We are anonymous, we are legion

The Fundamental Right to Privacy - A Visual Guide

amber — 2018-02-16T05:31:37Z

Privacy is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. This visual guide to the story of privacy law in India and the recent judgement of the Puttaswamy v. Union of India case is developed by Amber Sinha (research and content) and Pooja Saxena (design and conceptualisation).

The Fundamental Right to Privacy - A Visual Guide: Download (PDF)

For more details visit https://cis-india.org/internet-governance/blog/the-fundamental-right-to-privacy-a-visual-guide

The freedom of expression debate: The State must mend fences with The Web

praskrishna — 2013-01-07T10:30:21Z

A fortnight after her arrest, Renu Srinivasan spends her free time singing Ashley Tisdale's number Suddenly. The lyrics - Suddenly people know my name, suddenly, everything has changed - resonate with the story of her life ever since she 'liked' and 'shared' her friend, Shaheen Dhada's, 21, controversial post regarding Shiv Sena chief Bal Thackeray's funeral on Facebook on November 18 and got arrested for it.

The article by Rahul Jayaram was published in India Today on December 18, 2012. Pranesh Prakash is quoted.

She's now flooded with "hundreds" of messages on FB; some congratulatory, others abusive and gets at least a dozen friend requests on the social networking site. When Renu went to the doctor last week, two constables accompanied her.

"All of a sudden, there's too much attention on me," says the Botany graduate from Dandekar College and a budding singer who is making new friends in the virtual world. There's, however, a word from caution from her father P.A. Srinivasan: "Don't comment on controversial issues you don't understand."

Bloggers are careful. Krish Ashok, a well-known blogger is disappointed with the government's lack of engagement with India's surging online community. In a blog post in August 2010, he made fun of the Ramayana and the fact that women couldn't enter the Sabarimala temple in Kerala. A group called Hindu Janajagruti Samiti threatened to take him to court. Ashok spoke to his lawyer.

"I was amazed. She said no individual could take action against me. But a group or organisation could," he says. Since then, he has become more aware of his Internet rights.

Gursimran Khamba, who has over 30,000 followers on Twitter, kept his cool during Thackeray's death and funeral. When all the media went gaga over him, televising his family photo albums, Khamba, re-tweeted reports and accounts of the Shiv Sena's role during the Mumbai riots of 1992-93. "In my head, I am not courageous to say anything about it myself," he says. He didn't want to incite. He'd rather help his followers get a more nuanced picture of a venerated leader.

Palghar and after, has made Ashok think. "I would reduce the number of provocative posts I might make," he says. Khamba says he will stick to comedy and doesn't believe in offence for the sake of offending although "taking offence is our national sport."

It is a shame, for the Internet is growing in India like nobody's business. It's the medium of the age.

According to comScore, a company that measures Internet trends, India is the fastest growing online market in the last 12 months among BRIC nations. There were 44.5 million unique visitors in July 2011 and in July 2012 there were 62.6 million unique visitors. That is, a growth of 44 per cent in one year. The total Internet usage of 124.7 million users in July 2012, that is, a 41 per cent growth from last year (July 2011).

With 124 million users as of July 2012, India has an Internet penetration of 10 per cent. 75 per cent of India's online users are below the age of 35 making it one of the youngest Net-connected populations. 39.3 per cent of India's Internet population consists of females. It has the highest growth seen among 15 to 24 male and female segments. India has 56.2 million Facebook users and 4.1 million Twitter users. Facebook had 35.3 million users in July 2011 and it jumped to 52.1 million in July 2012. That's a growth of 47% in just one year!

Growth of the Internet is one thing. Freedom of the Internet is another. Freedom House, an American organisation that tracks political and civil liberties worldwide, is blunt in its assessment. India is third in terms of Internet penetration, after the United States and China. Before November 2008, government control over the Internet was limited. All that changed after the November 2008 Mumbai attacks.

Since then it says, "The need, desire, and ability of the Indian government to monitor, censor, and control the communication sector have grown. Given the range of security threats facing the country, many Indians feel that the government should be allowed to monitor personal communications such as telephone calls, email messages, and financial transactions. It is in this context that Parliament passed amendments to the Information Technology Act (ITA) in 2008, expanding censorship and monitoring capabilities. This trend continued in 2011 with the adoption of regulations increasing surveillance in cyber cafes. Meanwhile, the government and non-state actors have intensified pressure on intermediaries, including social media applications, to remove upon request a wide range of content vaguely defined as "offensive" and potentially pre-screen user-generated content. Despite new comprehensive data protection regulations adopted in 2011, the legal framework and oversight surrounding surveillance and interception remains weak, and several instances of abuse have emerged in recent years."

Over this year we have had the cases of cartoonist Aseem Trivedi being put in jail and later released in September. In April, Ambikesh Mahaptra of Jadavpur University in Kolkata was arrested for a cartoon poking fun at West Bengal chief minister Mamta Banerjee and Railway Minister Mukul Roy. In October, Ravi, owner of plastic packaging material factory was arrested and let off on bail for joking about Finance Minister P. Chidambaram's son, Karti. The list gets longer. The Web and the State are at loggerheads. Why?

Lawyers and bloggers haul up Internet laws. And for such a community, we have laws like Section 66 (A) of the Information Technology Act of 2000. The law states that "any person who sends by means of a computer resource or a communication device, any information that is grossly offensive or has menacing character," can be booked for online crime.

Legal experts think Section 66 (A) and the whole of the IT Act of 2000, needs revisiting. According to cyber lawyer Pavan Duggal, Section 66 (A) "is a vanilla provision that can be used for anything online."

Section 66(A) seeks to empower the police and the complainant. "The words 'grossly offensive' and 'menacing character' of Section 66 (A) have no definition given. Normal, legitimate bona fide conversation between boyfriend and girlfriend at noble times online is fine. Once relationship sours, and they are gone."

"It's not clear what the purpose of Section 66A is. It's like having a single provision covering murder, assault, intimidation, and nuisance, and prescribing the same penalty for all of them," says Pranesh Prakash of the Center for Internet and Society, Bangalore. Terminology and the law's purpose are massive concerns.

"The extent of the ambiguity of Section 66A is worrying. Laws need to be very clear about what they want to achieve. If it is murder, then it must say murder. If its attempted murder, it must be clear it is attempted murder. Section 66 A is trying to do too many things at the same time. Its canvas is too vast," says Rajeev Chandrasekar.

As a country, we look to imitate the West, and often copy it badly. Some wonder if we need to mime the West. Pranesh Prakash thinks the Indian Constitution is stronger on free speech grounds than the (unwritten) UK Constitution, and the judiciary has wide powers of judicial review of statutes (i.e., the ability of a court to strike down a law passed by Parliament as 'unconstitutional').

Judicial review of statutes does not exist in the UK (with review under its EU obligations being the exception) as they believe that Parliament is supreme, unlike India. Putting those two aspects together, a law that is valid in the UK might well be unconstitutional in India for failing to fall within the eight octagonal walls of the reasonable restrictions allowed under Article 19(2).

Rajeev Chandrasekar thinks the Brits got it right. During the London riots of June 2011, "the UK government kept a tab on social media networking sites so as to check incitement, he says. It was a good example of clear legislation and effective execution, in an extreme scenario." To defuse online paranoia he wants the government to have a multi-stakeholder arrangement in fixing IT laws. This must involve users, IT companies, cyber cafe owners and the government. The State must mend fences with the Web.

For more details visit https://cis-india.org/news/india-today-rahul-jayaram-december-18-2012-the-freedom-of-expression-debate

The Four Parts of Privacy in India

bhairav — 2015-08-23T13:04:50Z

Privacy enjoys an abundance of meanings. It is claimed in diverse situations every day by everyone against other people, society and the state.

Traditionally traced to classical liberalism’s public/private divide, there are now several theoretical conceptions of privacy that collaborate and sometimes contend. Indian privacy law is evolving in response to four types of privacy claims: against the press, against state surveillance, for decisional autonomy, and in relation to personal information. The Indian Supreme Court has selectively borrowed competing foreign privacy norms, primarily American, to create an unconvincing pastiche of privacy law in India. These developments are undermined by a lack of theoretical clarity and the continuing tension between individual freedoms and communitarian values.

This was published in Economic & Political Weekly, 50(22), 30 May 2015. Download the full article here.

For more details visit https://cis-india.org/internet-governance/blog/economic-and-political-weekly-bhairav-acharya-may-30-2015-four-parts-of-privacy-in-india

The Forbes India 30 Under 30 List

praskrishna — 2014-02-21T07:59:41Z

Showcasing an enterprising new generation that dreams big and refuses to say die.

This article by Abhilasha Khaitan appeared in the Forbes India magazine of 21 February, 2014. Pranesh Prakash features in the list.

To borrow from Ayn Rand, ‘the question for this generation isn’t who is going to let them but who is going to stop them’. As a torchbearer of individualism, Rand would have approved of the first-ever Forbes India 30 Under 30 list. Sort of. The rider: This isn’t just a celebration of capitalism and profit; it is also in recognition of social value. Do-gooders, geeks, greens, musicians, sportspersons, creative-types and biz kids: The net was thrown wide to catch the best and the brightest.

