Centre for Internet and Society

Round Table on Privacy and Data Protection at NIPFP

praskrishna — 2017-03-27T16:02:59Z

National Institute of Public Finance & Policy organized a round-table on privacy and data protection on March 24, 2017 in New Delhi.

Click to see the agenda.

For more details visit https://cis-india.org/internet-governance/news/round-table-on-privacy-and-data-protection-at-nipfp

Role of the US Tech Companies in Government Surveillance: A Lecture by Christopher Soghoian

praskrishna — 2012-08-26T11:03:19Z

Christopher Soghoian will deliver a lecture on the role US tech companies play in assisting government surveillance at the Centre for Internet & Society office in Bangalore on August 27, 2012, from 5.00 p.m. to 7.00 p.m.

Your internet, phone and web application providers are all, for the most part, in bed with US and other foreign government agencies. They all routinely disclose their customers' communications and other private data to law enforcement and intelligence agencies. Worse, firms like Google and Microsoft specifically log data in order to assist the government. How many government requests does your ISP get for its customers' communications each year? How many do they comply with? How many do they fight? How much do they charge for the surveillance assistance they provide? Who knows? Most companies have a strict policy of not discussing such topics.

The differences in the privacy practices of the major players in the telecommunications and internet applications market are significant. Some firms retain identifying data for years, while others retain no data at all; some voluntarily provide the government access to user data, while other companies refuse to voluntarily disclose data without a court order; some companies charge government agencies when they request user data, while others disclose it for free. For an individual, later investigated by the police or intelligence services, the data retention practices adopted by their phone company or email provider can significantly impact their freedom.

Unfortunately, although many companies claim to care about end-user privacy, and some even that they compete on their privacy features, none seem to be willing to compete on the extent to which they assist or resist the government in its surveillance activities. Because information about each firms' practices is not publicly known, consumers cannot vote with their wallets, and pick service providers that best protect their privacy.

This talk will pierce the veil of secrecy surrounding these practices. Based upon a combination of Freedom of Information Act requests, off the record conversations with industry lawyers, and investigative journalism, the practices of many of these firms will be revealed.

Christopher's Personal Experience

In the year 2006, the Federal Bureau of Investigation (FBI) raided Christopher’s home at 2.00 a.m. seizing his personal documents and computers. Two attorneys, Stephen Braga and Jennifer Granick came to his defence. With their expert assistance, Christopher was able to get back his possessions within three weeks, and FBI’s criminal and TSA’s civil investigations were closed without any charges being filed.

Jennifer Granick came to Christopher’s assistance once again (joined by Steve Leckar) in 2010 after the Federal Trade Commission’s Inspector General investigated Christopher for using his government badge to attend a closed-door surveillance industry conference. It was at that event that Christopher recorded an executive from wireless carrier ‘Sprint’ bragging about the eight million times his company had obtained GPS data on its customers for law enforcement agencies in the previous years.

To know more, read Christopher Soghoian’s dissertation titled "The Spies We Trust: Third Party Service Providers and Law Enforcement Surveillance". [PDF, 1056 Kb]

About Christopher Soghoian

Christopher Soghoian is a privacy researcher and activist, working at the intersection of technology, law and policy. He is a Principal Technologist and Senior Policy Analyst at the American Civil Liberties Union and is based in Washington, D.C.

Soghoian completed his Ph.D. at Indiana University in 2012, which focused on the role that third party service providers play in facilitating law enforcement surveillance of their customers. In order to gather data, he has made extensive use of the Freedom of Information Act, sued the Department of Justice pro se, and used several other investigative research methods. His research has appeared in publications including the Berkeley Technology Law Journal and been cited by several federal courts, including the Ninth Circuit Court of Appeals.

Between the years, 2009-2010, he was the first ever in-house technologist at the Federal Trade Commission's Division of Privacy and Identity Protection, where he worked on investigations of Facebook, Twitter, MySpace and Netflix. Prior to joining the FTC, he co-created the Do Not Track privacy anti-tracking mechanism now adopted by all of the major web browsers.

He is a TEDGlobal 2012 Fellow, was an Open Society Foundations Fellow between the years, 2011-2012, and was a Student Fellow at the Berkman Center for Internet & Society, Harvard University between 2008 and 2009.

For more details visit https://cis-india.org/internet-governance/role-of-us-tech-companies-in-govt-surveillance

RightsCon Silicon Valley 2016

praskrishna — 2016-04-06T15:10:21Z

RightsCon is the world’s leading event convened around the issues of the internet and human rights. The annual conference convenes business leaders, visionaries, technologists, legal experts, civil society members, activists, and government representatives from across the globe on issues at the intersection of tech and human rights. The event was organized by RightsCon.

Program

This year, we had three days ofprogrammingplus a day of satellite events (Day Zero satellite events + three full days of main programming), tackling some of today’s most challenging business and policy issues: freedom of expression, online harassment and countering violent extremism, privacy and digital security, encryption, network discrimination and connectivity, human rights, trade and business, transparency reporting, digital inclusion, internet governance, and much more. Click here to see our program schedule.

With 250+ sessions and over 1,000 registered participants, RightsCon 2016 provided unparalleled opportunities to engage with leading speakers and organizations, both in sessions and through private meetings and discussions. It was also home to an array of parties, movie screenings, and social events throughout the week to help participants meet others in the space.

Elonnai Hickok participated in the following panels and meetings at RightsCon held at Mission Bay Conference Center in San Francisco, California from March 30 to April 1, 2016:

1. Beyond CSR: Promoting Strong Human Rights Performance - Centre for Law and Democracy
2. Ranking ICT Companies on Digital Rights; A How to Guide - Ranking Digital Rights
3. Who is an Intermediary? Harmonizing Definitions? - CIS
4. Manila Principles: One Year Later - CIS and EFF
5. Cross Border Data Requests - American University Washington College of Law, University of Kentucky College of Law.
6. Closed door meeting for Ranking Digital Rights
7. GNI meeting on Mutual Legal Assistance

More info on the RightsCon website

For more details visit https://cis-india.org/internet-governance/news/rightscon-silicon-valley-2016

Right to Privacy in Peril

vipul — 2015-08-13T15:32:18Z

It seems to have become quite a fad, especially amongst journalists, to use this headline and claim that the right to privacy which we consider so inherent to our being, is under attack. However, when I use this heading in this piece I am not referring to the rampant illegal surveillance being done by the government, or the widely reported recent raids on consenting (unmarried) adults who were staying in hotel rooms in Mumbai. I am talking about the fact that the Supreme Court of India has deemed it fit to refer the question of the very existence of a fundamental right to privacy to a Constitution Bench to finally decide the matter, and define the contours of such right if it does exist.

In an order dated August 11, 2015 the Supreme Court finally gave in to the arguments advanced by the Attorney General and admitted that there is some “unresolved contradiction” regarding the existence of a constitutional “right to privacy” under the Indian Constitution and requested that a Constitutional Bench of appropriate strength.

The Supreme Court was hearing a petition challenging the implementation of the Adhaar Card Scheme of the government, where one of the grounds to challenge the scheme was that it was violative of the right to privacy guaranteed to all citizens under the Constitution of India. However to counter this argument, the State (via the Attorney General) challenged the very concept that the Constitution of India guarantees a right to privacy by relying on an “unresolved contradiction” in judicial pronouncements on the issue, which so far had only been of academic interest. This “unresolved contradiction” arose because in the cases of M.P. Sharma & Others v. Satish Chandra & Others,[1] and Kharak Singh v. State of U.P. & Others,[2] (decided by Eight and Six Judges respectively) the Supreme Court has categorically denied the existence of a right to privacy under the Indian Constitution.

However somehow the later case of Gobind v. State of M.P. and another,[3] (which was decided by a two Judge Bench of the Supreme Court) relied upon the opinion given by the minority of two judges in Kharak Singh to hold that a right to privacy does exist and is guaranteed as a fundamental right under the Constitution of India.[4] Thereafter a large number of cases have held the right to privacy to be a fundamental right, the most important of which are R. Rajagopal & Another v. State of Tamil Nadu & Others,[5] (popularly known as Auto Shanker’s case) and People’s Union for Civil Liberties (PUCL) v. Union of India & Another.[6] However, as was noticed by the Supreme Court in its August 11 order, all these judgments were decided by two or three Judges only.

The petitioners on the other hand made a number of arguments to counter those made by the Attorney General to the effect that the fundamental right to privacy is well established under Indian law and that there is no need to refer the matter to a Constitutional Bench. These arguments are:

(i) The observations made in M.P. Sharma regarding the absence of right to privacy are not part of the ratio decidendi of that case and, therefore, do not bind the subsequent smaller Benches such as R. Rajagopal and PUCL.

(ii) Even in Kharak Singh it was held that the right of a person not to be disturbed at his residence by the State is recognized to be a part of a fundamental right guaranteed under Article 21. It was argued that this is nothing but an aspect of privacy. The observation in para 20 of the majority judgment (quoted in footnote 2 above) at best can be construed only to mean that there is no fundamental right of privacy against the State’s authority to keep surveillance on the activities of a person. However, they argued that such a conclusion cannot be good law any more in view of the express declaration made by a seven-Judge bench decision of this Court in Maneka Gandhi v. Union of India & Another.[7]

(iii) Both M.P. Sharma (supra) and Kharak Singh (supra) were decided on an interpretation of the Constitution based on the principles expounded in A.K. Gopalan v. State of Madras,[8] which have themselves been declared wrong by a larger Bench in Rustom Cavasjee Cooper v. Union of India.[9]

Other than the points above, it was also argued that world over in all the countries where Anglo-Saxon jurisprudence is followed, ‘privacy’ is recognized as an important aspect of the liberty of human beings. The petitioners also submitted that it was too late in the day for the Union of India to argue that the Constitution of India does not recognize privacy as an aspect of the liberty under Article 21 of the Constitution of India.

However these arguments of the petitioners were not enough to convince the Supreme Court that there is no doubt regarding the existence and contours of the right to privacy in India. The Court, swayed by the arguments presented by the Attorney General, admitted that questions of far reaching importance for the Constitution were at issue and needed to be decided by a Constitutional Bench.

