Centre for Internet and Society

Driving in the Surveillance Society: Cameras, RFID tags and Black Boxes...

maria — 2013-07-12T15:26:33Z

In this post, Maria Xynou looks at red light cameras, RFID tags and black boxes used to monitor vehicles in India.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

How many times in your life have you heard of people been involved in car accidents and of pedestrians being hit by red-light-running vehicles? What if there could be a solution for all of this? Well, several countries, including the United States, the United Kingdom and Singapore, have already adopted measures to tackle vehicle accidents and fatalities, some of which include traffic enforcement cameras and other security measures. India is currently joining the league by not only installing red light cameras, but by also including radio frequency identification (RFID) tags on vehicles´ number plates, as well as by installing electronic toll collection systems and black boxes in some automobiles. Although such measures could potentially increase our safety, privacy concerns have arisen as it remains unclear how data collected will be used.

Red light cameras

Last week, the Chennai police announced that it plans to install traffic enforcement cameras, otherwise known as red light cameras, at 240 traffic signals over the next months, in order to put an end to car thefts in the city. Red light cameras, which capture images of vehicles entering an intersection against a red traffic light, have been installed in Bangalore since early 2008 and a study indicates that they have reduced the traffic violation rates. A 2003 report by the National Cooperative Highway Research Programme (NCHRP) examined studies from the previous 30 years in the United States, the United Kingdom, Australia and Singapore and concluded that red light cameras ´improve the overall safety of intersections when they are used´.

However, how are traffic violation rates even measured? According to Barbara Langland Orban, an associate professor of health policy and management at the University of South Florida:

“Safety is measured in crashes, in particular injury crashes, and violations are not a proxy for injuries. Also, violations can be whatever number an agency chooses to report, which is called an ‘endogenous variable’ in research and not considered meaningful as the number can be manipulated. In contrast, injuries reflect the number of people who seek medical care, which cannot be manipulated by the reporting methods of jurisdictions.”

Last year, the Bombay state government informed the High Court that the 100 CCTV cameras installed at traffic junctions in 2006-2007 were unsuitable for traffic enforcement because they lacked the capacity of automatic processing. Nonetheless, red light cameras, which are capable of monitoring speed and intersections with stop signals, are currently being proliferated in India. Yet, questions remain: Do red light cameras adequately increase public safety? Do they serve financial interests? Do they violate driver´s due-process rights?

RFID tags and Black Boxes

A communication revolution is upon us, as Maharashtra state transport department is currently including radio frequency identification (RFID) tags on each and every number plate of vehicles. This ultimately means that the state will be able to monitor your vehicle´s real-time movement and track your whereabouts. RFID tags are not only supposedly used to increase public safety by tracking down offenders, but to also streamline public transport timetables. Thus, the movement of buses and cars would be precisely monitored and would provide passengers minute-to-minute information at bus stops. Following the 2001 amendment of Rule 50 of the Central Motor Vehicles Rules, 1989, new number plates with RFID tags have been made mandatory for all types of motor vehicles throughout India.

RFID technology has also been launched at Maharashtra´s state border check-posts. Since last year, the state government has been circulating RFID stickers to trucks, trailers and tankers, which would not only result in heavy goods vehicles not having to wait in long queues for clearance at check-posts, but would also supposedly put an end to corruption by RTO officials.

By 31 March 2014, it is estimated that RFID-based electronic toll collection (ETC) systems will be installed on all national highways in India. According to Dr. Joshi, the Union Minister for Road Transport and Highways:

“The RFID technology shall expedite the clearing of traffic at toll plazas and the need of carrying cash shall also be eliminated when toll plazas shall be duly integrated with each other throughout India.”

Although Dr. Joshi´s mission to create a quality highway network across India and to increase the transparency of the system seems rational, the ETC system raises privacy concerns, as it uniquely identifies each vehicle, collects data and provides general vehicle and traffic monitoring. This could potentially lead to a privacy violation, as India currently lacks adequate statutory provisions which could safeguard the use of our data from potential abuse. All we know is that our vehicles are being monitored, but it remains unclear how the data collected will be used, shared and retained, which raises concerns.

The cattle and pedestrians roaming the streets in India appear to have increased the need for the installation of an Event Data Recorder (EDR), otherwise known as a black box, which is a device capable of recording information related to crashes or accidents. The purpose of a black box is to record the speed of the vehicle at the point of impact in the case of an accident and whether the driver had applied the brakes. This would help insurance companies in deciding whether or not to entertain insurance claims, as well as to determine whether a driver is responsible for an accident.

Black boxes for vehicles are already being designed, tested and installed in some vehicles in India at an affordable cost. In fact, manufacturers in India have recommended that the government make it mandatory for cars to be fitted with the device, rather than it being optional. But can we have privacy when our cars are being monitored? This is essentially a case of proactive monitoring which has not been adequately justified yet, as it remains unclear how information would be used, who would be authorised to use and share such information, and whether its use would be accounted for to the individual.

Are monitored cars safer?

The trade-off is clear: the privacy and anonymity of our movement is being monitored in exchange for the provision of safety. But are we even getting any safety in return? According to a 2005 Federal Highway Administration study, although it shows a decrease in front-into-side crashes at intersections with cameras, an increase in rear-end crashes has also been proven. Other studies of red light cameras in the US have shown that more accidents have occurred since the installation of traffic enforcement cameras at intersections. Although no such research has been undertaken in India yet, the effectiveness, necessity and utility of red light cameras remain ambiguous.

Furthermore, there have been claims that the installation of red light cameras, ETCs, RFID tags, black boxes and other technologies do not primarily serve the purpose of public security, but financial gain. A huge debate has arisen in the United States on whether such monitoring of vehicles actually improves safety, or whether its primary objective is to serve financial interests. Red light cameras have already generated about $1.5 million in fines in the Elmwood village of Ohio, which leads critics to believe that the installation of such cameras has more to do with revenue enhancement than safety. The same type of question applies to India and yet a clear-cut answer has not been reached.

Companies which manufacture vehicle tracking systems are widespread in India, which constitutes the monitoring of our cars a vivid reality. Yet, there is a lack of statutory provisions in India for the privacy of our vehicle´s real-time movement and hence, we are being monitored without any safeguards. Major privacy concerns arise in regards to the monitoring of vehicles in India, as the following questions have not been adequately addressed: What type of data is collected in India through the monitoring of vehicles? Who can legally authorize access to such data? Who can have access to such data and under what conditions? Is data being shared between third parties and if so, under what conditions?How long is such data being retained for?

And more importantly: Why is it important to address the above questions? Does it even matter if the movement of our vehicles is being monitored? How would that affect us personally? Well, the monitoring of our cars implies a huge probability that it´s not our vehicles per se which are under the microscope, but us. And while the tracking of our movement might not end us up arrested, interrogated, tortured or imprisoned tomorrow...it might in the future. As long as we are being monitored, we are all suspects and we may potentially be treated as any other offender who is suspected to have committed a crime. The current statutory omission in India to adequately regulate the use of traffic enforcement cameras, RFID tags, black boxes and other technologies used to track and monitor the movement of our vehicles can potentially violate our due process rights and infringe upon our right to privacy and other human rights. Thus, the collection, access, use, analysis, sharing and retention of data acquired through the monitoring of vehicles in India should be strictly regulated to ensure that we are not exposed to our defenceless control.

Maneuvering our monitoring

Nowadays, surveillance appears to be the quick-fix solution for everything related to public security; but that does not need to be the case.

Instead of installing red light cameras monitoring our cars´ movements and bombarding us with fines, other ´simple´ measures could be enforced in India, such as increasing the duration of the yellow light between the green and the red, re-timing lights so drivers will encounter fewer red ones or increasing the visibility distance of the traffic lights so that it is more likely for a driver to stop. Such measures should be enforced by governments, especially since the monitoring of our vehicles is not adequately justified.

Strict laws regulating the use of all technologies monitoring vehicles in India, whether red light cameras, RFID tags or black boxes, should be enacted now. Such regulations should clearly specify the terms of monitoring vehicles, as well as the conditions under which data can be collected, accessed, shared, used, processed and stored. The enactment of regulations on the monitoring of vehicles in India could minimize the potential for citizens´ due process rights to be breached, as well as to ensure that their right to privacy and other human rights are legally protected. This would just be another step towards preventing ubiquitous surveillance and if governments are interested in protecting their citizens´ human rights as they claim they do, then there is no debate on the necessity of regulating the monitoring of our vehicles. The question though which remains is:

Should we be monitored at all?

