not only be on arriving at a suitable figure for the funding but also to ensure that people who either actively contribute or are likely to are supported as opposed to individuals who are already known in this circle.

Again, our attempts at understanding the Fellowship selection were met with resistance from ICANN. In a DIDP filed regarding it with questions such as if anyone had received it more than the maximum limit of thrice and details on the selection criteria, no clarity was provided.^{^[6]}

Lobbying and Sponsorship

At ICANN 63 in Barcelona, I enquired about ICANN’s sponsorship strategies and how the decision making is done with respect to which all events in each region to sponsor and for a comprehensive list of all sponsorship ICANN undertakes and receives. I was told such a document would be published soon but in the 4 months since then, none can be found. It is difficult to comment on the budget for such a team where there is not much information on the work it specifically carries out and the impact of such sponsoring activities. When questioned to someone on their team, I was told that it depends on the needs of each region and events that are significant in such regions. However without public accountability and transparency about these, sponsorship can be seen as a vague heading which could be better spent on community initiatives.

Talking of Transparency, it has also been pointed out that the Information Transparency Initiative has 3 million dollars set aside for its activities in this budget. It sounds positive yet with no deliverables to show in the past 2 years, it is difficult to ascertain the value of the investment in this initiative.

Lobbying activities do not find any mention in the budget and neither do the nature of sponsorship from other entities in terms of whether it is travel and accommodation of personnel or any other kind of institutional sponsorship.

^{^[1]} https://cis-india.org/internet-governance/blog/icann-work-stream-2-recommendations-on-accountability

^{^[2]} https://www.icann.org/en/system/files/files/proposed-opplan-fy20-17dec18-en.pdf

^{^[3]} http://domainincite.com/22680-community-calls-on-icann-to-cut-staff-spending

^{^[4]} Ibid

^{^[5]}https://cis-india.org/internet-governance/blog/didp-request-30-enquiry-about-the-employee-pay-structure-at-icann

^{^[6]} https://cis-india.org/internet-governance/blog/didp-31-on-icanns-fellowship-program

For more details visit https://cis-india.org/internet-governance/blog/akriti-bopanna-february-8-2019-comment-on-icann-draft-fy-20-operating-plan-and-budget

CIS anniversary

praskrishna — 2013-05-06T07:28:07Z

The Centre for Internet and Society will celebrate five years of its existence with an exhibition showcasing its works and accomplishments.

This was published in Hindu Business Line on May 5, 2013

The exhibition will be held concurrently at both Bangalore and Delhi offices from May 20 to 24, 2013, said a press release.

“To promote transparency, we're getting the general public to be our auditors by throwing open our account books and contracts which show how we have spent the Rs 8.3 crore received from our donors.”

The exhibition will also see artists like Kiran Subbaiah, Tara Kelton, Navin Thomas, Abhishek Hazra, among others exhibiting their works, as well as lectures.

For more details visit https://cis-india.org/news/the-hindu-business-line-may-5-2013-cis-anniversary

CIS and International Coalition Calls upon Governments to Protect Privacy

elonnai — 2013-09-25T07:21:09Z

The Centre for Internet and Society (CIS) along with the International Coalition has called upon governments across the globe to protect privacy.

On September 20 in Geneva, CIS joined a huge international coalition in calling upon countries across the globe, including India to assess whether national surveillance laws and activities are in line with their international human rights obligations.

The Centre for Internet and Society has endorsed a set of international principles against unchecked surveillance. The 13 Principles set out for the first time an evaluative framework for assessing surveillance practices in the context of international human rights obligations.

A group of civil society organizations officially presented the 13 Principles this past Friday in Geneva at a side event attended by Navi Pillay, the United Nations High Commissioner for Human Rights and the United Nations Special Rapporteur on Freedom of Expression and Opinion, Frank LaRue, during the 24th session of the Human Rights Council. The side event was hosted by the Permanent Missions of Austria, Germany, Liechtenstein, Norway, Switzerland and Hungary.

Elonnai Hickok, Programme Manager at the Centre for Internet and Society has noted that "the 13 Principles are an important first step towards informing governments, corporates, and individuals across jurisdictions, including India, about needed safeguards for surveillance practices and related policies to ensure that they are necessary and proportionate."

Navi Pillay, the United Nations High Commissioner for Human Rights, speaking at the Human Rights Council stated in her opening statement on September 9:

"Laws and policies must be adopted to address the potential for dramatic intrusion on individuals’ privacy which have been made possible by modern communications technology."

Navi Pillay, the United Nations High Commissioner for Human Rights, speaking at the event, said that:

"technological advancements have been powerful tools for democracy by giving access to all to participate in society, but increasing use of data mining by intelligence agencies blurs lines between legitimate surveillance and arbitrary mass surveillance."