Giving some insight into its reasoning to refer this issue to a Constitutional Bench, the Court did seem to suggest that its decision to refer the matter to a larger bench was more an exercise in judicial propriety than an action driven by some genuine contradiction in the law. The Court said that if the observations in M.P. Sharma (supra) and Kharak Singh (supra) were accepted as the law of the land, the fundamental rights guaranteed under the Constitution of India would get “denuded of vigour and vitality”. However the Court felt that institutional integrity and judicial discipline require that smaller benches of the Court follow the decisions of larger benches, unless they have very good reasons for not doing so, and since in this case it appears that the same was not done therefore the Court referred the matter to a larger bench to scrutinize the ratio of M.P. Sharma (supra) and Kharak Singh (supra) and decide the judicial correctness of subsequent two judge and three judge bench decisions which have asserted or referred to the right to privacy.

[1] AIR 1954 SC 300. In para 18 of the Judgment it was held: “A power of search and seizure is in any system of jurisprudence an overriding power of the State for the protection of social security and that power is necessarily regulated by law. When the Constitution makers have thought fit not to subject such regulation to constitutional limitations by recognition of a fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it, into a totally different fundamental right, by some process of strained construction.”

[2] AIR 1963 SC 1295. In para 20 of the judgment it was held: “… Nor do we consider that Art. 21 has any relevance in the context as was sought to be suggested by learned counsel for the petitioner. As already pointed out, the right of privacy is not a guaranteed right under our Constitutionand therefore the attempt to ascertain the movement of an individual which is merely a manner in which privacy is invaded is not an infringement of a fundamental right guaranteed by Part III.”

[3] (1975) 2 SCC 148.

[4] It is interesting to note that while the decisions in both Kharak Singh and Gobind were given in the context of similar facts (challenging the power of the police to make frequent domiciliary visits both during the day and night at the house of the petitioner) while the majority in Kharak Singh specifically denied the existence of a fundamental right to privacy, however they held the conduct of the police to be violative of the right to personal liberty guaranteed under Article 21, since the Regulations under which the police actions were undertaken were themselves held invalid. On the other hand, while Gobind held that a fundamental right to privacy does exist in Indian law, it may be interfered with by the State through procedure established by law and therefore upheld the actions of the police since they were acting under validly issued Regulations.

[5] (1994) 6 SCC 632.

[6] (1997) 1 SCC 301.

[7] (1978) 1 SCC 248.

[8] AIR 1950 SC 27.

[9] (1970) 1 SCC 248.

For more details visit https://cis-india.org/internet-governance/blog/right-to-privacy-in-peril

Right to Privacy Bill 2010 — A Few Comments

elonnai — 2012-03-22T06:26:14Z

Earlier this year, in February 2011, Rajeev Chandrasekhar introduced the Right to Privacy Bill, 2010 in the Rajya Sabha. The Bill is meant to “provide protection to the privacy of persons including those who are in public life”. Though the Bill states that its objective is to protect individuals’ fundamental right to privacy, the focus of the Bill is on the protection against the use of electronic/digital recording devices in public spaces without consent and for the purpose of blackmail or commercial use.

Specific Recommendations

The use of electronic recording devices in public is an important and expansive aspect of privacy, which is yet to be directly covered by Indian law. Though the Bill addresses the basic usage of electronic devices with built-in cameras, it frames the violation as a personal violation. In doing so, the Bill has taken a punitive approach, making it criminal to take photographs in situations outside of the laid-out regulations, rather than protective in nature, i.e., working to protect individuals from harassment and blackmail, and offer forms of redress to those damaged.

The Bill fails to address scenarios such as Google street view, satellite photographs, news channels, and live feeds at events and conferences. In these situations live data is being transmitted and posted on the Web for public to view by the media. When looking at the dilemma of photographs being taken in public by the media, the privacy interests are different to those that are based on control of personal information alone. They are substantive, as opposed to informational, and engage directly with individual dignity, autonomy, and the freedom of expression. For example, the interest in freedom of expression encompasses both those of the photographers and journalists producing material for his/her journal. Can a journalist print a photograph taken in a public space — of a public figure, which the public figure did not consent to, and which that person considers defamatory?

Interestingly, Europe has strong laws regulating the taking of photographs in public spaces, but these rules are covered by the Protection from Harassment Act, 1997 (UK), which speaks specifically to the media’s behaviour towards public figures — or they fall under a tort of misuse. In the US taking photographs only becomes an issue in the use of the photograph. Essentially anyone can be photographed without consent except when they have secluded themselves in places where they have a reasonable expectation of privacy such as dressing rooms, restrooms, medical facilities, or inside a private residence. This legal standard applies regardless of the age, sex, or other attributes of the individual. Once a photograph is taken, and if that photograph is used for commercial gain without consent or publicizes an otherwise private person inappropriately, then that person can be held liable under the tort of misappropriation.

Specific Comments to the Bill

Misguiding Title

The title of the Bill is, the Personal Data Protection Bill, 2006," but the scope of the Bill is focused on regulating the use of electronic recording devices, and it does not include many aspects of privacy. So we recommend that the title of the Bill be modified to "The Electronic Recording Devices Bill, 2010".

Inappropriate Blanket Use of Privacy

The introduction to the Bill states that its purpose is "for the protection of the right to privacy of persons including those who are in public life so as to protect them from being blackmailed or harassed or their image and reputation being tarnished in order to spoil their public life and for the prevention of misuse of digital technology for such purposes and for matters connected therewith and incidental thereto."

Comment: Notwithstanding the fact that violations of privacy extend beyond blackmail, harassment, and defamation, and that digital technologies are not the only vehicles for privacy violations, it is important to qualify that privacy is not a blanket right, and that for public persons, the privacy that they are afforded is determined by balancing their interest against the public interest.

Narrow Definition of Public Figures

Section 2 (b) of the Bill states: "persons in public life" includes the representatives of the people in Parliament, state legislatures, local self government bodies, and office bearers of recognized political parties

Comment: Persons in public life include persons beyond the political sphere, specifically those in higher positions that influence the behaviour, lifestyles, and culture of the general population. Thus, we recommend that this definition be extended to include actors, actresses, athletes, artists, and musicians, CEOs, and authors.

Insufficient Limits to the Right to Privacy

Section 3 (1) states: “Notwithstanding anything contained in any other law for the time being in force every person, including persons in public life, shall have the right to privacy which shall be exclusive, unhindered and there shall be no unwarranted infringement thereof by any other person, agency, media or anyone:

Provided that sub-section (1) of section 3 shall not apply in cases of corruption, and misuse of official positions by persons in public life.

Comment: We recommend that the right to privacy, as any right, need not be identified as exclusive or unhindered. The right to privacy must be determined on a case by case basis relative to the public interest, and, while cases of corruption and misuse of official position by persons in public life certainly qualify, they do not encompass the wider variety of situations in which an individual’s right to privacy should be limited. For instance, if a public figure speaks out on an issue in a way that contradicts an earlier position that was captured on video, shouldn’t that be allowed to be made public? If a public figure is photographed in a morally questionable position, shouldn’t that be allowed to be made public? Indeed, even for private individuals, privacy is a matter of context. In airports and other sensitive public places it is commonly accepted that an individual’s right to privacy can be limited. If an individual has a disease such as HIV, under what circumstances should some or all of the greater public should be informed and their right to privacy may be limited?

Limited Scope of Technology

Section 4 of the Bill states: "No person shall use a cellular phone with an inbuilt camera, if it does not produce a sound of at least 65 decibels and flash a light when used to take a picture of any object or person, as the case may be.

Comment: We recommend that this clause clarifies if only cellular phones, and not cameras, computers, or other devices with built-in cameras are required to produce the sound of at least 65 decibels.

Overly Complicated Clauses

Section 5 of the Bill states: Notwithstanding anything contained in any other law for the time being in force, no person shall make digital recording or take photographs or make videography in any manner whatsoever of:

Section 5(a): any part or whole of a human body which is unclothed or partially clothed without the consent of the person concerned.

Section 5 (b): any part or whole of a human body at any public place without the consent of the person concerned and

Section 5 (c): the personal and intimate relationship of any couple in a home, hotel, resort, or any place within the four walls by hidden digital or other cameras and such other instruments, or any place within the four walls by hidden digital cameras and such other instruments…with the intent of blackmail or of making commercial gains from it or otherwise.

Comment: Section 5 currently lists certain circumstances in which photographs are not allowed to be taken of individuals in public without consent if they are to be used for the purpose of commercial gain or blackmail. Blackmail or commercial gains are not the only ways in which digital recordings of people can be misused. Certainly, taking such pictures to post for purposes of hurting one’s reputation or causing humiliation is as reprehensible as taking pictures for commercial gain, so the provision is too narrow. It may also be overboard, because a person may be captured in an artistic or political photograph but have, for example, bare arms or legs. That would be a picture of a part of a human body at a public place. We recommend that the list of offences include misappropriation and false light, and that the manner of the picture-taking not be limited to clauses (a) to (c) above.

Section 5 is the first instance in which the use of digital recordings for commercial gain has been mentioned as a violation in the Bill. We recommend that commercial gain as a violation should be added to the introduction of the Bill.

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-bill-2010

Right to be Forgotten: A Tale of Two Judgements

amber — 2017-04-07T02:27:03Z

In the last few months, there have been contrasting judgments from two Indian high courts, Karnataka and Gujarat, on matters relating to the right to be forgotten. The two high courts heard pleas on issues to do the right of individuals to have either personal information redacted from the text of judgments available online or removal of such judgment from publically available sources.

While one High Court (Karnataka) ordered the removal of personal details from the judgment,^[1] the other (Gujarat) dismissed the plea^[2]. In this post, we try to understand the global jurisprudence on the right to be forgotten, and how the contrasting judgments in India may be located within it.

