Centre for Internet and Society

Re-thinking Key Escrow

natasha — 2011-08-22T11:44:21Z

Would you make duplicates of your house keys and hand them over to the local police authority? And if so, would you feel safe? Naturally, one would protest this invasion of privacy. Similarly, would it be justified for the government to have a copy of the private key to intercept and decrypt communications? This is the idea behind key escrow; it enables government ‘wiretapping’.

The evolution of technology has allowed for increased communication and interconnectedness among people, markets and institutions all over the globe. This has increasingly facilitated the transaction and exchange of all kinds of information. However, this has raised major ethical concerns surrounding the privacy of communication and security of information. Key encryption is an important tool developed to preserve an individual’s privacy. It involves transforming information, so as to ensure that it is unreadable. The need for encryption is irrefutable.

Governments and authorities are concerned with the difficulties associated with accessing and intercepting the encrypted communication. For lawful interception a recovery key is escrowed with a trusted third party. Key escrow is controversial as it is vulnerable to lawful interception and has the potential to threaten the security of sensitive and personal data. In India, key escrow is a requirement under the Indian Internet Service Provider (ISP) license. This means that an ISP, a law enforcement agency, or other party has the potential to partake in covert surveillance and maliciously use the key, thereby compromising the data.

In a short video Jim X. Dempsey, Vice President of Public Policy at the Centre for Democracy and Technology in Washington, DC reviews the public policy battle over key escrow in the United States that took place in the 1990's. At the time the U.S government’s approach to encryption technology involved the use of key escrow in communication devices. One danger of using key escrow in this way was that it allowed for the commercial use of encryption technology, provided that a copy of the private key is held in escrow by the U.S. government. The use of key escrow also permitted the U.S. government to decrypt all data transmitted across communication networks. The risks associated with the use of key escrow led to widespread dissatisfaction from the private sector in the U.S., which ultimately led to the rejection of encryption technology by the President and Congress. In response to the strong negative feedback given by different stakeholders, the US government lifted the controls on encryption technology thereby allowing it to become widely available.

The use of key escrow in India should be seriously reconsidered. Foremost, it subverts basic constitutional practices by violating various freedoms and civil liberties guaranteed in the fundamental rights. Secondly, it threatens the security of personal information. Lastly, it could significantly hinder the growth of e-commerce, transactions, and purchases made over the Internet. The Indian government should take into consideration the failed attempt in implementing the system of key escrow in the United States when deciding on whether or not to implement the use of key escrow in India.

Please see Jim Dempsey’s account on the Short History of Key Escrow.

For more details visit https://cis-india.org/internet-governance/blog/privacy/key-escrow

Better Understanding of the Idea of Privacy Sought

praskrishna — 2011-08-08T07:40:18Z

Understanding the ways in which an individual's privacy is violated will help provide a better definition of privacy in India. At a public conference called ‘Privacy Matters' held at the Madras Institute of Development Studies (MIDS) here on Saturday, speakers underscored the need for discussions surrounding the privacy bill.

Prashant Iyengar from Privacy India said, "In India, we do not have a set view on privacy. There is a lot of articulation around privacy in law, yet we do not have an omnibus concept." He stressed the importance of bringing about discussions around the adequacy of safeguards.

Post 26/11 terror attacks, the country has seen an enhancement of electronic surveillance and the proliferation of databases that collect information from individuals, said Santhosh Babu, Secretary, Information Technology Department.

"The problem arises when these databases are misused for political or other reasons. In a legal framework, we have to figure out what information can be given out, what cannot and what can be misused," he said. He stressed the importance of databases going through a software development lifecycle to make them more secure.

Speaking from a media practitioner's perspective, Sashi Kumar, Chairman, Media Development Foundation, said it is the business of the media to conduct sting operations especially when people in power are obfuscating information. “Sting operations are legitimate when larger public good is at stake. We have to be aware of this when we discuss the privacy bill. It should not protect people in power and keep exposure at bay,” he said. He also stressed that privacy is closely linked with the dignity of the person. R. Ramamurthy, Chairman, Cyber Society of India said, “The definition of privacy varies from what it was twenty years ago to what it is today. A lot has changed since the internet came to India.” The statutes that govern all forms of communication in India should be revamped, he said. Discussions around privacy in relation to telecommunications, financial transactions, consumer rights and basic rights followed. The conference was a collaborative effort between Privacy India, Citizen Consumer and Civic Action Group, Chennai and MIDS.

A staff reporter from the Hindu covered the event. The original can be read here

For more details visit https://cis-india.org/news/better-understanding-of-privacy

UID: Nothing to Hide, Nothing to Fear?

shilpa — 2011-09-28T11:44:21Z

Isn’t it interesting that authorities ask you about your identity and you end up showing your proof of existence! Isn’t this breaching into one’s personal life? Why so much transparency only from the public side? Why can’t the government be equally transparent to the public?, asks Shilpa Narani.

Before I get into an argument, I would like to share with you that my research is based on a comparative study of articles published on UID in leading newspapers like the Times of India, the Indian Express, the Hindustan Times, and its supplement LiveMint, Business Standard, Asian Age, DNA India, Bangalore Mirror, Deccan Chronicle and Deccan Herald. My research shows that the government officials and the individuals working for the UIDAI, who are involved in proposing identity system, are in fact hide their own identity from the public.

Background

A pan-India project to “identify” each resident was formally inaugurated in 2009, with the establishment of the Unique Identification Authority of India (UIDAI) as an office attached to the Planning Commission.[1] The goal of the Unique ID project is to issue a unique identity number to every resident in the country. The Unique Identification number (UID) will be linked to every resident’s basic demographic and biometric details, and stored in the UIDAI central database.[2] Now a 12 digit number will henceforth decide whether you exist or not? It will decide whether you remain a known or an unknown person? With this blog I would like to highlight the irony in the UIDAI's attempt to establish if a person is known or is unknown with a 12 digit number.

An identity card virus seems to be spreading across India. Everyone is praising the UID and the social, economic, and political improvements it will bring. “The aim of the UID scheme is to bring transparency in the system,'' says Sonia Gandhi.[3] One has to wonder though — if the aim of the UID is to bring transparency, why it is that government and UIDAI officials are not transparent themselves?

Findings

According to my research, in 55 news articles taken from different newspapers mentioned above, there are 66 persons who shared their views on UID only on the condition of anonymity. Most of these individuals were public servants who themselves did not wish to be identified. For instance, one individual was from the department of information technology, who is working on the UID project and with the UIDAI itself.

Total Anonymous

As one can see from the graph above, the total number of anonymous people sharing their perspectives on the UID are more than the total number of identified people sharing their perspective on the UID. Below is a detailed review of UID articles from each newspaper:

Times of India: Out of 13 articles, Times of India quoted nine anonymous sources in which there were HRD officials, civic sources, sources from census operation department, collectorate sources, senior postal officials, UIDAI officials, and unclassified individuals. Times of India only quoted four identified sources.

Indian Express: Out of 10 articles, the Indian Express quoted twelve anonymous sources including sources from senior officials of the AADHAR office, senior Delhi government officials and some unclassified sources. Again only four identified sources were quoted.

LiveMint: Out of 7 articles, the Live Mint quoted 15 anonymous sources including sources from the Information Regulatory and Development Authority (IRDA), UIDAI, Bank of India, a senior SEBI official, sources from ministry, etc. Only 11 sources revealed their identity.

Hindustan Times: Out of 3 articles, there were 6 anonymous sources, and 5 sources that were identified. Anonymous sources were from UIDAI, finance ministry, and other government officials.

Deccan Herald: Out of 11 articles, there were 14 anonymous sources and only 6 were identified. Anonymous sources included UIDAI officials, banks, senior officials from government, and unclassified sources as well.

Asian Age: Out of 4 articles, there were 5 anonymous sources. Anonymous sources included government officials and some unclassified officials.

Power of Identity: Why is anonymity important?

UID has the potential to threaten an individual’s ability to be anonymous in society. Anonymity results when the personal identity or personally identifiable information of a person is not known. As demonstrated above, a certain amount of anonymity already exists in India today, but with the coming of the UID there is the potential that this will be changed.

Conclusion

As Sonia Gandhi herself said, the UID's aim is to bring transparency in the system. Though the government is eager to make the Indian public transparent in their everyday lives, clearly from the analysis above, individuals working for the government and UIDAI are not comfortable being transparent to the public. It is ironic that the individuals developing and working for this scheme are not willing to voice their opinion and be identified, but private individuals are. Though the UID scheme is being promoted as a way to make the people accountable and visible in the eyes of the government, from the very start of the project the UIDAI and government have kept themselves under a cloud of secrecy. The government’s non-transparent attitude towards this project and the unawareness of its use on the people makes the whole scheme shady and unnecessary.

Notes

[1]http://uidai.gov.in/UID_PDF/Front_Page_Articles/Documents/Strategy_Overveiw-001.pdf

[2]http://uidai.gov.in/UID_PDF/Working_Papers/UID_and_iris_paper_final.pdf

[3]http://articles.timesofindia.indiatimes.com/2010-09-30/india/28243557_1_uid-number-unique-id-numbers-tembhli

Download the UID Summary Grid here [Excel, 19kb]

For the summary of articles in newspapers, click here

For more details visit https://cis-india.org/internet-governance/blog/privacy/uid-nothing-to-hide-fear

An Overview of DNA Labs in India

shilpa — 2016-02-02T13:11:31Z

DNA fingerprinting has become the most precise and technologically advanced method for identifying crimes such as murder, kidnapping, robbery and rape. Police and judicial authorities and in some cases even private parties retain this in their records, writes Shilpa in this blog post.

At present, India does not have a national law that empowers the government to collect and store DNA profiles of convicts but if the Parliament of India passes the DNA Profiling Bill,[1] 2007, India will soon join countries such as the US and UK in creating a national DNA database.[2] Government, CBI and organizations connected with the investigation process argue that data retention is necessary to combat terrorism and crime. According to Google Transparency Report [3] for the first half of 2010, India had 1,430 data requests, which made it one of the top nations in generating government inquiries for information.

In this blog I am citing my interviews with DNA labs, Issues regarding lab samples and data, and DNA Profiling Bill 2007 on lab practices. I am thankful to Anthony Jackson and Dr. Helen Wallace, Executive Director from Gene watch UK who helped me with the questionnaire for survey interview.

Interviews with DNA labs

I interviewed few government as well as private labs to find out how DNA practices are being carried out. This was to highlight ways in which DNA testing raises privacy concerns.

In public labs, DNA testing is used for the forensic purposes only. These labs are funded by the government whereas private labs deal with legal as well as private purposes. DNA Labs India (DLI), Truth Labs and Bio-Axis DNA Research Centre (P) Limited are some leading private firms involved in DNA testing.

Dr. Madhusudan Reddy Nandineni, who is the Scientist and In-charge of the Centre for DNA Fingerprinting and Diagnostics (CDFD) talked about the working of DNA practise and services provided by their laboratory. “CDFD located in Hyderabad is an autonomous institution supported by the Department of Biotechnology and Ministry of Science. CDFD provides services for DNA testing for establishment of parentage, identification of mutilated remains, establishment of biological relationships for immigration, organ transplantation, property inheritance cases, identification of missing children and child swapping in hospitals, identification of rapists in rape cases, and murderers in murder cases. CDFD assists police personnel, forensic scientists, lawyers and the judiciary”, says Dr. Madhusudan Nandineni over a telephonic interview.

The ND Tiwari Case (Published in the Deccan Herald, 24 July 2011)
Eighty-five-year-old leader ND Tiwari was asked to undergo a DNA test in the paternity suit filed by Rohit Shekhar who claims to be his biological son. The high court asked the Centre for DNA Fingerprinting and Diagontics (CDFD) at Hyderabad to conduct a DNA test on Tiwari.[4] Also refusing to grant any relief to Tiwari, the court said that considering the age of the leader, it is necessary to have a DNA test so that the Rohit Shekhar is not left without any remedy if something happens to Tiwari. The court said that it is the right of a child to know his or her biological father.[5]

Dr. BK Mahapatra, Assistant Director, Biology & DNA Finger printing Unit at Central Forensic Science Laboratory, Delhi says “CFSL undertakes cases referred by CBI, Delhi police, judiciary, vigilance department of ministries, public undertakings and state/central government departments. We don’t contract with private laboratory to do a DNA testing. We accept all type of DNA cases submissions like criminal, known, unknown, etc. CFSL saves DNA samples for re-testing, however, for this we do have a privacy policy followed by National Accreditation Board for Testing and Calibration Laboratories (NABL). It is an autonomous body under the aegis of the Department of Science and Technology, Government of India and is registered under the Societies Act”, he clarified.

In a telephonic interview with Ravi Kiran Reddy, DNA expert, DLI a, tells us about the services provided and security supervise by the laboratory. “DLI provides services for paternity testing, forensic testing, prenatal testing, and genetic testing. DLI contracted with a private laboratory to do DNA testing. We accept all DNA cases like suicide attempts, cases from Indian Army, etc. DLI saves DNA samples for re-testing for six months and if necessary for life time and a database is also maintained. He further said that to protect and secure database, bar coding is being prepared and therefore, no identity is revealed.

Some of the labs refused to participate in the research exercise like the truth labs. Truth Labs is a private lab that provides legal services directly, without a court or police order.[6] Another private laboratory which provides DNA testing is Bio-Axis DNA Research Centre. It also provide various DNA Identification services for private purposes, legal purposes, peace of mind, confidential purposes, immigration purposes, crime investigation and human identification purposes.[7]

Issues Regarding Lab Samples and Data

Readers may have heard of rapists being caught because of a match between a suspect's DNA and sperm left behind in a victim. Or, as often the case, an innocent person may be released because the DNA of that person does not match that found in a crime scene.[8]

Possibility of Framing Innocents: Kshitij Urs, an Action Aid said, “There can be some problems if one were to rely too much on DNA databases in the criminal justice system as DNA evidence can be planted in a crime scene intentionally”, in an event organised by CIS.
Insecurity of Centralised Storage: With DNA tests, a patient's medical file will contain information they would prefer to be confidential. But the whole idea of general DNA testing will only be effective if the data is stored in a single electronic database, which makes the confidentiality problem extremely pressing. For example, the results of DNA testing might reveal that a person who is legally a child's father isn't really his biological father.[9]
Other Privacy Concerns: DNA contains information that raises a much broader privacy and other civil liberties concerns. It can tell investigators about ourselves, our family members, diseases we may have inherited our physical attributes and broad ancestry. Genetic information can be used in all sorts of discriminatory ways.[10]

What can be done?
There should be a DNA retention policy to protect an individual. It will identify personal data which has to be maintained and contain guidelines for how long certain documents should be kept and how they should be destroyed.[11] In the situation of DNA collection and testing privacy cannot be protected simply through consent from an individual. Instead the law must permit specific thresholds to be established in order to cover the privacy needs of different situations. DNA profiling Bill 2007 will regulate the use of DNA profiles which is pending in the Parliament.

DNA Profiling Bill 2007 on Lab Practices

According to the DNA Profiling Bill there are certain rules for the DNA laboratories which are followed by these labs.

Prohibition for undertaking DNA procedures: It states that DNA laboratories have to take prior permission from the DNA Profiling Board to undertake any DNA procedures.
Security and minimize contamination: There should be proper facility of security and minimize contamination of DNA samples.
Confidentiality, Access to DNA Profiles, Samples and Records: DNA Profiling Bill states that all DNA profiles, samples and records forwarded to the DNA laboratory or any authority of the lab has to be kept confidential.
Use of DNA profiles, samples and records: All DNA profiles, samples and records should be used only for facilitating identification of the perpetrator(s) of a specified offence and also to identify victims of accidents, disasters or missing persons or for such other purposes.
Authorised Access: It also says that information stored on the DNA database system may be accessed by the authorized persons for the purposes of forensic comparison permitted under this Act, administering the DNA database system, accessing any information contained in it by law enforcement officers or any other persons, as may be prescribed, in accordance with provisions of any law for the time being in force, inquest or inquiry.
Restrictions on use of information on DNA profiles, samples and data identification records: Laboratory cannot use the information for any purpose other than the purpose for which the communication or access is permitted.
Destruction, alterations, contamination, tampering with biological evidence: The Bill states that whoever knowingly or intentionally destroys alters, contaminates or tampers with biological evidence will be punishable with imprisonment for a term which may extend to five years, or with fine not exceeding twenty thousand rupees, or with both.[12]

Conclusion

Currently the Bill allows for the complete storage of DNA of criminals, suspects, victims, offenders and volunteers.
There are no standard practices for data retention across lab. Thereby there is an increased risk that data might fall in wrong hands and information may also be misused. Therefore, DNA databases should be restricted to be stored for not more than a limited time period. Such indefinite retention of the DNA profiles of innocent individuals is a disproportionate and unnecessary interference with an individual’s right to privacy.
DNA labs in India have numerous constraints and operating in different level. Therefore, India has to be having even more carefully designed laws.

