Centre for Internet and Society

Privacy By Design — Conference Report

praskrishna — 2011-08-22T12:03:30Z

How do we imagine privacy? How is privacy being built into technological systems? On April 16th,The Center for Internet and Society hosted Privacy by Design, an Open Space meant to answer these questions and more around the topic of privacy. Below is a summary of the conversations and dialogs from the event.

Introduction

On April 16th, The Center for Internet and Society hosted Privacy by Design, an Open Space meant to foster discussions around questions related to how privacy is being designed into technological systems. The day opened with two basic questions: How do we imagine privacy? And how are individuals building technology systems incorporating privacy into the system? Throughout the day the conversations took many twist and turns, but at the end of the day three basic points about privacy had come out of the many discussions: 1. Privacy cannot be limited to one definition; it is constantly changing based on person and on context 2. To a person - privacy is a function of abuse and violation 3. The increased generation of data that was made possible by web 2.0 has lead to a rise in privacy issues and is significantly changing many traditional concepts, spaces, and relationships – such as what constitutes a public space, and the relationship between a state and its citizens.

Database architecture and privacy

The morning discussion focused on databases and privacy, and began with questions like: How can a database be built to protect privacy? When a database is built, what role does privacy play in the migration of data? Is privacy protected in databases simply by limiting access to certain parts of data sets? Though many of these were left unanswered, the conversation highlighted the fact that th databases are coded to segregate /regulate users and information in order to protect the system. Thus, databases are architected to incorporate privacy in such a way that protects the viability of only the system and not the individual. In our research we have seen many cases of this. Individual’s privacy has been violated because of malfunctioning or poorly constructed databases. For example, currently Indian governmental databases often have incorrect information, individuals do not have the ability to access and change their information, and if an individual’s information is compromised the government is not held accountable, and there is no course of action that an individual can take towards redress.

Security vs. Privacy

Embedded in this understanding of how privacy is built into technological systems is the question of what security is, and when systems are built, whether privacy and security are considered to be essentially the same. Thus far in our research we have distinguished between privacy and security, saying that, security and privacy have an interesting relationship, because they go hand in hand, and yet at the same time have a different focus, because of this differing focus data security and privacy are not the same. Data breaches that contain personal information of any sort that can be matched, tracked or otherwise co-related to a person or persons will result in a privacy breach too. Though data security is critical for protecting privacy, because data security and privacy have different focuses, the principles that each follows are also different and sometimes conflicting. For example, data security focuses on data retention, logging, etc, while privacy focuses on consent, restricted access to data, limited data retention, and anonymity. If security measures are carried out without privacy interests in mind, privacy violations can easily result. Therefore we have thought that data security should influence and support a privacy regime, but not drive it.

security and privacy have an interesting relationship, because they go hand in hand, and yet at the same time have a different focus, because of this differing focus data security and privacy are not the same. Data breaches that contain personal information of any sort that can be matched, tracked or otherwise co-related to a person or persons will result in a privacy breach too. Though data security is critical for protecting privacy, because data security and privacy have different focuses, the principles that each follows are also different and sometimes conflicting. For example, data security focuses on data retention, logging, etc, while privacy focuses on consent, restricted access to data, limited data retention, and anonymity. If security measures are carried out without privacy interests in mind, privacy violations can easily result. Therefore we have thought that data security should influence and support a privacy regime, but not drive it.

The right to be forgotten and regulation of data

The possibility of creating systems with "off switches" also came out of this thread of conversation. For instance, can a database be structured to show only necessary information to third parties based on the context. In this scenario a card would be created that has all of an individual’s information on it, but only the pertinent information will be shown based on the different situations - if, for example, a teenager goes to a bar, the card will only show a third party that he is over 18. This idea is already taking shape in many Western countries, and is similar to the idea of a federated identity system. A question to ask though is if such a system could work for India, or be even more appropriate for India than a system like the UID. The purpose of federated systems of identity is to take context into consideration, and enable users to keep contexts separate, and link information about an individual only takes place when consent is given by the user. In response to the idea of an identity system that allows only certain information to be seen by third parties based on the situation, it was brought out that privacy is not protected simply by the separation of data into public or private categories, because all data have the potential to be misused. The immediate response to this concern was that if all data have the potential to be mis-used – than the use of data should be carefully regulated. The regulation of data though is also a double edged sword. On one hand regulating the use of data can stop a company from misusing information, but on the other hand it can keep a country from having full and equal access to the internet. A question that came out of this discussion on regulation was about the right to be forgotten. Does an individual have the right to regulate all information about themselves that is in the public sphere? Can they ask for their photos or videos to be taken down from the internet? In India this question has yet to be answered by the law, and it is a question that our research is looking into.

The purpose of federated systems of identity is to take context into consideration, and enable users to keep contexts separate, and link information about an individual only takes place when consent is given by the user. In response to the idea of an identity system that allows only certain information to be seen by third parties based on the situation, it was brought out that privacy is not protected simply by the separation of data into public or private categories, because all data have the potential to be misused. The immediate response to this concern was that if all data have the potential to be mis-used – than the use of data should be carefully regulated. The regulation of data though is also a double edged sword. On one hand regulating the use of data can stop a company from misusing information, but on the other hand it can keep a country from having full and equal access to the internet. A question that came out of this discussion on regulation was about the right to be forgotten. Does an individual have the right to regulate all information about themselves that is in the public sphere? Can they ask for their photos or videos to be taken down from the internet? In India this question has yet to be answered by the law, and it is a question that our research is looking into.

Data types and privacy

Emerging from the conversation on database structure, a conversation on types of data in databases was started. The question was raised as to whether or not databases can actually handle certain types of data. The example given was caste-related data. Information about a person’s caste is constantly changing as people lie about their caste, change their caste, and become married and take on another caste. Furthermore, some people do not want to live with their caste and want to shed off their caste. Therefore, can a database accurately represent such a dynamic data set? Is it dangerous to put such a politically volatile concept as caste into a database where it will confine a person to one definition once entered? Another side to this question though is that perhaps it is in fact necessary to try and place a person in one caste, as there benefits enshrined by law based on a person’s caste, and an individual who has the ability to change his/her caste at their whim therefore defeats and takes advantage of governmental benefits. The point was also raised that by placing information like caste and identity into a database, governments have the ability to divide the country into subsets of identities that they decide to generate. Caste is not the only data that faces these complications and issues. For instance religion and race raise similar question. How can you define and represent a person’s relationship with God in a database? How to you represent a child of multiracial parents on a database?

Changes in the relationship between the state and the citizen

It was also brought out that the representation of citizens’ identities on a database changes the relationship between a state and its citizenry. States no longer see citizens as individuals, but instead as data samples. The UID is an example of an e-governance program that if enacted, could further such a change in the relationship between the state and the citizen, as the whole of India will suddenly and ubiquitously be recognized by the Government (and other entities/organizations) according to their aadhaar number. The relationship between the state and the citizen is not the only social change that databases bring about. Databases also change the concept of public space. As web 2.0 has facilitated the generation of large amounts of data, public space has become a space where one enters and interacts as a dataset. For example face book and twitter allow individuals to create datasets of them and interact with other people through their datasets. Beyond social networking online banking and online shopping also push people to form datasets about themselves and interact with services that were traditionally done in person as individuals, as datasets.

Questions of ownership

The above thread of conversation led to the next question of whether or not individuals control technology or whether technology controls individuals. The example of Facebook was used to illustrate this question. Even though Facebook has a privacy policy, once a person engages with Facebook he or she accepts Facebook’s definition of privacy – which is two tiered. On one level Facebook defines user privacy in terms of restriction - allowing the user to limit who can see their profiles. On another level Facebook’s privacy policy allows the company to share and sell personal information. In these ways companies are constructing databases so that instead of the company being the custodian of information – an entity that provides a structure to protect and hold information - the companies are now the owners of information- selling and using individuals information for profit. In India, this is a problem. Companies, once they collect data, treat it as their own - selling and sharing data with third parties, or using it in ways that were not agreed to by the customer. The question of ownership was a critical question for the group. In the discussions it was important to individuals that they had control and ownership over their information. Individuals felt that information that could be traced back to them or their identity belonged to them, and that in order to protect privacy consent should be secured before any information is used. For instance, data mining by websites without notice was seen as a violation of privacy. The collection of data in public places for marketing purposes without a person’s consent or awareness was similarly seen as a privacy violation. It was also brought out from this conversation that the digitization of information has caused a commercialization of information, and that has led to a sense of ownership and need for privacy over information. For example, before, if someone were to take one’s name and mis-use it, that person was charged with defamation – not for violation of privacy – but if someone misuses information that is in a database or online, that person is now charged for a violation of privacy. This shift in thinking is another example of how web 2.0 has increased privacy violations.

Perceptions and expectations of privacy

The day ended with a conversation about the perceptions and expectations of privacy. Privacy as it relates to an individual is almost wholly dependent on expectation, which changes from person to person, from community to community, and from culture to culture. Just as the expectation of privacy varies between individuals, so does the degree of violation. Thus, it is important to recognize the changing nature of privacy, because it explains why it is difficult for the legal system to address all the nuances of privacy with one broad legislation. This point has been crucial in our research thus far as we are consulting with the public, analyzing legislation, and following news items to see if privacy legislation is wanted and needed in India, and if it is - how it should be shaped.

From the conversation on perceptions of privacy and privacy violations it was also brought out that the concept of privacy is on one hand related to the notion of ownership, and on the other hand it is related to the violation. From the experiences shared by individuals, their privacy never became a concern until it was violated, or they learned about someone else’s privacy being violated. This led to the observation that not only is it difficult for the law to address privacy violations because the violation is based on perception, but also because the effect when one’s privacy is violated is often an emotional one.

Conclusion

The conversations held throughout the day showed the dynamic and personal nature of privacy, and how when databases are constructed, and how our lives made digital this personal aspect is easily lost. When we think about the conversations held throughout the day in relation to our initial questions: what are the different ways of imagining privacy, and how is privacy being built into technological systems, besides the three basic themes of privacy highlighted in the beginning of this blog - there emerged to more themes. One theme portrayed an imagination of privacy that is more personal, and that address the emotional component and the perception component to privacy. Another theme portrayed an imagination of privacy that is technologically more controlled, that allows for more personal regulation, more precise segregation of information in a database, and restricted access by third parties. This imagination of privacy can be and is being met by new and developing technologies. Increasingly in many countries technology is being structured with privacy built into the system. The larger question that this open space has raised, and not completely answered is if privacy legislation can adequately protect an individual’s privacy, and if it cannot, can technology can fill the gaps that privacy legislation leaves open.

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy_privacybydesign

The DNA Profiling Bill 2007 and Privacy

elonnai — 2012-03-21T09:40:56Z

In 2007 a bill known as the Draft DNA Profiling Bill was piloted by the Centre for DNA Fingerprinting and Diagnostics, an autonomous organization funded by the Department of Biotechnology, Ministry of Science and Technology, Government of India. The below is a background to DNA collection/analysis in India, and a critique of the Bill a from a privacy perspective.

Introduction

In 2007 a bill known as the Draft DNA Profiling Bill was piloted by the Centre for DNA Fingerprinting and Diagnostics, an autonomous organization funded by the Department of Biotechnology, Ministry of Science and Technology, Government of India[1]. The Bill is pending in parliament. The DNA Profiling Bill looks to legalize the collection and analysis of DNA samples for forensic purposes. We believe that it is important that collection of DNA has associated legislation and regulation, because DNA is sensitive physical evidence that if used correctly can benefit the public good, but if misused can lead to serious privacy and human rights violations. Therefore it is important to create a balance between the constitutional rights of an individual and the public interest and bring accountability and transparency to the practice of DNA collection and testing.

In our research we consulted with GeneWatch UK to learn from their work and experience with DNA testing in the UK. This briefing is meant to give a background on the logistics of DNA testing, highlight ways in which DNA testing raises privacy concerns, and provide a critique of the DNA Profiling Bill.

Background Facts about DNA and DNA testing:

What is DNA: DNA is material that determines a persons hereditary traits such as hair color, eye color, body structure etc. Most DNA is located in the cell nucleus, and wrapped up in small structures called chromosomes. Every person inherits 50% of genetic material from their mother and 50% from their father. Genetic disorders are caused by mutations in a person's DNA, and comparing DNA within families can reveal paternity and non-paternity. DNA is found in every cell of our bodies, and each person has a unique strand of DNA [2]. Thus, DNA is seen as a useful form of identification with marginal room for error [3].

What is a DNA profile/ DNA database, and how can it be used/misused:

When DNA samples are taken from individuals they are analyzed in laboratories to produce a digitized representation of numbers known as a DNA profile. Once created, a DNA profile is stored on a DNA database (i.e. an electronic database) with other identifying information from the individual and information from the crime scene. A DNA profile is based on parts of a person's DNA, so it is not unique to an individual. The probability of an individual's DNA profile matching a stranger's by chance is very small, but not impossible. To collect a sample of DNA police normally use a mouth swab to scrape cells from inside the suspect's cheek. If the individual refuses, their DNA can be obtained by pulling some hairs out of their head (cut hair does not contain DNA, it is only in the roots), if the law allows DNA to be taken without consent. DNA samples are also collected from crime scenes, for example from a blood stain, and analyzed in the same way. DNA samples are sometimes stored indefinitely in the laboratory with a bar code number (or other information) that allows them to be linked back to the individual [3]. Stored DNA profiles from crime scenes can be helpful to exonerate an innocent person who is falsely accused of a crime if their DNA does not match a crime scene DNA profile that is thought to have come from the perpetrator. However, stored DNA profiles from individuals are not needed for exoneration because the individual's DNA can always be tested directly (it does not need to be stored on a database). Collecting DNA profiles from individuals can be useful during an investigation, to compare with a crime scene DNA profile and either exonerate an individual or confirm they are a suspect for the crime. Corroborating evidence is always needed because of the possibility of false matches (which can occur by chance or due to laboratory errors) and because there may be an innocent explanation for an individual's DNA being at a crime scene, or their DNA could have been planted there. Storing DNA profiles from individuals on a database is only useful to implicate those individuals in possible future crimes, not to exonerate innocent people, or to solve past crimes. An individual is implicated as a possible suspect for a crime if their stored DNA profile matches a new crime scene DNA profile that is loaded on to the database. For this reason, most countries only store DNA profiles from individuals who have committed serious crimes and may be at risk of re-offending in the future. Stored DNA profiles could in theory be used to track any individual on the database or to identify their relatives, so strict safeguards are needed to prevent misuse [4].

DNA testing in India:

At present, India does not have a national law that empowers the government to collect and store DNA profiles of convicts, but DNA collection and testing and is taking place in many states. For instance, in Pune the army is currently considering creating DNA profiles of troops who are involved in hazardous tasks inorder to help identify bodies mutilated beyond recognition [5]. In December of this year a judge in the Supreme Court ordered DNA testing on a congress spokesmen to determine if his child was really his child [6]. Also in December this year a news article announced the establishment of the first DNA profiling databank in Nehru Nagar [7]. Additionally DNA has been used to identify criminals , for instance in the Tandoor Murder DNA testing was used to reveal the identity of the culprit [8].

India hosts both private and public DNA labs. Public labs are sponsored by the Government, and use DNA purely for forensic purposes. For example The Centre for DNA Fingerprinting and Diagnostics (CDFD) located in Hyderabad is sponsored by the Department of Biotechnology and Ministry of Science. CDFD runs DNA testing for: establishment of parentage, identification of mutilated remains, establishment of biological relationships for immigration, organ transplantation, property inheritance cases, identification of missing children and child swapping in hospitals, identification of rapist in rape cases, identification in the case of murder.

Cases are only accepted by CDFD if they are referred by law enforcement agencies or by a court of law. Only an officer of the rank Inspector of Police or above may forward DNA cases to CDFD. Copies of DNA report are released to individuals if they are able to prove needed interest in the case through a notarized affidavit [9]. In 2010 CDFD received 100 cases from law enforcing agencies. Additionally, in 2010 CDFD was given rupees eighteen lakhs thirty nine thousand five hundred and forty five from the Government of India towards DNA fingerprinting services [10]. The Indian Government has also established National Facilities for Training in DNA Profiling in order to train individuals in DNA testing and expand the number of DNA examiners and laboratories available in the country [11].

Examples of private DNA labs include DNA labs India and Truth Labs. DNA labs India runs paternity testing, forensic testing, prenatal testing, and genetic testing [12]. Truth Labs is a private lab that provides legal services directly, without a court or police order [13].