Background

The ‘right to be forgotten’ has gained prominence since a matter was referred to the Court of Justice of European Union (CJEU) in 2014 by a Spanish court.^[3] In this case, Mario Costeja González had disputed the Google search of his name continuing to show results leading to an auction notice of his reposed home. The fact that Google continued to make available in its search results, an event in his past, which had long been resolved, was claimed by González as a breach of his privacy. He filed a complaint with the Spanish Data Protection Agency (AEPD in its Spanish acronym), to have the online newspaper reports about him as well as related search results appearing on Google deleted or altered. While AEPD did not agree to his demand to have newspaper reports altered, it ordered Google Spain and Google, Inc. to remove the links in question from their search results. The case was brought in appeal before the Spanish High Court, which referred the matter to CJEU. In a judgement having far reaching implications, CJEU held that where the information is ‘inaccurate, inadequate, irrelevant or excessive,’ individuals have the right to ask search engines to remove links with personal information about them. The court also ruled that even if the physical servers of the search engine provider are located outside the jurisdiction of the relevant Member State of EU, these rules would apply if they have branch office or subsidiary in the Member State.

The ‘right to be forgotten’ is a misnomer, and essentially when we speak of it in the context of the proposed laws in EU, we refer to the rights of individuals to seek erasure of certain data that concerns them. The basis of what has now evolved into this right is contained in the 1995 EU Data Protection Directive, with Article 12 of the Directive allowing a person to seek deletion of personal data once it is no longer required.

Critical to our understanding of the rationale for how the ‘right to be forgotten’ is being framed in the EU, is an appreciation of how European laws perceive privacy of individuals. Unlike the United States (US), where privacy may be seen as a corollary of personal liberty protecting against unreasonable state intrusions, European laws view privacy as an aspect of personal dignity, and are more concerned with protection from third parties, particularly the media. The most important way in which this manifests itself is in where the burden to protect privacy rights lie. In Europe, privacy policy often dictates intervention from the state, whereas in the US, in many cases it is up to the individuals to protect their privacy.^[4]

Since the advent of the Internet, both the nature and quantity of information existing about individuals has changed dramatically. This personal information is no longer limited to newspaper reports and official or government records either. Our use of social media, micro-discussions on Twitter, photographs and videos uploaded by us or others tagging us, every page or event we like, favourite or share—all contribute to our digital footprint. Add to this the information created not by us but about us by both public and private bodies storing data about individuals in databases, our digital shadows begin to far exceed the data we create ourselves. It is abundantly clear that we exist in a world of Big Data, which relies on algorithms tracking repeated behaviour by our digital selves. It is in this context that a mechanism which enables the purging of some of this digital shadow makes sense.

Further, it is not only the nature and quantity of information that has changed, but also the means through which this information can be accessed. In the pre-internet era, access to records was often made difficult by procedural hurdles. Permissions or valid justifications were required to access certain kinds of data. Even for the information available in the public domain, often the process of gaining access were far too cumbersome. Now digital information not only continues to exist indefinitely, but can also be easily accessed readily through search engines. It is in this context that in a 2007 paper, Viktor Mayer-Schöenberger pioneered the idea of memory and forgetting for the digital age.^[5] He proposed that all forms of personal data should have an additional meta data of expiration date to switch the default from information existing endlessly to having a temporal limit after which it is deleted. While this may be a radical suggestion, we have since seen proposals to allow individuals some control over information about them.

In 2016, the EU released the final version of the General Data Protection Regulation. The regulation provides for a right to erasure under Article 17, which would enable a data-subject to seek deletion of data.^[6] Notably, except in the heading of the provision, Article 17 makes no reference to the word ‘forgetting.’ Rather the right made available in this regulation is in the form of making possible ‘erasure’ and ‘abstention from further dissemination.’ This is significant because what the proposed regulations provide for is not an overarching framework to enable or allow ‘forgetting’ but a limited right which may be used to delete certain data or search results. Providing a true right to be forgotten would pose issues of interpretation as to what ‘forgetting’ might mean in different contexts and the extent of measures that data controllers would have to employ to ensure it. The proposed regulation attempts to provide a specific remedy which can be exercised in the defined circumstances without having to engage with the question of ‘forgetting’.

The primary arguments made against the ‘right to be forgotten’ have come from its conflict with the right to freedom of speech. Jonathan Zittrain has argued against the rationale that the right to be forgotten merely alters results on search engines without deleting the actual source, thus, not curtailing the freedom of expression.^[7] He has compared this altering of search results to letting a book remain in the library but making the catalogue unavailable. According to Zittrain, a better approach would be to allow data subjects to provide their side of the story and more context to the information about them, rather than allowing any kind of erasure. Unlike in the US, the European approach is to balance free speech against other concerns. So while one of the exceptions in sub-clause (3) of Article 17 provides that information may not be deleted where it is necessary to exercise the right to free speech, free speech does not completely trump privacy as the value that must be protected. On the other hand, US constitutional law would tend to give more credence to the First Amendment rights and allow them to be compromised in very limited circumstances. As per the position of the US Supreme Court in Florida Star v. B.J.F., lawfully obtained information may be restricted from publication only in cases involving a ‘state interest of the highest order’. This position would allow any potential right to be forgotten to be exercised in the most limited of circumstances and privacy and reputational harm would not satisfy the standard. For these reasons the rights to be forgotten as it exists in Article 17 may be unworkable in the US.

Issues in application

Significant technical challenges remain in the effective and consistent application of Article 17 of the EU Directive. One key issue is concerned with how ‘personal data’ is defined and understood, and how its interpretation will impact this right in different contexts. According to Article 17 of the EU directive, the term ‘personal data’ includes any information relating to an individual. Some ambiguity remains about whether information which may not uniquely identify a person, but as a part of small group, could be considered within the scope of personal data. This becomes relevant, for instance, where one seeks the erasure of information which, without referring to an individual, points fingers towards a family. At the same time, often the piece of information sought to be erased by a person may contain personal information about more than one individual. There is no clarity over whether a consensus of all the individuals concerned should be required, and if not, on what parameters should the wishes of one individual prevail over the others. Another important question, which is as yet unanswered, is whether the same standards for removal of content should apply to most individuals and those in public life.

The issue of what is personal data and can therefore be erased gets further complicated in cases of derived data about individuals used in statistics and other forms of aggregated content. While, it would be difficult to argue that the right to be forgotten needs to be extended to such forms of information, not erasing such derived content poses the risk of the primary information being inferred from it. In addition, Article 17(1)(a) provides for deletion in cases where the data is no longer necessary for the purposes for which they were collected or used. The standards for circumstances which satisfy this criteria are, as yet, unclear and may only be fully understood through a consistent application of this law.

Finally, once there are reasonable grounds to seek erasure of information, it is not clear how this erasure will be enforced practically. It may not be prudent to require that all copies of the impugned data are deleted such that they may not be recovered, to the extent technologically possible. A more reasonable solution might be to permit the data to continue to remain available in encrypted forms, much like certain records are sealed and subject to the strictest confidentiality obligations. In most cases, it may be sufficient to ensure that the records of the impugned data is removed from search results and database reports without actually tampering with information as it may exist. These are some of the challenges which the practical application of this right will face, and it is necessary to take them into account in enforcing the proposed regulations.

The two Indian judgments

In the first case, (before the Gujarat High Court), the petitioner entered a plea for “permanent restraint [on] free public exhibition of the judgment and order.” The judgment in question concerned proceeding against the petitioner for a number of offences, including culpable homicide amounting to murder. The petitioner was acquitted, both by the Sessions court and the High Court before which he was pleading. The petitioner’s primary contention was that despite the judgment being classified as ‘unreportable’, it was published by an online repository of judgments and was also indexed by Google search. The decision of the High Court to dismiss the petition, rest of the following factors: a) failure on the part of the petitioner to show any provisions in law which are attracted, or threat to the constitutional right to life and liberty, b) publication on a website does not amount to ‘reporting’, as reporting only refers to that by law reports.

While the second point of reasoning made by the courts is problematic in terms of the function of precedent served by the reported judgments, and the basis for reducing the scope of ‘reporting’ to only law reports, the first point is of direct relevance to our current discussion. The lack of available legal provisions points to the absence of data protection legislation in India. Had there been a privacy legislation which addressed the issues of how personal information may be dealt with, it is possible that it may have had instructive provisions to address situation like these. In the absence of such law, the only recourse that an individual has is to seek constitutional protection under one of the fundamental rights, most notably Article 21, which over the years, has emerged as the infinite repository of unenumerated rights. However, typically rights under Article 21 are of a vertical nature, i.e., available only against the state. Their application in cases where a private party is involved remains questionable, at best.

In contrast, in the second case, the Karnataka High Court ruled in favor of the petitioner. In this case, the petitioner’s daughter instituted both criminal and civil proceedings against a person. However, later they arrived at a compromise and one of the conditions was quashing all the proceedings which had been initiated. The petitioner had raised concerns about the appearance of his daughter’s name in the cause title and was easily searchable. The court, while making vague references to “trend in the Western countries where they follow this as a matter of rule “Right to be forgotten” in sensitive cases involving women in general and highly sensitive cases involving rape or affecting the modesty and reputation of the person concerned, held in the petitioner’s favor, and order that the name be redacted from the cause title and the body of the order before releasing to any service provider. The second judgment is all the more problematic for while it makes a reference to jurisprudence in other countries, yet it does not base it on the fundamental right to privacy, but to the idea of modesty and reputation of women, which has no clear legal basis on either Indian or comparative jurisprudence.

Conclusion

The above two cases demonstrate the problem of lack of a clear legal basis being employed by the judiciary in interpreting the right to be forgotten. Not only were no clear legal provisions in Indian law were taken refuge of while ruling on the existence of this right, the court also do not engage in any analysis of comparative jurisprudence such as the GDPR or the Costeja judgment. Such ad-hoc jurisprudence underlines the need for a data protection legislation, as in its absence, it is likely that divergent views are taken upon this issue, without a clear legal direction. It is likely that most matters concerning the right to erasure concern private parties as data controllers. In such cases, the existing jurisprudence on the right to privacy as interpreted under Article 21 may also be of limited value. Further, as has been pointed out above, the right to be forgotten needs to be a right qualified by conditions very clearly, and its conflict with the right to freedom of expression under Article 19. Therefore, it is imperative that a comprehensive data protection law addresses these issues.