For more details visit https://cis-india.org/internet-governance/blog/driving-in-the-surveillance-society-cameras-rfid-black-boxes

The Privacy (Protection) Bill 2013: A Citizen's Draft

bhairav — 2013-07-12T11:50:20Z

The Centre for Internet and Society has been researching privacy in India since 2010 with the objective of raising public awareness around privacy, completing in depth research, and driving a privacy legislation in India. As part of this work, Bhairav Acharya has drafted the Privacy (Protection) Bill 2013.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

The Privacy (Protection) Bill 2013 contains provisions that speak to data protection, interception, and surveillance. The Bill also establishes the powers and functions of the Privacy Commissioner, and lays out offenses and penalties for contravention of the Bill. The Bill represents a citizen's version of a possible privacy legislation for India, and will be shared with key stakeholders including civil society, industry, and government.

Click to download a full draft of the Privacy (Protection) Bill, 2013.

For more details visit https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-citizens-draft

Future of Privacy in India

praskrishna — 2013-03-26T05:14:45Z

DSCI and ICOMP are organizing a meet on Privacy at the Oberoi Hotel in New Delhi on April 5, 2013. Sunil Abraham will be participating in this event as a speaker.

In recent years, there has been an increasing deployment of ICT in the collection of personal information by both private sector and state agencies. Data is a reason for empowerment for both commercial and public purposes. The prolific use of the Internet for search, social networking cloud computing and e-commerce transactions places increasing amounts of personal information and Internet history in hands of dominant private sector players. Data is undeniably the capital of the Internet. While technology has evolved to be able to collect, store and mine increasing amounts of data for improved public services or for commercial purposes, there are understandable concerns over the lack of accountability for the purposes and limits of the use of personal data. These concerns demand an appropriate regulatory framework for Privacy.

As an important step toward formulating the privacy bill, an Expert Group headed by Justice A P Shah provides inputs based on a study of the international landscape of privacy laws, along with the predominant privacy concerns ensuing from technological advancements. The Committee’s report, submitted in Oct 2012 has recommended Nine Principles as the cornerstone for privacy legislation. While the Privacy Act is under development, DSCI and iCOMP are organizing a meet focusing on the following areas:

Outline an appropriate Indian context for privacy: the nine principles
Presentation of the state of play on privacy in key markets (practices, Issues, regulatory interventions)
Analyse the scope and implications of data collection by public agencies in India.
Analyse privacy challenges and risks related to commercial use of data collected on the Internet by private players
Consider how India can address these challenges and enshrine privacy principles in legislation

Key Speakers

Dr. Gulshan Rai, DG, CERT-In*

Mr. Simon Davis, London School of Economics

Mr. Manoj Joshi, JS, DOPT*

Mr. Kanta Roy, CEO, NeGD*

Dr. Kamlesh Bajaj, CEO, DSCI

Mr. Sunil Abraham, ED, CIS

* To be confirmed

Event Flow

Opening Remark by Mr. S V Divvaakar, Executive Director, ICOMP
Framework for Privacy Regulation in India, By Dr. Kamlesh Bajaj, CEO, DSCI
Keynote Address
‘Privacy :The International state of play’, by Mr. Simon Davis, London School of Economics
Panel Discussion 1: Context of Privacy in India
Panel Discussion 2: Business responsibility in the age of ‘data driven’ transformations

Date: April 5, 2013
Time: 9.00 a.m. to 1.00 p.m.
Venue: Oberoi Hotel, Nilgiri Room, New Delhi

For more details visit https://cis-india.org/news/future-of-privacy-in-india-on-april-5-2013-at-oberoi-hotel-new-delhi

Global Partners Meeting @ London

praskrishna — 2013-03-20T06:37:48Z

Privacy International is organizing the Global Partners Meeting in London from March 22 to 25, 2013. The workshop will be held at the London School of Economics and Political Science. Sunil Abraham and Malavika Jayaram will be participating in this event.

Click to read the full details published by Privacy International here.

The meeting is an opportunity to connect global partners with each other and with researchers, human rights advocates, and privacy and technology experts from over 20 countries. This will provide an opportunity for discussion and debate, that will enrich global research and advocacy agenda for the next two years.

Workshop Overview

The purpose of the three day workshop is as follows:

To understand the privacy discourse and identify the challenges faced in advancing the right to privacy across the globe.
To consolidate our network and look for opportunities for collaboration and cross-pollination for research and advocacy initiatives.
To share experiences about research, dissemination and advocacy strategies that influence policy change.

We envisage this workshop as a launching pad for the work that Privacy International and our global partners will conduct over the next two years under the ambit of the Surveillance and Freedom: Global Understandings and Rights Development (SAFEGUARD) project, funded by the International Development

Research Centre. The focus of the SAFEGUARD project is to understand what are the threats, challenges and obstacles to, and opportunities for, the protection of privacy in developing countries.

Background to the SAFEGUARD project

Nowhere are the challenges to, and opportunities for, privacy protections as dynamic and complex as in the developing world. As these countries seek new measures to develop their economies, build social and technological infrastructures, sustain their social systems, and ensure security they need to consider what are the modern policy frameworks they require to ensure a just society. The windows around these policy frameworks are key opportunities for reflection about rights and democratic values, and in the case of this project, the protection of privacy.

The vast scope and relevance of the right to privacy in this age of technology gives rise to a myriad of challenges and issues, many of which have relevance across, as well as within, borders. This is particularly the case in the developing world, where South-South collaboration is gaining increasing currency in the development sector, and donor countries continue to contribute to and influence policy in recipient countries, particularly with respect to the adoption of new technologies. Many of the trends in developing countries – communications surveillance, biometrics and DNA databases, and identity cards – mirror those being adopted in the global North. Policy laundering and modelling, such as that witnessed with respect to counter-terrorism policies in the aftermath of 9/11 is taking hold in the context of communications surveillance laws and national ID databases. Such phenomena raise concerns not only as to the spread of practices that threaten to undermine privacy, but also with respect to the stifling of national policy discourses and legislative processes.

Conceptual framework

This projects sets out to isolate and understand the challenges to privacy in the developing world. In order to ensure that the research developed is sufficiently targeted to influence policy debates, we have identified a set of themes that cover the range of privacy-related issues and that together will give a comprehensive picture of the difficult relationship between privacy and technology. This set of themes has been developed in collaboration with our partners, who have identified those discussions around which there is perfect storm of advancing surveillance policies and technologies, poor legal and technical safeguards, and a scarcity of research and understanding. We have designed our conceptual framework accordingly.

Research questions

The legal and constitutional landscape: What laws and constitutional provisions exist to protect privacy, how are they implemented and monitored, and where are the legal and policy gaps?

Data protection: What is the state of data protection in partner countries, and what are the local and regional regulatory standards and good practices?

Communications surveillance: What communications surveillance regimes are in place, how are they designed in law and how do they operate in practice?

Adoption of surveillance technologies: Where are governments buying surveillance technologies, and how are they using them? What legal regimes are in place to establish safeguards over the use of advanced surveillance technologies? What is the state of the art in legal protections?

Political intelligence oversight: What is the nature and operation of local intelligence services, what oversight mechanisms are in place, and how can these mechanisms be implemented or enforced?

Politics, Identity, sexual and reproductive health and social sorting: To what the extent do governments misuse personal information to pursue social sorting practices?

Delivery of public services: What is the state of privacy protections in public service delivery, particularly those related to e-health systems and social protection programmes, and how can protections be improved?

ID, DNA and biometrics: What privacy risks are associated with the collection and use of personal information for ID and biometric systems?