As the names on the previous page will tell you, it was a worthwhile effort.

It was also an education. Generalisations, it appears, do not apply to the youth. Consider India’s reputation as nerd-land and a skew in favour of techpreneurs and IT geniuses would be expected. But while brilliant professionals dot the landscape, only a few seem to have translated an original thought into a viable, disruptive business proposition. Pallav Nadhani of FusionCharts, Rahul Yadav of Housing.com and Nischal Shetty of JustUnfollow , for instance, score high on both originality and utility.

If there is a slant, it is towards verticals that best suit the lone ranger: Sports, entertainment, the arts. Even there, though, we tried to separate the clichéd from the uncharted and zeroed in on Sushant Singh Rajput and Rajkummar Rao; and Suhail Yusuf Khan and Aathira Krishna; and Rahul Dravid’s purported successor Cheteshwar Pujara.

Plot this list on a heat map and the social entrepreneurship and policy dots would glow red too. Sectors with the potential for real change are drawing them in hordes. There is Rwitwika Bhattacharya who figured out the best way to get political leaders to perform is by helping them do it; Shashank Kumar who is committed to empowering farmers. Even those with different skill sets—design, in this case—are not oblivious: So a communication designer, Aditi Gupta, tries to create awareness about menstruation, a taboo subject.

Then some are in it for the happiness quotient: Pooja Dhingra for her macarons and Shivan and Narresh for their bikini sari.

This might be a good point to ask: Where is Virat Kohli? Deepika Padukone? Any sub-30 list should lead with those names. Here’s the thing: They don’t even make our consideration set. The reason is in the purpose behind this search: Forbes India was looking for a spark, for a story that is still waiting to be told and, for the most part, only starting to unfold.

To that end, individuals who are already forces in their fields—household names—will feature on another day, on another list.

As for those who are part of this list of possibility, it really is a question of who is going to stop them.

30 Under 30 list

Art & Culture
Suhail Yusuf Khan, 26
Sarangi Player / Vocalist

Aathira Krishna, 25
Carnatic Violinist

Design
Moneet Chitroda, 28
Sr Designer - Interiors, Renault Techno Centre

Aditi Gupta, 29
Co-Founder, Menstrupedia.com

Lokesh Karekar, 29
Visual Artist & Director, Locopopo

Alok Shetty, 27
Principal Architect & Founder, Bhumiputra Architecture

E-Commerce
Rahul Yadav, 24
Co-founder & CEO, Housing.com

Bhavish Aggarwal, 28
Co-Founder and CEO, Olacabs

Entertainment
Sushant Singh Rajput, 27
Actor

Rajkummar Rao, 29
Actor

Kishan SS, 18
Actor / Director

Fashion
Shivan Bhatiya & Narresh Kukreja, 29, 28
Swimwear Designers

Finance
Raghu Kumar, 28
Co-Founder, RKSV

Manju Bhatia, 27
Joint MD, Vasuli Recovery

Food & hospitality
Pooja Dhingra, 27
Founder-Chef, Le15 Patisserie

Greentech & sustainability
Abhishek Humbad, 27
Founder, NextGen PMS

Healthcare
Kabir Chadha, 27
Founder & CEO, Epoch Elder Care

Law, policy & Politics
Rwitwika Bhattacharya, 27
Founder, Swaniti Initiative

Pranesh Prakash, 28
Policy Director, Centre for Internet and Society

Apar Gupta, 29
Partner, Advani & Co.

NGOs & Social Entrepreneurship
Shashank Kumar, 28
Co-Founder, Farms n Farmers

Tarique Mohammad Quereshi, 29
Founder, Koshish

Anoj Viswanathan, 26
Co-Founder & President, Milaap

Kuldeep Dantewadia, 25
CEO & Co-Founder, Reap Benefit

Social Media / Mobile / Digital
Nischal Shetty, 28
Founder, JustUnfollow

Sports
Deepika Kumari, 19
Archer

Cheteshwar Pujara, 26
Cricketer

Gaganjeet Bhullar, 25
Golfer

Technology
Pallav Nadhani, 29
Co-Founder & CEO, FusionCharts

Paras Chopra, 26
Founder, Wingify

Methodology

Will we find 30 under-30s? That was the question that troubled when we started work on this project. The numbers are easy enough to add up but the list had to be representative, relevant and, well, not half-baked.

It was never going to be exhaustive. We knew that. The landscape was too vast, the information too sparse and spread out. But limited though it may be in geographical scope, the rigour in research—and the depth in young talent—has produced quality that satisfies the parameters we had set at the beginning. These are: Trigger: The extent of achievement and his/her impact in a short span of time and the level of disruption/innovation that has been shown; Scope: Scalability of his/her business or line of work; Sustainability: Signs of being a flash in the pan or is there enough indication of a long-run play?

The research took on two legs: One, interviews by Forbes India staffers with sources across relevant categories as well as through studies of databases and media coverage. Two, an online application on forbesindia.com inviting applications from entrepreneurs/professionals who felt they qualified. This helped us arrive at a long list which went up to over 300 names across the 14 categories. (Even this number went through an initial vetting.)

The next step was narrowing down to a ‘short long’ list—the names most likely to make it to the top 30. This pool of 75 names was decided in consultation with experts and observers—and this was the toughest leg. Consider that we had entered the ‘first among equals’ phase where separating the final 30 from the other contenders was, really, a judgment call.

But armed with expert views, the Forbes India editorial team debated, argued and vetoed for hours to finalise the 30 individuals you will read about here. There are those outside the list that couldn’t be left out. They find mention too.

For more details visit https://cis-india.org/news/forbes-india-abhilasha-khaitan-feb-7-2014-india-under-30-list

The flaw in cyber law

praskrishna — 2012-11-30T09:06:25Z

Legal experts and netizens want the controversial clause in the IT Act to be scrapped after two Mumbai girls were arrested for a post on Facebook.

This article by S Ronendra Singh was published in the Hindu BusinessLine on November 29, 2012. Sunil Abraham and Snehashish Ghosh are quoted.

Shaheen Dhada, 21, and her friend Rini Srinivas would never have imagined that they could land in jail because of a Facebook post. The two girls were arrested in Palghar following a complaint from local Shiv Sena workers against Shaheen's post on Facebook, where she questioned the need for a 'bandh' being observed in Mumbai on the death of the Sena supremo Bal Thackery.

While the two girls’ experience was traumatic, the action by the police has given fodder to activists and cyber experts to raise the clamour for scrapping section 66A of the IT Act, which they term as being draconian.

The Palghar incident is not an isolated event. Recently, Ravi Srinivasan, a 45-year-old supplier of plastic parts to telecom companies and a volunteer with India Against Corruption got into trouble with police after he tweeted about alleged corruption charges against Karti Chidambram, son of Finance Minister P Chidambaram.

There was a common factor in all these cases - arbitrary use of the Section 66 (A) of the Information Technology Act, 2000. The only mistake that most of these so-called offenders had committed was publishing their views online.

So, should we consider the law draconian now?

Assess Ambiguity

According to Snehashish Ghosh, Policy Associate at Centre for Internet and Society (Bangalore-based organisation looking at multidisciplinary research and advocacy in the field of Internet and society), the main reason for such inconsistent application of the law can be found in the history of the provision.

He said the language used in Section 66A of the IT Act, 2000 has been borrowed from Section 127 of the UK Communication Act, 2003 and the Malicious Communications Act, 1988.

“These two particular provisions are applicable in cases where the communication is directed to a particular person. Section 1 of the Malicious Prosecution Act begins with the, “any person who sends to another person” and hence it is clear that the provision does not include any post or electronic communication which is broadcasted to the world and deals with only one-to-one communication,” said Ghosh.

Section 127 only deals with “improper use of public electronic communications network”. It was meant to prevent misuse of public communication services. Therefore, social media Web sites do not fall under its ambit. However, the Section 66(A) in its current form fails to define any specific category, which has led to inconsistent and arbitrary use of the provision, said Ghosh.

One of the principles of interpretation of statute is that of absurdity. It states that when there are two interpretation of the law - where one renders it absurd and arbitrary, while the other puts it within the constitutional limits - then the latter interpretation is adopted.

“In the case of 66(A), interpreting it to include any form of communication transmitted using computer resource or communication device renders it to be absurd and arbitrary. Therefore, it should be interpreted and made applicable only to communication between two parties,” he opined.

According to Pavan Duggal, cyber law expert and advocate at Supreme Court of India, primarily section 66(A) is for protecting reputation and preventing misuse of its own.

“It is so vast – what is annoyance and inconvenience – gives a tremendous handle in the hands of the complainant and the police to target anyone. Further, if you send any information through email or SMS, which aims to mislead the addressee about such mail or message is a crime. All this suddenly opens a Pandora box of offences,” he said.