^[1] Sri Vasunathan vs The Registrar, available at http://www.iltb.net/2017/02/karnataka-hc-on-the-right-to-be-forgotten/

^[2] Dharmraj Bhanushankar Dave v. State of Gujarat, available at https://drive.google.com/file/d/0BzXilfcxe7yueXFJWG5mZ1pKaTQ/view.

^[3] Google Spain et al v. Mario Costeja González, available at http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&docid=152065.

^[4] http://www.europarl.europa.eu/RegData/etudes/STUD/2015/536459/IPOL_STU(2015)536459_EN.pdf

^[5] Mayer-Schoenberger, Viktor, Useful Void: The Art of Forgetting in the Age of Ubiquitous Computing (April 2007). KSG Working Paper No. RWP07-022. Available at SSRN: https://ssrn.com/abstract=976541 or http://dx.doi.org/10.2139/ssrn.976541.

^[6] Article 17 (1) states: The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

^[7] Zittrain, Jonathan, “Don’t Force Google to ‘Forget’”, The New York Times, May 14, 2014. Available at https://www.nytimes.com/2014/05/15/opinion/dont-force-google-to-forget.html.

For more details visit https://cis-india.org/internet-governance/blog/right-to-be-forgotten-a-tale-of-two-judgments

Right to be forgotten poses a legal dilemma in India

praskrishna — 2014-06-09T10:02:25Z

The “right to be forgotten” judgment has raised a controversy, while some argue that it upholds an individual’s privacy, others say it leaves a lot of room for interpretation.

The article by Leslie D' Monte was published in Livemint on June 5, 2014. Sunil Abraham gave his inputs.

Medianama.com has become perhaps the first Indian website to be asked by an individual to remove a link, failing which the user would approach Google Inc. to delete the link under the “right to be forgotten” provision granted by a European court. There’s one hitch: India doesn’t have any legal provision to entertain or process such request.

In his request to the media website, the individual cited a landmark 13 May judgment by the Court of Justice of the European Union (EU), which said users could ask search engines like Google or Bing to remove links to web pages that contain information about them.

According to the judgement, the user is also free to approach “the competent authorities in order to obtain, under certain conditions, the removal of that link from the list of results” if the search engines do not comply.

“...this individual told us of a plan to appeal to Google on the basis of the judgment of the European Court of Justice, and asked us to either convert the public post into a non-indexable post, such that it may not be surfaced by search engines, or to modify the individual’s name, place and any references to his/her employer in the post that we’ve written, so that it cannot be linked directly to the individual,” said Nikhil Pahwa, founder of medianama.com.

Pahwa did not reveal the identity of the individual, who made the request on 31 May. Medianama, according to Pahwa, had written about the individual “a few years ago, protesting against attacks on his/her freedom of speech.” It did not give details. The media website reported about the request on 2 June.

Under legal pressure, the individual eventually relented and retracted the request.

The individual, Pahwa said, requested medianama.com to retain only his last name on the web page, cautioning that if the website does not do so, he would submit the URL (uniform resource locator or address of that link) of that web page to Google in a “right to be forgotten” request.

This, Pahwa said, “might hurt our search ranking, or lead to a blanket removal of our website from Google’s search index.”

“This is a tricky one, and we’ve declined this request,” said Pahwa. He added that “the implications for media are immense, since digital data, which is a recording of online history, will be affected.”

The EU ruling came after a Spanish national complained in 2010 that searching his name in Google threw up links to two newspaper webpages which reported a property auction to recover social security debt he once owed, even though the information had become irrelevant since the proceedings had since been resolved.

Following the ruling, Google put up an online form (mintne.ws/1oYVP5Y), inviting users in Europe to submit their requests.

“...we will assess each individual request and attempt to balance the privacy rights of the individual with the public’s right to know and distribute information,” the form reads.

“When evaluating your request, we will look at whether the results include outdated information about you, as well as whether there’s a public interest in the information—for example, information about financial scams, professional malpractice, criminal convictions, or public conduct of government officials...”

A Google spokesman said on Tuesday that the company had received over 41,000 requests to be forgotten so far.

On the first day itself, Google had received 12,000 requests.

“Almost a third of the requests were in relation to accusations of fraud, 20% were in relation to violent/serious crimes, and around 12% regarded child pornography arrests. More than 1,500 of these requests are believed to have come from people in the UK. An ex-politician seeking re-election, a paedophile and a GP (general practitioner) were among the British applicants”, according to a 2 June report inThe Telegraph of London.

The “right to be forgotten” judgment has raised a controversy. While some argue that it upholds an individual’s privacy, others say it leaves a lot of room for interpretation.

In an interview to Mint on 26 May, Anupam Chander, director of the California International Law Center, reasoned that if a person could simply scrub all the bad information about him from being searchable on the Internet, she/he could do so by claiming that such information was “no longer relevant”.

“Do we want search engines to then judge whether information remains “relevant” or is somehow “inadequate” under the threat of liability for leaving information accessible? An Internet sanitized of accessible negative information will only tell half the truth,” he argued.

The ruling is not binding on India and applies only to EU countries.

According to legal experts, the country has no provision for a right to be forgotten, either in the Information Technology (IT) Act 2000 (amended in 2008) or the IT Rules, 2011. India, for that matter, does not even have a privacy act as yet.

“In India, we do not have a concept of the right to be Forgotten. It’s a very Western concept,” said Pavan Duggal, a cyberlaw expert and Supreme Court advocate.

Still, intermediaries like search engines and Internet services providers, under the country’s IT Act and IT Rules, have the obligation to exercise due diligence if an aggrieved party sends them a written notice, he said.

According to Sunil Abraham, executive director of the Centre for Internet and Society, an Internet rights lobby group, “right to be forgotten” cases should pass the “public interest” test.

“Privacy protection should not have a chilling effect on transparency. The question is: Does the content (which a user wants to be removed) serve a public interest that outweighs the harm that it is doing to the individual concerned? If no public interest is being served, there is no point in knowing what the content is all about. The complication with the EU ruling is that it wants intermediaries and over-the-top providers to play the role of judges,” said Abraham.

For more details visit https://cis-india.org/news/livemint-leslie-d-monte-june-5-2014-right-to-be-forgotten-poses-legal-dilemma-in-india

Revisiting Aadhaar: Law, Tech and Beyond

praskrishna — 2017-05-19T14:47:32Z

Udbhav Tiwari attended a panel on "Revisiting Aadhaar: Law, Tech and Beyond" held at the India International Centre Annexe on May 9, 2017 in New Delhi, organised by the Software Freedom Law Centre (SFLC.in) in collaboration with Digital Empowerment Foundation and IT for Change.

The panel consisted of:

Saikat Datta; Policy Director, Centre for Internet and Society (Moderator)
Anivar Aravind; Founder/Director at Indic Project
Anupam Saraph; Professor and Future Designer
Prasanna S; Advocate
Shyam Divan; Senior Advocate, Supreme Court
Srinivas Kodali; Co-founder at Open Stats
Osama Manzar; Founder and Director, Digital Empowerment Foundation
Usha Ramanathan; Legal Researcher

The panel was quite enlightening (and Saikat was a stellar moderator), with Mr. Divan's elucidation on the arguments made in the court for the Aadhaar case in particular being a great learning experience. Benjamin and Sheetal (both interns in the Delhi office) along with Sumandro also attended the event.

The other learning was that for people who have attended multiple such panels/seminars and meetings on Aadhaar, they can have a lot of repeated content. I passed on the feedback to SFLC about how they could possibly include a small 10 to 15 minute session in future such panels on developments since the previous such event on the Aadhaar and include practical aspects about what people can do about minimising the harms that we are all slowly being co opted into facing with the system.

More info about the event here.

For more details visit https://cis-india.org/internet-governance/news/revisiting-aadhaar-law-tech-and-beyond

Rethinking the Internet: The Way Forward

praskrishna — 2013-03-13T04:53:21Z

Telecom Italia and Financial Times are organizing this event at Telecom Italia Future Centre in Italy on March 21 and 22, 2013. Pranesh Prakash is participating in this event.

Overview

The advent of smartphones and other mobile devices, and the resulting explosive growth in internet usage have transformed the way that societies communicate. The internet is a major driver for global economies as it continues to create new forms of interaction, and offers unprecedented business opportunities and profitable collaborations. The evolution of the internet is however also contributing to changing social perceptions of privacy and copyright, and concerns are developing about the security of countries and organisations, and the liabilities of internet intermediaries.

Another crucial issue is internet governance. Some doubts have been cast on the effectiveness of the present decision-making model in setting the basis for an investment-conducive and future-proof framework, and in balancing the interests of all the players involved in the market scenario.

Rethinking the Internet: The Way Forward, organised by the Financial Times and Telecom Italia, will contribute to this debate by featuring interactive CEO-level workshops that explore the impact of the internet on business models, the role of public and private collaborations in enabling innovation, the key policy, governance and security considerations that need to be addressed, and future implications of the internet evolution for all players in the global communications industry.