The Complexity of privacy and DNA collection/ testing:
As mentioned above, the personal and sensitive nature of DNA, the use of DNA raises many privacy concerns. The concerns fall into three basic areas: first, if a person has given consent to have his or her DNA used for a specific purpose, must the DNA be destroyed or can it be used for other purposes as well? Related to that, if a person must give consent for a specific purpose, what happens if the person is no longer able to give consent -- if, for example, the person has died? Finally, if the testing of one person's DNA yields information that is likely, or probable, or certain to impact another person, does that person have a right to know the information discovered? There are variations on these questions -- as for example does DNA is permitted to be taken without consent (to test for a crime, perhaps), does that lack of need for consent permit all uses of DNA that others want. Who decides? The complexity of these questions demonstrates that in the situation of DNA collection and testing privacy cannot be protected simply through consent from an individual. Instead the law must permit specific thresholds to be established in order to cover the privacy needs of different situations.

Can DNA evidence be considered self-incriminating evidence?
According to the Supreme Court fingerprinting and other physical evidence is not covered by article 20(3). In the case of State of Bombay v. Kathi Kalu Oghad, the courts answered the question of whether or not the freedom against self-incrimination guaranteed under article 20(3) of the Constitution of India – which is meant to protect a person from torture from the police – can be extended to the collection of DNA? the courts answered this question by upholding that
“To be a witness may be equivalent to ‘furnishing evidence’ in the sense of making oral or written statement, but not in the larger sense of the expression so as to include giving of thumb impression or impression of palm or foot or fingers or specimen writing or exposing a part of the body by an accused person for purposes of identification [14]”

Critique of the DNA Profiling Bill 2007

Does India already have sufficient legislation?
The collection and use of biometrics for identification of criminals legally began in India during the 1920's with the approval of the Identification of Prisoners Bill 1920 [15]. The object of the Bill is to “provide legal authority for the taking of measurements of finger impression, foot-prints, and photographs of persons convicted or arrested…”[16] The Bill is still enforced in India, and in October 2010 was amended by the State Government of Tamil Nadu to include “blood samples” as a type of forensic evidence [17]. Other Indian legislation pertaining to forensic evidence is the CrPC and the Indian Evidence Act. In 2005 section 53A of the CrPC was amended to authorize investigating officers to collect DNA samples with the help of a registered medical practitioner, but the Indian Evidence Act fails to manage science and technology issues effectively [18]. The current state of statutes for DNA collection in India are not sufficient as the neglect to lay out precise procedures for collection, processing, storage, and dissemination of DNA samples. One question to consider though is if the Prisoners Identification Bill, CrPC, and Indian Evidence Act could be amended to incorporate DNA, and the needed safeguards, as a type of forensic evidence for all of India.

Lack of requirement for additional evidence: The preamble of the DNA Profiling Bill states that “The Deoxyribose Nucleic Acid (DNA) analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead without any Doubt.” This statement is untrue as DNA test can be compromised under many circumstances including: techniques for declaring a match, the proficiency of examiners, laboratory control standards and statistical problems, and DNA samples can become degraded due to age or exposure to chemical or bacterial agents [19]. Because DNA is not foolproof individuals can be falsely implicated in a crime as a result of an incorrect DNA match. The Bill needs to put in place procedures for the court to recognize the fact that DNA is not 100% foolproof, present the statistics correctly, and require supporting evidence [20].

Scope for DNA Collection: The stated object of the DNA Bill is to: “enhance protection of people and administration of justice, analysis of DNA found at the crime scene, establish identity of victim and offender”. The list of offenses and situations in which the collection and testing of DNA is permitted, found in the Schedule of the Bill, provides for the collection DNA from individuals who are not related to a crime scene, are not victims, and are not criminals. Furthermore, section 13(xxii) allows this list to be expanded by the DNA board. We believe these sections should be omitted from the scope of the Bill, so that it is limited to only identifying individuals who are victims and offenders, and that a statutory body besides the DNA board be given the authority to expand the list of proposed offences [21]. Furthermore, within the Bill there are many places where vague language permits the DNA testing of individuals who are not yet convicted of a crime, which will constitute an invasion of privacy unless the DNA is provided voluntarily to release a person suspected or accused of a crime [22]. Additionally as mentioned above it is critical that the Bill recognizes and allows for different thresholds of privacy when collecting, analyzing and sharing DNA profiles.

Clear definition of when collection of DNA samples can be taken: The schedule of the Bill only lists the offenses and situations for which the collection of DNA is permitted. We believe a provision must be added that clarify when exactly DNA can be collected e.g. whether the DNA can be collected on arrest or on charge, whether the DNA has to be relevant to the offence, or whether the police decide this for themselves, and what are the oversight mechanisms for these decisions [23].

Privacy Principles: The Bill enables the DNA Profiling Board to recommend privacy protection statutes, regulations, and practices concerning: use and dissemination, accuracy, security, and confidentiality, and destruction of DNA information [24]. Privacy principles should not be left to recommendations by the board or to regulations of the Bill, but instead should be incorporated into the Bill itself to ensure that such practices are in place if the Bill is passed. Furthermore, the appropriate collection, access, and retention of DNA information should be specified in this Bill.

Obligations for DNA laboratories: Section 19 of the Bill lays out the obligations of DNA laboratories [25]. We recommend that the implementation of a privacy policy should be mandatory under this section.

Storage of DNA profiles and samples: Currently the Bill allows for the complete storage of DNA of: volunteers, suspects, victims, offenders, children (with parental consent), and convicted persons. DNA samples taken from individuals contain unlimited genetic information (including health-related information) and are not needed for identification purposes once the profiles have been obtained from them, thus we recommend that the bill requires that DNA samples be stored temporarily for quality assurance purposes (e.g. for up to six months) and then destroyed to prevent misuse. This is an important privacy protection, which also reduces the cost of storing samples. The only purpose of retaining DNA profiles on a criminal database is to help identify the individual if they reoffend. Thus we recommend that the criminal databases should be restricted to holding DNA profiles only from convicted persons, and the types of offence and time period for retention should be limited. Although DNA profiles may have alternative uses other than solving crimes (e.g. identifying missing persons) we recommend that the missing persons databases are kept separate from criminal databases. Furthermore, although collecting DNA from victims and volunteers may be useful during the investigation of a crime, DNA profiles obtained from victims and volunteers should be destroyed once an investigation is complete.

Conflicting Clauses: Section 14 of the Bill provides that DNA laboratories can only undertake DNA procedures with the approval, in writing, from the DNA profiling Board. Section 15(2) contradicts this statement by permitting already existing DNA laboratories to function and use DNA already collected even before they receive approval from the DNA profiling Board. We suggest that Section 14 is clearly written so that DNA laboratories that have already been set up are unable to continue functioning until they have met the approval of the DNA Profiling Board, and Section 15(2) should thus be deleted.

Access: According to section 41 of the Bill, the Data Bank Manager is given sole discretion as to who may have access to the DNA database, including persons given access for training purposes [26]. Low standards such as these vest too much discretion in the Data Bank Manager. We recommend that access is strictly limited to trained personnel who have undergone proper security clearance. Furthermore, we recommend that the role of Data Bank Manager be analogous to a custodian for the databank. Thus, the manager would be accountable for the integrity and security of the data held in the DNA databank.

Offenses: Though the Bill provides for penalties such as unauthorized access, disclosure, destruction, alterations, and tampering [27], the Bill fails to provide punishment for the illegal collection of DNA samples. This should be made an offense under the Bill.

Redress: The Bill provides no redress mechanism to an individual whose DNA was illegally used or collected. Furthermore, section 49 (1) only permits the Central Government or DNA Profiling Board to bring complaints to the courts [28]. Thus, we recommend that individuals are enabled to bring charges against entities (such as DNA labs or police officials) for the misuse of their data.

Delegation of powers: The Bill allows the DNA Profiling Board to form committees of the members and delegate them the powers and functions of the board. This clause could allow outsourcing, and could allow a dilution of authority by which the DNA Profiling Board weighs approval or rejection of requests [29]. We recommend that the outsourcing of functions be limited to administration duties and jobs that do not directly relate to the core duties of the DNA Profiling Board.

Access by law enforcement agencies: The Bill currently allows for the DNA Profiling Board to grant law enforcement agencies access to DNA profiles [30]. We recommend that DNA profiles are only accessed by the Data Bank Manager. Law enforcement agencies should send requests for matches to the Data Bank Manager, and the Manger would provide the needed intelligence [31].

Public interest: The Bill allows for DNA laboratories to continue to operate, even if the laboratory has violated the specified procedures, if the DNA Profiling Board finds it in the public interest [32]. We believe that where there have been violations, a laboratory should be required to demonstrate remediation before being allowed to resume operations.

Contamination of DNA samples: Currently the Bill holds laboratories responsible for “minimizing the contamination of DNA.”[33] DNA Laboratories should be held fully and legally responsible for preserving the quality of DNA samples. If a DNA sample is contaminated, and the DNA lab does not follow due diligence to discard the contaminated sample and or collect a new sample, and subsequently the DNA used wrongly against an individual - an individual should have the ability to press charges against the institution.

Audits: The Bill provides for the auditing of DNA laboratories, but the DNA Profiling Board must also undergo annual audits [34].

Indices Held by DNA Banks: Under section 33 (4),(5)The Bill provides for the DNA data bank to set up indices that hold DNA identification records and DNA analysis from: crime scenes, suspects, offenders, missing persons, unknown deceased persons, volunteers and such other indexes as specified by regulations. We believe the DNA data bank should not hold indexes on suspects, missing persons, or volunteers without consent and the ability for the individual to withdraw their consent. Furthermore, the Bill requires the taking of a victim’s DNA, but it is not listed as an index. We recommend that this section be deleted, as the creation of a DNA index is simply another copy of a DNA profile, and it does not serve a particular purpose.

Communicating of DNA Profile with Foreign States: Section 35 permits, with the approval of the Central Government, the sharing of DNA profiles with Foreign States [35]. We recommend that communication and use of a DNA profile with Foreign States should be limited to comparison only.

Access to Data Banks for administration purposes: Section 39 of the Bill permits access to the databank for “administrative purposes”. We recommend that the Bill clarify what exactly constitutes “administrative purposes”, and clarify that the process/procedures that permit access to data banks for administration purposes will not require access to data stored in Data Banks [36].

Enforcement for the removal of innocents: Section 36(3) of the Bill requires that the DNA profile of individuals who are found innocent be removed from the database. This provision should have legal mechanisms to ensure enforcement of the provision e.g. reporting by the Board [37].

Ability to access one’s own DNA Profile: A provision should be added to the Bill that gives individuals the right to ask the police for any of their own details held on police databases, so an individual has the ability to know if their data is being held against the law [38].

Clear Definition of identity: Section 33(6)(i) maintains that the DNA Data Bank will contain in relation to each of the DNA profiles… the “identity of the person”. The Bill needs to define what is "identity" and how “identifying” information can be used. Furthermore, it is important to ensure that no other information (like an identity number) that would allow for function creep, is included in the DNA data base[39].

Transparency of the DNA board: Section 13 of the Bill describes the powers and functions the DNA Board. In this section the DNA board should be required to publish and submit minutes and annual reports including detailed information on how it has exercised all its functions to the public and to Parliament. The report should include: numbers of profiles added to the database; numbers removed on acquittal, numbers of matches and solved crimes; costs; numbers of quality assurance inspections, and breakdowns of these figures by state [40].

Restricted use of DNA database: Section 39 (1) of the Bill permits the DNA database to be used for identification purposes that are not related to solving a crime including the “ identification of victims of: accidents, disasters or missing persons or for such other purposes”. The DNA database should be restricted to the identification of a perpetrator of a specified criminal offence, and consent or a court order must be sought for any other use of the database for identification purposes.

Probability of error published: Because profiles found in the DNA data base are comprised of only parts of individuals DNA, the profiles are not unique to individuals. Thus, the number of false matches that are expected to occur by chance between crime scene DNA profiles and stored individual's profiles depends on how the profiling system used, how complete the crime scene DNA is before it is added to the database (many crime scene DNA stains are degraded and not complete), and how many comparisons are done (i.e. how big the database it is and how often it is searched). With a population the size of India, the number of these false matches could be very high. The DNA board needs to take this probability for error into consideration and publish researched statistics on how many false matches they expect to occur purely by chance, based on the numbers of profiles they expect to store under the proposed criteria for entry and removal of profiles [41].

Cost analysis: The DNA board should publish a cost benefit analysis for the implementation the Bill. This should include the cost of storing samples, collecting sample, and testing samples [42].

Bibliography

http://www.cdfd.org.in/
http://ghr.nlm.nih.gov/handbook/basics/dna
Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 pg.6, 22
Ibid email conversation with Dr. Wallace from Genewatch UK April 2nd 2002
http://articles.timesofindia.indiatimes.com/2011-01-02/india/28371869_1_dna-data-bank-blood-samples-bodies
http://www.merinews.com/article/justice-s-rabindra-bhatt-orders-dna-test-for-nd-tiwari/15838508.shtml
http://www.dnaindia.com/mumbai/report_nehru-nagar-first-region-in-country-to-have-dna-profiling-database_1477211
Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007. Pg.263
http://www.cdfd.org.in/servicespages/dnafingerprinting.html
ibidhttp://www.cdfd.org.in/image/AR_2009_10.pdf
http://planningcommission.nic.in/plans/planrel/fiveyr/11th/11_v1/11v1_ch8.pdf
http://www.dnalabsindia.com/
http://www.truthlabs.org/
AIR 1961 SC 1808
The Prisoners Identification Bill was most recently amended 1981
http://lawcommissionofindia.nic.in/51-100/report87.pdf
http://www.tn.gov.in/stationeryprinting/extraordinary/2010/305-Ex-IV-2.pdf
Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 pg. 259
Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 pg. 245
Email conversation with Dr. Wallace from Genewatch UK. April 2nd
Schedule of offenses 5) Miscarriage or therapeutic abortion, b. Unnatural offenses, 7) Other criminal offenses b. Prostitution 9) Mass disaster b) Civil (purpose of civil cases) c. Identification purpose 10) b) Civil:1) Paternity dispute 2) Marital dispute 3) Infidelity 4) Affiliation c) Personal Identification 1) Living 2) Dead 3) Tissue Remains d)
2 (xxvii) “offender” means a person who has been convicted of or is under trial charged with a specified offense.
2(1)(vii) “crime scene index” means an index of DNA profiles derived from
forensic material found: (a) at any place (whether within or outside India) where a specified offense was, or is reasonably suspected of having been, committed;
or (b) on or within the body of the victim, or a person reasonably
suspected of being a victim, of an offense (DNA Profiling Bill)
Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 Pg. 291
Section (1) (xv) –(xvi) of DNA Profiling Bill
Section 19 of DNA Profiling Bill
Section 41(i) (ii) of DNA Profiling Bill
Section 45, and section 46 of DNA Profiling Bill
Section 49 (1) of DNA Profiling Bill
Section 52 (2) The DNA Profiling Board may, by a general or special order in writing,
also form committees of the members and delegate to them the powers
and of the Board as may be specified by the regulations.
Section 13(x), Section(2) The DNA Profiling Board may, by a general or special order in writing,also form committees of the members and delegate to them the powers and functions of the Board as may be specified by the regulations.
Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 Pg. 300
Section 17 (2) of DNA Profiling Bill
Section 22 of DNA Profiling Bill
Section 28 of DNA Profiling Bill
Section 35 (1) of DNA Profiling Bill
Section 39 of DNA Profiling Bill
http://www.genewatch.org/sub-539478
http://www.genewatch.org/sub-539478
http://www.genewatch.org/article.shtml?als[cid]=492860&als[itemid]=567376
Email conversation with Dr. Wallace from Gene Watch UK April 2nd
Standard setting and quality regulation in forensic science. GeneWatch UK submission to the Home Office Consultation.
October 2006.
Standard setting and quality regulation in forensic science. GeneWatch UK submission to the Home Office Consultation.
October 2006.

For more details visit https://cis-india.org/internet-governance/blog/privacy/dna-profiling-bill

An Interview with Activist Shubha Chacko: Privacy and Sex Workers

elonnai — 2012-03-28T06:26:03Z

On February 20th I had the opportunity to speak with Shubha Chacko on privacy and sex workers. Ms. Chacko is an activist who works for Aneka, an NGO based in Bangalore, which fights for the human rights of sexual minorities. In my interview with Ms. Chacko I tried to understand how privacy impacts the lives of sex workers in India. The below is an account of our conversation.