“So, when you look at case of Mamta Banerjee or latest case of those two girls getting arrested in Mumbai, it shows that Section 66(A) becomes an effective tool in the hands of ingenious complainants to gag free speech. And, that is why there is so much noise,” Duggal said.

To Use, Not Abuse

Sighting the recent case of the two girls from Mumbai, he said the law was abused and all they need to do is just exploit – whether clicking a ‘Like’ button on Facebook could involve Section 66(A) – and this case is setting a precedence that ‘liking’ a comment can be an offensive of Section 66(A).

“When you click a ‘Like’ button, you do not send any information that is defined under Section 66(A). You only send information of ‘liking’ that information or message,” he said.

However, it has become a code of misuse in its own sense. Parameters given there in the Act are extremely wide and can be interpreted.

“It has only one good thing – it makes the offence bailable, which means bail as a matter of right. But, once you get stuck under Section 66(A), along with that invites a long period of mental agony and trauma because the trial will take five-six years and you will have to undergo the trial,” he added.

So does it mean the Government should scrap or completely abolish this Section from the IT Act, 2000 or should the people of India file a petition against this Section?

Sunil Abraham, Executive Director, Centre for Internet and Society says there are laws specifically dealing with cyber stalking and communications and therefore, there we do not need an additional law.

“Either scrap or retain narrow parameters, which could be made defamatory. Otherwise, more such cases would be seen in future under this section. It has not done anything significant and has an impact on basic free online speech to public,” says Duggal.

A better approach would be to strike down the provision and include separate well defined anti-stalking and anti-spamming provision, said Ghosh of Centre for Internet and Society.

However, Mahesh Uppal, Director, ComFirst India (consultancy firm on regulatory issues) said it would be premature, in these circumstances, for any litigation against this Section.

“The issue is serious. However, this is as much to do with policing in general as it is to do with Section 66(A) which needs an amendment and clarification to remove any scope for abuse,” he said.

But, is the Government ready for any change?

Minister of Communications and IT, Kapil Sibal recently said, “Just because some people do not follow it properly, we cannot entirely scrap the law. Can we do away with penal code? We cannot.”

So, does that mean we, as citizens, have to consult legal notes before posting a message online or sending an SMS? And, even if we do, are all laws, sections and under-sections comprehendible by the common man? If not, how big a risk are we, and the person who ‘Likes’ what we say is taking?

The answers to these questions determine the future of freedom of speech.

For more details visit https://cis-india.org/news/the-hindu-businessline-november-29-2012-the-flaw-in-cyber-law

The Five Monkeys & Ice-cold Water

sunil — 2012-10-30T10:43:38Z

The Indian government provides leadership, both domestically and internationally, when it comes to access to knowledge.

This article by Sunil Abraham was published in Deccan Chronicle on September 16, 2012.

Our domestic patent policy ensures that generic medicines are available and largely affordable not only within India but also in Africa and elsewhere. It also allows Indians to consume a wide range of technological innovations without worrying about legal bans that are an otherwise common feature in the developed countries, thanks to phenomena such as the ongoing mobile phone patent wars.

Copyright policy, including the last amendment of the copyright act, has ensured that fair dealing and the rights of students, researchers, disabled, etc., are protected. Texts, audio and video for education and entertainment are relatively affordable, especially in comparison to other countries in the Asia-Pacific.

Even at the World Intellectual Property Organisation, other developing countries look to India for guidance. The interventions of the copyright registrar G.R. Raghavender and the Indian team won praise during the most recent round of negotiations for the Treaty for the Visually Impaired. An excellent example of India's soft power protecting public interest at home and abroad.

In diametrical contrast, India has a terrible track record when it comes to freedom of expression, especially expression mediated by networked technologies such as telecommunications and the Internet.

Our policy-makers seem determined to extinguish the privacy of communications and also anonymous/pseudonymous speech through such devices as Know Your Customer (KYC) and data retention requirements for accessing the Internet through cyber-cafes, mobile phones, dial-up or broadband, ban on open wi-fi networks, plans to tie together Aadhaar and NATGRID and Central Monitoring System (CMS) to track a citizen using his/her UID across devices, networks and intermediaries, and requiring real-time interception equipment to be installed at all network and data centres.

All these without any horizontal privacy law or a data protection law that is compliant with international best practices. Security hawks argue that this pervasive, multi-tiered surveillance regime helps thwart criminal and terrorist attacks, but its poor design extracts a terrible price in terms of freedom of expression.

Citizens who cannot express themselves anonymously and privately begin to censor themselves, seriously undermining our democracy, which is most importantly founded on an anonymous expression, the electoral ballot.

In addition, in April 2011, rules under the amended IT Act were notified for intermediaries that have a chilling effect on free speech via unclear and unconstitutional limits on freedom of expression, encouragement of private censorship without any notice to those impacted, missing procedure for redress, and lack of penalties for those who abuse the rules to target legitimate speech. This was followed by calls for proactive censorship of social media, which caused much outrage amongst the twitterati.

Even when the government had legitimate grounds (the recent exodus of North-East Indians) to censor free speech, it overreached and acted incompetently, cracking down on parody accounts on social media rather than carefully configuring the text message ban. As if that weren't enough, the government beats up a cartoonist and jails him for sedition.

There’s a plan behind such attacks on free speech. The powerful in India, with their fragile egos, can afford expensive lawyers who can ensure that for those who dare to speak their mind, “the process is the punishment”, as Lawrence Liang of the Alternative Law Forum put it. Needless to say, cartoonists and others that dare to speak their mind cannot usually afford the time and expense of courts.

An experiment featuring monkeys, bananas and ice-cold water, commonly attributed to the late American psychologist Harry Harlow, explains what’s being attempted by those who attack free speech. First, five monkeys are put in a cage with bananas hanging from the top that can be reached by climbing a ladder. Every time one of the monkeys try to climb the ladder, ice-cold water is thrown on all of them. Soon, the monkeys learn not to climb the ladder.

Then, one of them is replaced with a monkey that has never been drenched with ice-cold water. When the new monkey tries to climb the ladder, the other four monkeys attack it and prevent it from reaching the banana. This is continued till all the original monkeys are replaced with new ones.

When that’s done, although none of the monkeys left in the cage has ever been drenched with ice-cold water, they continue to enforce the regulation on themselves. This is what has happened in China. This is what is being attempted here – to social engineer the Indian netizen.

For more details visit https://cis-india.org/internet-governance/www-deccan-chronicle-sep-16-2012-sunil-abraham-the-five-monkeys-and-ice-cold-water

The Fintech Disruption - Innovation, Regulation, and Transformation

praskrishna — 2017-03-29T02:10:49Z

Sumandro Chattapadhyay attended an event organized by Carnegie India on March 28, 2017. The aim of the initiative was that inclusive and sustainable regulations require constant interaction between policy makers and industry.

Select senior level policymakers, leaders from the banking industry and dynamic start-up founders and innovators gathered for the meet-up. The intention is to follow up on the discussions and debates from the round-table and come out with a detailed report on Fintech Regulations based on the research and conversations with start-ups and other valuable stakeholders.

See the conference agenda

For more details visit https://cis-india.org/internet-governance/news/the-fintech-disruption-innovation-regulation-and-transformation

The Evolving Cyber Threat and How to Address It

praskrishna — 2013-11-18T10:49:15Z

Larry Clinton, the President and Chief Executive Officer of the Internet Security Alliance will give a talk on cyber threat and how to address the same. The talk will be held at the office of the Centre for Internet and Society in Bangalore on November 22, 2.30 p.m. to 3.30 p.m.

The talk will broadly cover the following:

Using Public-Private Partnerships to Enhance Cyber Security
Ongoing Threat of Cyber-attacks Must be Fought on Both a Technical and Economic Basis
Targeted Education's Critical Role in Cyber security
Combating the Persistent Cyber Security Threat in the Manufacturing Industry / Cyber Security Threats to the Supply Chain
Economics of Cyber Security

Larry Clinton

Larry Clinton is the President and Chief Executive Officer of the Internet Security Alliance (ISA). ISA is a multi-sector trade association with membership from virtually every one of the designated critical industry sectors. The mission of the ISA is to combine advanced technology with economics and public policy to create a sustainable system of cyber security.

Mr. Clinton is regularly called upon to testify before both the U.S. House and Senate. In 2008, ISA published its Cyber Security “Social Contract,” which is both the first and last source cited in the Executive Summary of President Obama’s “Cyberspace Policy Review” (click here for report). This report also cited more than a dozen of ISA’s white papers – far more than any other source. Recently, these ISA documents were also the inspiration for many of the recommendations in the House Republican Cyber Security Task Force Report (click here for report).

Mr. Clinton is known for his ability to take the complicated issues in this space and explain them clearly to a wide range of audiences: professional, policy makers and the general public. He has been featured in mass media such as USA Today, the PBS News Hour, the Morning Show on CBS, Fox News, CNN’s Situation Room, C-SPAN, and CNBC. He has also authored numerous professional journal articles on cyber security. This year he has published articles in the Cutter IT Journal, the Journal of Strategic Security and the Journal of Software Technology (click here for a full list of articles and other ISA news appearances).

