<?xml version="1.0" encoding="utf-8" ?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns="http://purl.org/rss/1.0/">




    



<channel rdf:about="https://cis-india.org/search_rss">
  <title>Centre for Internet and Society</title>
  <link>https://cis-india.org</link>
  
  <description>
    
            These are the search results for the query, showing results 1 to 15.
        
  </description>
  
  
  
  
  <image rdf:resource="https://cis-india.org/logo.png"/>

  <items>
    <rdf:Seq>
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/yahoo-october-23-2013-what-india-can-learn-from-snowden-revelations"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/uid-and-npr-a-background-note"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/understanding-right-to-information"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/uid-practices-and-it-act-sec-43-a-and-subsequent-rules"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/privacy-wikilileaks-whistleblowers"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/omnishambles-of-uid-shrouded-in-its-rti-opacity"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/dna-profiling-bill"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/cis-joins-worldwide-campaign-to-discover-depth-of-gchq-illegal-spying"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/surveillance-technologies"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/eff-feb-13-2013-katitza-rodriguez-and-elonnai-hickok-surveillance-camp-iv-disproportionate-state-surveillance-a-violation-of-privacy"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/events/stand-up-for-digital-rights"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/privacy-ratantata"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/jobs/vacancy-for-short-term-consultant-ietf"/>
        
