We are anonymous, we are legion

Panel on Privacy, Surveillance & the UID in the post-Snowden era

praskrishna — 2013-11-26T19:05:54Z

The Centre for Internet and Society (CIS) and the Say No to UID campaign invite you to a discussion on the UID and on the implications of the world's largest biometric data collection scheme in a post-Snowden era. The panel will take place on November 30th at the Institution of Agricultural Technologists in Bangalore.

Probably one of the most important things that we learnt following the Edward Snowden revelations is that our data has value. In fact, what we learnt is that our data has immense value...since it is clearly worth billions of dollars — to say the least.

However, not only does India lack privacy legislation which could safeguard our data from potential abuse, but it is also currently implementing some of the most controversial surveillance schemes in the world, in addition to the world's largest biometric data collection scheme. What's probably more alarming is that such schemes, such as the UID, lack legal backing, as well as public and parliamentary debate!

We aim to change that. As such, the Centre for Internet and Society (CIS) and the Say No to UID campaign jointly invite you to attend a panel which will discuss all of these crucial topics.

Schedule of panel:

3.30pm - 4pm: Tea/Coffee/Refreshments & Registration

4pm - 5.30pm: Panel on Privacy, Surveillance & the UID in the post-Snowden era

5.30pm - 6pm: Q&A and Open Discussion

Panelists:

- Dr. Usha Ramanathan: Academic, Jurist and Activist

- K V Narendra: Director of Rezorce Research Foundation

- Vinay Baindur: Researcher on Urban Local Government & Decentralisation

- Maria Xynou: Policy Associate on the Privacy Project at the Centre for Internet & Society

For more details visit https://cis-india.org/events/panel-on-privacy-surveillance-uid-in-the-post-snowden-era

Panel Discussion on UID/ Aadhar act 2016 and its impact on Social, Security

praskrishna — 2016-04-28T17:02:59Z

Sunil Abraham was a speaker at this event organized by Students Christian Movement of India at SCM House in Bangalore on April 25, 2016. Mathew Thomas and Usha Ramanathan also gave talks.

With the passage of the Aadhaar act 2016 is UID / Aadhar mandatory now? How do we understand the issue of Social Security in the context of the new law? What does it mean for those who need to access their senior citizen pension, rations, school and college scholarships, etc.

How does one understand the money bill route for introducing the bill in Parliament? What are implications of this for the validity of the law?

What will happen to the court cases challenging the UID now?

Where are we now on the thorny issues of surveillance, tracking, profiling, biometrics, private and foreign companies and subsidy? What does the law say?

This discussion will revisit the debates around the UID and examine the implications of the new law.

For more details visit https://cis-india.org/internet-governance/news/panel-discussion-on-uid-aadhar-act-2016-and-its-impact-on-social-security

Panel Discussion on UID – Its Feasibility, Utility and Legality

praskrishna — 2011-05-25T04:11:48Z

A panel discussion on "UID, its feasibility, utility and legality" is being organised by Citizen’s Action Forum, Grahak Shakti and the Centre for Internet and Society. It would be held at The Energy and Resources Institute (at TERI auditorium) in Domlur, Bangalore (near Domlur Club) on Thursday, May 26, 2011. The program commences with lunch at 1 p.m. and ends at 5.30 p.m. You are cordially invited to attend this program.

The panel members would include Mr. Rama Jois (former Chief Justice of Chattisgarh High Court and present Member of Parliament), Mr. Moinul Hassan (Member of Parliament), Mr. Narendra Babu (Member, Legislative Assembly, Karnataka), Mr. V P Sudarshan (former Chairman, Legislative Council of Karnataka and present speaker of Congress party) and Mr. Venkatesh Baberjung, Advocate, High Court of Karnataka.

The National Identity Authority of India Bill, 2010 has been placed before the Parliament by the Government. This Bill has been referred to the Parliamentary Standing Committee on Finance. Mr. Moinul Hassan is a member of this committee. The committee has held one sitting where the Chairman, UIDAI, Mr. Nandan Nilenkani was asked for certain clarifications on the Bill.

The UID project is now under implementation at Mysore. It is scheduled to be launched in Bangalore in June 2011. The Central Government has decided to include caste and religious data in the census. The linkages between UID and the census could come up for discussion among panel members.

UIDAI officials and government officials from the Department of E-Governance, Government of Karnataka have been invited as panel members.

The subject of the discussion is thus topical and of high public interest and importance. We cordially invite you to the lunch and to cover the event so that the public could become aware of issues concerning the same.

The programme schedule is as follows:

1.00 p.m. to 2.00 p.m. - Lunch
2.00 p.m. to 2. 15 p.m. - Welcome and introduction by sponsoring organisations and moderator
2.15 p.m. to 3.00 p.m. - Opening statements by panel members
3.00 p.m. to 4 p.m. - Panel discussions
4.00 p.m. to 4.15 p.m. - Tea
4.15 p.m. to 4.45 p.m. - Panel discussions and questions to panel from audience
4.45 p.m. to 5.15 p.m. - Open House for Audience views
5.15 p.m. to 5.30 p.m. - Concluding remarks by panel members

For more details visit https://cis-india.org/events/uid-panel-discussion

Panel Discussion on Internet Intermediaries, Law and Innovation

jyoti — 2015-06-14T16:37:56Z

CII, Google and Centre For Communications Governance, NLU Delhi hosted a panel discussion on June 2 in New Delhi. Jyoti Panday attended.