Partners

Africa	Latin America	Asia
Zimbabwe Human Rights Forum, Zimbabwe Kenyan Ethical and Legal Issues Network, Kenya Media Institute of Southern Africa, Namibia Jonction, Senegal Centre for Social Sciences Research, University of Cape Town African Platform for Social Protection, Kenya	Dejusticia, Columbia Asociacion por los Derechos Civiles, Argentina Autonomous University of Mexico State, Mexico Centro de Tecnologia y Sociedad, Universidad San Andres, Argentina, in collaboration with the Centro de Tecnologica da Escola de Direito da Fundacao Getulio Vargas, Brasil Instituto NUPEF, Brazil Derechos Digitales, Chile	VOICE, Bangladesh University of Hong Kong, Hong Kong Centre for Internet and Society, India Thai Netizen Network, Thailand Thai Media Policy Center, Thailand Bytes For All, Pakistan Centre for Cyber Law Studies, Indonesia Foundation for Media Alternatives, Philippines

Africa

Latin America

Asia

Zimbabwe Human Rights Forum, Zimbabwe

Kenyan Ethical and Legal Issues Network, Kenya

Media Institute of Southern Africa, Namibia

Jonction, Senegal

Centre for Social Sciences Research, University of Cape Town

African Platform for Social Protection, Kenya

Dejusticia, Columbia

Asociacion por los Derechos Civiles, Argentina

Autonomous University of Mexico State, Mexico

Centro de Tecnologia y Sociedad, Universidad San Andres, Argentina, in collaboration with the Centro de Tecnologica da Escola de Direito da Fundacao Getulio Vargas, Brasil

Instituto NUPEF, Brazil

Derechos Digitales, Chile

VOICE, Bangladesh
University of Hong Kong, Hong Kong
Centre for Internet and Society, India
Thai Netizen Network, Thailand
Thai Media Policy Center, Thailand
Bytes For All, Pakistan
Centre for Cyber Law Studies, Indonesia
Foundation for Media Alternatives, Philippines

Participants

Ababacar Diop
Allan Maleche
Anna Fielder
Anthony Jackson
Arthit Suriyawongkul
Arthur Gwagwa
Ben Hayes
Ben Wagner
Benjamin Barretto
Carly Nyst
Carolin Moeller
Charles Dhewa
Claudio Ruiz
Clement Chen
Danilo Doneda
Eric King
Farjana Akter
Fieke Jansen
Graciela Sulamein
Gus Hosein
Helen Wallace
Juan Camilo Rivera
Karelle Dagon
Katitza Rodriguez
Kevin Donovan
Levinson Kabwato
Malavika Jayaram
Mathias Vermeulen
Michael Rispoli
Nelson Arteaga Botello
Pablo Palazzi
Pirongrong Ramasoota
Ramiro Alvarez Ugarte
Richie Tynan
Sam Smith
Sinta Dewi Rosadi
Shahzad Ahmed
Sinta Dewi Rosadi
Sunil Abraham
Stephanie Perrin
Tavengwa Nhongo
Vera Franz
Vicky Nida
Vivian Newman Pont

Agenda

Friday, March 22, 2013: Reception

Meet with Privacy International staff members and advisors, and workshop participants from more than 20 countries in Latin America, Asia, Africa, Europe and Central Asia. Food and drinks will be provided.

Time: 6.00 p.m.
Location: 2nd Floor, 46 Bedford Row, London WC1R 4LR
Contact: 0207 242 2836
Getting there: Our office is a short walk 10 minute from your hotel. See Map 1 below for directions.

Saturday, March 23, 2013: Day 1 (Objectives and Reviewing the Landscape)

10:00 a.m. - Welcome Breakfast: Setting The Scene
Location: Mercure London Bloomsbury restaurant

Welcome and introduction

Overview of PI’s work in developing countries

Participant introductions

Setting the agenda

12:30 p.m. - Session 1: Reviewing The Landscape
Location: Old Building, Room 3.21, London School of Economics and Political Science, Houghton Street, London WC2A 2AE

Mapping privacy in constitutions

Masterclass 1: communications surveillance laws around the world

Break-out groups on assigned topics, and reporting back

2:30 p.m. - Afternoon tea

Privacy quiz

Masterclass 2: SIM card registration

Building a network: how can PI facilitate your work?

Masterclass 3: Oversight of intelligence agencies

6:00 p.m. - Drinks

7:00 p.m. - Dinner

Location: Tohbang, 164 Clerkenwell Road
http://www.tohbang.com/sub_eng/main.php

Sunday, March 24: Day 2 (Research Topics and Strategies)

Location: Old Building, Room 3.21, London School of Economics and Political Science, Houghton Street, London WC2A 2AE

10:00 a.m. - Recap of day one

Masterclass 4 - The UN Universal Periodic Review

Open-space - research and policy priorities

1:00 p.m. - Lunch
Location: Ship Tavern, Holborn

2:30 p.m. - Reconvene

Open space - research, dissemination and communication strategies

Wrapping up and going forward

6:00 p.m. - Dinner
Location: Wahaca, Charlotte St, http://www.wahaca.co.uk/

For more details visit https://cis-india.org/news/global-partners-meeting-london

Human DNA Profiling Bill 2012 Analysis

Jeremy Gruber — 2013-03-19T09:53:22Z

Jeremy Gruber from the Council for Responsible Genetics, US provides an analysis of the Human DNA Profiling Bill, 2012. He says that India’s updated 2012 Human DNA Profiling Bill offers largely superficial changes from its predecessor, the Draft DNA Profiling Bill, 2007.

Indeed, where there are significant departures from prior language, they tend to raise additional privacy and human rights concerns. Overall the current version of the Bill is littered with significant and striking human rights and privacy concerns and, if passed in its current form, would place India far outside the mainstream of both law and policy in this area. Beyond the privacy and human rights concerns that are addressed in this analysis of the Bill, the breadth of the structural and financial costs of enacting the Bill in its current form should also be seriously considered as they would most certainly be staggeringly high.

Bill Analysis

Introduction

The introduction of the Bill sets out the broad policy objectives of its drafters. The most telling portion in paragraph 1 states: “[DNA analysis] makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead without any doubt.” (emphasis added). It is evident that the policy animating the Bill presupposes the objective infallibility of genetic analysis. This patent mistruth underpins the policy rationale for the Bill, and as such casts a long shadow over its substantive provisions. At the very least, it tells the reader (and perhaps one day the court) to broadly interpret the Bill’s language to favor DNA analysis as the privileged solution to investigational and prosecutorial needs. This provision, and indeed the bill as a whole, ignores the occurrence of false matches, cross-contamination, laboratory error and other limitations of forensic DNA analysis.

The introduction goes on to state, truthfully, that “DNA analysis offers sensitive information which, if misused can cause harm to person or society.” However this statement does not acknowledge that DNA analysis often causes more harm when used as intended as part of unnecessarily expansive powers given to law enforcement authorities. Indeed this is further illustrated by language showing the legislative intent to draft a broad based bill that would govern the use of DNA in a variety of civil and criminal proceedings as well as for purposes to be determined at a later point.

Definitions (Chapter II)

A number of the Bill’s definitions are overbroad, further expanding the scope of its later provisions. The “crime scene index” is defined to include “DNA profiles from forensic material found . . . on or within the body of any person, on anything, or at any place, associated with the commission of a specified offence.” Chapter II(2)(iv). A “specified offence” is defined as any “offence listed in Part 1of the Schedule [to the Bill].” Part 1 of the “Schedule,” on page 56 of the Bill , includes in (A) “Offences under Indian Penal Code” without any specification. In the 2007 version of the bill, the language related to criminal offences was incredibly expansive but specified the various crimes covered inc. rape,“offences relating to dowry,” defamation, and “unnatural offenses.” (See 2007 Bill Schedule p. 34). The current Bill version dispenses with such identified crimes and seemingly expands the Schedule to create an “all crimes” database. The new Bill (Section B) further adds a variety of additional offences under special laws ranging from the Medical Termination of Pregnancy Act to the Motor Vehicles Act and empowers the Board to add any new law it wants to the Schedule. Section C of the Schedule identifies a wide variety of civil matters to be included in the Schedule including disputes related to paternity, pedigree, and organ transplantation. In adds additional civil categories not contemplated by prior versions of the Bill including issues related to assisted reproductive technologies, issues related to immigration/emigration and similar to Section B of the Schedule and in another significant departure from previous Bill versions, empowers the Board to include any other civil matter it chooses in the future. The Crime Scene Index also defines victim expansively to include a person “reasonably suspected of being a victim” (Section 2 ii). Taken together, the government is empowered to conduct genetic testing on almost anyone in any way connected with even minor infractions of the criminal law or involved in virtually any civil proceeding.