List of Laboratories

Central Forensic Science Laboratory, Delhi
Dr. BK Mahapatra
Associate Biology Division
Ph: 9312523536, 24360095
Mail: ssofs_dfs@dfs.gov.in

Centre For Fingerprinting and Diagnostics (CDFD), Hyderabad
Dr. Madhusudan Nandineni
Scientist and In-charge
Ph: 24749331, 24749330
Mail: dsp@cdfd.org.in

DNA Labs India, Hyderabad
Ravi Kiran Reddy
Ph: 9395142800
Mail: info@dnalabsindia.org

Bio-Axis DNA Research Centre
Ph: 9246338983
Mail: drc@dnares.in

Truth Labs, Hyderabad
Ph: 9490690222, 04023390999
Mail: gandhi@truthlabs.org

Notes

[1]http://timesofindia.indiatimes.com/topic/DNA-Profiling-Bill

[2]http://www.gene-watch.org/blog/post/India-May-Soon-Have-a-National-DNA-Database.aspx

[3]Amy Miller, “Google’s new tool shows which countries are censoring the internet” http://www.law.com/jsp/cc/PubArticleCC.jsp?id=1202472346375

[4]Paternity case: No relief for N D Tiwari as Supreme Court allows DNA test http://www.indianexpress.com/news/paternity-case-no-relief-for-n-d-tiwari-as/762146/

[5]Paternity case: ND Tiwari to provide blood sample for DNA test http://www.deccanherald.com/content/165408/paternity-case-nd-tiwari-provide.html

[6]http://www.truthlabs.org/

[7]Bio-Axis Research Centre, http://www.dnatestinginindia.ewebsite.com

[8]Sujatha Byravan , A public, private database http://www.indiatogether.org/2009/sep/hrt-dnadb.htm

[9]Vibhor Verdhan, Data Retention Policies- An Emerging Requirement & Various Compliances http://www.legalserviceindia.com/article/l428-Data-Retention-Policies.html

[10]Andrei Kislyakov , DNA testing: pros & cons http://en.rian.ru/analysis/20090104/119294260.html

[11]Vibhor Verdhan, Data Retention Policies- An Emerging Requirement & Various Compliances

[12]DNA Profiling Bill http://dbtindia.nic.in/DNA_Bill.pdf

Click here for the Survey Questions

Deoxyribonucleic acid (DNA) is the main constituent of the chromosomes of all organisms, and is found in the form of a double helix within the nucleus of every somatic cell. Consequently, a small sample of human body cells can be decoded to reveal a pattern that is shared only by a genetically identical twin. The DNA of each individual does not change during his lifetime. This technique is commonly used in police investigations and is termed ‘DNA fingerprinting. For more see the Wikipedia definition of DNA.

For more details visit https://cis-india.org/internet-governance/blog/privacy/dna-overview

Consumer Privacy in e-Commerce

sahana — 2012-03-28T04:53:17Z

Looking at the larger picture of national security versus consumer privacy, Sahana Sarkar says that though consumer privacy is important in the world of digital technology, individuals must put aside some of their civil liberties when it comes to the question of national security, as it is necessary to prevent societal damage.

What is Consumer Privacy?

In today’s digital economy generating consumer information is inevitable. Though some companies use the personal information they obtain to improve and provide more services to consumers, many companies use the information in an irresponsible manner.

In countries that do provide legal protection for consumer privacy, it is never protected as an absolute right. Consumer privacy is not considered an absolute right for three reasons:

What constitutes consumer privacy is culturally, contextually, individually defined
Consumer privacy often conflicts with other market rights
The ownership of a consumer's private information is debated — as consumer's believe they own the information and businesses believe they own the information.

In order to understand consumer privacy it is useful to outline the privacy expectations and strategies of both consumers and businesses, and to also examine the protection measures taken by firms to safeguard consumer information. The major privacy concerns held by consumer's can be broken down into three main domains:

Consumers want to be informed about the type of information that is being collected from them.
Consumers need to know that they a certain degree of control over the personal information that is being collected.
Consumers need to be assured that their personal information will be secure and will not be abused or stolen.

Though privacy has been defined by many as the "right to be let alone", its application in today’s modern world is not that straightforward. We live in a world where our purchasing behavior, both online and offline, is shared and used invisibly. For instance, if an individual uses a social networking site, it is possible for a third party application to access personal information that is shared. Similarly, if an individual uses a warranty card or loyalty card during a purchase, it is possible for third parties, like data brokers, to collect and use the individuals' personal information.

For instance,15 consumer privacy groups have filed a complaint against Facebook for limiting user's ability to browse anonymously. The complaint was regarding the fact that users only had the choice to designate personal information as publicly linkable, or to not provide information at all. Though Facebook claims to ensure users control over their personal data by allowing users to choose their privacy settings, it does not clarify that these setting can change at any given point. Moreover, the latest privacy embarrassment that hit Facebook proves again that Facebook does not protect users’ privacy. A few weeks ago Facebook admitted to passing personal information of its users onto different gaming applications. These gaming applications have in turn passed the information on to advertisers who otherwise could not have accessed the information.[1]

Breach of Privacy in Information Collection

Internet users often fear the loss of personal privacy, because of the ability businesses and their websites have to collect, store, and process personal data. For example, sites extract information from consumers through a form, and then record data about their user’s browsing habit. After collecting user information, the sites match the data with their personal and demographic information to create a profile of the user’s preferences, which is then used to promote targeted advertisements or provide customized services. The sites might also engage in web lining through which they price a consumer according to their profiles.

Online there are two main ways in which sites collect user information:

Sites collect information directly through a server software. Sites often use automatic software logs to do this.
A third party extracts information from the site without the consumer’s knowledge. Sites often place cookies on websites to extract user information.

Automatic software logs and third party cookie placement are two overlooked aspect of information collection. Cookies work by collecting personal information while a user surfs the net, and then feeds the information back to a Web server. Cookies are either used to remember the user, or are used by network advertising agencies to target product advertisements based on long term profiles of user’s buying and surfing habits. An example of a website that uses cookies is 'double click'. Web bugs are used by advertising networks to add information to the personal profiles stored in cookies. Web bugs are also used in junk email campaigns to see how many visits the site gets. Cookies and web bugs are just two out of hundreds of technologies used to collect personal information. [2]

Challenges Posed by Protection of Consumer Privacy

In conclusion, I would like to talk about the difficulty in maintaining a balance between the legal collections of information and protecting privacy of consumers. Above I demonstrated how this conflict arises between businesses and consumers — and is rooted in businesses wanting personal information for commercial reasons, and a user wanting protection and control over their own information. This conflict can also arise between consumers, businesses, and political bodies. An example that demonstrates this is the ongoing conflict between RIM (Research in Motion) and the Government of India. The Government of India has issued a warning against RIM saying that it would suspend its blackberry operations if they do not adhere to the Indian laws and regulations.

The Ministry of Home Affairs is demanding that RIM allow access to encrypted content that flows in and out of India. In other words the Government of India wants RIM to allow the security forces to have access to data sent using Blackberries by reducing encryption levels, or by providing the government with the decryption keys. The demand by the government is somewhat ironic as Blackberry manufacturers have developed the Blackberry encryption key to protect the consumers’ privacy during any business deal, so that information is not compromised. On the other side of the debate, the government is demanding access to Blackberry communications, because their inability to decrypt the codes makes countering the threats to national security difficult. This is especially true for a country like India, which is constantly facing threats from Maoists, and extremist Islamic groups.

This example highlights an important question: what is more important — national security or consumer privacy? In 2010, RIM agreed to negotiate access to consumer messages only where access requests are within local laws. Blackberry also agreed to not make any specific deals with consumers, and to make its enterprise systems security and confidentiality non-negotiable.

Conclusion

Though, consumer privacy is very important especially in a world of digital technology, however, when we speak of national security, I feel that individuals must set aside some of their civil liberties — at least to the extent that it is necessary to prevent societal damage. For a clearer understanding of national security vs consumer privacy look at the case of RIM Vs Indian Government in the following sites:

[1]http://www.ft.com/cms/s/0/198599e6-dc5f-11df-a0b9-00144feabdc0.html#axzz1O00LowtN

[2]http://cyber.law.harvard.edu/olds/ecommerce/privacytext.htmlFor an overview of some of these new data-collection technologies, along with some information on privacy-enhancing technologies such as P3P, see Developing Technologies.

For more details visit https://cis-india.org/internet-governance/blog/privacy/consumer-privacy-e-commerce

Video Surveillance and Its Impact on the Right to Privacy

Vaishnavi Chillakuru — 2011-09-29T05:35:56Z

The need for video surveillance has grown in this technologically driven era as a mode of law enforcement. Video Surveillance is very useful to governments and law enforcement to maintain social control, recognize and monitor threats, and prevent/investigate criminal activity. In this regard it is pertinent to highlight that not only are governments using this system, but residential communities in certain areas are also using this system to create a safer environment.

However, this move is fundamentally opposed by many civil rights and privacy groups across different jurisdictions and have expressed concern that by allowing continual increases in government surveillance of citizens that we will end up in a mass surveillance society, with extremely limited, or non-existent political and/or personal freedoms.

European Union

The Data Protection Directive [1]of 1995, a Directive was issued by the European Union (EU) to regulate the processing and free movement of personal data. In pursuance with this Directive, every country of the EU passed a legislation to govern the protection of personal data. In this regard, the United Kingdom (UK) enacted the Data Protection Act (DPA) in 1998 and the same was brought into force in the year 2001.

The DPA sets forth eight, Data Protection Principles (DPP)[2] to protect personal data in the public sphere. Although video surveillance has not been explicitly referred to in the legislation, the definition given by the DPA is broad enough to encompass it. The application of these principles to video surveillance has been made explicit through the publication of the CCTV Code of Practice (CoP) by the information commissioner. The CoP does not apply to surveillance cameras used for household purposes. Images captured for recreational purposes with a camera, video recorder, etc., are also exempt. The main features of the CoP have been summarized below:

It is important to ascertain who has the responsibility for the control of the images i.e., deciding what is to be recorded, how the images should be used and to whom they may be disclosed. The body which makes these decisions is called the data controller and is responsible for the compliance with the DPA. The body has to notify the information commissioner as to who the data controller is.
An impact assessment should be done to evaluate the scheme’s impact on the privacy rights of the public. While conducting such an assessment, the data controller should take into account what benefits can be gained, whether better solutions exist, and what effect it may have on individuals. The results of the assessment should be used to determine whether video surveillance is justified and if so, how it should be operated.
The camera equipment should be chosen so as to fulfill the purposes for which the surveillance is being carried out. They should have the necessary technical specification so that the images are of appropriate quality. The camera should be positioned in such a way that only those areas which are intended to be the subject of surveillance are covered.
Viewing of live feed must be restricted to authorized personnel only. The data controller should try and protect the images from public view. Disclosure of recorded images should also be controlled and limited to the purpose for which the surveillance was set up. All other requests for viewing images should be considered carefully and balanced against the privacy rights of other individuals who may be affected by the disclosure of the images.
The DPA does not prescribe any minimum or maximum period of retention. It should be ascertained keeping in mind the purpose for which the surveillance system was set up. However, the images should not be kept for longer than is strictly necessary.
There should be prominently placed signs to let people know that they are in an area which is under video surveillance. This can be supplemented by an audio announcement in places where public announcements are already being used, such as in stations. Systems in public spaces and shopping centres should have signs giving the name and contact details of the company, organisation or authority responsible.
Staff operating the system needs to be aware of the rights of the individual under the DPA.

Canada

Canada has two federal laws which deal with privacy — the Privacy Act, 1985 and the Personal Information Protection and Electronic Documents Act, 2000 (PIPEDA). The former protects privacy rights by limiting the collection, use and disclosure of personal information by the federal government departments and agencies whereas the latter deals with the collection, use and disclosure of personal information by private sector organizations. In addition to these two legislations, every province or territory has their own privacy legislations.

A privacy commissioner is appointed to receive and investigate complaints filed by Canadian citizens pertaining to allegations of violation of the Acts. They also conduct research into privacy issues and promote awareness. The privacy commissioner reports directly to the House of Commons and the Senate. Every province or territory may also have its own commissioner or ombudsman authorized to investigate complaints. The Office of the Privacy Commissioner of Canada (OPC) published two sets of guidelines in order to define and circumscribe the use of video surveillance and ensure that the impact on privacy is minimized.

The first set of guidelines is meant to guide the regulation of video surveillance (by law enforcement agencies) in public spaces i.e., in places where there is free and unrestricted access to everyone. These guidelines were drawn up after extensive discussions between the OPC and the Royal Canadian Mount Police (RCMP). However, these guidelines are to be considered merely as an aid and notwithstanding anything stated in the guidelines, the RCMP has the right to carry out its functions as it deems fit. Some of the important pointers are[3]

Video surveillance should only be used to address a "real and pressing problem" which is of sufficient in magnitude so as to warrant the overriding of the privacy rights of citizens. Hence, there should be "real and verifiable" instances of crime or concern for public safety.
Video surveillance should be conducted only as a last resort i.e., in circumstances where there in no other less privacy-intrusive alternative.
A "privacy impact assessment" should be conducted beforehand to assess the degree of interference that will result due to the video surveillance.
Relevant stakeholders (for example, members of the communities that will be affected by the surveillance systems) should be considered before arriving at a decision.
Video surveillance must comply with all applicable laws including over arching laws such as the Canadian Charter of Rights and Freedoms.
The video surveillance should be conducted in such a way that impact on the privacy rights of citizens is minimized. For example, limited use of video surveillance (e.g., for limited periods of day, public festivals, peak periods) should be preferred to be always on surveillance if it will achieve substantially the same result.
The public should be informed that they are under surveillance. Clear signs should be put up mentioning the perimeter of the surveillance areas, the person responsible for surveillance and his contact details in case of any queries.
Security of the equipment and images should be assured.
People whose images are recorded should be able to request access to their recorded personal information.

The second set of guidelines is with respect to video surveillance in private sector organizations. These guidelines apply to overt video surveillance of the public by private sector organizations in publicly accessible areas. They do not apply to covert video surveillance nor do they apply to the surveillance of employees.

"Determine whether a less privacy-invasive alternative to video surveillance would meet your needs.
Establish the business reason for conducting video surveillance and use video surveillance only for that reason.
Develop a policy on the use of video surveillance.
Limit the use and viewing range of cameras as much as possible.
Inform the public that video surveillance is taking place.
Store any recorded images in a secure location, with limited access, and destroy them when they are no longer required for business purposes.
Be ready to answer questions from the public. Individuals have the right to know who is watching them and why, what information is being captured, and what is being done with recorded images.
Give individuals access to information about themselves. This includes video images.
Educate camera operators on the obligation to protect the privacy of individuals.
Periodically evaluate the need for video surveillance."

United States of America

Statutory laws governing the regulation of video surveillance in America are scarce. While there are some state laws which regulate aspects of public video surveillance, there are virtually no federal laws which directly deal with it. However, video surveillance implicates certain constitutional doctrines — especially the first and the fourth amendments. Although it cannot be denied that the liberties enshrined by these amendments can be severely affected by continuous surveillance, so far, the American courts and jurisprudence on the subject have been very permissive.

Another important directive is the "Fair Information Practices" (FIP) originating from the recommendations written by the United States Government which provide certain rights to individuals with respect to the use and dissemination of personal information. Although these guidelines do not have the force of law, they can prove to be a valuable guide for the treatment of any government-held record containing personally identifiable information. The rights of individuals listed by the FIP, in their most basic form, have been given below:[4]

"Notice and awareness of the purpose of data collection, and how such information is used;
Consent to the collection of personal information, and choice concerning how it is used;
Access to and participation in the process of data collection and use, including the right to correct errors;
Integrity and security adequate to protect the information against loss or misuse; and
Redress and accountability for injury resulting from loss or misuse of personal information."

Also, the American Bar Association, in 1999, published standards for technologically-assisted physical surveillance, including video surveillance. Some of the key points of these guidelines are given below:

While regulating the use of video surveillance for law enforcement purposes, certain factors should be kept in mind. For example, the nature of the law enforcement objective or objectives sought to be achieved, the extent to which the surveillance will achieve the law enforcement objectives, the nature and extent of the crime involved, etc.
The extent to which the surveillance invades privacy should be assessed. While conducting such an assessment, care should be taken to enhance the privacy of the location under surveillance by taking into consideration the nature of the place, activity, condition, or location.
Alternate measures should be preferred over video surveillance in order to maintain a balance between the right to privacy and the need for surveillance.
Notice of the surveillance should be given when appropriate.
The scope of the surveillance should be limited to its authorized objectives and be terminated when those objectives are achieved.

Australia

Neither the Australian Federal Constitution nor the Constitutions of the six states and two territories contain any express provisions relating to privacy. However, there are several state and federal privacy laws governing specific sectors and aspects. The primary federal statute is the Privacy Act of 1988 (PA). This statute was enacted in a bid to give effect to Australia's commitment to the International Covenant on Civil and Political Rights and the Organization for Economic Cooperation and Development (OECD). There are four key areas of application of the Act out of which only two are relevant in the context of video surveillance. The first is the eleven Information Privacy Principles (IPPs), based on the OECD Guidelines. These principles are applicable to federal government agencies. The second is the National Privacy Principles (NPP) which regulates private sector organizations. However, private organizations can set forth their own "code of practice" and get it approved by the privacy commissioner as long as it does not go against the broad framework laid down by the NPPs.

Apart from the PA, each state or territory may have its own laws or practices regarding video surveillance. For instance, covert video surveillance in New South Wales is governed by the Workplace Video Surveillance Act, 1998. The Government of New South Wales also published a report on CCTV in public places. Similarly, Victoria is governed by the Surveillance Devices Act, 1999 and Western Australia by the Surveillance Devices Act, 1998. However, South Australia, Tasmania, Northern Territory and Australian Capital Region have no legislation dealing with the use of video surveillance.