The ISA’s pro-market, incentives-based approach to cyber security, rather than regulation, is outlined in its numerous publications, including the ISA Cyber Security Social Contract and Financial Management of Cyber Security series, which were written by the ISA Board of Directors and edited by Mr. Clinton (click here for the full list of ISA Publications).

For more details visit https://cis-india.org/internet-governance/events/evolving-cyber-threat-and-how-to-address-it

The EU and Free Flows of Data - Data Protection, Trade and Law Enforcement

praskrishna — 2016-12-22T16:01:52Z

Amelia Andersdotter, Cofounder of Dataskydd.net, Distinguished Fellow, Centre for Internet and Society and former Member of the European Parliament gave a talk on December 14, 2016 at the Department of European Studies in Manipal.

Download the brochure

For more details visit https://cis-india.org/internet-governance/news/the-eu-and-free-flows-of-data-data-protection-trade-and-law-enforcement

The Embodiment of the Right to Privacy within Domestic Legislation

tanvi — 2014-09-08T02:37:39Z

The Right to Privacy is a pivotal construct, essential to the actualization of justice, fairness and equity within any democratic society. It is an instrument used to secure the boundaries of an individual’s personal space, in his interaction with not only the rest of society but also the State.

It is within this realm of the social transaction that there exists an unending conflict between the Right to Privacy of an individual and the overbearing hand of the State as a facilitator of public interest. This right thus acts as a safety valve providing individuals with a sacred space within which their interactions in their personal capacity have no bearing on their conduct in the public sphere. The preservation of this space is incredibly important in order to ensure a willingness of individuals to engage and cooperate with the State in its fulfillment of public welfare measures that would otherwise be deemed as intrusive. It is in this regard that the Right to Privacy, one of the last sustaining rights that an individual holds against a larger State interest, ought to be protected by the law.

There are numerous dimensions to the idea of the Right to Privacy. These include but are not limited to the privacy of person, privacy of communication, personal privacy, transactional privacy, privacy of information and the privacy of personal data.

The Supreme Court of India has come to the rescue of individuals, time and again by construing "Right to Privacy" as an extension of the Fundamental Right to “Protection of Life and Personal liberty” under Article 21 of the Constitution. This has been reflected in the adjudicatory jurisprudence of the Constitutional courts in the country. However, there exists no Constitutional remedy to redress the breach of privacy by a nongovernmental actor, except under tortuous liability. The power and authority of public and private institutions to use an individual’s personal data for larger interests of national security or effectuation of socio-economic policies is still under extensive scrutiny. It is in this regard that we have compiled a number of sectoral legislations, regulating domains ranging from Finance and Telecom to Healthcare, Freedom of Expression, Consumer rights and Procedural codes. The highlighted provisions under each Act pertain to the mechanisms embodied within the legislation for the regulation of privacy within their respective sectors. Through this we aim to determine the threshold for permissible collection of confidential data and regulatory surveillance, provided a sufficient need for the same has been established. The determination of such a threshold is imperative to formulating a consistent and effective regime of privacy protection in India.

Click to download the below resources:

Legislations
Master Circulars
Finance and Privacy
Code of Civil Procedure and Code of Criminal Procedure
Freedom of Expression
Identity and Privacy
National Security and Privacy
Consumer Protection
Transparency and Privacy
Healthcare
Telecom

Case Laws
Code of Civil Procedure and Code of Criminal Procedure
Freedom of Expression
Identity and Privacy
National Security and Privacy
Consumer Protection
Transparency and Privacy
Healthcare
Telecom

For more details visit https://cis-india.org/internet-governance/blog/the-embodiment-of-right-to-privacy-within-domestic-legislation

The Draft Electronic Delivery of Services Bill, 2011 – Comments by CIS

praskrishna — 2011-08-02T07:37:37Z

The Draft Electronic Delivery of Services Bill, 2011 (“Bill”) is a Bill to provide for delivery of government services manadatorily through electronic means by phasing out manual delivery of services. It is heartening to note that the Bill shifts the approach to electronic delivery of services by Government agencies to one as part of the citizens' right to service delivery through electronic means rather than a luxury or benefit doled out by the Government. The Bill introduces bodies exclusively accountable for ensuring that electronic delivery of services by the Government at the state and central levels. While this is a welcome move on the part of the Government there are a few comments we, at the Centre for Internet and Society, have on the present version of the Bill:

Accessibility
The Bill does not make it mandatory for all Government services to be accessible to all including persons with disabilities. The Bill refers to the term “access”, as defined in Section 2(1)(a) from the prespective of merely gaining physical access to the services or availability of such services1 rather than from the perspective of catering to the ability of a person with print (or other) disbilities from gaining access to the services in the normal format. It is very important that the electronic services are delivered in a format which is accessible to all persons including persons with disbilities, elderly persons etc. It should be mandatory for the Government to comply with Web Content Accessibility Guidelines (WCAG) and National Informatics Centre (NIC) guidelines for web accessibility. It is also important to ensure accessibility of all documents produced during service delivery by Government agencies.
Linguistic Accessibility
Section 5(2)(b) of the Bill requires the Government to prescribe a framework for all its agencies to ensure web presence or enablement which refers to rendering electronic services in the language chosen by the user. In pursuance of the same, it is important for delivery of services to be available in all national languages of India to begin with in addition to the content being encoded in Unicode font for all languages. It is important to note that there are not many open fonts available for Indian languages. Hence, it must be ensured that the Government allocates sufficient funds to ensure linguistic accessbility of the services delivered, while ensuring implementation of the provisions of the Bill.
Public Scrutiny
In order to ensure transparency of Government services and process of service delivery, it is essential that the Bill incorporates a provision to enable citizens to gain access to information provided by the Government as part of the service delivery process unless disclosing such information would amount to violation of any applicable law. Similarly, provision should be made for making public all RTI applications filed with the Government and responses to them.
Use of Free and Open Source Software
Considering that electronic service delivery by Government agencies is effected through public money, it is important that Governments are urged to use Free and Open Source Software (FOSS) for service delivery. This cuts costs to a great extent and also make the process more transparent and capable of customisation to varied needs of different departments. It is important to insert a provision requiring the Government to use FOSS as far as possible and in the event of any use of proprietary software, the Government should clearly explain the reason for such use, the costs incurred for the same, the additional benefit derived out of its use and other relevant details.
Open Standards
The Bill must stress on use of open standards for all computer resources and service delivery systems by Government agencies. As is the case with FOSS, such use brings down operation costs drastically and makes the service delivery process transparent and available for all to use. Use of ODF formats for documents, HTML for websites, ISA standards for hardware is recommended. It is also useful to ensure compliance with W3C guidelines by the concerned Government departments during implementation of the Bill.
Whistleblower Exception
The Bill does not contain any safeguards to ensure free and fearless disclosure of any wilful violation of the law impacting larger public interest. It is important to include a provision protecting any person exposing any violation of the provisions of the Bill or blowing the cover off any scam or farudulent activity decieving the public committed by service providers under the Bill. Such protection can be given by ensuring that the actions of such whistleblower, to the extent required for the exposure, does not constitute an offence under the provisions of the Bill.
Penalties for Offences
- Chapter 4 of the Bill gives a detailed list of acts constituting an offence under the Act including Section 15 which specifically relates to offences by companies. It is critical to ensure that the punishment and penalities for offences extend not only to citizens and companies but also to Government officials who misuse information they are privy to under the provisions of the Bill. In fact, a separate provision specifically applicable to the various offences which could be committed by Government officials under the Bill can reduce misuse of its provisions by the Government.
- It is to be noted that several provisions listed under Chapter 4 of the Bill covering offences and penalties are a reproduction of the provisions for the same under the Information Technology Act, 2000 (“IT Act”). Such reprodution is unnecessary and acts which are already deemed to be offences and have punishments prescribed for them under the IT Act (or any other legislation for the time being in force in India) need not be covered again in the Bill. This will avoid duplication and confusion in the legislations.
- Section 19(1) of the Bill provides that no alleged offence under the Bill can be tried in a court of law unless the Central Electronic Delivery of Services Commissioner (“Central Commissioner”) or the State Electronic Delivery of Services Commissioner (“State Commissioner”) authorises the same by issuing a complaint in this regard to the relevant court. This provision directly conflicts with a citizen's constitutional right to seek legal redress since it takes away his freedom to approach a court of law for redressal of his grievance without the permission of the Commissioners. It is recommended that the provision be either deleted or suitably modify so that it is not in violation of this constitutional right.
Bottoms up Approach
A decentralised approach should be adopted along the lines of the Panchayati Raj system giving the citizen a greater say in the framework and implementation of service delivery by Government agencies. Implementation can be at the Panchayat and District levels apart from State levels. Citizens must be able to access and update their information. Furthermore, they should be able to define to a certain extent, access control to their information. This will automatically make them eligible or ineligible for various government services.
Charges for service delivery
Section 4 of the Bill authorises the Government to allow service providers to collect charges for electronic service delivery while Section 3(2) provides for the Government to regulate the manner and method of payment of such charges. It is critical to ensure that such charges levied under the provisions of the Bill do not exceed the charges levied by the Government agency for manual delivery of services. Charges for manual service delivery may include charges for photocopy, printing, paper, postage etc., all of which are totally eliminated during service delivery through electronic means. Thus, levying the same charges, let alone greater charges for electronic service delivery is totally unnecessary and places an additional burden on the citizen ultimately defeating the very purpose of the Bill.
Security in payment of charges
Section 3(2) of the Bill provides for the Government to regulate the manner and method of payment of charges for delivery of services.It is important that each transaction that takes place is done securely and without the exposure of an individuals confidential details. There are many ways to structure the transaction of payment of fees to achieve this goal. We reccommend that the SCOSTA smart card structure is used for completing and processing a transaction.
Data Security and Privacy
Section 5(1)(e) of the Bill requires the Government to ensure integrity, security and confidentiality of data collected, preserved and retained. We recommend that in addition to this, the Government also ensures integrity, security and confidentiality of data or information that is transferred, accessed or deleted. We also recommend that the Bill requires the Government to prescribe a framework under Section 5(2) for agency privacy policies to ensure that they are interoperable and consistent between different departments of the Government.
Functions of the Central Commissioner
Section 8 of the Bill grants the Central Commissioner the power to perform any or all of the functions listed in the provision including Section 8(f) which refers to the power of the State Commissioner in conducting the work of the State Government agencies. A Central Government authority may not have a say in all matters under the purview of the State Governments. This aspect has been left out for consideration while drafting this provision and hence it needs to be relooked at.
Cut-off Date for Implementation
While the Bill mandates a cut off period of 180 days for the Government to finalise on the scope, framework and manner of service delivery under its provisions, it states that the Government “may” prescribe a framework for implementation of the provisions. It is recommended, for the purpose of ensuring speedy implementation of the provisions, that the term “may” in Section 5(2) be replaced by “shall”.
Transparency of Government Agencies
Transparency and accountability of the Government towards the citizen is as important as the transparency of the citizen towards the Government. Therefore, the provisions of the Bill must ensure that the Government activities are transparent to the citizens by making available to the citizens, details of the responsible officials under the Bill, manner of service delivery and other relevant information in this regard.