    </rdf:Seq>
  </items>

</channel>


    <item rdf:about="https://cis-india.org/internet-governance/blog/yahoo-october-23-2013-what-india-can-learn-from-snowden-revelations">
    <title>What India can Learn from the Snowden Revelations</title>
    <link>https://cis-india.org/internet-governance/blog/yahoo-october-23-2013-what-india-can-learn-from-snowden-revelations</link>
    <description>
        &lt;b&gt;Big Brother is watching, across cyberspace and international borders. Meanwhile, the Indian government has few safeguards in theory and fewer in practice. There’s no telling how prevalent or extensive Indian surveillance really is.&lt;/b&gt;
        &lt;p&gt;The title of the article was changed in the &lt;a class="external-link" href="http://in.news.yahoo.com/why-india-needs-a-snowden-of-its-own-054956734.html"&gt;version published by Yahoo&lt;/a&gt; on October 23, 2013.&lt;/p&gt;
&lt;hr /&gt;
&lt;p&gt;Since the ‘&lt;a href="http://www.theguardian.com/world/edward-snowden" target="_blank"&gt;Snowden revelations&lt;/a&gt;’, which uncovered the United States government’s massive global surveillance through the &lt;a href="http://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29" target="_blank"&gt;PRISM&lt;/a&gt; program, there have been reactions aplenty to their impact.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Snowden revelations highlighted the issue of human rights in the context of the existing cross-border and jurisdictional nightmare: the data of foreign citizens surveilled and harvested by agencies such as the National Security Agency through programs such as PRISM are not subject to protection found in the laws of the country. Thus, the US government has the right to access and use the data, but has no responsibility in terms of how the data will be used or respecting the rights of the people from whom the data was harvested.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Snowden revelations demonstrated that the biggest global surveillance efforts are now being conducted by democratically elected governments – institutions of the people, by the people, for the people – that are increasingly becoming suspicious of all people.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Adding irony to this worrying trend, Snowden sought asylum from many of the most repressive regimes: this dynamic speaks to the state of society today. The Snowden revelations also demonstrate how government surveillance is shifting from targeted surveillance, warranted for a specific reason and towards a specified individual, to blanket surveillance where security agencies monitor and filter massive amounts of information.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This is happening with few checks and balances for cross-border and domestic surveillance in place, and even fewer forms of redress for the individual. This is true for many governments, including India.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;India’s reaction&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;After the first news of the Snowden revelations, the Indian Supreme Court &lt;a href="http://www.medianama.com/2013/06/223-supreme-court-to-hear-pil-against-nsa-surveillance-of-indian-data-report/" target="_blank"&gt;agreed&lt;/a&gt; to hear a Public Interest Litigation requesting that foreign companies that shared the information with US security agencies be held accountable for the disclosure. In response to the PIL, the Supreme Court stated it did not have jurisdiction over the US government.&lt;br /&gt;&lt;br /&gt;The response of the Supreme Court of India demonstrates the potency of jurisdiction in today’s global information economy in the context of governmental surveillance. Despite being upset at the actions of America’s National Security Agency (NSA), there is little direct legal action that any government or individual can take against the US government or companies incorporated there.&lt;br /&gt;&lt;br /&gt;In the PIL, the demand that companies be held responsible is interesting and representative of a global debate, as it implies that in the context of governmental surveillance, companies have a responsibility to actively evaluate and reject or accept governmental surveillance requests. Although I do not disagree with this as a principle, in reality, this evaluation is a difficult step for companies to take.&lt;br /&gt;&lt;br /&gt;For example, in India, under Section 69 of the Information Technology Act, 2000, service providers are penalized with up to seven years in prison for non-compliance with a governmental request for surveillance. 
The incentives for companies to actually reject governmental requests are minimal, but one factor that could possibly push companies to become more pronounced in their resistance to installing backdoors for the government and complying with governmental surveillance requests is market pressure from consumers.&lt;br /&gt;&lt;br /&gt;To a certain extent, this has already started to happen. Companies such as Facebook, Yahoo and Google have created ‘transparency reports’ that provide – at different granularities – information about governmental requests and the company’s compliance or rejection of the same.&lt;br /&gt;&lt;br /&gt;In India, P. Rajeev, Member of Parliament from Kerala, has started a &lt;a href="http://www.change.org/petitions/google-facebook-microsoft-yahoo-reveal-information-on-data-of-indian-citizens-given-to-us-security-agencies-2" target="_blank"&gt;petition&lt;/a&gt; asking that the companies disclose information on Indian data given to US security agencies. Although transparency by complying companies does not translate directly into regulation of surveillance, it allows the customer to make informed choices and decide whether a company’s level of compliance with governmental requests will impact his/her use of that service.&lt;br /&gt;&lt;br /&gt;The PIL also called for the establishment of Indian servers to protect the privacy of Indian data. This solution has been &lt;a href="http://articles.economictimes.indiatimes.com/2013-08-14/news/41409701_1_traffic-originating-and-terminating-servers-mocit" target="_blank"&gt;voiced by many&lt;/a&gt;, including government officials. 
Though the creation of domestic servers  would ensure that the US government does not have direct and unfettered  access to Indian data, as it would require that foreign governments  access Indian information through a formal &lt;a href="http://mha.nic.in/Policy_Planing_Division" target="_blank"&gt;Mutual Legal Assistance Treaty&lt;/a&gt; process, it does not necessarily enhance the privacy of Indian data. &lt;br /&gt;&lt;br /&gt;As  a note, India has MLAT treaties with 34 countries. If domestic servers  were established, the information would be subject to Indian laws and  regulations.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Snooping&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The Snowden Revelations are not the first instance to spark a discussion on domestic servers by the Government of India. &lt;br /&gt;&lt;br /&gt;For  example, in the back-and-forth between the Indian government and the  Canadian company RIM, now BlackBerry, the company eventually &lt;a href="http://timesofindia.indiatimes.com/tech/tech-news/telecom/BlackBerry-sets-up-server-in-Mumbai-to-aid-interception/articleshow/11969224.cms" target="_blank"&gt;set up servers in Mumbai&lt;/a&gt; and provided a lawful interception solution that satisfied the Indian  government. The Indian government made similar demands from &lt;a href="http://news.cnet.com/8301-1009_3-20015418-83.html" target="_blank"&gt;Skype and Google&lt;/a&gt;. In these instances, the domestic servers were meant to facilitate greater surveillance by Indian law enforcement agencies.&lt;br /&gt;&lt;br /&gt;Currently  in India there are a number of ways in which the government can legally  track data online and offline. For example, the interception of  telephonic communications is regulated by the Indian Telegraph Act,  1885, and relies on an order from the Secretary to the Ministry of Home  Affairs. Interception, decryption, and monitoring of digital  communications are governed by Section 69 of the Information Technology  Act, 2000 and again rely on the order of the executive. &lt;br /&gt;&lt;br /&gt;The  collection and monitoring of traffic data is governed by Section 69B of  the Information Technology Act and relies on the order of the Secretary  to the government of India in the Department of Information Technology.  Access to stored data, on the other hand, is regulated by Section 91 of  the Code of Criminal Procedure and permits access on the authorization  of an officer in charge of a police station.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The gaps in the Indian surveillance regime are many and begin with a lack of enforcement and harmonization of existing safeguards and protocols. Presently, India is in the process of realizing privacy legislation.&lt;br /&gt;&lt;br /&gt;In 2012, a committee chaired by Justice AP Shah (of which the Centre for Internet and Society was a member) wrote &lt;a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf" target="_blank"&gt;The Report of the Group of Experts on Privacy&lt;/a&gt;, which laid out nine national privacy principles meant to be applied to different legislation and sectors – including Indian provisions on surveillance.&lt;br /&gt;&lt;br /&gt;The creation of domestic servers is just one example of how the Indian government has been seeking greater access to information flowing within its borders. New requirements for Indian service providers and the creation of projects that go beyond the legal limits of governmental surveillance in India enable greater access to details about an individual on a real-time and blanket basis.&lt;br /&gt;&lt;br /&gt;For example, telecoms in India are now required to include &lt;a href="http://www.firstpost.com/tech/exclusive-location-tracking-of-every-indian-mobile-user-by-2014-876109.html/2" target="_blank"&gt;user location data&lt;/a&gt; as part of the ‘call detail record’ and be able to &lt;a href="http://www.medianama.com/2012/08/223-indian-government-revises-location-accuracy-guidelines-says-telcos-should-bear-the-cost/" target="_blank"&gt;provide&lt;/a&gt; the same to law enforcement agencies on request under &lt;a href="http://www.cca.ap.nic.in/i_agreement.pdf" target="_blank"&gt;provisions&lt;/a&gt; in the Unified Access Service and Internet Service Provider Licenses. 
&lt;br /&gt;&lt;br /&gt;At the same time, the Government of India is in the process of putting in place a &lt;a href="http://en.wikipedia.org/wiki/Central_Monitoring_System" target="_blank"&gt;Central Monitoring System&lt;/a&gt; that would provide Indian security agencies the ability to directly intercept communications, bypassing the service provider.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Even if the Central Monitoring System were to adhere to the legal  safeguards and procedures defined under the Indian Telegraph Act and  Information Technology Act, the system can only do so partially, as both  provisions create a clear chain of custody that the government and  service providers must follow – that is, the service provider was  included as an integral component of the interception process.&lt;br /&gt;&lt;br /&gt;If  the Indian government implements the Central Monitoring System, it  could remove governmental surveillance completely from the public eye.  Bypassing the service provider allows the government to fully determine  how much the public knows about surveillance. It also removes the market  and any pressure that consumers could exert from insight provided by  companies on the surveillance requests that they are facing.&lt;br /&gt;&lt;br /&gt;Though  the Indian government could (and should) be transparent about the  amount and type of surveillance it is undertaking, currently there is no  legal requirement for the government of India to disclose this  information, and security agencies are exempt from the Right to  Information Act. Thus, unless India has a Snowden somewhere in the  apparatus, the Indian public cannot hope to get an idea of how prevalent  or extensive Indian surveillance really is.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Policy vacuum&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;For any government, the surveillance of its citizens, to some degree, might be necessary. But the Snowden revelations demonstrate that there is a vacuum when it comes to surveillance policy and practices. This vacuum has permitted draconian measures of surveillance to take place and created an environment of mistrust between citizens and governments across the globe.&lt;br /&gt;&lt;br /&gt;When governments undertake surveillance, it is critical that the purpose, necessity and legality of monitoring, and the use of the material collected are built into the regime to ensure it does not violate the human rights of the people surveilled, foreign or domestic.&lt;br /&gt;&lt;br /&gt;In 2013, the &lt;a href="https://en.necessaryandproportionate.org/text" target="_blank"&gt;International Principles on the Application of Human Rights to Communications Surveillance&lt;/a&gt; were drafted, in part, to address this vacuum. The principles seek to explain how international human rights law applies to surveillance of communications in the current digital and technological environment. They define safeguards to ensure that human rights are protected and upheld when governments undertake surveillance of communications.&lt;br /&gt;&lt;br /&gt;When the Indian surveillance regime is measured against these principles, it appears to miss a number of them, and does not fully meet several others. In the context of surveillance projects like the Central Monitoring System, and in order to avoid an Indian version of the PRISM program, India should take into consideration the safeguards defined in the principles and strengthen its surveillance regime to ensure not only the protection of human rights in the context of surveillance, but to also establish trust in its surveillance regime and practices with other countries.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;&lt;i&gt;Elonnai Hickok is the Program Manager for Internet Governance at the  Centre for Internet and Society, and leads its research on privacy.&lt;/i&gt;&lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2013-10-25T07:29:57Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/uid-and-npr-a-background-note">
    <title>Unique Identification Scheme (UID) &amp; National Population Register (NPR), and Governance</title>
    <link>https://cis-india.org/internet-governance/blog/uid-and-npr-a-background-note</link>
    <description>
        &lt;b&gt;This post examines the UID, NPR and Governance as it exists in India. The background note gives a summary of what the NPR is, the legal grounding of the NPR, its objectives, and the information which could be collected under the NPR. The post also throws light on the UID, its objectives, the process of enrollment in the UID, how the UID is being adopted by different states in India, and finally the differences and controversies in UID and NPR.&lt;/b&gt;
        &lt;p&gt;&lt;i&gt;This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC&lt;/i&gt;.&lt;/p&gt;
&lt;hr /&gt;
&lt;h2 style="text-align: justify; "&gt;Video&lt;/h2&gt;
&lt;p&gt;&lt;iframe frameborder="0" height="315" src="http://www.youtube.com/embed/P1CdCkdKtcU" width="315"&gt;&lt;/iframe&gt;&lt;/p&gt;
&lt;p&gt;&lt;i&gt;The above video is from the "UID, NPR, and Governance" conference held on March 2, 2013 at TERI, Bangalore&lt;/i&gt;.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;What is the NPR?&lt;br /&gt;&lt;/b&gt;In 2010, the Government of India initiated the NPR, which entails the creation of the National Citizens Register. This register is being prepared at the local, sub-district, district, state and national level. The database will contain thirteen categories of demographic information and three categories of biometric data collected from all residents aged five and above. Collection of this information was initially supposed to take place during the House listing and Housing Census phase of Census 2011, from April 2010 to September 2010.&lt;a href="#fn1" name="fr1"&gt;[1]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;What is the legal grounding of the NPR? &lt;/b&gt;&lt;br /&gt;The NPR is legally grounded in the provisions of the Citizenship Act, 1955 and the Citizenship Rules 2003. It is &lt;i&gt;mandatory &lt;/i&gt;for every usual resident in India to register in the NPR as per Section 14A of the Citizenship Act, 1955, as amended in 2004. The collection of biometrics is not accounted for in the statute or rules.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;What are the objectives of the NPR? &lt;/b&gt;&lt;br /&gt;The objective of the NPR, as stated by the Citizenship Act, is the creation of a National Citizen Register. The National Citizen Register is intended to assist in improving security by checking for illegal migration. Additional objectives that have been articulated include: providing services to the residents under government schemes and programmes, checking for identity frauds, and improving planning.&lt;a href="#fn2" name="fr2"&gt;[2]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;What is the process of enrollment for the NPR?&lt;/b&gt;&lt;br /&gt;NPR enrollment is being carried out through house to house canvassing. The Office of the Registrar General and Census Commissioner, India has assigned the Department of Information Technology (DIT) the responsibility of collecting and digitizing demographic data in 17 states and 2 Union Territories of India.&lt;a href="#fn2" name="fr2"&gt;[2]&lt;/a&gt; Collected information will then be printed and &lt;i&gt;displayed in the local area &lt;/i&gt;where it is scrutinized by local officers and vetted by local bodies called ‘Gram Sabha/Ward Committees’.&lt;a href="#fn4" name="fr4"&gt;[4]&lt;/a&gt; This process of social audit is meant to bring in transparency and equity, and to ensure accuracy.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;What information will be collected under the NPR?&lt;/b&gt;&lt;br /&gt;The NPR database will include thirteen categories of demographic information and three categories of biometrics. The collection of biometrics has not been provided for in the text of the Citizenship Rules, and instead appears to be authorized through guidelines,&lt;a href="#fn5" name="fr5"&gt;[5]&lt;/a&gt; which do not have statutory backing. Currently, two iris scans, ten fingerprints, and a photograph are being collected. According to a 2010 Committee note, only the photograph and fingerprints were initially envisioned to be collected.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;What is the Resident Identity Card? &lt;/b&gt;&lt;br /&gt;The proposed Resident Identity card is a smart card with a micro-processor chip of 6.4 Kb capacity; the demographic and biometric attributes of each individual will be personalized in this chip. The UID number will be placed on the card as well. Currently, the government is only considering the possibility of distributing smart cards to all residents over the age of 18.&lt;a href="#fn6" name="fr6"&gt;[6]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;What is the UID?&lt;br /&gt;&lt;/b&gt;The Unique Identification Authority of India (UIDAI) was established in January 2009 and is part of the Planning Commission of India. UIDAI aims to provide a unique 12 digit ID number to all residents in India on a voluntary basis. The number will be known as AADHAAR. The UIDAI will own and operate a Unique Identification Number database which will contain biometric and demographic data of citizens.&lt;a href="#fn7" name="fr7"&gt;[7]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;What is the objective of the UID?&lt;br /&gt;&lt;/b&gt;According to the UIDAI, the UID will provide identity for individuals. The scheme has been promoted by the UIDAI as enabling a number of social benefits including improving the public distribution system, enabling financial inclusion, and improving the Mahatma Gandhi National Rural Employment Guarantee Scheme (NREGS).  Despite these benefits, the UIDAI only guarantees identity, and does not guarantee rights, benefits or entitlement.&lt;a href="#fn8" name="fr8"&gt;[8]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;What is the process for enrollment in the UID?&lt;/b&gt;&lt;br /&gt;To enroll in the UID, individuals must go to enrollment centers with the appropriate documentation. Once documents are verified and biometrics taken, individuals will receive an acknowledgment slip and their UID number will be sent in the mail.&lt;a href="#fn9" name="fr9"&gt;[9]&lt;/a&gt; The UIDAI will enroll up to 600 million residents in 16 States and territories.&lt;a href="#fn10" name="fr10"&gt;[10]&lt;/a&gt; Online registration prior to enrollment at a Center is also now being offered.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;How is UID being adopted by different States? &lt;/b&gt;&lt;br /&gt;The adoption of the UID by different states and platforms has been controversial as the UID is not a mandatory number, yet with states and services adopting the number for different governmental services, the UID is becoming mandatory by default.  Some ways in which states are using the UID include:&lt;/p&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;Gas and vehicles&lt;/i&gt;: The UPA Government has required that citizens have a UID number for services such as purchasing cooking gas, issuing an RTI request, and registering vehicles.&lt;a href="#fn11" name="fr11"&gt;[11]&lt;/a&gt;&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;Education&lt;/i&gt;: The Kerala government has required that all students must have a UID number in order to be tracked through the system.&lt;a href="#fn12" name="fr12"&gt;[12] &lt;/a&gt;This mandate was questioned by the National Commission for Protection of Child Rights.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;First Information Reports (FIRs)&lt;/i&gt;: The high court in Bombay has ordered the state home department to direct all police stations in Maharashtra to record the Unique Identification (UID) numbers of accused individuals and witnesses filing an FIR.&lt;a href="#fn13" name="fr13"&gt;[13]&lt;/a&gt; &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;Banks&lt;/i&gt;: The National Payment Corporation of India has collaborated with UIDAI and is issuing ‘RuPay cards’ (Dhan Aadhaar cards) which will serve as ATM/micro-ATM cards. In 2011 the Bank of India had issued 250 cards.&lt;a href="#fn14" name="fr14"&gt;[14]&lt;/a&gt;&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;Railway&lt;/i&gt;: Railways are proposing to use the UID database for bookings and validation of passengers.&lt;a href="#fn15" name="fr15"&gt;[15]&lt;/a&gt;&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;Social Security&lt;/i&gt;: Commencing January 1, 2013, MGNREGA, the Rajiv Gandhi Awas Yojana (RGAY), the Ashraya housing scheme, Bhagyalakshmi and the social security and pension scheme have included the UID in the Mysore district.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;Has there been duplication of UID numbers?&lt;/b&gt;&lt;br /&gt;According to news reports:&lt;/p&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;The UIDAI has blacklisted an operator and a supervisor in Andhra Pradesh for issuing fake UID numbers.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;The UIDAI is looking into six complaints regarding the misuse of personal data while issuing the UID numbers to individuals.&lt;/li&gt;
&lt;li&gt;The UIDAI has received two complaints regarding duplication of UID numbers.&lt;a href="#fn17" name="fr17"&gt;[17]&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;What are the differences between the UID and NPR?&lt;br /&gt;&lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;Voluntary vs. Mandatory:&lt;/i&gt; It is compulsory for &lt;i&gt;all &lt;/i&gt;Indian residents to register with the NPR, while registration with the UIDAI is considered voluntary. However, the NPR will store each individual’s UID number with the NPR data and place it on the Resident Indian Card. In this way and others, the UID number is becoming compulsory by various means. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;Number vs. Register:&lt;/i&gt; UID will issue a number, while the NPR is the prelude to the National Citizens Register. Thus, it is only a Register. Though earlier the MNIC card was implemented along the coastal area, there has been no proposal to extend the MNIC to the whole country. The smart card that is proposed under the NPR has only been raised for discussion, and there has been no official decision to issue a card.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;Statute vs. Bill:&lt;/i&gt; The enrollment of individuals for the NPR is legally backed by the Citizenship Act, except in relation to the collection of biometrics, while the UID has proposed a bill, which has not been passed, for the legal backing of the scheme. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;Authentication vs. Identification:&lt;/i&gt; The UID number will serve as an authenticator during transactions. It can be adopted and made mandatory by any platform. The National Resident Card will signify resident status and citizenship. It is unclear in what circumstances the card will be required for use. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;UIDAI vs. RGI:&lt;/i&gt; The UIDAI is responsible for enrolling individuals in the UID scheme, and the RGI is responsible for enrolling individuals in the NPR scheme. It is important to note that the UIDAI is located in the Planning Commission, but its status is unclear, as the NIC had indicated that the data held is not being held by the government. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;Door to door canvassing vs. center enrollment&lt;/i&gt;: Individuals will have to go to an enrollment center and register for the UID, while the NPR will carry out part of the enrollment of individuals through door to door canvassing. Note: Individuals will still have to go to centers for enrolling their biometrics for the NPR scheme. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;Prior documentation vs. census material:&lt;/i&gt; The UID will be based on prior forms of documentation and identification, while the NPR will be based on census information.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;Online vs. Offline:&lt;/i&gt; For authentication of an individual’s UID number, the UID will require mobile connectivity, while the NPR can perform offline verification of an individual’s card. &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;What is the controversy between the UID and NPR? &lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;Effectiveness:&lt;/i&gt; There is controversy over which scheme would be more effective and appropriate for different purposes. For example, the Ministry of Home Affairs has argued that the NPR would be more suited for distributing subsidies than the UID, as the NPR has data linking each individual to a household.&lt;a href="#fn18" name="fr18"&gt;[18]&lt;/a&gt;&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;Legality of sharing data&lt;/i&gt;: The legality of both the UID and the NPR collecting data and biometrics has been questioned. For example, it has been pointed out that the collection of biometric information through the NPR is beyond the scope of subordinate legislation, especially as this appears to be left only to guidelines.&lt;a href="#fn19" name="fr19"&gt;[19]&lt;/a&gt; Collection of any information under the UID scheme is being questioned as the Bill has not been approved by the Parliament.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;Accuracy&lt;/i&gt;: The UIDAI's use of multiple registrars and enrolment agencies, the reliance on 'secondary information' via existing ID documents for enrollment in the UID, and the original plan to enroll individuals via the 'introducer' system have raised concerns, voiced by Home Minister Chidambaram in January 2012, about how accurate the data collected by the UID is.&lt;a href="#fn20" name="fr20"&gt;[20]&lt;/a&gt; To this extent, the UIDAI has changed the introducer system to a ‘verifier’ system. In this system, Government officials verify individuals and their documents prior to enrolling them.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;Biometrics&lt;/i&gt;: Though biometrics are mandatory for the UID scheme, according to information on the NPR website, if an individual has already enrolled with the UID, they will not need to provide their biometrics again for the NPR. Application of this standard has been haphazard as some individuals have been required to provide biometrics for both the UID and the NPR, and others have not been required to provide biometrics for the NPR.&lt;a href="#fn21" name="fr21"&gt;[21]&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;What court cases have been filed against the UID?&lt;br /&gt;&lt;/b&gt;The following cases are currently filed in courts around the country:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;i&gt;Supreme Court:&lt;/i&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="padding-left: 30px; text-align: justify; "&gt;K S Puttaswamy, a retired judge of Karnataka High Court filed a Public Interest Litigation (PIL) in the Supreme  Court challenging the legality of UIDAI.&lt;a href="#fn22" name="fr22"&gt;[22]&lt;/a&gt;&lt;/p&gt;
&lt;ul style="text-align: justify; "&gt;
&lt;li&gt;&lt;i&gt;Chandigarh&lt;/i&gt;: A petition was filed in Chandigarh by Sanjeev Pandey which sought to quash an executive order passed in violation of the Motor Vehicles Act, 1988, and Central Motor Vehicle Rules, 1989, by which UID cards had been made mandatory for registration of vehicles and grant of learner/regular driving license.&lt;a href="#fn23" name="fr23"&gt;[23]&lt;/a&gt;&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;span&gt;&lt;i&gt;Karnataka:&lt;/i&gt;&lt;/span&gt; &lt;span&gt;Mathew Thomas and Mr. VK Somasekhar have filed a civil suit in the Bangalore City Civil Courts (numbered 8181 of 2012) asking for the UID project to be stopped. The suit was dismissed, and they have appealed the case to the High Court (numbered 1780 and 1825 of 2013).&lt;/span&gt;&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;Chennai&lt;/i&gt;: A PIL has been filed in the Madras High Court challenging the constitutional validity of the UIDAI and its issue of UID numbers.&lt;a href="#fn24" name="fr24"&gt;[24]&lt;/a&gt;&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;Bombay&lt;/i&gt;: In January 2012 a case was filed in the Mumbai High Court. The petitioners to the case are R. Ramkumar, G. Nagarjuna, Kamayani Mahabal, Yogesh Pawar and Vickram Crishna &amp;amp; Ors.&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;What is the relationship between UID, NPR, and National Security?&lt;br /&gt;&lt;/b&gt;The UID and the NPR have both stated improving security as an objective for the projects. To this extent, it is envisioned that the UID and the NPR could be used to track and identify individuals, and determine if they are residents of India. In the case of the NPR, a distinction will be made between residents and citizens. Yet, concerns have also been raised that these projects instead raise national security threats, given the size of the databases that will be created, the centralized nature of the databases, the sensitive nature of the information held in the databases, and the involvement of international agencies.&lt;a href="#fn25" name="fr25"&gt;[25]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;What is the relationship between UID and Big Data?&lt;br /&gt;&lt;/b&gt;Aspects of the UID scheme allow it to generate a large amount of data from a variety of sources. Namely, the UID scheme aims to capture 12 billion fingerprints, 1.2 billion photographs and 2.4 billion iris scans and can be adopted by any platform. This data in turn can be stored, analyzed, and used for a number of purposes by a number of stakeholders in both the government and the private sectors. This is already happening to a certain extent as in November 2012 the UID  established a Public Data Portal for the UID project. According to UIDAI officials the data portal will allow for big data analysis using crowd sourcing models.&lt;a href="#fn26" name="fr26"&gt;[26]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;How is UID being used for BPL direct cash transfers?&lt;br /&gt;&lt;/b&gt;Registration with the UID scheme is considered essential to determine whether beneficiaries belong in the BPL category and to provide transparency to the distribution of cash. In this way, the UID requirement is thought to prevent the leakage of social security benefits and subsidies to non-intended beneficiaries, as cash will only be made available to the person identified by the UID as the intended recipient. One of the main prerequisites of a below poverty line (BPL) direct cash transfer in India has become the registration with the UIDAI and the acquisition of a UID number. For example:&lt;/p&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;The "Cash for Food" programme requires that individuals applying for aid have a bank account, and a UID number. The money is transferred, electronically and automatically, to the bank account and the beneficiary should be able to withdraw it from a micro-ATM using the UID number.&lt;a href="#fn27" name="fr27"&gt;[27]&lt;/a&gt; It is important to note that micro-ATMs are not actual ATMs, but instead are handheld machines which may give information on bank balance and such, but will not dispense or maintain privacy of transaction. Most importantly, the transaction is mediated through a banking correspondent.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;The government plans to cover the target BPL families and deposit USD 570 billion per year in the bank accounts of 100 million poor families by 2014.&lt;a href="#fn28" name="fr28"&gt;[28]&lt;/a&gt;&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Currently, only beneficiaries of thirteen government schemes and LPG connection holders have been identified as being entitled to register for a UID number.&lt;a href="#fn29" name="fr29"&gt;[29]&lt;/a&gt; Though these schemes have been identified, as of yet, adoption has happened in very few districts. &lt;/li&gt;
&lt;/ul&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;What are the concerns regarding the use of biometrics in the UID and NPR scheme? &lt;br /&gt;&lt;/b&gt;Both the UID and the NPR rely on biometrics as a way to identify individuals. Yet, many concerns have been raised about the use of biometrics in terms of legality, effectiveness, and accuracy of the technology. With regard to the accuracy and effectiveness of biometrics, the following concerns have been raised:&lt;/p&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;Biometrics are not infallible:&lt;/i&gt; Inaccuracies can arise from variations in individuals' attributes and inaccuracies in the technology. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;Environment matters&lt;/i&gt;: An individual’s biometrics can change in response to a number of factors including age, environment, stress, activity, and illness.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;Population size matters&lt;/i&gt;: Because biometrics have differing levels of stability, the larger the population, the higher the possibility for error. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;Technology matters:&lt;/i&gt; The accuracy of a biometric match also depends on the accuracy of the technology used. Many aspects of biometric technology can change including: calibration, sensors, and algorithms.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;i&gt;Spoofing:&lt;/i&gt; It is possible to spoof a fingerprint and fool a biometric reader.&lt;a href="#fn30" name="fr30"&gt;[30]&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr1" name="fn1"&gt;1&lt;/a&gt;]. Government of India. Ministry of Home Affairs. Office of the Registrar General &amp;amp; Census Commissioner.  &lt;a class="external-link" href="http://bit.ly/IiySDh"&gt;http://bit.ly/IiySDh&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr2" name="fn2"&gt;2&lt;/a&gt;]. This is according to a 2010 Cabinet note and the official website of the NPR.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr3" name="fn3"&gt;3&lt;/a&gt;]. Department of Information Technology: http://ditnpr.nic.in/frmStatelist.aspx - These include:  (1) Arunachal Pradesh (2) Assam (3) Bihar (4) Chhattisgarh (5) Haryana (6) Himachal Pradesh (7)Jammu &amp;amp; Kashmir (8) Jharkhand (9) Madhya Pradesh (10)Meghalaya (11)Mizoram (12)Punjab (13)Rajasthan (14)Sikkim (15)Tripura (16)Uttar Pradesh (17)Uttarakhand  Union Territories:-(1) Dadra &amp;amp; Nagar Haveli (2) Chandigarh.&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr4" name="fn4"&gt;4&lt;/a&gt;]. Government of India. Ministry of Home Affairs. Office of the Registrar General &amp;amp; Census Commissioner: &lt;a class="external-link" href="http://bit.ly/IiySDh"&gt;http://bit.ly/IiySDh&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr5" name="fn5"&gt;5&lt;/a&gt;]. Department of Information Technology. National Population Register.  Question  22. What are the procedures to be followed for creating the NPR? The procedures to be followed for creating the NPR have been laid down in the Citizenship (Registration of Citizens and issue of National Identity Cards) Rules, 2003, and the guidelines being issued from time to time.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr6" name="fn6"&gt;6&lt;/a&gt;]. Government of India. Ministry of Home Affairs. Office of the Registrar General &amp;amp; Census Commissioner: http://censusindia.gov.in/2011-Common/IntroductionToNpr.html. The Unique Identification Authority of India. &lt;a class="external-link" href="http://uidai.gov.in/"&gt;http://uidai.gov.in/&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr7" name="fn7"&gt;7&lt;/a&gt;]. Unique Identification Authority of India. &lt;a class="external-link" href="http://uidai.gov.in/"&gt;http://uidai.gov.in/&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr8" name="fn8"&gt;8&lt;/a&gt;]. The point was made by R. Ramachandran. How reliable is UID? Frontline. Volume 28- Issue 24: November 19- December 02, 2011. Available at:&lt;a class="external-link" href="http://bit.ly/13UMiSv"&gt; http://bit.ly/13UMiSv&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr9" name="fn9"&gt;9&lt;/a&gt;]. For more information see: How to get an Aadhaar. &lt;a class="external-link" href="http://bit.ly/R2jBOP"&gt;http://bit.ly/R2jBOP&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr10" name="fn10"&gt;10&lt;/a&gt;]. Mazumdar. R. UIDAI targets 400 million enrolments by mid 2013, Aadhar hopes to give unique identity to some 1.2 bn residents. Economic Times. December 2012. Available at: &lt;a class="external-link" href="http://bit.ly/ZC3Yv"&gt;http://bit.ly/ZC3Yv&lt;/a&gt;e. Last accessed: February 28th 2013.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr11" name="fn11"&gt;11&lt;/a&gt;]. Malu. B. The Aadhaar Card – What are the real intentions of the UPA Government? DNA. February 18&lt;sup&gt;th&lt;/sup&gt; 2013. Available at: &lt;a class="external-link" href="http://bit.ly/150BXRj"&gt;http://bit.ly/150BXRj&lt;/a&gt;. Last accessed: February 28th 2013.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr12" name="fn12"&gt;12&lt;/a&gt;]. Government of Kerala. General Education Department Circular No. 52957/G2?2012/G.Edn. Available at: &lt;a class="external-link" href="http://bit.ly/15Oiq8J"&gt;http://bit.ly/15Oiq8J&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr13" name="fn13"&gt;13&lt;/a&gt;]. Plumber, M. Make UID numbers must in FIRs: Bombay HC. DNA. October 2011. Available at: &lt;a class="external-link" href="http://bit.ly/tVsInl"&gt;http://bit.ly/tVsInl&lt;/a&gt;. Last accessed: February 28th 2013.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr14" name="fn14"&gt;14&lt;/a&gt;]. Press Information Bureau. Government of India. Identity Card to Every Adult Resident of the Country under NPR; No Card being issued by UIDAI. December 2011. Available at: &lt;a class="external-link" href="http://bit.ly/tJwZG1"&gt;http://bit.ly/tJwZG1&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr15" name="fn15"&gt;15&lt;/a&gt;]. TravelBiz. Railways to use Aadhar database for passenger validation. February 2013. Available at: &lt;a class="external-link" href="http://bit.ly/YcW5wl"&gt;http://bit.ly/YcW5wl&lt;/a&gt;. Last accessed: February 28th 2013.&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr16" name="fn16"&gt;16&lt;/a&gt;]. Vombatkere. S.G. Questions for Mr. Nilekani. The Hindu. February 2013. Available at: &lt;a class="external-link" href="http://bit.ly/YqPlK1"&gt;http://bit.ly/YqPlK1&lt;/a&gt;. Last accessed: February 28th 2013.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr17" name="fn17"&gt;17&lt;/a&gt;]. Economic Times. UIDAI orders probe into duplication of Aadhaar numbers.&lt;a class="external-link" href="http://bit.ly/ZORowg"&gt; http://bit.ly/ZORowg&lt;/a&gt;. Last accessed: February 28th 2013.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr18" name="fn18"&gt;18&lt;/a&gt;]. Jain. B. Battle over turf muddies waters. Times of India. February 2013. Available at: &lt;a class="external-link" href="http://bit.ly/16ud3gm"&gt;http://bit.ly/16ud3gm&lt;/a&gt;. Last accessed: February 28th 2013&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr19" name="fn19"&gt;19&lt;/a&gt;]. Rediff. Aadhaar’s allocation is Parliament’s contempt. February 2013. Available at: &lt;a class="external-link" href="http://bit.ly/Y638JS"&gt;http://bit.ly/Y638JS&lt;/a&gt;. Last accessed: February 28th 2013.&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr20" name="fn20"&gt;20&lt;/a&gt;]. Ibid 17.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr21" name="fn21"&gt;21&lt;/a&gt;]. Times of India. Confused over Aadhaar, Cabinet clears GoM. February 2013. Available at &lt;a class="external-link" href="http://bit.ly/UTH2JS"&gt;http://bit.ly/UTH2JS&lt;/a&gt;. Last accessed: February 28th 2013.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr22" name="fn22"&gt;22&lt;/a&gt;]. Times of India. Supreme Court notice to govt on PIL over Aadhar. December 2012. Available at: &lt;a class="external-link" href="http://bit.ly/13UNs0i"&gt;http://bit.ly/13UNs0i&lt;/a&gt;. Last accessed: February 2013.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr23" name="fn23"&gt;23&lt;/a&gt;]. The Indian Express. HC issues notice to Centre, UT over mandatory UID for license. January 2013. Available at: &lt;a class="external-link" href="http://bit.ly/WJq43M"&gt;http://bit.ly/WJq43M&lt;/a&gt;. Last accessed: February 28th 2013.&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr24" name="fn24"&gt;24&lt;/a&gt;]. Economic Times. PIL seeks to scrap Nandan Nilekani’s Aadhar project. January 2012. Available at: &lt;a class="external-link" href="http://bit.ly/zB1H07"&gt;http://bit.ly/zB1H07&lt;/a&gt;. Last accessed: February 28th 2013.&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr25" name="fn25"&gt;25&lt;/a&gt;]. Times of India. UID poses national security threat: BJP. January 2012. Available at:&lt;a class="external-link" href="http://bit.ly/WeM6KA"&gt; http://bit.ly/WeM6KA&lt;/a&gt;. Last accessed: February 28th 2013.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr26" name="fn26"&gt;26&lt;/a&gt;]. Zeenews. UIDAI launches Public Data Portal for Aadhaar. November 8th 2012. Available at: &lt;a class="external-link" href="http://bit.ly/T9NdX3"&gt;http://bit.ly/T9NdX3&lt;/a&gt;. Last Accessed: November 12th 2012.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr27" name="fn27"&gt;27&lt;/a&gt;]. Punj, S. Wages of Haste: Implementing the cash transfer scheme is proving a challenge. January 2013. Available at: &lt;a class="external-link" href="http://bit.ly/1024Dwo"&gt;http://bit.ly/1024Dwo&lt;/a&gt;. Last accessed: February 28th 2013.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr28" name="fn28"&gt;28&lt;/a&gt;]. The International Business Times. India to Roll Out World’s Biggest Direct Cash Transfer Scheme for the Poor. November 2012. Available at: &lt;a class="external-link" href="http://bit.ly/UYbtw4"&gt;http://bit.ly/UYbtw4&lt;/a&gt;. Last accessed: February 28th 2013.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr29" name="fn29"&gt;29&lt;/a&gt;]. Mid Day. Do not register for Aadhaar card before March 15: UID in –charge. February 2013. Available at:  &lt;a class="external-link" href="http://bit.ly/Xymx9d."&gt;http://bit.ly/Xymx9d.&lt;/a&gt; Last accessed: February 28th 2013.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr30" name="fn30"&gt;30&lt;/a&gt;].   These points were raised in the following frontline article Ibid: Ramachandran, R. How reliable is UID? Frontline. Volume 28 – Issue 24 November 19th – December 2nd 2011. Available at: &lt;a class="external-link" href="http://bit.ly/13UMiSv"&gt;http://bit.ly/13UMiSv&lt;/a&gt;. Last accessed February  28th 2013.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/uid-and-npr-a-background-note'&gt;https://cis-india.org/internet-governance/blog/uid-and-npr-a-background-note&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Video</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2014-04-30T05:03:51Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/understanding-right-to-information">