Japan

The Constitution of Japan does not contain any express provisions guaranteeing the right to privacy. Till 2003, even statutory law in the field of data protection was non-existent and the government followed a policy of self regulation. It was only in 2003 that the Japanese Parliament enacted the Protection of Personal Information Act. The law underlying privacy in Japan[6] protects only personal information that is obtained and held by administrative agencies, private agencies. It seeks to set forth penal provisions in order to curb leakage of personal information by the government. The subsequent amendments to this Act have widened its scope to cover data that is paper based as well as computerized. Therefore, it can be said that the instant legislation is broad enough to encompass video surveillance data as well.

In this regard it is set forth that there exists no consolidated law to govern video-surveillance systems. Nevertheless, Japan uses video surveillance systems in order to assist the law enforcement agencies. The National Police Agency uses a video surveillance system called the "N system"[7] in order to record license plate numbers of vehicles on roads, highways, etc. This facilitates effective and efficacious law enforcement in Japan. Furthermore, Tokyo police have been operating surveillance cameras on utility poles and buildings to monitor pedestrians in the several densely populated districts of the city.[8] However, this mechanism has been challenged severely by litigants and many privacy groups in the court of law.

Conclusion

We have now moved into an age where security seems to be the primary issue for most countries and their citizens. Video surveillance is increasingly being used to assuage the fears of the citizens and bring perpetrators to justice. In such a scenario, the issue of privacy rights of individuals seems to have taken a backseat. While some countries such as Canada and Britain have attempted to strike a balance between the need for surveillance and the privacy rights of the people, other countries such as the United States of America and Japan do not seem to have made much progress in terms of creating video surveillance norms or regulations to protect the privacy rights of citizens.

Considering the pressing need for video surveillance to address national security issues, India surprisingly has no laws on the same. In this regard, India needs to draw from the experience of the United Kingdom and Canada. The first step is to enact laws permitting video surveillance.

These laws should be tightly worded and strictly connoted, considering the encroachment on civil liberties. Further, in order to balance security with privacy, the next step is to create an office for the information commissioner. It should be created and powers should be conferred to ensure that the privacy related disputes are handled efficiently and expeditiously. Furthermore, the misuse of the powers conferred upon surveillance authorities should be deterred by giving further powers to the commissioner to impose pecuniary liability.

Bibliography

European Union

Canada

United States of America:

Australia:

Japan

https://www.privacyinternational.org/article/phr2006-japan#[45]

Notes

[1]Directive 95/46/EC.

[2]See http://www.ico.gov.uk/for_organisations/data_protection/the_guide/the_principles.aspx (eight data protection principles)

[3]Full guidelines: http://www.priv.gc.ca/information/guide/vs_060301_e.cfm.

[4]Full guidelines: http://www.americanbar.org/publications/criminal_justice_section_archive/crimjust_standards_taps_blk.html#9.

[5]http://www.proactivestrategies.com.au/library/Loss%20Prevention/Video%20Surveillance%20National%20article.PDF.

[6]This law extends to private businesses, government organizations and independent administrative agencies.

[7]540 locations on expressways and major highways throughout the country; it automatically records the license plate number of every passing car.

[8]This regime has also been litigated upon thoroughly with lawyers claiming the same to be unconstitutional.

For more details visit https://cis-india.org/internet-governance/blog/privacy/video-surveillance-privacy

Privacy Matters, Guwahati — Event Report

praskrishna — 2011-08-26T10:31:08Z

On June 23, a public seminar on “Privacy Matters” was held at the Don Bosco Institute in Karhulli, Guwahati. It was organised by IDRC, Society in Action Group, IDEA Chirang, an NGO initiative working with grassroots initiatives in Assam, Privacy India and CIS and was attended by RTI activists and grass roots NGO representatives from across the North Eastern region: Manipur, Arunachal Pradesh, Tripura, Nagaland, Assam and Sikkim. The event focused on the challenges and concerns of privacy in India.

Unfortunately many of the scheduled invitees had to drop out owing to developments on the Lokpal issue at the Centre, and simultaneously Guwahati was witnessing unrest following an agitation over land rights that left three persons dead.

Welcoming the participants, Prashant Iyengar, lead researcher for Privacy India, gave an introduction to the objectives of Privacy India, and briefed the gathering about the thematic “Privacy Matters” consultations previously held across the country in Kolkata, Bangalore and Ahmedabad. Mr. Iyengar also gave a background to issues that India is facing in concern with privacy, explaining the many contexts that privacy can be found in, and raising questions such as: Why is privacy important? How can it be maintained with the way technology is encroaching upon our lives? And how can we make privacy laws functional?

"Privacy objectives are to raise awareness, spark civil action and promote democratic dialogue around privacy challenges and violations in India. One of Privacy India’s goals is to build consensus towards the promulgation of a comprehensive privacy legislation in India through consultation with the public, legislators and the legal and academic community."

Prashant Iyengar, Privacy India.

Event Sessions

The structure of the event was one of open discussion, with presentations made by those who wanted to share. Throughout the day, the conversation fell into three main topics including: privacy and the RTI, privacy and the UID, and privacy and surveillance in the context of North East India.

Privacy and the RTI

Prashant Iyengar opened the discussion on privacy and the RTI by highlighting the tension between the need for transparency of the State, and the need to protect the privacy of public figures. For many participants privacy and transparency was a new concept that they had just started thinking about. Participant Rakesh (HRLN, Manipur) spoke on the shortcomings that he saw in the RTI Act noting that though the RTI brings some transparency to society, many citizens still do not understand the extent of their Right to Information as it is protected under the Act. Furthermore, the RTI Act is still not applied equally across the country, and the transparency that the RTI tries to achieve is still in very nascent stages. Lowang, a participant from Aru nachal Pradesh, shared the importance of drawing a line between privacy and transparency when it comes to information related to education and health. Anjuman Azra Begum, a research scholar working on indigenous people rights, noted the irony of the RTI as it is meant to bring transparency to the state, yet all ministers and MLA’s take an oath of secrecy, not transparency. Anjuman also spoke on the fact that the RTI often fails to protect the privacy of sensitive issues, such as sexual balance. She echoed Rakesh’s comment on the inaccessibility of the RTI, sharing that for a common person to exercise his/her rights is a very daunting task. Anthony Debbarmun, a human rights activist from Tripura noted that he felt that the North Eastern states are by and large seen as resource (land) by the centre and has shown no concern for citizens and their well-being. Government is seen as a dictator in this region, hence the question — Transparency for whom?, Privacy for Whom? The distinction between the transparency brought about by the RTI and individual privacy was also made. It was pointed out that the RTI is concerned with transparency of the State, but individual privacy is separate from this concept.

Personal Experiences Shared

Anjuman Azra Begum shared her sister’s experience with the RTI. Her sister had applied for a job in 2008. Their family filed an RTI for details of the procedure, but was denied details by the RTI officer, who said that furnishing details would violate the privacy of other candidates. This example raises questions about when it is appropriate for RTI officers to withhold information in the name of privacy, and what mechanisms can be put in place to ensure that the RTI does not use privacy as a way to deny information. Lowang also shared his experience with the RTI. He had filed an RTI asking for answer sheets because he doubted the appointment of police personnel. He was told that the cost in total would be Rs.2000, when in reality each sheet costs Rs.2 — the misconstruing of facts was another example of how RTI officials restrict access information indirectly. From these examples the concern about RTI officials using privacy as an excuse to deny information was brought to the surface. To highlight the problems with the current implementation of the RTI and the lack of basic knowledge of how to use the RTI Mhao Lotha from the DICE Foundation shared a personal experience of his friend who had filed an RTI against the fishery department, and the RTI official simply shouted at her. L. Rima told a similar story as Mhao Lotha. In her experience the RTI is good in theory, but in practice it has become a commercial platform, where officers pay money to applicants for RTI cases to be taken off.

From the discussion and the shared experiences it was clear that the RTI, although a strong law on paper, still faces many challenges in implementation that a privacy law could also face, and that the fact that if more privacy is brought into the RTI, it will become yet another way for the State to avoid disclosing information.

Questions to Consider

Can a privacy law be made to be functional in the same way that the RTI is functional?
In terms of the RTI who should have more privacy? Who should be more transparent? Can NGOs be held accountable under the RTI?
What mechanism should be established to enforce the balance between privacy and transparency?

Privacy and Security/Law Enforcement in the North East of India

Another important discussion held during the conference was the practices of law enforcement in the North East, security, and privacy. Because the North East is in a state of armed conflict several laws such as the Armed Forces Special Powers Act, Sedition Act and provisions in the IPC give immunity to security forces. This has led to gross violation of citizens’ privacy by law enforcement agencies — as the acts give large amounts

of power to law enforcement agencies with little or no accountability, and the acts are often misused. Furthermore, the security laws that exist in the North East explicitly prohibit access to individual personal information. For example, in the Assam Police Manual, which is followed by police in the North East — no papers can be given out to the public except to the investigation officer — this includes personal information such as medical records and post-mortem reports. Anjuman shared an example of how this rule violates individual privacy. In her example, a victim was not allowed access her own medical report, but her medical records were being circulated among police, doctors, and media. This example highlights how privacy and the right to information can go hand in hand as it was the victim’s right to access her own medical file, and at the same time getting access to her own medical file is an act of personal privacy protection.

Personal Experiences Shared

Participants shared how individual privacy is often violated by the army, as it is allowed to enter and search any space without warrant, if there is any type of “suspicion”. They also shared how phone tapping and random monitoring is a common practice by both the army and civil police. For example, one day the police recorded a conversation by Director of the Police, Wireless who was giving a lecture on how to lead an effective agitation. The transcript was handed to the high court and the director punished. Other examples include policemen frisking women in public, newspapers publishing police frisking women in public, and law enforcement agencies compelling pregnant women to give birth in open in front of people. The discussion surrounding privacy and security/law enforcement highlighted an important way in which privacy is violated in the North East. The unregulated action of law enforcement acts as a very real and dangerous way in which individual privacy is violated on a daily basis.

Questions to Consider

Can privacy legislation regulate the acts of law enforcement agencies?
Will privacy legislation be implemented differently in the North East because of the armed conflict?
Will a privacy law supersede other laws such as the AFSPA?

Privacy and the UID

During the conference the discussion also briefly focused on the UID and privacy. It was shared that there had yet to be UID consultations in the North East of India. The only information individuals had about the UID was that it was going to allow individuals to access BPL benefits more easily.

Questions around the UID included: why is the UID needed for citizens living within their own country? How will the UID impact and help families who send their children to gather rations from the ration shops? What is the connection between the UID and the expected privacy law? What is the connection between the UID and intelligence agencies? What would UID mean to people living in border areas?

Conclusion

Privacy as a Fundamental Right

In the closing discussion Prashant Iyengar shared different examples of privacy in Indian case law, and the various ways in which the Supreme Court has defined privacy as a right that is implicit in the right to life. The participants discussed what privacy means to them, and what they thought a right to privacy should entail. Among the points raised, it was brought up that privacy should be a right that is legally protected for sovereign individuals. The law should also include parameters and limitations in order to protect an individual’s autonomy. Furthermore, privacy should be understood and linked to the concept of human rights and individual rights. From the closing session, and the above sessions many themes and questions pertaining to privacy came out that will need to be addressed when considering the way forward for a privacy legislation including:

Property rights and privacy
Privacy rights of minorities
Privacy and the UID
Privacy and law enforcement agencies
Privacy as a fundamental right
The interplay of privacy law and traditional law

Download the Event Report here [PDF, 178 kb]

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-guwahati-report

Right to Privacy Bill 2010 — A Few Comments

elonnai — 2012-03-22T06:26:14Z

Earlier this year, in February 2011, Rajeev Chandrasekhar introduced the Right to Privacy Bill, 2010 in the Rajya Sabha. The Bill is meant to “provide protection to the privacy of persons including those who are in public life”. Though the Bill states that its objective is to protect individuals’ fundamental right to privacy, the focus of the Bill is on the protection against the use of electronic/digital recording devices in public spaces without consent and for the purpose of blackmail or commercial use.

Specific Recommendations

The use of electronic recording devices in public is an important and expansive aspect of privacy, which is yet to be directly covered by Indian law. Though the Bill addresses the basic usage of electronic devices with built-in cameras, it frames the violation as a personal violation. In doing so, the Bill has taken a punitive approach, making it criminal to take photographs in situations outside of the laid-out regulations, rather than protective in nature, i.e., working to protect individuals from harassment and blackmail, and offer forms of redress to those damaged.

The Bill fails to address scenarios such as Google street view, satellite photographs, news channels, and live feeds at events and conferences. In these situations live data is being transmitted and posted on the Web for public to view by the media. When looking at the dilemma of photographs being taken in public by the media, the privacy interests are different to those that are based on control of personal information alone. They are substantive, as opposed to informational, and engage directly with individual dignity, autonomy, and the freedom of expression. For example, the interest in freedom of expression encompasses both those of the photographers and journalists producing material for his/her journal. Can a journalist print a photograph taken in a public space — of a public figure, which the public figure did not consent to, and which that person considers defamatory?

Interestingly, Europe has strong laws regulating the taking of photographs in public spaces, but these rules are covered by the Protection from Harassment Act, 1997 (UK), which speaks specifically to the media’s behaviour towards public figures — or they fall under a tort of misuse. In the US taking photographs only becomes an issue in the use of the photograph. Essentially anyone can be photographed without consent except when they have secluded themselves in places where they have a reasonable expectation of privacy such as dressing rooms, restrooms, medical facilities, or inside a private residence. This legal standard applies regardless of the age, sex, or other attributes of the individual. Once a photograph is taken, and if that photograph is used for commercial gain without consent or publicizes an otherwise private person inappropriately, then that person can be held liable under the tort of misappropriation.

Specific Comments to the Bill

Misguiding Title

The title of the Bill is, the Personal Data Protection Bill, 2006," but the scope of the Bill is focused on regulating the use of electronic recording devices, and it does not include many aspects of privacy. So we recommend that the title of the Bill be modified to "The Electronic Recording Devices Bill, 2010".

Inappropriate Blanket Use of Privacy

The introduction to the Bill states that its purpose is "for the protection of the right to privacy of persons including those who are in public life so as to protect them from being blackmailed or harassed or their image and reputation being tarnished in order to spoil their public life and for the prevention of misuse of digital technology for such purposes and for matters connected therewith and incidental thereto."

Comment: Notwithstanding the fact that violations of privacy extend beyond blackmail, harassment, and defamation, and that digital technologies are not the only vehicles for privacy violations, it is important to qualify that privacy is not a blanket right, and that for public persons, the privacy that they are afforded is determined by balancing their interest against the public interest.

Narrow Definition of Public Figures

Section 2 (b) of the Bill states: "persons in public life" includes the representatives of the people in Parliament, state legislatures, local self government bodies, and office bearers of recognized political parties

Comment: Persons in public life include persons beyond the political sphere, specifically those in higher positions that influence the behaviour, lifestyles, and culture of the general population. Thus, we recommend that this definition be extended to include actors, actresses, athletes, artists, and musicians, CEOs, and authors.

Insufficient Limits to the Right to Privacy

Section 3 (1) states: “Notwithstanding anything contained in any other law for the time being in force every person, including persons in public life, shall have the right to privacy which shall be exclusive, unhindered and there shall be no unwarranted infringement thereof by any other person, agency, media or anyone:

Provided that sub-section (1) of section 3 shall not apply in cases of corruption, and misuse of official positions by persons in public life.

Comment: We recommend that the right to privacy, as any right, need not be identified as exclusive or unhindered. The right to privacy must be determined on a case by case basis relative to the public interest, and, while cases of corruption and misuse of official position by persons in public life certainly qualify, they do not encompass the wider variety of situations in which an individual’s right to privacy should be limited. For instance, if a public figure speaks out on an issue in a way that contradicts an earlier position that was captured on video, shouldn’t that be allowed to be made public? If a public figure is photographed in a morally questionable position, shouldn’t that be allowed to be made public? Indeed, even for private individuals, privacy is a matter of context. In airports and other sensitive public places it is commonly accepted that an individual’s right to privacy can be limited. If an individual has a disease such as HIV, under what circumstances should some or all of the greater public should be informed and their right to privacy may be limited?

Limited Scope of Technology

Section 4 of the Bill states: "No person shall use a cellular phone with an inbuilt camera, if it does not produce a sound of at least 65 decibels and flash a light when used to take a picture of any object or person, as the case may be.

Comment: We recommend that this clause clarifies if only cellular phones, and not cameras, computers, or other devices with built-in cameras are required to produce the sound of at least 65 decibels.

Overly Complicated Clauses

Section 5 of the Bill states: Notwithstanding anything contained in any other law for the time being in force, no person shall make digital recording or take photographs or make videography in any manner whatsoever of:

Section 5(a): any part or whole of a human body which is unclothed or partially clothed without the consent of the person concerned.

Section 5 (b): any part or whole of a human body at any public place without the consent of the person concerned and

Section 5 (c): the personal and intimate relationship of any couple in a home, hotel, resort, or any place within the four walls by hidden digital or other cameras and such other instruments, or any place within the four walls by hidden digital cameras and such other instruments…with the intent of blackmail or of making commercial gains from it or otherwise.