The Centre for Internet & Society (CIS) participated in the panel discussion on 'Internet Intermediaries, Law and Innovation' hosted by CII, Google and Centre For Communications Governance, NLU Delhi. The panel discussed the impact of the existing provisions on intermediary liability and innovation and sought suggestions and the way forward.

The panel was moderated by Dr Subho Ray, President, IAMAI

Other panelists included:

Mr Anupam Chander, Eminent Global Lawyer & Academician
Mr Apar Gupta, Advocate
Ms Mishi Choudhary, Founding Director , Software Freedom Law Centre
Mr J Sai Deepak, Associate Partner, Litigation Team, Saikrishna & Associates

Mr Indranil Choudhury, Founder and CEO, Lexplosion

Click to download the presentation.

For more details visit https://cis-india.org/internet-governance/news/panel-discussion-on-internet-intermediaries-law-and-innovation

Panel Discussion on E-Commerce at NLSIU

praskrishna — 2013-02-03T10:37:05Z

Pranesh Prakash was a panelist at this event held at the National Law School of India University on January 7, 2013.

Suswagata Roy posted a report of this event in Cool Age on January 19, 2013.

E-Commerce in India has brought about a revolution and has changed the way businesses are conducted. In a short period of time, E-Commerce has seen tremendous growth and has been able to generate a market for itself. This definitely seems to be just the beginning and a bright future awaits it.

Given that E-Commerce is a hot topic and has already given rise to some pertinent legal issues, the Law and Technology Committee of National Law School of India University held a panel discussion on the same on 7^th Jan, 2013 at 4 PM in the Training Centre, NLSIU Campus. The Panel, which consisted of Mr. Stephen Mathias (Partner, Kochhar and Co.), Mr. Pranesh Prakash (Policy Director, Centre for Internet and Society) and Mr. N. Vijayashankar (founder Chairman of Digital Society Foundation), focused on three issues in order to bring forth their key points.

The issues that were highlighted through the discussion were:

1. E-Commerce and Privacy: Privacy and the internet has been an important issue with which the legal community has been grappling for a long time. There are no specific legislations in India which protect privacy especially in relation to the internet. Protecting private and confidential information of the users is a primary concern of E-Commerce websites which also highlights the related issue of data protection. The customers' financial information is in special need of protection. While dealing with this issue questions like who is responsible for such protection, what data can be shared and what usage will it be put to use will have to be looked at? While dealing with privacy how the government will create a balance between protecting confidential information and providing information to the regulators to ensure no sham transactions, money laundering and tax evasion is being carried on needs to be addressed.

2. E-Commerce and its compatibility with other laws: the need for a separate Act:E-Commerce has definitely given rise to a new form of transaction. Thus, related laws such as law of contracts, law of evidence, taxation will all have to evolve to accommodate the new form of legal dealing. Contracts will have to evolve to validate such online transactions while law of evidence will have to evolve in order to sustain disputes based on such transactions. Many pertinent questions relating to intellectual property rights also arise especially in the area of copyrights. While minor amendments have been made to the Indian Evidence Act and to the Information Technology Act, they are not sufficient to handle this advanced method of conducting business. Moreover, the Information Technology Act is an enabling Act and this complicates matters even more. These issues give rise to the obvious question of needing a separate Act to regulate E-Commerce. An E-Commerce bill was drafted in 1998 which has never been given any attention and which may not be relevant anymore after the changes that technology has undergone over more than a decade.

3. E-Commerce and Cyber Crimes: E-Commerce has opened new avenues of dealing with consumers in the virtual world and thus, has opened new modes of proliferation of cyber crimes. It has resulted in an increased need to secure the laws in relation to fraud prevention, money laundering and phishing. It is imperative to look at the cyber laws in India and whether they are sufficient to deal with such issues in the wake of E-Commerce. How should the law deal with such issues and what regulatory compliances are required for E-Commerce websites in order to deal with these issues?

Thus, though E-Commerce is on the rise and is a welcome way of conducting business and has entranced many consumers, its effective utilizations and growth is viable only if a sturdy legal framework is in place. The panel discussion brought forth such issues and discussed the solutions for the same.

For more details visit https://cis-india.org/news/panel-discussion-on-e-commerce-at-nlsiu

Panel discussion on 'How to Avoid Digital ID Systems That Put People at Risk: Lessons from Afghanistan' at Freedom Online Conference

praskrishna — 2021-12-03T14:52:35Z

Amber Sinha participated as a panelist in a panel discussion on How to Avoid Digital ID Systems That Put People at Risk: Lessons from Afghanistan at the Freedom Online Conference yesterday.

The Freedom Online Coalition (FOC) was established in 2011 in response to the growing recognition of the importance of the Internet for the enjoyment of human rights. Periodically, the FOC holds a multistakeholder Conference that aims to deepen the discussion on how online freedoms are helping to promote social, cultural and economic development. The ownership of the Conference program and outputs lies with the host country, most often the Chair of the Coalition during that year.

The aim of the panel was to use the lessons learned from the Afghanistan case to take a critical and realistic look at the implementation of digital identification programs around the world. A video of the panel can be accessed here.