    <title>Understanding the Right to Information</title>
    <link>https://cis-india.org/internet-governance/understanding-right-to-information</link>
    <description>
        &lt;b&gt;Elonnai Hickok summarises the Right to Information Act, 2005, how it works, how to file an RTI request, the information that an individual can request under the Act, the possible responses and the challenges to the citizen and the government. She concludes by saying that there are many structural changes that both citizens and governmental officers can make to improve the system.&lt;/b&gt;
        &lt;h2&gt;Introduction&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;The &lt;a class="external-link" href="http://righttoinformation.gov.in/webactrti.htm"&gt;Right to Information Act, 2005&lt;/a&gt; (RTI) was created in 2005 and marked an important time in Indian legislative history. The Right to Information enables citizens to hold the government accountable and ensure that it is a transparent body. Questions that a citizen can ask the government range from matters concerning meeting notes to why a teacher is not present in a public school. In the current RTI system there are many challenges that are inhibiting the government’s efficient delivery of the RTI as a service to the people. This has changed how citizens view the RTI, as the government feels harassed and the citizens feel as though their rights are being unjustly denied. Additionally, individuals have turned the RTI into a redressal mechanism rather than a way to ensure transparency and learn/understand how their government is functioning. The use of the RTI as a redressal mechanism has created a relationship of animosity between the government and citizens. The note below outlines the ecosystem of the RTI and notes specific challenges that both citizens and the government face.[&lt;a href="#1"&gt;1&lt;/a&gt;]&lt;/p&gt;
&lt;h2&gt;The RTI Ecosystem&lt;/h2&gt;
&lt;h3&gt;RTI work flow&lt;/h3&gt;
&lt;div&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;An individual files an RTI with the central/ state public information officer (PIO) or a specific PIO. PIOs are often not trained, and rarely apply for the position, but are instead designated.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Within five days the information is to be forwarded to the correct PIO.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;The PIO must open a file and dispose of the request within 30 days. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;If the PIO fails to reply to the applicant by either approving or denying a request, the PIO is liable to pay a fine of Rs. 250 for each day of delay. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;If information is electronically uploaded, it is stored in any format the officer chooses (jpeg, pdf, html, etc).&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Except for land records and staff records, files are retained for a maximum of one year. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;If the PIO does not dispose of the request, there is scope for an appeal within 30-45 days to the appellate authority.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;There is scope for a second appeal to the information commissioner if the authority does not respond within 90 days or the answer is found to be unsatisfactory. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;The final decision of the information commissioner is binding. &lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;h3&gt;&lt;span class="Apple-style-span"&gt;Filing an RTI request&lt;/span&gt;&lt;/h3&gt;
&lt;div style="text-align: justify; "&gt;Though there is no specific format an individual must follow when submitting an RTI, when filing a request, individuals must include:&lt;/div&gt;
&lt;div&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;His/her name and address.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;The name and address of the public information officer (PIO).&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;The particulars of information/documents required (limited to 150 words and one subject matter).&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;The time period of the information required.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Proof of payment.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Signature.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Proof if the individual is a BPL holder.[&lt;a href="#2"&gt;2&lt;/a&gt;] &lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;h3&gt;Information that an individual can request under the RTI Act&lt;/h3&gt;
&lt;div&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;Inspection of work, documents, and records&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Taking notes, extracts or certified copies of documents or records.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Taking certified samples of material.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Obtaining of information in the form of diskettes, floppies, tapes, and video cassettes, or in any other electronic mode, or through printouts where such information is stored in a computer, or in any other device.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Obtaining the status of an RTI request or complaint.&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;div style="text-align: justify; "&gt;Note: If an individual is requesting third party information, the PIO must inform the third party and provide the individual the opportunity to state a reason for not disclosing the information.&lt;/div&gt;
&lt;div&gt;
&lt;h3&gt;Accepted format of requested materials and records&lt;/h3&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;Material requested can be in any format including: records, documents, memos, emails, opinions, advices, press releases, circulars, orders, logbooks, contracts, reports, papers, samples, models, and data material held in any electronic form.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Records requested can include: any document, manuscript and file, any microfilm, microfiche and facsimile copy of a document, and reproduction of image or images embodied in such microfilm (whether enlarged or not), and any other material produced by a computer or any other device.&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;h3&gt;&lt;span class="Apple-style-span"&gt;Possible Responses to an RTI request&lt;/span&gt;&lt;/h3&gt;
&lt;div&gt;
&lt;div&gt;&lt;b&gt;An information officer can respond to an RTI in the following ways&lt;/b&gt;:&lt;/div&gt;
&lt;div&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;Transfer request to appropriate PIO within five days and notify the applicant about the transfer.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Provide the requested information within 30 days.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Reject the request for information within 30 days, stating the reasons for rejection, the period within which an appeal against such rejection may be preferred, and the details of the appellate authority.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Not respond to the applicant. If no response is received within 30 days the officer is liable for a penalty of Rs. 250 per day.&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;h3&gt;&lt;span class="Apple-style-span"&gt;Appeal/Complaint Process&lt;/span&gt;&lt;/h3&gt;
&lt;div&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;First appeal can be filed after 30 days or if the information given was unsatisfactory. The appeal must include: name and address of the appellant, name and address of the PIO involved, brief facts leading to appeal, relief sought, grounds for appeal, and copies of the application or documents involved, including copies of the reply, if received from the PIO.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Second appeal must contain: name and address of the applicant, and name and address of the PIO involved, particulars of the Order including the number if any against which the appeal is preferred, brief facts leading to the appeal, if appeal/complaint is preferred against deemed refusal then the particulars of the application, including number and date and name, address of the PIO to whom the  application was originally made, relief sought, grounds for the relief, verification by the applicant, any other information which the commission may deem necessary for deciding during the appeal, self attested copies of the application or documents involved, copies of the documents relied upon by the appellant and referred to in the appeal, and an index of the documents referred to in the appeal.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;A complaint must include: name and address of the complainant, name and address of the state PIO against whom the complaint is being made, facts leading to the complaint, particulars of the application [number, date, name and address of the PIO (three copies)], relief sought, grounds and proof for relief, verification of the complainant (three copies), index of documents referred to in the complaint, and any other necessary information.[&lt;a href="#3"&gt;3&lt;/a&gt;]&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;h2&gt;Challenges to the Citizen&lt;/h2&gt;
&lt;h3&gt;Knowing the correct Public Information Officer&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Knowing which public information officer to mail the RTI request to is the first difficulty that an individual faces. As noted above, in 2008 there were a total of 73,256 recorded public information commissioners in the State of Karnataka. New public information commissioners are created every day, because the RTI extends not only to any department of the government, but to any sub-contracted company, organization, school, or NGO that is receiving government funding and doing work on behalf of the government directly or indirectly. Lists of PIOs can be found on department bulletin boards and websites, but there is no clear method for an individual to know which information each PIO is the custodian of. Thus, individuals are left to determine this on their own, and rely on the PIO to forward their application to the correct individual.&lt;/p&gt;
&lt;/div&gt;
&lt;h3&gt;Filing in the correct format&lt;/h3&gt;
&lt;div&gt;
&lt;p style="text-align: justify; "&gt;Though it is stated in the law what language an RTI request will be accepted in, and what information should be included – individuals are often unaware of the guidelines and unaware of how to correctly fill out an RTI request. An incorrectly formatted request is one of the major reasons for rejection of a request by the PIO.&lt;/p&gt;
&lt;/div&gt;
&lt;h3&gt;Language&lt;/h3&gt;
&lt;div&gt;
&lt;p style="text-align: justify; "&gt;In the State of Karnataka, RTIs can be filed only in two languages: Kannada and English. By law, RTI responses are given only in the language that the department works in on a daily basis, and in English. The information that is supplied through the request is given in its original language. For example, if you ask for a document that is originally in Marathi, the document will be photo copied and sent to you. No translation of documents takes place, because it is not the job function of the officer to translate documents.&lt;/p&gt;
&lt;/div&gt;
&lt;h3&gt;Appeals&lt;/h3&gt;
&lt;div&gt;
&lt;p style="text-align: justify; "&gt;If an individual is denied information, or does not receive a reply within 30 days, they have the option of seeking an appeal through an appellate authority. In 2008 Karnataka had 5416 Appellate Authorities. Currently, because of the backlog in appeal cases and the slow functioning of the system, an individual might have to wait for up to one year for his/her appeal to be heard. Often at this point the information is no longer relevant or needed.&lt;/p&gt;
&lt;/div&gt;
&lt;h3&gt;Privacy&lt;/h3&gt;
&lt;div&gt;
&lt;p style="text-align: justify; "&gt;In some cases individuals are denied a request for information based on the grounds that it would invade the privacy of the public officer. This is sometimes the case and sometimes not the case. Finding the right balance between the right to information and privacy is important, as protecting an individual’s privacy is crucial, but privacy should not be used as a reason for the government to be less transparent to the citizen and be used as a way to deny a citizen the information that they are entitled to.[&lt;a href="#4"&gt;4&lt;/a&gt;]&lt;/p&gt;
&lt;/div&gt;
&lt;h2&gt;Challenges in the RTI System for the Government&lt;/h2&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;&lt;b&gt;Too many RTI requests and no system to record duplicates&lt;/b&gt;: As the figure shows above, in 2008, the Karnataka Government received 42208 RTI requests. Currently, it is not possible to know how many of these requests were duplicates since departments handling RTIs do not make it a practice to upload and organize filed RTI requests in a format easily accessible to citizens. Thus, there is no present system in place to track, upload, and store past RTIs in a meaningful way.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;b&gt;Additional overhead in recording, organizing, accessing, and storing data&lt;/b&gt;: In the current system every time an RTI request is received by the government, they open a new file for that request. Though in some ways this system of storage simplifies the process of finding past RTIs, it adds an additional overhead cost as photocopies must be made, new files created, and correctly added to the organized system. Each state follows its own method of recording, organizing, accessing, and storing data – thus, currently it is not possible to easily access the information from another state or combine information from two separate states.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;b&gt;Lack of compliance with section 4(d) pro-active disclosure&lt;/b&gt;: Under section 4 (d), the government is required to pro-actively disclose a pre-determined data to the public via websites and other useful modes. Currently there is very little compliance with section 4(d) from governmental departments. There are many factors that contribute to the low rate of compliance that exist including lack of resources and lack of proper enforcement. If governmental departments were to comply with section 4(d) then the load of RTI requests and the time each request must take to answer could be lightened considerably as the government could respond by pointing citizens to the already disclosed information. &lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;div style="text-align: justify; "&gt;Though the Right to Information is an important right, the above entry looks at some of the weaknesses and challenges in the system. There are many structural changes that both citizens and governmental officers can make to improve the system such as pro-actively disclosing information, ensuring that an RTI is filed correctly, and creating a system for organizing previously asked questions. Alongside of these structural changes it is also critical that a positive culture of transparency and accountability is fostered throughout society, thus encouraging citizens to actively engage with the government and exercise their right to information.&lt;/div&gt;
&lt;div style="text-align: justify; "&gt;&lt;/div&gt;
&lt;hr /&gt;
&lt;p&gt;&lt;b&gt;Notes&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr1" name="fn1"&gt;1&lt;/a&gt;].I am grateful to N. Vikram Simha, RTI activist, for his insight and feedback into the RTI system.&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr2" name="fn2"&gt;2&lt;/a&gt;].N. Vikram Simha, Right to Information Act of 2005: Guide for Citizens.&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr3" name="fn3"&gt;3&lt;/a&gt;].N. Vikram Simha, Right to Information: Trend Ahead. Karanataka State Chartered Accountants Association, Bangalore&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr4" name="fn4"&gt;4&lt;/a&gt;].N. Vikram Simha, RTI and Protection of Individual Privacy&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/understanding-right-to-information'&gt;https://cis-india.org/internet-governance/understanding-right-to-information&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2013-06-12T11:39:05Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/uid-practices-and-it-act-sec-43-a-and-subsequent-rules">
    <title>UIDAI Practices and the Information Technology Act, Section 43A and Subsequent Rules</title>
    <link>https://cis-india.org/internet-governance/blog/uid-practices-and-it-act-sec-43-a-and-subsequent-rules</link>
    <description>
        &lt;b&gt;UIDAI practices and section 43A of the IT Act are analyzed in this post.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;In the 52&lt;sup&gt;nd&lt;/sup&gt; Report on Cyber Crime, Cyber Security, and the Right to Privacy – in evidence provided, the Department of Electronics and Information Technology stated &lt;i&gt;“...Section 43A and the rules published under that Section cover the entire privacy in case of digital data. These are being followed by UIDAI also and other organisations...”&lt;/i&gt; (pg.46) &lt;a href="#fn1" name="fr1"&gt;[1]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This blog post explains the requirements found under Section 43A of the Information Technology Act 2000 and the subsequent Information Technology “ Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011&lt;a href="#fn2" name="fr2"&gt;[2]&lt;/a&gt; and analyses publicly available documents from the UIDAI website&lt;a href="#fn3" name="fr3"&gt;[3]&lt;/a&gt; as well as the UIDAI enrolment form&lt;a href="#fn4" name="fr4"&gt;[4]&lt;/a&gt; to demonstrate the ways in which:&lt;/p&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;UIDAI practices &lt;b&gt;are &lt;/b&gt;in line with section 43A and the Rules, &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;UIDAI practices &lt;b&gt;are not&lt;/b&gt; in line with section 43A and the Rules, &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;UIDAI practices &lt;b&gt;are partially&lt;/b&gt; in with section 43A and the Rules &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;b&gt;Where more information&lt;/b&gt; is needed to draw a conclusion. &lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Applicability and Scope&lt;/h3&gt;
&lt;p&gt;Section 43A of the Information Technology Act 2008 and subsequent Rules apply only to Body Corporate and to digital information.&lt;/p&gt;
&lt;p&gt;Body Corporate under the Information Technology Act 2008 is defined as:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;i&gt; “Any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities” &lt;/i&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI Practices - not in line&lt;/b&gt;: The UIDAI is not a body corporate. The UIDAI is an attached office under the aegis of the Planning Commission that was set up by an executive order.&lt;a href="#fn5" name="fr5"&gt;[5]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The UIDAI collects, processes, stores, and shares both digital and non-digital information. As section 43A and subsequent Rules apply only to digital information, there is not sufficient protection provided over all the information collected, processed, stored, and used by the UIDAI.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Privacy Policy on Website&lt;/h3&gt;
&lt;p&gt;Rule 4 requires body corporate to provide a privacy policy on their website. The privacy policy must include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Clear and easily accessible statements of its practices and policies&lt;/li&gt;
&lt;li&gt;Type of personal or sensitive personal data or information collected&lt;/li&gt;
&lt;li&gt;Purpose of collection and usage of such information &lt;/li&gt;
&lt;li&gt;Disclosure of information including sensitive personal information &lt;/li&gt;
&lt;li&gt;Reasonable security practices and procedures as provided under rule 8&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;UIDAI Practices - Partially in Line&lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;Though the UIDAI has placed a privacy policy&lt;a href="#fn6" name="fr6"&gt;[6]&lt;/a&gt; on their website, the privacy policy only addresses the use of website and does not comprehensively provide clear and accessible statements about all of the UIDAI’s practices and policies.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;The UIDAI privacy policy does not state the specific types of personal or sensitive data that could be collected, but instead states &lt;i&gt;“As a general rule, this website does not collect Personal Information about you when you visit the site. You can generally visit the site without revealing Personal Information, unless you choose to provide such information.”&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Features on the UIDAI website that require individuals to provide personal information and sensitive personal information include: Booking an appointment, checking aadhaar status, enrolling for e-aadhaar, enrolling for aadhaar, updating aadhaar data. Types of information required for these services include: mobile number, name, address, gender, date of birth, and enrolment ID.&lt;a href="#fn7" name="fr7"&gt;[7]&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The privacy policy goes on to state: &lt;i&gt; “If you are asked for any other Personal Information you will be informed how it will be used if you choose to give it. If at any time you believe the principles referred to in this privacy statement have not been followed, or have any other comments on these principles, please notify the webmaster through the Contact Us page. Note: The use of the term "Personal Information" in this privacy statement refers to any information from which your identity is apparent or can be reasonably ascertained.”&lt;/i&gt;&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;The UIDAI privacy policy does explain the purpose for collection of information on the website and the use of collected information.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;The UIDAI privacy policy does not address the possibility of disclosure of information collected by the UIDAI from the use of its website, except in the case of when an individual provides his/her email at which point the privacy policy states&lt;i&gt; “Your e-mail address will not be used for any other purpose, and will not be disclosed without your consent.”&lt;/i&gt;&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;The UIDAI privacy policy does not provide information about the security practices adopted by the UIDAI. &lt;/li&gt;
&lt;/ul&gt;
&lt;h3 style="text-align: justify; "&gt;Consent&lt;i&gt; &lt;/i&gt;&lt;/h3&gt;
&lt;p&gt;Rule 5 requires that prior to the collection of sensitive personal data, the body corporate must obtain consent, either in writing or through fax regarding the purpose of usage before collection of such information.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI Practices - in Line&lt;/b&gt;&lt;br /&gt;The UIDAI collects written consent from individuals through the enrolment form  for the issuance of an Aadhaar number.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Collection Limitation&lt;/h3&gt;
&lt;p&gt;Rule 5 (2) requires that body corporate only collect sensitive personal data if it is connected to a lawful purpose and if it is considered necessary for that purpose.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI Practices - in Line&lt;/b&gt;&lt;br /&gt;The Aadhaar enrolment form requires only the necessary sensitive personal data for the issuance of an Aadhaar number. Individuals are given the option to provide banking and financial information.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Notice During Direct Collection&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Rule 5(3) requires that while collecting information directly from an individual the body corporate must provide the following information:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The fact that the information is being collected&lt;/li&gt;
&lt;li&gt;The purpose for which the information is being collected&lt;/li&gt;
&lt;li&gt;The intended recipients of the information &lt;/li&gt;
&lt;li&gt;The name and address of the agency that is collecting the information&lt;/li&gt;
&lt;li&gt;The name and address of the agency that will retain the information&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;UIDAI Practices - Partially in Line&lt;br /&gt;&lt;/b&gt;The Aadhaar enrolment form does not provide the following information:&lt;b&gt; &lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The intended recipients of the information&lt;/li&gt;
&lt;li&gt;The name and address of the agency collecting the information &lt;/li&gt;
&lt;li&gt;The name and address of the agency that will retain the information &lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Retention Limitation&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Rule 5(4) requires that body corporate must retain sensitive personal data only for as long as it takes to fulfil the stated purpose or otherwise required under law.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI Practices - Unclear&lt;/b&gt;&lt;br /&gt;It is unclear from publicly available information what the UIDAI retention practices are.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Use Limitation&lt;/h3&gt;
&lt;p&gt;Rule 5(5) requires that information must be used for the purpose that it was collected for.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;UIDAI Practices - Unclear&lt;br /&gt;&lt;/b&gt;It is unclear from publicly available information if the UIDAI is using collected information only for the purpose for which it was collected.&lt;/p&gt;
&lt;h3&gt;Right to Access and Correct&lt;b&gt; &lt;/b&gt;&lt;/h3&gt;
&lt;p&gt;Rule 5(6) requires body corporate to provide individuals with the ability to review the information they have provided and access and correct  personal or sensitive personal information.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI Practices - Partially in Line&lt;br /&gt;&lt;/b&gt;Though the UIDAI provides individuals with the ability to access and correct personal information, as stated on the enrolment form, correction is free only if changed within 96 hours of enrolment. Additionally, as stated on the enrolment form, if an individual chooses to allow for the UIDAI to facilitate the opening of a bank account and link present bank accounts to the UID number, this information, after being provided, cannot be corrected. The UIDAI website has a portal for updating information, but only name, address, gender, data of birth, and mobile number can be updated through this method.&lt;b&gt; &lt;/b&gt;&lt;a href="#fn9" name="fr9"&gt;[9]&lt;/a&gt;&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Right to ‘Opt Out’ and Withdraw Consent&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Rule 5(7) requires that body corporate must provide individuals with the option of 'opting out' of providing data or information sought. Individuals also have the right to withdraw consent at any point of time.  Body corporate has the right to withdraw services if consent is withdrawn.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI Practices - Partially in Line&lt;br /&gt;&lt;/b&gt;The UID enrolment form provides individuals with one ‘optional’ field  - the option of having the UIDAI open a bank account and link it to the individuals UID number or having the UIDAI link present bank accounts to individuals UID number. No other option to ‘opt out’ or withdraw consent is present on the enrolment form or the UIDAI privacy policy, terms of use, or website.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Security of Information&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Rule 8 requires that body corporate must secure information in accordance with the ISO  27001 standard. These practices must be audited on an annual basis or when the body corporate undertakes a significant up gradation of its process and computer resource.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI Practices - Unclear&lt;br /&gt;&lt;/b&gt;The security practices adopted by the UIDAI are not mentioned in the website privacy policy, on the website, or on the enrolment form, thus it is unclear from publicly available information if the UID is compliant with ISO 27001 standards. Though the UIDAI has been functioning since 2010, and it is unclear from publicly available information if annual audits of the UIDAI security practices have been undertaken.&lt;b&gt; &lt;/b&gt;&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Disclosure with Consent&lt;b&gt; &lt;/b&gt;&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Rule 6 requires that body corporate must have consent before disclosing sensitive personal data to any third person or party, except in the case with Government agencies for the purpose of verification of identity, prevention, detection, investigation, including cyber incidents and prosecution and punishment of offenses, on receipt of a written request. &lt;b&gt; &lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI Practices - Partially in Line&lt;/b&gt;&lt;br /&gt;In the enrolment form, consent for disclosure is stated as&lt;i&gt; ‘‘I have no objection to the UIDAI sharing information provided by me to the UIDAI with agencies engaged in delivery of welfare services.” &lt;/i&gt;This is a blanket statement and allows for all future possibilities of sharing and disclosure of information provided with any organization that the UIDAI deems as ‘engaged in the delivery of welfare services’.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The UIDAI privacy policy only addresses the disclosure of an individual’s email address with consent. Though not directly addressing disclosure, the UIDAI privacy policy also states &lt;i&gt;“&lt;/i&gt;&lt;i&gt; &lt;/i&gt;&lt;i&gt;We will not identify users or their browsing activities, except when a law enforcement agency may exercise a warrant to inspect the service provider's logs.”&lt;/i&gt;&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Prohibition on Publishing and Further Disclosure&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Rule 6(3) and 6(4) prohibit the body corporate from publishing sensitive personal  data or information. Similarly, organizations receiving sensitive personal data are not allowed to disclose it further.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI Practices - in Line&lt;/b&gt;&lt;br /&gt;The UDAI does not publish sensitive personal data. It is unclear what practices and standards registrars and enrolment agencies are functioning under.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Requirements for Transfer of Sensitive Personal Data&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Rule 7 requires that body corporate may transfer sensitive personal data into another jurisdiction only if the country ensures the same level of protection.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI Practices - Unclear&lt;br /&gt;&lt;/b&gt;It is unclear from publicly available information if information collected by the UIDAI is transferred outside of India. &lt;b&gt;&lt;/b&gt;&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Establishment of Grievance Officer&lt;b&gt;&lt;/b&gt;&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Rule 5(9) requires that body corporate must establish a grievance officer and the details must be posted on the body corporates website and grievances must be addressed within a month of receipt. &lt;b&gt;&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI Practices - in Line&lt;br /&gt;&lt;/b&gt;The website of the UIDAI provides details of a grievance officer that individuals can contact.&lt;a href="#fn10" name="fr10"&gt;[10]&lt;/a&gt; It is unclear from publicly available information if grievances are addressed within a month.&lt;/p&gt;
&lt;hr /&gt;
&lt;p&gt;[&lt;a href="#fr1" name="fn1"&gt;1&lt;/a&gt;]. &lt;a class="external-link" href="http://164.100.47.134/lsscommittee/Information%20Technology/15_Information_Technology_52.pdf"&gt;http://164.100.47.134/lsscommittee/Information%20Technology/15_Information_Technology_52.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr2" name="fn2"&gt;2&lt;/a&gt;]. &lt;a class="external-link" href="http://dispur.nic.in/itact/it-procedures-sensitive-personal-data-rules-2011.pdf"&gt;http://dispur.nic.in/itact/it-procedures-sensitive-personal-data-rules-2011.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr3" name="fn3"&gt;3&lt;/a&gt;]. &lt;a class="external-link" href="http://uidai.gov.in/"&gt;http://uidai.gov.in/&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr4" name="fn4"&gt;4&lt;/a&gt;]. &lt;a class="external-link" href="http://www.jharkhand.gov.in/marpdf/Aadhar-enrolmentform.pdf"&gt;http://www.jharkhand.gov.in/marpdf/Aadhar-enrolmentform.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr5" name="fn5"&gt;5&lt;/a&gt;]. &lt;a class="external-link" href="http://uidai.gov.in/organization-details.html"&gt;http://uidai.gov.in/organization-details.html&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr6" name="fn6"&gt;6&lt;/a&gt;]. &lt;a class="external-link" href="http://uidai.gov.in/privacy-policy.html"&gt;http://uidai.gov.in/privacy-policy.html&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr7" name="fn7"&gt;7&lt;/a&gt;]. &lt;a class="external-link" href="http://resident.uidai.net.in/home"&gt;http://resident.uidai.net.in/home&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr8" name="fn8"&gt;8&lt;/a&gt;]. &lt;a class="external-link" href="http://www.jharkhand.gov.in/marpdf/Aadhar-enrolmentform.pdf"&gt;http://www.jharkhand.gov.in/marpdf/Aadhar-enrolmentform.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr9" name="fn9"&gt;9&lt;/a&gt;]. &lt;a class="external-link" href="https://ssup.uidai.gov.in/web/guest/ssup-home"&gt;https://ssup.uidai.gov.in/web/guest/ssup-home&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr10" name="fn10"&gt;10&lt;/a&gt;]. &lt;a class="external-link" href="http://uidai.gov.in/contactus.html"&gt;http://uidai.gov.in/contactus.html&lt;/a&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/uid-practices-and-it-act-sec-43-a-and-subsequent-rules'&gt;https://cis-india.org/internet-governance/blog/uid-practices-and-it-act-sec-43-a-and-subsequent-rules&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>UID</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2014-03-06T07:00:21Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers">
    <title> UID &amp; Privacy - A Call for Papers </title>
    <link>https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers</link>
    <description>
        &lt;b&gt;Privacy India is inviting individuals to author short papers focused on Unique Identity (UID) and Privacy. Selected candidates will have their papers published on the CIS website, and their transportation and accommodation  provided for the “Privacy Matters” conference being held in Kolkata on 22 January 2010. &lt;/b&gt;
        