Frank La Rue, the United Nations Special Rapporteur on Freedom of Expression and Opinion made clear the case for a direct relationship between state surveillance, privacy and freedom of expression in this latest report to the Human Rights Council:

"The right to privacy is often understood as an essential requirement for the realization of the right to freedom of expression. Undue interference with individuals’ privacy can both directly and indirectly limit the free development and exchange of ideas. … An infringement upon one right can be both the cause and consequence of an infringement upon the other."

Speaking at the event, the UN Special Rapporteur remarked that:

"previously surveillance was carried out on targeted basis but the Internet has changed the context by providing the possibility for carrying out mass surveillance. This is the danger."

Representatives of the Centre for Internet and Society, Privacy International, the Electronic Frontier Foundation,Access,Human Rights Watch,Reporters Without Borders, Association for Progressive Communications, and theCenter for Democracy and Technology all are taking part in the event.

Find out more about the Principles at https://NecessaryandProportionate.org

Contacts

NGOs currently in Geneva for the 24^th Human Rights Council:

Access
Fabiola Carrion: fabiola@accessnow.org

Association for Progressive Communication
Shawna Finnegan: shawna@apc.org

Center for Democracy and Technology
Matthew Shears: mshears@cdt.org

Electronic Frontier Foundation
Katitza Rodriguez: katitza@eff.org - @txitua

Human Rights Watch
Cynthia Wong: wongc@hrw.org

Privacy International
Carly Nyst: carly@privacy.org

Reporters Without Borders
Lucie Morillon: lucie.morillon@rsf.org
Hélène Sackstein: helsack@gmail.com

Signatories

Argentina
Ramiro Alvarez: rugarte@adc.org.ar
Asociación por los Derechos Civiles

Argentina
Beatriz Busaniche: bea@vialibre.org.ar
Fundación Via Libre

Colombia
Carolina Botero: carobotero@gmail.com
Fundación Karisma

Egypt
Ahmed Ezzat: ahmed.ezzat@afteegypt.org
Afteegypt

Honduras
Hedme Sierra-Castro: hedme.sc@gmail.com
ACI-Participa

India
Elonnai Hickok: elonnai@cis-india.org
Center for Internet and Society

Korea
Prof. Park: kyungsinpark@korea.ac.kr
Open Net Korea

Macedonia
Bardhyl Jashari: info@metamorphosis.org.mk
Metamorphosis Foundation for Internet and Society

Mauritania, Senegal, Tanzania
Abadacar Diop: jonction_jonction@yahoo.fr
Jonction

Portugal
Andreia Martins: andreia@coolpolitics.pt
ASSOCIAÇÃO COOLPOLITICS

Peru
Miguel Morachimo: morachimo@gmail.com
Hiperderecho

Russia
Andrei Soldatov: soldatov@agentura.ru
Agentura.ru

Serbia
Djordje Krivokapic: krivokapic@gmail.com
SHARE Foundation

Western Balkans
Valentina Pellizer: valentina.pellizzer@oneworldsee.org
Oneworldsee

Brasil
Marcelo Saldanha: instituto@bemestarbrasil.org.br
IBEBrasil

For more details visit https://cis-india.org/internet-governance/blog/cis-and-international-coalition-calls-upon-governments-to-protect-privacy

CII Digital India Summit

praskrishna — 2015-05-02T03:56:58Z

The Digital India Summit was organized at the Taj Mahal Hotel and Pragati Maidan in New Delhi on April 21 and 24, 2015. Pranesh Prakash participated in it.