The definition of “offender” (Section 2y) is not limited to one with a criminal conviction but includes anyone even charged with an offense, thereby expanding coverage of the criminal provisions of the Bill to include individuals who have not yet been convicted of any crime.

The crucial term “suspect” (Section 2zi) is defined as anyone “suspected of having committed an offence.” By intentionally leaving out the qualifier “specified,” the drafters’ intent is plain: to sweep within the Bill’s breadth all persons suspected of any crime whatsoever even if there is insufficient probable cause for arrest. And, accordingly, the Bill defines the “suspects index” to include “DNA profiles derived from forensic material lawfully taken from suspects.”

Furthermore the definitions include a category of persons entitled “volunteers,” (Section 2 zo) defined as “a person who volunteers to undergo a DNA procedure and, in case of a child or incapable person, his parent or guardian having agreed…” There is no additional clarification as to how this category might be treated in practice but without any clear provisions for informed consent, it is highly unlikely that such participation will be truly voluntary; especially without provisions for decision making subsequent to offering the sample such as future expungement from the system.

Taken together the definitions of victim, offender and suspect expand the reach of this Bill to a broad range of potentially innocent individuals involved in the criminal justice system, while the Schedule and definition of “volunteers” sweep a broad range of categories of innocent citizens into the purview of this Bill- including children and the mentally incapacitated-having nothing to do with the criminal justice system. There is simply no corollary in any other country to such expansive authority. The Bill places India far outside the mainstream of policy in this area and raises serious and far ranging human rights concerns

DNA Profiling Board (Chapter III)

The DNA Profiling Board (hereinafter “Board”) is responsible for administering and overseeing the Indian DNA database . Oversight is an important and valuable concept, however the value of such principles in this Bill are completely overshadowed by the expansive powers given to the Board.

The Bill lays out a number of fields from which the members are to be chosen inc. molecular biology, population biology, criminal justice and bioethics. There is no representation from civil society human rights organizations or the criminal defense bar to ensure that privacy, human rights and the general public interest are ensured. Furthermore the Chief Executive Office of the Board is to be a scientist and therefore unlikely to be familiar with criminal justice matters and evaluations of their efficacy. (Chapter III, Section 10)

The Board is given an almost limitless list of responsibilities including “recommendations for maximizing the use of DNA techniques and technologies (Section 10k) and identifying scientific advances that may assist law enforcement (Section 10L). Such powers are particularly concerning because the Bill does not include any privacy provisions whatsoever but rather invests in the Board the power to make “recommendations for privacy protection laws, regulations and practices relating to access to, or use of stored DNA samples or DNA analyses,” as well as “mak[ing] specific recommendations to . . . ensure the appropriate use and dissemination of DNA information [and] take any other necessary steps required to be taken to protect privacy.” (Section 10o and p). Furthermore the Board is given the responsibility of “deliberating and advising on all ethical and human rights issues emanating out of DNA profiling.” (Section 10t).

These provisions are in lieu of any substantive language limiting the scope of the legislation, and protecting privacy and human rights principles (which the bill otherwise lacks.) These are significant omissions. As expressed in the introduction, the stated purpose of the Bill is “to enhance protection of people in the society and [the] administration of justice.” Taken alone, this Bill actually expresses only the government’s interest in the legislation, suggesting an ambiguously wide scope for its provisions. Substantive concepts of individual privacy and human rights are required to counterbalance the interests of the government and provide protections for the equally vital privacy and human rights interests of the individual. As such, limiting privacy and human rights principles should be included alongside the expression of the government’s security interest. Without it, the Board will effectively have carte blanche with regard to what privacy and human rights protections are—or are not—adopted.

Also in a departure from previous versions of this Bill, this Bill expands the Boards powers to include areas of policy beyond the coverage of the Bill’s other provisions including “intellectual property issues. (Section 10i)

Finally, as noted earlier in the discussion of the Schedule (and in a significant departure from previous versions of the Bill), the Board is given total control to expand every category of person to be included under the Bill. In a democratic system of government, such decisions should rest exclusively with the Parliament and therefore be subject to the checks and balances of government as well as the transparency necessary to ensure public participation. Leaving such decision making to an unelected body raises serious human rights concerns.

Approval of Laboratories (Chapter IV)

Sections 13 to 17 provide for the approval by the DNA Profiling Board of DNA laboratories that will process and analyze genetic material for eventual inclusion on the DNA database. Under Section 13, all laboratories must be approved in writing prior to processing or analyzing any genetic material. However, a conflicting provision appears in the next section, Section 14(2), which permits DNA laboratories in existence at the time the legislation is enacted to process or analyze DNA samples immediately, without first obtaining approval.

Either an oversight on the part of the drafters, or the product of overly-vague language, the result is that established genetic laboratories—including whatever genetic material or profiles they may already have for whatever reason—are in effect “grandfathered” into the system. The only review of these laboratories is the post hoc approval of the laboratory by the DNA profiling board. The potential for abuse and error that this conflict of provisions would be best addressed in keeping with the rule articulated in Section 13, i.e. correcting the language of Section 14(2) that allows for laboratories to be “grandfathered” into the system.

Standards, Obligations of DNA Laboratory (Chapter V)

Chapter V, which concerns the obligations of and the standards to be observed by approved DNA laboratories, lacks adequate administrative requirements. For example, Section 21 requires that labs ensure “adequate security” to minimize contamination without providing for accountability in the event of contamination. Similarly, Section 27 provides for audits of DNA laboratories only, withholding from similar scrutiny of the DNA Profiling Board itself. However, the greatest limitation of every Section of this Chapter is that rather than offering any specific substantive requirements, they instead offer categories requiring attention “as may be specified “ by the DNA Board. Any actual standard or obligation by a laboratory is set entirely by the DNA Board. Minimum standards must be set by law to ensure compliance.

Infrastructure and Training (Chapter VI)

Similar to Chapter V, this section offers no legislative benchmarks but rather categories of activities, with further regulation “as may be specified” by the Board. As noted earlier, there are serious concerns in using DNA analysis with regards to false matches, cross-contamination and laboratory error. Not taking such concerns seriously, and taking serious steps to minimize their occurrence, can lead to significant distrust of government and police authority when such incidents occur.

DNA Databank (Chapter VII)

In addition on one national DNA database, the Bill sanctions the several Indian states to maintain their own DNA databases, provided these state-level databases forward copies of their content to the national database. Section 32(3). Section 32(5) states that the indices should include records related thereto” the DNA analysis. (See also Section 35(b)) Such provisions allow for access to “the information” contained in the database, not simply “the DNA profiles” contained in the database. Without further clarification it would appear to authorize an unlimited amount of private information unrelated to identification to be included in the indices.

The national database is envisioned to comprise several sub-databases (Section 32(4)), each to contain the genetic information of a subset of persons/samples, namely: (a) unidentified crime scene samples, (b) samples taken from suspects, (c) samples taken from offenders inc. persons convicted or currently subject to prosecution for criminal offenses (d) samples associated with missing persons, (e) samples taken from unidentified bodies, (f) samples taken from “volunteers,” and finally (g) samples taken for reasons “as may be specified by regulations made by the Board. Section 33 (4) et seq. Putting to one side the breadth of persons subject to inclusion under subcategories (1) through (6), subsection (7) appears on its face to be a “catch all” provision, leaving one only to guess at the circumstances under which its specificities may be promulgated.

A close reading of Section 32(6) strongly suggests that the agency conducting the forensic analyses and populating the DNA database shall retain the actual DNA samples thereafter. This section reads in relevant part:

The “DNA Data Bank shall contain . . . the following information, namely: (a) in case of a profile in the offenders index, the identity of the person from whose body substance or body substances the profile was derived, and (b) in case of all other profiles, the case reference number of the investigation associated with the body substance or body substances from which the profile was derived.

Allowing retention of the biological sample, even after a profile has been created from it, in conjunction with the unlimited ability of the Board to create regulations for additional uses of that sample raises serious privacy and human rights concerns.