Agenda Day One: Thursday, March 22, 2013

10:30- 11:05	Registration and networking
11:05- 11:15	Chair's opening remarks
11:15- 11:30	Welcome address by Telecom Italia
11:30- 01:30	Introduction to Rethinking the Internet How will the internet continue to evolve and what implications does this have for future business models? Who will be the key industry players in the next 10 years and which collaborations, investments and infrastructure developments will yield sustainable growth? How sustainable is the internet as a business model? Will excessive policy-making and regulatory controls curb innovation? Where is the industry heading now?
01:30- 02:30	Lunch
02:30 - 04:30	A New Internet Governance What are the latest developments in internet governance policy-making? What changes can be expected in the near future? How can policy groups and organisations work together to create a balanced and fair internet governance model? What are the limitations of the current recommendations and what improvements need to be made? What are the implications for privacy, online anonymity and data protection?
04:30- 05:00	Refreshments
05:00 - 07:00	Internet Security What new threats and challenges are being created by the internet evolution and how are governments legislating for this? As cybersecurity continues to become a threat, can policies keep up with industry innovations and technological advances? How can a truly global internet be monitored and managed by international jurisdictions with different national priorities? What role do non-governmental entities have to play in policing the internet and making it more secure?
07:00 - 07:10	Chair's concluding remarks
07:10	Drinks reception, followed by Dinner

Agenda Day Two: Friday, March 23, 2013

08:30- 08:50	Arrival and networking
08:50- 09:00	Chair's opening remarks
09:00- 11:00	Internet Privacy and Copyrights Co-operation between policy-makers and industry players is critical in encouraging an open communications ecosystem. What pitfalls need to be avoided to ensure that all stakeholder interests are taken into account, including those of the customer? What safeguards need to be put into place to ensure that sensitive data is protected? How is copyright protected in the new digital age? Can the rights of content creators be protected whilst embracing an open internet? Does net neutrality necessarily equal internet freedom? And how is the right government intervention – internet freedom balance maintained?
11:00- 11:30	Refreshments
11:30- 01:30	Internet after OTT Why are commercial agreements among telco and other communication providers so critical to the provision of internet-enabled products and services? What collaborations are necessary to ensure that internet development and investment contribute to economic growth and market competition? And what role does policy have to play in supporting these commercial initiatives?
01:30- 02:30	Lunch
02:30- 04:00	Overview of Key Themes raised during the Two Day Meeting
04:00	Conclusion

Currently confirmed to participate now include:

Alessandro Acquisti, Associate Professor of Information Technology and Public Policy, Carnegie Mellon University

Jan Philipp Albrecht MdEP / MEP, Member, European Parliament

Virgilio Augusto Fernandes Almeida, Secretary for Information Technology Policies, Ministry of Science, Technology and Innovation (MCTI-SEPIN), Brazil

Suleyman Anil, Head, Cyber Defence Section, Emerging Security Challenges Division, NATO

Johannes M Bauer, Professor, Telecommunication, Information Studies, and Media and Director of Special Programs, Quello Center for Telecommunication Management & Law, Michigan State University

Franco Bernabè, Chairman and CEO of Telecom Italia

Anne Bouverot, Director General & Member of the Board, GSMA

Peter Bradwell, Campaigner, Open Rights Group

Angelo Maria Cardani, Chairman, AGCOM

James W. Cicconi, Senior Executive Vice President-External and Legislative Affairs, AT&T Services, Inc

Giuseppe Corasaniti, General Prosecutor, Italian Supreme Court

Juan Carlos De Martin, Faculty co-director, nexa center for internet & society, Politecnico di Torino and Faculty Fellow, berkman center for internet & society, Harvard University

Adrian Farrel, Routing Area Director, IETF, Juniper Networks and Old Dog Consulting

William W Fisher, Wilmer Hale Professor of Intellectual Property Law and Faculty Director, Berkman Center for Internet and Society, Harvard University

Luigi Gambardella, Chairman Executive Board, ETNO

Hartmut Richard Glaser, Executive Secretary/CGI.br, Brazilian Internet Steering Committee

David A. Gross, Former U.S. Coordinator for International Communications and Information Policy and Partner, Wiley Rein LLP

Ian Hargreaves, Professor of Digital Economy, Cardiff University

James Harkin, Author and Director, Flockwatching

Ahmad Abdulkarim Julfar, CEO, Etisalat Group

Dr Robert E Kahn, TCP/IP co-creator and Chairman, CEO and President, Corporation for National Research Initiatives (CNRI)

Loz (Laurence) Kaye, Leader, Pirate Party UK

Thomas M. Lenard, President and Senior Fellow, Technology Policy Institute

Gerd Leonhard, Futurist, Author and CEO, The Futures Agency

Jonathan Liebenau, Reader in Technology Management, Department of Management, London School of Economics

Robert Levine, Journalist and Author of Free Ride

Patrice Lyons, Corporate Counsel, Corporation for National Research Initiatives (CNRI)

Joe McNamee, Executive Director, European Digital Rights

Milton L Mueller, Professor, School of Information Studies, Syracuse University

Eli Noam, Director, Columbia Institute for Tele-Information, Professor of Finance and Economics and Garrett Professor of Public Policy and Business Responsibility, Columbia University Business School

Sam Paltridge, Directorate of Science Technology and Industry, OECD

Prof. Francesco Pizzetti, Chairman, Privacy Authority

Pranesh Prakash, Policy Director, Centre for Internet and Society

Philip R. Reitinger, Senior Vice President and Chief Information Security Officer, Sony Corporation

Dr Georg Serentschy, CEO Telecommunications, RTR-GmbH (Austrian Regulatory Authority for Broadcasting and Telecommunications)

Michael Skapinker, Assistant Editor and Columnist, Financial Times

Christopher Soghoian, Principal Technologist and Senior Policy Analyst, American Civil Liberties Union

Dr. Hamadoun I. Touré, Secretary General, International Telecommunication Union (ITU)

Nico van Eijk, Professor of Media and Telecommunications Law and Director of the Institute for Information Law, University of Amsterdam

Ben Verwaayen, CEO, Alcatel-Lucent

Philip L. Verveer, Ambassador, U.S. Coordinator, International Communications and Information Policy, US Department of State

Richard Waters, West Coast Editor, Financial Times

Christopher S Yoo, John H. Chestnut Professor of Law, Communication, and Computer & Information Science, Founding Director, Center for Technology, Innovation and Competition, University of Pennsylvania Law School

For more details visit https://cis-india.org/news/rethinking-the-internet

Rethinking Privacy: The Link between Florida v. Jardines and the Surveillance of Nature Films

praskrishna — 2014-07-28T05:51:48Z

Bhairav Acharya gave a talk on "Rethinking Privacy" at an event organized by the Indian Institute of Technology, Madras (IIT-M) on July 11, 2014.

In a 2010 article in Continuum: Journal of Media & Cultural Studies, Brett Mills proposed that animals have a right to privacy and that wildlife documentaries, specifically BBC's Nature's Great Events (2009), invaded this right without an examination of animal conservation ethics. In the 2013 Florida v. Jardines decision, the Supreme Court of the United States re-examined the constitutional validity of 'dog sniff laws' that permitted police animals to enter the threshold of private property to conduct 'minimally invasive warant-less searches' and 'Terry stops'; this was the latest in a long line of Fourth Amendment cases that examine the ethics of conserving and protecting public order. I attempt to draw links between the two scenarios that highlight the dissonance between sociological and jurisprudential constructions of privacy.

For more details visit https://cis-india.org/news/rethinking-privacy

Rethinking National Privacy Principles: Evaluating Principles for India's Proposed Data Protection Law

amber — 2017-09-11T02:22:01Z

This report is intended to be the first part in a series of white papers that CIS will publish which seeks to contribute to the discussions around the enactment of a privacy legislation in India. In subsequent pieces we will focus on subjects such as regulatory framework to implement, supervise and enforce privacy principles, and principles to regulate surveillance in India under a privacy law.

Edited by Elonnai Hickok and Vipul Kharbanda

This analysis intends to build on the substantial work done in the formulation of the National Privacy Principles by the Committee of Experts led by Justice AP Shah.1 This brief, hopes to evaluate the National Privacy Principles and the assertion by the Committee that right to privacy be considered a fundamental right under the Indian Constitution. The national privacy principles have been revisited in light of technological developments such as big data, Internet of Things, algorithmic decision making and artificial intelligence which are increasingly playing a greater role in the collection and processing of personal data of individuals, its analysis and decisions taken on the basis of such analysis. The solutions and principles articulated in this report are intended to provide starting points for a meaningful and nuanced discussion on how we need to rethink the privacy principles that should inform the data protection law in India.

Click to read the full blog post

For more details visit https://cis-india.org/internet-governance/blog/rethinking-national-privacy-principles

Rethinking DNA Profiling in India

elonnai — 2012-10-29T08:00:01Z

DNA profile databases can be useful tools in solving crime, but given that the DNA profile of a person can reveal very personal information about the individual, including medical history, family history and so on, a more comprehensive legislation regulating the collection, use, analysis and storage of DNA samples needs included in the draft Human DNA Profiling Bill.

Elonnai Hickok's article was published in Economic & Political Weekly, Vol - XLVII No. 43, October 27, 2012

DNA evidence was first accepted by the courts in India in 1985,[1] and in 2005 the Criminal Code of Procedure was amended to allow for medical practitioners, after authorisation from a police officer who is not below the rank of sub-inspector, to examine a person arrested on the charge of committing an offence and with reasonable grounds that an examination of the individual will bring to light evidence regarding the offence. This can include

"the examination of blood, blood stains, semen, swabs in case of sexual offences, sputum and sweat, hair samples, and finger nail clippings, by the use of modern and scientific techniques including DNA profiling and such other tests which the registered medical practitioner thinks necessary in a particular case."[2]

Though this provision establishes that authorisation is needed for collection of DNA samples, defines who can collect samples, creates permitted circumstances for collection, and lists material that can be collected, among other things, it does not address how the collected DNA evidence should be handled, and what will happen to the evidence after it is collected and analysed. These gaps in the provision indicate the need for a more comprehensive legislation regulating the collection, use, analysis and storage of DNA samples, including for crime-related purposes in India.

The initiative to draft a Bill regulating the use of DNA samples for crime-related reasons began in 2003, when the Department of Biotechnology (DoB) established a committee known as the DNA Profiling Advisory Committee to make recommendations for the drafting of the DNA profiling Bill 2006, which eventually became the Human DNA Profiling Bill 2007.[3] The 2007 draft Bill was prepared by the DoB along with the Centre for DNA Fingerprinting and Diagnostics (CDFD).[4]

The CDFD is an autonomous institution supported by the DoB. In addition to the CDFD, there are multiple Central Forensic Science Laboratories in India under the control of the Ministry of Home Affairs and the Central Bureau of Investigation,[5], along with a number of private labs [6] which analyse DNA samples for crime-related purposes.