For more details visit https://cis-india.org/internet-governance/news/panel-discussion-how-to-avoid-digital-id-systems-that-put-people-at-risk

Panel Discussion – Intermediary Liability & Freedom of Expression in India

praskrishna — 2014-04-04T10:10:32Z

Bhairav Acharya will participate in a panel discussion on ‘Intermediary Liability & Freedom of Expression’ on Wednesday evening (26th March 2014) from 6:00 pm onwards at the India International Centre Annex. The event is organized by the Centre for Communication Governance at NLU Delhi in association with the Global Network Initiative, Washington D.C.

The panel comprises of three eminent personalities: Shyam Divan, Senior Advocate, Supreme Court of India; Siddharth Varadarajan, Journalist and Senior Fellow, Centre for Public Affairs and Critical Theory, New Delhi and; Jermyn Brooks, Independent Chair, Global Network Initiative, Washington D.C.

The objective of the panel was to focus on the Indian legal framework governing Internet platforms and explore questions related to Internet intermediaries and the balance that should be involved in regulations affecting user-generated content, in the context of the civil liberties that are key to democracy, in particular free expression and privacy. The discussion was aimed at drawing connections between this ostensibly Internet-related issue and the traditional media, to highlight recurring issues and useful perspectives.

For more details, click here.

For more details visit https://cis-india.org/news/panel-discussion-intermediary-liability-and-freedom-of-expression-in-india

Pandemic Technology takes its Toll on Data Privacy

Aman Nair and Pallavi Bedi — 2021-06-26T06:52:52Z

The absence of any legal framework has meant these tools are now being used for purposes beyond managing the pandemic.

The article by Aman Nair and Pallavi Bedi was published in the Deccan Herald on June 13, 2021.

People show Arogya Setu App installed in their phones while travelling by special New Delhi-Bilaspur train from New Delhi Railway Station. Credit: PTI File Photo

Jabalpur: A beneficiary shows his certificate on his mobile phone after receiving COVID-19 vaccine dose, at Gyan Ganga College in Jabalpur, Saturday, May 15, 2021. (PTI Photo)

At a time when technology is spawning smart solutions to combat Covid-19 worldwide, India’s digital response to the pandemic has stoked concerns that surveillance could pose threats to the privacy of the personal data collected. Be it apps or drones, there is widespread criticism that digital tools are being misused to share information without knowledge or consent. At the other end of the spectrum, the great urban-rural digital divide is hampering the already sluggish vaccination drive, exposing vulnerable populations to a fast-mutating virus.

Last year, the Centre, states and municipal corporations launched more than 70 apps relating to Covid-19, demonstrating the country’s digital-driven approach to handling the pandemic. Chief among these was the central government’s contact tracing app Aarogya Setu. Launched under the Digital India programme, the app quickly came under scrutiny over data privacy.

As per its privacy policy, Aarogya Setu collects personal details such as name, age, sex, profession and location. As there is no underlying legislation forming its basis, and in the absence of a personal data protection bill, serious privacy concerns regarding the collection, storage and use of personal data have been raised.

The government has attempted to mitigate these concerns with reassurances that the data will be used solely in tracing the spread of the virus. However, recent reports from the Kulgam district of Jammu and Kashmir point to the sharing of application data with police. This demonstrates how easy it is to use personal data for purposes other than which it was collected, and presents a serious threat to citizen privacy.

Though Aarogya Setu was initially launched as ‘consensual’ and ‘voluntary’, it soon became mandatory for individuals to download the app for various purposes such as air and rail travel (this order was subsequently withdrawn) and for government officials. Initially it was also mandatory for the private sector, but this was later watered down to state that employers should, on a ‘best effort basis', ensure that the app is downloaded by all employees having compatible phones. However, the ‘best effort basis’ soon translated into mandatory imposition for certain individuals, especially those working in the ‘gig economy’.

Several states had also launched apps for various purposes ranging from contact tracing of suspected Covid patients to monitoring the movement of quarantined patients. As a report by the Centre for Internet and Society observed, given the attention on Aarogya Setu, most of the apps launched by the state governments escaped scrutiny and public attention.Most of these apps either did not have a privacy policy or the policy was vague and often did not provide important details such as who was collecting the data, the time period for retaining the data and whether personal data could be shared with other departments, most notably, law enforcement.Apart from contact tracing apps, the pandemic also ushered in a wave of other apps and digital tools by the government. These include systems such as drones to check whether people are following Covid-19 norms and facial recognition cameras to report to the police whether someone has broken quarantine. Similar to Aarogya Setu, these tools have also largely been brought about in the absence of a legal and regulatory framework.
The absence of any legal framework has meant these tools are now being used for purposes beyond managing the pandemic.

The government is now planning to use facial recognition technology along with Aadhaar toauthenticate people before giving them vaccine shots.

Aarogya Setu is now linked with the vaccination process. Beneficiaries have been provided an option to register through Aarogya Setu. The pandemic has also provided a means for the government to bring in changes to health policies and introduce the National Health Data Management Policy for the creation of a Unique Health Identity Number for citizens.

Vaccination and digital platforms

The use of digital technology has extended to the vaccination process through the deployment of the Covid Vaccine Intelligence Network (Co-WIN) platform.During the first phase of inoculation, beneficiaries were required to register on the Co-WIN app while in the subsequent phases, registration was to be done on the Co-WIN website. The beneficiary is required to upload a photo identity proof.