For more details visit https://cis-india.org/internet-governance/blog/draft-electronic-delivery-services

The DNA Profiling Bill: Developing Best Practices

praskrishna — 2012-09-17T05:54:30Z

On the 27th of September 2012 the Centre for Internet & Society invites the public to a meeting and talk with international experts Helen Wallace from GeneWatch UK, and Jeremy Gruber from the Council for Responsible Genetics from the United States. The meeting will take place from 9.00 a.m. to 1.00 p.m. at the India International Centre, Lodhi Road, New Delhi in Conference Room No. 2.

The public meeting and talk will focus on the proposed DNA Profiling Bill pending in Parliament and explore best practices concerning the collection, storage, and retention of DNA samples and best practices concerning the analysis of DNA samples and use of DNA samples as evidence in courts. Case studies from the US and the UK will be explored to understand what India can do better from the experiences of other countries.

Dr Helen Wallace

Dr Helen Wallace is Director of GeneWatch UK, a not-for-profit organisation which aims to engage members of the public in ensuring that genetic science and technologies are used in the public interest. She is the author of numerous articles and book chapters on the social and ethical issues raised by DNA databases and is widely quoted in the UK press. Helen provided expert evidence to the applicants in the case of S. and Marper v. the UK at the European Court of Human Rights, in which the Court ruled unanimously that the indefinite retention of innocent people's DNA database records was in breach of the European Convention on Human Rights. She has supplied both oral and written evidence on this issue to numerous parliamentary committees including the Scottish Parliament’s Justice Committee and the UK Science and Technology, Home Affairs and Constitutional Committees, as well as the scrutiny committee for the Protection of Freedoms Act 2012. This new Act requires the removal of about a million innocent people's records from the UK National DNA Database and the destruction of all stored biological samples.

Jeremy Gruber

Jeremy Gruber is the JD, President and Executive Director of Council for Responsible Genetics. Jeremy joined CRG in March 2009. Previously he served as the legal director of the National Workrights Institute, a human rights organization dedicated to the rights of American workers. Prior to that he served as the field director for the ACLU’s National Taskforce on Civil Liberties in the Workplace. Jeremy has worked for over a decade on genetic non-discrimination legislation at the state and Federal level. He helped author and pass numerous state laws on genetic non-discrimination. Jeremy is a founder and executive committee member of the Coalition for Genetic Fairness, a group of 500 organizations that advocated for genetic non-discrimination legislation on Capitol Hill and played a major role in the recently passed Genetic Information Non-Discrimination Act (GINA) by Congress. He worked closely with members of Congress and staff on GINA language as well as strategy and support. He is a prolific writer on privacy issues and is often consulted by state legislatures. He is regularly featured in print, radio and television. Jeremy holds a Juris Doctor (J.D.) from St. John’s University School of Law and a B.A. in Politics from Brandeis University.

Forensic DNA: A Human Rights Challenge

The above video was originally posted in YouTube

Click on the links below to download the files:

For more details visit https://cis-india.org/internet-governance/the-dna-profiling-bill-developing-best-practices

The DNA Profiling Bill 2007 and Privacy

elonnai — 2012-03-21T09:40:56Z

In 2007 a bill known as the Draft DNA Profiling Bill was piloted by the Centre for DNA Fingerprinting and Diagnostics, an autonomous organization funded by the Department of Biotechnology, Ministry of Science and Technology, Government of India. The below is a background to DNA collection/analysis in India, and a critique of the Bill a from a privacy perspective.

Introduction

In 2007 a bill known as the Draft DNA Profiling Bill was piloted by the Centre for DNA Fingerprinting and Diagnostics, an autonomous organization funded by the Department of Biotechnology, Ministry of Science and Technology, Government of India[1]. The Bill is pending in parliament. The DNA Profiling Bill looks to legalize the collection and analysis of DNA samples for forensic purposes. We believe that it is important that collection of DNA has associated legislation and regulation, because DNA is sensitive physical evidence that if used correctly can benefit the public good, but if misused can lead to serious privacy and human rights violations. Therefore it is important to create a balance between the constitutional rights of an individual and the public interest and bring accountability and transparency to the practice of DNA collection and testing.

In our research we consulted with GeneWatch UK to learn from their work and experience with DNA testing in the UK. This briefing is meant to give a background on the logistics of DNA testing, highlight ways in which DNA testing raises privacy concerns, and provide a critique of the DNA Profiling Bill.

Background Facts about DNA and DNA testing:

What is DNA: DNA is material that determines a persons hereditary traits such as hair color, eye color, body structure etc. Most DNA is located in the cell nucleus, and wrapped up in small structures called chromosomes. Every person inherits 50% of genetic material from their mother and 50% from their father. Genetic disorders are caused by mutations in a person's DNA, and comparing DNA within families can reveal paternity and non-paternity. DNA is found in every cell of our bodies, and each person has a unique strand of DNA [2]. Thus, DNA is seen as a useful form of identification with marginal room for error [3].

What is a DNA profile/ DNA database, and how can it be used/misused:

When DNA samples are taken from individuals they are analyzed in laboratories to produce a digitized representation of numbers known as a DNA profile. Once created, a DNA profile is stored on a DNA database (i.e. an electronic database) with other identifying information from the individual and information from the crime scene. A DNA profile is based on parts of a person's DNA, so it is not unique to an individual. The probability of an individual's DNA profile matching a stranger's by chance is very small, but not impossible. To collect a sample of DNA police normally use a mouth swab to scrape cells from inside the suspect's cheek. If the individual refuses, their DNA can be obtained by pulling some hairs out of their head (cut hair does not contain DNA, it is only in the roots), if the law allows DNA to be taken without consent. DNA samples are also collected from crime scenes, for example from a blood stain, and analyzed in the same way. DNA samples are sometimes stored indefinitely in the laboratory with a bar code number (or other information) that allows them to be linked back to the individual [3]. Stored DNA profiles from crime scenes can be helpful to exonerate an innocent person who is falsely accused of a crime if their DNA does not match a crime scene DNA profile that is thought to have come from the perpetrator. However, stored DNA profiles from individuals are not needed for exoneration because the individual's DNA can always be tested directly (it does not need to be stored on a database). Collecting DNA profiles from individuals can be useful during an investigation, to compare with a crime scene DNA profile and either exonerate an individual or confirm they are a suspect for the crime. Corroborating evidence is always needed because of the possibility of false matches (which can occur by chance or due to laboratory errors) and because there may be an innocent explanation for an individual's DNA being at a crime scene, or their DNA could have been planted there. Storing DNA profiles from individuals on a database is only useful to implicate those individuals in possible future crimes, not to exonerate innocent people, or to solve past crimes. An individual is implicated as a possible suspect for a crime if their stored DNA profile matches a new crime scene DNA profile that is loaded on to the database. For this reason, most countries only store DNA profiles from individuals who have committed serious crimes and may be at risk of re-offending in the future. Stored DNA profiles could in theory be used to track any individual on the database or to identify their relatives, so strict safeguards are needed to prevent misuse [4].