In 2007, the draft Human DNA Profiling Bill was made public, but was never introduced in Parliament. In February 2012, a new version of the Bill was leaked. If passed, the Bill will establish state-level DNA databases which will feed into a national-level DNA database, and proposes to regulate the use of DNA for the purposes of

"enhancing protection of people in the society and the administration of justice."[7]

The Bill will also establish a DNA Profiling Board responsible for 24 functions, including specifying the list of instances for human DNA profiling and the sources of collection, enumerating guidelines for storage and destruction of biological samples, and laying down standards and procedures for establishment and functioning of DNA laboratories and DNA Data Banks.[8] The lack of harmonisation and clear policy indicates that there is a need in India for standardising the collection and use of DNA samples. Although DNA evidence can be useful for solving crimes, the current 2012 draft Bill is missing critical safeguards and technical standards essential to preventing the misuse of DNA and protecting individual rights.

Concerns that have been raised with regards to the Bill are both intrinsic, including problems with effectiveness of achieving the set objectives, and extrinsic, including concerns with the fundamental principles of the Bill. For example, the use of DNA material as evidence and the subsequent creation of a DNA database can be useful for solving crimes when the database contains DNA profiles from[9] from DNA samples[10] only from crime scenes, and is restricted to DNA profiles from individuals who might be repeat offenders. If a wide range of DNA profiles are added to the database, the effectiveness of the database decreases, and the likelihood of a false match increases as the ability to correctly identify a criminal depends on the number of crime scene DNA profiles on the database, and the number of false matches that occur is proportional to the number of comparisons made (more comparisons = more false matches).[11] This inverse relationship between the effectiveness of the DNA database and the size of the database was found in the UK when it was proven that the expansion of the UK DNA database did not help to solve more crimes, despite millions of profiles being added to the database.[12]

The current scope of the draft 2012 Bill is not limited to crimes for which samples can be taken and placed in the database. Instead the Bill creates indexes within every databank including: crime scene indexes, suspects index, offender’s index, missing persons index, unknown deceased persons’ index, volunteers’ index, and such other DNA indices as may be specified by regulations made by the Board.[13] How independent each of these indices are, is unclear. For example, the Bill does not specify when a profile is searched for in the database – if all indices are searched, or if only the relevant indices are searched, and the Bill requires that when a DNA profile is added to the databank, it must be compared with all the existing profiles.[14] The Bill also lists a range of offences for which DNA profiling will be applicable and DNA samples collected, and used for the identification of the perpetrator including, unnatural offences, individual identification, issues relating to assisted reproductive technologies, adultery, outraging the modesty of women etc.[15] Though the Bill is not incorrect in its list of offences where DNA profiling could be applicable, it is unclear if DNA profiles from all the listed offenses will be stored on the database. If it is the case that the DNA profiles will be stored, it would make the scope of the database too broad.

Unlike other types of identifiers, such as fingerprints, DNA can reveal very personal information about an individual, including medical history, family history and location.[16] Thus, having a DNA database with a broad scope and adding more DNA profiles onto a database, increases the potential for misuse of information stored on the database, because there is more opportunity for profiling, tracking of individuals, and access to private data. In its current form, the Bill protects against such misuse to a certain extent by limiting the information that will be stored with a DNA profile and in the indices,[17] but the Bill does not make it clear if the DNA profiles of individuals convicted for a crime will be stored and searched independently from other profiles. Additionally, though the Bill limits the use of DNA profiles and DNA samples to identification of perpetrators,[18] it allows for DNA profiles/DNA samples and related information related to be shared for creation and maintenance of a population statistics database that is to be used, as prescribed, for the purpose of identification research, protocol development, or quality control provided that it does not contain any personally identifiable information and does not violate ethical norms.”[19]

An indication of the possibility of how a DNA database could be misused in India can be seen in the CDFD’s stated objectives, where it lists "to create DNA marker databases of different caste populations of India."[20] CDFD appears to be collecting this data by requiring caste and origin of state to be filled in on the identification form that is submitted with any DNA sample.[21] Though an argument could be made that this information could be used for research purposes, there appears to be no framework over the use of this information and this objective. Is the information stored along with the DNA sample? Is it used in criminal cases? Is it revealed during court cases or at other points of time?

Similarly, in the Report of the Working Group for the Eleventh Five Year Plan, it lists the following as a possible use of DNA profiling technology:

"Human population analysis with a view to elicit profiling of different caste populations of India to use them in forensic DNA fingerprinting and develop DNA databases."[22]

This objective is based on the assumption that caste is an immutable genetic trait and seems to ignore the fact that individuals change their caste and that caste is not uniformly passed on in marriage. Furthermore, using caste for forensic purposes and to develop DNA databases could far too easily be abused and result in the profiling of individuals, and identification errors. For example, in 2011 the UK police, in an attempt to catch the night stalker Delroy Grant, used DNA to (incorrectly) predict that he originated from the Winward Islands. The police then used mass DNA screenings of black men. The police initially eliminated Delroy Grant as a suspect because another Delroy Grant was on the DNA database, and the real Delroy Grant was eventually caught when the police pursued more traditional forms of investigation.[23]

Other uses for DNA databases and DNA samples in India have been envisioned over the years. For example, in 2010 the state of Tamil Nadu sought to amend the Prisoners Identification Act 1920 to allow for the establishment of a prisoners’ DNA database – which would require that any prisoner’s DNA be collected and stored.[24] In another example, the home page of BioAxis DNA Research Centre (P) Limited, a private DNA laboratory offering forensic services states,

"In a country like India which is densely populated there is huge requirement for these type of databases which may help in stopping different types of fraud like Ration card fraud, Voter ID Card fraud, Driving license fraud etc. The database may help the Indian police to differentiate the criminals and non criminals."[25] Not only is this statement incorrect in stating that a DNA database will differentiate between criminals and non-criminals, but DNA evidence is not useful in stopping ration card fraud etc. as it would require that DNA be extracted and authenticated for every instance of service. In 2012, the Department of Forensic Medicine and Toxicology at AFMC Pune proposed to establish a DNA data bank containing profiles of armed forces personnel.[26] And in Uttar Pradesh, the government ordered mandatory sampling for DNA fingerprinting of dead bodies.[27] These examples raise important questions about the scope of use, collection and storage of DNA profiles in databases that the Bill is silent on.

The assumption in the Bill that DNA evidence is infallible is another point of contention. The preamble of the Bill states that, "DNA analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead with any doubt."[28]

This statement ignores the possibility of false matches, cross-contamination, and laboratory error[29] as DNA evidence is only as infallible as the humans collecting, analysing, and marshalling the evidence. These mistakes are not purely speculative, as cases that have relied on DNA as evidence in India demonstrate that the reliability of DNA evidence is questionable due to collection, analysis, and chain of custody errors. For example, in the Aarushi murder case the forensic expert who testified failed to remember which samples were collected at the scene of the crime[30] in the French diplomat rape case, the DNA report came out with both negative and positive results;[31] and in the Abhishek rape case the DNA sample had to be reanalysed after initial analysis did not prove conclusive.[32] Yet the Bill does not mandate a set of best practices that could help in minimising these errors, such as defining what profiling system will be used nationally, and defining specific security measures that must be taken by DNA laboratories – all of which are currently left to be determined by the DNA board.[33]

The assumption in the preamble that DNA can establish if a relationship exists between two individuals without a doubt is also misleading as it implies that the use of DNA samples and the creation of a database will increase the conviction rate, when in actuality the exact number of accurate convictions resulting purely from DNA evidence is unknown, as is the number of innocent people who are falsely accused of a crime based on DNA evidence in India. This misconception is reflected on the website of the Department of Biotechnology’s information page for CDFD where it states:

"…The DNA fingerprinting service, given the fact that it has been shown to bring about dramatic increase in the conviction rate, will continue to be in much demand. With the crime burden on the society increasing, more and more requests for DNA fingerprinting are naturally anticipated. For example, starting from just a few cases of DNA fingerprinting per month, CDFD is now handling similar number of cases every day."[34]

In addition to the claim that the DNA fingerprinting service has shown a dramatic increase in the conviction rate, is not supported by evidence in this article, according to the CDFD 2010-2011 annual report, the centre analysed DNA from 57 cases of deceased persons, 40 maternity/paternity cases, four rape and murder cases, eight sexual assault cases, and three kidney transplantation cases.[35] This is in comparison to the 2006 – 2007 annual report, which quoted 83 paternity/maternity dispute cases, 68 identification of deceased, 11 cases of sexual assault, eight cases of murder, and two cases of wildlife poaching.[36] From the numbers quoted in the CDFD annual report, it appears that paternity/maternity cases and identification of the deceased are the most frequent types of cases using DNA evidence.

Other concerns with the Bill include access controls to the database and rights of the individual. For example, the Bill does not require that a court order be issued for access to a DNA profile, and instead leaves it in the hand of the DNA bank manager to determine if communication of information relating to a match to a court, tribunal, law enforcement agency, or DNA laboratory is appropriate.[37]

Additionally, the Data Bank Manager is empowered to grant access to any information on the database to any person or class of persons that he/she considers appropriate for the purposes of proper operation and maintenance or for training purposes.[38] The low standards for access that are found in the Bill are worrisome as the possibility for tampering of evidence and analysis is increased.

The Bill is also missing important provisions that would be necessary to protect the rights of the individual. For example, individuals are not permitted a private cause of action for the unlawful collection, use, or retention of DNA, and individuals do not have the right to access their own information stored on the database.[39] These are significant gaps in the proposed legislation as it restricts the rights of the individual.

In conclusion, India could benefit from having a legislation regulating, standardising, and harmonising the use, collection, analysis, and retention of DNA samples for crime-related purposes. The current 2012 draft of the Bill is a step in the right direction, and an improvement from the 2007 DNA Profiling Bill. The 2012 draft draws upon best practices from the US and Canada, but could also benefit from drawing upon best practices from countries like Scotland. Safeguards missing from the current draft that would strengthen the Bill include: limiting the scope of the DNA database to include only samples from a crime scene for serious crimes and not minor offenses, requiring the destruction of DNA samples once a DNA profile is created, clearly defining when a court order is needed to collect DNA samples, defining when consent is required and is not required from the individual for a DNA sample to be taken, and ensuring that the individual has a right of appeal.