Moreover, rather than choosing to link the DNA profile data to a specific offender or case, the drafters of the Bill instead link the “body substance or body substances” with that specific offender or case. Whether sloppy drafting or clever nuance, this provision equates the DNA profile with the DNA sample, injecting unneeded—and potentially harmful—ambiguity into the proposed law.

Section 37 (1) allows for indefinite retention of information in the offenders index (which includes individuals charged with an offense but not convicted). This provision raises serious human rights concerns as it would appear to allow indefinite retention of profiles of individuals who have not been convicted of a crime. This directly conflicts with Section 37 (II) which allows for expungement when a certified copy of a court order stating that the individual in question has been acquitted. This provision also appears to conflict with Chapter VIII Section 43(b) which appears to allow indefinite retention of DNA of suspects even after they’ve been excluded from an investigation. Indeed no process or procedures for expungement and removal of records are in place for suspects generally who are never charged or for any of the other categories of indices that are present in the Bill, thereby raising serious question as to how and even whether such profiles can be removed from the Databank.

Confidentiality, Access to DNA Profiles, Samples, and Records (Chapter VIII)

Two further provisions regarding access to the database warrant close scrutiny. First, Sections 39 and 40 confers upon the Board the unlimited power to expand categories for which DNA profiles, samples and records can be used. Considering that the Bill (Section 40(e)) already questionably allows such records to be used for population research, these provisions raise serious questions as to the classes of potential use such private information might be subject.
Sections 40-42 purport to confer upon the police and other authorized individuals direct access to all of the information contained in the national DNA database. While administratively expedient, this arrangement opens up the possibility for misuse. A more prudent system would place the Board (or some administrative subordinate portion thereof) between the police and the content of the DNA database, with the latter having to make specific and particular requests to the former. This would minimize the risks inherent in the more expansive model of database access the bill currently envisions.

Section 45 related to post-conviction DNA testing has the laudable goal of offering “any individual undergoing a sentence of imprisonment or death pursuant to conviction for an offence, may apply to the court which convicted him for an order of DNA testing” in order to prove their innocence. However such an application lists eleven separate criteria that such an applicant must meet before qualifying, and allows a court total discretion in deciding whether all such criteria have been met. High barriers and absolute discretion make such testing highly unlikely and therefore make a provision seeming to offer human rights protections completely hollow.

Offences and Penalties (Chapter X)

This chapter lays out penalties for misuse of the Database. Most notably, the bill specifically excludes a private cause of action for the unlawful collection of DNA, or for the unlawful storage of private information on the national DNA database. A new provision in Section 58 does allow for an aggrieved person to petition the Central Government or Board if an instance of misuse is not being addressed but such provision does not contain any required processes such entities must follow in responding to such a petition, making an otherwise positive new provision relatively empty. Nor does the bill grant an individual right to review one’s personal data contained on the database. Without these key features, there are limited checks against the unlawful collection, analysis, and storage of private genetic information on the database.

Best Practices Analysis

Collection of DNA

With consent: only for a specific investigation (e.g. from a victim or for elimination purposes). Volunteers should not have information entered on a database.	No provision.
Without consent: only from persons suspected of a crime for which DNA evidence is directly relevant i.e. a crime scene sample exists or is likely to exist. Or, broader categories?	No provision.
Requirement for an order by a court? Or allowed in other circumstances?	No provision.
Samples collected by police officers, or only medical professionals? Must take place in a secure location i.e. not on the street, etc.	No provision.
Provision of information for all persons from whom DNA is taken.	No provision.
Crime scenes should be promptly examined if DNA evidence is likely to be relevant, and quality assurance procedures must protect against contamination of evidence.	No provision; regulated at discretion of DNA Profiling Board.

Analysis of DNA

Should take place only in laboratories with quality assurance.	Regulated at discretion of DNA Profiling Board.
Laboratories should be independent of police.	No provision; regulated at discretion of DNA Profiling Board.
Profiling standards must be sufficient to minimize false matches occurring by chance. This must take account of increased likelihood of false matches in transboundary searches, and with relatives.	No provision; regulated at discretion of DNA Profiling Board.

Storage of DNA and Linked Data

Data from convicted persons should be separate from others e.g. missing persons’ databases.	Unclear.
Access to databases and samples must be restricted and there must be an independent and transparent system of governance, with regular information published e.g. annual reports, minutes of oversight meetings.	Access to database at discretion of DNA Data Bank Manager.
Personal identification information should not be sent with samples to laboratories.	No provision; regulated at discretion of DNA Profiling Board.
Any transfer of data e.g. from police station to lab or database, must be secure.	No provision; regulated at discretion of DNA Profiling Board.

Uses of Samples and Data

Research uses should be restricted to anonymised verification of database performance (e.g. checking false matches etc.). Third party access to data for such purposes should be allowed, provided public information on research projects is published. There should be an ethics board.	No provision.
Research uses for other purposes e.g. health research, behavioral research should not be allowed.	No provision.
Uses should be restricted by law to solving crimes or identifying dead bodies/body parts. Identification of a person is not an acceptable use. Missing persons databases (if they exist) should be separate from police databases. .	Ambiguous provisions suggest much wider scope.
Any transfer of data e.g. from police station to lab or database, must be secure.	No provision.

Destruction of DNA and Linked Data

DNA samples should be destroyed once the DNA profiles needed for identification purposes have been obtained from them, allowing for sufficient time for quality assurance, e.g. six months.	DNA samples are retained.
An automatic removals process is required for deletion of data from innocent persons. This must take place within a reasonable time of acquittal, etc.	No provision.
There should be limits on retention of DNA profiles from persons convicted of minor crimes.	No provision.
There should be an appeals process against retention of data.	No provision.
Linked data on other databases (e.g. police record of arrest, fingerprints) should be deleted at the same time as DNA database records.	No provision.
Crime scene DNA evidence should be retained for as long as a reinvestigation might be needed (including to address miscarriages of justice).	DNA evidence permitted to be retained indefinitely.

Use in court

Individuals must have a right to have a second sample taken from them and reanalyzed as a check.	No provision.
Individuals must have a right to obtain re-analysis of crime scene forensic evidence in the event of appeal.	Allowed but with impossibly high barriers.
Expert evidence and statistics must not misrepresent the role and value of the DNA evidence in relation to the crime. .	No provision.

Other

Relevant safeguards must be proscribed by law and there should be appropriate penalties for abuse.	No provision.
Impacts on children and other vulnerable persons (e.g. mentally ill) must be considered.	No provision.
Potential for racial bias must be minimized.	No provision.

Click for more information on the Council for Responsible Genetics.

For more details visit https://cis-india.org/internet-governance/blog/human-dna-profiling-bill-analysis

Workshop on the Unique Identity Number (UID), the National Population Register (NPR) and Governance: What will happen to our data?

maria — 2013-07-12T15:28:50Z

On March 2nd, 2013, the Centre for Internet and Society and the Say No to UID campaign organized a workshop to discuss the present state of the UID and NPR schemes. Some of the questions which were addressed included ´How do the UID and NPR impact citizenship´, ´Why and how is national security linked to UID/NPR´, and ´What is the relationship between UID and Big Data´.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

“The UIDAI will own our data...When we hand over information, we hand over the ownership of that data...”, stated Usha Ramanathan, legal researcher and human rights activist.She also pointed out that, although the UID has been set up by an executive order, there is no statute which legally backs up the UID. In other words, the collection of our data through the UID scheme is currently illegal in India, hinging only on an executive order. However, Usha Ramanathan stated that if the UID scheme is going to be carried out, it is highly significant that a statute for the UID is enacted to prevent potential abuse of human rights, especially since the UIDAI is currently collecting, sharing, using and storing our data on untested grounds.

´What is alarming is that the Indian government has not even attempted to legalize the UID! When a government does not even care about legalizing its actions, then we have much bigger problems...”