DNA testing in India:

At present, India does not have a national law that empowers the government to collect and store DNA profiles of convicts, but DNA collection and testing and is taking place in many states. For instance, in Pune the army is currently considering creating DNA profiles of troops who are involved in hazardous tasks inorder to help identify bodies mutilated beyond recognition [5]. In December of this year a judge in the Supreme Court ordered DNA testing on a congress spokesmen to determine if his child was really his child [6]. Also in December this year a news article announced the establishment of the first DNA profiling databank in Nehru Nagar [7]. Additionally DNA has been used to identify criminals , for instance in the Tandoor Murder DNA testing was used to reveal the identity of the culprit [8].

India hosts both private and public DNA labs. Public labs are sponsored by the Government, and use DNA purely for forensic purposes. For example The Centre for DNA Fingerprinting and Diagnostics (CDFD) located in Hyderabad is sponsored by the Department of Biotechnology and Ministry of Science. CDFD runs DNA testing for: establishment of parentage, identification of mutilated remains, establishment of biological relationships for immigration, organ transplantation, property inheritance cases, identification of missing children and child swapping in hospitals, identification of rapist in rape cases, identification in the case of murder.

Cases are only accepted by CDFD if they are referred by law enforcement agencies or by a court of law. Only an officer of the rank Inspector of Police or above may forward DNA cases to CDFD. Copies of DNA report are released to individuals if they are able to prove needed interest in the case through a notarized affidavit [9]. In 2010 CDFD received 100 cases from law enforcing agencies. Additionally, in 2010 CDFD was given rupees eighteen lakhs thirty nine thousand five hundred and forty five from the Government of India towards DNA fingerprinting services [10]. The Indian Government has also established National Facilities for Training in DNA Profiling in order to train individuals in DNA testing and expand the number of DNA examiners and laboratories available in the country [11].

Examples of private DNA labs include DNA labs India and Truth Labs. DNA labs India runs paternity testing, forensic testing, prenatal testing, and genetic testing [12]. Truth Labs is a private lab that provides legal services directly, without a court or police order [13].

The Complexity of privacy and DNA collection/ testing:
As mentioned above, the personal and sensitive nature of DNA, the use of DNA raises many privacy concerns. The concerns fall into three basic areas: first, if a person has given consent to have his or her DNA used for a specific purpose, must the DNA be destroyed or can it be used for other purposes as well? Related to that, if a person must give consent for a specific purpose, what happens if the person is no longer able to give consent -- if, for example, the person has died? Finally, if the testing of one person's DNA yields information that is likely, or probable, or certain to impact another person, does that person have a right to know the information discovered? There are variations on these questions -- as for example does DNA is permitted to be taken without consent (to test for a crime, perhaps), does that lack of need for consent permit all uses of DNA that others want. Who decides? The complexity of these questions demonstrates that in the situation of DNA collection and testing privacy cannot be protected simply through consent from an individual. Instead the law must permit specific thresholds to be established in order to cover the privacy needs of different situations.

Can DNA evidence be considered self-incriminating evidence?
According to the Supreme Court fingerprinting and other physical evidence is not covered by article 20(3). In the case of State of Bombay v. Kathi Kalu Oghad, the courts answered the question of whether or not the freedom against self-incrimination guaranteed under article 20(3) of the Constitution of India – which is meant to protect a person from torture from the police – can be extended to the collection of DNA? the courts answered this question by upholding that
“To be a witness may be equivalent to ‘furnishing evidence’ in the sense of making oral or written statement, but not in the larger sense of the expression so as to include giving of thumb impression or impression of palm or foot or fingers or specimen writing or exposing a part of the body by an accused person for purposes of identification [14]”

Critique of the DNA Profiling Bill 2007

Does India already have sufficient legislation?
The collection and use of biometrics for identification of criminals legally began in India during the 1920's with the approval of the Identification of Prisoners Bill 1920 [15]. The object of the Bill is to “provide legal authority for the taking of measurements of finger impression, foot-prints, and photographs of persons convicted or arrested…”[16] The Bill is still enforced in India, and in October 2010 was amended by the State Government of Tamil Nadu to include “blood samples” as a type of forensic evidence [17]. Other Indian legislation pertaining to forensic evidence is the CrPC and the Indian Evidence Act. In 2005 section 53A of the CrPC was amended to authorize investigating officers to collect DNA samples with the help of a registered medical practitioner, but the Indian Evidence Act fails to manage science and technology issues effectively [18]. The current state of statutes for DNA collection in India are not sufficient as the neglect to lay out precise procedures for collection, processing, storage, and dissemination of DNA samples. One question to consider though is if the Prisoners Identification Bill, CrPC, and Indian Evidence Act could be amended to incorporate DNA, and the needed safeguards, as a type of forensic evidence for all of India.

Lack of requirement for additional evidence: The preamble of the DNA Profiling Bill states that “The Deoxyribose Nucleic Acid (DNA) analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead without any Doubt.” This statement is untrue as DNA test can be compromised under many circumstances including: techniques for declaring a match, the proficiency of examiners, laboratory control standards and statistical problems, and DNA samples can become degraded due to age or exposure to chemical or bacterial agents [19]. Because DNA is not foolproof individuals can be falsely implicated in a crime as a result of an incorrect DNA match. The Bill needs to put in place procedures for the court to recognize the fact that DNA is not 100% foolproof, present the statistics correctly, and require supporting evidence [20].

Scope for DNA Collection: The stated object of the DNA Bill is to: “enhance protection of people and administration of justice, analysis of DNA found at the crime scene, establish identity of victim and offender”. The list of offenses and situations in which the collection and testing of DNA is permitted, found in the Schedule of the Bill, provides for the collection DNA from individuals who are not related to a crime scene, are not victims, and are not criminals. Furthermore, section 13(xxii) allows this list to be expanded by the DNA board. We believe these sections should be omitted from the scope of the Bill, so that it is limited to only identifying individuals who are victims and offenders, and that a statutory body besides the DNA board be given the authority to expand the list of proposed offences [21]. Furthermore, within the Bill there are many places where vague language permits the DNA testing of individuals who are not yet convicted of a crime, which will constitute an invasion of privacy unless the DNA is provided voluntarily to release a person suspected or accused of a crime [22]. Additionally as mentioned above it is critical that the Bill recognizes and allows for different thresholds of privacy when collecting, analyzing and sharing DNA profiles.

Clear definition of when collection of DNA samples can be taken: The schedule of the Bill only lists the offenses and situations for which the collection of DNA is permitted. We believe a provision must be added that clarify when exactly DNA can be collected e.g. whether the DNA can be collected on arrest or on charge, whether the DNA has to be relevant to the offence, or whether the police decide this for themselves, and what are the oversight mechanisms for these decisions [23].

Privacy Principles: The Bill enables the DNA Profiling Board to recommend privacy protection statutes, regulations, and practices concerning: use and dissemination, accuracy, security, and confidentiality, and destruction of DNA information [24]. Privacy principles should not be left to recommendations by the board or to regulations of the Bill, but instead should be incorporated into the Bill itself to ensure that such practices are in place if the Bill is passed. Furthermore, the appropriate collection, access, and retention of DNA information should be specified in this Bill.

Obligations for DNA laboratories: Section 19 of the Bill lays out the obligations of DNA laboratories [25]. We recommend that the implementation of a privacy policy should be mandatory under this section.

Storage of DNA profiles and samples: Currently the Bill allows for the complete storage of DNA of: volunteers, suspects, victims, offenders, children (with parental consent), and convicted persons. DNA samples taken from individuals contain unlimited genetic information (including health-related information) and are not needed for identification purposes once the profiles have been obtained from them, thus we recommend that the bill requires that DNA samples be stored temporarily for quality assurance purposes (e.g. for up to six months) and then destroyed to prevent misuse. This is an important privacy protection, which also reduces the cost of storing samples. The only purpose of retaining DNA profiles on a criminal database is to help identify the individual if they reoffend. Thus we recommend that the criminal databases should be restricted to holding DNA profiles only from convicted persons, and the types of offence and time period for retention should be limited. Although DNA profiles may have alternative uses other than solving crimes (e.g. identifying missing persons) we recommend that the missing persons databases are kept separate from criminal databases. Furthermore, although collecting DNA from victims and volunteers may be useful during the investigation of a crime, DNA profiles obtained from victims and volunteers should be destroyed once an investigation is complete.

Conflicting Clauses: Section 14 of the Bill provides that DNA laboratories can only undertake DNA procedures with the approval, in writing, from the DNA profiling Board. Section 15(2) contradicts this statement by permitting already existing DNA laboratories to function and use DNA already collected even before they receive approval from the DNA profiling Board. We suggest that Section 14 is clearly written so that DNA laboratories that have already been set up are unable to continue functioning until they have met the approval of the DNA Profiling Board, and Section 15(2) should thus be deleted.