While Aadhaar has been identified as one of the seven documents that can be uploaded for this, the Health Ministry has clarified that Aadhaar is not mandatory for registration either through Co-WIN or through Aarogya Setu. However, as per media reports, certain vaccination centres still seem to insist on Aadhaar identity even though beneficiaries may have used another identity proof to register on the Co-WIN website.

It is also pertinent to note that the website did not have a privacy policy till the Delhi High Court issued directions on June 2, 2021. The privacy policy hyperlinked on the Co-WIN app directed the user to the Health Data Policy of the National Health Data Management Policy, 2020.

The vaccination drive has been used as a means to push the health identity project forward as beneficiaries who have opted to provide Aadhaar identity proof have also been provided with a health identity number on their vaccination certificate. It is interesting to note that Co-WIN’s privacy policy now states that if the beneficiary uses Aadhaar as identity proof, it can 'opt' to get a Unique Health Id.However, as a recent report revealed, health identity numbers have already been generated for certain beneficiaries without obtaining consent from them for the purpose.

Have the apps been successful?

One could argue that privacy concerns are a worthwhile tradeoffin order to contain the spread of thepandemic. But it is worth examining how successful these technologies have been. In reality, the use of digital technology at every stage of combating the pandemic has clearly highlighted the extent of our digital divide. As per data from TRAI, there are around 750 million Internet subscribers in India,which is only a little more than half of India’s estimated 1.3 billion citizens — with this gap having a significant impact on the efficacy of the government’s strategies. Aarogya Setu has fallen far short of its goal, of having near universal adoption. It has limited adoption in much of the country. This has severely limited its efficacy in tracing the spread of the virus. Research from Maulana Azad Medical College has cited socio-economic inequalities,educational barriers and the lack of smartphone penetration as being the key causes behind the app’s limited success, pointing back to the digital divide. Moreover, the app has also brought with it a host of associated problems including lateral surveillance and function creep caused by the addition of new features. All of which, along with the previously mentioned privacy concerns, have served to hamper public trust and adoption.

A similar situation is seen in the case of vaccination and the Centre’s Co-WIN web portal. The need for registration, first on the Co-WIN app and later on the Co-WIN web portal, has disproportionately affected those who either have no or limited digital access. Many of them belong to vulnerable groups such as migrant and informal sector workers (mainly from disadvantaged castes), LGBTQIA + individuals, sex workers and both urban and rural poor. These issues have also been acknowledged by the Supreme Court, which raised serious concerns about the government being able to achieve its stated object of universal vaccination.

As the inoculation exercise opened up for the 18-45 age group, it increasingly favoured the urban population who possessed the technological and digital literacy to either create or access a host of tools. One need to only look at the wave of automated CO-WIN bots that arose as soon as the vaccination process was expanded to see how these dynamics manifested.

Ultimately, the digital-driven approach that the governments have adopted has resulted in a number of issues — most notably, data privacy and exclusion. Going forward, government strategies must actively account for these factors and ensure that citize rights are adequately protected.

For more details visit https://cis-india.org/internet-governance/blog/deccan-herald-aman-nair-and-pallavi-bedi-june-13-2021-pandemic-technology-takes-its-toll-on-data-privacy

PAI WG Labor and Economy Meeting

Admin — 2018-05-05T09:35:07Z

Elonnai Hickok co-chaired the first PAI Labor and Economy WG in NYC on April 25, 2018.

Agenda

For more details visit https://cis-india.org/internet-governance/news/pai-wg-labor-and-economy-meeting

Packets, net neutrality and gaming public policy outcomes

Admin — 2019-08-28T15:15:37Z

Gurshabad Grover attended Prof. Vishal Misra's lecture on net neutrality at Has Geek in Bangalore on August 15, 2019.

For more details visit https://cis-india.org/internet-governance/news/packets-net-neutrality-and-gaming-public-policy-outcomes

Oyo Hotels’ Real-Time Digital Record Database Sparks Privacy Fears

Admin — 2019-01-18T02:26:50Z

Oyo Hotels’ pilot to maintain a real-time digital database of guests and plan to share it with law-enforcement agencies has triggered privacy concerns.

The article by Nishant Sharma was published by Bloomberg Quint on January 16, 2019. Pranesh Prakash was quoted.

The digital check-in and check-out database of guests will do away with the conventional arrival and departure registers, Aditya Ghosh, chief executive India and South Asia at the hotel chain said at a CII event, according to a report in Business Standard. That will make the process efficient and transparent and the SoftBank-backed startup has received acceptance from governments of Haryana, Rajasthan and Telangana for the proposed digitisation of guest entry and departure records, the report said quoting Ghosh.

That triggered an outrage on social media, with users calling it invasion of privacy.

Oyo, in an emailed statement to BloombergQuint, said it will provide information to the law-enforcement agencies about who is staying only after an information order is issued by the police. The company said it will create “stronger data security net”. Oyo, however, didn't clarify who will maintain the data centres.

Centralisation of data of any kind isn't good and will make data more fragile, Sunil Abraham, founder of research think tank Center for Internet and Society, told BloombergQuint. “If someone manages to break into the police data, or where the data is stored then they will be able to have the access to the data. It is always good to store data locally.”

Just last year, Marriott International Inc. reported a hack in which passport numbers, emails and mailing addresses of 327 million of its 500 million Starwood guests was leaked.

To be sure, police always have access to data of customers staying at hotels, one way or the another. As per existing regulations, all hotels, bed and breakfasts and guest-houses have to make an entry of guests checking in and out in a register. This can be checked by the local police when an information order is presented.