Introduction

In our research we have been exploring where and how privacy is found in different areas of Indian society, law, and culture. As part of our research we have been holding public conferences across the country to raise awareness and gather opinions around privacy. One area that was discussed in the public conference in Bangalore was the privacy of sex workers. Shubha Chacko, who is from Aneka - an NGO located in Bangalore which fights for the human rights of sexual minorities, made a presentation that focused on the privacy challenges that sex workers in India face. In our interview Ms. Chacko pointed out many misconceptions that society holds about sex workers’ lives. She also detailed the challenges of stigma and discrimination that sex workers face, and described the precarious position that sex workers find themselves in as their work is constantly being pushed out of the public sphere by the law and society. I later interviewed Ms. Chacko to follow up on her presentation on privacy and sex workers. During the interview I had the opportunity to speak with both Ms. Chacko and a board member from the Karnataka Sex Workers Union. The following is meant to provide a perspective on how and in what ways society, law, media and tradition invades the privacy of sex workers. Though the piece is focused on the lives of sex workers, many of the issues raised are not limited to only sex workers, but characterize other marginalized communities as well.

When I began the interview with Ms. Chacko I was hoping to do a piece that looked at the different elements of a sex worker’s life, and identified the points at which their privacy was invaded – such as in contacting a client, going to the doctors, etc. After I began my interview only, I realized how privacy impacts sex workers is much more complicated than a life cycle analysis. Among other things, privacy issues for sex workers prompt questions challenging social definitions of public and private, having the right to an identity and a recognized profession, and having the autonomy to control decisions about oneself.

Basic Facts and Background Information:

Karnataka has been found to have 85,000 sex workers, and India has an estimated 2 million female sex workers [1]

Sex work is not against the law in India, but any commercialized aspect of the trade is prohibited – including running a brothel or soliciting a client.

Sex work is a multi-faceted profession with many positive and negative complexities that are rarely known to the public.

Understanding the Challenge of the Public and the Private

My interview with Ms. Chacko began with my seeking an understanding of the challenges that traditional notions of the public sphere and the private sphere pose for sex workers. Ms. Chacko explained that to understand how privacy impacts the life of a sex worker, it is important to first understand that sex workers by profession confront and question traditional conceptions of the public and the private. Sex and everything associated with it is seen as something that is to be kept only in the private sphere. The work of sex workers brings sex into the public sphere, and thus the workers are seen as being public women not entitled to privacy, because they stand on street corners and conduct their work in the public. This notion that sex workers are public women without a right to privacy shows through in the way they are treated by the media, the police, NGOs, and researchers. An example of this tension and society’s response can be seen in the recent elections. On April 6th, a Times of India news article reported that the election commission will be setting up “special booths” for sex workers to vote in because “while the sex workers had been waiting in queues to cast their votes, common people were not comfortable with that”[2]

What is the Challenge of the Public and the Private?

“It starts with a conception of issues around privacy vis-à-vis sex workers. The general perception is that sex workers are considered “public women”, because they are considered available to the public and because they sell sexual services on the streets (and are seen in contrast to the “good” woman who is confined to the private world of the home This then leads people to assume that then sex workers have are not entitled to privacy. Also sex workers are forced to reckon with issues of sex and sexuality, and if you talk about issues of sexuality - issues that are considered private are forced into the public domain, so sex workers by their presence force these issues into the public domain. So notions of privacy become complicated by this challenge of what is public and private, because the sex workers’ presence brings into the public domain what is private.”

How does this tension of the public and the private translate into privacy violations?

"Due to the stigma around sex work all rights of sex workers are seriously compromised; with impunity. Thus, privacy is a threshold issue.

The violation of privacy happens at various points, for example the way the media deals with them – publishing their photographs, outing them without their consent, talking about them without their consent. There are the police who are often engaged in so called “rescue and rehabilitation” work, but in the process of rescuing the sex workers, disregard the harmful impacts that compromising their right to privacy will do to them. The HIV prevention intervention programs that are in place now that target sex workers (along with other ‘high risk groups”) also erode their right to confidentiality. Besides intimate details of their lives being recorded, their address and other coordinates are noted. This information along with other sensitive information including their HIV status, is often accessible to a host of people and is a potential threat to their privacy and anonymity. Researchers and NGOs too often quiz sex workers about a range of intimate details about their lives with little sensitivity and expect them to be totally candid. These interviews also raise questions that relate to privacy."

Stigma, Discrimination, and Identity

Ms. Chacko also spoke about how the stigma and discrimination that sex workers face invades their privacy. Society views sex workers in one light – as immoral women. This stigma is attached to them permanently and is a source of violence and discrimination in the home, from the state, and from society. The sex workers’ right to anonymity and identity is also restricted because of the stigma attached to their work. Sex workers do not have the ability to control information about themselves, and they face challenges in obtaining official documents like a PAN card or a passport. This stigma and its consequences impedes sex workers from functioning comfortably in society and creates a difficult tension for sex workers to live with. Society denies the presence of sex workers, and police patrol parks and other public areas chasing away individuals whom they believe to be sex workers. The increased passivisation of public spaces – parks, (for example) and the over gentrification of the neighborhoods squeeze them out

In New York, one way that sex workers have overcome this constant and sometimes violent confrontation with society is through the use of mobile phones. Sex workers will contact clients only through mobile phones. This allows them to find their clients in private and anonymous ways, and it eliminates the need of a pimp or other type of ring leader. When I asked Ms. Chacko if sex workers are using this same technique in India, she recognized that they are, but said that it is not a yet widely practiced - especially among women in rural areas.

How Restricting is the Stigma?

“Huge - hardly ever does a person’s entire identity get conflated with her with occupation or livelihood option; the way it does with sex workers. … I mean, for example, if you go to a movie - people would not say; oh, look, there is a researcher come to see a movie - people would call you by name, but if a sex worker goes to a movie they always say: oh, look, there is a sex worker. There is only one side to her identity according to society. And everyone wants to know the same thing - How did they get into sex work. There is an excessive interest in this aspect alone (and generally they are seeking simple answers) - they never ask other questions about them as a person, only about them as a sex worker. Thus, real issues of violence and exploitation are never dealt with”.

HIV Initiatives, Medical Counseling , and Privacy

Medical consultations, especially those related to HIV/AIDS, in many ways violate the privacy of sex workers.

HIV Initiatives

HIV initiatives run by the Government are often invasive and function off of privacy-violating techniques. The government runs many HIV initiatives where sex workers are employed to be “peer educators.” A peer educator’s job is to spread awareness about HIV, distribute condoms, and bring sex workers for HIV testing. The privacy and anonymity of peer educators is compromised in the job title itself. Everyone in the community knows that to be a peer educator, one must also be a sex worker. Thus, if a person is a peer educator or with a peer educator, she is immediately outed and identified as a sex worker. Furthermore, HIV testing is compulsory for sex workers, though on paper it looks as though it is a choice. Because there are quotas that must be filled, sex workers often go through HIV testing without full consent.

How do Government HIV Initiatives Violate Privacy?

“The whole HIV intervention itself violates sex workers’ privacy. Both in the sense that people get jobs as peer educators and they have to carry condoms around and talk to other sex workers, and everyone thinks that if you are a peer educator then you are a sex worker, and there is no protection for these people even though it is sponsored by the state government.”

Line Listing

The HIV programs and testing centers also violate the privacy of sex workers. The clinics have a system known as line listing, which is meant to ensure that there are no duplications in data. In order to ensure this they collect identifying information from sex workers including address and phone number. The information is not protected and is easily accessible to whoever wishes to see it.

Line Listing and Privacy

“HIV programs have a process called line listing, which is to ensure that there is no duplication. So they take all your facts from you, and from that a sex workers address and such go out, and it’s put out with no safeguards.”

HIV Counselors and Doctors

HIV counselors also violate the privacy of sex workers. Though a patient’s HIV status is only supposed to be known to the counselor at the testing clinic and the lab technician, it often becomes the case that HIV results are widely shared. As per protocol, doctors and counselors must follow up with sex workers every three months if a sex worker is HIV negative. This is to ensure that they are still HIV negative, and to provide them treatment at the soonest if they do contract the disease. To carry out this follow-up work, counselors keep a list of patients whom they have seen. This list is supposed to be confidential, but other personnel in the hospital are assigned to do the follow-up phone calls, and thus the list is in fact easily accessible. If a person’s name disappears from the list, it is obvious that the person is now HIV positive, and that person’s privacy is violated and her status known.

How does HIV Counseling compromise Privacy?

“…only the counselor and the lab technician is supposed to know about it, but it turns out a whole number of people know about it, because of follow up. The counselor is supposed to follow up on the list with people every three months for further testing, but if you are positive then you do not need to follow up. Plus, these results are shared with everyone. Because of the stigma attached to HIV there is a need for privacy to be protected, so confidentiality is routinely violated.”

Media and Research

Media

Media was another area of contention that Ms.Chacko pointed out. Though the media plays an important role as being a channel for the voice of sex workers, it can also be intrusive on the sex worker by publishing stories without their consent, or reporting in ways that can be misconstrued. Through their coverage, the media can also deepen the stigma against sex workers and place them under an unwanted social spotlight. For example, a news article in The Hindu spoke about the World Cup bringing an “off day” for sex workers.

“With hoards of supporters glued to their television screens for the World Cup cricket final between India and Sri Lanka on Saturday, sex workers are anticipating a slow day, but they are not disappointed. It is a rare weekend for them with their children. The prospects of fewer clients coming in only buoyed the enthusiasm of the women in Sonagachi, the largest red-light area in the city…”[3]

The media is also often a part of raids by cover stories of brothels being uncovered, and in doing so expose the lives of sex workers, often printing sensitive information, including addresses, while portraying the sex workers as victims. The media, along with NGOs and the police will conduct raids that severely violate the privacy of sex workers. For example, in an Express India article a raid was described that took place in Pune with NGOs and the police in which sex workers were dragged out, beaten, and molested by the police against their will [4].

How does the media violate the privacy of sex workers?

“The media conducts raids, and so do NGOs in an attempt to rescue them. Once they are rescued and taken back with police escorts to their village, the whole village knows that she was in sex work, and then her privacy is violated because she was publicly returned. My problem is not about them being rescued, but they need to have consent from the person. If a person wants to do sex work – this decision needs to be respected. The media is difficult because you don’t want to ask for a ban, so we don’t ask for banning, but we do put pressure on the media to be more responsible in their reporting.”

Research/Films

Ms. Chacko also spoke about how research often violates the privacy of sex workers, in ways that range from the words that are used to describe sex workers to the one-sided victim story that is too often used to describe the lives of sex workers, to the methods researchers use to find their facts. Thus, perhaps without meaning to, research can de-legitimatize the work that sex workers do, and can work to increase the amount of violence or abuse that they are exposed to.

Research and Privacy

“Researchers who are writing a report on sex workers - land up in some village and end up violating their privacy as everyone in the village wants to know why the researchers came. The researchers also ask invasive questions. They want to know details about the sex workers’ lives: what kind of sex they have and with whom? What do they experience with their clients? What is their relationship with their partners? What is the status of their relationship.? They do not have a sense of whether the workers will want to talk about their lives or not…Some people make films and some make them in extremely exploitative ways. Films are also often incorrect and invasive of privacy in that way as well.”

The Role of a Privacy Legislation

In our research, we are looking at how a privacy legislation could help remedy the challenges to privacy that different people face in society; or ,if a privacy legislation cannot offer a solution, if there are other ways in which a legislation or society can offer solutions. When I asked Ms. Chacko if a privacy legislation or the right to privacy could improve the lives of sex workers, she was not certain if a privacy legislation would make a difference directly, and thought it might in fact overlook sex workers because currently they are seen in society as immoral women that are not to be afforded the right to privacy. In fact, it is the law and enforcers of the law itself that is invading their privacy. For example, in a study done by the World Health Organization it was found that in India 70 per cent of sex workers in a survey reported being beaten by the police, and more than 80 per cent had been arrested without evidence [5]. Thus, before a right to privacy can apply to sex workers, sex work itself must be decriminalized and recognized as a legitimate profession worthy of labor rights and other rights. Furthermore the debate around sex work needs to move away from the traditional dialogue of who is having sex and who is not to one that looks at what rights should be protected for every person. At that point perhaps a law which protects dignity and regulates the use of information could be useful. On another note, the UID (the Unique Identification Project) could be a potential benefit for sex workers as it would serve as identity that would give only a yes or no response at the time of a transaction.

Could a Privacy Legislation help?

“Some of the privacy is violated by the raids that happen by the police. So those raids are problematic. What kind of laws would help? One would be to decriminalize sex work itself and also work with society to gain understanding and perspective. Because now people think: they are immoral women ,so what privacy do they deserve? The sexual debate should not be about who is having sex and who is not, but about who has the power…”

The Current Law

In India, the Immoral Trafficking prevention Act ( ITPA) is the law that governs sex work. The ITPA does not make prostitution illegal, but instead tries to target the commercialized aspects of the trade such as brothel keeping, pimping, and soliciting. Though the law does not attack the sex workers as individuals, and its stated purpose is to prevent the trafficking of sex workers, the law has become a tool of harassment and abuse by law enforcement agencies. Sections 5A, 5B, 5C, which pertain to trafficking are the most troublesome, because the clauses do not distinguish between trafficking and sex work, but instead defines them as the same[6]. Thus, the new definitions of prostitution and trafficking leave room for reading all sex work as within the meaning of trafficking, and thus criminalizing sex work by defacto.[7] In addition, under the new Section 5C, clients visiting or found in a brothel will face imprisonment and/or fines [8]. Penalization of clients is a significant modification to the the ITPA, which formally targeted 'third parties' profiting from prostitution and not sex workers or clients themselves [9]. Sex workers have fought for a long time to overturn the ITPA. In June 2008, sex workers went on a hunger strike in the hopes of forcing the bill to be discarded [10]. In 2010 sex workers demonstrated against the amendment of the ITPA that would hold the clients of sex workers liable. Despite their protests and demands for their occupation to be treated equally, the Indian courts are slow to move forward and recognize sex work as a dignified profession. “A woman is compelled to indulge in prostitution not for pleasure but because of abject poverty,” the court said last month. “If such woman is granted opportunity to avail some technical or vocational training, she would be able to earn her livelihood by such vocational training and skill instead of selling her body.” The court has also promised to initiate a program in May for vocational training of sex workers [11]. Unfortunately, vocational training fails to address the actual issues and violations that sex workers face – a fact that was demonstrated by one sex worker’s saying: “If we can’t solicit clients without getting arrested, we will naturally rely on pimps to carry on our trade…What we need are practical measures that free us from exploitation created by the law itself.”

Solutions

One of the most impactful source of aid for sex workers currently is the sex workers union. I had the opportunity to speak with a member from the board of the Karnataka Sex Workers
union. She spoke about the challenges that sex workers face and how the Union provides assistance to the sex workers. The union helps them obtain benefits, helps with enrolling their children in schools, and answers questions that they would not be able to seek legal or other assistance on. The union is a confidential and safe space for sex workers to function in society. The person interviewed feels as though the information about herself that should be kept confidential is: her medical information, her clients, where she meets her clients, and information about her family. Ms. Chacko also spoke about the positives that an identity scheme like the UID could have on sex workers, because the transactions would be done through a yes/ no response, and no one will be denied a UID number. Most importantly, Ms. Chacko stressed that it is important to recognize sex work as a legitimate profession,and focus on the actual problems, rather than limiting the debate to stigmas around sex. The interview with Ms. Chacko demonstrated that protection of sex workers’ and sexual minorities’ privacy cannot be addressed simply by a law, but must be embodied by an ethos and a culture before that law is meaningful.

Bibliography

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy_privacyandsexworkers

Limits to Privacy

praskrishna — 2012-12-14T10:28:59Z

In this chapter we attempt to build a catalogue of these various justifications, without attempting to be exhaustive, with the objective of arriving at a rough taxonomy of such frequently invoked terms. In addition we also examine some the more important justifications such as “public interest” and “security of the state” that have been invoked in statutes and upheld by courts to deprive persons of their privacy.

For more details visit https://cis-india.org/internet-governance/publications/limits-privacy.pdf

Privacy and the Information Technology Act — Do we have the Safeguards for Electronic Privacy?