Access: According to section 41 of the Bill, the Data Bank Manager is given sole discretion as to who may have access to the DNA database, including persons given access for training purposes [26]. Low standards such as these vest too much discretion in the Data Bank Manager. We recommend that access is strictly limited to trained personnel who have undergone proper security clearance. Furthermore, we recommend that the role of Data Bank Manager be analogous to a custodian for the databank. Thus, the manager would be accountable for the integrity and security of the data held in the DNA databank.

Offenses: Though the Bill provides for penalties such as unauthorized access, disclosure, destruction, alterations, and tampering [27], the Bill fails to provide punishment for the illegal collection of DNA samples. This should be made an offense under the Bill.

Redress: The Bill provides no redress mechanism to an individual whose DNA was illegally used or collected. Furthermore, section 49 (1) only permits the Central Government or DNA Profiling Board to bring complaints to the courts [28]. Thus, we recommend that individuals are enabled to bring charges against entities (such as DNA labs or police officials) for the misuse of their data.

Delegation of powers: The Bill allows the DNA Profiling Board to form committees of the members and delegate them the powers and functions of the board. This clause could allow outsourcing, and could allow a dilution of authority by which the DNA Profiling Board weighs approval or rejection of requests [29]. We recommend that the outsourcing of functions be limited to administration duties and jobs that do not directly relate to the core duties of the DNA Profiling Board.

Access by law enforcement agencies: The Bill currently allows for the DNA Profiling Board to grant law enforcement agencies access to DNA profiles [30]. We recommend that DNA profiles are only accessed by the Data Bank Manager. Law enforcement agencies should send requests for matches to the Data Bank Manager, and the Manger would provide the needed intelligence [31].

Public interest: The Bill allows for DNA laboratories to continue to operate, even if the laboratory has violated the specified procedures, if the DNA Profiling Board finds it in the public interest [32]. We believe that where there have been violations, a laboratory should be required to demonstrate remediation before being allowed to resume operations.

Contamination of DNA samples: Currently the Bill holds laboratories responsible for “minimizing the contamination of DNA.”[33] DNA Laboratories should be held fully and legally responsible for preserving the quality of DNA samples. If a DNA sample is contaminated, and the DNA lab does not follow due diligence to discard the contaminated sample and or collect a new sample, and subsequently the DNA used wrongly against an individual - an individual should have the ability to press charges against the institution.

Audits: The Bill provides for the auditing of DNA laboratories, but the DNA Profiling Board must also undergo annual audits [34].

Indices Held by DNA Banks: Under section 33 (4),(5)The Bill provides for the DNA data bank to set up indices that hold DNA identification records and DNA analysis from: crime scenes, suspects, offenders, missing persons, unknown deceased persons, volunteers and such other indexes as specified by regulations. We believe the DNA data bank should not hold indexes on suspects, missing persons, or volunteers without consent and the ability for the individual to withdraw their consent. Furthermore, the Bill requires the taking of a victim’s DNA, but it is not listed as an index. We recommend that this section be deleted, as the creation of a DNA index is simply another copy of a DNA profile, and it does not serve a particular purpose.

Communicating of DNA Profile with Foreign States: Section 35 permits, with the approval of the Central Government, the sharing of DNA profiles with Foreign States [35]. We recommend that communication and use of a DNA profile with Foreign States should be limited to comparison only.

Access to Data Banks for administration purposes: Section 39 of the Bill permits access to the databank for “administrative purposes”. We recommend that the Bill clarify what exactly constitutes “administrative purposes”, and clarify that the process/procedures that permit access to data banks for administration purposes will not require access to data stored in Data Banks [36].

Enforcement for the removal of innocents: Section 36(3) of the Bill requires that the DNA profile of individuals who are found innocent be removed from the database. This provision should have legal mechanisms to ensure enforcement of the provision e.g. reporting by the Board [37].

Ability to access one’s own DNA Profile: A provision should be added to the Bill that gives individuals the right to ask the police for any of their own details held on police databases, so an individual has the ability to know if their data is being held against the law [38].

Clear Definition of identity: Section 33(6)(i) maintains that the DNA Data Bank will contain in relation to each of the DNA profiles… the “identity of the person”. The Bill needs to define what is "identity" and how “identifying” information can be used. Furthermore, it is important to ensure that no other information (like an identity number) that would allow for function creep, is included in the DNA data base[39].

Transparency of the DNA board: Section 13 of the Bill describes the powers and functions the DNA Board. In this section the DNA board should be required to publish and submit minutes and annual reports including detailed information on how it has exercised all its functions to the public and to Parliament. The report should include: numbers of profiles added to the database; numbers removed on acquittal, numbers of matches and solved crimes; costs; numbers of quality assurance inspections, and breakdowns of these figures by state [40].

Restricted use of DNA database: Section 39 (1) of the Bill permits the DNA database to be used for identification purposes that are not related to solving a crime including the “ identification of victims of: accidents, disasters or missing persons or for such other purposes”. The DNA database should be restricted to the identification of a perpetrator of a specified criminal offence, and consent or a court order must be sought for any other use of the database for identification purposes.

Probability of error published: Because profiles found in the DNA data base are comprised of only parts of individuals DNA, the profiles are not unique to individuals. Thus, the number of false matches that are expected to occur by chance between crime scene DNA profiles and stored individual's profiles depends on how the profiling system used, how complete the crime scene DNA is before it is added to the database (many crime scene DNA stains are degraded and not complete), and how many comparisons are done (i.e. how big the database it is and how often it is searched). With a population the size of India, the number of these false matches could be very high. The DNA board needs to take this probability for error into consideration and publish researched statistics on how many false matches they expect to occur purely by chance, based on the numbers of profiles they expect to store under the proposed criteria for entry and removal of profiles [41].

Cost analysis: The DNA board should publish a cost benefit analysis for the implementation the Bill. This should include the cost of storing samples, collecting sample, and testing samples [42].

Bibliography

http://www.cdfd.org.in/
http://ghr.nlm.nih.gov/handbook/basics/dna
Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 pg.6, 22
Ibid email conversation with Dr. Wallace from Genewatch UK April 2nd 2002
http://articles.timesofindia.indiatimes.com/2011-01-02/india/28371869_1_dna-data-bank-blood-samples-bodies
http://www.merinews.com/article/justice-s-rabindra-bhatt-orders-dna-test-for-nd-tiwari/15838508.shtml
http://www.dnaindia.com/mumbai/report_nehru-nagar-first-region-in-country-to-have-dna-profiling-database_1477211
Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007. Pg.263
http://www.cdfd.org.in/servicespages/dnafingerprinting.html
ibidhttp://www.cdfd.org.in/image/AR_2009_10.pdf
http://planningcommission.nic.in/plans/planrel/fiveyr/11th/11_v1/11v1_ch8.pdf
http://www.dnalabsindia.com/
http://www.truthlabs.org/
AIR 1961 SC 1808
The Prisoners Identification Bill was most recently amended 1981
http://lawcommissionofindia.nic.in/51-100/report87.pdf
http://www.tn.gov.in/stationeryprinting/extraordinary/2010/305-Ex-IV-2.pdf
Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 pg. 259
Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 pg. 245
Email conversation with Dr. Wallace from Genewatch UK. April 2nd
Schedule of offenses 5) Miscarriage or therapeutic abortion, b. Unnatural offenses, 7) Other criminal offenses b. Prostitution 9) Mass disaster b) Civil (purpose of civil cases) c. Identification purpose 10) b) Civil:1) Paternity dispute 2) Marital dispute 3) Infidelity 4) Affiliation c) Personal Identification 1) Living 2) Dead 3) Tissue Remains d)
2 (xxvii) “offender” means a person who has been convicted of or is under trial charged with a specified offense.
2(1)(vii) “crime scene index” means an index of DNA profiles derived from
forensic material found: (a) at any place (whether within or outside India) where a specified offense was, or is reasonably suspected of having been, committed;
or (b) on or within the body of the victim, or a person reasonably
suspected of being a victim, of an offense (DNA Profiling Bill)
Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 Pg. 291
Section (1) (xv) –(xvi) of DNA Profiling Bill
Section 19 of DNA Profiling Bill
Section 41(i) (ii) of DNA Profiling Bill
Section 45, and section 46 of DNA Profiling Bill
Section 49 (1) of DNA Profiling Bill
Section 52 (2) The DNA Profiling Board may, by a general or special order in writing,
also form committees of the members and delegate to them the powers
and of the Board as may be specified by the regulations.
Section 13(x), Section(2) The DNA Profiling Board may, by a general or special order in writing,also form committees of the members and delegate to them the powers and functions of the Board as may be specified by the regulations.
Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 Pg. 300
Section 17 (2) of DNA Profiling Bill
Section 22 of DNA Profiling Bill
Section 28 of DNA Profiling Bill
Section 35 (1) of DNA Profiling Bill
Section 39 of DNA Profiling Bill
http://www.genewatch.org/sub-539478
http://www.genewatch.org/sub-539478
http://www.genewatch.org/article.shtml?als[cid]=492860&als[itemid]=567376
Email conversation with Dr. Wallace from Gene Watch UK April 2nd
Standard setting and quality regulation in forensic science. GeneWatch UK submission to the Home Office Consultation.
October 2006.
Standard setting and quality regulation in forensic science. GeneWatch UK submission to the Home Office Consultation.
October 2006.