Chances of manipulating information in such a register is high, and at times police go through the data without having an information order as well, said an industry executive requesting anonymity.

Srinivas Kodali, a cybersecurity expert, said such a centralised database makes business sense for Oyo because they will get access to data not just of people who booked through them but also of others who checked in without booking online. “Because there is no law, the entities can do it.”

Pranesh Prakash, a technology policy analyst and affiliated fellow at CIS, sees this as an invasion of privacy in the absence of law. Digitisation of data can be allowed only after there’s a law on what happens in the case it’s misused. There is no legal framework about how and where the data will be used, he said.

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-nishant-sharma-january-16-2019-oyo-hotels-real-time-digital-record-database-sparks-privacy-fears

OWASP Seasides Conference

Admin — 2019-03-07T23:53:47Z

Karan Saini attended the OWASP Seasides security conference held on February 27 and 28, 2019 at Cavelossim, Goa. The event was organized by OWASP Seasides.

For conference details click here.

For more details visit https://cis-india.org/internet-governance/news/owasp-seasides-conference

Overview and Concerns Regarding the Indian Draft DNA Profiling Act

GeneWatch UK & the Council for Responsible Genetics, US — 2012-07-11T11:30:38Z

The Indian Code of Criminal Procedure was amended in 2005 to enable the collection of a host of medical details from accused persons upon their arrest. Section 53 of the Cr.PC provides that upon arrest, an accused person may be subjected to a medical examination if there are “reasonable grounds for believing” that such examination will afford evidence as to the crime.

The scope of this examination was expanded in 2005 to include “the examination of blood, blood-stains, semen, swabs in case of sexual offences, sputum and sweat, hair samples and finger nail clippings by the use of modern and scientific techniques including DNA profiling and such other tests which the registered medical practitioner thinks necessary in a particular case.”

In Thogorani Alias K. Damayanti v. State of Orissa and Ors, 2004 Cri. LJ 4003 (Ori), the Orissa High Court affirmed the legality of ordering a DNA test in criminal cases to ascertain the involvement of persons accused. Refusal to cooperate would result in an adverse inference drawn against the accused.

After weighing the privacy concerns involved, the court laid down the following considerations as relevant before the DNA test could be ordered: “(i) the extent to which the accused may have participated in the commission of the crime; (ii) the gravity of the offence and the circumstances in which it is committed; (iii) age, physical and mental health of the accused to the extent they are known; (iv) whether there are less intrusive and practical ways of collecting evidence tending to confirm or disprove the involvement of the accused in the crime; (v) the reasons, if any, for the accused for refusing consent.” Id.

In brief, the 2007 draft DNA Profiling Bill (hereinafter “Bill”) pending before parliament attempts to create an ambitious centralized DNA bank that would store DNA records of virtually anyone who comes within any proximity to the criminal justice system. Specifically, records are maintained of suspects, offenders, missing persons and “volunteers.” The schedule to the Bill contains an expansive list of both civil and criminal cases where DNA data can be collected including cases of abortion, paternity suits and organ transplant. In all fairness, the Bill contains provisions limiting access to and use of information contained in the database, and provides for the deletion of a person’s DNA profile upon their acquittal.

2007 Draft DNA Profiling Bill

Preamble (§ 1)

Section 1 of the Bill sets out the broad policy objectives of its drafters. The most telling portion of § 1 states: “[DNA analysis] makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead without any doubt.” Bill, § 1 (emphasis added). Although it later makes mention of potential harms resulting from governmental misuse of genetic information technology, it is evident that the policy animating the Bill presupposes the objective infallibility of genetic analysis. This patent mistruth underpins the policy rationale for the Bill, and as such casts a long shadow over its substantive provisions. At the very least, it tells the reader (and perhaps one day the court) to broadly interpret the Bill’s language to favor DNA analysis as the privileged solution to investigational and prosecutorial needs.

Definitions (§ 2)

A number of the Bill’s definitions are overbroad, further expanding the scope of its later provisions. The “crime scene index” is defined to include “DNA profiles from forensic material found . . . on or within the body of any person, on anything, or at any place, associated with the commission of a specified offence.” Id., § 2(1)(vii) et seq. A “specified offence” is defined as any of a number of more serious crimes, “or any other offence specified in the Schedule [to the Bill].” The so-called “Schedule,” tucked neatly on page 34 of the Bill’s 35 pages, lists a hodgepodge of various crimes from rape, to “offences relating to dowry,” defamation, and “unnatural 3 offenses.”[1] Taken together, the government is empowered to conduct genetic testing on almost anyone in any way connected with even minor infractions of the criminal law.

Furthermore, the crucial term “suspect” is defined as anyone “suspected of having committed an offence.” Id., § 2(1)(xxxvi). By intentionally leaving out the qualifier “specified,” the drafters’ intent is plain: to sweep within the Bill’s breadth all persons suspected of any crime whatsoever. And, accordingly, the Bill defines the “suspects index” to include “DNA profiles derived from forensic material lawfully taken from suspects.” Id., § 2(1)(xxxvix). It is hard to imagine anybody of subsequent regulation that could adequately circumscribe this manifest affront to personal privacy and bodily integrity.