[1]. Law Commission of India. Review of the Indian Evidence Act 1872. Pg. 43 Available at: http://lawcommissionofindia.nic.in/reports/185thReport-PartII.pdf. Last accessed: October 9th 2012.
[2]. Section 53. The Criminal Code of Procedure, 1973. Available at: http://www.vakilno1.com/bareacts/crpc/s53.htm. Last accessed October 9th 2012.
[3]. Department of Biotechnology. Ministry of Science & Technology GOI. Annual Report 2009 – 2010. pg. 189. Available at: http://dbtindia.nic.in/annualreports/DBT-An-Re-2009-10.pdf. Last Accessed October 9th 2012.
[4]. Chhibber, M. Govt Crawling on DNA Profiling Bill, CBI urges it to hurry, cites China. The Indian Express. July 12 2010. Available at: http://www.indianexpress.com/news/govt-crawling-on-dna-profiling-bill-cbi-urges-it-to-hurry-cites-china/645247/0. Last accessed: October 9th 2012.
[5]. Perspective Plan for Indian Forensics. Final report 2010. Table 64.1 -64.3 pg. 264-267. Available at: http://mha.nic.in/pdfs/IFS%282010%29-FinalRpt.pdf. Last accessed: October 9th 2012. And CBI Manual. Chapter 27. Available at: http://mha.nic.in/pdfs/IFS%282010%29-FinalRpt.pdf. Last accessed: October 9th 2012.
[6]. For example: International Forensic Sciences, DNA Labs India (DLI), Truth Labs and Bio-Axis DNA Research Centre (P) Limited.
[7]. Draft Human DNA Profiling Bill 2012. Introduction.
[8]. Id. section 12(a-z)
[9]. Id. Definition l. “DNA Profile” means results of analysis of a DNA sample with respect to human identification.
[10]. Id. Definition m. “DNA sample” means biological specimen of any nature that is utilized to conduct CAN analysis, collected in such manner as specified in Part II of the Schedule.
[11]. The UK DNA database and the European Court of Human Rights: Lessons India can learn from UK mistakes. PowerPoint Presentation. Dr. Helen Wallace, Genewatch UK. September 2012.
[12]. Hope, C. Crimes solved by DNA evidence fall despite millions being added to database. The Telegraph. November 12th 2008. Available at: http://www.telegraph.co.uk/news/uknews/law-and-order/3418649/Crimes-solved-by-DNA-evidence-fall-despite-millions-being-added-to-database.html. Last accessed: October 9th 2012
[13]. Draft Human DNA Profiling Bill 2012. Section 32 (4(a-g))
[14]. Id. Section 35
[15]. Id. Schedule: List of applicable instances of Human DNA Profiling and Sources of Collection of Samples for DNA Test.
[16]. Gruber J. Forensic DNA Databases. Council for Responsible Genetics. September 2012. Powerpoint presentation.
[17]. Draft Human DNA Profiling Bill 2012. Section 32 (5)- 6)(a)-(b^[+] . Indices will only contain DNA identification records and analysis prepared by the laboratory and approved by the DNA Board, while profiles in the offenders index will contain only the identity of the person, and other profiles will contain only the case reference number.
[18]. Id. Section 39
[19]. Id. Section 40(c)
[20]. CDFD. Annual Report 2010-2011. Pg19. Available at: http://www.cdfd.org.in/images/AR_2010_11.pdf. Last accessed: October 9th 2012.
[21]. Caste and origin of state is a field of information that is required to be completed when an ‘identification form’ is sent to the CDFD along with a DNA sample for analysis. Form available at: http://www.cdfd.org.in/servicespages/dnafingerprinting.html
[22]. Report of the Working Group for the Eleventh Five Year Plan (2007 – 2012). October 2006. Pg. 152. Section: R&D Relating Services. Available at: http://planningcommission.nic.in/aboutus/committee/wrkgrp11/wg11_subdbt.pdf. Last accessed: October 9th 2012
[23]. Evans. M. Night Stalker: police blunders delayed arrest of Delroy Grant. March 24th 2011. The Telegraph. Available at: http://www.telegraph.co.uk/news/uknews/crime/8397585/Night-Stalker-police-blunders-delayed-arrest-of-Delroy-Grant.html. Last accessed: October 10th 2012.
[24]. Narayan, P. A prisoner DNA database: Tamil Nadu shows the way. May 17th 2012. Available at: http://timesofindia.indiatimes.com/india/A-prisoner-DNA-database-Tamil-Nadu-shows-the-way/iplarticleshow/5938522.cms. Last accessed: October 9th 2012.
[25]. BioAxis DNA Research Centre (P) Limited. Website Available at: http://www.dnares.in/dna-databank-database-of-india.php. Last accessed: October 10th 2012.
[26]. Times of India. AFMC to open DNA profiling centre today. February 2012. Available at:http://articles.timesofindia.indiatimes.com/2012-02-08/pune/31037108_1_dna-profile-dna-fingerprinting-data-bank. Last accessed: October 10th 2012.
[27]. Siddiqui, P. UP makes DNA sampling mandatory with postmortem. Times of India. September 4th 2012. Available at:http://articles.timesofindia.indiatimes.com/2012-09-04/lucknow/33581061_1_dead-bodies-postmortem-house-postmortem-report. Last accessed: October 10th 2012.
[28]. Draft DNA Human Profiling Bill 2012. Introduction
[29]. Council for Responsible Genetics. Overview and Concerns Regarding the Indian Draft DNA Profiling Bill. September 2012. Pg. 2. Available at: http://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf/view. Last accessed: October 9th 2012.
[30]. DNA. Aarushi case: Expert forgets samples collected from murder spot. August 28th 2012. Available at: http://www.dnaindia.com/india/report_aarushi-case-expert-forgets-samples-collected-from-murder-spot_1733957. Last accessed: October 10th 2012.
[31]. India Today. Daughter rape case: French diplomat’s DNA test is inconclusive. July 7th 2012. Available at: http://indiatoday.intoday.in/story/french-diplomat-father-rapes-daughter-dna-test-bangalore/1/204270.html. Last accessed: October 10th 2012.
[32]. The Times of India. DNA tests indicate Abhishek raped woman. May 30th 2006. Available at: http://articles.timesofindia.indiatimes.com/2006-05-30/india/27826225_1_abhishek-kasliwal-dna-fingerprinting-dna-tests. Last accessed: October 10th 2012.
[33]. Draft Human DNA Profiling Bill 2012. Section 18-27.
[34]. Department of Biotechnology. DNA Fingerprinting & Diagnostics, Hyderabad. Available at: http://dbtindia.nic.in/uniquepage.asp?id_pk=124. Last accessed: October 10 2012.
[35]. CDFD Annual Report 2010 – 2011.Pg.19. Available at: http://www.cdfd.org.in/images/AR_2010_11.pdf. Last accessed: October 10th 2012.
[36]. CDFD Annual Report 2006-2007.Pg. 13. Available at: http://www.cdfd.org.in/images/AR_2006_07.pdf. Last accessed: October 10th 2012.
[37]. Draft Human DNA Profiling Bill 2012. Section 35
[38]. Id. Section 41.
[39].Council for Responsible Genetics. Overview and Concerns Regarding the Indian Draft DNA Profiling Bill. September 2012. Pg. 9 Available at: http://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf/view. Last accessed: October 9th 2012.

For more details visit https://cis-india.org/internet-governance/blog/epw-web-exclusives-oct-27-2012-elonnai-hickok-rethinking-dna-profiling-india

Rethinking Acquisition of Digital Devices by Law Enforcement Agencies

Harikartik Ramesh — 2022-05-02T09:27:54Z

This article has been selected as a part of The Right to Privacy and the Legality of Surveillance series organized in collaboration with the RGNUL Student Research Review (RSRR) Journal.

Read the article originally published in RGNUL Student Research Review (RSRR) Journal

Abstract

The Criminal Procedure Code was created in the 1970s when the concept of the right to privacy was highly unacknowledged. Following the Puttuswamy I (2017) judgement of the Supreme Court affirming the right to privacy, these antiquated codes must be re-evaluated. Today, the police can acquire digital devices through summons and gain direct access to a person’s life, despite the summons mechanism having been intended for targeted, narrow enquiries. Once in possession of a device, the police attempt to circumvent the right against self-incrimination by demanding biometric passwords, arguing that the right does not cover biometric information . However, due to the extent of information available on digital devices, courts ought to be cautious and strive to limit the power of the police to compel such disclosures, taking into consideration the right to privacy judgement.

Keywords: Privacy, Criminal Procedural Law, CrPc, Constitutional Law

Introduction

New challenges confront the Indian criminal investigation framework, particularly in the context of law enforcement agencies (LEAs) acquiring digital devices and their passwords. Criminal procedure codes delimiting police authority and procedures were created before the widespread use of digital devices and are no longer pertinent to the modern age due to the magnitude of information available on a single device. A single device could provide more information to LEAs than a complete search of a person’s home; yet, the acquisition of a digital device is not treated with the severity and caution it deserves. Following the affirmation of the right to privacy in Puttuswamy I (2017), criminal procedure codes must be revamped, taking into consideration that the acquisition of a person’s digital device constitutes a major infringement on their right to privacy.

Acquisition of digital devices by LEAs through summons

Section 91 of the Criminal Procedure Code (CrPc) grants powers to a court or police officer in charge of a police station to compel a person to produce any form of document or ‘thing’ necessary and desirable to a criminal investigation. In Rama Krishna v State, ‘necessary’ and ‘desirable’ have been interpreted as any piece of evidence relevant to the investigation or a link in the chain of evidence. Abhinav Sekhri, a criminal law litigator and writer, has argued that the wide wording of this section allows summons to be directed towards the retrieval of specific digital devices.