Prashant Iyengar — 2012-12-14T10:29:12Z

How do the provisions of the Information Technology Act measure up to the challenges of privacy infringement? Does it provide an adequate and useful safeguard for our electronic privacy? Prashant Iyengar gives a comprehensive analysis on whether and how the Act fulfils the challenges and needs through a series of FAQs while drawing upon real life examples.

What kinds of computer related activities impinge on privacy?

Although Information and Communications Technologies (ICTs) have greatly enhanced our capacities to collect, store, process and communicate information, it is ironically these very capacities of technology which make us vulnerable to intrusions of our privacy on a previously impossible scale. Firstly, data on our own personal computers can compromise us in unpleasant ways — with consequences ranging from personal embarrassment to financial loss. Secondly, transmission of data over the Internet and mobile networks is equally fraught with the risk of interception — both lawful and unlawful — which could compromise our privacy. Thirdly, in this age of cloud computing when much of "our" data — our emails, chat logs, personal profiles, bank statements, etc., reside on distant servers of the companies whose services we use, our privacy becomes only as strong as these companies’ internal electronic security systems. Fourthly, the privacy of children, women and minorities tend to be especially fragile in this digital age and they have become frequent targets of exploitation. Fifthly, Internet has spawned new kinds of annoyances from electronic voyeurism to spam or offensive email to ‘phishing’ — impersonating someone else’s identity for financial gain — each of which have the effect of impinging on one’s privacy.

Although there are a number of technological measures through which these risks can be reduced, it is equally important to have a robust legal regime in place which lays emphasis on the maintenance of privacy. This note looks at whether and how the Information Technology Act that we currently have in India measures up to these challenges of electronic privacy [1].

What provisions in the IT Act protect against violations of privacy?

At the outset, it would be pertinent to note that the IT Act defines a ‘computer resource’; expansively as including a “computer, computer system, computer network, data, computer database or software” [2]. As is evident, this definition is wide enough to cover most intrusions which involve any electronic communication devices or networks — including mobile networks. Briefly, then IT Act provides for both civil liability and criminal penalty for a number of specifically proscribed activities involving use of a computer — many of which impinge on privacy directly or indirectly. These will be examined in detail in the following sub-sections.

Intrusions into computers and mobile devices

accessing

downloading/copying/extraction of data or extracts any data

introduction of computer contaminant[3];or computer virus[4]

causing damage either to the computer resource or data residing on it

disruption

denial of access

facilitating access by an unauthorized person

charging the services availed of by a person to the account of another person,

destruction or diminishing of value of information

stealing, concealing, destroying or altering source code with an intention

The Act provides for the civil remedy of “damages by way of compensation” for damages caused by any of these actions. In addition anyone who “dishonestly” and “fraudulently” does any of these specified acts is liable to be punished with imprisonment for a term of upto three years or with a fine which may extend to five lakh rupees, or with both[5].

Bangalore techie convicted for hacking govt site (2009, Deccan Herald)[6]

In November 2009, The Additional Chief Metropolitan Magistrate, Egmore, Chennai, sentenced N G Arun Kumar, a techie from Bangalore to undergo a rigorous imprisonment for one year with a fine of Rs 5,000 under section 420 IPC (cheating) and Section 66 of IT Act (hacking).

Investigations had revealed that Kumar was logging on to the BSNL broadband Internet connection as if he was the authorised genuine user and ‘made alteration in the computer database pertaining to broadband Internet user accounts’ of the subscribers.

The CBI had registered a cyber crime case against Kumar and carried out investigations on the basis of a complaint by the Press Information Bureau, Chennai, which detected the unauthorised use of broadband Internet.

The complaint also stated that the subscribers had incurred a loss of Rs 38,248 due to Kumar’s wrongful act. He used to ‘hack’ sites from Bangalore as also from Chennai and other cities, they said.

Children's privacy online

As computers and the Internet become ubiquitous children have increasingly become exposed to crimes such as pornography and stalking that make use of their private information. The newly inserted section 67B of the IT Act (2008) attempts to safeguard the privacy of children below 18 years by creating a new enhanced penalty for criminals who target children.

The section firstly penalizes anyone engaged in child pornography. Thus, any person who “publishes or transmits” any material which depicts children engaged in sexually explicit conduct, or anyone who creates, seeks, collects, stores, downloads, advertises or exchanges this material may be punished with imprisonment upto five years (seven years for repeat offenders) and with a fine of upto Rs. 10 lakh.

Secondly, this section punishes the online enticement of children into sexually explicitly acts, and the facilitation of child abuse, which are also punishable as above.

Viewed together, these provisions seek to carve out a limited domain of privacy for children from would-be sexual predators.

The section exempts from its ambit, material which is justified on the grounds of public good, including the interests of "science, literature, art, learning or other objects of general concern". Material which is kept or used for bona fide "heritage or religious purpose" is also exempt.

In addition, the newly released Draft Intermediary Due-Diligence Guidelines, 2011 [7]require ‘intermediaries’[8]to notify users not to store, update, transmit and store any information that is inter alia, “pedophilic” or “harms minors in any way”. An intermediary who obtains knowledge of such information is required to “act expeditiously to work with user or owner of such information to remove access to such information that is claimed to be infringing or to be the subject of infringing activity”. Further, the intermediary is required to inform the police about such information and preserve the records for 90 days.

Electronic Voyeurism

Although once regarded as only the stuff of spy cinema, the explosion in consumer electronics has lowered the costs and the size of cameras to such an extent that the threat of hidden cameras recording people’s intimate moments has become quite real. Responding to the growing trend of such electronic voyeurism, a new section 66E has been inserted into the IT Act which penalizes the capturing, publishing and transmission of images of the "private area" [9]of any person without their consent, "under circumstances violating the privacy" [10] of that person.

This offence is punishable with imprisonment of upto three years or with a fine of upto Rs. two lakh or both.

Phishing – or Identity Theft

The word 'phishing' is commonly used to describe the offence of electronically impersonating someone else for financial gain. This is frequently done either by using someone else’s login credentials to gain access to protected systems, or by the unauthorized application of someone else’s digital signature in the course of electronic contracts. Increasingly a new type of crime has emerged wherein sim cards of mobile phones have been ‘cloned’ enabling miscreants to make calls on others' accounts. This is also a form of identity theft.

Two sections of the amended IT Act penalize these crimes:

Section 66C makes it an offence to “fraudulently or dishonestly” make use of the electronic signature, password or other unique identification feature of any person. Similarly, section 66D makes it an offence to “cheat by personation” [11] by means of any ‘communication device’[12] or 'computer resource'.

Both offences are punishable with imprisonment of upto three years or with a fine of upto Rs. one lakh.

Mumbai Police Solves Phishing scam [13]

In 2005, a financial institute complained that they were receiving misleading emails ostensibly emanating from ICICI Bank’s email ID.

An investigation was carried out with the emails received by the customers of that financial institute and the accused were arrested. The place of offence, Vijaywada was searched for the evidence. One laptop and mobile phone used for committing the crime was seized.

The arrested accused had used open source code email application software for sending spam e-mails. He had downloaded the same software from the Internet and then used it as it is.

He used only VSNL to spam the e-mail to customers of the financial institute because VSNL email service provider does not have spam box to block the unsolicited emails.

After spamming e-mails to the institute customers he got the response from around 120 customers of which 80 are genuine and others are not correct because they do not have debit card details as required for e-banking."

The customers who received his e-mail felt that it originated from the bank. When they filled the confidential information and submitted it the said information was directed to the accused. This was possible because the dynamic link was given in the first page (home page) of the fake website. The dynamic link means when people click on the link provided in spam that time only the link will be activated. The dynamic link was coded by handling the Internet Explorer onclick () event and the information of the form will be submitted to the web server (where the fake website is hosted). Then server will send the data to the configured e-mail address and in this case the e-mail configured was to the e-mail of the accused. All the information after phishing (user name, password, transaction password, debit card number and PIN, mother’s maiden name) which he had received through the Wi-Fi Internet connectivity of Reliance.com was now available on his Acer laptop.

This crime was registered under section 66 of the IT Act, sections 419, 420, 465, 468 and 471 of the Indian Penal Code and sections 51, 63 and 65 of the Indian Copyright Act, 1957 which attract the punishment of three years imprisonment and fine upto Rs 2 lac which the accused never thought of.

Spam and Offensive Messages

Although the advent of e-mail has greatly enhanced our communications capacities, most e-mail networks today remain susceptible to attacks from spammers who bulk-email unsolicited promotional or even offensive messages to the nuisance of users. Among the more notorious of these scams is/was the so-called "section 409 scam" in which victims receive e-mails from alleged millionaires who induce them to disclose their credit information in return for a share in millions.

Section 66A of the IT Act attempts to address this situation by penalizing the sending of:

any message which is grossly offensive or has a menacing character
false information for the purpose of causing annoyance, inconvenience, danger, insult, criminal intimidation, enmity, hatred or ill-will
any electronic e-mail for the purpose of causing annoyance or inconvenience, or to deceive the addressee about the origin of such messages;

This offence is punishable with imprisonment upto three years and with a fine[14]

Hoax E-mails [15]

In 2009, a 15-year-old Bangalore teenager was arrested by the cyber crime investigation cell (CCIC) of the city crime branch for allegedly sending a hoax e-mail to a private news channel. In the e-mail, he claimed to have planted five bombs in Mumbai, challenging the police to find them before it was too late.

According to police officials, at around 1p.m. on May 25, the news channel received an e-mail that read: “I have planted five bombs in Mumbai; you have two hours to find it.” The police, who were alerted immediately, traced the Internet Protocol (IP) address to Vijay Nagar in Bangalore. The Internet service provider for the account was BSNL, said officials.

Minor Hoax Spells Major Trouble

Sixteen-year-old Rakesh Patel (name changed), a student from Ahmedabad, sent an e-mail to a private news channel on March 18, 2008, warning officials of a bomb on an Andheri-bound train. In the e-mail, he claimed to be a member of the Dawood Ibrahim gang. Three days later, the crime investigation cell (CCIC) of the city police arrested the boy under section 506 (ii) for criminal intimidation. He was charge-sheeted on November 28, 2008.
Status: Patel was given a warning by a juvenile court
A 14-year-old Colaba boy sent a hoax e-mail to a TV channel in Madhya Pradesh, three days after the July 26, 2008, Ahmedabad bomb blasts. He claimed that 29 bombs would go off in Jabalpur. He was picked up by officers of the anti-terrorism squad (ATS) who, with the help of the MP police, were able to trace the e-mail to a cyber café in Colaba.
Status: No FIR was registered. The Cuffe Parade police registered a non-cognizable (NC) complaint against him, and the boy was allowed to go home after the police gave him a “strict warning”.
Shariq Khan, 18, was arrested in Bhopal on July 26, 2006, for sending out three e-mails claiming to be a member of the terrorist organisation, which the police believed was behind the 7/11 train bombings. He was arrested by the Bhopal police. Later, the ATS brought the boy to Mumbai and also booked him for a five-year-old unsolved case where an unknown accused had sent e-mail warnings to the department of Atomic Energy (DAE) in 2001.
Status: The police filed a charge-sheet against Shariq who claimed that he had sent the e-mails for fun. Trial is pending in a juvenile court. Shariq is presently out on bail in Bhopal.
On February 26, 2006, a 17-yearold student from Jamnabai Narsee School called an Alitalia flight bound to Milan at 2 a.m. telling them there was a bomb on board. He wanted to stop his girlfriend from going abroad. She was one of the 12 students on their way to attend a mock United Nations session in Geneva.
Status: After being grilled by the police, he was arrested, but let out on bail.

Lawful Interception and monitoring of electronic communications under the IT Act

In addition to violations of privacy by criminal and the mischievous minded, electronic communications and storage are also a goldmine for governmental supervision and surveillance. This section provides a brief overview of the provisions in the IT Act which circumscribe the powers of the state to intercept electronic communications.

The newly amended IT Act completely rewrote its provisions in relation to lawful interception. The new section 69 dealing with “power to issue directions for interception or monitoring or decryption of any information through any computer resource” is much more elaborate than the one it replaced, In October 2009, the Central Government notified rules under section 69 which lay down procedures and safeguards for interception, monitoring and decryption of information (the “Interception Rules 2009”). This further thickens the legal regime in this context.

Unlawful Intercept

In August 2007, Lakshmana Kailash K., a techie from Bangalore was arrested on the suspicion of having posted insulting images of Chhatrapati Shivaji, a major historical figure in the state of Maharashtra, on the social-networking site Orkut. The police identified him based on IP address details obtained from Google and Airtel – Lakshmana’s ISP. He was brought to Pune and detained for 50 days before it was discovered that the IP address provided by Airtel was erroneous. The mistake was evidently due to the fact that while requesting information from Airtel, the police had not properly specified whether the suspect had posted the content at 1:15 p.m. or a.m.

Taking cognizance of his plight from newspaper accounts, the State Human Rights Commission subsequently ordered the company to pay Rs 2 lakh to Lakshmana as damages [16].

The incident highlights how minor privacy violations by ISPs and intermediaries could have impacts that gravely undermine other basic human rights [17].

In addition to section 69, the Government has been empowered under the newly inserted section 69B to "monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource".

"Traffic data" has been defined in the section to mean “any data identifying or purporting to identify any person, computer system or computer network or any location to or from which communication is or may be transmitted.” Rules have been issued by the Central Government under this section (the “Monitoring and Collecting Traffic Data Rules, 2009”) which are similar, although with important distinctions, to the rules issued under section 69.

Thus, there are two parallel interception and monitoring regimes in place under the Information Technology Act. In the paragraphs that follow, we provide an overview of the regime of surveillance under section 69 — since they are more targeted towards the individual, and consequently the threats to privacy are more severe — while highlighting important differences in the rules drafted under section 69.

Who may lawfully intercept?

Section 69 empowers the “Central Government or a state government or any of its officers specially authorised by the Central Government or the state government, as the case may be” to exercise powers of interception under this section.

Under the Interception Rules 2009, the secretary in the Ministry of Home Affairs has been designated as the "competent authority", with respect to the Central Government, to issue directions pertaining to interception, monitoring and decryption. Similarly, the respective state secretaries in charge of Home Departments of the various states and union territories are designated as "competent authorities" to issue directions with respect to the state government [18].

	Central Government	State/Union Territory
Ordinary Circumstances	Secretary in the Ministry of Home Affairs	Secretary in charge of Home Departments of State
Emergency	Head or second senior most officer of security and law enforcement	Authorized officer not below the rank of Inspectors General of Police

However, an exception is made in cases of emergency, either

in remote areas where obtaining prior directions from the competent authority is not feasible or

for ‘operational reasons’ where obtaining prior directions is not feasible.

In such cases it would be permissible to carry out interception after obtaining the orders of the Head or second senior most officer of security and law enforcement at the central level, and an authorized officer not below the rank of Inspector General of Police at the state or union territory level. The order must be communicated to the competent authority within three days of its issue, and approval must be obtained from the authority within seven working days, failing which the order would lapse.

Where a state/union territory wishes to intercept/monitor or decrypt information beyond its territory, the competent authority for that state must make a request to the competent authority of the Central Government to issue appropriate directions.

Under what circumstances a direction to intercept may be issued?

Purposes for which interception may be directed

Under section 69, the powers of interception may be exercised by the authorized officers “when they are satisfied that it is necessary or expedient” to do so in the interest of:

sovereignty or integrity of India,

defense of India,

security of the state,

friendly relations with foreign states or

public order or

preventing incitement to the commission of any cognizable offence relating to above or

for investigation of any offence.

Under section 69B, the competent authority may issue directions for monitoring for a range of “cyber security”[20] purposes including, inter alia, “identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security”.

Contents of direction

The reasons for ordering interception must be recorded in writing [21].

In the case of a direction under section 69, in arriving at its decision, the competent authority must consider alternate means of acquiring the information other than issuing a direction for interception [22]. The direction must relate to information sent or likely to be sent from one or more particular computer resources to another (or many) computer resources [23]. The direction must specify the name and designation of the officer to whom information obtained is to be disclosed, and also specify the uses for which the information is to be employed [24].

Duration of interception and periodic review

Once issued, an interception direction issued under section 69 remains in force for a period of 60 days (unless withdrawn earlier), and may be renewed for a total period not exceeding 180 days [25]. A direction issued under section 69B does not expire automatically through the lapse of time and theoretically would continue until withdrawn.