DNA Profiling Board (§§3 to 13)

The DNA Profiling Board (hereinafter “Board”) is responsible for administering and overseeing the Indian DNA database. §3 et seq. Among its several enumerated powers, the Board is charged with “recommend[ing] privacy protection statutes, regulations and practices relating to access to, or use of stored DNA samples or DNA analyses,” as well as “mak[ing] specific recommendations to . . . ensure the appropriate use and dissemination of DNA information [and] take any other necessary steps require to be taken to protect privacy.” §13(1)(xv) to (xvi). This provision is in lieu of any substantive principle limiting the scope of the legislation, which the bill otherwise lacks.

This is a significant omission. As expressed in the preamble, the stated purpose of the Bill is “to enhance protection of people in the society and [the] administration of justice.” §1. Taken alone, this expresses only the government’s interest in the legislation, suggesting an ambiguously wide scope for its provisions. A substantive concept of individual privacy is required to counterbalance the interests of the government and provide protections for the equally vital privacy interests of the individual. As such, a limiting privacy principle should be included alongside the expressing in §1 of the government’s security interest. Without it, the Board will effectively have carte blanche with regard to what privacy protections are—or are not—adopted.

Approval of Laboratories (§§14 to 18)

Sections 14 to 18 provide for the approval by the DNA Profiling Board of DNA laboratories that will process and analyze genetic material for eventual inclusion on the DNA database. Under §14, all laboratories must be approved in writing prior to processing or analyzing any genetic material. However, a conflicting provision appears in the next section, §15(2), which permits DNA laboratories in existence at the time the legislation is enacted to process or analyze DNA samples immediately, without first obtaining approval.

Either an oversight on the part of the drafters, or the product of overly-vague language, the result is that established genetic laboratories—including whatever genetic material or profiles they may already have for whatever reason—are in effect “grandfathered” into the system. The only review of these laboratories is the post hoc approval of the laboratory by the DNA profiling board. The potential for abuse and error that this conflict of provisions would be best addressed in keeping with the rule articulated in §14, i.e. correcting the language of §15(2) that allows for laboratories to be “grandfathered” into the system.

Standards, Obligations of DNA Laboratory (§§19 to 28)

Chapter V, which concerns the obligations of and the standards to be observed by approved DNA laboratories, lacks adequate administrative provisions. For example, §22 requires that labs ensure “adequate security” to minimize contamination without providing for accountability in the event of contamination. Similarly, §28 provides for audits of DNA laboratories only, withholding from similar scrutiny of the DNA Profiling Board itself.

National DNA Database (§§33 to 37)

In addition on one national DNA database, the Bill sanctions the several Indian states to maintain their own DNA databases, provided these state-level databases forward copies of their content to the national database. Id., § 33(3). The national database is envisioned to comprise several sub-databases, each to contain the genetic information of a subset of persons/samples, namely: (1) unidentified crime scene samples, (2) samples taken from suspects, (3) samples taken from persons convicted or currently subject to prosecution for “subject offences,” (4) samples associated with missing persons, (5) samples taken from unidentified bodies, (6) samples taken from “volunteers,”[3] and finally (7) samples taken for reasons “as may be specified by regulations. Id., § 33(4) et seq. Putting to one side the breadth of persons subject to inclusion under subcategories (1) through (6), subsection (7) appears on its face to be a “catch all” provision, leaving one only to guess at the circumstances under which its specificities may be promulgated. Id.

A close reading of § 33(6) strongly suggests that the agency [4]conducting conducting the forensic analyses and populating the DNA database shall retain the DNA samples thereafter. This section reads in relevant part:

The DNA Data Bank shall contain . . . the following information, namely: (i) in the case of a profile in the offenders index, the identity of the person from whose body substance or body substances the profile was derived, and (ii) in case of all other profiles, the case reference number of the investigation associated with the body substance or body substances from which the profile was derived. Id., § 33(6).

Rather than choose to link the DNA profile data to a specific offender or case, the drafters of the Bill instead like the “body substance or body substances” with that specific offender or case. Whether sloppy drafting or clever nuance, this provision elides the DNA profile with the DNA sample, injecting unneeded—and potentially harmful—ambiguity into the proposed law.

Confidentiality, Access to DNA Profiles, Samples, and Records (§§ 38-44)

Further compounding this ambiguity, § 36 entitled “Access to Information” opens the door to much more than DNA profiles alone being kept on the government database. In all three of its subsections it purports to govern access to “the information” contained in the database, not “the DNA profiles” contained in the database. Id., § 36(1) et seq. Subsection 2 employs even broader language, covering “the information in the offenders’ index pertaining to a convict.” Id. Taken at face value, this provision of the Bill suggests that any and all sort of “information . . . pertaining to a convict” that might be derived from his or her DNA can be stored on the database. Even if prudential oversight provisions elsewhere in the Bill suggests a tightly-controlled techno-forensic apparatus, the overbroad construction of provisions such as §§ 33 and 36 raise significant questions about the wisdom of enacting the text in this form.

Two further provisions regarding access to the database warrant close scrutiny. First, §§ 39 and 40 purport to confer upon the police direct access to all of the information contained in the national DNA database. While administratively expedient, this arrangement opens up the possibility for misuse. A more prudent system would place the Board (or some administrative subordinate portion thereof) between the police and the content of the DNA database, with the latter having to make specific and particular requests to the former. This would minimize the risks inherent in the more expansive model of database access the bill currently envisions.