&lt;h3&gt;Topic&lt;br /&gt;&lt;/h3&gt;
&lt;p&gt;Privacy and the UID&lt;/p&gt;
&lt;h3&gt;Submission Deadline&lt;/h3&gt;
&lt;p&gt; By 15 January 2010 to admin@privacyindia.org&lt;/p&gt;
&lt;h3&gt;Word Length&lt;/h3&gt;
&lt;p&gt; 3,000-5,000 words&lt;/p&gt;
&lt;h3&gt;Topic Summary&lt;/h3&gt;
&lt;p&gt;The &lt;em&gt;Aadhaar&lt;/em&gt; scheme, or Unique Identity (UID) scheme is a plan to provide citizens identity cards that are tied to their unique biometric data – such as their fingerprints or retinal scans. Although the most frequently cited justification for this project is to ensure the secure delivery of relief to beneficiaries of government aid schemes, it is clear that the uses to which it will be put exceed this narrow mandate.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;As India embarks on one of its most ambitious techno-administrative projects to date, there is surprisingly little clarity or introspection into the implications of having such a concentrated identity locked into a single card. In particular it appears that the grave threats to privacy the scheme poses have not received due attention. Although the final draft UID Bill circulated by the UIDAI in October 2010 contains some provisions that reference privacy, there seems to be a tacit assumption that privacy is an expendable or at least a less-desirable privilege that can be attended to fully once the scheme is fully in place.&lt;/p&gt;
&lt;p&gt;We invite individuals to author short inter-disciplinary papers that engage various topics on the theme of Privacy and the UID, including but not limited to the following:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Comparative studies on privacy and national identity card schemes in other countries&lt;/li&gt;
&lt;li&gt;Privacy and the UID Bill&lt;/li&gt;
&lt;li&gt;How will a project such as the UID change the relationship between the state, the individual, and the market?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Selected candidates will have their papers published on the CIS website, and their transportation and accommodation&amp;nbsp; provided for the “Privacy Matters” conference being held in Kolkata on January 22nd 2010.&lt;/p&gt;
&lt;h3&gt;Who We Are&lt;/h3&gt;
&lt;p&gt;Privacy India was set up with the collaboration of the Centre for Internet and Society (CIS) and Society in Action Group (SAG), under the auspices of the international organization ‘Privacy International’. Privacy International is a non-profit group that provides assistance to civil society groups, governments, international and regional bodies, the media and the public in a number of countries (see &lt;a class="external-link" href="http://www.privacyinternational.org/"&gt;www.privacyinternational.org&lt;/a&gt;). Privacy India's objective is to raise awareness, spark civil action and promote democratic dialogue around privacy challenges and violations in India. In furtherance of this goal we aim to draft and promote an over-arching privacy legislation in India by drawing upon legal and academic resources and consultations with the public.&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers'&gt;https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-03-21T10:03:44Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/privacy-wikilileaks-whistleblowers">
    <title>The Privacy Rights of Whistleblowers </title>
    <link>https://cis-india.org/internet-governance/blog/privacy/privacy-wikilileaks-whistleblowers</link>
    <description>
        &lt;b&gt;The recent disclosures from Wikileaks have shown that the right to information, whistle-blowing, and privacy are interconnected. This note looks at the different ways in which the three are related, as well as looking at the benefits and drawbacks to Wikileaks in terms of privacy. &lt;/b&gt;
        