Within seven days of its issue, a copy of a direction issued under either section 69 or section 69B must be forwarded to the review committee constituted to oversee wiretapping under the Indian Telegraph Act [26]. Every two months, the review committee is required to meet and record its findings as to whether the direction was validly issued in light of section 69(3) [27]. If the review committee is of the opinion that it was not, it can set aside the direction and order destruction of all information collected [28].

What powers of interception do they have?

The competent authority may, in his written direction “direct any agency of the appropriate government to intercept monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource”[29].

Accordingly, the subscriber or intermediary or any person in charge of the computer resource is must, if required by the designated government agency, extend all facilities, equipment and technical assistance to:

provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or

intercept, monitor, or decrypt[30] the information, as the case may be; or

provide information stored in computer resource.

The intermediary must maintain records mentioning the intercepted information, the particulars of the person, e-mail account, computer resource, etc., that was intercepted, the particulars of the authority to whom the information was disclosed, number of copies of the information that were made, the date of their destruction, etc. [31]. This list of requisitions received must be forwarded to the government agency once every 15 days to ensure their authenticity [32].

In addition, a responsibility is cast on the intermediary to put in place adequate internal checks to ensure that unauthorized interception does not take place, and extreme secrecy of intercepted information is maintained [33].

How long can information collected during interception be retained?

Interception rules require all records, including electronic records pertaining to interception to be destroyed by the government agency “in every six months except in cases where such information is required or likely to be required for functional purposes”. In the case of the Monitoring and Collecting of Traffic Data Rules 2009, this period is nine months from the date of creation of record.

In addition, all records pertaining to directions for interception and monitoring are to be destroyed by the intermediary within a period of two months following discontinuance of interception or monitoring, unless they are required for any ongoing investigation or legal proceedings. In the case of Monitoring Rules, this period is six months from the date of discontinuance.

What penalties accrue to intermediaries and subscribers for resisting interception?

Section 69 stipulates a penalty of imprisonment upto a term of seven years and fine for any “subscriber or intermediary or any person who fails to assist the agency” empowered to intercept.

Data Protection under the IT Act

Data Retention Requirements of 'Intermediaries'

Section 67C of the amended IT Act mandates ‘intermediaries’[34] to maintain and preserve certain information under their control for durations which are to be specified by law.

Any intermediary who fails to retain such electronic records may be punished with imprisonment up to three years and a fine.

Liability for body-corporates under section 43A

The newly inserted section 43A makes a start at introducing a mandatory data protection regime in Indian law. The section obliges corporate bodies who ‘possess, deal or handle’ any ‘sensitive personal data’ to implement and maintain ‘reasonable’ security practices, failing which they would be liable to compensate those affected by any negligence attributable to this failure.

It is only the narrowly-defined ‘body corporates’ [35] engaged in ‘commercial or professional activities’ who are the targets of this section. Thus government agencies and non-profit organisations are entirely excluded from the ambit of this section [36].

“Sensitive personal data or information” is any information that the Central Government may designate as such, when it sees fit to.

The “reasonable security practices” which the section obliges body corporates to observe are restricted to such measures as may be specified either “in an agreement between the parties” or in any law in force or as prescribed by the Central Government.

By defining both “sensitive personal data” and “reasonable security practice” in terms that require executive elaboration, the section in effect pre-empts the courts from evolving an iterative, contextual definition of these terms.

Mphasis BPO Fraud: 2005 [37]

In December 2004, four call centre employees, working at an outsourcing facility operated by MphasiS in India, obtained PIN codes from four customers of MphasiS’ client, Citi Group. These employees were not authorized to obtain the PINs.

In association with others, the call centre employees opened new accounts at Indian banks using false identities. Within two months, they used the PINs and account information gleaned during their employment at MphasiS to transfer money from the bank accounts of CitiGroup customers to the new accounts at Indian banks.

By April 2005, the Indian police had tipped off to the scam by a U.S. bank, and quickly identified the individuals involved in the scam. Arrests were made when those individuals attempted to withdraw cash from the falsified accounts, $426,000 was stolen; the amount recovered was $230,000.

Draft Reasonable Security Practices Rules 2011 [38]

In February 2011, the Ministry of Information and Technology, published draft rules under section 43A in order to define “sensitive personal information” and to prescribe “reasonable security practices” that body corporates must observe in relation to the information they hold.

Sensitive Personal Information
Rule 3 of these Draft Rules designates the following types of information as ‘sensitive personal information’:

password;

user details as provided at the time of registration or thereafter;

information related to financial information such as Bank account / credit card / debit card / other payment instrument details of the users;

physiological and mental health condition;

medical records and history;(vi) Biometric information;

information received by body corporate for processing, stored or processed under lawful contract or otherwise;

call data records;

This however, does not apply to “any information that is freely available or accessible in public domain or accessible under the Right to Information Act, 2005”.

They and “any person” holding sensitive personal information are forbidden from “keeping that information for longer than is required for the purposes for which the information may lawfully be used”[40]

Mandatory Privacy Policies for body corporates

Rule 4 of the draft rules enjoins a body corporate or its representative who “collects, receives, possess, stores, deals or handles” data to provide a privacy policy “for handling of or dealing in user information including sensitive personal information”. This policy is to be made available for view by such “providers of information” [41]. The policy must provide details of:

Type of personal or sensitive information collected under sub-rule (ii) of rule 3;
Purpose, means and modes of usage of such information;
Disclosure of information as provided in rule 6 [42].

Prior Consent and Use Limitation during Data Collection

In addition to the restrictions on collecting sensitive personal information, body corporate must obtain prior consent from the “provider of information” regarding “purpose, means and modes of use of the information”. The body corporate is required to “take such steps as are, in the circumstances, reasonable”[43] to ensure that the individual from whom data is collected is aware of :

the fact that the information is being collected; and
the purpose for which the information is being collected; and
the intended recipients of the information; and
the name and address of :
the agency that is collecting the information; and
the agency that will hold the information.

During data collection, body corporates are required to give individuals the option to opt-in or opt-out from data collection [44]. They must also permit individuals to review and modify the information they provide "wherever necessary" [45]. Information collected is to be kept securely [46], used only for the stated purpose [47] and any grievances must be addressed by the body corporate “in a time bound manner” [48].

Unlike "sensitive personal information" there is no obligation to retain information only for as long as is it is required for the purpose collected.

Limitations on Disclosure of Information

The draft rules require a body corporate to obtain prior permission from the provider of such information obtained either “under lawful contract or otherwise” before information is disclosed [49]. The body corporate or any person on its behalf shall not publish the sensitive personal information [50]. Any third party receiving this information is prohibited from disclosing it further [51]. However, a proviso to this sub-rule mandates information to be provided to ‘government agencies’ for the purposes of “verification of identity, or for prevention, detection, investigation, prosecution, and punishment of offences”. In such cases, the government agency is required to send a written request to the body corporate possessing the sensitive information, stating clearly the purpose of seeking such information. The government agency is also required to “state that the information thus obtained will not be published or shared with any other person” [52].

Sub-rule (2) of rule 6 requires “any information” to be “disclosed to any third party by an order under the law for the time being in force.” This is to be done “without prejudice” to the obligations of the body corporate to obtain prior permission from the providers of information [53].

Reasonable Security Practices

Rule 7 of the draft rules stipulates that a body corporate shall be deemed to have complied with reasonable security practices if it has implemented security practices and standards which require:

a comprehensive documented information security program; and

information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected.

In case of an information security breach, such body corporate will be “required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security program and information security policies”.

The rule stipulates that by adopting the International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”, a body corporate will be deemed to have complied with reasonable security practices and procedures.

The rule also permits “industry associations or industry clusters” who are following standards other than IS/ISO/IEC 27001 but which nevertheless correspond to the requirements of sub-rule 7(1), to obtain approval for these codes from the government. Once this approval has been sought and obtained, the observance of these standards by a body corporate would deem them to have complied with the reasonable security practice requirements of section 43A.

Penalties and Remedies for breach of Data Protection

Civil Liability for Corporates

As mentioned above, any body corporates who fail to observe data protection norms may be liable to pay compensation if:

it is negligent in implementing and maintaining reasonable security practices, and thereby

causes wrongful loss or wrongful gain to any person;[54]

Claims for compensation are to be made to the adjudicating officer appointed under section 46 of the IT Act. Further, details of the powers and functions of this officer are given in succeeding sections of this note.

Criminal liability for disclosure of information obtained in the course of exercising powers under the IT Act

Section 72 of the Information Technology Act imposes a penalty on “any person” who, having secured access to any electronic record, correspondence, information, document or other material using powers conferred by the Act or rules, discloses such information without the consent of the person concerned. Such unauthorized disclosure is punishable “with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.”

Criminal Liability for unauthorized disclosure of information by any person of information obtained under contract

Section 72A of the IT Act imposes a penalty on any person [55] (including an intermediary) who

has obtained personal information while providing services under a lawful contract and

discloses the personal information without consent of the person,

with the intent to cause, or knowing it is likely to cause wrongful gain or wrongful loss [56]

Such unauthorised disclosure to a third person is punishable with imprisonment upto three years or with fine upto Rs five lakh, or both.

Whom to call? Adjudicatory Mechanism and Remedies under the IT Act

This section provides a brief outline of the mechanism installed by the IT Act to activate the various remedies and penalties prescribed in various sections of the Act. As a victim of online intrusion, how does one use the IT Act to seek redressal?

As mentioned above, the IT Act provides for both the civil remedy of damages in compensation (Chapter IX) as well as criminal penalties for offences such as imprisonment and fine (Chapter XI). In general, claiming a civil remedy does not bar one from seeking criminal prosecution and ideally both should be pursued together. For clarity, in the sections that follow, we will be discussing the two procedures separately.

Civil Damages and Compensation

Whom to approach?

Section 46 of the IT Act empowers the Central Government to appoint “adjudication officers” to adjudicate whether any person has committed any of the contraventions described in Chapter IX of the Act (See section 2.1 and 4.2 above) and to determine the quantum of compensation payable. Accordingly, the Central Government has designated the secretaries of the Department of Information Technology of each of the states or union territories as the “adjudicating officer” with respect to each of their territories [57].

However, a pecuniary limit has been placed on the powers of adjudicating officers, and they may only adjudicate cases where the quantum of compensation claimed does not exceed Rs. five crores. In cases where the compensation claimed exceeds this amount, jurisdiction would vest in the “competent court”, under the Code of Civil Procedure [58].

Section 61 of the Act bars ordinary civil courts from jurisdiction over matters which the adjudicating officers have been empowered to decide under this Act.

When must a complaint be filed?

The Limitation Act provides that a suit must be filed within three years from when the right to sue accrues [59].

What is the procedure?

Section 46 and the rules framed under that section provide elaborate guidelines on the procedure that is to be followed by the adjudicating officer. Thus, the adjudicating officer is required to give the accused person “a reasonable opportunity for making representation in the matter”. Thereafter, if , on an inquiry, “he is satisfied that the person has committed the contravention, he may impose such penalty or award such compensation as he thinks fit in accordance with the provisions of that section.”

In order to carry out their duties adjudicating officer have been invested with the powers of a civil court which are conferred on the cyber appellate tribunal [60]. Additionally, they have the power to punish for their contempt undert the Code of Criminal Procedure.

Rules framed under the section provide further details on the procedure that must be followed and provide for the issuance of a “show cause notice”, manner of holding enquiry, compounding of offences, etc. [61].

Section 47 provides that in adjudging the quantum of compensation, the adjudicating officer shall have due regard to the following factors, namely:—

the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default;

the amount of loss caused to any person as a result of the default;

the repetitive nature of the default.

Where must a complaint be filed and in what format?

The complaint must be made to the adjudicating officer of the state or union territory on the basis of location of computer system, computer network. The complaint must be made on a plain paper in the format provided in the Performa attached to the rules [62].

In case the offender or computer resource is located abroad, it would be deemed, for the purpose of prosecution to be located in India [63].

How long does the process take?

The Rules direct that the whole matter should be heard and decided “as far as possible” within a period of six months [64].

How much does it cost?

The Rules stipulates a variable fee payable by a bank draft calculated on the basis of damages claimed by way of compensation

a) Upto Rs. 10,000	10% ad valorem rounded off to nearest next hundred
b) From 10001 to Rs.50000	Rs. 1000 plus 5% of the amount exceeding Rs.10,000 rounded off to nearest next hundred
c) From Rs.50001 to Rs.100000	Rs. 3000/- plus 4% of the amount exceeding Rs. 50,000 rounded off to nearest next hundred
d) More than Rs. 100000	Rs.5000/- plus 2% of the amount exceeding Rs. 100,000 rounded off to nearest next hundred

Appeals to the Cyber Appellate Tribunal and the High Court

The Act provides for the constitution of a cyber appellate tribunal to hear appeals from cases decided by the adjudicating officer.

Within 25 days of the copy of the decision being made available by the adjudicating officer, the aggrieved party may file an appeal before the cyber appellate tribunal.

Section 57 provides that the appeal filed before the cyber appellate tribunal shall be dealt with by it as expeditiously as possible and endeavor shall be made by it to dispose of the appeal finally within six months from the date of receipt of the appeal. Section 62 gives the right of appeal to a high court to any person aggrieved by any decision or order of the cyber appellate tribunal on any question of fact or law arising out of such order. Such an appeal must be filed within 60 days from the date of communication of the decision or order of the cyber appellate tribunal.

Can contraventions be compounded (compromised) with the offender?

Except in the case of repeat offenders, contraventions may be compromised by the adjudicating officer or between the parties either before or after institution of the suit. Where any contravention has been compounded the IT Act provides that “no proceeding or further proceeding, as the case may be, shall be taken against the person guilty of such contravention in respect of the contravention so compounded”[65].

Criminal Penalties

The process described above applies to “contraventions” under Chapter IX of the Act. In addition to being liable to pay compensation, in the cases falling under section 43, such offenders may also be liable for criminal penalties such as imprisonment and fines [66]. This sub-section of this paper deals with the procedure to be followed with respect to the criminal offences set out under Chapter XI of the Act (for example, see sections 2.2 to 2.5 above).

Whom to approach? Who can take cognizance of offences and investigate them?

Section 78 of the IT Act empowers police officers of the rank of Inspectors and above to investigate offences under the IT Act.

Many states have set up dedicated cyber crime police stations to investigate offences under this Act [67]. Thus, for example, the State of Karnataka has set up a special cyber crime police station responsible for investigating all offences under the IT Act with respect to the entire territory of Karnataka [68].

When must a complaint be lodged?

Although there is no time limit prescribed by the IT Act or the Code of Criminal Procedure with respect to when an FIR must be filed, in general, courts tend to take an adverse view when a significant delay has occurred between the time of occurrence of an offence and it’s reporting to the nearest police station.

The Code of Criminal Procedure forbids courts from taking cognizance of cases after three years “if the offence is punishable with imprisonment for a term exceeding one year but not exceeding three years”. Where either the commission of the offence was not known to the person aggrieved, or where it is not known by whom the offence committed, this period is computed from the date on which respectively the offence or the identity of the offender comes to the knowledge of the person aggrieved [69].

What is the procedure?

No special procedure is prescribed for the trial of cyber offences and hence the general provisions of criminal procedure would apply with respect to investigation, charge sheet, trial, decision, sentencing and appeal.

Can offences be compounded?

Offences punishable with imprisonment of upto three years are compoundable by a competent court. However, repeat offenders cannot have their subsequent offences compounded. Additionally, offences which “affect the socio-economic conditions of the country” or those committed against a child under 18 years of age or against women cannot be compounded [70].

Bibliography

[1].The IT Act is only one of the various laws which safeguard citizens from violations of online privacy. In addition, in the domain of finance, for instance, various RBI regulations mandate strong security protocols with respect to data held by financial institutions. Since this is the subject of a different dispatch on banking and privacy which we have brought out, these regulations are omitted from this discussion.

[2].Section 2(k) of the IT Act defines ‘computer’ as any electronic magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network.

[3].Section 43 defines "computer contaminant" as any set of computer instructions that are designed— (a) to modify, destroy, record, transmit data or program residing within a computer, computer system or computer network; or (b) by any means to usurp the normal operation of the computer, computer system, or computer network;

[6].Section 66 of the IT Act. Anon, 2009. Bangalore techie convicted for hacking govt site. Deccan Herald. Available at: http://goo.gl/jCvAh. [Accessed March 29, 2011];

[7].The Information Technology (Due Diligence observed by Intermediaries Guidelines) Rules, 2011;

[8].‘Intermediary’ has been defined very expansively under section 2(w) of the Act to mean, with respect to any electronic record, “any person who on behalf of another person receives, stores or transmits that record, or provides any service with respect to that record and includes telecom service providers, network service providers, Internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes

[9].‘Private area’ has been defined in section 66E as “the naked or undergarment clad genitals, pubic area, buttocks or female breast”.