The NPR is legally grounded in the provisions of the Citizenship Act 1955 and in the Citizenship Rules 2003 and it is mandatory for every usual resident in India to register with the NPR. Even though the collection of biometrics is not accounted for in the statute or rules, the NPR is currently collecting photographs, iris prints and fingerprints. Concerns regarding the use of biometrics in the UID and NPR schemes were raised during the workshop; biometrics are not infallible and can be spoofed, an individual´s biometrics can change in response to a number of factors (including age, environment and stress), the accuracy of a biometric match depends on the accuracy of the technology used and the larger the population is, the higher the probability of an error. Thus, individuals are required to re-enrol every two to three years, to ensure that the biometric data collected is accurate; but the accuracy of the data is not the only problem. The Indian government is illegally collecting biometrics and as of yet has not amended the 2003 Citizenship Rules to include the collection of biometrics! As Usha Ramanathan stated:

“It´s not really about the UID and the NPR per se...it´s more about the idea of profiling citizens and the technologies which enable this...”

In his presentation, Anant Maringanti, from the Hyderabad Urban Labs and Right to the City Foundation, stated that even though seventy seven lakh duplicates have been found, no action has been taken, other than discarding one of them. Despite the fact that enrolment with the UID is considered to be voluntary, children in India are forced to get a unique identification number as a prerequisite of going to school. Anant emphasized that the UID scheme supposedly provides some form of identity to the poor and marginalised groups in India, but it actually targets some of the most vulnerable groups of people, such as HIV patients and sex workers. Furthermore, though Indians living below the poverty line (BPL) are eligible for direct cash transfer programmes, apparently registration with the UID scheme is considered essential to determine whether beneficiaries belong in the BLP category. This is problematic as individuals who have not enrolled in the UID or do not want to enroll in the UID could risk being denied benefits because they did not enroll and thus were not classified in the BPL category. Anant also pointed out that, linking biometric data to a bank account through the UID scheme is basically exposing personal data to fraud. Anant Maringanti characteristically stated:

“I wish the 100 people applying the UID scheme had UIDs so that we could track them...!”

Following the end of the workshop on the UID and NPR schemes, CIS interviewed Usha Ramanathan and Anant Maringanti:

The workshop can be viewed in two parts:

For more details visit https://cis-india.org/internet-governance/blog/workshop-on-the-uid-and-npr

New $1 Billion RIC Project Casts Doubts on Aadhaar

praskrishna — 2013-04-04T08:28:51Z

The Indian Government is going ahead with a new project dubbed RIC that will effectively undermine the existing UIDAI – Unique Identification Authority of India project and will cost a whopping $1 billion.

This was published in AEG India on March 16, 2013. Sunil Abraham is quoted.

The National Population Register and the Unique Identification Authority of India (UIDAI) are the two organizations which will capture the biometric details of the citizens and will develop the resident identity card (RIC) and create the unique identifier number (UID) popularly known as Aadhar number respectively.

Both the RIC and UID projects are designed to unify the distribution of social and welfare services to the citizens. Sunil Abraham, Executive Director of Centre for Internet and Society India, said that the ID number and the ID smartcard are both different and are not at all complementary as declared by the Indian Government previously.

The ID number and the ID smart card are two completely separate visions. They cannot be mixed up together to make some kind of salad which can be consumed partly, added Abraham.

He said that it was easy for the Indian government to proceed simultaneously with both the projects rather than cancelling the much criticized Aadhaar project.

Minister P. Karunakaran, on March 12 in the Lok Sabha, asked R.P.N. Singh, the Minister of State, to clarify the confusion over the proposed biometric identity card and the UID (Aadhaar number). The government has planned to spend more than US$1 billion to issue the Indian citizens a resident identity card (RIC) which will also feature the Aadhaar number as well.

For more details visit https://cis-india.org/news/aeg-india-march-16-2013-new-dollar-one-billion-ric-project-casts-doubts-on-aadhar

Hacking without borders: The future of artificial intelligence and surveillance

maria — 2013-07-12T15:30:27Z

In this post, Maria Xynou looks at some of DARPA´s artificial intelligence surveillance technologies in regards to the right to privacy and their potential future use in India.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Robots or computer systems controlling our thoughts is way beyond anything I have seen in science fiction; yet something of the kind may be a reality in the future. The US Defence Advanced Research Projects Agency (DARPA) is currently funding several artificial intelligence projects which could potentially equip governments with the most powerful weapon possible: mind control.

Combat Zones That See (CTS)

Source: swanksalot on flickr

Ten years ago DARPA started funding the Combat Zones That See (CTS) project, which aims to ´track everything that moves´ within a city through a massive network of surveillance cameras linked to a centralized computer system. Groundbreaking artificial intelligence software is being used in the project to identify and track all movement within cities, which constitutes Big Brother as a reality. The computer software supporting the CTS is capable of automatically identifying vehicles and provides instant alerts after detecting a vehicle with a license plate on a watch list. The software is also able to analyze the video footage and to distinguish ´normal´ from ´abnormal´ behavior, as well as to discover links between ´places, subjects and times of activity´ and to identify patterns. With the use of this software, the CTS constitute the world´s first multi-camera surveillance system which is capable of automatically analyzing video footage.

Although the CTS project was initially intended to be used for solely military purposes, its use for civil purposes, such as combating crime, remains a possibility. In 2003 DARPA stated that 40 million surveillance cameras were already in use around the world by law enforcement agencies to combat crime and terrorism, with 300 million expected by 2005. Police in the U.S. have stated that buying new technology which may potentially aid their work is an integral part of the 9/11 mentality. Considering the fact that literally millions of CCTV cameras are installed by law enforcement agencies around the world and that DARPA has developed the software that has the capability of automatically analyzing data gathered by CCTV cameras, it is very possible that law enforcement agencies are participating in the CTS network.

However if such a project was used for non-military level purposes, it could raise concerns in regards to data protection, privacy and human rights. As a massive network of surveillance cameras, the CTS ultimately could enable the sharing of footage between private parties and law enforcement agencies without individuals´ knowledge or consent. Databases around the world could be potentially linked to each other and it remains unclear what laws would regulate the access, use and retention of such databases by law enforcement agencies of multiple countries. Furthermore, there is no universal definition for ´normal´ and ´abnormal´ behaviour, thus if the software is used for its original purpose, to distinguish between “abnormal” and “normal” behaviour, and used beyond military purposes, then there is a potential for abuse, as the criteria for being monitored, and possibly arrested, would not be clearly set out.

Mind´s Eye

Source: watchingfrogsboil on flickr

A camera today which is only capable of recording visual footage appears futile in comparison to what DARPA´s creating: a thinking camera. The Mind´s Eye project was launched in the U.S. in early 2011 and is currently developing smart cameras endowed with ´visual intelligence´. This ultimately means that artificial intelligence surveillance cameras can not only record visual footage, but also automatically detect ´abnormal´ behavior, alert officials and analyze data in such a way that they are able to predict future human activities and situations.

Mainstream surveillance cameras already have visual-intelligence algorithms, but none of them are able to automatically analyze the data they collect. Data analysts are usually hired for analyzing the footage on a per instance basis, and only if a policeman detects ´something suspicious´ in the footage. Those days are over. General James Cartwright, the vice chairman of the Joint Chiefs of Staff, stated in an intelligence conference that “Star[ing] at Death TV for hours on end trying to find the single target or see something move is just a waste of manpower.” Today, the Mind´s Eye project is developing smart cameras equipped with artificial intelligence software capable of identifying operationally significant activity and predicting outcomes.

Mounting these smart cameras on drones is the initial plan; and while that would enable military operations, many ethical concerns have arisen in regards to whether such technologies should be used for ´civil purposes.´ Will law enforcement agencies in India be equipped with such cameras over the next years? If so, how will their use be regulated?

SyNAPSE

Source: A Health Blog on flickr

The Terminator could be more than just science fiction if current robots had artificial brains with similar form, function and architecture to the mammalian brain. DARPA is attempting this by funding HRL Laboratories, Hewlett-Packard and IBM Research to carry out this task through the Systems of Neuromorphic Adaptive Plastic Scalable Electronics (SyNAPSE) programme. Is DARPA funding the creation of the Terminator? No. Such artificial brains would be used to build robots whose intelligence matches that of mice and cats...for now.