&lt;h3&gt;Introduction&lt;br /&gt;&lt;/h3&gt;
&lt;p&gt;In a recent interview, the Canadian Privacy Commissioner was quoted as saying “Information and the manipulation of information is the key to power. Those who can control the information can influence society enormously.” History and present-day society have both proven the truth in this statement. It is one among many reasons that the right to information is important to uphold. In India, and in other countries, there are statutes – in India, the Right To Information Act – that entitle the public to request and receive information that pertains to public bodies and their conduct, information that is publicly available because it is intrinsically related to the public interest. An entirely separate but equally critical way in which the public is kept informed is through whistle-blowing. Traditionally, whistle-blowing is any disclosure made in the name of public interest. Recent events such as the Ratan Tata case and the leaks of US diplomatic cables have brought to light the relationship between the public’s right to information, the rights of whistleblowers, and the rights of individuals to privacy. These recent cases have shown that the right to information, whistle-blowing, and the right to privacy are interconnected, because privacy can provide individuals with the means to sustain autonomy against potentially overwhelming forces of government and persons who might have mixed motivations. The right to information and whistle-blowing are means by which the government is held accountable to the public if they violate the law or the public trust. The Wikileaks case and the Ratan Tata case raise important questions about when those two interests need to give way to private interests. 
One of the key questions that Wikileaks raises is: if whistleblowing is supposed to be disclosure in the public interest -- i.e., to protect the public – should disclosure of personal information be permissible only if a person can demonstrate that he/she is trying to remedy or avoid actual wrongdoing rather than simply publishing information that is "interesting to the public?"&lt;/p&gt;
&lt;h3&gt;What is a Whistleblower and how does a Whistleblower Benefit from Wikileaks? &lt;br /&gt;&lt;/h3&gt;
&lt;p&gt;Whistleblowing is the modern counterpart to “informers” – people who reveal others’ wrongdoing. Much whistleblowing occurs by going "up the chain" in a person's own department or agency or company. If the person is reporting wrongdoing and the person ultimately goes to the authorities about illegal activity, the individual reporting the leak can sometimes get immunity for his or her own actions, can sometimes collect part of the penalties, and can under certain statutes in some countries even bring suit if the company retaliates against him -- for example, by firing him. In this way traditional whistleblowing places the responsibility for legal and ethical conduct on employees who are better situated to see wrongdoing than outsiders would be. In many countries, a person may present information of a whistleblowing nature to a judicial body. The judicial body then determines the validity of the information, the degree of public interest involved, and the proper form of redress to be taken. The judicial body offers legal protection to the whistleblower. Another method of whistleblowing is to leak information to the press. Once information is in the public domain – at least if there is freedom of press -- the information can no longer be covered up. Neither the right to free press, nor the right to protection as a whistleblower is universal. The current critique of the Indian Whistle Blowing Bill is that the right to protection will not be ensured. A Times of India article issued in September 2010 pointed out that the Whistle Blowing Act’s biggest weakness is that the Bill’s Central Vigilance Commission is designated to play both the role as competent authority to deal with complaints filed by whistleblowers and as the tribunal to protect whistleblowers. 
Structuring the power to allow one body to fulfil both functions runs the risk of bias and could breed distrust that would cause people to avoid the system altogether. The article complained that the Bill has no teeth, and that even if the Commission believes that the whistleblowing is valid, it is able only to give advice rather than actually to prosecute individuals. The article recites extreme instances in which individuals have blown the whistle and paid for it with their lives. For example: in 2005 a manager of the Indian Oil Corporation was killed after exposing a scheme in adulterated petrol, and in 2010 an RTI activist was killed after exposing land scams in Maharashtra. In these situations, Wikileaks is an interesting and powerful tool for individuals who either do not want to leak their information to a judicial body or are not protected if they do so in their own country. Leaking information to Wikileaks is in one sense analogous to leaking information to the press, but it is not precisely the same because it is not a news media outlet, but instead is a way for a person to post information on a mass media outlet. It should be noted, however, that informants who leak to Wikileaks are not afforded the same immunity that individuals who leak to authorities are granted. When an individual shares documents or information with Wikileaks, the site in turn acts as a platform to publish the information on the web and with the press. Being an independent entity that is neither tied down to a certain territory, government, or entity – Wikileaks has the pull of non-bias. 
But the strength of Wikileaks is also its weakness.&amp;nbsp; When 250,000 diplomatic cables were posted, there was no one who understood the context of the content to monitor to ensure that everything was appropriate to post.&amp;nbsp; As a result, the information was transmitted to an audience who normally would not be entitled to it.&amp;nbsp; By doing so, the leaked information placed individual diplomats in precarious positions that could potentially put them in harm’s way and unnecessarily damage their reputations, as well as putting the reputation of the United States on the line.&lt;/p&gt;
&lt;h3&gt;Privacy and Whistleblowing&lt;/h3&gt;
&lt;p&gt;As a result the United States is looking to press charges against Julian Assange, founder of Wikileaks, for espionage.&amp;nbsp; The way in which Wikileaks leaked information and the nature of the leak has brought privacy into the picture. When looking at the act of whistleblowing through the lens of privacy, there are obvious privacy concerns for the whistleblower, for the person or entity whose information has been leaked, and for possible third parties involved.&amp;nbsp; Paul Chadwick, the Victorian Privacy Commissioner, pointed out that for the whistleblower the main privacy concerns include the individual’s identity, safety, and reputation. For the alleged wrongdoer the privacy concerns include: identity, safety, employment, and liberty (where sanctions may include imprisonment). For third parties, reputation and safety can both be jeopardized by disclosures by whistleblowers. The Wikileaks leaks squarely present the question whether intent should be brought into the analysis of privacy and whistleblowers.&amp;nbsp; If a whistleblower is disclosing with the intent to protect the public, the protections afforded to this person should weigh differently against the privacy interests of alleged wrongdoers and third parties than for someone who is simply defining the public interest as “interesting to the public,” or, worse, as seen in the false leak by Pakistan against India, is looking to leak information to disrupt public interest.&amp;nbsp; Even though Wikileaks works to protect the anonymity of individuals who leak information, it is not bound by any law to protect the privacy of individuals involved in the leak. The concept behind Wikileaks is important. 
By interacting with government information, it has the ability to bring accountability and transparency to governments, but the only regulation over Wikileaks is internal (and thus inherently subjective).&amp;nbsp; Wikileaks needs to change its structure to take into account leaks shared without the intent of protecting the public interest and even then needs to monitor to prevent leaks that could place individuals in precarious situations or damage reputations with no validating information.&lt;/p&gt;
&lt;hr /&gt;
&lt;h3&gt;Sources:&lt;/h3&gt;
&lt;ul&gt;&lt;li&gt;&amp;nbsp;http://www.ctv.ca/generic/generated/static/business/article1833688.html&lt;/li&gt;&lt;/ul&gt;
&lt;ul&gt;&lt;li&gt;&amp;nbsp;Chadwick, Paul. Whistleblowing, Transparency, and Privacy: Aspects of the relationship between Victoria’s Whistleblowers Protection Act and the Information Privacy Act. &lt;/li&gt;&lt;/ul&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/privacy-wikilileaks-whistleblowers'&gt;https://cis-india.org/internet-governance/blog/privacy/privacy-wikilileaks-whistleblowers&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-03-22T05:47:16Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/omnishambles-of-uid-shrouded-in-its-rti-opacity">
    <title>The Omnishambles of UID, shrouded in its RTI opacity</title>
    <link>https://cis-india.org/internet-governance/blog/omnishambles-of-uid-shrouded-in-its-rti-opacity</link>
    <description>
        &lt;b&gt;The Centre for Internet &amp; Society sponsored Colonel Mathew Thomas to hold a workshop at the fourth National Right to Information (RTI) organized by the National Campaign for People's Right to Information, held in Hyderabad from February 15 to 18, 2013. &lt;/b&gt;
        &lt;p&gt;Click below to see Colonel Mathew Thomas's presentation&lt;/p&gt;
&lt;h3&gt;&lt;b&gt;&lt;a class="external-link" href="http://www.slideshare.net/praskrishna/omnishambles-of-uid-shoruded-in-its-opacity-17-feb-2013-1"&gt;Omnishambles of UID Shrouded in its Opacity&lt;/a&gt;&lt;/b&gt;&lt;/h3&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/omnishambles-of-uid-shrouded-in-its-rti-opacity'&gt;https://cis-india.org/internet-governance/blog/omnishambles-of-uid-shrouded-in-its-rti-opacity&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2013-02-19T11:04:30Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/dna-profiling-bill">
    <title>The DNA Profiling Bill 2007 and Privacy </title>
    <link>https://cis-india.org/internet-governance/blog/privacy/dna-profiling-bill</link>
    <description>
        &lt;b&gt;In 2007 a bill known as the Draft DNA Profiling Bill was piloted by the Centre for DNA Fingerprinting and Diagnostics, an autonomous organization funded by the Department of Biotechnology, Ministry of Science and Technology, Government of India. The following is a background to DNA collection/analysis in India, and a critique of the Bill from a privacy perspective. &lt;/b&gt;
        