Second, and more concerning, § 41 permits the Data Bank Manager to grant access to the database to “any person or class of persons that the Data Bank Manager considers appropriate.” This is a sweeping provision. It vests in one individual the ability to permit almost anyone access to the DNA database—without administrative review or oversight of any kind. Taken together with the general lack of administrative safeguards in the bill, § 41 again places the government’s interest in investigating crime far above individual privacy rights.

Omissions

Most notably, the bill specifically excludes a private cause of action for the unlawful collection of DNA, or for the unlawful storage of private information on the national DNA database. Nor does the bill grant an individual right to review one’s personal data contained on the database. Without these two key features, there is effectively no check against the unlawful collection, analysis, and storage of private genetic information on the database.

Best Practices Analysis

Collection of DNA

With consent: only for a specific investigation (e.g. from a victim or for elimination purposes). Volunteers should not have information entered on a database	No provision
Without consent: only from persons suspected of a crime for which DNA evidence is directly relevant i.e. a crime scene sample exists or is likely to exist. Or, broader categories?	No provision
Requirement for an order by a court? Or allowed in other circumstances?	No provision
Samples collected by police officers, or only medical professionals? Must take place in a secure location i.e. not on the street etc.	No provision
Provision of information for all persons from whom DNA is taken	No provision
Crime scenes should be promptly examined if DNA evidence is likely to be relevant, and quality assurance procedures must protect against contamination of evidence	No provision; regulated at discretion of DNA Profiling Board

Analysis of DNA

Should take place only in laboratories with quality assurance	Regulated at discretion of DNA Profiling Board
Laboratories should be independent of police	No provision; regulated at discretion of DNA Profiling Board
Profiling standards must be sufficient to minimise false matches occurring by chance. This must take account of increased likelihood of false matches in transboundary searches, and with relatives.	No provision; regulated at discretion of DNA Profiling Board

Storage of DNA

Data from convicted persons should be separate from others e.g. missing persons’ databases	Unclear
Access to databases and samples must be restricted and there must be an independent and transparent system of governance, with regular information published e.g. annual reports, minutes of oversight meetings	Access to database at discretion of DNA Data Bank Manager
Personal identification information should not be sent with samples to laboratories	No provision; regulated at discretion of DNA Profiling Board
Any transfer of data e.g. from police station to lab or database, must be secure	No provision; regulated at discretion of DNA Profiling Board

User Samples and Data

Research uses should be restricted to anonymised verification of database performance (e.g. checking false matches etc.). Third party access to data for such purposes should be allowed, provided public information on research projects is published. There should be an ethics board.	No provision
Research uses for other purposes e.g. health research, behavioural research should not be allowed.	No provision
Uses should be restricted by law to solving crimes or identifying dead bodies/body parts. Identification of a person is not an acceptable use. Missing persons databases (if they exist) should be separate from police databases.	Ambiguous provisions suggest much wider scope
Familial searching should be restricted e.g. ordered by a court? Or not used? Or regulated for use in special cases?	No provision

Destruction of DNA and Linked Datas

DNA samples should be destroyed once the DNA profiles needed for identification purposes have been obtained from them, allowing for sufficient time for quality assurance, e.g. six months	DNA samples are retained
An automatic removals process is required for deletion of data from innocent persons. This must take place within a reasonable time of acquittal etc.	No provision
There should be limits on retention of DNA profiles from persons convicted of minor crimes	No provision
There should be an appeals process against retention of data	No provision
Linked data on other databases (e.g. police record of arrest, fingerprints) should be deleted at the same time as DNA database records	No provision
Crime scene DNA evidence should be retained for as long as a reinvestigation might be needed (including to address miscarriages of justice)	DNA evidence permitted to be retained indefinitely

Use in Court

Individuals must have a right to have a second sample taken from them and reanalysed as a check	No provision
Individuals must have a right to obtain re-analysis of crime scene forensic evidence in the event of appeal	No provision
Expert evidence and statistics must not misrepresent the role and value of the DNA evidence in relation to the crime	No provision

Other

Relevant safeguards must be proscribed by law and there should be appropriate penalties for abuse	No provision
Impacts on children and other vulnerable persons (e.g. mentally ill) must be considered	No provision
Potential for racial bias must be minimised	No provision

[1]. No examples are given as to which unnatural offences are intended, leaving the reader wondering. Perhaps a DNA test of witchcraft?
[2]. Section 15(2) does mandate that such laboratories petition the DNA Profiling Board for approval within six months after the legislation is enacted.
[3].Per § (2)(1)(xxxxiii) of the Definitions, a “volunteer” is “a person who volunteers to undergo a DNA procedure.” The definition does not require that the “volunteer” be informed of the nature, purpose, or possible consequences of his generosity; nor is any such requirement specified elsewhere in the Bill.
[4].Or, as is laid out in great detail in §§ 14-32, at the privately-contracted forensics laboratory.

Note: § is a symbol for 'section'.

For more details visit https://cis-india.org/internet-governance/indian-draft-dna-profiling-act

Over 30 organisations, industry bodies oppose proposal to ban vape content

praskrishna — 2019-03-03T05:49:54Z

More than 30 organisations and industry bodies, including Ficci, CII and the Cellular Operators Association of India, have written to the Electronics and IT Ministry (MeitY), urging it not to ban online content related to the Electronic Nicotine Delivery Systems (ENDS).