SyNAPSE is a programme which aims to develop electronic neuromorphic machine technology which scales to biological levels. It started in the U.S. in 2008 and is scheduled to run until around 2016, while having received $102.6 million in funding as of January 2013. The ultimate aim is to build an electronic microprocessor system that matches a mammalian brain in power consumption, function and size. As current programmable machines are limited by their computational capacity, which requires human-derived algorithms to describe and process information, SyNAPSE´s objective is to create biological neural systems which can autonomously process information in complex environments. Like the mammalian brain, SyNAPSE´s cognitive computers would be capable of automatically learning relevant and probabilistically stable features and associations, as well as of finding correlations, creating hypotheses and generally remembering and learning through experiences.

Although this original type of computational device could be beneficial to predict natural disasters and other threats to security based on its cognitive abilities, human rights questions arise if it were to be used in general for surveillance purposes. Imagine surveillance technologies with the capacity of a human brain. Imagine surveillance technologies capable of remembering your activity, analyzing it, correlating it to other facts and/or activities, and of predicting outcomes; and now imagine such technology used to spy on us. That might be a possibility in the future.

Such cognitive technology is still in an experimental phase and although it could be used to tackle threats to security, it could also potentially be used to monitor populations more efficiently. No such technology currently exists in India, but it could only be a matter of time before Indian law enforcement agencies start using such artificial intelligence surveillance technology to supposedly enhance our security and protect us.

Brain-Computer Interface (BCI)

Remember Orwell's ´Thought Police´? Was Orwell exaggerating just to get his point across? Well, the future appears to be much scarier than Orwell's vision depicted in 1984. Unlike the ´Thought Police´ which merely arrested individuals who openly expressed ideas or thoughts which contradicted the Party´s dogma, today, technologies are being developed which can literally read our thoughts.

Once again, DARPA appears to be funding one of the world´s most innovative projects: the Brain-Computer Interface (BCI). The human brain is far better at pattern matching than any computer, whilst computers have greater analytical speed than human brains. The BCI is an attempt to merge the two together, and to enable the human brain to control robotic devices and other machines. In particular, the BCI is comprised of a headset (an electroencephalograph - an EEG) with sensors that rest on the human scalp, as well as of software which processes brain activity. This enables the human brain to be linked to a computer and for an individual to control technologies without moving a finger, but by merely thinking of the action.

Ten years ago it was reported that the brains of rats and monkeys could control robot arms through the use of such technologies. A few years later brainstem implants were developed to tackle deafness. Today, brain-computer interface technologies are able to directly link the human brain to computers, thus enabling paralyzed people to conduct computer activity by merely thinking of the actions, as well as to control robotic limbs with their thoughts. BCIs appear to open up a new gateway for disabled persons, as all previously unthinkable actions, such as typing on a computer or browsing through websites, can now be undertaken by literally thinking about them, while using a BCI.

Brain-controlled robotic limbs could change the lives of disabled persons, but ethical concerns have arisen in regards to the BCI´s mind-reading ability. If the brain can be used to control computers and other technologies, does that ultimately mean that computers can also be used to control the human brain? Researchers from the University of Oxford and Geneva, and the University of California, Berkley, have created a custom programme that was specially designed with the sole purpose of finding out sensitive data, such as an individuals´ home location, credit card PIN and date of birth. Volunteers participated in this programme and it had up to 40% success in obtaining useful information. To extract such information, researchers rely on the P300 response, which is a very specific brainwave pattern that occurs when a human brain recognizes something that is meaningful, whether that is personal information, such as credit card details, or an enemy in a battlefield. According to DARPA:

´When a human wearing the EEG cap was introduced, the number of false alarms dropped to only five per hour, out of a total of 2,304 target events per hour, and a 91 percent successful target recognition rate was introduced.´

This constitutes the human brain as a new warfighting domain of the twenty-first century, as experiments have proven that the brain can control and maneuver quadcopter drones and other military technologies. Enhanced threat detection through BCI´s scan for P300 responses and the literal control of military operations through the brain, definitely appear to be changing the future of warfare. Along with this change, the possibility of manipulating a soldier´s BCI during conflict is real and could lead to absolute chaos and destruction.

Security expert, Barnaby Jack, of IOActive demonstrated the vulnerability of biotechnological systems, which raises concerns that BCI technologies may also potentially be vulnerable and expose an individual's´ brain to hacking, manipulation and control by third parties. If the brain can control computer systems and computer systems are able to detect and distinguish brain patterns, then this ultimately means that the human brain can potentially be controlled by computer software.

Will BCI be used in the future to interrogate terrorists and suspects? What would that mean for the future of our human rights? Can we have human rights if authorities can literally hack our brain in the name of national security? How can we be protected from abuse by those in power, if the most precious thing we have - our thoughts - can potentially be hacked? Human rights are essential because they protect us from those in power; but the privacy of our thoughts is even more important, because without it, we can have no human rights, no individuality.

Sure, the BCI is a very impressive technological accomplishment and can potentially improve the lives of millions. But it can also potentially destroy the most unique quality of human beings: their personal thoughts. Mind control is a vicious game to play and may constitute some of the scariest political novels as a comedy of the past. Nuclear weapons, bombs and all other powerful technologies seem childish compared to the BCI which can literally control our mind! Therefore strict regulations should be enacted which would restrict the use of BCI technologies to visually impaired or handicapped individuals. Though these technologies currently are not being used in India, explicit laws on the use of artificial intelligence surveillance technologies should be enacted in India, to help ensure that they do not infringe upon the right to privacy and other human rights.

Apparently, anyone can buy Emotiv or Neurosky BCI online to mind control their computer with only $200-$300. If the use of BCI was imposed in a top-down manner, then maybe there would be some hope that people would oppose its use for surveillance purposes; but if the idea of mind control is being socially integrated...the future of privacy seems bleak.

For more details visit https://cis-india.org/internet-governance/blog/hacking-without-borders-the-future-of-artificial-intelligence-and-surveillance

A Comparison of the Draft DNA Profiling Bill 2007 and the Draft Human DNA Profiling Bill 2012

maria — 2013-07-12T15:32:08Z

In this post, Maria Xynou gives us a comparison of the Draft DNA Profiling Bill 2007 and the Draft Human DNA Profiling Bill 2012.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Last April, the most recent version of the DNA Profiling Bill was leaked in India. The draft 2007 DNA Profiling Bill failed to adequately regulate the collection, use, sharing, analysis and retention of DNA samples, profiles and data, whilst its various loopholes created a potential for abuse. However, its 2012 amended version is not much of an improvement. On the contrary, it excessively empowers the DNA Profiling Board, while remaining vague in terms of collection, use, analysis, sharing and storage of DNA samples, profiles and data. Due to its ambiguity and lack of adequate safeguards, the draft April 2012 Human DNA Profiling Bill can potentially enable the infringement of the right to privacy and other human rights.

**Draft 2007 DNA Profiling Bill vs. Draft 2012 Human DNA Profiling Bill**

1. Composition of the DNA Profiling Board

Amendment: The Draft 2007 DNA Profiling Bill listed the members which would be appointed by the Central Government to comprise the DNA Profiling Board. A social scientist of national eminence, as stated in section 4(q) of Chapter 3, was included. However, the specific section has been deleted from the Draft 2012 Human DNA Profiling Bill and no other social scientist has been added to the list of members to comprise the DNA Profiling Board. Despite the amendments to the section on the composition of the Board, no privacy or human rights expert has been included.

Analysis: The lack of human rights experts on the board can potentially be problematic as a lack of expertise on privacy laws and other human rights laws can lead to the regulation of DNA databases without taking privacy and other civil liberties into consideration.