&lt;h3&gt;Introduction&lt;/h3&gt;
&lt;p&gt;In 2007 a bill known as the Draft DNA Profiling Bill was piloted by the Centre for DNA Fingerprinting and Diagnostics, an autonomous organization funded by the Department of Biotechnology, Ministry of Science and Technology, Government of India[1]. The Bill is pending in parliament. The DNA Profiling Bill looks to legalize the collection and analysis of DNA samples for forensic purposes. We believe that it is important that collection of DNA has associated legislation and regulation, because DNA is sensitive physical evidence that if used correctly can benefit the public good, but if misused can lead to serious privacy and human rights violations. Therefore it is important to create a balance between the constitutional rights of an individual and the public interest and bring accountability and transparency to the practice of DNA collection and testing.&lt;/p&gt;
&lt;p&gt;In our research we consulted with GeneWatch UK to learn from their work and experience with DNA testing in the UK. This briefing is meant to give a background on the logistics of DNA testing, highlight ways in which DNA testing raises privacy concerns, and provide a critique of the DNA Profiling Bill.&lt;/p&gt;
&lt;h3&gt;Background Facts about DNA and DNA testing:&lt;/h3&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;What is DNA:&lt;/strong&gt; DNA is material that determines a person's hereditary traits such as hair color, eye color, body structure etc. Most DNA is located in the cell nucleus, and wrapped up in small structures called chromosomes. Every person inherits 50% of genetic material from their mother and 50% from their father. Genetic disorders are caused by mutations in a person's DNA, and comparing DNA within families can reveal paternity and non-paternity. DNA is found in every cell of our bodies, and each person has a unique strand of DNA [2]. Thus, DNA is seen as a useful form of identification with marginal room for error [3].&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;What is a DNA profile/ DNA database, and how can it be used/misused:&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;When DNA samples are taken from individuals they are analyzed in laboratories to produce a digitized representation of numbers known as a DNA profile. Once created, a DNA profile is stored on a DNA database (i.e. an electronic database) with other identifying information from the individual and information from the crime scene. A DNA profile is based on parts of a person's DNA, so it is not unique to an individual. The probability of an individual's DNA profile matching a stranger's by chance is very small, but not impossible. To collect a sample of DNA police normally use a mouth swab to scrape cells from inside the suspect's cheek. If the individual refuses, their DNA can be obtained by pulling some hairs out of their head (cut hair does not contain DNA, it is only in the roots), if the law allows DNA to be taken without consent. DNA samples are also collected from crime scenes, for example from a blood stain, and analyzed in the same way.&amp;nbsp; DNA samples are sometimes stored indefinitely in the laboratory with a bar code number (or other information) that allows them to be linked back to the individual [3]. Stored DNA profiles from crime scenes can be helpful to exonerate an innocent person who is falsely accused of a crime if their DNA does not match a crime scene DNA profile that is thought to have come from the perpetrator. However, stored DNA profiles from individuals are not needed for exoneration because the individual's DNA can always be tested directly (it does not need to be stored on a database). Collecting DNA profiles from individuals can be useful during an investigation, to compare with a crime scene DNA profile and either exonerate an individual or confirm they are a suspect for the crime. 
Corroborating evidence is always needed because of the possibility of false matches (which can occur by chance or due to laboratory errors) and because there may be an innocent explanation for an individual's DNA being at a crime scene, or their DNA could have been planted there. Storing DNA profiles from individuals on a database is only useful to implicate those individuals in possible future crimes, not to exonerate innocent people, or to solve past crimes. An individual is implicated as a possible suspect for a crime if their stored DNA profile matches a new crime scene DNA profile that is loaded on to the database. For this reason, most countries only store DNA profiles from individuals who have committed serious crimes and may be at risk of re-offending in the future. Stored DNA profiles could in theory be used to track any individual on the database or to identify their relatives, so strict safeguards are needed to prevent misuse [4].&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;DNA testing in India:&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;At present, India does not have a national law that empowers the government to collect and store DNA profiles of convicts, but DNA collection and testing is taking place in many states. For instance, in Pune the army is currently considering creating DNA profiles of troops who are involved in hazardous tasks in order to help identify bodies mutilated beyond recognition [5].&amp;nbsp; In December of this year a judge in the Supreme Court ordered DNA testing on a Congress spokesman to determine if his child was really his child [6].&amp;nbsp; Also in December this year a news article announced the establishment of the first DNA profiling databank in Nehru Nagar [7].&amp;nbsp; Additionally, DNA has been used to identify criminals; for instance, in the Tandoor Murder, DNA testing was used to reveal the identity of the culprit [8].&lt;/p&gt;
&lt;p&gt;India hosts both private and public DNA labs. Public labs are sponsored by the Government, and use DNA purely for forensic purposes. For example, the Centre for DNA Fingerprinting and Diagnostics (CDFD) located in Hyderabad is sponsored by the Department of Biotechnology and Ministry of Science. CDFD runs DNA testing for: establishment of parentage, identification of mutilated remains, establishment of biological relationships for immigration, organ transplantation, property inheritance cases, identification of missing children and child swapping in hospitals, identification of rapists in rape cases, identification in the case of murder.&lt;/p&gt;
&lt;p&gt;Cases are only accepted by CDFD if they are referred by law enforcement agencies or by a court of law. Only an officer of the rank of Inspector of Police or above may forward DNA cases to CDFD. Copies of the DNA report are released to individuals if they are able to prove needed interest in the case through a notarized affidavit [9]. In 2010 CDFD received 100 cases from law enforcing agencies. Additionally, in 2010 CDFD was given rupees eighteen lakhs thirty nine thousand five hundred and forty five from the Government of India towards DNA fingerprinting services [10]. The Indian Government has also established National Facilities for Training in DNA Profiling in order to train individuals in DNA testing and expand the number of DNA examiners and laboratories available in the country [11]. &lt;br /&gt;&lt;br /&gt;Examples of private DNA labs include DNA labs India and Truth Labs. DNA labs India runs paternity testing, forensic testing, prenatal testing, and genetic testing [12]. Truth Labs is a private lab that provides legal services directly, without a court or police order [13].&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;The Complexity of privacy and DNA collection/ testing:&lt;/strong&gt;&lt;br /&gt;As mentioned above, because of the personal and sensitive nature of DNA, the use of DNA raises many privacy concerns.&amp;nbsp; The concerns fall into three basic areas:&amp;nbsp; first, if a person has given consent to have his or her DNA used for a specific purpose, must the DNA be destroyed or can it be used for other purposes as well?&amp;nbsp; Related to that, if a person must give consent for a specific purpose, what happens if the person is no longer able to give consent -- if, for example, the person has died?&amp;nbsp; Finally, if the testing of one person's DNA yields information that is likely, or probable, or certain to impact another person, does that person have a right to know the information discovered?&amp;nbsp; There are variations on these questions -- for example, if DNA is permitted to be taken without consent (to test for a crime, perhaps), does that lack of need for consent permit all uses of DNA that others want?&amp;nbsp; Who decides? The complexity of these questions demonstrates that in the situation of DNA collection and testing privacy cannot be protected simply through consent from an individual. Instead the law must permit specific thresholds to be established in order to cover the privacy needs of different situations.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Can DNA evidence be considered self-incriminating evidence?&lt;/strong&gt;&lt;br /&gt;According to the Supreme Court, fingerprinting and other physical evidence are not covered by article 20(3). In the case of State of Bombay v. Kathi Kalu Oghad, the courts answered the question of whether or not the freedom against self-incrimination guaranteed under article 20(3) of the Constitution of India – which is meant to protect a person from torture by the police – can be extended to the collection of DNA. The courts answered this question by upholding that &lt;br /&gt;&amp;nbsp;“To be a witness may be equivalent to ‘furnishing evidence’ in the sense of making oral or written statement, but not in the larger sense of the expression so as to include giving of thumb impression or impression of palm or foot or fingers or specimen writing or exposing a part of the body by an accused person for purposes of identification [14]”&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;
&lt;h3&gt;Critique of the DNA Profiling Bill 2007&lt;/h3&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Does India already have sufficient legislation? &lt;/strong&gt;&lt;br /&gt;The collection and use of biometrics for identification of criminals legally began in India during the 1920's with the approval of the Identification of Prisoners Bill 1920 [15]. The object of the Bill is to “provide legal authority for the taking of measurements of finger impression, foot-prints, and photographs of persons convicted or arrested…”[16]&amp;nbsp; The Bill is still enforced in India, and in October 2010 was amended by the State Government of Tamil Nadu to include “blood samples” as a type of forensic evidence [17]. Other Indian legislation pertaining to forensic evidence is the CrPC and the Indian Evidence Act. In 2005 section 53A of the CrPC was amended to authorize investigating officers to collect DNA samples with the help of a registered medical practitioner, but the Indian Evidence Act fails to manage science and technology issues effectively [18].&amp;nbsp; The current statutes for DNA collection in India are not sufficient, as they neglect to lay out precise procedures for collection, processing, storage, and dissemination of DNA samples. 
One question to consider though is if the Prisoners Identification Bill, CrPC, and Indian Evidence Act could be amended to incorporate DNA, and the needed safeguards, as a type of forensic evidence for all of India.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Lack of requirement for additional evidence:&lt;/strong&gt; The preamble of the DNA Profiling Bill states that “The Deoxyribose Nucleic Acid (DNA) analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead without any Doubt.”&amp;nbsp; This statement is untrue as DNA tests can be compromised under many circumstances including: techniques for declaring a match, the proficiency of examiners, laboratory control standards and statistical problems, and DNA samples can become degraded due to age or exposure to chemical or bacterial agents [19]. Because DNA is not foolproof, individuals can be falsely implicated in a crime as a result of an incorrect DNA match. The Bill needs to put in place procedures for the court to recognize the fact that DNA is not 100% foolproof, present the statistics correctly, and require supporting evidence [20].&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Scope for DNA Collection:&lt;/strong&gt; The stated object of the DNA Bill is to: “enhance protection of people and administration of justice, analysis of DNA found at the crime scene, establish identity of victim and offender”.&amp;nbsp; The list of offenses and situations in which the collection and testing of DNA is permitted, found in the Schedule of the Bill, provides for the collection of DNA from individuals who are not related to a crime scene, are not victims, and are not criminals.&amp;nbsp; Furthermore, section 13(xxii) allows this list to be expanded by the DNA board.&amp;nbsp; We believe these sections should be omitted from the scope of the Bill, so that it is limited to only identifying individuals who are victims and offenders, and that a statutory body besides the DNA board be given the authority to expand the list of proposed offences [21].&amp;nbsp; Furthermore, within the Bill there are many places where vague language permits the DNA testing of individuals who are not yet convicted of a crime, which will constitute an invasion of privacy unless the DNA is provided voluntarily to release a person suspected or accused of a crime [22]. Additionally, as mentioned above, it is critical that the Bill recognizes and allows for different thresholds of privacy when collecting, analyzing and sharing DNA profiles.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Clear definition of when collection of DNA samples can be taken:&lt;/strong&gt;&amp;nbsp; The schedule of the Bill only lists the offenses and situations for which the collection of DNA is permitted. We believe a provision must be added that clarifies when exactly DNA can be collected, e.g. whether the DNA can be collected on arrest or on charge, whether the DNA has to be relevant to the offence, or whether the police decide this for themselves, and what are the oversight mechanisms for these decisions [23].&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Privacy Principles:&lt;/strong&gt; The Bill enables the DNA Profiling Board to recommend privacy protection statutes, regulations, and practices concerning: use and dissemination, accuracy, security, and confidentiality, and destruction of DNA information [24]. Privacy principles should not be left to recommendations by the board or to regulations of the Bill, but instead should be incorporated into the Bill itself to ensure that such practices are in place if the Bill is passed. Furthermore, the appropriate collection, access, and retention of DNA information should be specified in this Bill.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Obligations for DNA laboratories:&lt;/strong&gt; Section 19 of the Bill lays out the obligations of DNA laboratories [25]. We recommend that the implementation of a privacy policy should be mandatory under this section.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Storage of&amp;nbsp; DNA profiles and samples:&lt;/strong&gt; Currently the Bill allows for the complete storage of DNA of: volunteers, suspects, victims, offenders, children (with parental consent), and convicted persons.&amp;nbsp; DNA samples taken from individuals contain unlimited genetic information (including health-related information) and are not needed for identification purposes once the profiles have been obtained from them, thus we recommend that the bill requires that DNA samples be stored temporarily for quality assurance purposes (e.g. for up to six months) and then destroyed to prevent misuse. This is an important privacy protection, which also reduces the cost of storing samples. The only purpose of retaining DNA profiles on a criminal database is to help identify the individual if they reoffend. Thus we recommend that the criminal databases should be restricted to holding DNA profiles only from convicted persons, and the types of offence and time period for retention should be limited. Although DNA profiles may have alternative uses other than solving crimes (e.g. identifying missing persons) we recommend that the missing persons databases are kept separate from criminal databases. Furthermore, although collecting DNA from victims and volunteers may be useful during the investigation of a crime, DNA profiles obtained from victims and volunteers should be destroyed once an investigation is complete.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Conflicting Clauses:&lt;/strong&gt; Section 14 of the Bill provides that DNA laboratories can only undertake DNA procedures with the approval, in writing, from the DNA profiling Board. Section 15(2) contradicts this statement by permitting already existing DNA laboratories to function and use DNA already collected even before they receive approval from the DNA profiling Board. We suggest that Section 14 is clearly written so that DNA laboratories that have already been set up are unable to continue functioning until they have met the approval of the DNA Profiling Board, and Section 15(2) should thus be deleted. &lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Access:&lt;/strong&gt; According to section 41 of the Bill, the Data Bank Manager is given sole discretion as to who may have access to the DNA database, including persons given access for training purposes [26]. Low standards such as these vest too much discretion in the Data Bank Manager. We recommend that access is strictly limited to trained&amp;nbsp; personnel who have undergone proper security clearance. Furthermore, we recommend that the role of Data Bank Manager be analogous to a custodian for the databank. Thus, the manager would be accountable for the integrity and security of the data held in the DNA databank.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Offenses:&lt;/strong&gt; Though the Bill provides penalties for offenses such as unauthorized access, disclosure, destruction, alterations, and tampering [27], the Bill fails to provide punishment for the illegal collection of DNA samples. This should be made an offense under the Bill.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Redress:&lt;/strong&gt; The Bill provides no redress mechanism to an individual whose DNA was illegally used or collected. Furthermore, section 49 (1) only permits the Central Government or DNA Profiling Board to bring complaints to the courts [28]. Thus, we recommend that individuals are enabled to bring charges against entities (such as DNA labs or police officials) for the misuse of their data.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Delegation of powers:&lt;/strong&gt; The Bill allows the DNA Profiling Board to form committees of the members and delegate them the powers and functions of the board. This clause could allow outsourcing, and could allow a dilution of authority by which the DNA Profiling Board weighs approval or rejection of requests [29]. We recommend that the outsourcing of functions be limited to administration duties and jobs that do not directly relate to the core duties of the DNA Profiling Board.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Access by law enforcement agencies:&lt;/strong&gt; The Bill currently allows for the DNA Profiling Board to grant law enforcement agencies access to DNA profiles [30]. We recommend that DNA profiles are only accessed by the Data Bank Manager. Law enforcement agencies should send requests for matches to the Data Bank Manager, and the Manager would provide the needed intelligence [31].&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Public interest:&lt;/strong&gt; The Bill allows for DNA laboratories to continue to operate, even if&amp;nbsp; the laboratory has violated the specified procedures, if the DNA Profiling Board finds it in the public interest [32]. We believe that where there have been violations, a laboratory should be required to demonstrate remediation before being allowed to resume operations.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Contamination of DNA samples:&lt;/strong&gt; Currently the Bill holds laboratories responsible for “minimizing the contamination of DNA.”[33] DNA Laboratories should be held fully and legally responsible for preserving the quality of DNA samples. If a DNA sample is contaminated, and the DNA lab does not follow due diligence to discard the contaminated sample and/or collect a new sample, and subsequently the DNA is used wrongly against an individual, that individual should have the ability to press charges against the institution.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Audits:&lt;/strong&gt; The Bill provides for the auditing of DNA laboratories, but the DNA Profiling Board must also undergo annual audits [34].&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Indices Held by DNA Banks:&lt;/strong&gt;&amp;nbsp; Under section 33 (4), (5) the Bill provides for the DNA data bank to set up indices that hold DNA identification records and DNA analysis from: crime scenes, suspects, offenders, missing persons, unknown deceased persons, volunteers and such other indexes as specified by regulations. We believe the DNA data bank should not hold indexes on suspects, missing persons, or volunteers without consent and the ability for the individual to withdraw their consent. Furthermore, the Bill requires the taking of a victim’s DNA, but it is not listed as an index. We recommend that this section be deleted, as the creation of a DNA index is simply another copy of a DNA profile, and it does not serve a particular purpose.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Communicating of DNA Profile with Foreign States: &lt;/strong&gt;Section 35 permits, with the approval of the Central Government, the sharing of DNA profiles with Foreign States [35]. We recommend that communication and use of a DNA profile with Foreign States should be limited to comparison only.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Access to Data Banks for administration purposes:&lt;/strong&gt;&amp;nbsp; Section 39 of the Bill permits access to the databank for “administrative purposes”. We recommend that the Bill clarify&amp;nbsp; what exactly constitutes “administrative purposes”, and clarify that the process/procedures that permit access to data banks for administration purposes will not require access to data stored in Data Banks [36].&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Enforcement for the removal of innocents: &lt;/strong&gt;Section 36(3) of the Bill requires that the DNA profile of individuals who are found innocent be removed from the database.&amp;nbsp; This provision should have legal&amp;nbsp; mechanisms to ensure enforcement of the provision e.g. reporting by the Board [37].&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Ability to access one’s own DNA Profile:&lt;/strong&gt;&amp;nbsp; A provision should be added to the Bill that gives individuals the right to ask the police for any of their own details held on police databases, so an individual has the ability to know if their data is being held against the law [38].&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Clear Definition of identity: &lt;/strong&gt;Section 33(6)(i) maintains that the DNA Data Bank will contain in relation to each of the DNA profiles… the “identity of the person”.&amp;nbsp; The Bill needs to define what is "identity" and how “identifying” information can be used. Furthermore, it is important to ensure that no other information (like an identity number) that would allow for function creep, is included in the DNA data base[39].&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Transparency of the DNA board:&amp;nbsp;&lt;/strong&gt; Section 13 of the Bill describes the powers and functions of the DNA Board. In this section the DNA board should be required to publish and submit minutes and annual reports including detailed information on how it has exercised all its functions to the public and to Parliament. The report should include: numbers of profiles added to the database; numbers removed on acquittal, numbers of matches and solved crimes; costs; numbers of quality assurance inspections, and breakdowns of these figures by state [40].&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Restricted use of DNA database:&lt;/strong&gt; Section 39 (1) of the Bill permits the DNA database to be used for identification purposes that are not related to solving a crime including the “ identification of victims of: accidents, disasters or missing persons or for such other purposes”.&amp;nbsp; The DNA database should be restricted to the identification of a perpetrator of a specified criminal offence, and consent or a court order must be sought for any other use of the database for identification purposes.&amp;nbsp;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Probability of error published:&lt;/strong&gt; Because profiles found in the DNA data base are comprised of only parts of individuals' DNA, the profiles are not unique to individuals. Thus, the number of false matches that are expected to occur by chance between crime scene DNA profiles and stored individuals' profiles depends on the profiling system used, how complete the crime scene DNA is before it is added to the database (many crime scene DNA stains are degraded and not complete), and how many comparisons are done (i.e. how big the database is and how often it is searched). With a population the size of India, the number of these false matches could be very high. The DNA board needs to take this probability for error into consideration and publish researched statistics on how many false matches they expect to occur purely by chance, based on the numbers of profiles they expect to store under the proposed criteria for entry and removal of profiles [41].&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Cost analysis:&lt;/strong&gt; The DNA board should publish a cost benefit analysis for the implementation of the Bill. This should include the cost of storing samples, collecting samples, and testing samples [42].&lt;/p&gt;
&lt;h3&gt;Bibliography&lt;/h3&gt;
&lt;ol&gt;&lt;li&gt;http://www.cdfd.org.in/&lt;/li&gt;&lt;li&gt;http://ghr.nlm.nih.gov/handbook/basics/dna&lt;/li&gt;&lt;li&gt;Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 pg.6, 22&lt;/li&gt;&lt;li&gt;Ibid email conversation with Dr. Wallace from Genewatch UK April 2nd 2002&lt;/li&gt;&lt;li&gt;http://articles.timesofindia.indiatimes.com/2011-01-02/india/28371869_1_dna-data-bank-blood-samples-bodies&lt;/li&gt;&lt;li&gt;&amp;nbsp;http://www.merinews.com/article/justice-s-rabindra-bhatt-orders-dna-test-for-nd-tiwari/15838508.shtml&lt;/li&gt;&lt;li&gt;&amp;nbsp;http://www.dnaindia.com/mumbai/report_nehru-nagar-first-region-in-country-to-have-dna-profiling-database_1477211&lt;/li&gt;&lt;li&gt;Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007. Pg.263&lt;/li&gt;&lt;li&gt;http://www.cdfd.org.in/servicespages/dnafingerprinting.html&lt;br /&gt;&lt;/li&gt;&lt;li&gt;ibidhttp://www.cdfd.org.in/image/AR_2009_10.pdf&lt;/li&gt;&lt;li&gt;http://planningcommission.nic.in/plans/planrel/fiveyr/11th/11_v1/11v1_ch8.pdf&lt;/li&gt;&lt;li&gt;http://www.dnalabsindia.com/&lt;/li&gt;&lt;li&gt;http://www.truthlabs.org/&lt;/li&gt;&lt;li&gt;AIR 1961 SC 1808&lt;/li&gt;&lt;li&gt;&amp;nbsp;The Prisoners Identification Bill was most recently amended 1981&lt;/li&gt;&lt;li&gt;http://lawcommissionofindia.nic.in/51-100/report87.pdf&lt;/li&gt;&lt;li&gt;&amp;nbsp;http://www.tn.gov.in/stationeryprinting/extraordinary/2010/305-Ex-IV-2.pdf&lt;/li&gt;&lt;li&gt;Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 pg. 259&lt;/li&gt;&lt;li&gt;Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 pg. 245 &lt;br /&gt;&lt;/li&gt;&lt;li&gt;Email conversation with Dr. Wallace from Genewatch UK. April 2nd&lt;/li&gt;&lt;li&gt;Schedule of offenses 5) Miscarriage or therapeutic abortion, b. Unnatural offenses, 7) Other criminal offenses b. 
Prostitution 9) Mass disaster&amp;nbsp; b) Civil (purpose of civil cases) c. Identification purpose 10)&amp;nbsp; b) Civil:1) Paternity dispute 2) Marital dispute 3) Infidelity 4) Affiliation c) Personal Identification 1) Living 2) Dead 3) Tissue Remains d)&lt;/li&gt;&lt;li&gt;&amp;nbsp;2 (xxvii) “offender” means a person who has been convicted of or is under trial charged with a specified offense. &lt;br /&gt;2(1)(vii) “crime scene index” means an index of DNA profiles derived from&lt;br /&gt;forensic material found: (a) at any place (whether within or outside India) where a specified offense was, or is reasonably suspected of having been, committed;&lt;br /&gt;or (b) on or within the body of the victim, or a person reasonably&lt;br /&gt;suspected of being a victim, of an offense (DNA Profiling Bill)&lt;/li&gt;&lt;li&gt;&amp;nbsp;Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 Pg. 291&lt;/li&gt;&lt;li&gt;Section (1) (xv) –(xvi) of DNA Profiling Bill&lt;/li&gt;&lt;li&gt;Section 19 of DNA Profiling Bill &lt;br /&gt;&lt;/li&gt;&lt;li&gt;Section 41(i) (ii) of DNA Profiling Bill&lt;/li&gt;&lt;li&gt;Section 45, and section 46 of DNA Profiling Bill&lt;/li&gt;&lt;li&gt;&amp;nbsp;Section 49 (1) of DNA Profiling Bill&lt;/li&gt;&lt;li&gt;&amp;nbsp;Section 52 (2) The DNA Profiling Board may, by a general or special order in writing,&lt;br /&gt;also form committees of the members and delegate to them the powers&lt;br /&gt;and&amp;nbsp; of the Board as may be specified by the regulations.&lt;/li&gt;&lt;li&gt;Section 13(x), Section(2) The DNA Profiling Board may, by a general or special order in writing,also form committees of the members and delegate to them the powers and functions of the Board as may be specified by the regulations.&lt;/li&gt;&lt;li&gt;Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007&amp;nbsp; Pg. 
300&lt;/li&gt;&lt;li&gt;Section 17 (2) of DNA Profiling Bill&lt;/li&gt;&lt;li&gt;Section 22 of DNA Profiling Bill&lt;/li&gt;&lt;li&gt;Section 28 of DNA Profiling Bill&lt;/li&gt;&lt;li&gt;Section 35 (1) of DNA Profiling Bill&lt;/li&gt;&lt;li&gt;Section 39 of DNA Profiling Bill&lt;/li&gt;&lt;li&gt;http://www.genewatch.org/sub-539478&lt;/li&gt;&lt;li&gt;http://www.genewatch.org/sub-539478&lt;/li&gt;&lt;li&gt;http://www.genewatch.org/article.shtml?als[cid]=492860&amp;amp;als[itemid]=567376&lt;/li&gt;&lt;li&gt;Email conversation with Dr. Wallace from Gene Watch UK April 2nd&lt;/li&gt;&lt;li&gt;Standard setting and quality regulation in forensic science. GeneWatch UK submission to the Home Office Consultation. October 2006.&lt;/li&gt;&lt;li&gt;Standard setting and quality regulation in forensic science. GeneWatch UK submission to the Home Office Consultation. October 2006.&lt;/li&gt;&lt;/ol&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/dna-profiling-bill'&gt;https://cis-india.org/internet-governance/blog/privacy/dna-profiling-bill&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-03-21T09:40:56Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/">
    <title>[···]</title>
    <link>https://cis-india.org/internet-governance/blog/</link>
    <description>
        &lt;b&gt;&lt;/b&gt;
        