[10].Defined as “circumstances in which a person can have a reasonable expectation that (i) he or she could disrobe in privacy, without being concerned that an image of his or her private area was being captured or (ii) any part of his or her private area would not be visible to the public regardless of whether that person is in a public or private place”. See explanation to Section 66E

[11]."Cheating by personation" is a crime defined under section 416 the Indian Penal Code. According to that section, “a person is said to "cheat by personation" if he cheats by pretending to be some other person, or by knowingly substituting one person for another, or representing that he or any other person is a person other than he or such other person really is." The explanation to the section adds that "the offence is committed whether the individual personated is a real or imaginary person". Two illustrations to the section further elaborate its meaning: (a) A cheats by pretending to be a certain rich banker of the same name. A cheats by personation (b) A cheats by pretending to be B, a person who is deceased. A cheats by personation.

[12].Communication device" has been defined to mean "cell phones, personal digital assistance (sic) or combination of both or any other device used to communicate send or transmit any text, video, audio or image".

[13].2005. Cyber Crime Cell, Mumbai: Case of Phishing. Mumbai Police. Available at: http://www.cybercellmumbai.com/case-studies/case-of-fishing [Accessed March 23, 2011].

[14]. Although no maximum limit is prescribed for the fine under this section, Section 63 of the Indian Penal Code declares that “Where no sum is expressed to which a fine may extend, the amount of fine to which the offender is liable is unlimited, but shall not be excessive”.

[15].Hafeez, M., 2009. Crime Line: Curiosity was his main motive, say city police. Crime Line. Available at: http://mateenhafeez.blogspot.com/2009/05/curiosity-was-his-main-motive-say-city.html [Accessed March 23, 2011].

[16]. Holla, A., 2009. Wronged, techie gets justice 2 yrs after being jailed. Mumbai Mirror. Available at: http://www.mumbaimirror.com/index.aspx?page=article&sectid=2&contentid=200906252009062503144578681037483 [Accessed March 23, 2011].

[18]. By contrast, rules framed under Section 69B designates only the Secretary to the Government of India in the Department of Information Technology under the Ministry of Communications and IT as the “competent authority” to issue orders of interception.

[19].It is unclear what these “operational reasons” could mean. The text of the rules provide no useful guidance.

[20].“Cyber security breach” is defined as meaning “any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly acceptable security policy resulting in unauthorized access, denial of service, disruption, unauthorized use of a computer resource for processing or storage of information or changes to date, information without authorization”. Rule 2(f) of the Monitoring and Collecting of Traffic Data Rules 2009.

[21].Rule 7 of the Interception Rules 2009; Rule 3(3) of the Monitoring and Collecting of Traffic Data Rules 2009

[22].Rule 8 of the Interception Rules 2009

[23]. Rule 9 of the Interception Rules 2009

[24].Rule 10 of the Interception Rules 2009;

[25].Rule 11 of the Interception Rules 2009

[26].Rule 7 of the Interception Rules 2009

[27].Rule 22 of the Interception Rules 2009

[28]. Ibid

[29].Section 69 of the IT Act.

[30].The intermediary is required to assist in the decryption only to the extent that the intermediary has control over the decryption key. See Sub-Rule 13(3) of the Interception Rules 2009. Rule 17 enjoins the holder of a decryption key to provide decryption assistance when directed to by the competent authority.

[31].Rule 16 of the Interception Rules 2009

[32].Rule 18 of the Interception Rules 2009

[33]. Rule 20 of the Interception Rules 2009; Rules 10 & 11 of the Monitoring and Collecting of Traffic Data Rules 2009. Failure to maintain secrecy of data may attract punishment under Section 72 of the Information Technology Act.

[34].Supra n. 6 for definition

[35].Section 43A defines "'body corporate" as any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;

[36].This does not necessarily mean that these entitles are exempt from taking reasonable care to safeguard information that they collect, maintain or control – only that remedies against the government must be sought under general common law, rather than under the IT Act.

[37].Anon, 2005. The MphasiS Scandal – And How it Concerns U.S. Companies Considering Offshore BPO. Carretek. Available at: http://www.carretek.com/main/news/articles/MphasiS_scandal.htm [Accessed March 29, 2011]. See also Anon, 2005. MphasiS case: BPOs feel need to tighten security. Indian Express. Available at: http://www.expressindia.com/news/fullstory.php?newsid=44856 [Accessed March 29, 2011].

[38]. The Information Technology (Reasonable security practices and procedures and sensitive personal information) Rules, 2011. Available at http://www.mit.gov.in/sites/upload_files/dit/files/senstivepersonainfo07_02_11.pdf, last accessed February 15th, 2011.

[39].Rule 5 of the Draft Rules.

[40]. This is perhaps a bit vague, since the potential ‘lawful uses’ are numerous and could be inexhaustible. It is unclear whether “lawful usage” is coterminous with “the uses which are disclosed to the individual at the time of collection”. In addition, this rule is framed rather weakly since it does not impose a positive obligation (although this is implied) to destroy information that is no longer required or in use.

[41].“Provider of data” is not the same as individuals to whom the data pertains, and could possibly include intermediaries who have custody over the data. We feel this privacy policy should be made available for view generally – and not only to providers of information. In addition, it might be advisable to mandate registration of privacy policies with designated data controllers.

[42]. This is well framed since it does not permit body corporates to frame privacy policies that detract from Rule 6.

[43].One wonders about the convoluted language used here when a simpler phrase like “take reasonable steps” alone might have sufficed - reasonableness has generally been interpreted by courts contextually. As the Supreme Court has remarked, “`Reasonable’ means prima facie in law reasonable in regard to those circumstances of which the actor, called upon to act reasonably, knows or ought to know. See Gujarat Water Supply and Sewage Board v. Unique Erectors (Guj) AIR 1989 SC 973.

[44].Sub-Rule 5(7).

[45].Sub-Rule 5(6). It is unclear what would count as a ‘necessary’ circumstance and who would be the authority to determine such necessity.

[46].Sub-Rule 5(8).

[47].Sub-Rule 5(5).

[48].Sub-Rule 5(9).

[49]. Sub-Rule 6(1) There are two problems with this rule. First, it requires prior permission only from the provider of information, and not the individual to whom the data pertains. In effect this whittles down the agency of the individual in being able to control the manner in which information pertaining to her is used. Second, it is not clear whether this information includes “sensitive personal information”. The proviso to this rule includes the phrase “sensitive information”, which would suggest that such information would be included. This makes it even more important that the rule require that prior permission be obtained from the individual to whom the data pertains and not merely from the provider of information.

[50].Sub-Rule 6(3).

[51].Sub-Rule 6(4).

[52].This is a curious insertion since it begs the question as to the utility of such a statement issued by the requesting agency. What are the sanctions under the IT Act that may be attached to a government agencies that betrays this statement? Why not instead, insert a peremptory prohibition on government agencies from disclosing such information (with the exception, perhaps, of securing conviction of offenders)?

[53].This sub-rule does not distinguish between orders issued by a court and those issued by an administrative/quasi-judicial body.

[54]. “Wrongful loss” and “wrongful gain” have been defined by Section 23 of the Indian Penal Code. Accordingly, "Wrongful gain" is gain by unlawful means of property which the person gaining is not legally entitled. "Wrongful loss"- "Wrongful loss" is the loss by unlawful means of property to which the person losing it is legally entitled.” The section also includes this interesting explanation “Gaining wrongfully, losing wrongfully- A person is said to gain wrongfully when such person retains wrongfully, as well as when such person acquires wrongfully. A person is said to lose wrongfully when such person is wrongfully kept out of any property as well as when such person is wrongfully deprived of property”. Following this, it could be possible to argue that the retention of data beyond the period of its use would amount to a “wrongful gain”.

[55]. Section 3(39) of the General Clauses Act defines a person to include “any company or association or body of individuals whether incorporated or not”. An interesting question here would be whether the State can be considered “a person” so that it can be held liable for unauthorized disclosure of personal information. In an early case of Shiv Prasad v. Punjab State AIR 1957 Punj 150, the Punjab High Court had excluded this possibility. However, the case law on this point has not been consistent. In Ramanlal Maheshwari v.Municipal Committee, the MP High Court held that the Municipal Council could be treated as a ‘person’ for the purpose of levying a fine attached to a criminal offence. Statutory corporate bodies (such as the proposed UID Authority of India) have been held to be ‘persons’ for purposes of law . See Commissioners, Port of Calcutta v. General Trading Corporation, AIR 1964 Cal 290. Here under the Calcutta Port Act, Port Commissioners were declared to be a “body corporate”, and hence were held to be a ‘person’.

[56].See supra n. 44.

[57]. See G.S.R.240(E) New Delhi, the 25th March, 2003 available at < http://www.mit.gov.in/content/it-act-notification-no-240> .

[58].See Section 46(1A).

[59].Schedule I, Part X of the Limitation Act “Suits for which there is no prescribed period.”

[60].The powers of the Cyber Appellate Tribunal under Section 58 include the powers of (a) summoning and enforcing the attendance of any person and examining him on oath; (b) requiring the discovery and production of documents or other electronic records; (c) receiving evidence on affidavits; (d) issuing commissions for the examination of witnesses or documents; (e) reviewing its decisions; (f) dismissing an application for default or deciding it ex parte.

[61].Information Technology (Qualification and Experience of Adjudicating Officers and Manner of holding Enquiry) Rules, 2003 [GSR 220(E)] Available at <http://cca.gov.in/rw/resource/notification-gsr220e.pdf?download=true>.

[62]. Ibid Rule 4(b).

[63]. Section 75.

[64]. Ibid, Rule 4(k).

[65]. Section 63 of the Act.

[66].Prior to amendment in 2008, contraventions listed in Section 43 were only liable to be compensated by damages through civil proceedings. Thus in 2007, the Madras High Court annulled an FIR lodged in a police station which listed an activity mentioned in 43(g). See S. Sekar vs The Principal General Manager < http://indiankanoon.org/doc/182565/> This position has however been changed with the new Section 66 which makes all actions listed in Section 43 an offence when committed with dishonest or fraudulent intent. Thus an FIR can be lodged with respect to these activities as well.

[67].An incomplete list of cyber crime cells of police in different states can be viewed at <http://infosecawareness.in/cyber-crime-cells-in-india>.

[68]. Home and Transport3 Secretariat, Notification no. HD 173 POP 99 Bangalore, Dated 13th September 2001 Available at < http://cyberpolicebangalore.nic.in/pdf/notification_1.pdf>.

[69]. Sections 468 and 469 of the Code of Criminal Procedure, 1973.

[70]. Section 77A of the Information Technology Act.

Click below to download files of your choice:

PDF [347 kb]
Open Office [51 kb]
Word File [55 kb]

For more details visit https://cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy

Is Data Protection Enough?

elonnai — 2012-03-22T05:28:51Z

The following note looks briefly at different sides of the privacy debate, and asks the question whether a Data Protection law is enough privacy protection for India.

In a recent article, Rahul Matthan explained how many threats to personal privacy come from a lack of data protection laws – particularly in the context of the UID – and he thus urges India to pass a law that is focused on data protection. He said, “We don’t question this lack of personal space. It is part of the compromise we make when we choose to live in India.” Though his argument has a surface appeal, there are also many cases emerging in the news today that suggest that India is concerned with a much broader scope of privacy than just data protection. In the DNA, a news article covered a recent court decision that concluded that watching pornography at home is not an obscenity and does not qualify as a public exhibition, even when there are visitors to the home. In that case, police arrested persons who hosted a party under section 292 (obscenity) of the Indian Penal Code for watching pornography and housing strippers. The judge ruled that the activities that were taking place were done in private and thus did not amount to an offense under section 292. This is an important decision about the protections of spatial privacy being afforded to individuals. The bungalow was considered a private space, and the computer a private possession. In other words, India does have a greater understanding of privacy and the need for its protection, and it extends beyond data protection. In another news item, the Hindu reported that 5,000 to 6,000 phones are tapped on average daily. The article speculated that this number could increase in response to the 2G scam and other scams that are coming out. The type of privacy violation that wiretapping poses is likewise not a question of data protection, but of how a nation guards against an unwanted invasion of personal space and when security takes precedence over privacy. Are Indian citizens willing to subject themselves to phone taps to try to eliminate – or at least minimize – the number of scams that are occurring? In yet another news item, it was reported that in the North, councils are attempting to ban the sale of cell phones to unmarried women to help prevent unsolicited affairs with members from different castes. This again raises questions not of data protection or informational privacy, but of personal privacy. How will phone companies know that a woman is married? Will parents suddenly begin regulating their daughters’ phones? Does an existing legislation afford protection to women in this situation? Though data protection is a component of privacy, it is only one component. There are many definitions of privacy, and privacy in itself is somewhat of a difficult word to define, but India should recognize that there are privacy protections and privacy debates that extend beyond data protection. It is too easy to characterize India as large and communal and overlook these important questions.

Returning to Rahul Matthan’s article, Matthan says, “The vast majority of our country that remains under-served by the government will gladly exchange personal privacy for better public service.” I was particularly intrigued by this statement, because it suggests that privacy is an expendable right, and that government service cannot improve without privacy compromises. The logical extension of this concept is that privacy is not a fundamental right but only a consumer issue, and that policymakers can always trade off privacy in exchange for better public benefits, for better security, and for cheaper products. A legal system needs to address the case at hand, but it needs to be mindful of the larger consequences as well. There is no doubt that the UID project demands a data protection law, but India is facing questions of privacy that extend beyond data protection, and the steps that are being taken to answer those questions need to be applauded and brought into the current debate. If we legislate away rights, we must do so by weighing the cost and finding it acceptable.

Sources

http://www.thehindu.com/news/national/article905944.ece

http://is.gd/hJWD8 http://is.gd/hJWSX

http://news.yahoo.com/s/afp//lifestyleindiatelecommarriage

Matthan, Rahul. The Mint:Technology. Nov. 24 2010

For more details visit https://cis-india.org/internet-governance/blog/privacy/is-data-protection-enough

Surveillance Technologies

elonnai — 2012-03-22T05:40:24Z

The following post briefly looks at different surveillance technologies, and the growing use of the them in India.

Surveillance...

New security technologies are constantly emerging that push the edge between privacy and a reasonable level of security. Society's tolerance level is constantly being tested by governments who use surveillance and monitoring technologies to protect the nation. Governments claim that they need absolute access to citizens life. They need to monitor phones, look through emails, peer into files – in-order to maintain security and protect against terrorism. Though as a side note, in an Economic Times article published on Nov. 4 2010 it was reported that government computers were being hacked into through viruses, and top secret documents were being stolen. The irony of the story is that the viruses were introduced to the computers through porn websites visited by officials.

...In a Car? On the Street? In an Airport?

Despite the fact that governmental monitoring might make the common man uncomfortable, the reality is that governments will always win the national security vs privacy fight. The story becomes more complicated when it moves from the government directly monitoring individuals, to security agencies monitoring individuals. For instance the use of full body scanners at airports, or trucks equipped with scatter x-ray machines used to control crime in neighborhoods - is a much more heated debate. There are other ways in which to check passengers for banned items, and other ways to keep crime off the streets without mandating that individuals submit themselves to invasive scans, or scanning unaware individuals.

...In the Movie Theater????..for Marketing Purposes????

Surveillance technology has now been taken even another step further. No longer is it being just used to prevent violent crimes or terrorist attacks. Today the movie industry is using controversial anti-piracy tools to protect the films they produce. For instance the security company Aralia Systems manufacturers products such as: CCTV cameras and anti-camcorder systems that shine infrared light beams on audiences as they watch a movie. The light beams reflect off camcorders and alerts the theater that there are camcorders present. Though this practice can be seen as invasive - individuals might be opposed to being probed by light beams throughout movies, the extent of potential privacy invasion does not stop there. Aralia Systems has partnered with Machine Vision Lab and has created a system that harvests audiences emotions and movements as they watch movies. The data can then be used by market researchers to better tailor their behavioral advertising schemes. Essentially movie theater monitoring has merged surveillance technologies with behavioral marketing technologies in a twisted invasion of movie watchers personal privacy.