As summons are target-specific, the section has minimal safeguards. However, several issues arise in the context of summons regarding digital devices. In the current day, access to a user’s personal device can provide comprehensive insight into their life and personality due to the vast amounts of private and personal information stored on it. In Riley v California, the Supreme Court of the United States (SCOTUS) observed that due to the nature of the content present on digital devices, summons for them are equivalent to a roving search, i.e., demanding the simultaneous production of all contents of the home, bank records, call records, and lockers. The Riley decision correctly highlights the need for courts to recognise that digital devices ought to be treated distinctly compared to other forms of physical evidence due to the repository of information stored on digital devices.

The burden the state must surpass in order to issue summons is low as the relevancy requirement is easily provable. As noted in Riley, police must identify which evidence on a device is relevant. Due to the sheer amount of data on phones, it is very easy for police to claim that there will surely be some form of connection between the content on the device and the case. Due to the wide range of offences available for Indian LEAs to cite, it is easy for them to argue that the content on the device is relevant to any number of possible offences. LEAs rarely face consequences for slamming the accused with a huge roster of charges – even if many of them are baseless – leading to the system being prone to abuse. The Indian Supreme Court in its judgement in Canara Bank noted that the burden of proof must be higher for LEAs when investigations violate the right to privacy. Tarun Krishnakumar notes that the trickle-down effect of Puttuswamy I will lead to new privacy challenges with regards to a summons to appear in court. Puttuswamy I, will provide the bedrock and constitutional framework, within which future challenges to the criminal process will be undertaken. It is important for the court to recognise the transformative potential within the Puttuswamy judgement to help ensure that the right to privacy of citizens is safeguarded. The colonial logic of policing – wherein criminal procedure law was merely a tool to maximise the interest of the state at the cost of the people – must be abandoned. Courts ought to devise a framework under Section 91 to ensure that summons are narrowly framed to target specific information or content within digital devices. Additionally, the digital device must be collected following a judicial authority issuing the summons and not a police authority. Prior judicial warrants will require LEAs to demonstrate their requirement for the digital device; on estimating the impact on privacy, the authority can issue a suitable summons. Currently, the only consideration is if the item will furnish evidence relevant to the investigation; however, judges ought to balance the need for the digital device in the LEA’s investigation with the users’ right to privacy, dignity, and autonomy.

Puttuswamy I provides a triple test encompassing legality, necessity, and proportionality to test privacy claims. Legality requires that the measure be prescribed by law, necessity analyses if it is the least restrictive means being adopted by the state, and proportionality checks if the objective pursued by the measure is proportional to the degree of infringement of the right. The relevance standard, as mentioned before, is inadequate as it does not provide enough safeguards against abuse. The police can issue summons based on the slightest of suspicions and thus get access to a digital device, following which they can conduct a roving enquiry of the device to find evidence of any other offence, unrelated to the original cause of suspicion.

Unilateral police summons of digital devices cannot pass the triple test as it is grossly disproportionate and lacks any form of safeguard against the police. The current system has no mechanism for overseeing the LEAs; as long as LEAs themselves are of the view that they require the device, they can acquire it. In Riley, SCOTUS has already held that warrantless seizure of digital devices constitutes a violation of the right to privacy. India ought to also adopt a requirement of a prior judicial warrant for the procurement of devices by LEAs. A re-imagined criminal process would have to abide by the triple test in particular proportionality wherein the benefit claimed by the state ought not to be disproportionate to the impact on the fundamental right to privacy; and further, a framework must be proposed to provide safeguards against abuse.

Compelling the production of passwords of devices

In police investigations, gaining possession of a physical device is merely the first step in acquiring the data on the device, as the LEAs still require the passcodes needed to unlock the device. LEAs compelling the production of passcodes to gain access to potentially incriminating data raises obvious questions regarding the right against self-incrimination; however, in the context of digital devices, several privacy issues may crop up as well.

In Kathi Kalu Oghad, the SC held that compelling the production of fingerprints of an accused person to compare them with fingerprints discovered by the LEA in the course of their investigation does not violate the right to protection against self-incrimination of the accused. It has been argued that the ratio in the judgement prohibits the compelling of disclosure of passwords and biometrics for unlocking devices because Kathi Kalu Oghad only dealt with the production of fingerprints in order to compare the fingerprints with pre-existing evidence, as opposed to unlocking new evidence by utilising the fingerprint. However, the judgement deals with self-incrimination and does not address any privacy issues.

The right against self-incrimination approach alone may not be enough to resolve all concerns. Firstly, there may be varying levels of protection provided to different forms of password protections on digital devices; text- and pattern-based passcodes are inarguably protected under Art. 20(3) of the Constitution. However, the protection of biometrics-based passcodes relies upon the correct interpretation of the Kathi Kalu Oghad precedent. Secondly, Art. 20(3) only protects the accused in investigations and not when non-accused digital devices are acquired by LEAs and the passcodes of the devices demanded.

Therefore, considering the aforementioned points, it is pertinent to remember that the right against self-incrimination does not exist in a vacuum separate from privacy. It originates from the concept of decisional autonomy – the right of individuals to make decisions about matters intimate to their life without interference from the state and society. Puttuswamy I observed that decisional autonomy is the bedrock of the right to privacy, as privacy allows an individual to make these intimate decisions away from the glare of society and/or the state. This has heightened importance in this context as interference with such autonomy could lead to the person in question facing criminal prosecution. The SC in Selvi v Karnataka and Puttuswamy I has repeatedly affirmed that the right against self-incrimination and the right to privacy are linked concepts, with the court observing that the right to remain silent is an integral aspect of decisional autonomy.

In Virendra Khanna, the Karnataka High Court (HC) dealt with the privacy and self-incrimination concerns caused by LEAs compelling the disclosure of passwords. The HC brushes aside concerns related to privacy by noting that the right to privacy is not absolute and that an exception to the right to privacy is state interest and protection of law and order (para 5.11), and that unlawful disclosure of material to third parties could be an actionable wrong (para 15). The court’s interpretation of privacy effectively provides a free pass for the police to interfere with the right to privacy under the pretext of a criminal investigation. This conception of privacy is inadequate as the issue of proportionality is avoided, and the court does not attempt to ensure that the interference is proportionate with the outcome.

US courts also see the compelling of production of passcodes as an issue of self-incrimination as well as privacy. In its judgement in Application for a Search Warrant, a US court observed that compelling the disclosure of passcodes existed at an intersection of the right to privacy and self-incrimination; the right against self-incrimination serves to protect the privacy interests of suspects.

Disclosure of passwords to digital devices amounts to an intrusion of the privacy of the suspect as the collective contents on the digital device effectively amount to providing LEAs with a method to observe a person’s mind and identity. Police investigative techniques cannot override fundamental rights and must respect the personal autonomy of suspects – particularly, the choice between silence and speech. Through the production of passwords, LEAs can effectively get a snapshot of a suspect’s mind. This is analogous to the polygraph and narco-analysis test struck down as unconstitutional by the SC in Selvi as it violates decisional autonomy.

As Sekhri noted, a criminal process that reflects the aspirations of the Puttuswamy judgement would require LEAs to first explain with reasonable detail the material which they wish to find in the digital devices. Secondly, they must provide a timeline for the investigation to ensure that individuals are not subjected to inexhaustible investigations with police roving through their devices indefinitely. Thirdly, such a criminal process must demand, a higher burden to be discharged from the state if the privacy of the individual is infringed upon. These aspirations should form the bedrock of a system of judicial warrants that LEAs ought to be required to comply with if they wish to compel the disclosure of passwords from individuals. The framework proposed above is similar to the Virendra Khanna guidelines, as they provide a system of checks and balances that ensure that the intrusion on privacy is carried out proportionately; additionally, it would require LEAs to show a real requirement to demand access to the device. The independent eyes of a judicial magistrate provide a mechanism of oversight and a check against abuse of power by LEAs.

Conclusion

The criminal law apparatus is the most coercive power available to the state, and, therefore, privacy rights will become meaningless unless they can withstand it. Several criminal procedures in the country are rooted in colonial statutes, where the rights of the populace being policed were never a consideration; hence, a radical shift is required. However, post-1947 and Puttuswamy, the ignorance and refusal to submit to the rights of the population can no longer be justified and significant reformulation is necessary to guarantee meaningful protections to device owners. There is a need to ensure that the rights of individuals are protected, especially when the motivation for their infringement is the supposed noble intentions of the criminal justice system. Failing to defend the right to privacy in these moments would be an invitation for allowing the power of the state to increase and inevitably become absolute.

For more details visit https://cis-india.org/internet-governance/blog/rethinking-acquisition-of-digital-devices-by-law-enforcement-agencies

Response to the Pegasus Questionnaire issued by the SC Technical Committee

Anamika Kundu, Digvijay, Arindrajit Basu, Shweta Mohandas and Pallavi Bedi — 2022-04-13T14:45:41Z

On March 25, 2022, the Supreme Court appointed Technical Committee constituted to examine the allegations of alleged unauthorised surveillance using the Pegasus software released a questionnaire seeking responses and comments from the general public.

The questionnaire had 11 questions and the responses had to be submitted through an online form- which was available here. The last date for submitting the response was March 31, 2022. CIS had submitted the following responses to the questions in the questionnaire. Access the Response to the Questionnaire

For more details visit https://cis-india.org/internet-governance/blog/response-to-pegasus-questionnaire-issued-by-sc-technical-committee

Response Submission on TRAI's Consultation Paper on Privacy, Security and Ownership of Data in Telecom Sector

Amber Sinha, Elonnai Hickok and Udbhav Tiwari — 2019-03-13T00:27:30Z

CIS submitted its comments on the consultation paper on privacy, security and ownership of data in telecom sector which was published by the Telecom Regulatory Authority of India on August 9, 2017.

The submission is divided in four parts. The first part introduces the document, the second part gives an overview of CIS and its work, the third part contains general comments on the consultation paper and the fourth part contains specific comments on questions posed in the consultation paper. Click to read the full submission made to the Telecom Regulatory Authority of India on November 6, 2017.

For more details visit https://cis-india.org/telecom/blog/response-submission-on-trais-consultation-paper-on-privacy-security-and-ownership-of-data-in-telecom-sector