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/'&gt;https://cis-india.org/internet-governance/blog/&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>kaeru</dc:creator>
    <dc:rights></dc:rights>


   <dc:date>2025-11-19T17:19:28Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/surveillance-technologies">
    <title>Surveillance Technologies </title>
    <link>https://cis-india.org/internet-governance/blog/privacy/surveillance-technologies</link>
    <description>
        &lt;b&gt;The following post briefly looks at different surveillance technologies, and the growing use of them in India.&lt;/b&gt;
        
&lt;h3&gt;Surveillance...&lt;/h3&gt;
&lt;p&gt;New security technologies are constantly emerging that push the edge between privacy and a reasonable level of security. Society's tolerance level is constantly being tested by governments who use surveillance and monitoring technologies to protect the nation. Governments claim that they need absolute access to citizens' lives. They need to monitor phones, look through emails, peer into files – in order to maintain security and protect against terrorism. As a side note, though, an Economic Times article published on Nov. 4, 2010 reported that government computers were being hacked into through viruses, and top secret documents were being stolen. The irony of the story is that the viruses were introduced to the computers through porn websites visited by officials.&lt;/p&gt;
&lt;h3&gt;...In a Car? On the Street? In an Airport?&lt;/h3&gt;
&lt;p&gt;Despite the fact that governmental monitoring might make the common man uncomfortable, the reality is that governments will always win the national security vs privacy fight. The story becomes more complicated when it moves from the government directly monitoring individuals to security agencies monitoring individuals. For instance, the use of full body scanners at airports, or of trucks equipped with scatter x-ray machines to control crime in neighborhoods, is a much more heated debate. There are other ways to check passengers for banned items, and other ways to keep crime off the streets, without mandating that individuals submit themselves to invasive scans or scanning unaware individuals.&lt;/p&gt;
&lt;h3&gt;...In the Movie Theater????..for Marketing Purposes????&lt;/h3&gt;
&lt;p&gt;Surveillance technology has now been taken yet another step further. No longer is it being used just to prevent violent crimes or terrorist attacks. Today the movie industry is using controversial anti-piracy tools to protect the films it produces. For instance, the security company Aralia Systems manufactures products such as CCTV cameras and anti-camcorder systems that shine infrared light beams on audiences as they watch a movie. The light beams reflect off camcorders and alert the theater that camcorders are present. This practice can already be seen as invasive, since individuals might be opposed to being probed by light beams throughout movies, but the extent of potential privacy invasion does not stop there. Aralia Systems has partnered with Machine Vision Lab and has created a system that harvests audiences' emotions and movements as they watch movies. The data can then be used by market researchers to better tailor their behavioral advertising schemes. Essentially, movie theater monitoring has merged surveillance technologies with behavioral marketing technologies in a twisted invasion of movie watchers' personal privacy.&lt;/p&gt;
&lt;h3&gt;Is this technology in India?&lt;/h3&gt;
&lt;p&gt;Though behavioral monitoring and piracy technologies such as the ones produced by Aralia Systems are not yet used in Indian movie theaters, security measures against piracy are used. Movie theaters across India are equipped with metal detectors at the door, and security personnel check your handbag or backpack for camcorders. According to an Indian Express article, the organization Allegiance Against Copyright Theft believes one of the reasons monitoring technology is not yet used in theaters is that there is no present Indian legislation that penalizes recording in halls. Once legislation is passed, they speculate there will be a push to use these technologies. Even though monitoring technology is not yet used in theaters, monitoring of consumers' behavior is increasing. Recently in India the WPP-owned research agency IMRB International has developed an online audience measurement system that uses tailored metering technology to track the sites that users visit. The Web Audience Measurement System has launched this technology in a sample size of 21,000 Indian households, covering 90,000 individuals. IMRB has said that the meters are capable of capturing usage data from multiple computers, and that they can then use the information to market to the individual. Does it seem ironic to anyone that companies now charge for a service – movie tickets, internet services, telephone services – and make an extra profit by data mining at the expense of a person's privacy?&lt;/p&gt;
&lt;h3&gt;Sources&lt;/h3&gt;
&lt;ul&gt;&lt;li&gt;http://economictimes.indiatimes.com/news/politics/nation/Govt-depts-asked-not-to-store-sensitive-info-on-Net-connected-computers/articleshow/6874631.cms&lt;/li&gt;&lt;li&gt;http://www.research-live.com/news/technology/imrb-unveils-web-measurement-service-for-indian-market/4003941.article&lt;/li&gt;&lt;li&gt;http://blogs.computerworld.com/17276/anti_piracy_tool_will_harvest_market_your_emotions?source=rss_blogs&lt;/li&gt;&lt;li&gt;&amp;nbsp;http://www.indianexpress.com/news/antipiracy-unit-joins-hands-with-cinema-halls-to-curb-camcording/695439/2&lt;/li&gt;&lt;/ul&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/surveillance-technologies'&gt;https://cis-india.org/internet-governance/blog/privacy/surveillance-technologies&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-03-22T05:40:24Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/eff-feb-13-2013-katitza-rodriguez-and-elonnai-hickok-surveillance-camp-iv-disproportionate-state-surveillance-a-violation-of-privacy">
    <title>Surveillance Camp IV: Disproportionate State Surveillance - A Violation of Privacy</title>
    <link>https://cis-india.org/internet-governance/blog/eff-feb-13-2013-katitza-rodriguez-and-elonnai-hickok-surveillance-camp-iv-disproportionate-state-surveillance-a-violation-of-privacy</link>
    <description>
        &lt;b&gt;This is the fourth in a series of posts mapping global surveillance challenges discussed at EFF's State Surveillance and Human Rights Camp in Rio de Janeiro, Brazil. This article has been co-written with Elonnai Hickok — Centre for Internet and Society India, and a speaker at EFF's Camp.&lt;/b&gt;
        &lt;hr /&gt;
&lt;p&gt;This article by Katitza Rodriguez and Elonnai Hickok was originally &lt;a class="external-link" href="https://www.eff.org/deeplinks/2013/02/disproportionate-state-surveillance-violation-privacy"&gt;published by the Electronic Frontier Foundation&lt;/a&gt; on February 13, 2013.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;States around the world are faced daily with the challenge of  protecting their populations from potential and real threats. To detect  and respond to them, many governments surveil communication networks,  physical movements, and transactional records. Though surveillance by  its nature compromises individual privacy, there are exceptional  situations where state surveillance is justified. Yet, if state  surveillance is unnecessary or overreaching, with weak legal safeguards  and a failure to follow due process, it can become disproportionate to  the threat—infringing on people's privacy rights.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Internationally, regulations concerning government surveillance of communications vary in approach and effectiveness, often with &lt;a href="https://www.eff.org/deeplinks/2012/12/2012-in-review-state-surveillance-around-globe" target="_blank"&gt;very weak or nonexistent legal safeguards&lt;/a&gt;. Some countries have strong regulations for the surveillance of communications, yet these regulations may be largely ineffective or unenforceable in practice. Other countries have no legal safeguards, or have legal standards that differ vastly according to the type of communication data targeted. This is why EFF organized, at the end of last year, a &lt;a href="https://www.eff.org/issues/surveillance-human-rights" target="_blank"&gt;State Surveillance and Human Rights Camp&lt;/a&gt; in Brazil to build upon this discussion, focusing on how states are facilitating unnecessary and disproportionate surveillance of communications in ways that lead to privacy violations.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;State-Mandated Identity Verification&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;In 2012 the Constitutional Court in South Korea &lt;a href="https://www.nytimes.com/2012/08/24/world/asia/south-korean-court-overturns-online-name-verification-law.html?_r=1&amp;amp;" target="_blank"&gt;declared&lt;/a&gt; that country's "real-name identification system" unconstitutional. The system had mandated that any online portal with more than 100,000 daily users had to verify the identity of its users.&lt;a href="#fn1" name="fr1"&gt;[1]&lt;/a&gt; This meant that individuals had to provide their real names before posting comments online. The legal challenge to this system was raised by &lt;a href="https://en.wikipedia.org/wiki/People%E2%80%99s_Solidarity_for_Participatory_Democracy" target="_blank"&gt;People's Solidarity for Participatory Democracy&lt;/a&gt; (PSPD)'s Public Law Center and &lt;a href="https://en.wikipedia.org/wiki/Korean_Progressive_Network_%28Jinbonet%29%20" target="_blank"&gt;Korean Progressive Network&lt;/a&gt; (Jinbonet), among others.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Korea University professor Kyung-shin Park, Chair of PSPD's Law  Center told EFF that portals and phone companies would disclose  identifying information about six million users annually—in a country of  only 50 million people. The South Korean Government was using perceived  online abuses as a convenient excuse to discourage political criticism,  professor Park told EFF:&lt;/p&gt;
&lt;p class="callout" style="text-align: justify; "&gt;The user information shared with the police most commonly has been used  by the government to monitor the anti-governmental sentiments of  ordinary people. All this has gone on because the government, the  legislature, and civil society have not clearly understood the privacy  implications of turning over identifying information of individuals.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The decision by the South Korean Constitutional Court to declare the "real identification system" unconstitutional was a win for user privacy and anonymity because it clearly showed that blanket mandates for the disclosure of identifying information, and the subsequent sharing of that data without judicial authorization, are a disproportionate measure that violates the rights of individuals.&lt;a href="#fn2" name="fr2"&gt;[2]&lt;/a&gt;&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;States Restrict Encryption and Demand Backdoors&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Some States are seeking to block, ban, or discourage the use of strong encryption and other privacy enhancing tools by requiring assistance in decrypting information. In India service providers are required to ensure that bulk encryption is not deployed. Additionally, no individual or entity can employ encryption with a key longer than 40 bits. If the encryption equipment exceeds this limit, the individual or entity will need prior written permission from the Department of Telecommunications and &lt;a href="https://www.dot.gov.in/isp/internet-licence-dated%2016-10-2007.pdf" target="_blank"&gt;must deposit&lt;/a&gt; the decryption keys with the Department.&lt;a href="#fn3" name="fr3"&gt;[3]&lt;/a&gt; The limitation on encryption in India means that technically any encrypted material over 40 bits &lt;a href="http://www.dot.gov.in/isp/internet-licence-dated%2016-10-2007.pdf" target="_blank"&gt;would be accessible&lt;/a&gt; by the State. Ironically, the Reserve Bank of India &lt;a href="http://www.rbi.org.in/scripts/NotificationUser.aspx?Id=414&amp;amp;Mode=0" target="_blank"&gt;issued security recommendations&lt;/a&gt; that banks should use strong encryption, as high as 128-bit, for securing the browser.&lt;a href="#fn4" name="fr4"&gt;[4]&lt;/a&gt; In the United States, under the &lt;a href="http://wiki.surveillancehumanrights.org/Background_on_lawful_interception_mandates_and_government_access_to_encryption_keys" target="_blank"&gt;Communications Assistance for Law Enforcement Act&lt;/a&gt;, telecommunication carriers are required to provide decryption assistance only if they already possess the keys (and in many communications system designs, there's no reason carriers should need to possess the keys at all). 
In 2011, the &lt;a href="https://www.eff.org/pages/legal-struggles-over-interception-rules-united-states" target="_blank"&gt;US Government proposed a bill&lt;/a&gt; that would place new restrictions on domestic development or use of  cryptography, privacy software, and encryption features on devices. The  bill has not been adopted.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Allowing only low levels of encryption and requiring service providers to assist in the decryption of communications facilitates surveillance by giving States easier access to data and preventing individuals from using crypto tools to protect their personal communications.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;States Establish Blanket Interception Facilities&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;In Colombia, telecommunications network and service providers carrying out business within the national territory &lt;a href="https://www.eff.org/pages/mapping-laws-government-access-citizens-data-colombia" target="_blank"&gt;must implement&lt;/a&gt; and ensure that interception facilities are available at all times to  state agencies as prescribed by law. This is to enable authorized state  agencies to intercept communications at any point of time. In addition  to providing interception facilities, service providers must also retain  subscriber data for a period of five years, and  provide information  such as subscriber identity, invoicing address, type of connection on  request, and geographic location of terminals when requested.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Though Colombia has put in place regulations for the surveillance of  communications, these regulations allow for broad surveillance and do  not afford the individual clear rights in challenging the same.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Conclusion&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The examples above demonstrate that, although state surveillance of  communications can be justified in exceptional instances, it leads to  the violation of individual privacy when implemented without adequate  legal safeguards. Clearly there is a need for international principles  articulating critical and necessary components of due process for the  surveillance of communications. Those strong legal safeguards are  necessary not only in countries that don't have laws in place, but also  in countries where laws are lacking and fail to adequately protect  privacy. Last year, EFF &lt;a href="https://www.eff.org/deeplinks/2012/12/tackling-state-surveillance-and-human-rights-protecting-universal-freedoms" target="_blank"&gt;organized the State Surveillance and Human Rights Camp&lt;/a&gt; to discuss a set of &lt;a href="http://necessaryandproportionate.net/" target="_blank"&gt;International Principles on State Surveillance of Communications&lt;/a&gt;,  a global effort led by EFF and Privacy International, to define,  articulate, and promote legal standards to protect individual privacy  when the state carries out surveillance of communications.&lt;/p&gt;
&lt;hr /&gt;
&lt;p&gt;[&lt;a href="#fr1" name="fn1"&gt;1&lt;/a&gt;]. Constitutional Court's Decision 2010 Hunma 47, 252 (consolidated) announced August 28, 2012.&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr2" name="fn2"&gt;2&lt;/a&gt;]. The illegality of this practice was proved by a High Court decision handed down 2 months after the Constitutional Court's decision in August 2012. Seoul Appellate Court 2011 Na 19012, Judgment Announced October 18, 2012. This case &lt;a href="http://www.peoplepower21.org/English/955480" target="_blank"&gt;was prepared and followed singularly&lt;/a&gt; by PSPD Public Interest Law Center.&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr3" name="fn3"&gt;3&lt;/a&gt;]. &lt;a href="http://www.dot.gov.in/isp/internet-licence-dated%2016-10-2007.pdf"&gt;License Agreement for Provision of Internet Services Section 2.2 (vii)&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr4" name="fn4"&gt;4&lt;/a&gt;]. Reserve Bank of India. &lt;a href="http://www.rbi.org.in/scripts/NotificationUser.aspx?Id=414&amp;amp;Mode=0" target="_blank"&gt;Internet Banking Guidelines&lt;/a&gt;. Section (f (2)).&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/eff-feb-13-2013-katitza-rodriguez-and-elonnai-hickok-surveillance-camp-iv-disproportionate-state-surveillance-a-violation-of-privacy'&gt;https://cis-india.org/internet-governance/blog/eff-feb-13-2013-katitza-rodriguez-and-elonnai-hickok-surveillance-camp-iv-disproportionate-state-surveillance-a-violation-of-privacy&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2013-02-19T12:37:09Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary">
    <title>State Surveillance and Human Rights Camp: Summary</title>
    <link>https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary</link>
    <description>
        &lt;b&gt;On December 13 and 14, 2012, the Electronic Frontier Foundation organized the Surveillance and Human Rights Camp held in Rio de Janeiro, Brazil. The meeting examined trends in surveillance, reasons for state surveillance, surveillance tactics that governments are using, and safeguards that can be put in place to protect against unlawful or disproportionate surveillance.&lt;/b&gt;
        &lt;hr /&gt;
&lt;p&gt;&lt;i&gt;This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC&lt;/i&gt;.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;The camp also examined different types of data, understanding tools that governments can use to access data, and looked at examples of surveillance measures in different contexts. The camp was divided into plenary sessions and individual participatory workshops, and brought together activists, researchers, and experts from all over the world. Experiences from multiple countries were shared, with an emphasis on the experience of surveillance in Latin America. Among other things, this blog summarizes my understanding of the discussions that took place.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The camp also served as a platform for collaboration on the &lt;i&gt;Draft International Principles on Communications Surveillance and Human Rights&lt;/i&gt;. These principles seek to set an international standard for safeguards on the surveillance of communications that recognizes and upholds human rights, and to provide guidance for legislative changes related to communications and communications metadata, so that the use of modern communications technology does not violate individual privacy. The principles were first drafted in October 2012 in Brussels, and are still in draft form. A global consultation is taking place to bring in feedback and perspective on the principles.&lt;/p&gt;
&lt;p&gt;The draft principles were institutionalized for a number of reasons including:&lt;/p&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;Currently there are no principles      or international best standards specifically prescribing necessary and      important safeguards to surveillance of communication data. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Practices around surveillance of communications by governments and the technology used by governments are rapidly changing, while legislation and safeguards protecting individual communications from illegal or disproportionate surveillance are staying the same, and thus rapidly becoming outdated. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;New legislation that allows      surveillance through access to communication data that is being proposed      often attempts to give sweeping powers to law enforcement for access to      data across multiple jurisdictions, and mandates extensive cooperation and      assistance from the private sector including extensive data retention      policies, back doors, and built in monitoring capabilities.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Surveillance of communications is      often carried out with few safeguards in place including limited transparency      to the public, and limited forms of appeal or redress for the individual. &lt;/li&gt;
&lt;/ul&gt;
&lt;p style="text-align: justify; "&gt;This has placed the individual in a vulnerable position as opaque surveillance of communications is carried out by governments across the world — the abuse of which is unclear. The principles try to address these challenges by establishing standards and safeguards which should be upheld and incorporated into legislation and practices allowing the surveillance of communications.&lt;/p&gt;
&lt;p&gt;A summary of the draft principles is below. As the principles are still a working draft, the most up to date version of the principles can be accessed &lt;a class="external-link" href="http://necessaryandproportionate.net/"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Summary of the Draft International Principles on Communications Surveillance and Human Rights&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Legality&lt;/b&gt;: Any surveillance of communications undertaken by the government must be codified by statute.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Legitimate Purpose&lt;/b&gt;: Laws should only allow surveillance of communications for legitimate purposes.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Necessity&lt;/b&gt;: Laws allowing surveillance of communications should limit such measures to what is demonstrably necessary.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Adequacy&lt;/b&gt;: Surveillance of communications should only be undertaken to the extent that is adequate for fulfilling legitimate and necessary purposes.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Competent Authority&lt;/b&gt;: Any authorization for surveillance of communications must be made by a competent and independent authority.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Proportionality&lt;/b&gt;: All measures of surveillance of communications must be specific and proportionate to what is necessary to achieve a specific purpose.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Due process&lt;/b&gt;: Governments undertaking surveillance of communications must respect and guarantee an individual’s human rights. Any interference with an individual's human rights must be authorized by a law in force.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;User notification&lt;/b&gt;: Governments undertaking surveillance of communications must allow service providers to notify individuals of any legal access that takes place related to their personal information.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Transparency about use of government surveillance&lt;/b&gt;: The government's ability to surveil communications and the process for surveillance should be transparent to the public.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Oversight&lt;/b&gt;: Governments must establish an independent oversight mechanism to ensure transparency and accountability of lawful surveillance measures carried out on communications.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Integrity of communications and systems&lt;/b&gt;: In order to enable service providers to secure communications, governments cannot require service providers to build in surveillance or monitoring capabilities.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Safeguards for international cooperation&lt;/b&gt;: When governments work with other governments across borders to fight crime, the higher/highest standard should apply.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Safeguards against illegitimate access&lt;/b&gt;: Governments should provide sufficient penalties to dissuade against unwarranted surveillance of communications.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Cost of surveillance&lt;/b&gt;: The financial cost of the surveillance on communications should be borne by the government undertaking the surveillance.&lt;/p&gt;
&lt;h3&gt;Types of Data&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The conversations during the camp reviewed a number of practices related to surveillance of communications, and emphasized the importance of establishing the draft principles. Setting the background to various surveillance measures that can be carried out by the government, the different categories of communication data that can be easily accessed by governments and law enforcement were discussed. For example, law enforcement frequently accesses information such as IP address, account name and number, telephone number, transactional records, and location data.  This data can be understood as 'non-content' data or communication data, and in many jurisdictions can easily be accessed by law enforcement/governments, as the requirements for accessing communication data are lower than the requirements for accessing the actual content of communications. For example, in the United States a court order is not needed to access communication data whereas a judicial order is needed to access the content of communications.&lt;a href="#fn1" name="fr1"&gt;[1]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Similarly, in the UK law enforcement can access communication data with authorization from a senior police officer.&lt;a href="#fn2" name="fr2"&gt;[2]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It was discussed how concerning it is that communication data can be accessed easily, as it provides a plethora of facts about an individual. The sensitivity of communication data and the ability for personal information to be derived from it, the ease with which law enforcement accesses the data, and the individual's unawareness of the access together place the privacy of users at risk.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Ways of Accessing Data&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Ways in which governments and law enforcement access information, and the associated challenges, were discussed, both in terms of the legislation that allows for access and the technology that is used for access.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Access and Technology&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;In this discussion it was pointed out that traditional forms of accessing data are no longer effective for governments, for a number of reasons. For example, in many cases communications and transactions, etc., that take place on the internet are encrypted. The ubiquitous use of encryption means more protection for the individual in everyday use of the internet, but serves as an obstacle to law enforcement and governments, as the content of a message is even more difficult to access. Thus, law enforcement and governments are using technologies like commercial surveillance software, targeted hacking, and malware to survey individuals. The software is sold off the shelf at trade shows by commercial software companies to law enforcement and governments. Though the software has been developed to be a useful tool for governments, it was found that in some cases it has been abused by authoritarian regimes. For example, in 2012 it was found that FinSpy, a computer espionage software made by the British company Gamma Group, was being used by the Government of Bahrain to target political dissidents. FinSpy has the ability to capture computer screen shots, record Skype chats, turn on computer cameras and microphones, and log keystrokes.&lt;a href="#fn3" name="fr3"&gt;[3]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In order to intercept communications or block access to sites, governments and ISPs also rely on the use of deep packet inspection (DPI).&lt;a href="#fn4" name="fr4"&gt;[4]&lt;/a&gt; Deep packet inspection is a tool traditionally used by internet service providers for effective management of the network. DPI allows ISPs to monitor and filter data flowing through the network by inspecting the header of a packet of data and the content of the packet.&lt;a href="#fn5" name="fr5"&gt;[5]&lt;/a&gt; With this information it is possible to read the actual content of packets, and identify the program or service being used.&lt;a href="#fn6" name="fr6"&gt;[6]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;DPI can be used for the detection of viruses, spam, unfair use of bandwidth, and copyright enforcement.  At the same time, DPI can allow for the possibility of unauthorized data mining and real time interception to take place, and can be used to block internet traffic whether it is encrypted or not.&lt;a href="#fn7" name="fr7"&gt;[7]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Governmental requirements for deep packet inspection can in some cases be found in legislation and policy. In other cases it is not clear if it is mandatory for ISPs to provide DPI capabilities, thus the use of DPI by governments is often an opaque area. Recently, the ITU has sought to define an international standard for deep packet inspection known as the "Y.2770" standard. The standard proposes a technical interoperable protocol for deep packet inspection systems, which would be applicable to "application identification, flow identification, and inspected traffic types".&lt;a href="#fn8" name="fr8"&gt;[8]&lt;/a&gt;&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Access and Legislation&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The discussions also examined similarities across legislation and policy which allows governments legal access to data. It was pointed out that legislation providing access to different types of data is increasingly becoming outdated, and is unable to distinguish between communications data and personal data. Thus, relevant legislation is often based on inaccurate and outdated assumptions about what information would be useful and what types of safeguards are necessary. For example, it was discussed how US surveillance law has traditionally established safeguards based on assumptions like: surveillance of data on a personal computer is more invasive than access to data stored in the cloud, real-time surveillance is more invasive than access to stored data, surveillance of newer communications is more invasive than surveillance of older communications, etc. These assumptions are no longer valid as information stored in the cloud, surveillance of older communications, and surveillance of stored data can be more invasive than access to newer communications, etc. It was also discussed that increasingly relevant legislation also contains provisions that have generic access standards, unclear authorization processes, and provide broad circumstances in which communication data and content can be accessed. The discussion also examined how governments are beginning to put in place mandatory and extensive data retention plans as tools of surveillance. These data retention mandates highlight the changing role of internet intermediaries including the fact that they are no longer independent from political pressure, and no longer have the ability to easily protect clients from unauthorized surveillance.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;[&lt;a href="#fr1" name="fn1"&gt;1&lt;/a&gt;]. EFF. Mandatory Data Retention: United States. Available at: &lt;a class="external-link" href="https://www.eff.org/issues/mandatory-data-retention/us"&gt;https://www.eff.org/issues/mandatory-data-retention/us&lt;/a&gt;&lt;br /&gt;[&lt;a href="#fr2" name="fn2"&gt;2&lt;/a&gt;]. Espiner, T. Communications Data Bill: Need to Know. ZDNet. June 18th 2012. Available at: &lt;a class="external-link" href="http://www.zdnet.com/communications-data-bill-need-to-know-3040155406/"&gt;http://www.zdnet.com/communications-data-bill-need-to-know-3040155406/&lt;/a&gt;&lt;br /&gt;[&lt;a href="#fr3" name="fn3"&gt;3&lt;/a&gt;]. Perlroth, M. Software Meant to Fight Crime is Used to Spy on Dissidents. The New York Times. August 30th 2012. Available at: &lt;a class="external-link" href="http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html?_r=0"&gt;http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html?_r=0&lt;/a&gt;&lt;br /&gt;[&lt;a href="#fr4" name="fn4"&gt;4&lt;/a&gt;]. Wawro, A. What is Deep Packet Inspection?. PCWorld. February 1st 2012. Available at: &lt;a class="external-link" href="http://www.pcworld.com/article/249137/what_is_deep_packet_inspection_.html"&gt;http://www.pcworld.com/article/249137/what_is_deep_packet_inspection_.html&lt;/a&gt;&lt;br /&gt;[&lt;a href="#fr5" name="fn5"&gt;5&lt;/a&gt;]. Geere, D. How deep packet inspection works. Wired. April 27th 2012. Available at: &lt;a class="external-link" href="http://www.wired.co.uk/news/archive/2012-04/27/how-deep-packet-inspection-works"&gt;http://www.wired.co.uk/news/archive/2012-04/27/how-deep-packet-inspection-works&lt;/a&gt;&lt;br /&gt;[&lt;a href="#fr6" name="fn6"&gt;6&lt;/a&gt;]. Kassner, M. Deep Packet Inspection: What You Need to Know. Tech Republic. July 27th 2008. 
Available at: &lt;a class="external-link" href="http://www.techrepublic.com/blog/networking/deep-packet-inspection-what-you-need-to-know/609"&gt;http://www.techrepublic.com/blog/networking/deep-packet-inspection-what-you-need-to-know/609&lt;/a&gt;&lt;br /&gt;[&lt;a href="#fr7" name="fn7"&gt;7&lt;/a&gt;]. Anonyproz. How to Bypass Deep Packet Inspection Devices or ISPs Blocking Open VPN Traffic. Available at: &lt;a class="external-link" href="http://www.anonyproz.com/supportsuite/index.php?_m=knowledgebase&amp;amp;_a=viewarticle&amp;amp;kbarticleid=138"&gt;http://www.anonyproz.com/supportsuite/index.php?_m=knowledgebase&amp;amp;_a=viewarticle&amp;amp;kbarticleid=138&lt;/a&gt;&lt;br /&gt;[&lt;a href="#fr8" name="fn8"&gt;8&lt;/a&gt;]. Chirgwin, R. Revealed: ITU's deep packet snooping standard leaks online: Boring tech doc or Internet eating monster. The Register. December 6th 2012. Available at: &lt;a class="external-link" href="http://www.theregister.co.uk/2012/12/06/dpi_standard_leaked/"&gt;http://www.theregister.co.uk/2012/12/06/dpi_standard_leaked/&lt;/a&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary'&gt;https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>SAFEGUARDS</dc:subject>
    