Comment: Section 5 currently lists certain circumstances in which photographs are not allowed to be taken of individuals in public without consent if they are to be used for the purpose of commercial gain or blackmail. Blackmail or commercial gains are not the only ways in which digital recordings of people can be misused. Certainly, taking such pictures to post for purposes of hurting one’s reputation or causing humiliation is as reprehensible as taking pictures for commercial gain, so the provision is too narrow. It may also be overboard, because a person may be captured in an artistic or political photograph but have, for example, bare arms or legs. That would be a picture of a part of a human body at a public place. We recommend that the list of offences include misappropriation and false light, and that the manner of the picture-taking not be limited to clauses (a) to (c) above.

Section 5 is the first instance in which the use of digital recordings for commercial gain has been mentioned as a violation in the Bill. We recommend that commercial gain as a violation should be added to the introduction of the Bill.

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-bill-2010

Privacy & Media Law

Sonal Makhija — 2012-12-14T10:26:51Z

In her research, Sonal Makhija, a Bangalore-based lawyer, tries to delineate the emerging privacy concerns in India and the existing media norms and guidelines on the right to privacy. The research examines the existing media norms (governed by Press Council of India, the Cable Television Networks (Regulation) Act, 1995 and the Code of Ethics drafted by the News Broadcasting Standard Authority), the constitutional protection guaranteed to an individual’s right to privacy upheld by the courts, and the reasons the State employs to justify the invasion of privacy. The paper further records, both domestic and international, inclusions and exceptions with respect to the infringement of privacy.

Introduction

Last year’s satirical release, Peepli [Live], accurately captured what takes place in media news rooms. The film revolves around a debt-ridden farmer whose announcement to commit suicide ensue a media circus. Ironically, in the case of the Radia tapes, the same journalists found themselves in the centre of the media’s frenzy-hungry, often intrusive and unverified style of reporting.[1] Exposés, such as, the Radia tapes and Wikileaks have thrown open the conflict between the right to information, or what has come to be called ‘informational activism’, and the right to privacy. Right to information and the right to communicate the information via media is guaranteed under Article 19(1) (a) of the Constitution of India. In State of Uttar Pradesh v Raj Narain,[2] the Supreme Court of India held that Article 19(1) (a), in addition, to guaranteeing freedom of speech and expression, guarantees the right to receive information on matters concerning public interest. However, more recently concerns over balancing the right to information with the right to privacy have been raised, especially, by controversies like the Radia-tapes.

For instance, last year Ratan Tata filed a writ petition before the Supreme Court of India alleging that the unauthorised publication of his private conversations with Nira Radia was in violation of his right to privacy. The writ, filed by the industrialist, did not challenge the action of the Directorate-General of Income Tax to record the private conversations for the purpose of investigations. Instead, it was challenging the publication of the private conversations that took place between the industrialist and Nira Radia by the media. Whether the publication of those private conversations was in the interest of the public has been widely debated. What the Tata episode brought into focus was the need for a law protecting the right to privacy in India.

India, at present, does not have an independent statute protecting privacy; the right to privacy is a deemed right under the Constitution. The right to privacy has to be understood in the context of two fundamental rights: the right to freedom under Article 19 and the right to life under Article 21 of the Constitution.

The higher judiciary of the country has recognised the right to privacy as a right “implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21”. The Indian law has made some exceptions to the rule of privacy in the interest of the public, especially, subsequent to the enactment of the Right to Information Act, 2005 (RTI). The RTI Act, makes an exception under section 8 (1) (j), which exempts disclosure of any personal information which is not connected to any public activity or of public interest or which would cause an unwarranted invasion of privacy of an individual. What constitutes an unwarranted invasion of privacy is not defined. However, courts have taken a positive stand on what constitutes privacy in different circumstances.

The purpose of this paper is to delineate the emerging privacy concerns in India and the existing media norms and guidelines on the right to privacy. At present, the media is governed by disparate norms outlined by self-governing media bodies, like the Press Council of India, the Cable Television Networks (Regulation) Act, 1995 and the Code of Ethics drafted by the News Broadcasting Standard Authority (NBSA). The paper examines the existing media norms, constitutional protection guaranteed to an individual’s right to privacy and upheld by courts, and the reasons the State employs to justify the invasion of privacy. The paper records, both domestic and international, inclusions and exceptions with respect to the infringement of privacy.

The paper traces the implementation of media guidelines and the meanings accorded to commonly used exceptions in reporting by the media, like, ‘public interest’ and ‘public person’. This paper is not an exhaustive attempt to capture all privacy and media related debates. It does, however, capture debates within the media when incursion on the right to privacy is considered justifiable. The questions that the paper seeks to respond to are: When is the invasion on the right to privacy defensible? How the media balances the right to privacy with the right to information? How is ‘public interest’ construed in day-to-day reporting? The questions raised are seen in the light of case studies on the invasion of privacy in the media, the interviews conducted with print journalists, the definition of the right to privacy under the Constitution of India and media’s code of ethics.

Constitutional Framework of Privacy

The right to privacy is recognised as a fundamental right under the Constitution of India. It is guaranteed under the right to freedom (Article 19) and the right to life (Article 21) of the Constitution. Article 19(1) (a) guarantees all citizens the right to freedom of speech and expression. It is the right to freedom of speech and expression that gives the media the right to publish any information. Reasonable restrictions on the exercise of the right can be imposed by the State in the interests of sovereignty and integrity of the State, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence. Article 21 of the Constitution provides, "No person shall be deprived of his life or personal liberty except according to procedure established by law." Courts have interpreted the right to privacy as implicit in the right to life. In R.Rajagopal v. State of T.N.[3]; and PUCL v. UOI[4], the courts observed that the right to privacy is an essential ingredient of the right to life.

For instance, in R. Rajagopal v State of Tamil Nadu, Auto Shankar — who was sentenced to death for committing six murders — in his autobiography divulged his relations with a few police officials. The Supreme Court in dealing with the question on the right to privacy, observed, that the right to privacy is implicit in the right to life and liberty guaranteed to the citizens of the country by Article 21. It is a ‘right to be left alone.’ "A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters.” The publication of any of the aforesaid personal information without the consent of the person, whether accurate or inaccurate and ‘whether laudatory or critical’ would be in violation of the right to privacy of the person and liable for damages. The exception being, when a person voluntarily invites controversy or such publication is based on public records, then there is no violation of privacy.

In PUCL v. UOI,[5]which is popularly known as the wire-tapping case, the question before the court was whether wire-tapping was an infringement of a citizen’s right to privacy. The court held that an infringement on the right to privacy would depend on the facts and circumstances of a case. It observed that, "telephone conversation is an important facet of a man's private life. Right to privacy would certainly include telephone-conversation in the privacy of one's home or office. Telephone-tapping would, thus, infract Article 21 of the Constitution of India unless it is permitted under the procedure established by law." It further observed that the right to privacy also derives from Article 19 for "when a person is talking on telephone, he is exercising his right to freedom of speech and expression."

In Kharak Singh v. State of U.P,[6] where police surveillance was being challenged on account of violation of the right to privacy, the Supreme Court held that domiciliary night visits were violative of Article 21 of the Constitution and the personal liberty of an individual.

The court, therefore, has interpreted the right to privacy not as an absolute right, but as a limited right to be considered on a case to case basis. It is the exceptions to the right to privacy, like ‘public interest’, that are of particular interest to this paper.

International Conventions

Internationally the right to privacy has been protected in a number of conventions. For instance, the Universal Declaration of Human Rights, 1948 (UDHR) under Article 12 provides that:

"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, or to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

The UDHR protects any arbitrary interference from the State to a person’s right to privacy. Similarly, International Covenant on Civil and Political Rights, 1976 (ICCPR) under Article 17 imposes the State to ensure that individuals are protected by law against “arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. [7]

Thus, ensuring that States enact laws to protect individual’s right to privacy. India has ratified the above conventions. The ratification of the Conventions mandates the State to take steps to enact laws to protect its citizens. Although, human right activists have periodically demanded that the State take adequate measures to protect human rights of the vulnerable in society, the right to privacy has received little attention.

Similarly, Article 16 of the Convention on the Rights of the Child (CRC) provides protection to a minor from any unlawful interference to his/her right to privacy and imposes a positive obligation on States who have ratified the convention to enact a law protecting the same. India does have safeguards in place to protect identity of minors, especially, juveniles and victims of abuse. However, there are exceptions when the law on privacy does not apply even in case of a minor.

The right to privacy, therefore, is not an absolute right and does not apply uniformly to all situations and all class of persons. For instance, privacy with respect to a certain class of persons, like a person in public authority, affords different protection as opposed to private individuals.

Public Person

In case of a representative of the public, such as a public person, the right to privacy afforded to them is not of the same degree as that to a private person. The Press Council of India (PCI) has laid down Norms of Journalistic Conduct, which address the issue of privacy. The PCI Norms of Journalistic Conduct, recognises privacy as an inviolable human right, but adds a caveat; that the degree of privacy depends on circumstances and the person concerned.

In the landmark judge’s asset case, CPIO, Supreme Court of India vs Subhash Chandra Agarwal,[8] the court recognised the tension between the right to information and the right to privacy, especially, with respect to public persons. The case arose from an application filed by a citizen who was seeking information under the RTI Act on whether judges of high courts and Supreme Court were filing asset declarations in accordance with full resolution of the Supreme Court. The court held that information concerning private individuals held by public authority falls within the ambit of the RTI Act. It remarked that whereas public persons are entitled to privacy like private persons, the privacy afforded to private individuals is greater than that afforded to those in public authority, especially in certain circumstances.

The court commented:

"A private citizen's privacy right is undoubtedly of the same nature and character as that of a public servant. Therefore, it would be wrong to assume that the substantive rights of the two differ. Yet, inherent in the situation of the latter is the premise that he acts for the public good, in the discharge of his duties, and is accountable for them. The character of protection, therefore, afforded to the two classes — public servants and private individuals, is to be viewed from this perspective. The nature of restriction on the right to privacy is therefore, of a different order; in the case of private individuals, the degree of protection afforded is greater; in the case of public servants, the degree of protection can be lower, depending on what is at stake."

In testing whether certain information falls within the purview of the RTI Act, the court said one should consider the following three tests:

whether the disclosure of the personal information is with the aim of providing knowledge of the proper performance of the duties and tasks assigned to the public servant in any specific case;
whether the information is deemed to comprise the individual's private details, unrelated to his position in the organization, and,
whether the disclosure will furnish any information required to establish accountability or transparency in the use of public resources.

Would this rule hold true for information on relatives/ friends of public persons? The rule is that, unless, private information on relatives/friends of public person’s impacts public interest and accountability, the information should not be revealed.

In 2010, the media reported that Sunanda Pushkar, a close friend of the Minister of State for External Affairs, Shashi Tharoor, holds a significant holding in the IPL Kochi team. The media exposure led to the exit of Shashi Tharoor from the government. While the media’s questioning of Pushkar’s holdings was legitimate, the media’s reporting on her past relationships and how she dressed had no bearing on public interest or accountability.[9] The media accused Pushkar of playing proxy for Tharoor in the Rs. 70 crore sweat equity deal. Much of the media attention focussed on her personal life, as opposed to, how she attained such a large stake in the IPL Kochi team. It minutely analysed her successes and failures, questioned her ability and accused her of having unbridled ambition and greed for money and power.[10]

If one was to consider the rules of privacy set by the court in the judges assets’ case much of the personal information published by the media on Tharoor and Pushkar, failed to shed light on the IPL holdings or the establishment of the nexus between the IPL holdings and the government involvement.

The tests delineated by the court in considering what personal information regarding a public authority may be shared under the RTI Act, can be adopted by the media when reporting on public officials. If personal information divulged by the media does not shed light on the performance of a public official, which would be of public interest, then the information revealed violates the standards of privacy. Personal details which have no bearing on public resources or interests should not be published.

The media coverage of the Bombay terror attacks displayed the same lack of restraint, where the minutest details of a person’s last communication with his/her family were repeatedly printed in the media. None of the information presented by the media revealed anything new about the terror attack or emphasised the gravity of the attack.

A senior journalist, who talked off the record and reported on the Mumbai terror attacks, agreed that the media overstepped their limits in the Mumbai terror attacks. As per her, violation of privacy takes place at two stages: the first time, when you overstep your boundaries and ask a question you should not have, and the second, when you publish that information. Reflecting on her ten years of reporting experience, she said, “Often when you are covering a tragedy, there is little time to reflect on your reporting. Besides, if you, on account of violating someone’s privacy, choose not to report a story, some competing paper would surely carry that story. You would have to defend your decision to not report the story to your boss.” The competitiveness of reporting and getting a story before your competitor, she agreed makes even the most seasoned journalists ruthless sometimes. Besides, although PCI norms exist, not many read the PCI norms or recall the journalistic ethics when they are reporting on the field.[11]

The PCI Norms reiterate that the media should not intrude "the privacy of an individual, unless outweighed by genuine overriding public interest, not being a prurient or morbid curiosity."[12] The well accepted rule, however, is that once a matter or information comes in the public domain, it no longer falls within the sphere of the private. The media has failed to make the distinction between what is warranted invasion of privacy and what constitutes as an unwarranted invasion of privacy. For instance, identity of a rape or kidnap victim that would further cause discrimination is often revealed by the media.

Safeguarding Identity of Children

The Juvenile Justice (Care and Protection of Children) Act lays down that the media should not disclose the names, addresses or schools of juveniles in conflict with the law or that of a child in need of care and protection, which would lead to their identification. The exception, to identification of a juvenile or child in need of care and protection, is when it is in the interest of the child. The media is prohibited from disclosing the identity of the child in such situations.

Similarly, the Convention on the Rights of the Child (CRC) stipulates that:

Article 16

No child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, or correspondence, nor to unlawful attacks on his or her honour and reputation.
The child has the right to the protection of the law against such interference or attacks.

Article 40 of the Convention, states that the privacy of a child accused of infringing penal law should be protected at all stages of the proceedings.

Almost all media, print and broadcast, fail to observe these guidelines. Prashant Kulkarni[13] (name changed), who was a photographer with Reuters a few years ago, said that in Reuters photographs taken by photojournalists could not be altered or edited, to ensure authenticity.

As far as taking photographs of certain vulnerable persons is concerned, he admitted to photographing street children who are drug addicts on the streets of Mumbai. The photographs were published by Reuters. However, when he was on an assignment for an NGO working with children, the NGO cautioned him about photographing children who are drug addicts, to protect their identity. Similarly, identity of HIV and AIDS patients, including children, should be protected and not revealed. Children affected with HIV and AIDS should not be identified by name or photograph, even if consent has been granted by the minor’s parents/guardian.

As a rule, Kulkarni said, he does not seek consent of individuals when he is taking their photographs, if they are in a public place. If they do not object, the assumption is that they are comfortable with being photographed. The PCI norms do not expressly provide that consent of a person should be sought. But, journalists are expected to exercise restraint in certain situations. Likewise, identifying juveniles in conflict with law is restricted. This includes taking photographs of juveniles that would lead to their identification.

Kulkarni, who extensively covered the Bombay train blasts in 2006, explains, "At the time of the Bombay train explosions, I avoided taking pictures that were gory or where dead people could be identified. However, I did take photographs of those injured in the blast and were getting treated in government hospitals. I did not expressly seek their consent. They were aware of being photographed. That is the rule I have applied, even when I was on an assignment in West Africa. I have never been on an assignment in Europe, so am not sure whether I would have applied the same rule of thumb. Nonetheless, now as a seasoned photographer, I would refrain from taking pictures of children who are drug addicts."

Safeguarding Identity of Rape Victims

Section 228A of the Indian Penal Code makes disclosure of the identity of a rape victim punishable. In the recent Aarushi Talwar murder case and the rape of an international student studying at the Tata Institute of Social Sciences (TISS) the media frenzy compromised the privacy of the TISS victim and besmirched the character of the dead person.[14] In the TISS case, the media did not reveal the name of the girl, but revealed the name of the university and the course she was pursuing, which is in violation of the PCI norms. In addition to revealing names of individuals, the PCI norms expressly states that visual representation in moments of personal grief should be avoided. In the Aarushi murder case, the media repeatedly violated this norm.

The media in both cases spent enough newsprint speculating about the crimes. Abhinav Pandey[15] (name changed), a senior journalist reporting on crime, agrees that the media crossed its boundaries in the TISS case by reporting sordid details of how the rape took place. "Names of victims of sexual crime cannot be reported. In fact, in many instances the place of stay and any college affiliation should also be avoided, as they could be easily identified. Explicit details of the offence drawn from the statement given by the victim to the police are irrelevant to the investigation or to the public at large. Similarly, names of minors and pictures, including those of juveniles, have to be safeguarded."

"Crime reporters receive most of their stories from the police. Therefore, one has to be careful before publishing the story. At times in the rigour of competitive journalism, if you decide to publish an unverified story, as a good journalist you should present a counter-point. As a seasoned journalist it is easy to sense when a story is being planted by the police. If you still want to carry the story, one has to be careful not to taint the character of a person," he adds.