Is this technology in India?

Though behavioral monitoring and piracy technologies such as ones produced by Aralia Systems are not yet used in Indian movie theaters – security measures against piracy are used. Movie theaters across India are equipped with metal detectors at the door, and security personel check your handbag or back pack for camcorders. According to a Indian Express article, the organization Allegiance Against Copyright Theft believes one of the reasons monitoring technology is not yet used in theaters is because there is no present Indian legislation that penalizes recording in halls. Once legislation is passed, they speculate there will be a push to use these technologies. Even though monitoring technology is not yet used in theaters, monitoring of consumers behavior is increasing. Recently in India the WPP owned research agency IMRB International has developed an online audience measurement system that uses tailored metering technology to track the sites that users visit. The Web Audience Measurement System has launched this technology in a sample size of 21,000 Indian households, covering 90,000 individuals. IMRB has said that the meters are capable of capturing usage data from multiple computers, and that they can then use the information to market to the individual. Does it seem ironic to anyone that companies now charge for a service – movie tickets, internet services, telephone services – and make an extra profit by data mining at the expense of a persons privacy?

Sources

http://economictimes.indiatimes.com/news/politics/nation/Govt-depts-asked-not-to-store-sensitive-info-on-Net-connected-computers/articleshow/6874631.cms
http://www.research-live.com/news/technology/imrb-unveils-web-measurement-service-for-indian-market/4003941.article
http://blogs.computerworld.com/17276/anti_piracy_tool_will_harvest_market_your_emotions?source=rss_blogs
http://www.indianexpress.com/news/antipiracy-unit-joins-hands-with-cinema-halls-to-curb-camcording/695439/2

For more details visit https://cis-india.org/internet-governance/blog/privacy/surveillance-technologies

'Privacy Matters', Ahmedabad: Conference Report

praskrishna — 2011-04-04T04:45:49Z

On 26 March 2011, civil society, lawyers, judges, students and NGO’s, gathered together at the Ahmedabad Management Association to take part in 'Privacy Matters' – a public conference organised by Privacy India in partnership with IDRC and Research Foundation for Governance in India (RFGI) — to discuss the challenges of privacy in India, with an emphasis on national security and privacy. The conference was opened by Prashant Iyengar, head researcher at Privacy India and Kanan Drhu, director of RFGI. Mr. Iyengar explained Privacy India’s mandate to raise awareness of privacy, spark civil action, and promote democratic dialogue around privacy challenges and violations in India. RFGI is a think tank established in 2009 which aims to research, promote, and implement various reforms to improve the legal and political process in Gujarat and across India. ‘Privacy Matters – Ahmedabad’ is the third conference out of the eight that Privacy India will be hosting across India. The next conference will take place in Hyderabad on 9 April 2011. It will focus on human rights and privacy.

The keynote speech, delivered by Usha Ramanathan, focused on links not often made between privacy and social phenomenon.

Ms. Usha Ramanathan opened the conference by examining the links not often made between privacy and personal security, between databases and national security, and the centrality of dislodging privacy in projects of social control. In her presentation she spoke about the inverse relationship between national and personal security, making the point that an important part of privacy is the ability of an individual to secure their own person. Today, because national security follows a policy of ubiquitous surveillance, it is almost impossible for an individual to secure their person from the state. Ms. Ramanathan also traced the beginnings of ubiquitous surveillance to the increasing global fear of terrorism, and the national break down of the criminal justice system in India. Instead of looking to the roots of terrorism and the roots of failure in the criminal justice system, the Indian State has responded to both these factors by superimposing a system of surveillance on top of the existing rule. Consequently, the state has become pan-optical — closely following the movement of its entire population. The state has been able to achieve this level of surveillance through technology, which it has used to create identifiers for its population. The use of technology by the state mediates a link between corporate interest and state interest. Thus, by facilitating the easy and ubiquitous creation of identifiers and surveillance, technology is changing the idea and the nature of privacy. For example, it is now important that a privacy law allows for individuals to protect and secure their identity, something that every individual has and every individual controls, while regulating the creation and external use of identifiers — something that is used by another (not you) to distinguish a person from the rest of the population.

Questions to Consider

How can privacy legislation work to positively regulate the use of technology by the government, so that invasion of privacy does not consequently become state policy?

How can privacy legislation distinguish between and work to protect an identity while regulating the creation and use of personal information as identifiers?

Session I of the Conference featured a Judicial Perspective of Privacy and a Presentation on the Connections between Privacy and the Federal Income Tax Regime in India.

Privacy and the Constitution

J N Bhatt, the former Chief Justice of Gujarat and Bihar, and currently the head of the Gujarat State Law Commission, spoke about privacy as a fundamental right that has been written into articles 19 and 21 of the Constitution of India. Important points from his presentation include:

As privacy is already a recognized fundamental right, the question at hand is not if there is a right to privacy, but instead how can the right to privacy be best proliferated.

Within the question of how a privacy can best be proliferated, is a question about rights and duties. Wherever there is a right to privacy there is also a corresponding duty to privacy — as rights and duties are interdependent.

Though privacy has been recognized as a fundamental right in India, when looking at the actual assertion of the right, it is important to be aware of the cultural realities of India. India is a country with 39 per cent of her population living below the poverty line, with an even lower literacy rate, and there is a direct connection between the assertion of civil liberties, an individual’s civic sense, and education.

When looking at how to best proliferate the right to privacy, governance and common law, a methodology to reach the poorest of the poor should be laid out first.

Questions to Consider

What is the best way to proliferate the right to privacy ?

What legal structures need to be in place to ensure that the poor can assert their right to privacy?
What social structures need to be in place to ensure that the poor can assert their right to privacy?

Privacy and the Indian Tax Regime

Professor Amal Dhru, visiting professor from the Indian Institute of Management, Ahmedabad and a practicing Chartered Accountant spoke on the connections between privacy and the federal income tax regime in India. In his presentation he explained how the information collected by the federal income tax regime in India can be both useful in holding a citizen accountable, and invasive of one’s personal privacy if mis-used. Important points from his presentation include:

The Indian tax regime highlights the tension between public interest as tax evasion is considered an exception to the right to privacy as it is a matter of public interest.

There is a lack of confidence in the existing banking and tax system in India. For example in the business sector, Indian investors have deposited over 700 billion dollars abroad as they are given complete privacy and security over their money.

Though there is a lack of confidence in the current banking and tax system, a tighter law is not necessarily the solution. For example, studies have found that tighter tax regimes lead to greater evasion, while looser tax regimes have higher compliance rates.

On April 1, 2011 the new tax codes for India will be implemented. The reform will give enormous power to tax offices, and as the tax authorities will become equipped to do taxes smarter – this will come at a cost to citizen’s privacy.

Questions to Consider

Just as a tighter tax law leads to a higher percentage of tax evasion, will a tight privacy law simply lead to greater numbers of privacy violations?

What creates public confidence in a law?

Should a privacy legislation be responsible for defining the public good?

Should privacy protection of tax-related information be incorporated into a privacy legislation or contained only in tax law?

To what extent should tax authorities be allowed to investigate potential tax evasion i.e., one’s computer, house or e-mail?

How does one balance the private vs. the public good?

Session II of the Conference focused on National Security and Privacy, and Cultural Conceptions of Privacy

National Security and Privacy

In the second session on Privacy and National Security, Colonel Mathew Thomas spoke on privacy and national security. Colonel Thomas is a management consultant and activity leader for development centers and has held top positions in the Indian Army, and the Defence Research and Development Organisation, where he headed the missile manufacturing facility. Sharing his personal experiences in the army he explained the connection between privacy and national security. Important points from his presentation include:

National Security is often not an internal threat, but instead an external threat.

There is a connection between the increase in surveillance and liberalization of Government.

More surveillance does not bring more security.

Foreign software poses as a threat to national security.

Greater security is gained through intelligent use and analysis of data.

A strong national security plan should not rely solely on surveillance of its citizens. Instead national security should be brought about through strong economic policies, non-reliance on foreign software, neutrality in foreign policy, fair trade policies, rural development and prevention of migration to cities, and having a politically honest and accountable governance.

Questions to Consider

Is it effective for privacy to be compromised in the name of anti- terror laws?
Can the development and distribution of indigenous software protect national privacy?
How can strong economic policies indirectly protect an individual's privacy?
How can a strong foreign policy protect an Indian citizen's privacy when it is stored or sent abroad?

Privacy as a Cultural Construct

Gagan Sethi from the Centre for Social Justice, Ahmedabad shared his opinion on privacy. Important points from his presentation include:

Privacy is a cultural construct that changes with context, perspective, and time.
When considering a privacy policy it is important to create a policy that does not strictly define what privacy is and what it is not, but instead create a policy that defines and promotes a common respect for human dignity.

Questions to Consider

If a privacy policy is developed to promote a common respect for human dignity – will it be effective?

Can you develop a policy that has a loose definition and mandate, but has strong legal teeth?

Session III of the Conference focused on Minority Identities and Privacy, Prisoner Rights, and Cyber Security.

Privacy and Minority Identities

Bobby Kuhnu, a lawyer and activist, presented in the third session on Privacy, Minority Identities, and Security. In his talk Mr. Kuhnu through the use of three examples examined the ideological underpinnings of the discourse on privacy and its bearings on socially marginalized identities in the context of the Indian State and the constitutional right to privacy. Important points from his presentation include:

In India, names can be sensitive and personal information like one’s religion, family, caste, and background can all be known through a name.
Because of the sensitivity of a person’s name, many people do not feel safe or comfortable in their own identity.
Reservation lists and public postings of information, can and have been used to discriminate and violate another’s privacy.

Questions to Consider

Should a privacy legislation requirement throughout institutions and government bodies that names should not be publicly displayed to the point of identification?
What is the most effective way of legally protecting an individual from discrimination based on their name?

Perspectives of Privacy

In the last portion of the day, Yash Sampat and Aditya Yagnik spoke on the origins of privacy and privacy in the cyber world. Vimmi Surti spoke on prisoner's rights and privacy and Ramswaroop Chaudhary presented on minority identities in South Asia and privacy. Important points from their presentation include:

Internet has led to an increase in privacy violations.
The result of privacy infringements is often the deprivation of individuals from safe access to services availed to them.
When looking at privacy as the protection of human dignity, prisoner’s rights are violated through overcrowding in prisons, poor health, and poor sanitation.

Questions to Consider

Are there legal mechanisms that can be put in place to ensure the least amount of deprivation to services when an individual’s privacy is invaded?

To what extent should prisoners be availed the right to privacy?

The concluding session was a time for discussion and opinion sharing

From the closing session, and the above sessions many themes and questions pertaining to privacy came out that will need to be addressed when considering the way forward for a privacy legislation including:

Regulation of ubiquitous surveillance in the name of national security
Regulation over public display of names and personal information
The need to distinguish between identity and identifier.
The need to protect an individual's identity while regulating the production and use of identifiers.
Privacy rights and prisoners: what does the right to privacy mean to a prisoner, i.e., clean facilities and health care.
Can the right to privacy be a platform for individuals to claim sanitary/safe working and living conditions.
Recognize the changing nature of privacy rights in a technological society.
Privacy implications of biometric usage.
Creation of a definition of when privacy rights will supersede identification needs.
How can government institutions, like the tax department, incorporate and protect the right to privacy with the collection of large amounts of data for more efficient services.
Privacy and the family

Download the report and agenda here [pdf - 452kb]

Also see Matthew's presentation [powerpoint file 116kb]

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-matters-report-from-ahmedabad

Privacy and Governmental Databases

elonnai — 2012-03-22T05:41:38Z

In our research we have found that most government databases are incrementally designed in response to developments and improvements that need to be incorporated from time to time. This method of architecting a system leads to a poorly designed database with many privacy risks such as: inaccurate data, incomplete data, inappropriate disclosure of data, inappropriate access to data, and inappropriate security over data. To address these privacy concerns it is important to analyze the problem that is being addressed from the perspective of potential and planned interoperability with other government databases. Below is a list of problems and recommendations concerning privacy, concerning government databases.

Government Databases and recommendations for privacy practices

Citizen-State relationships and privacy standards
Government databases foster different types of relationships between the state and its citizenry. For instance: User databases, service providing databases, and information providing databases. Each one these relationships requires a different level of privacy. Thus, it is important to identify the type of relationship that the database will foster in order to determine what type of privacy model to implement.
Specific privacy policy

Each government database should have a specific privacy policy that are tailored to the information that they hold. Each policy should cover the following areas:
- data collection
- digitization
- usage
- storage
- security
- disclosure
- retrieval
- access (inter departmental and public)
- anonymization, obfuscation and deletion.
Personal vs. personal sensitive and public vs. non-public data categories

Data in government databases requires varying degrees of privacy safeguards. The division of personal information vs. non personal information etc. creates distinct

categories for security levels over data and permissibility of public disclosure. Ex of personal information: Name, address, telephone number, religion. Ex of non-personal data: gender, age. This could work to avoid situations such as the census - where a person’s name, address, age, etc, were all printed for the public eye.
Standardization of Privacy Policies and Access Control

Government databases should all be designed upon interoperable standards so that the databases can "talk" to each other. The ability to coalesce databases strengthens the potential for use and reuse by different stakeholders. Furthermore, the interoperability of systems helps to avoid the creation of silos that hold multiple copies of the same data. To protect the privacy in interoperable systems - restricted and authorized access within departments and between departments is key. The Department of Information Technology has recently published a "Government Interoperability Framework" titled "Interoperability Framework for eGovernance" This policy document is the appropriate place to articulate interoperable privacy policies that could be adopted across eGovernance projects.
Record of breach notification

If data breach occurs in government database, the breach should be recorded and the appropriate individuals notified.
Anonymization/obfuscation and deletion policies

Once the purpose for which the data has been collected has been served it must be anonymized/obfuscated or deleted as appropriate. All data-sets cannot be deleted as bulk aggregate data is very useful to those interested in trend analysis. Anonymizing/obfuscating the personal details of a data set ensures that privacy is protected during such trend analysis.
Accountability for accuracy of data

Frequently data that is collected and entered into government databases is not accurate, because the departments are not collecting the data themselves. Thus, they feel no responsibility for its accuracy. If a mechanism is built into each database for identification of each data source this brings accountability for data accuracy.
Appropriate uses of government databases

Businesses should feel automatically entitled to aggregate and consolidate public information from government databases because it is technically possible to do so. Their uses of government database must be guided by policies that define "appropriate usage."
Access, updation and control of personal information

Citizens must be able to access and update their information. Furthermore, they should be able to define to a certain extent access control to their information - which would automatically make them eligible or ineligible for various government services.

Bibliography

Rezhui, Abdemounaam. Preserving Privacy in Web Services. Department of Computer Sciences, Virginia Tech.
Medjahed, Brahim. Infrastructure for E-Government Web Services. IEEE Internet Computing, Virgina Tech. January/Feburary 2003.

Mladen, Karen. A Report of Research on Privacy for Electronic Government. Privacy in Canada

joi.ito.com/privacyreport/Contents_Distilled/.../Canada_E_p252-314.pdf

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-govt-databases

Open Letter to the Finance Committee: UID and Transactions

praskrishna — 2011-02-24T13:35:11Z

Since official documentation from the UIDAI is very limited, we assume that data pertaining to transactions would comprise of the Aadhaar number, identifier of the authenticating device, date-time stamp, and approval/rejection/error code. Recording and maintaining of data pertaining to transactions is very important because it increases transparency and accountability through an audit trail. However, storage of such sensitive data creates many privacy risks, because more often than not metadata gives you as much intelligence as raw data.

For example – even if you didn’t have access to the Radia recordings – just knowing who she called, when, how frequently, in what order, and for how long, will give quite a comprehensive picture. Thus, we believe that such data should not be fully stored in a central database. By way of an open letter, we suggest three alternative ways of storing and securing data relating to transactions, so that transparency and accountability is preserved without enabling surveillance or profiling of individuals.

Partial storage of data relating to transactions

Once a transaction is processed, half of the UID number is stored in the central database, while the other half of the number is stored with the service provider. Thus, for an agency to reconstruct the audit trail they must seek consent from the service provider and the UIDAI for information regarding a specific transaction. The process would follow steps like these:

Send part of the Aadhaar number to the CIDR
Service provider stores part of the Aadhaar number locally.
Law enforcement and intelligence agencies seeking transaction data securing required approvals from the Home Ministry and then request data from the UIDAI and service provider
Data is provided by UIDAI and the service provider and combined to reconstruct the audit trail.