Day 1 - 21 April 2015: Taj Mahal Hotel, New Delhi

Programme

0900 - 1000 hrs	Registration
1000 - 1030 hrs	Inaugural Session
1000 - 1015 hrs	Opening Remarks	Mr Kiran Karnik Chairman CII National Mission on Digital India
1015 - 1030 hrs	Setting the Context, Goals	Mr Bhaskar Pramanik Chairman CII National Committee on IT & ITes & Chairman Microsoft India Private Limited
1030 - 1100 hrs	Tea Break
1100 - 1315 hrs	Breakout Sessions
Group 1 1100 - 1315 hrs	Tackling Structural Issues and Developing Business Models for Digital India
Moderated by	Mr Sanjeev Gupta, Joint Secretary - IT, Department of Agriculture & Cooperation, Ministry of Agriculture Mr Kiran Karnik, Chairman, CII National Mission on Digital India
According to a DeitY estimate INR 100,000 cr. is needed just for funding the existing schemes. The achievement of the vision will need finance, expertise & intent from the private as well as the government. Given the different credo & objective for each sector, the need will be to build effective, collaborative & sustainable business models which provide a return on their investment while harnessing their strengths. Some of the key questions which will need to be answered are : · What is the role of public-private partnerships towards overcoming each of these five challenges? · How can we coordinate multi-stakeholder discussions and stimulate a collaborative approach towards shared goals of Digital India? · What are the sustainable business models that guarantee significant commercial (business feasibility) and social returns (such as inclusive growth, rural skill-building and employment generation)?
Group 2 1100 - 1315 hrs	Overcoming India's Last Mile Challenge-Creating Access through Network Reach, Innovative Business Models and Affordable Data-Enabled Devices/Internet plans
Moderated by	Ms Aruna Sundararajan, Additional Secretary & Administrator (USOF) and Chairman-cum- Managing Director, BBNL
Given India's size & demographics providing digital reach to the people at the right price is one of the most piquant issues that we face. Bringing every citizen on the digital backbone will increase empowerment & inclusion. Reaching out to the 2.5 lakh villages as envisaged in the plan will require intent, innovation & investment. Some of the questions that we need to discuss are: · What are the roadblocks in increasing internet penetration in India? · What are the alternate technologies that may be used to offer cost-effective internet in rural areas? · What are the regulatory changes that need to be in place? · What are the prerequisites for creating practical business models? · How do we stimulate internet usage through affordable service delivery in rural India? · What can the government do to encourage such business models?
Group 3 1100 - 1315 hrs	Developing a Digital Workforce - Empowering the Current and Future Workforce through Digital Literacy
Moderated by	Mr Pramod Bhasin, Non-Executive Vice Chairman and former President and CEO, Genpact Mr Atul Bhatnagar , Chief Operating officer, National Skill Development Corporation*
India's success in the technology sector has been based on our strength in skilled workforce. There are significant challenges in creating similar program to help build out the Made in India campaign in the manufacturing sector. The key questions are: · How should we define Digital Literacy? What does this mean and how much is still left to be done. What should we target to achieve over the next 3, 5 and 10 years? · What are the most effective measures Govt can take to enhance digital literacy and what kind of PPPs can we build to really take this to a completely different level? What are the biggest roadblocks to achieving digital literacy and how do we overcome these? · What is the role schools, colleges and vocational institutions, skills training providers can play in this area? How can that role be made much more effective and impact many more people? · How can digital literacy empower the unorganised sectors and entrepreneurship across India--in areas that are not touched by it normally--agriculture, farmers, construction, etc? How can this help bring a real revolution to these sectors which represent the majority of the work force? · How can digital literacy help create employability and access to jobs? How can it empower women and the hard to reach communities across India and bring them into the mainframe? · How can we use Digital literacy to substantially improve Governance and Transparency specially in public services and delivery of these across the population? · How can we use digital literacy to solve substantive problems such as Healthcare, Swatch Bharat, Build Smart Cities, increase Employability.
Group 4 1100 - 1315 hrs	Delivering Critical Services through a Universal, Verifiable Digital Identity
Moderated by	Mr Rajesh Bansal , Assistant Director General, UIDAI Mr Bhaskar Pramanik, Chairman, CII National Committee on IT and ITes and Chairman, Microsoft
The UID is already the largest program of its kind in the world. The real benefits will accrue when we build on this program to create add on programs which will harness what has been created and co-ordinate with financial, telecom & regulatory entities to create a collaborative model around direct benefit transfer and universal banking. Some of the key points that need to be discussed are: · What are the top 3 high-impact applications that would leverage the UID platform to offer critical services? · How can the govt. foster public and private sector innovation, and entrepreneurial creativity to foster UID-linked application to access services? · What is the potential for cross-sector collaboration and new business opportunities? For example, leveraging UID for enabling direct subsidies would require an effective partnership between financial services and energy sectors. What other avenues are worth exploring? · What is the action plan for different stakeholders and enablers? o Government and regulators o Corporates and institutions o Financial ecosystem partners o Telecom and IT companies o Individuals
1315 - 1415 hrs	Networking Lunch
1415 - 1435 hrs	Report back by Group 1
1435 - 1455 hrs	Report back by Group 2
1455 - 1515 hrs	Report back by Group 3
1515 - 1535 hrs	Report back by Group 4
1535 - 1550 hrs	Tea/ Coffee Break
1550 - 1700 hrs	Summing up and finalization of recommendation of each group by Mr Kiran Karnik

Day 2 - 24 April 2015: Hall No. 14, Pragati Maidan, New Delhi

1100 hrs	Inauguration of Digital Pavilion by Mr Ravi Shankar Prasad, Minister for Communications & Information Technology.
1130 - 1300 hrs	Panel Discussion on "Accelerating the Digital transition"
The Panel Discussion will focus on the imperatives required to ensure digitization across the value chain and what stakeholders must do to ensure that digitization supports sustainable growth. Outcomes from the discussions on Day 1 will be presented by each of the Session Chair to Hon'ble Minister
*"Release of the CII Compendium on cross company best practices / success stories on Digital India by Mr Ravi Shankar Prasad, Hon'ble Minister of Communications and Information Technology"*

For more details visit https://cis-india.org/internet-governance/news/cii-digital-india-summit