"For instance, in my reporting if I find that the information will not add to the investigation, I will not include it in my copy. Last year, we had anonymous letters being circulated among crime reporters which alleged corruption among senior IPS officers. Instead of publishing the information contained in those letters with the names of the IPS officers, we published a story on corruption and cronyism on IPS officers. In the Faheem Ansari matter, who was an accused in the 26/11 trial, I had received his email account password. Accessing his account also amounts to violation of privacy. But, we only published the communication between him and some handlers in Pakistan, which we knew would have an impact on the investigation. Our job requires us to share information in the public domain, sometimes we would violate privacy. Nonetheless, one has to be cautious."

Trial by Media & Media Victimisation

The PCI norms lay down the guidelines for reporting cases and avoiding trial by media. The PCI warns journalists not to give excessive publicity to victims, witnesses, suspects and accused as that amounts to invasion of privacy. Similarly, the identification of witnesses may endanger the lives of witnesses and force them to turn hostile. Zaheera Sheikh, who was a key witness in the Gujarat Best Bakery case, was a victim of excessive media coverage and sympathy. Her turning hostile invited equal amount of media speculation and wrath. Her excessive media exposure possibly endangered her life. Instead, of focussing on the lack of a witness protection program in the country, the media focussed on the twists and turns of the case and the 19 year old’s conflicting statements. The right of the suspect or the accused to privacy is recognised by the PCI to guard against the trial by media.

Swati Deshpande,[16] a Senior Assistant Editor (Law) at the Times of India, Mumbai, observes that, “As a good journalist one will always have more information than required, but whether you publish that information or exercise restraint is up to you.” In a span of 11 years of court reporting, as per her, there have been instances when she has exercised the option of not reporting certain information that could be defamatory and cannot be attributed. If an allegation is made in a court room, but is not supported by evidence or facts, then it is advisable that it be dropped from the report.

"In the Bar Dancers’ case which was before the Bombay High Court, the petition made allegations of all kinds against certain ministers. I did not report that, although I could have justified it by saying it is part of the petition, and I was just doing my job. The allegation was neither backed by facts nor was it of public interest. As a rule one should report on undisputed facts. Then again, with court reporting one is treading on safer grounds, as opposed to other beats."

"In cases of rape when facts are part of the judgement, you report facts that are relevant to the judgement or give you an insight on why the court took a certain view and add value to the copy. One should avoid a situation where facts revealed are offensive or reveal the identity of the victim. The past history of both the victim and the accused should not be reported."

She admitted, that "Media reporting often gives the impression that the accused has committed the crime or the media through its independent investigation wing has found a particular fact. When in fact, it has relied entirely on the information given by the police and failed to question or verify the facts by an independent source. The result is that most crime reporting is one-sided, because the information received from the police is rarely questioned."

As per her, to a certain degree the publication of Tata–Radia conversations did violate Tata’s privacy. "Media needs to question itself prior to printing on how the information is of public interest. Of course, as a journalist you do not want to lose out on a good story, but there needs to be gate keeping, which is mostly absent in most of the media today."

In the Bofors pay-off case[17] the High Court of Delhi, observed that, “The fairness of trial is of paramount importance as without such protection there would be trial by media which no civilised society can and should tolerate. The functions of the court in the civilised society cannot be usurped by any other authority.”[18] It further criticised the trend of police or the CBI holding a press conference for the media when investigation of a crime is still ongoing. The court agreed that media awareness creates awareness of the crime, but the right to fair trial is as valuable as the right to information and freedom of communication.

The 200th report of the Law Commission dealt with the issue of Trial by media: Free Speech vs Fair Trial under Criminal Procedure. The report, focussed on the pre-judicial coverage of a crime, accused and suspects, and how it impacts the administration of justice. The Contempt of Courts Act, under section 2 defines criminal contempt as:

"…the publication, (whether by words, spoken or written or by signs, or by visible representations, or otherwise), of any matter or the doing of any other act whatsoever which
(i) … … … …
(ii) prejudices or interferes or tends to interfere with the due course
of any judicial proceedings; or
(iii) interferes or tends to interfere with or obstructs or tends to obstruct, the administration of justice in any manner."

Section 3(1) of the Act exempts any publication and distribution of publication, "if the publisher had no reasonable grounds for believing that the proceeding was pending”. In the event, the person is unaware of the pendency, any publication (whether by words spoken or written or signs or visible representations) interferes or tends to interfere with or obstructs “the course of justice in connection with any civil or criminal proceeding pending at the time of publication, if at that time he had no reasonable grounds for believing that the proceeding was pending." The report emphasizes that publications during the pre-trial stage by the media could affect the rights of the accused. An evaluation of the accused’s character is likely to affect or prejudice a fair trial.

If the suspect’s pictures are shown in the media, identification parades of the accused conducted under Code of Civil Procedure would be prejudiced. Under Contempt of Court Act, publications that interfere with the administration of justice amount to contempt. Further, the principles of natural justice emphasise fair trial and the presumption of innocence until proven guilty. The rights of an accused are protected under Article 21 of the Constitution, which guarantees the right to fair trial. This protects the accused from the over-zealous media glare which can prejudice the case. Although, in recent times the media has failed to observe restraint in covering high-profile murder cases, much of which has been hailed as media’s success in ensuring justice to the common man.

For instance, in the Jessica Lal murder case, the media took great pride in acting as a facilitator of justice. The media in the case whipped up public opinion against the accused and held him guilty even when the trial court had acquitted the accused. The media took on the responsibility of administering justice and ensuring the guilty are punished, candle light vigils and opinion polls on the case were organised by the media. Past history of the accused was raked up by the media, including photographs of the accused in affluent bars and pubs in the city were published after he was acquitted. The photographs of Manu Sharma in pubs insinuated how he was celebrating after his acquittal.

The Apex Court observed that the freedom of speech has to be carefully and cautiously used to avoid interference in the administration of justice. If trial by media hampers fair investigation and prejudices the right of defence of the accused it would amount to travesty of justice. The Court remarked that the media should not act as an agency of the court.[19]

The Court, commented, "Presumption of innocence of an accused is a legal presumption and should not be destroyed at the very threshold through the process of media trial and that too when the investigation is pending."[20]

Sting Operations

On 30 August, 2007 Live India, a news channel conducted a sting operation on a Delhi government school teacher forcing a girl student into prostitution. Subsequent to the media exposé, the teacher Uma Khurana[21] was attacked by a mob and was suspended by the Directorate of Education, Government of Delhi. Later investigation and reports by the media exposed that there was no truth to the sting operation. The girl student who was allegedly being forced into prostitution was a journalist. The sting operation was a stage managed operation. The police found no evidence against the teacher to support allegations made by the sting operation of child prostitution. In this case, the High Court of Delhi charged the journalist with impersonation, criminal conspiracy and creating false evidence. The Ministry of Information and Broadcasting sent a show cause notice to TV-Live India, alleging the telecast of the sting operation by channel was “defamatory, deliberate, containing false and suggestive innuendos and half truths."[22]

Section 5 of the Cable Television Networks (Regulation) Act, 1995 and the Cable Television Network Rules (hereafter the Cable Television Networks Act), stipulates that no programme can be transmitted or retransmitted on any cable service which contains anything obscene, defamatory, deliberate, false and suggestive innuendos and half truths. The Rules prescribes a programming code to be followed by channels responsible for transmission/re-transmission of any programme.

The programme code restricts airing of programmes that offend decency or good taste, incite violence, contains anything obscene, defamatory, deliberate, false and suggestive innuendos and half truths, criticises, maligns or slanders any individual in person or certain groups, segments of social, public and moral life of the country and affects the integrity of India, the President and the judiciary. The programme code provided by the Rules is exhaustive. The Act empowers the government to restrict operation of any cable network it thinks is necessary or expedient to do so in public interest.

The court observed that false and fabricated sting operations violate a person’s right to privacy. It further, observed, "Giving inducement to a person to commit an offence, which he is otherwise not likely and inclined to commit, so as to make the same part of the sting operation is deplorable and must be deprecated by all concerned including the media.” It commented that while “…sting operations showing acts and facts as they are truly and actually happening may be necessary in public interest and as a tool for justice, but a hidden camera cannot be allowed to depict something which is not true, correct and is not happening but has happened because of inducement by entrapping a person."[23]

The court criticised the role of the media in creating situations of entrapment and using the ‘inducement test’. It remarked that such inducement tests infringe upon the individual's right to privacy. It directed news channels to take steps to prohibit “reporters from producing or airing any programme which are based on entrapment and which are fabricated, intrusive and sensitive.[24]

The court proposed a set of guidelines to be followed by news channels and electronic media in carrying out sting operations. The guidelines direct a channel proposing to telecast a sting operation to obtain a certificate from the person who recorded or produced the same certifying that the operation is genuine to his knowledge. The guidelines propose that the Ministry of Information and Broadcasting should set up a committee which would have the powers to grant permission for telecasting sting operations. The permission to telecast a sting operation should be granted by the committee only if it is satisfied about the overriding public interest to telecast the sting operation. The guidelines mandate that, in addition, to ensuring accuracy, the operation should not violate a person’s right to privacy, "unless there is an identifiable large public interest” for broadcasting or publishing the material. However, the court failed to define what constitutes 'larger public interest'.

The PCI norms also lay down similar guidelines which require a newspaper reporting a sting operation to obtain a certificate from the person involved in the sting to certify that the operation is genuine and record in writing the various stages of the sting. The decision to report the sting vests with the editor who merely needs to satisfy himself that the sting operation is of public interest.

In addition, to the Cable Television Networks Act and the PCI norms, the News Broadcasting Standard Authority (NBSA) was set up in 2008 as a self-regulatory body by News Broadcasters Association.[25] The primary objective of the NBSA is to receive complaints on broadcasts. The NBSA has drafted a Code of Ethics and Broadcasting Standards governing broadcasters and television journalists. The Code of Ethics provides guiding principles relating to privacy and sting operations that broadcasters should follow.

With respect to privacy, the Code directs channels not to intrude into the private lives of individuals unless there is a “clearly established larger and identifiable public interest for such a broadcast.” Any information on private lives of persons should be “warranted in public interest.” Similarly, for sting operations, the Code directs that they should be used as “a last resort” by news channels and should be guided by larger public interest. They should be used to gather conclusive evidence of criminality and should not edit/alter visuals to misrepresent truth.

In a recent judgement on a supposed sting operation conducted by M/s. Associated Broadcasting Company Pvt. Limited[26] on TV9 on ‘Gay culture rampant in Hyderabad’, the NBA took suo motu notice of the violation of privacy of individuals with alternate sexual orientation and misuse of the tool of sting operation. NBA in its judgement held that the Broadcaster had violated clauses on privacy, sting operations and sex and nudity of the Code of Ethics. It further, observed, that the Broadcaster and the story did not reveal any justifiable public interest in using the sting operation and violating the privacy of individuals. In this particular case, the Broadcaster had revealed the personal information and faces of supposedly gay men in Hyderabad to report on the ‘underbelly’ of gay culture and life. However, the news report, as NBSA observed, did not prove any criminality and was merely a sensational report of gay culture allegedly prevalent in Hyderabad.

The PCI norms provide that the press should not tape-record conversations without the person’s express consent or knowledge, except where it is necessary to protect a journalist in a legal action or for “other compelling reason.” What constitutes a compelling reason is left to the discretion of the journalist.

It was in the 1980s, that the first sting operation on how women were being trafficked was carried out by the Indian Express reporter Ashwin Sarin. As part of the sting, the Express purchased a tribal girl called Kamla. Subsequently, in 2001, the sting operation conducted by Tehelka exposed corruption in defence contracts using spy cams and journalists posing as arms dealers. The exposé on defence contracts led to the resignation of the then defence minister George Fernandes. Sting operations gained legitimacy in India, especially in the aftermath of the Tehelka operation, exposing corruption within the government. The original purpose of a sting operation or an undercover operation was to expose corruption. Stings were justifiable only when it served a public interest. Subsequent to the Tehelka exposé, stings have assumed the status of investigative journalism, much of which has been questioned in recent times, especially, with respect to ethics involved in conducting sting operations and the methods of entrapment used by the media. Further, stings by Tehelka, where the newspaper used sex workers to entrap politicians have brought to question the manner in which stings are operated. Although, the overriding concern surrounding sting operations has been its authenticity, as opposed to, the issue of personal privacy.

For instance, in March 2005 a television news channel carried out a sting operation involving Bollywood actor Shakti Kapoor to expose the casting couch phenomenon in the movie industry. The video showing Shakti Kapoor asking for sexual favours from an aspiring actress, who was an undercover reporter, was received with public outrage. Nonetheless, prominent members of the media questioned the manner in which the sting was conducted. The sting was set up as an entrapment. The court has taken a strong view against the use of entrapment in sting operations. In the case of the Shakti Kapoor sting, privacy of the actor was clearly violated. The manner in which the sting was conducted casts serious doubt on who was the victim.[27]

Additionally, the sting violated the PCI norms. It failed to provide a record of the various stages of how the sting operation was conducted. In United Kingdom, the media when violating privacy of a person has to demonstrate that it is in the interest of the public.

International Law on Media & Privacy Ethics

United Kingdom

The Press Complaints Commission (PCC), UK is a self-regulatory body similar to NBA. The PCC has put down code of ethics to be followed by journalists. The PCC guidelines provide that everyone has the right to privacy and editors must provide reason for intrusions to a person’s privacy. This includes photographing individuals in private places without their consent. Interestingly, private places include public or private property "where there is a reasonable expectation of privacy." In India however, as Kulkarni pointed out, photographs are taken without the consent of an individual if he/she is in a public space.

Like the PCI norms, the PCC Code lays down guidelines to follow when reporting on minors (below 16 years of age) who have been victims of sexual assault. As per the guidelines, the identity of the children should be protected. Further, relatives or friends of persons convicted or accused of a crime should not be identified without their consent, unless the information is relevant to the story. References to a person’s race, colour, sexual orientation and gender should be avoided. For instance, the media reportage of the TISS rape case, which revealed the nationality and colour of the victim, would be in violation of the PCC Code. In the TISS rape case, the information on the nationality and colour of the victim was not only irrelevant to the story, but as amply demonstrated by the media it reinforced prejudices against white women as ‘loose or amoral’.[28]

As far as sting operations are concerned, the PCC lays down that the press must not publish material acquired by hidden camera or clandestine devices by intercepting private messages, emails or telephone calls without consent. However, revealing private information in cases of public interest is an exception to the general rule to be followed with respect to individual privacy. The PCC defines public interest to include, but it is not restricted to:

"i) Detecting or exposing crime or serious impropriety
ii) Protecting public health and safety
iii) Preventing the public from being misled by an action or statement of an individual or organisation"

It requires editors to amply demonstrate that a publication is of public interest. In case the material is already in public domain the same rules of privacy do not apply. However, in cases involving children below 16 years of age, editors must demonstrate exceptional public interest that overrides the interest of the child. Tellingly, the PCC recognises freedom of expression as public interest.

The PCC, to ensure that persons are not hounded by the media have started issuing desist orders. The PCC issues a desist notice to editors to prevent the media from contacting the person. Preventive pre-publication is when the PCC pre-empts a story that may be pursued or published and attempts to either influence the reporting of the story in a way that it is not in violation of a person’s privacy or persuades the media house not to publish the story. The PCC, however, does not have the powers to prevent publication.

Further, United Kingdom is a member of the European Convention on Human Rights (ECHR), which guarantees the right to privacy under Article 8 of the Convention: "Everyone has the right to respect for his private and family life, his home and his correspondence."

However, there is no independent law which recognises the right to privacy. The judiciary however has protected the right to privacy in several occasions, like in the famous J.K. Rowling case where the English Court held, that a minor’s photograph without the consent of the parent or guardian, though not offensive, violates the child’s right to privacy.[29]

France

The French legal system protects the right to privacy under: Article 9 of the Civil Code.

Article 9 of the Civil Code states:

Everyone has the right to respect for his private life. Without prejudice to compensation for injury suffered, the court may prescribe any measures, such as sequestration, seizure and others, appropriate to prevent or put an end to an invasion of personal privacy; in case of an emergency those measures may be provided for by an interim order. The right to privacy allows anyone to oppose dissemination of his or her picture without their express consent.

Article 9 covers both the public and private spheres, and includes not merely the publication of information but also the method of gathering information. Also, in France violation of one’s privacy is a criminal offence. This includes recording or transmitting private conversations or picture of a person in a private place without the person’s consent. This implies that privacy is not protected in a public place. Any picture taken of a person dead or alive, without their prior permission, is prohibited. Buying of such photographs where consent of a person also constitutes as an offence. Journalists, however, are not disqualified from the profession if they have committed such an offence.[30]

France has the Freedom of the Press of 29 July 1881 which protects minors from being identified and violent and licentious publication which targets minors. It punishes slander, publication of any information that would reveal the identity of a victim of a sexual offence, information on witnesses and information on court proceedings which include a person’s private life.[31]

Sweden

Privacy is protected in Sweden under its Constitution. All the four fundamental laws of the country: the Instrument of Government, the Act of Succession, the Freedom of the Press Act, and the Fundamental Law on Freedom of Expression protect privacy. The Instrument of Government Act of 1974 provides for the protection of individual privacy. It states that freedom of expression is limited under Article 13 of the Constitution:

"Freedom of expression and freedom of information may be restricted having regard to the security of the Realm, the national supply, public safety and order, the integrity of the individual, the sanctity of private life, or the prevention and prosecution of crime. Freedom of expression may also be restricted in economic activities. Freedom of expression and freedom of information may otherwise be restricted only where particularly important reasons so warrant."