Storage of the public keys with a custodian

Similar to the model followed in the new wiretapping regulations1, the transaction details in the central database is secured using several custodians. Thus, no single entity has complete knowledge of access to the database. And if the transaction details are leaked to the public, the custodian can be held responsible for negligence. Thus, for an agency to reconstruct the audit trail they must seek approvals and request encrypted data. The process would follow steps like these:

Encrypt transaction data with the public key of the ‘custodian’
Store encrypted data in CIDR
Law enforcement and intelligence agencies seeking transaction details require approvals from the Home Ministry, and then request encrypted data from the UIDAI.
The custodian on receipt of the necessary approvals decrypts the data using his/her private key, and then the audit trail becomes available.

Complete storage of transaction details at the service provider level

After a transaction is processed, the information is encrypted and stored in a de-centralized manner with the service provider, thus agencies or individuals can only access information regarding a specific transaction at a specific organization. The process would follow steps like these:

Encrypt transaction data
Store encrypted data at service provider level
Law enforcement and intelligence agencies seeking transaction details require approvals from the Home Ministry, and then request encrypted data from each service provider. Audit trail is reconstructed by merging data sets from different service providers.
The CIDR will only hold Aadhaar number, date-time stamp, and approval/rejection/error code.

Note

1 http://timesofindia.indiatimes.com/india/Tapping-norms-Govt-will-erase-private-talk/articleshow/7407633.cms

For more details visit https://cis-india.org/internet-governance/blog/privacy/uid-and-transactions

Open Letter to the Finance Committee: Operational Design

praskrishna — 2011-02-17T10:02:46Z

The objective of the UID project is to provide identity infrastructure that is not susceptible to fraud or error. This note highlights parts of the operational design of the project, which are flawed. We plead that each point be taken into consideration and that the design be suitably revised.

Flawed aspects of the operational design

During enrolment: false identities

Initial proof of one’s identity is best proved through multiple, standardized documents. The UID lists seventeen acceptable documents.1 Acceptance and verification of only one of these identities is necessary for enrolment. This is a lower standard than existing forms of identity such as the Passport or the PAN card.2

During transactions: technology will not solve corruption

In every transaction that requires the use of the Aadhaar number, there are four points where corruption is possible and delivery of services will not take place:

The technology fails, and does not perform authentication;
The authority fails and delivers a false positive or false negative;
The local administrator fails to deliver the service after authentication;
The biometric fails due to biological changes, and thus the individual is denied benefits; and
Fraudulent use of face biometrics at the transaction level.

During transactions: high cost of centralization with limited benefits

Verifying unique identity for every transaction will introduce an unnecessary authentication overhead. In the UID Bill, there is provision for standardized authentication fees.3

At some point service providers will pass on the authentication cost through a required authentication fee to the residents. This will take place with no entitlement of any service or guarantee against fraud.

During redressal: no guarantee of quick and adequate remedies

The delivery of services is guaranteed only when there is an optional way for transactions to be completed. If an Aadhaar number holder attempts to complete a transaction, and the UIDAI rejects it, the individual can make a request for re-verification with the registrar.4

If the UIDAI still rejects the request, the individual must file a complaint to the UIDAI contact centre and wait for appropriate remedial action,5 yet the UIDAI is not liable for the loss of service.

During upgrades of the system: patchwork approach to data protection

It is more secure to have pro-active data protection than re-active data protection. The data protection legislation that is meant to secure data processed in the UID project will be established only after the UID bill becomes law. One can only assume that the UID will respond to every new policy development in a patchwork fashion.

1http://uidai.gov.in/index.php?option=com_fsf&view=faq&Itemid=206&catid=24

2 http://passport.nic.in/, http://nrisharejunction.com/pan.aspx

3 Chapter 3, Section 23 (2) (o): The National Identification Authority of India Bill 2010

4 http://uidai.gov.in/UID_PDF/Front_Page_Articles/Documents/Strategy_Overveiw-001.pdf

5 http://uidai.gov.in/images/FrontPageUpdates/aadhaarhandbookver1.2.pdf pg.18

For more details visit https://cis-india.org/internet-governance/blog/privacy/operational-design

Open Letter to the Finance Committee: UID Budget

praskrishna — 2011-02-17T11:18:16Z

This note presents the aspects of the UID project, which have not been considered or incorporated into the UID’s budget. The costs include re-enrollment, loss in human time, and the cost of the audit function.

Cost of re-enrollment
In the report 'Biometrics Design Standards for UID Applications' 1 a pilot study in India concluded that about two to five per cent of the people did not have viable biometric data. These data have not been taken into account when setting the program budget. Over time biometrics modify, thus re-enrollment will be required. The UIDAI states that given the changing nature of biometric data – biometrics would be collected every five years for children and every ten years for adults. The current project does not give us a clear picture as to what extent the re-enrollment will be required, and how the additional costs will be accounted for.
Cost of loss in human time
A time motion study is a tool used to enhance business efficiency and ensure cost effectiveness by reducing the number of motions in performing a task. In their budget, the UIDAI has accounted for the salaries of individuals associated directly with the UIDAI. The UIDAI has not accounted for the loss in human time that will take place by individuals whose daily routine will be impacted by the UID. If a time motion study were to be done only on the UID project, one would find that individuals not paid by the UIDAI, lose potential wages due to the unpaid time they must dedicate towards the scheme – or that businesses will be forced to compensate for the extra time required for each transaction by providing additional personnel. For example: On a train the number of train masters present is calculated according to how many individuals each ticket master can check and process. With the UID, in order to prevent fraud around subsidized train tickets , individuals on the train will have their biometrics checked and authenticated. The below diagram demonstrates how authenticating an individual by their UID and biometric incurs a loss in human time, and thus, the process of collecting train tickets will require more train masters to complete.
Current Process:
- Present ticket to train master
- Train master checks identity card and identity on ticket
- Train master ticks ticket, and ticks his list to indicate verification
Process with biometrics:
- Present Aadhaar number, fingerprint , and ticket to train master
- Train master takes a reading of your fingerprint and sends it to the central database
- Train master waits for approval from the CIDR
- The CIDR gives a yes or no response
- If the answer is no – the train master swipes your finger five times, and then finds alternate forms of identification
- Train master provides proof of verification
Cost of audit function
The bulk of the UID enabled transactions will have financial implications. Every financial transaction involves three or four parties: the person who collects the payment, the person who prepares the documentation, the person who approves the documentation, and finally the person who audits the documentation. In such a context the technology can play the role of the person who: collects, prepares, and approves each transaction. The role of auditing the transaction cannot be played by technology. The audit function is human, and the audit function needs to be worked into the project budget.

1 “Biometrics Design Standards for UID Applications" pg.22

For more details visit https://cis-india.org/internet-governance/blog/privacy/uid-budget

Open Letter to the Finance Committe: Biometrics

praskrishna — 2011-02-17T13:12:22Z

This note points out the weaknesses inherent in biometrics and the pitfalls in using them. It recommends procedural safeguards that should be adopted by the UID in order to make the use of biometrics more secure and inclusive.

Biometrics are not centrally stored and are used only for identification

Biometrics, as our first letter notes 1 are better suited for identification, and are inappropriate for authentication. Therefore, the central server need not store biometric information, and need only store the public key of each citizen's digital signature.2 Biometrics on a smart card for authentication will allow service providers to determine if the card is being carried by the right person. This configuration of biometrics has many positives. It is :
- Cost effective
- More secure
- Places the control of biometric information in the hands of the data subject
Use encrypted data, rather than live data

The UID scheme has stated that biometrics will be encrypted, but has not provided further details. 3
It is recommended that biometrics are:
- Encrypted whenever it is used, stored and transferred;
- A biometric should be encrypted to such a degree that it is not possible to reconstruct the biometric data; and
- After an encrypted version of the biometric is made, the original biometric should be deleted.
In order to perform an identification check – the biometrics presented should be encrypted and then compared to the encrypted version stored on the card. If the card is stolen – the thief would not be able to harvest biometrics.
Security clearance for all associated entities and personnel

UID registrations and transactions will be handled by 'registrars' or in other words personnel who work at organizations not directly under the control of the UIDAI. A clear process associated with who can perform transactions and a proper audit system is needed to prevent 'insider' attacks.
Clearly defined alternate identification factors

There are many situations in which a biometric cannot be accepted in a transaction. For example, when the biometric changes, is misread, or is unreadable. The UID has recognized this possibility and has stated: “In case of authentication, the operator needs to find an alternate method of authentication if fingerprint verification fails. The operator/application would not know the cause of verification failure. A timeout will be implemented in service after five attempts.”4
The alternative identity factors that will be accepted need to be clearly defined and articulate.
Standards for acceptance of biometric as authentication factor

The UIDAI has proposed a whole range of authentication factors – pin, password, partial biometrics, full biometrics, mobile phone and combination's thereof. 5 Some of these authentication factors may also be presented by the data subject over the Internet. As our previous letters have stated – some authentication factors are more secure than others. Therefore, the UIDAI should publish standards for acceptance of different authentication factors based on the security requirements of different types of transactions. Even if biometrics are used as an authentication standard – in our opinion it should only be used for trivial transactions without major financial or citizenship implications.

Footnotes:

1http://www.cis-india.org/advocacy/igov/privacy-india/letter-to-finance-committee

2 Distinguish and separate the authentication process from the identification process: Identification is a comparison of one set of biometric data against all sets of collected biometrics in one central database to verify the identity of the owner of the biometric data. Authentication is a comparison of a biometric against a stored template to validate the existence of that specific biometric

3 http://uidai.gov.in/index.php?option=com_fsf&view=faq&Itemid=206&catid=7

4 Biometric Design Standards for UID Applications: pg 37

5 UIDAI Strategy Overview. Creating a Unique Identity Number for Every Resident in India. Pg. 28

For more details visit https://cis-india.org/internet-governance/blog/privacy/biometrics

Open Letter to the Finance Committee: Finance and Security

praskrishna — 2011-02-17T11:57:42Z

This note explores the three connections between finance and security and demonstrates the cost implications of operating a centrally designed identity management system as proposed by the UID. In doing so, it shows how the monitoring, storing, and securing of transactional data in a centralized database fall short of meeting the project's objectives of authentication, and thus is an additional cost. Further, it is argued that the blanket monitoring of the transaction database is not an effective method of detecting fraud, and is an expensive component of the project.

Operating a centralized identity management system that requires the use of a remote database for every transaction is always more expensive than a decentralized identity management system that could optionally use a local database.

Centralized database costs

Both public and private keys must be centrally stored
All transactions require connectivity for the sending and receiving of authentication of data, and have an associated connectivity cost
Securing all data at a central database has augmented costs

Decentralized database costs

Only the public key must be centrally stored
Some transactions require connectivity for the sending and receiving of authentication data

The cost of building an identity management system that includes recording, monitoring, and securing each transaction is more than the cost of building only an identity authentication system. The goal of the project is to identify a person. Recording each transaction will add unnecessary cost.

Cost of identity authentication system
Cost of monitoring transactions	> Cost of identity authentication system
Cost of securing transaction data

Increasing security or fighting fraud can be done in two ways - having a targeted approach or through blanket monitoring. The UID scheme, through the monitoring of the transaction database featuring trillions of transaction by 1.2 billion people is a blanket approach, and will provide lower return on investment than a targeted approach.

For more details visit https://cis-india.org/internet-governance/blog/privacy/finance-and-security

Privacy Matters — Conference Report

praskrishna — 2011-01-27T10:22:55Z

A one-day conference on Privacy Matters was held on Sunday, 23 January 2011 at the National University of Juridical Sciences (NUJS) Law School in Kolkata. This was the first of a series of eleven conferences on ‘privacy’ that Privacy India is scheduled to host in different Indian cities from January to June this year. Members of Parliament, Sri Manoj Bhattacharya from the Revolutionary Socialist Party (RSP) and Sri Nilotpal Basu from the Communist Party of India (Marxist) CPI (M) spoke in the conference. Students, the civil society and lawyers also participated in it.

Introduction

The conference was held to discuss elements of the privacy legislation that has been proposed to the Parliament of India, and the UID Bill and project. The conference focused on the tensions between privacy and society that exist in India today, and acted as a space for opinion sharing and discussion. Privacy India which was formed under the auspices of Privacy International, a UK based organization that works to protect the right of privacy around the world, the Centre for Internet and Society (CIS), an NGO based in Bangalore, and Society in Action Group (SAG), an NGO based in Delhi joined hands to host this event.

Rajan Gandhi, founder of SAG opened the conference with an explanation of the mandate of Privacy India, the objective of which is of raising awareness, sparking civil action and promoting democratic dialogue around privacy challenges and violations in India. One of Privacy India's goals is to build consensus towards the promulgation of comprehensive privacy legislation in India through consultations with the public, legislators and the legal and academic community.

Keynote

The keynote speech was delivered by Dr. Sudhir Krishnaswamy professor of law and governance. Dr. Krishnaswamy began by outlining the present situation of privacy in India. The right to privacy has been read into Sections 19 and 21 of the Constitution of India through case law, which has defined privacy — among other things — as the right to personal autonomy, the right against unreasonable search and seizure, and as a fundamental right that is critical to the person, but does not supersede public or national interest. Dr. Krishnaswamy also raised many intriguing questions including: what does privacy mean to India — is it linked to a person’s dignity and their honour? Or is it purely concerned with misappropriation of information, and further is privacy in India an issue of the individual or an issue of the family and the community? He also described the philosophical groundings of privacy as being in the right to dignity, the right to autonomy, and the misappropriation of information.

Privacy Challenges

The conference was spread into three sessions. In the first session Prashant Iyengar, head researcher of the project at Privacy India, spoke about the challenges that India specifically is facing in shaping a privacy legislation including: the need to balance the right to information/transparency and privacy, the need to create a definition of privacy that does not exclude lower classes and is not a negative right, but instead a positive right, and the problem of ubiquitous surveillance that is happening in society today. Elonnai Hickok, policy analyst at Privacy India, spoke specifically on wire tapping, and the Nira Radia tapes. In her presentation she first outlined other countries definitions of privacy which include: the right to be left alone, the protection from unauthorized searches, and the right to control information about oneself through consent. Using the case study of Nira Radia and Ratan Tata she spoke about the rising concern of wire tapping in the country as being indicative of a social change and relationship of the state and government. Elonnai also raised questions concerning whether privacy should be made inversely proportional to public figures, and if public interest will always supersede the private right of individuals.

UID and Privacy

The second session of the conference focused on the UID Bill and privacy. Presentations from NUJS student Amba Kak and Sai Vinod raised concerns about the UID project and privacy. Their presentation also compared and contrasted identity schemes of other countries with the UID. A few similarities that they found amongst all scheme were: the collection of data, the processing of data, and the storing of data. Deva Prasad from the National Law School of Bangalore presented on constitutional elements of the UID scheme ranging from loopholes in the Bill to connections that can be made when the UID Bill is placed in the larger picture. Sri Manoj Bhattacharya (MP) from RSP voiced his concerns of the UID, and emphasized that by giving an individual a number which acts as their fundamental identity which they use to function in society, the government in fact is eroding an individual’s actual identity, and that is an invasion of privacy. Sri Nilotpal Basu (MP) from CPI (M) spoke out strongly against the UID, voicing that his greatest concern with the UID is that it will be a way for corporate bodies to target individuals as consumers, and that privacy legislation could be used as a way for corporate bodies to hide from the public eye.

Conclusion

In the concluding session the floor was opened up to the public for questions and opinion sharing. Many participants shared what they believed needed to be included in privacy legislation, and what issues a privacy legislation needs to address. A few of these include: privacy rights and the media, privacy and the right to information, the privacy rights of minorities, and the privacy rights of the government. Also types of regulatory models for privacy were discussed. For instance, should privacy in India be represented and protected through a data protection law, or should privacy be seen as a fundamental right to privacy? Should privacy be represented through a broad framework, or through sector specific statutes? What should the redressal and enforcement mechanisms look like?

As seen from the presentations and the comments at the conference one thing which is clear is that privacy is an issue that concerns every person in India. Over the next six months Privacy India will be conducting ten more conferences in different Indian cities to engage the public in dialogues of privacy and raise awareness around the issues of privacy. The next workshop will be held on 5 February 2011 in Bangalore.

Download the conference summary here

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-nujsconference-summary