The article by Press Trust of India was carried in the Times of India on February 28, 2019.

Other major organisations supporting this include Asia Internet Coalition, Broadband India Forum, Internet Freedom Foundation, Data Security Council of India, Heart Care Foundation of India, and The Centre for Internet and Society.

The draft amendment to the intermediary guidelines rules proposes new regulations for intermediaries (digital platforms), including a clause on banning online content that promotes ENDS.

These entities, in a statement on Thursday, said citizens have the right to access information on safer alternatives to smoking. The submissions form part of the 609-page document.

"...(These) organisations have opposed the ban on content related to ENDS citing overstepping of IT ministry's jurisdiction, violation of consumer rights, no legal backing for the action and use of vague terminology that can lead to misinterpretation and overregulation," it added.

Vape refers to electronic cigarettes or similar devices that simulate the experience of smoking a cigarette.

The statement quoted Association of Vapers India Director Samrat Chowdhery as saying that it is encouraging that many organisations concerned with public health have sought removal of the proposed ban on ENDS content.

"India is reeling under a tobacco epidemic which causes nearly a million deaths a year. We stated in our submission that denying people access to information on safer alternatives will, therefore, be highly detrimental and in violation of Article 21 of our constitution," he added.

The Data Security Council of India (DSCI), a Nasscom initiative, said the terms and expressions used are ambiguous and may be deemed unconstitutional.

Amnesty India said it "is concerned that the rules use vague and overly broad terms to identify expression that can be restricted, going well beyond both Indian and international human rights standards on freedom of expression". SR SR HRS

For more details visit https://cis-india.org/internet-governance/news/times-of-india-pti-february-28-2019-over-30-organisations-industry-bodies-oppose-proposal-to-ban-vape-content

Outrage before sharing

praskrishna — 2015-09-20T17:08:14Z

Has the social media converted people into a lynch mob that seeks out justice and passes judgement instantly, without bothering to hear both sides of the story?

The article by Nikhil Varma was published in the Hindu on September 9, 2015. Rohini Lakshané was quoted.

The Internet has changed the way we communicate in more ways than we can imagine. Apart from being a medium to share pictures and updates with family and friends, social media has also become an arena where political debates are a commonplace and people are quick to make judgements. The social media space has become one where superlatives are commonly used and videos or conversations about inappropriate behaviour or even a tweet or Facebook post has a tendency to go viral and snowball into a shaming of the individual or organisation in question, without bothering to hear out the other side of the story. Outraging can be over anything, from the faults of the Government, to lay people who sometimes find themselves the subject of an online shaming campaign.

Recently, an FB user put up pictures of a person, who she claimed misbehaved with her on a street in Delhi. Within a few hours, the man’s picture went viral and he was arrested by the police, even as he was called names and abused on social media networks. A few days later, eyewitness accounts corroborated the man’s account of the incident. The response online now put the girl at fault and blamed her for politicising the issue. The initial response to the video of the Rohtak sisters bashing up alleged molesters also saw the outrage shifting sides.

How does one deal with people making judgements with a click of a button? Does online shaming dent the chances of people getting justice in genuine cases of assault?

Rohini Lakshané, a researcher at the Centre for Internet and Society says, “Online, public shaming is a useful and often effective strategy for calling out unacceptable behaviour when recourse to other remedies is tedious, time-consuming, or non-existent. Its flipside is that shaming online could lead to mob justice or a witch-hunt. The onus should be on the viewers or readers of such an act of shaming to not take the law into their own hands and on the news media to do their basic duty of checking facts before publishing or broadcasting anything.”

She adds, “People use social networking sites, among other things, as verandas where they can gather gossip, and talk about their interests. If people jumping the gun and being judgemental offline isn’t a cause for concern, I don’t see why it should be when it happens online.”

On checks, Rohini contends, “They would not be in the interest of free speech. It would, of course, make a difference if social media users paused to think.”

V. Shakti, Social Media and Branding Professional, points out that the mass adoption of social media platforms has had positive and negative effects. “It has ensured that anyone can reach out and get any information. The flip side is that this power to reach millions needs to be handled with care and responsibility. The Jasleen Kaur incident is a glaring reflection. Such is the mindset of people online that anyone who is shamed is assumed guilty and derided. Sometimes the shaming does permanent damage to the target and the effects are life-long. The minute Jasleen posted a picture online, even the media jumped in calling the guy a ‘pervert’, if this were some other country, they would be sued. We need to understand that un-shaming is not an option and hence be careful when throwing mud at someone online. Remember, it could be you tomorrow. Think, verify and then act. Like I always say, there are three sides to every story - yours, mine and the truth.”

For psychiatrist and Integrative medicine specialist Shyam Bhatt, online shaming is a combination of a sense of mob justice and the feeling of participating in a cause. “It is easy to sign up for a cause online, you can click share and feel good about yourself. People also tend to get swayed by what their friend circles are talking about.”

Social media user Praveen Rao feels an attempt to feel involved with causes is responsible for this phenomenon.

“It is important for people to check the authenticity and wait for a clear picture to emerge before talking about something. However, in the rush to appear clued in, people tend to share anything that goes viral, without pausing to think if someone’s life could be ruined. It is a good tool to call out genuine cases of misbehaviour and assault, but mob justice should be avoided.”

For more details visit https://cis-india.org/internet-governance/news/hindu-nikhil-varma-september-9-2015-outrage-before-sharing