Sweden has a Press Council which was established in 1916. The Council consists of the Swedish Newspaper Publishers' Association, the Magazine Publishers' Association, the Swedish Union of Journalists and the National Press Club. The Council consists of "a judge, one representative from each of the above-mentioned press organisations and three representatives of the general public who are not allowed to have any ties to the newspaper business or to the press organisations."

Additionally, there is an office of the Press Ombudsman which was established in 1969. Earlier the Swedish Press Council used to deal with complaints on violations of good journalistic practice. After the setting up of the Press Ombudsman, the complaints are first handled by the Press Ombudsman, who is empowered to take up matters suo motu. "Any interested members of the public can lodge a complaint with the PO against newspaper items that violate good journalistic practice. But, the person to whom the article relates to must provide a written consent, if the complaint is to result in a formal criticism of the newspaper."[33]

The Swedish Press Council reports that in the recent years, 350-400 complaints have been registered annually, of which most concern coverage of criminal matters and invasion of privacy.

Sweden, additionally, has a Code of Ethics which applies to press, radio and television. The Code of Ethics was adopted by the Swedish Co-operation Council of the Press in September 1995. The Code of Ethics for Press, Radio and Television in Sweden has been drawn up by the Swedish Newspaper Publishers' Association, the Magazine Publishers' Association, the Swedish Union of Journalists and the National Press Club.

The Code of Ethics lay down norms to be followed in respect of privacy. It states that caution should be exercised when publishing information that:

Infringes on a persons’ privacy, unless it is obviously in public interest,
Information on suicides or attempted suicides
Information on victims of crime and accidents. This includes publication of pictures or photographs[34]

Race, sex, nationality, occupation, political affiliation or religious persuasion in certain cases, especially when such information is of no importance, should not be published.

One should exercise care in use of pictures, especially, retouching a picture by an electronic method or formulating a caption to deceive the reader. In case a picture has been retouched, it should be indicated below the photograph.

Further, the Code asks journalists to consider “the harmful consequences that might follow for persons if their names are published” and names should be published only if it is in the public interest. Similarly, if a person’s name is not be revealed, the media should refrain from publishing a picture or any particulars with respect to occupation, title, age, nationality, sex of the person, which would enable identification of the person.

In case of court reporting or crime reporting, the Code states that the final judgement of the Court should be reported and given emphasis, as opposed to conducting a media trial. In addition, Sweden has incorporated the ECHR in 1994.

Japan

The Japan Newspaper Publishers & Editors Association or Nihon Shinbun Kyokai (NSK),[35] was established in 1946 as an independent and voluntary organisation to establish the standard of reporting, and protect and promote interests of the media. The organisation as part of its mandate has developed the Canon of Journalism, which provides for ethics and codes members of the body should follow. The Canon recognises that with the easy availability of information, the media constantly has to grapple with what information should be published and what should be held back. The Code provides that journalists have a sense of responsibility and should not hinder public interests. In addition, to ensuring accuracy and fairness, the Code states that respect of human rights, includes respect for human dignity, individual honour and right to privacy. Right to privacy is acknowledged as a human right.

Japan does not have an information ministry or organs like the PCC in the U.K. or the Press Ombudsman in Sweden. Apart from the Canon, the NSK has a code for marketing of newspapers, an advertising code and the Kisha club guidelines.[36]

Japan in 2003 formulated the Personal Information Protection Act, which regulates public and private sector. The Act, which came into effect in 2005, aims to ensure that all personal data collected by the public and private sector are handled with care. The Act requires that the purpose of collecting personal information and its use should be specified, information should be acquired by fair means, any information should not be supplied to third parties without prior consent of the individual concerned.

Netherlands

The right to privacy is protected under Article 10 of the Netherlands Constitution. Further, the Article also provides for the enactment of Rules for dissemination of personal data and the right of persons to be informed when personal data is being recorded.

Netherlands also has the Netherlands Press Council which keeps the media in check. The Code of the International Federation of Journalists and the Code of Conduct for Dutch Journalists was drafted by the Dutch Society of Editors-in-Chief to establish media reporting standards. These guidelines can be disregarded by the media only in cases involving social interest.

The Code recognises:

That a person’s privacy should not be violated when there is no overriding social interest;
In cases concerning public persons violation of privacy would take place, but they have the right to be protected, especially, if that information is not of public interest;
The media should refrain from publishing pictures and images of persons without prior permission of persons. Similarly, the media should not publish personal letters and notes without the prior permission of those involved;
The media should refrain from publishing pictures and information of suspects and accused; and
Details of criminal offence should be left out if they would add to the suffering of the victim or his/her immediate family and if they are not needed to demonstrate the nature and gravity of the offence or the consequences thereof.

Conclusion

The right to privacy in India has failed to acquire the status of an absolute right. The right in comparison to other competing rights, like, the right to freedom of speech & expression, the right of the State to impose restrictions on account of safety and security of the State, and the right to information, is easily relinquished. The exceptions to the right to privacy, such as, overriding public interest, safety and security of the State, apply in most countries. Nonetheless, as the paper demonstrates, unwarranted invasion of privacy by the media is widespread. For instance, in the UK, Sweden, France and Netherlands, the right to photograph a person or retouching of any picture is prohibited unlike, in India where press photographers do not expressly seek consent of the person being photographed, if he/she is in a public space. In France, not only is the publication of information is prohibited on account of the right to privacy, but the method in which the information is procured also falls within the purview of the right to privacy and could be violative. This includes information or photograph taken in both public and private spaces. Privacy within public spaces is recognised, especially, “where there is reasonable expectation of privacy.” The Indian norms or code of ethics in journalism fail to make such a distinction between public and private space. Nor do the guidelines impose any restrictions on photographing an individual without seeking express consent of the individual.

The Indian media violates privacy in day-to-day reporting, like overlooking the issue of privacy to satisfy morbid curiosity. The PCI norms prohibit such reporting, unless it is outweighed by ‘genuine overriding public interest’. Almost all the above countries prohibit publication of details that would hurt the feelings of the victim or his/her family. Unlike the UK, where the PCC can pass desist orders, in India the family and/or relatives of the victims are hounded by the media.

In India, the right to privacy is not a positive right. It comes into effect only in the event of a violation. The law on privacy in India has primarily evolved through judicial intervention. It has failed to keep pace with the technological advancement and the burgeoning of the 24/7 media news channels. The prevalent right to privacy is easily compromised for other competing rights of ‘public good’, ‘public interest’ and ‘State security’, much of what constitutes public interest or what is private is left to the discretion of the media.

Notes

[1]The Radia Tapes’ controversy concerns recording of conversations between the lobbyist Nira Radia and politicians, industrialists, bureaucrats and journalists with respect to the 2G spectrum scam. The tapes were recorded by the Income Tax Department. The role played by the media, especially some prominent journalists, in scam has been questioned. A handful of magazines and newspapers have questioned the media ethics employed by these journalists, whose recorded conversations are in the public domain or have been published by a few political magazines. The publication of the recorded conversations by a few media publications has received a sharp reaction from the said journalists. They have accused those media journals of unverified reporting and conducting a smear campaign against them.

[2]1975 AIR 865, 1975 SCR (3) 333.

[3](1994) 6 S.C.C. 632.

[4]AIR 1997 SC 568.

[5]AIR 1997 SC 568.

[6]AIR 1997 SC 568.

[7]International Covenant on Civil and Political Rights, Part III Art. 17. Available at: http://www2.ohchr.org/english/law/ccpr.htm [Last accessed 20//04/2011].

[8]W.P. (C) 288/2009

[9]PTI, Media just turned me into a 'slut' in IPL row: Sunanda Pushkar, 23/04/2010 Available at http://articles.timesofindia.indiatimes.com/2010-04-23/india/28149154_1_sunanda-pushkar-shashi-tharoor-ipl-kochi [Last accessed 20/04/2011].

[10]Vrinda Gopinath, "Got A Girl, Named Sue", 26/04/2010 Available at http://www.outlookindia.com/article.aspx?265098 [Last accessed 20/04/2011]

[11]Interview with Senior Assistant Editor, Hindustan Times, on 18.04.11.

[12]Guideline 6 (i) Right to Privacy, Norm if Journalistic Conduct, PCI.

[13]Interview with a freelance photographer and a former Reuters photographer on 16.04.11.

[14]Kumar, Vinod, “Raped American student’s drink not spiked in our bar,” 16.04.09 Available at http://www.mid-day.com/news/2009/apr/160409-Mumbai-News-Raped-American-student-date-drug-CafeXO-Tata-Institute-of-Social-Sciences.htm, Anon, “Party pics boomerangon TISS rape victim” , 04 .05.09, Available at http://www.mumbaimirror.com/index.aspx?page=article§id=15&contentid=2009050420090504031227495d8b4e80f [Last Accessed April 20,2011].

[15]Interview with Abhinav Pandey, crime reporter with a leading newspaper, on 21.04.11.

[16]Interview with Swati Deshpande, Senior Assistant Editor (Law), Times of India, on 15.04.11.

[17]Crl.Misc.(Main) 3938/2003

[18]Ibid.

[19]Sidhartha Vashisht @ Manu Sharma vs State (Nct Of Delhi), Available at http://www.indiankanoon.org/doc/1515299/.

[20]Ibid

[21]WP(Crl.) No.1175/2007

[22]Ibid

[23]Ibid

[24]Ibid

[25]NBA is a community formed by private television & current affairs broadcasters. As per the NBA website, it currently has 20 leading news channels and current affairs broadcaster as its members. Complaints can be filed against any of the broadcasters that are members of NBA on whom the Code of Ethics is binding.

[26]For additional details, please refer to the website: http://www.nbanewdelhi.com/authority-members.asp [Last Accessed April 20,2011]

[27]TNN, “'Full video will further embarrass Shakti', 15.03.2005 Available at http://articles.timesofindia.indiatimes.com/2005-03-15/mumbai/27849089_1_sting-operation-shakti-kapoor-film-industry.

[28]For more details please refer to the PCC website: http://www.pcc.org.uk/ [Last Accessed April 20,2011].

[29]Singh, A., May 2008, “JK Rowling wins privacy case over son's photos”http://www.telegraph.co.uk/news/uknews/1936471/JK-Rowling-wins-privacy-case-over-sons-photos.html [Last Accessed April 20,2011].

[30]For more details, please refer to: http://www.kbkcl.co.uk/2008/03/privacy-law-the-french-experience/ and http://ambafrance-us.org/spip.php?article640 [Last Accessed April 20,2011].

[31]For more details, please refer to:http://www.ambafrance-uk.org/Freedom-of-speech-in-the-French.html [Last Accessed April 20,2011].

[32]http://www.po.se/english/how-self-regulation-works [Last Accessed April 20,2011].

[33]Ibid.

[34]Please refer to this website for additional details: http://ethicnet.uta.fi/sweden/code_of_ethics_for_the_press_radio_and_television and http://www.po.se/english/code-of-ethics/85-code-of-ethics-for [Last Accessed April 20,2011].

[35]http://www.pressnet.or.jp/english/index.htm [Last Accessed April 20,2011].

[36]Kisha Clubs, are clubs where only a few media houses/newspapers have access to public institution information. They have been criticised for its lack of openness and encouraging monopoly on reporting.

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-media-law

When Data Means Privacy, What Traces Are You Leaving Behind?

Noopur Raval — 2011-11-24T09:24:03Z

How do you know yourself to be different from others? What defines the daily life that you live and the knowledge you produce in the span of this life? Is all that information yours or are you a mere stakeholder on behalf of the State whose subject you are? What does privacy really mean? In a society that is increasingly relying on information to identify people, collecting and archiving ‘personal’ details of your lives, your name, age, passport details, ration card number, call records etc, how private is your tweet, status update, text message or simply, your restaurant bill?

The CIC (central information commission) that arbitrates decisions on RTI appeals in case of conflict of interest provides interesting notions of what the State thinks is privacy. Ironically, the cornerstones of RTI that is privacy and its invasion are yet to be defined in the context of the judiciary. Then, how does the CIC decide what is private enough and what can be revealed to anyone? Of course, it relies on the discretion of its judges who attempt to draw from a range of sources that include the principles of natural justice drawn from western jurisprudence to quotes by Gandhi and Aristotle to the UK Data Protection Act, 1998 and US Torts that define invasion of privacy. To begin with, let us examine who constitutes the private sphere. As ruled in case of Mr. Ajeet Kumar Khanna vs Punjab & Sind Bank on 29 July, 2008 and Mr. G. Atchaiah vs State Bank of India on 22 August, 2008, the appellant can seek information only for himself/herself. Anyone outside the self, commonly believed as the personal connection, sons, daughters, parents or even spouse is not allowed information of a relative. One needs a distinct power of attorney for right to information. The contradiction is that one does not need to state the purpose for asking information, thereby making unnecessary any connection with the person you want information about.

CIC has been increasingly relying on the UK Data Protection Act, 1998 to make a correlation between data and privacy. Hence, to map privacy and its invasion, the RTI act depends on the UK Data Protection Act that classifies the following as sensitive personal data:

We have no equivalent of UK's Data Protection Act, 1998, Sec 2 of which, titled Sensitive Personal Data, reads as follows: In this Act "sensitive personal data" means personal data consisting of information as to:

The racial or ethnic origin of the data subject
His political opinions
His religious beliefs or other beliefs of a similar nature
Whether he is a member of a Trade Union
His physical or mental health or condition
His sexual life
The commission or alleged commission by him of any offence
Any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

While this blanket reference to sensitive personal data does not account for nuances in the Indian context, it also does not capture the essence of public-private interaction. It is mostly at the intersection of the public domain and the individual that the demarcation occurs. While personal family photographs lying in my attic may constitute a beautiful memory that can be proudly displayed on my walls, it is when one acknowledges the dual nature of any information source, the potential of these photographs to contribute to larger politicized information narratives, that their access and usage comes to define the real crux of the privacy debate.

The US Restatement of the Law, Second, Torts, defines the Intrusion to Privacy more generally in the following manner: “One, who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.” Of course, we don’t know whether a father paying for bills and wanting access to his daughter’s cell phone records can be seen as highly offensive to a reasonable person in the Indian context. In the context of the recent Padmanabhswamy Templetreasure trove found in Kerala, since under the Ancient Monuments and Archaeological Sites and Remains Act 1958, such sites qualify as sites of ‘national importance’ and imply a certain larger public interest, would one be able to access such 'nationally personal data' pertaining to a temple (public space) owned by a family trust registered with the government (publicly private), containing a national treasure lying locked on geographical territory (public) that is rightly shared by all citizens?

Here’s how the CIC defined the personal and the extent of personal in the context of state as illustrated in Mr. Kanhiya Lal vs MCD, GNCT, Delhi on 13 June, 2011.To qualify for this exemption the information must satisfy the following criteria:

It must be personal information

Words in a law should normally be given the meanings given in common language. In common language we would ascribe the adjective 'personal' to an attribute which applies to an individual and not to an institution or a corporate. From this it flows that 'personal' cannot be related to Institutions, organizations or corporate. (Hence, we could state that section 8 (1) (j) cannot be applied when the information concerns institutions, organizations or corporate). The phrase 'disclosure of which has no relationship to any public activity or interest' means that the information must have some relationship to a public activity. Various public authorities in performing their functions routinely ask for 'personal' information from Citizens, and this is clearly a public activity. When a person applies for a job, or gives information about himself to a public authority as an employee, or asks for a permission, licence or authorisation, all these are public activities. The information sought in this case by the appellant has certainly been obtained in the pursuit of a public activity. We can also look at this from another aspect. The State has no right to invade the privacy of an individual. There are some extraordinary situations where the State may be allowed to invade on the privacy of a Citizen. In those circumstances special provisos of the law apply, always with certain safeguards. Therefore it can be argued that where the State routinely obtains information from Citizens, this information is in relationship to a public activity and will not be an intrusion on privacy.

In that case, does data at several layers demand for us to relook privacy from the subject positions we acquire at different levels and hence, the larger private collectives that we partake of?

For more details visit https://cis-india.org/internet-governance/blog/privacy/when-data-is-privacy

My Experiment with Scam Baiting

sahana — 2012-03-13T10:43:28Z

Today, as I am sure many of you have experienced, Internet scams are widespread and very deceptive. As part of my research into privacy and the Internet, I decided to follow a scam and attempt to fully understand how Internet scams work, and what privacy implications they have for Internet users. Though there are many different types of scams that take place over the Internet —identity scams, housing scams, banking scams— just to name a few. I decided to look in depth at the lottery scam.

Day 1: July 4, 2011

On July 4, I received a spam mail from Shell BP Manchester England (lamarc65@cs.com). The e-mail informed me that my e-mail address had won a sum of $550,000 which was held on July 3, 2011 in England. In order to claim my prize the e-mail instructed me to confirm the receipt of the mail by submitting a few of my personal details to one Dr. Mohammed Al Maliki. This is an extract from the letter asking for my information:

Information Requested:

Your full Name:
Contact address:
Your Telephone:
Your Age:
Your occupation:
Your country of origin:

Congratulations.
Yours Sincerely,
Mrs Roseline Lott
Shell Prize announcer, England.