For more details visit https://cis-india.org/internet-governance/blog/privacy/dna-profiling-bill

The DNA Bill has a sequence of problems that need to be resolved

Shweta Mohandas and Elonnai Hickok — 2019-01-15T02:36:11Z

In its current form, it’s far from comprehensive and fails to adequately address privacy and security concerns.

The opinion piece was published by Newslaundry on January 14, 2019.

On January 9, Science and Technology Minister Harsh Vardhan introduced the DNA Technology (Use and Application) Regulation Bill, 2018, amidst opposition and questions about the Bill’s potential threat to privacy and the lack of security measures. The Bill aims to provide for the regulation of the use and application of DNA technology for certain criminal and civil purposes, such as identifying offenders, suspects, victims, undertrials, missing persons and unknown deceased persons. The Schedule of the Bill also lists civil matters where DNA profiling can be used. These include parental disputes, issues relating to immigration and emigration, and establishment of individual identity. The Bill does not cover the commercial or private use of DNA samples, such as private companies providing DNA testing services for conducting genetic tests or for verifying paternity.

The Bill has seen several iterations and revisions from when it was first introduced in 2007. However, after repeated expert consultations, the Bill even at its current stage is far from a comprehensive legislation. Experts have articulated concerns that the version of the Bill that was presented post the Puttaswamy judgement still fails to make provisions that fully uphold the privacy and dignity of the individual. The hurry to pass the Bill by pushing for it by extending the winter session and before the Personal Data Protection Bill is brought before Parliament is also worrying. The Bill was passed in the Lok Sabha with only one amendment: which changed the year of the Bill from 2018 to 2019.

Need for a better-drafted legislation

Although the Schedule of the Bill includes certain civil matters under its purview, some important provisions are silent on the procedure that is to be followed for these civil matters. For example, the Bill necessitates the consent of the individual for DNA profiling in criminal investigation and for identifying missing persons. However, the Bill is silent on the requirement for consent in all civil matters that have been brought under the scope of the Bill.

The omission of civil matters in the provisions of the Bill that are crucial for privacy is just one of the ways the Bill fails to ensure privacy safeguards. The civil matters listed in the Bill are highly sensitive (such as paternity/maternity, use of assisted reproductive technology, organ transplants, etc.) and can have a far-reaching impact on a number of sections of society. For example, the civil matters listed in the Bill affect women not just in the case of paternity disputes but in a number of matters concerning women including the Domestic Violence Act and the Prenatal Diagnostic Techniques Act. Other matters such as pedigree, immigration and emigration can disproportionately impact vulnerable groups and communities, raising raises concerns of discrimination and abuse.

Privacy and security concerns

Although the Bill makes provisions for written consent for the collection of bodily substances and intimate bodily substances, the Bill allows non-consensual collection for offences punishable by death or imprisonment for a term exceeding seven years. Another issue with respect to collection with consent is the absence of safeguards to ensure that consent is given freely, especially when under police custody. This issue was also highlighted by MP NK Premachandran when he emphasised that the Bill be sent to a Parliamentary Standing Committee.

Apart from the collection, the Bill fails to ensure the privacy and security of the samples. One such example of this failure is Section 35(b), which allows access to the information contained in the DNA Data Banks for the purpose of training. The use of these highly sensitive data—that carry the risk of contamination—for training poses risks to the privacy of the people who have deposited their DNA both with and without consent.

An earlier version of the Bill included a provision for the creation of a population statistics databank. Though this has been removed now, there is no guarantee that this provision will not make its way through regulation. This is a cause for concern as the Bill also covers certain civil cases including those relating to immigration and emigration.

Conclusion

In July 2018, the Justice Sri Krishna Committee released the draft Personal Data Protection Bill. The Bill was open for public consultation and is now likely to be introduced in Parliament in June. The PDP Bill, while defining “sensitive personal data”, provides an exhaustive list of data that can be considered sensitive, including biometric data, genetic data and health data. Under the Bill, sensitive personal data has heightened parameters for collection and processing, including clear, informed, and specific consent. Ideally, the DNA Bill should be passed after ensuring that it is in line with the PDP Bill.

The DNA Bill, once it becomes a law, will allow for law enforcement authorities to collect sensitive DNA data and database the same for forensic purposes without a number of key safeguards in place with respect to security and the rights of individuals. In 2016 alone, 29,75,711 crimes under various provisions the Indian Penal Code were reported. One can only guess the sheer number of DNA profiles and related information that will be collected from both criminal and specified civil cases. The Bill needs to be revised to reduce all ambiguity with respect to the civil cases, and also to ensure that it is in line with the data protection regime in India. A comprehensive privacy legislation should be enacted prior to the passing of this Bill.

There are still studies and cases that show that DNA testing can be fallible. The Indian government needs to ensure that there is proper sensitisation and training on the collection, storage and use of DNA profiles as well as the recognition and awareness of the fact that the DNA tests are not infallible amongst key stakeholders, including law enforcement and the judiciary.

For more details visit https://cis-india.org/internet-governance/blog/newslaundry-elonnai-hickok-and-shweta-mohandas-january-14-2019-dna-bill-has-a-sequence-of-problems-that-need-to-be-resolved

The Digital is Political

nishant — 2016-06-05T03:58:46Z

To speak of technology is to speak of human life and living.

The article was published in the Indian Express on March 20, 2016.

“You are supposed to write about the internet, why do you keep talking about all this politics?” I was taken aback when I was faced with this question. It is true – since the year has begun, I have talked about digital education and the ways in which it needs to account for unexpected and underserved communities, about net neutrality and why the Indian government needs to build a stronger, safer, and a more inclusive digital ecosystem. I have written about freedom of speech and expression and how this is going to be the year when we stand together to save the internet from vested interests that seek to convert it from a public commons into a private commodity.

In my head, all these questions — of inclusion, of access, of presence, of rights — are questions of human life and living, but they are also those that are being hugely restructured by the internet and digital technologies. When faced with the query, I was reminded of a deep-seated division that has been at the heart of digital cultures.

Way back in the ’90s, when the internet was still a space of science fiction and the World Wide Web was in its nascent stages, there was a distinction made between Virtual Reality (VR) and Real Life (RL). The presumption in the construction of these categories was that the digital is only an escape, the technological is merely a prosthesis, and the internet is just a thing that a few geeks engaged with in their free time. However, the last three decades have made this distinction between VR and RL redundant.

We live in digital times. The digital is not just something we use strategically and specifically to do a few tasks. Our very perception of who we are, how we connect to the world around us, and the ways in which we define our domains of life, labour, and language are hugely structured by the digital technologies. The digital is ubiquitous and hence, like air, invisible. We live within digital systems, we live with intimate gadgets, we interact through digital media, and even though we might all be equally digital natives, there is no denying the fact that the very presence and imagination of the digital has dramatically restructured our lives. The digital, far from being a tool, is a condition and context that defines the shapes and boundaries of our understanding of the self, the society, and the structures of governance.

The pervasive nature of the digital technologies and internet can be found at multiple levels. For instance, we do not think about going online anymore, because most of our devices are connected 24×7 to the digital web. Even when we are not online, sunk in a bad network connection, or protecting our precious data usage, we know that our avatars and digital identities are online and talking without us.

So established is this phenomenon that we even have a name for the anxiety it creates: FOMO — the Fear Of Missing Out. Similarly, the digital can be located at the level of human understanding. We are used to thinking of ourselves as digital systems. We talk about our primary identity as one marked by information overload. We often complain, when faced with too many demands on our time and space, that we don’t have enough bandwidth to deal with new problems, and we are not referring to digital connectivity.

The digital also has space at the level of policy and governance. If you, like the many millions of Indians, have registered for an Aadhaar card, you have already been marked by a digital identity whether or not you have broadband access. When our government launches Digital India campaigns, it is not merely about an economic model of growth, but it is suggesting that the digital is going to be at the foundations of the new India that we want to build for the future.

If the digital is so central to our fundamental understanding of the self, the society, and the state, then surely it is time to stop thinking that these technologies have nothing to do with politics? There remains a forced imagination of technologies as devices, as tools, as prostheses which do not have any other role than the performing of a function. However, this is a fallacy, because not only do technologies shape our sense of who we are, but they also prescribe new templates and models of who we are going to be. In the process, these technologies take political action, create social structures, mobilise cultural possibilities, and often, because they are technologies that are still elite and available to the privileged few in the country, they enable decisions which are not always fair, open, and just.

Hence, a technological decision cannot be read merely as a technical decisions but as human decisions. To speak of technology is to speak of human life and living. To write about technology is to write about politics, because a separation between the two is not only futile but downright dangerous.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-march-20-2016-nishant-shah-digital-is-political