   <dc:date>2013-07-12T16:02:51Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/events/stand-up-for-digital-rights">
    <title>Stand up for Digital Rights</title>
    <link>https://cis-india.org/internet-governance/events/stand-up-for-digital-rights</link>
    <description>
        &lt;b&gt;The Centre for Internet &amp; Society (CIS) invites you to a discussion on a set of recommendations for Ethical Tech, a report on human rights and private online intermediaries which describes key areas where such actors have responsibilities. The event will be held at CIS office in Bangalore on June 15, 2016 from 5 p.m. to 7 p.m.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The discussion intends to launch a report on human rights and private online intermediaries, which describes key areas where such actors have responsibilities and provides a detailed set of recommendations for Ethical Tech. This work is the culmination of a year-long research project led by the Centre for Law and Democracy (CLD), in collaboration with the Arabic Network for Human Rights Information (ANHRI), the Centre for Internet and Society (CIS), Open Net Korea, the Center for Studies on Freedom of Expression and Access to Information at the University of Palermo (CELE) and researchers with the University of Ottawa and the Munk School of Global Affairs at the University of Toronto. The key themes for discussion would include:&lt;/p&gt;
&lt;div id="_mcePaste"&gt;
&lt;ul&gt;
&lt;li&gt;&lt;span&gt;General Human Rights Responsibilities and Private Online Intermediaries&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;Expanding Access&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;Net Neutrality&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;Content Moderation&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;Privacy&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;Transparency and Informed Consent&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;Responding to State Interferences&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;p&gt;We look forward to meeting you and making this forum for knowledge exchange a success.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/events/stand-up-for-digital-rights'&gt;https://cis-india.org/internet-governance/events/stand-up-for-digital-rights&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Event</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Digital Rights</dc:subject>
    

   <dc:date>2016-06-13T15:30:12Z</dc:date>
   <dc:type>Event</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/privacy-ratantata">
    <title>Should Ratan Tata be Afforded the Right to Privacy? </title>
    <link>https://cis-india.org/internet-governance/blog/privacy/privacy-ratantata</link>
    <description>
        &lt;b&gt;The Ratan Tata case has raised many important questions pertaining to privacy. This note looks at a few of those questions, and the debate that centers around them. &lt;/b&gt;
        
&lt;h3&gt;Introduction&lt;/h3&gt;
&lt;p&gt;In 2008 and 2009 conversations between Nira Radia, a professional corporate lobbyist, and many different individuals were intercepted by Income Tax officials. The interception was approved by the Ministry of Home Affairs. The interception was conducted for suspected tax evasion, possible money laundering, and restricted financial practices. The individuals included: A. Raja, the then Cabinet Minister of the Ministry of Communications and Information Technology; Ratan Tata, a client of Nira Radia and Chairman of the Tata group of companies; and various journalists including: Barkha Dutt, NDTV journalist alleged to have lobbied in support of A. Raja’s appointment as minister, and Vir Sanghvi, editor of the Hindustan Times alleged to have edited articles reducing the blame in the Nira Radia tapes. Earlier this year, these conversations were leaked to the media by an unknown source. The leak exposed a scam to manipulate the upcoming auctioning off of the 2G spectrum. In response to his leaked conversations with his consultant Nira Radia, Ratan Tata has filed a petition in the Supreme Court, claiming that his privacy has been invaded. Tata claims that the conversations were private, and that the tapes should be withdrawn from the public. He has not objected to the use of the tapes in court, acknowledging that they were obtained legally. On December 2nd the Supreme Court issued a notice to restrain the unauthorised publication of the intercepted tapes [1].&lt;/p&gt;
&lt;h3&gt;Questions of Privacy&lt;/h3&gt;
&lt;p&gt;The Nira Radia tapes case raises many important questions about privacy, wiretapping, transparency and ethics. It will be interesting to see how the court rules on different issues as the case progresses.&amp;nbsp; First, it will be meaningful to see how the court responds to Tata’s plea for privacy. Indian courts have seen only a handful of cases that have directly appealed for protection of privacy as a fundamental right [2].&amp;nbsp; The type of privacy that has been invaded in this situation is unclear. If one looks at the privacy invasion as the data that was&amp;nbsp; improperly protected,&amp;nbsp; thus leading to the leak, the Tax Department may be found to have violated the informational privacy of Tata.&amp;nbsp; If one looks at the invasion of privacy as the fact that personal contents of conversations were made public with the intent to expose the 2G scam, the claim is really one that his personal privacy has been invaded. Because India does not have a specific legislation on privacy, there is no clear definition of what privacy is, and whether or not Tata has had his privacy invaded.&amp;nbsp; The decision by the courts will help to clarify how Indian society defines privacy, and where the line between public and private falls.&lt;/p&gt;
&lt;h3&gt;Is the Information Public Knowledge?&lt;/h3&gt;
&lt;p&gt;Whether or not the information intercepted in the phone conversations is public knowledge is an important question to answer. Though the 2G spectrum belongs to the people, and the conversations that were intercepted were planning a scam to defraud the Indian exchequer, the conversations were meant to be private. So, does the public have a right to know the content of the conversations, or does Ratan Tata have the right to privacy? The legislation that addresses the release of public information, and defines the categories of information that are considered to be private, is the Right to Information Act 2005. In India in recent years the right to knowledge has become a cornerstone of Indian civil liberties. The Right to Information Act 2005 embodies this liberty. The RTI mandates timely response to a citizen’s request for government information, and in its preamble affirms the policy that “…democracy requires an informed citizenry and transparency of information which are vital to its functioning and also to contain corruption and to hold Governments and their instrumentalities accountable to the governed”[3]. Under the Act, public information about or held by the government must be given to citizens upon request. Unlike in some countries, such as Canada, where the Right to Information is bolstered by a privacy law [4], the Indian legislation only contains sections that detail exceptions of data that cannot be disclosed, and the conditions for third party release. These exceptions are laid out in section 8, and in section 11 release of records to a third party is outlined.&lt;/p&gt;
&lt;h3&gt;Are the Conversations Considered Public Knowledge and Would they be Released by an RTI?&lt;/h3&gt;
&lt;p&gt;In a recent interview Prashant Bhushan, Supreme Court Advocate responded to a similar question with the following statement [5]:&lt;/p&gt;
&lt;p&gt;Bhushan: &lt;em&gt;"Firstly the conversations which have come out in the public domain are not private conversations. They are conversations between Nira Radia with various public servants, with various journalists etc in her official capacity as a paid professional lobbyist and fixer for her principals. Therefore, there is hardly anything personal in these conversations. These are all professional conversations or conversations about deal making, fixing, subverting public policy etc. These conversations would be available to every citizen even under the Right to Information Act because the only objection that one could raise would be on the ground of 81(J) of the Right to Information Act which says - information which relates to personal information, the disclosure of which has no relationship to any public activity or interest. This information has relationship to public activity or interest. It also says - or which would cause unwarranted invasion of the privacy of the individual unless the public authority is satisfied, unless the information officer is satisfied that the larger public interest justifies the disclosure of such an information. In this case there is overwhelming public interest which warrants the disclosure of this information because this shows all kinds of deal making, fixing going on.&lt;/em&gt;"&lt;/p&gt;
&lt;p&gt;As Bhushan has pointed out, it is possible to make the argument that the taped conversations should be categorized as public knowledge. They took place between public officials and journalists, and pertain to an issue that deeply impacts the public as a whole. Thus, a preliminary question that should be asked is whether Tata’s conversations would be revealed through an RTI, or whether his conversation would fall under the exemption of personal information found in section 8(j):&lt;/p&gt;
&lt;p align="left"&gt;“ &lt;em&gt;Information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information: &lt;/em&gt;&lt;/p&gt;
&lt;p align="left"&gt;&lt;em&gt;Provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.&lt;/em&gt;”&lt;/p&gt;
&lt;p&gt;It is interesting to note the structure of this exemption.&amp;nbsp; By the use of the word “or” the legislation suggests that unwarranted invasion of individual privacy may trigger the exemption, even if the information has a relationship to a public activity or interest.&amp;nbsp; But the added caveat says that the larger public interest could justify the release of even purely private information.&amp;nbsp; In addition, what constitutes “personal” information is never defined in the legislation. Thus, whether Tata’s conversations were personal in nature will have to be determined by the courts. Even if the nature of Tata’s wiretapped conversations was deemed not to be personal information, there still is an argument that they could still not be released to the public through an RTI, because Tata is not a Tax Department official, and the RTI requires disclosure of information about the Tax Department or officials in the tax department, not information about individuals who are under investigation by the Tax department.&lt;/p&gt;
&lt;h3&gt;Was the Leak of the Tape Legal?&lt;/h3&gt;
&lt;p&gt;Though the recording of the tapes by the Tax Department appears to be legal under the Telegraph Act 1885 section 5(2), the leak of the tape was not. Section 5(2) reads:&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Section 5(2) – (2) On the occurrence of any public emergency, or in the interest of the public safety, the Central Government or a State Government or any officer specially authorised in this behalf by the Central Government or a State Government may, if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence, for reasons to be recorded in writing, by order, direct that any message or class of messages to or from any person or class of persons, or relating to any particular subject, brought for transmission by or transmitted or received by any telegraph, shall not be transmitted, or shall be intercepted or detained, or shall be disclosed to the Government making the order or an officer thereof mentioned in the order:&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Provided that press messages intended to be published in India of correspondents accredited to the Central Government or a State Government shall not be intercepted or detained, unless their transmission has been prohibited under this sub-section.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Though the Telegraph Act does not lay out specific procedures as to how wiretapped information is to be protected and secured, under sections 23 and 24 it is not permitted for any person to illegally obtain the contents of an intercepted telegraph.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;23. Intrusion into signal-room, trespass in telegraph office or obstruction – If any person –&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;1. without permission of competent authority, enters the signal-room of a telegraph office of the Government, or of a person licensed under this Act, or&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;2. enters a fenced enclosure round such a telegraph office in contravention of any rule or notice not to do so, or&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;3. refuses to quit such room or enclosure on being requested to do so by any officer or servant employed therein, or&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;4. willfully obstructs or impedes any such officer or servant in the performance of his duty, he shall be punished with fine which may extend to five hundred rupees.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;24. Unlawfully attempting to learn the contents of messages – If any person does any of the acts mentioned in section 23 with the intention of unlawfully learning the contents of any message, or of committing any offence punishable under this Act, he may (in addition to the fine with which he is punishable under section 23) be punished with imprisonment for a term which may extend to one year.&lt;/em&gt;&lt;/p&gt;
&lt;h3&gt;Is it Important that the Leak was Illegal: A Question About the Public Good&lt;/h3&gt;
&lt;p&gt;Clearly, from the above clauses, and in this situation, the Tax Department could argue that firstly they are not responsible for the leak, and that the illegality of the release of the tapes is subservient to the need to protect public safety. But what constitutes the greater good? In the case of Babu Ram Verma Vs. State of Uttar Pradesh (1971) the Supreme Court interpreted the expression “public interest” as an act beneficial to the general public and an action taken for public purpose[6]. When considering whether the information is for the public good, the simple answer seems to be yes, the exposure of the 2G scam does benefit the “public interest”, but this should not be the complete answer. The reason that there are laws to regulate the dissemination of information is to protect information from being presented in a way that prejudices a person or discloses information that the public does not have a right to know. It is courts – not individuals – who should decide that the public does have a right to know before the information is disseminated. The information on the tapes could have been brought to the public’s attention by other - legal - means. Namely, the Tax Department could have filed for a new warrant to use the wiretapped information pertaining to the 2G scam, and disclosed the materials in connection with the Comptroller and Auditor General of India.&lt;/p&gt;
&lt;h3&gt;Concerns about Privacy and the Right to Information: Not a Balance, but a Partnership&lt;/h3&gt;
&lt;p&gt;The concern that privacy will be used to weaken transparency and to conceal crimes and corruption is often voiced as an obstacle to instituting a firm privacy law. Privacy is not a shield, and should not be misunderstood for one. A privacy legislation should bring clarity to the Right to Information. It should create a concise framework and understanding of what information is always acceptable to disclose, and what information is not acceptable to disclose without court authorization. In this situation, a privacy law could have clarified that conversations among private citizens are presumptively private, and that a court must determine otherwise. Though many people believe that the right to privacy and the right to transparency is a balance in which one right will always subordinate the other, this is not necessarily true. For instance if we look at how the two rights are at work when a voter is about to go to the polling stations, it is easy to see how they are related. The right to privacy can be understood, inter alia, as the right to be safe in one’s own identity. This is crucial for voting. If you look at this with focus on the candidate for election, there is both the need to know as much information about that individual in order to make an informed choice, but if too much, unrelated information is known about a candidate, the election could be compromised.&lt;/p&gt;
&lt;h3&gt;Conclusion: Will Ratan Tata be Afforded the Right to Privacy?&amp;nbsp;&lt;/h3&gt;
&lt;p&gt;In conclusion, the Nira Radia and Ratan Tata case raises many fundamental questions about privacy. In his white paper on privacy Vakul Sharma pointed out two important cases that could pertain to this situation. The first case is People’s Union for Civil Liberties (PUCL) v. Union of India, in which the Supreme Court held that telephone tapping by Government under S. 5(2) of Telegraph Act, 1885 amounts to an infraction of Article 21 of the Constitution of India. Right to privacy is a part of the right to “life” and “personal liberty” enshrined under Article 21 of the Constitution. The said right cannot be curtailed “except according to procedure established by law”[7]. It will be interesting to see if the courts follow a similar reasoning in this case, because though the tap was legal, the leak was illegal, or if exceptions will be made under the assumption of the greater public good. The second important case was State v. Charulata Joshi, in which the Supreme Court held that “the constitutional right to freedom of speech and expression conferred by Article 19(1)(a) of the Constitution which includes the freedom of the press is not an absolute right. The press must first obtain the willingness of the person sought to be interviewed and no court can pass any order if the person to be interviewed expresses his unwillingness”[8]. Perhaps the courts will instead follow the logic in this case, and rule that the press had no right to publish the recorded conversations and that by doing so, Ratan Tata’s privacy was invaded. No matter what the court’s decision is, it is clear that in light of the Nira Radia case, the UID, and many other arising situations – India needs to come to a decision about whether it wants privacy legislation, and, if so, what a privacy legislation should look like.&lt;/p&gt;
&lt;h3&gt;Bibliography:&lt;/h3&gt;
&lt;p&gt;1. http://en.wikipedia.org/wiki/2G_spectrum_scam http://economictimes.indiatimes.com/news/politics/nation/On-Tatas-plea-apex-court-sends-notice-to-govt/articleshow/7028580.cms&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&amp;nbsp; http://www.moneycontrol.com/news/management/ratan-tataright-to-privacy-_502063.html&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&amp;nbsp; http://economictimes.indiatimes.com/news/politics/nation/Phone-taps-should-not-be-leaked-Chidambaram/articleshow/7036765.cm&lt;/p&gt;
&lt;p&gt;2.The following are a few cases that pertain to privacy: R. Rajagopal v. State of Tamil Nadu5, People’s Union for Civil Liberties (PUCL) v. Union of India6, Gobind v. State of M.P.&lt;/p&gt;
&lt;p&gt;3.The Right to Information Act 2005. Preamble.&lt;/p&gt;
&lt;p&gt;4.The Canadian Access to Information Act was created in 1985, and is meant to&amp;nbsp; complement the Privacy Act&lt;/p&gt;
&lt;p&gt;5.http://www.moneycontrol.com/news/management/ratan-tataright-to-privacy-_502063.html&lt;/p&gt;
&lt;p&gt;6.Chakraborty, B.K. RTI and Protection of Individual Privacy. Tripura Information Commissio&lt;/p&gt;
&lt;p&gt;7.Sharma, Vakul. White Paper on Privacy Protection in India. Section 5&lt;/p&gt;
&lt;p&gt;8.Sharma, Vakul. White Paper on Privacy Protection in India. Section 3&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/privacy-ratantata'&gt;https://cis-india.org/internet-governance/blog/privacy/privacy-ratantata&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>


   <dc:date>2012-03-21T10:03:20Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/jobs/vacancy-for-short-term-consultant-ietf">
    <title>Short-term Consultant (IETF)</title>
    <link>https://cis-india.org/jobs/vacancy-for-short-term-consultant-ietf</link>
    <description>
        &lt;b&gt;The Centre for Internet &amp; Society is seeking an individual with a strong understanding of IETF standards to work with us on writing 7 Human Rights Considerations for Internet standards and active drafts that are relevant to public interest. Additionally, the individual will help develop a longer term work-plan, expertise and approach for engagement in the IETF.&lt;/b&gt;
        &lt;p dir="ltr"&gt;Note: This position is a consultancy based on output.&lt;/p&gt;
&lt;p dir="ltr"&gt;Compensation: Based on experience and output.&lt;/p&gt;
&lt;p dir="ltr"&gt;Application requirements: two writing samples or other examples of technical work and CV&lt;/p&gt;
&lt;p dir="ltr"&gt;Contact: sunil@cis-india.org&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/jobs/vacancy-for-short-term-consultant-ietf'&gt;https://cis-india.org/jobs/vacancy-for-short-term-consultant-ietf&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Jobs</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2018-04-21T15:44:49Z</dc:date>
   <dc:type>Page</dc:type>
   </item>




</rdf:RDF>