Deciding to reply to the email and see what happened, I responded to Dr. Mohammed Al Maliki (dr.mohamedmalik@gmail.com) with the information that the e-mail had asked, only I substituted my real information with the following fake information:

Shaiza Sarkar
B-196, CR Park, New Delhi - 110019
09916000603
23 yrs old
India

To my surprise he replied to my mail the same day at 4:59pm. In this mail he informed me that he had sent my details to Lloyds Bank who would be responsible for the payment of my prize. He asked me to inform him after I receive a mail from the bank. The e-mail contained a phone number for me to call. I tried to call the number mentioned in the mail but there was no reply.

Again to my surprise, I received a mail from Lloyds Bank at 6:58 p.m. the same day with a list of documents and details that I was supposed to send them to claim the prize money. Lloyds Bank had also attached a deposit certificate to ‘prove’ that Shell Petroleum Development Company had deposited the prize money in the bank. Below is an extraction of the e-mail I received from Lloyds Bank.

"FROM THE DESK OF DR. MOHAMED MALIK
REGIONAL CLAIMS AGENT,
SHELL PETROLEUM INTERNATIONAL LOTTERY PROGRAM.
Regional Office:
St James Court, Great Park Road,
Almondsbury Park, Bradley Stoke,
Bristol BS32 4QJ, England
Contact: +447035974608
“LLOYDS BANK PLC
ADMINISTRATIVE HEADQUARTERS.
LONDON, ENGLAND, UNITED KINGDOM.
REF...FILENOS2345/LTB
ATTENTION: SARKAR SHAIZA
*REGARDING YOUR PRIZE FROM SHELL PETROLEUM DEVELOPMENT COMPANY*
PLEASE SEND US THE DOCUMENTS BELOW;
1. A CERTIFICATE OF AWARD FROM SHELL PETROLEUM CONTACT DR MOHAMED MALIK
2. A SCANNED COPY OF EITHER YOUR DRIVERS LICENSE OR YOUR INTERNATIONAL PASSPORT OR WORK I.D CARD.
3. A SWORN AFFIDAVIT OF CLAIM FROM THE CROWN COURT HERE IN LONDON,YOU ARE REQUIRED TO CONTACT [DR MOHAMED MALIK]YOUR AGENT FOR ALL THIS.
SIR PAUL WISCONFIELD.
HEAD OF OPERATIONS.
LLOYDS TSB BANK PLC

Day 2: July 5, 2011

The next day I informed Dr. Mohammed Al Maliki of the above letter from the bank, as instructed to at 8:58 p.m. At 9:45 p.m., Dr. Mohammed Al Maliki emailed me back with the certificate of award from Shell Petroleum Development Company with my fake name printed on it.

Though the first two documents that Lloyds Bank required me to obtain were standard enough, the turning point in this entire scam was the third document that Lloyds Bank asked me to acquire. The third document asked me to present a sworn affidavit of claim from the Crown Court in London. Following the instructions given by the bank, I again emailed Dr. Mohammed Al Maliki. He replied with instructions for me to contact Barrister Wilson Burrows (ESQ) of Wilson and Co. Law Chambers for this document. I tried to search for Wilson and Co. Chambers on the Internet and found that no company with such a name exists.

This is the certificate of award provided to me by Dr. Mohammed Al Maliki:

Day 3: July 6, 2011

At 1:47 p.m. I mailed Wilson and Co. Law Chambers informing them about the sworn affidavit that I required in order to claim the lottery prize. The same day at 8:25 p.m. the Law Chambers sent me the following mail with an application form, and asked me to transfer 520 pounds through a Western Union Money Transfer to the Chamber’s Accountant Mr. Preston Doyle. I checked the address provided in the mail to see if it existed. The Google map showed that the given pin code “L14JJ”- London - was a pin code for Liverpool, Merseyside UK, which is not London , and not where Wilson and Co. Law Chambers claimed to be based. Additionally, the Law Chambers attached a form for the affidavit in this mail.

Below is an extract from the email I received from Wilson and Co. Law Chambers:
“The Principal Attorney
Wilson and co Chambers
#18 Harms Road Manchester
L14JJ - London.
Supreme Solicitors, Principal Attorneys and Property Managers
Kind Attention: Client,
As stated in the attached form, the completed form should be returned with the Court Oath Fee. For further processing, see below fees;
Court Oath Fee: 250 Pounds
Attorney Fee: 270 Pounds
------------------------------------------
Total Fee: 520 Pounds
-----------------------------------------
To send this money, go to any WESTERN UNION MONEY TRANSFER OFFICE nearest to you and make the payment to the Chamber's Accountant - Mr. Preston Doyle with the following details -
Receiver's Name: Mr. Preston Doyle
Receiver's Location: London, United Kingdom.
Receiver's Address: #18 Harms Road Manchester, L14JJ – London
Amount: £ 520.00 (Five Hundred and Twenty Pounds)
Regards,
Mrs.Wilson Burrows(ESQ)
(Registrar)
Mrs. Ivon Samuel (KBE) (Secretary)”

Day 4: July 7, 2011

After receiving the e-mail asking for a money transfer, I was curious and wished to probe more. Thus, I wrote to Wilson and Co Law Chambers and explained that a Western Union Transfer was not available in my village. The same day at 6:48 p.m. the Law Chambers sent me a mail saying that the Honourable Chamber recognizes only Western Union Transfer as the safest mode for transactions. I did not reply to this mail, as I knew I would not be able to go any further with my investigation. Though I was disappointed because this was the end to my investigation into lottery scams, and I still had questions that I wanted answered, the last e-mail the Law Chambers sent me was very interesting. In the last email sent to me by the Law Chambers requested (in a very pushy tone) that I should not tell anyone about my prize money, and that it was in fact in my best interest not to tell anyone.

Below is the extract of this mail:

“So do not discuss your winning with anybody until your prize has been transferred to you. It is for your own good. And it is at that time alone that you can be used for advert purposes by our company. So the success of this transfer lies sorely in your hands. These are the exact words from the Director this morning.”

Regards,

Mrs.Wilson Burrows (ESQ)

(Registrar)

His Lordship, Justice Ivon Samuel (KBE) (Secretary)

Day 5: July 8, 2011

Originally I wrote to the Law Chambers telling them I did not have access to a Western Union for the purpose of seeing if they use other mediums to receive money. Surprisingly, at 1:47 p.m. Wilson and Co. Law Chambers emailed me. The e-mail said that they would grant me the privilege of using a direct deposit of the 250 pounds into their correspondents account in India. In the mail they asked me to confirm that I would use this method of payment, and that once confirmed, that they would furnish me with their correspondent’s account details. Interested, I confirmed. After my e-mail confirmation at 9:47 p.m. they emailed me the details of their correspondent in India.

Below are the details of the account that I was supposed to transfer the money into:

This is the account details you will deposit the money into:
Account Name: L. MOHAN SINGH
Bank name: HDFC BANK
Branch: DELHI
Account number: 0609190004391
Ifsc Code : HDFC0000609
Pan Card: DDMPS9075M

Day 6: July 11, 2011

I did not deposit the money (obviously) and I did not e-mail the bank or the Law Chambers, I did receive a mail from Wilson and Co. Law Chambers informing me that their reputable organization would not tolerate my laxity. Unfortunately, because I could not pay the fee to their correspondent and obtain the affidavit, I was unable to follow the scam any further. Despite this dead end I was curious to know if they would provide me with the phone number of their Indian correspondent. Thus, I wrote them a mail to humbly apologise for the delay. I further asked them to provide me with the correspondent’s phone number claiming that the bank was rejecting his profile due to security protocols.

Day 7: July 12, 2011

The Law Chambers responded, informing me that they did not wish to give the correspondents number. In their e-mail they made it quite clear that for online banking all that is needed is the IFSC code. Therefore, I had to stop here.

This is the extract of the mail they sent me when I asked for the phone number:

The Principal Attorney
Wilson and co Chambers
#18 Harms Road Manchester
L14JJ - London.
Supreme Solicitors, Principal Attorneys and Property Managers

Kind Attention: Client,
This Honorable Chambers is in receipt of your mail. It is very important for you to know that laxity will not be accepted anymore. For the online transfer of this payment, you do not need any phone number, all you need is the IFSC Code already supplied to you. Once more, the IFSC Code is HDFC0000609. That is all you need to make an online transfer.

While I stopped following the scam at this point, many people might have continued with the process without any knowledge of it being a scam. Thus, one should be very sceptical about individuals or organizations who ask for personal and banking information.

Conclusions

In my experiment with scam baiting, I realized that:

They introduced me to various parties to make this entire scheme look professional. I initially assumed that I would have to carry out the process with the Shell Petroleum Development Company alone.
In the beginning of the experiment I initially thought the scam was about taking my account number and hacking into it. During my experiment I realized that the scam was not designed to make money by emptying my bank account, but instead was designed to profit off of the various admission fees such as the Sworn Affidavit.
Due to the speed by which they were able to respond to my emails, I realized that they had pre-prepared fake documents – ready to send to anyone who emailed them regarding claiming the offered lottery prize.
Throughout all of our e-mail exchanges I noticed that the individuals behind the scam only used a G-mail account. Curious, I checked their IP address – hoping to find out more information and possibly track their location – but found that Google does not reveal senders IP address information (which is in fact a very good thing in terms of privacy protection!)

For a detailed understanding of different types of scams visit here.

For more details visit https://cis-india.org/internet-governance/blog/privacy/scam-baiting

The Walls Have Ears

praskrishna — 2011-07-06T06:26:25Z

The proposed Privacy Bill seems skewed towards the state rather than the citizen, writes Saikat Datta. This news was published in the Outlook magazine, issue, July 11, 2011.

Sometimes the best of intentions can camouflage the worst of motives. On the face of it, the government’s bid to bring in a privacy bill is a welcome move, a long-overdue measure. But after an initial approach paper prepared by lawyers and bureaucrats in November last year, the government went into a secretive huddle. Now a leaked April 19, 2011, version of the bill raises several disturbing questions.

"The idea behind it was to protect privacy but not short-circuit the current systems to combat terror."

K.M. Chandrashekhar, Ex-cabinet secretary

While recognising the need for privacy, the government has also slipped in several clauses that could severely restrict the freedom of the press if enacted in its current form. Worse, it could actually make journalists liable for prosecution as well as imprisonment up to five years. And if that was not bad enough, it does little or nothing to prevent the government from invading a citizen’s privacy. In fact, it will legitimise all forms of intrusion by the state and collection of a wide variety of data from individuals.

TV news channels could be the most affected by this. Sting operations could become a very risky thing in the future, with section four of the proposed bill saying that any form of filming/recording can be deemed as surveillance and anyone doing so without proper authorisation would be liable for prosecution. So if someone was to secretly catch on camera MPs accepting cash for posing questions in Parliament, or record a bureaucrat demanding bribes, chances are he/she will be doing time in jail.

While the proposed draft draws a distinction between data and personal information, it still leaves little room for journalists. For instance, if a reporter were to use "personal information" of an individual for an article without his/her written consent, it will amount to a civil offence and immediately attract a penalty of up to Rs. 1 lakh. If the journalists were to repeat the "offence" by publishing another story using the same material, the penalty goes up to Rs. 5 lakh. So, is the UPA government, under the scanner for a plethora of scams, trying to muzzle the media? It certainly seems so.

"The bill, in its current form, brings an element of pre-censorship that violates our right to speech. It’s disturbing."

Now when it comes to the government’s right to invade a citizen’s privacy, the proposed legislation offers little immunity. It will uphold all existing laws of phone-tapping, interception of communications, collection of statistics and personal data with impunity. "The proposed bill doesn’t change any system or structure of surveillance that are in place today," says Usha Ramanathan, a law researcher who has worked extensively on privacy issues. "Look at the Collection of Statistics Act passed by Parliament last year. You can be penalised for not sharing the information that the government seeks from you. This is very disturbing."

Usha Ramanathan, Law Researcher

Ramanathan’s discomfiture has its reasons. "In the past three years, the government has become far more intrusive than it ever was. All this is asserting the sovereignty of the state over the citizen when the Constitution says that the citizen is supreme. This bill, in its current form, also brings in an element of pre-censorship that violates our fundamental right to speech as well as several judgements of the Supreme Court that ruled against pre-censorship."

On the other hand, former cabinet secretary K.M. Chandrashekhar, a prime mover behind the bill during his tenure, feels that the security needs of the state warrant "lawful" intrusion by it. “The idea was to protect privacy but not short-circuit the current surveillance systems in place for combating terrorism."

"While we accept the primacy of public interest, we must be very, very careful about what is public interest."
Satyananda Mishra, CIC

As far as protecting privacy is concerned, of course all is not bad with the proposed bill. Prashant Iyengar, a researcher with the Centre for Internet and Society (CIS), a Bangalore-based NGO that has played a leading role in shaping the public discourse on this issue, is hopeful. "For the first time, this bill creates a strong liability for the government. This means that the government can be held liable and penalised for the violation of privacy. It also establishes a routine civil liability against the government for all its lapses in protecting the privacy of citizens... which is very good.” But Prashant also feels that the bill has a long way to go before it resolves some inherent contradictions. “The proposed Act must recognise the concept of public interest while it protects privacy. That is an element missing from the current discourse."

Satyananda Mishra, the chief information commissioner and a former secretary, DoPT, has a nuanced view of the proposed bill. He feels public interest must outweigh privacy in every case. "But while we accept the primacy of public interest, we must be very, very careful about what is public interest," he says.

Mishra, in many ways the country’s biggest trustee of transparency in public life today, suggests a few key modifications in the conditions in the proposed legislature. "We need to understand that after the enactment of the RTI Act, it has become incumbent upon us to have some form of inherent disclosure in all our public dealings. This will also safeguard our privacy from the government."

The relationship between citizen and government, says Mishra, is guided by a social contract. "People elect governments and trust them with their lives and liberty in the promise that the government will exercise its powers for their welfare. But there could be instances where the government breaks that promise. It could legitimately tap someone’s phone through legal means, but with malicious intent."

To prevent this, Mishra suggests a modification to the proposed Privacy Act. "Let there be disclosure of all such events, after a reasonable period of time, of any effort by the government to invade the privacy of citizens. For instance, if it needs to tap the phones of a person, then it must be disclosed after a period of time. After all, phones can be tapped legally only to protect the interests of the state. So it should either lead to a criminal prosecution or a disclosure after a reasonable amount of time has elapsed. That is the only way we will be able to curb the intrusive powers of the state and protect the privacy of citizens." Prashant of CIS agrees with Mishra’s suggestion. "In the United States, all wire-tapping laws have a clause for disclosure. This way, a citizen will know if his privacy has been violated lawfully or not."

Now if a reporter were to use "personal info" without consent, it will mean a civil offence, a penalty of Rs. 1 lakh.

While the government will take its time to introduce the bill in Parliament, it needs to be more transparent in its deliberations. Right now two ministries are working simultaneously on the same bill. While the ministry of law and justice under Veerappa Moily is busy shaping its draft, the ministry of personnel, training and public grievances under the prime minister is busy formulating its own version. While they work on it, what both ministries must recognise is that nothing is private about public policy.

Click here to see the story originally published by Outlook

For more details visit https://cis-india.org/news/walls-have-ears

Aadhaar’s moment of truth

praskrishna — 2011-07-05T07:16:58Z

It’s time for the unique identity project to answer tough questions it has dodged so far, writes MA Arun in the Deccan Herald.

On June 25, 2009, Prime Minister Manmohan Singh generated one of the biggest feel-good headlines of UPA2. He appointed former Infosys CEO Nandan Nilekani as Chairperson of Unique Identification Authority of India (UIDAI), which had been set up to assign a unique number to every resident of the country.

UIDAI – billed as the world’s largest e-governance project – presented a numbing technical challenge. Fingerprint and iris samples of one billion plus Indian residents had to be collected along with details of name, gender, birth date and address. A unique identity had to be assigned to each resident in return and then authenticate it online whenever called for.

Nilekani using his stature in the IT industry assembled a smart team of engineers, who could take the challenge head on. He also started tirelessly crisscrossing the country promoting the project and tying up with different government agencies and PSUs.

He addressed countless gatherings conveying a simple message: Indian growth has bypassed the poor and giving them legal identity was the first step in acknowledging their existence and making government services accessible.

In the last two years, there has been a little change in his script and in the response of the audience, which has by and large remained breathless and adulatory. There have been a few jarring notes. Once in a while he is accosted by individuals and organisations, who say the project takes away their privacy.

Most memorably, on January 7, 2011, Nilekani faced an uncharacteristically unruly audience at IISc, Bangalore, which demanded strong protection to privacy. People who attended the meeting found Nilekani evasive as protesting students waved placards outside the venue, urging him to go back.

But for the media, this reporter included, the dissenting opinion from possibly fringe protesters, sounded exaggerated, making too much of a small issue, debating an academic issue of little practical value.

Perhaps reflecting the larger prevailing sentiments on Aadhaar, Sujeet Pillai of Feecounter, says with the rise of social networking, privacy has already eroded. "We put more information on Facebook and Twitter than we share with Aadhaar. The benefits of the project outweigh the cost," he adds.

Many say it is only the middleclass which worries about privacy, while the poor would be more concerned about the benefits. Trying to address privacy concerns, Aadhaar officials have maintained they collect just basic details, enrollment is voluntary and information is encrypted. Your approval is required to authenticate your identity and while revealing who you are, the system just gives a yes or no response, they say.

Over the last year Aadhaar has picked up steam and observers, who expected the bureaucracy to resist, given its anti-corruption overtone, are mildly surprised. Various government departments are embracing it in competition. Several central ministries, state governments, PSUs have begun to tie their programmes to the Aadhaar number.

Aadhaar officials say they are on course to enroll 600 million by 2014 and by October this year they expect to start enrolling one million numbers a day. The pilot projects at Mysore, Tumkur and Hyderabad have already enrolled 85 per cent of the population and the project is ramping up to other districts and states.

Early last month the Cabinet Committee on Security in a seemingly unrelated move gave partial approval for a Home ministry project, National Intelligence Grid (Natgrid). The development alarmed the privacy advocates to again raise a cry over Aadhaar. Among other things, Natgrid, being run by an ex-army man, Capt Raghu Raman, reportedly seeks to integrate 21 databases - railways, airlines, stock exchanges, income tax, bank account details, credit card transactions, visa and immigration records, telecom service providers and chemical vendors.

Most of us reading this article appear in many these databases, which today are islands of information controlled by different government agencies. They cover different segments of the population and may overlap to some extent. Stitching together these disparate databases together would require a mammoth exercise to uniquely identify all Indian residents. That is precisely what Aadhaar, the missing link, is doing, say critics.

"If Aadhaar ever succeeds in assigning a unique number to all residents, it will take a maximum of two years to create a common Natgrid database. Using a terminal in his office, a cop would be able to watch whatever you do - travelling, talking, buying - in real time. The surveillance technology is pretty straightforward," says noted security expert and IIT Mumbai alumni, Dr Samir Kelekar of Teknotrends.

The system is being designed to catch terrorists and criminals, say Natgrid supporters. "But why subject the entire population to potentially the same level of surveillance," asks Sunil Abraham of Centre for Internet and Society.

Noted jurist Usha Ramanathan says since 2008 several measures such as the Collection of Statistics Act, The Information Technology Act, Aadhaar, National Grid have come about to collect information about people. “After 9/11 in the guise of homeland security USA expanded police powers. Something similar is happening in India after 26/11,” she says.

The claims of Aadhaar benefiting the poor is untested as there has been no feasibility study, she adds. "This is a security project masquerading as an anti-poverty project," says Abraham.

Aadhaar has eluded a debate so far on these issues, say critics. Ramanathan says she made three attempts in November 2009, July 2010 and February 2011 to engage Nilekani, Aadhaar Director General R S Sharma and few other project officials on the issue.

Dubious demands

A New Delhi-based Aadhaar government official, speaking on the condition of anonymity, said there was no discussion within the project on the potential risks it posed. "The main focus is in making a paradigm shift in governance and reaching out to the poor to ensure that the Rs 3,26,000 crore being spent on subsidy is not pilfered," he said.

But he went on to acknowledge that Aadhaar was like 'nuclear energy', which could be used to either make bombs or generate electricity. “It is for the media and civil society to apply pressure for the right safeguards," he said.

While the engineers and bureaucrats are steamrolling the project, the laws of the land and the promised safeguards are yet to catch up with it.

Indian judiciary has also given a free hand to the law enforcement authorities to conduct surveillance. According to the latest Google Transparency Report, Indian government officials made 67 requests to remove contentious items from various Google services between July to December 2010. Only 6 requests were backed by court orders and rest were demands made by police and other executive agencies.

Why is Nilekani who has emerged as the face of Aadhaar silent about the security dimension of the project, ask critics. After all, the Infosys credo is to ‘disclose when in doubt’, they point out. "Nilekani and team are good people without any evil intention. They have never lived in villages and believe that technology can solve any problem," says Abraham.

Ramanathan differs. "In 2009, I would have said he was unaware of the possible risks of Aadhaar. I will not attribute that innocence to him anymore. People in power tend to be blinded by it," she says.

"Their response has varied from ‘nobody else is asking these questions’, ‘have not come prepared to address these issues today’ and ‘we will get back to you’," she says.

Critics also accuse Aadhaar officials of presenting a misleading picture. Enrollment started as a voluntary exercise, but is now being made mandatory to get LPG cylinders. "They were supposed to collect only basic details, but Aadhaar enrollment forms now ask for email ids and phone numbers," Ramanathan said.

This news appeared in the Deccan Herald on 5 July 2011. The original post can be read here.

For more details visit https://cis-india.org/news/aadhaar-truth

Sorry Wrong Number

praskrishna — 2011-07-08T04:11:02Z

The government’s ambitious project to give a unique identification number to every Indian citizen is running woefully behind schedule. T.V. Jayan investigates the problems that beset the project. The news was published in the Telegraph on 3 July 2011.

It was supposed to be a smooth, if mammoth, operation — one where a 12-digit unique identification (UID) or aadhaar number would be provided to every Indian citizen within a specified time frame. Yet less than a year after Prime Minister Manmohan Singh and United Progressive Alliance chairperson Sonia Gandhi launched it with much fanfare in Maharashtra’s Nandurbar district, the ambitious project seems mired in problems.

In Nandurbar itself, the pace of implementation has been agonisingly slow. As against the enrolment target of 2.6 lakh people by June end, only 1.17 lakh people have been enrolled so far.

And Nandurbar is just one case in point. In most districts and states, the Unique Identification Authority of India (UIDAI), the body that is overseeing the project, is struggling to meet its target. Only three states have crossed the one million mark in providing aadhaar numbers to their citizens. Andhra Pradesh leads the pack with nearly 3.5 million UIDs, followed by Karnataka (1.82 million) and Maharashtra (1.6 million). The total enrolment, according to the UIDAI website, stands at 9.5 million as on June 27. The plan, though, is to provide aadhaar numbers to 600 million people by 2014 — a target that will surely remain way out of reach if the UIDAI continues with its current pace of work.

Forget the debate on whether or not the UID project will compromise a citizen’s right to privacy. Right now, the big issue facing it is that it’s beset with a host of operational problems. “There are issues at all levels — conceptual, technology, logistics and at the implementation stages. Unless we resolve them fast, there could be inordinate delays. The project could even be derailed,” says a senior manager at one of the biggest enrolment agencies empanelled with the UIDAI, on condition of anonymity.

The UID programme works something like this. The UIDAI has appointed a large number of registrars, which are either state or central government departments, or public sector banks and insurance companies. The registrars, in turn, have enlisted the services of private firms to enrol people and collect demographic and biometric data such as their finger prints, iris scans and so on. So far 209 firms have been enlisted as enrolment agencies (EAs). While most of them are information technology firms, stock broking companies, financial service companies and even printing presses have been commissioned to obtain the UID enrolment data.

Once the EAs collect the information, the data packets are sent to the respective registrar to be vetted and thence to the UIDAI’s Central Identities Data Repository (CIDR) in Bangalore. The CIDR checks the data packets for authenticity and makes sure that there has been no duplication of data — in case an individual has been enrolled more than once. When all the processes are cleared, a UID number is generated against the person’s name, which is delivered to him or her by post.

Incidentally, the government is yet to announce the cost of the entire project, although UIDAI director general Ram Sewak Sharma reveals that the cost of generating each aadhaar number would be about Rs 150.

What is also slowing down the project is the process of “de-duplication” of data. UIDAI technology head Srikanth Nadhamuni admits that the biometric service providers who help the CIDR check duplication in biometric records now take a couple of minutes to process a single data packet. As a result, right now the UIDAI can issue fewer than 50,000 aadhaar numbers a day. And yet, it plans to generate one million numbers daily by October this year. To achieve this target the UIDAI should be processing 11 data packets per second during a 24-hour cycle.

UIDAI director general Sharma feels that these are niggling problems that will soon be resolved. “Kindly understand that the world has not seen this scale of de-duplication thus far,” he exclaims. “The IT systems, both hardware and software, are continuously being tuned to scale up to these numbers.”

UIDAI’s chief technology architect Prashant Varma is also optimistic. “These things need not be done sequentially. If we have enough computing power it can be carried out in a parallel manner,” he says, adding that more hardware is on its way to streamline the de-duplication process.

But others hold out a much bleaker view. “The de-duplication algorithm will get slower and slower as the size of the database grows. The authority has also not been transparent about the de-duplication process,” says Sunil Abraham, executive director of the Centre for Internet and Society (CIS), Bangalore.

Enrolment agencies too say that the problem is far more serious than what the UIDAI admits. “Currently, they are processing data packets that we had sent in April,” says the state head of an EA working with the commissioner of civil supplies in Andhra Pradesh.

Again, the fact that the UIDAI is taking an inordinately long time to generate the aadhaar numbers — about three to four months from the time of data collection, in place of a month as originally planned — is creating its own complications. Thanks to the time lag, a citizen who is unsure of his UID status may go to another enrolment agency associated with yet another registrar. So his data is collected again and sent to the CIDR for registration once more. This leads to duplication of data and hence, further increases the de-duplication workload.

What’s more, it also hits the margins of enrolment agencies as the UIDAI pays only once for someone’s data. So any EA that unwittingly collects the personal data of a citizen the second time will not be paid for its pains.

In fact, the EAs are beginning to realise that the work is barely financially viable for them. Having procured the enrolment job through competitive bidding, they are now finding out that the rates are abysmally low. “If one EA quotes a low price, others are asked to match it if they want to work with the same registrar,” says an executive with an EA, who does not wish to reveal his or his agency’s name.

“For instance, a Noida-based firm, which bagged the tender for 200 enrolment stations to be set up in Hyderabad from the commissioner of civil supplies in Andhra Pradesh, had quoted a figure of Rs 23 per enrolment. We all knew this was a ridiculously low amount as an ideal per capita enrolment cost should be between Rs 30 and 35. But others working in the Hyderabad area had no choice but to quote a figure very close to it,” he says.

Then again, because enrolment agencies are paid only after their enrollees have received the UID numbers, and because these numbers are taking months to be generated, the EAs are not getting paid on time. “We are already working on tiny margins. So if the cash flow is tight, we find it difficult to pay salaries to people who work on the ground,” says an enrolment agency official.

Admittedly, while the profitability of an EA need not be the UIDAI’s concern, it certainly needs to check if enrolment is being affected because the EAs are cutting corners to stay within their budgets.

The EAs are also witnessing high attrition rates among enrolment operators. These operators, who have to clear a certification exam before they can enrol people, work for three or four months and leave if some other agency offers them more money, reveals Sudhanva Kimmane of Comat Technologies, a Bangalore-based EA. Since getting a new operator certified takes about 20 to 25 days, the deadline goes for a toss.

Sometimes, the unreasonable demands of state governments also lead to delays. Karnataka, for instance, has asked registrars working in the state to gather information on as many as 19 counts. “Filling out so many additional fields reduces the number of enrolments that an operator can complete in a day and thus makes our targets go awry,” says an EA working in Karnataka.

Experts feel that one of the biggest flaws of the UID project is that it was launched all across the country without trial runs in small areas. “Whether in the private sector or the public sector, if a new project is being undertaken, it is usually tested in a small area before being launched on a large scale,” says an IT expert who has been involved with launching e-governance programmes in Kerala. “This way you suss out the feasibility of the project. Also, it helps to resolve all possible problems that may be encountered during the full roll-out. Why didn’t they first test the UID programme in a district, and then in a state before taking it pan India,” he asks.

With so many problems bedevilling the project, many people are sceptical of its success. Asks R. Ramakumar, associate professor at the Tata Institute of Social Sciences, Mumbai, “Will the benefits accruing from the project justify the huge expenses involved?” He points out that a similar project in the UK — that aimed to create a National Identity Register — was scrapped by the government in December. The London School of Economics, which analysed the proposal, found that the cost could end up being 10 times more than what was envisaged. “If the technologies involved are so infallible, why did a few developed countries which tried to use them drop them eventually,” he asks.

Clearly, there are too many uncomfortable questions facing the UIDAI right now. It remains to be seen if it is merely experiencing teething troubles or if India’s zillion-rupee aadhaar number scheme will tie itself into knots even before it gets to the halfway mark.

GLITCHES GALORE

Slipping targets: Only three states have crossed the one million mark in providing aadhaar numbers to their citizens. Total enrolment stands at 9.5 million as on June 27. The goal is to provide aadhaar numbers to 600 million people by 2014.

Slow data crunching: Processing each data packet now takes a couple of minutes. To achieve the target of generating one million UID numbers daily by October this year, the UIDAI should be processing 11 data packets a second during a 24-hour cycle.

Devil is in duplication: Since the UIDAI is taking about three to four months to generate an aadhaar number, a citizen who is unsure of his UID status may go to another enrolment agency. So his data are collected again and sent to the CIDR for registration once more. This increases the de-duplication workload and slows down the entire process even more.

High attrition rates: Enrolment operators, who have to clear a certification exam before they can enrol people, work for three or four months and leave if some other agency offers them more money. Since getting a new operator certified takes about 20 to 25 days, the enrolment agency’s target goes for a toss.

Click here to read the original in the Telegraph

For more details visit https://cis-india.org/news/sorry-wrong-number

Privacy and Security Can Co-exist

sunil — 2012-03-21T09:05:57Z

The blanket surveillance the Centre seeks is not going to make India more secure, writes Sunil Abraham in this article published in Mail Today on June 21, 2011.

TODAY, the national discourse around the “ right to privacy” posits privacy as antithetical to security.

Nothing can be farther from the truth. Privacy is a necessary but not sufficient condition for security. A bank safe is safe only because the keys are held by a trusted few. No one else can access these keys or has the ability to duplicate them. The 2008 amendment of the IT Act and their associated rules notified April 2011 propose to eliminate whatever little privacy Indian netizens have had so far. Already as per the Internet Service Provider ( ISP) licence, citizens using encryption above 40- bit were expected to deposit the complete decryption key with the Ministry of Communications and Information Technology. This is as intelligent as citizens of a neighbourhood making duplicates of the keys to their homes and handing them over at the local police station.

Surveillance

Surveillance in any society is like salt in cooking — essential in small quantities but completely counter- productive even slightly in excess. Blanket surveillance makes privacy extinct, it compromises anonymity, essential ingredients for democratic governance, free media, arts and culture, and, most importantly, commerce and enterprise. The Telegraph Act only allowed for blanket surveillance as the rarest of the rare exception. The IT Act, on the other hand, mandates multitiered blanket surveillance of all lawabiding citizens and enterprises.

When your mother visits the local cybercafe to conduct an e- commerce transaction, at the very minimum there are two levels of blanket surveillance. According to the cyber- cafe rules, all her transaction logs will be captured and stored by the operator for a period of one year. This gentleman would also have access to her ID document and photograph. The ISPs would also store her logs for two years to be in compliance with the ISP licence ( even though none of them publish a data- retention policy). Some e- commerce website, to avoid liability, will under the Intermediary Due Diligence rules also retain logs.

Data retention at the cyber- cafe, by the ISP and also by the application service provider does not necessarily make Indian cyberspace more secure. On the contrary, redundant storage of sensitive personal information only opens up multiple points of failure and leaks — in the age of Nira Radia and Amar Singh no sensible bank would accept such intrusion into their core business processes.

Surveillance capabilities are not a necessary feature of information systems.

They have to be engineered into these systems. Once these features exist they could potentially serve both the legally authorised official and undesirable elements.

Terrorists, cyber- warriors and criminals will all find systems with surveillance capabilities easier to compromise.

In other words, surveillance compromises security at the level of system design. There were no Internet or phone lines in the Bin Laden compound — he was depending on a store and forward arrangement based on USB drives. Do we really think that registration of all USB drives, monitoring of their usage and the provision of back doors to these USBs via a master key would have led the investigators to him earlier?

Myth

Increase in security levels is not directly proportional to an increase in levels of surveillance gear. This is only a myth perpetuated by vendors of surveillance software and hardware via the business press. You wouldn't ask the vendors of Xray machines how many you should purchase for an airport, would you? An airport airport with 2,000 X- ray machines is not more secure than one with 20. But in the age of UID and NATGRID, this myth has been the best route for reaching salestargets using tax- payers’ money.

Surveillance must be intelligent, informed by evidence and guided by a scientific method. Has the ban on public WiFi and the current ID requirements at cyber- cafes led to the arrest of terrorists or criminals in India? Where is the evidence that more resource hungry blanket surveillance is going to provide a return on the investment? Unnecessary surveillance is counter- productive and distracts the security agenda with irrelevance.

Finally, there is the question of perception management. Perceptions of security do not only depend on reality but on personal and popular sentiment. There are two possible configurations for information systems — one, where the fundamental organising principle is trust and second, where the principle is suspicion.

Systems based on suspicion usually give rise to criminal and corrupt behaviour.

Perception

If the state were to repeatedly accuse its law- abiding citizens of being terrorists and criminals it might end up provoking them into living up to these unfortunate expectations. If citizens realise that every moment of their digital lives is being monitored by multiple private and government bodies, they will begin to use anonymisation and encryption technology round the clock even when it is not really necessary. Ordinary citizens will be forced to visit the darker and nastier corners of the Internet just to download encryption tools and other privacy enabling software. Like prohibition this will only result in further insecurity and break- down of the rule of law.

The writer is executive director of the Bangalore- based Centre for Internet and Society.

Read the original published in Mail Today here

For more details visit https://cis-india.org/internet-governance/blog/privacy-and-security