DNA 2007 Bill (Section 4): “The DNA Profiling Board shall consist of the following members appointed by the Central Government from amongst persons of ability, integrity and standing who have knowledge or experience in DNA profiling including molecular biology, human genetics, population biology, bioethics , social sciences, law and criminal justice or any other discipline which would, in the opinion of the Central Government, be useful to DNA Profiling , namely: (a) a Renowned Molecular Biologist to be appointed by the Central Government Chairperson, (b) Secretary, Ministry of Law and Justice, or his nominee ex-officio Member; (c) Chairman, Bar Council of India, New Delhi or his nominee ex-officio Member; (d) Vice Chancellor, NALSAR University of Law, Hyderabad ex-officio Member; (e) Director, Central Bureau of Investigation or his nominee ex-officio Member; (f) Chief Forensic Scientist, Directorate of Forensic Science, Ministry of Home Affairs, New Delhi ex-officio Member; (g) Director, National Crime Records Bureau, New Delhi ex-officio Member; (h) Director, National Institute of Criminology and Forensic Sciences, New Delhi ex-officio Member; (i) a Forensic DNA Expert to be nominated by Secretary, Ministry of Home Affairs, New Delhi, Government of India Member; (j) a DNA Expert from All India Institute of Medical Sciences, New Delhi to be nominated by its Director, Member; (k) a Population Geneticist to be nominated by the President, Indian National Science Academy, New Delhi Member; (l) an Expert to be nominated by the Director, Indian Institute of Science, Bangalore Member; (m) Director, National Accreditation Board for Testing and Calibration of Laboratories, New Delhi ex-officio Member; (n) Director, Centre for Cellular and Molecular Biology, Hyderabad ex-officio Member; (o) Representative of the Department of Bio-technology, Government of India, New Delhi to be nominated by Secretary, DBT, Ministry of S&T, Government of India Member; (p) The Chairman, National Bioethics Committee of Department of Biotechnology, Government of India, New Delhi ex-officio Member; (q) a Social Scientist of National Eminence to be nominated by Secretary, MHRD, Government of India Member; (r) four Directors General of Police representing different regions of the country to be nominated by MHA Members; (s) two expert Members to be nominated by the Chairperson Members (t) Manager, National DNA Data Bank ex-officio Member; (u) Director, Centre for DNA and Fingerprinting and Diagnostics (CDFD), Hyderabad ex-officio Member Secretary”

DNA April 2012 Bill (Section 4):“The Board shall consist of the following Members appointed from amongst persons of ability, integrity and standing who have knowledge or experience in DNA profiling including molecular biology, human genetics, population biology, bioethics, social sciences, law and criminal justice or any other discipline which would be useful to DNA profiling, namely:- (a) A renowned molecular biologist to be appointed by the Central Government- Chairperson; (b) Vice Chancellor of a National Law University established under an Act of Legislature to be nominated by the Chairperson- ex-officio Member; (c) Director, Central Bureau of Investigation or his nominee (not below the rank of Joint Director)- ex-officio Member; (d) Director, National Institute of Criminology and Forensic Sciences, New Delhi- ex-officio Member;(e) Director General of Police of a State to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member; (f) Chief Forensic Scientist, Directorate of Forensic Science, Ministry of Home Affairs, Government of India - ex-officio Member (g) Director of a Central Forensic Science Laboratory to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member; (h) Director of a State Forensic Science Laboratory to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member; (i) Chairman, National Bioethics Committee of Department of Biotechnology, Government of India- ex-officio Member; (j) Director, National Accreditation Board for Testing and Calibration of Laboratories, New Delhi- exofficio Member; (k) Financial Adviser, Department of Biotechnology, Government of India or his nominee- ex-officio Member; (l) Two molecular biologists to be nominated by the Secretary, Department of Biotechnology, Ministry of Science and Technology, Government of India- Members; (m) A population geneticist to be nominated by the President, Indian National Science Academy, New Delhi- Member; (n) A representative of the Department of Biotechnology, Government of India to be nominated by the Secretary, Department of Biotechnology, Ministry of Science and Technology, Government of India- Member; (o) Director, Centre for DNA and Fingerprinting and Diagnostics (CDFD), Hyderabad- ex-officio Member- Secretary”

2. Powers and functions of the Chief Executive Officer

Amendment: Although the Chief Executive Officer´s (CEO) powers and functions are set out in the 2007 Draft DNA Bill, these have been deleted from the amended 2012 Draft Bill. The Draft 2012 Bill merely states how the CEO will be appointed, the CEO´s status and that the CEO should report to the Member Secretary of the Board. As for the powers and functions of the CEO, the 2012 Bill states that they will be specified by the Board, without any reference to what type of duties the CEO would be eligible for. Furthermore, section 10(3) has been added which determines that the CEO will be ´a scientist with understanding of genetics and molecular biology´.

Analysis: The lack of legal guidelines which would determine the scope of such regulations indicates that the CEO´s power is subject to the Board. This could create a potential for abuse, as the CEO´s power and the criteria for the creation of the regulations by the Board are not legally specified. Although an understanding of genetics and molecular biology is a necessary prerequisite for the specific CEO, an official understanding of privacy and human rights laws should also be a prerequisite to ensure that tasks are carried out adequately in regards to privacy and data protection.

DNA 2007 Bill (Section 11):“(1) The DNA Profiling Board shall have a Chief Executive Officer who shall be appointed by the Selection Committee consisting of Chairperson and four other members nominated by the DNA Profiling Board. (2) The Chief Executive Officer shall be of the rank of Joint Secretary to the Govt. of India and report to the Member Secretary of the DNA Profiling Board. (3)The Chief Executive Officer appointed under sub-section (1)shall exercise powers of general superintendence over the affairs of the DNA Profiling Board and its day-to-day management under the direction and control of the Member Secretary. (4) The Chief Executive Officer shall be responsible for the furnishing of all returns, reports and statements required to be furnished, under this Act and any other law for the time being in force, to the Central Government. (5) It shall be the duty of the Chief Executive Officer to place before the DNA Profiling Board for its consideration and decision any matter of financial importance if the Financial Adviser suggests to him in writing that such matter be placed before the DNA Profiling Board.”
DNA April 2012 Bill (Section 10): “(1) There shall be a Chief Executive Officer of the Board who shall be appointed by a selection committee consisting of the Chairperson and four other Members nominated by the Board. (2) The Chief Executive Officer shall be a person not below the rank of Joint Secretary to the Government of India or equivalent and he shall report to the Member-Secretary of the Board. (3) The Chief Executive Officer shall be a scientist with understanding of genetics and molecular biology. (4) The Chief Executive Officer appointed under subsection (1) shall exercise such powers and perform such duties, as may be specified by the regulations made by the Board, under the direction and control of the Member-Secretary”

3. Functions of the Board

Amendment: The section on the functions of the DNA Profiling Board of the 2007 Draft DNA Profiling Bill has been amended. In particular, sub-section 12(j) of the Draft 2012 Human DNA Profiling Bill states that the Board would ´authorise procedures for communication of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies´. The equivalent sub-section in the 2007 Draft DNA Bill restricted the Board´s authorisation to crime investigation by law enforcement agencies, and did not include civil proceedings and other agencies.

Analysis: This amendment raises concerns, as the ´other agencies´ and the term ´civil proceedings´ are not defined and remain vague. The broad use of the terms ´other agencies´ and ´civil proceedings´ could create a potential for abuse, as it is unclear which parties would be authorised to use DNA profiles and under what conditions, nor is it clear what ´civil proceedings´ entail.

DNA 2007 Bill (Section 13(x)): The DNA Profiling Board constituted under section 3 of this Act shall exercise and discharge the following powers and functions, namely: “authorize communication of DNA profile for crime investigation by law enforcement agencies;”

DNA April 2012 Bill (Section 12(j)): The Board shall exercise and discharge the following functions for the purposes of this Act, namely: “authorizing procedures for communication of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies;”

4. Regional DNA Data Banks

Amendment: Section 33(1) of the 2007 Draft DNA Profiling Bill has been amended and its 2012 version (section 32(1)) states that the Central Government will establish a National DNA Data Bank and ´as many Regional DNA Data Banks thereunder, for every state or group of States, as necessary´.

Analysis: This amendment enables the potential establishment of infinite regional DNA Data Banks without setting out the conditions for their function, how they would use data, how long they would retain it for or who they would share it with. The establishment of such regional data banks could potentially enable the access to, analysis, sharing and retention of huge volumes of DNA data without adequate regulatory frameworks restricting their function.

DNA 2007 Bill (Section 33(1)): “The Central Government shall, by a notification published in the Gazette of India, establish a National DNA Data Bank.”
DNA April 2012 Bill (Section 32(1)): “The Central Government shall, by notification, establish a National DNA Data Bank and as many Regional DNA Data Banks thereunder for every State or a group of States, as necessary.

5. Data sharing

Section 33(2) of the 2007 Draft DNA Profiling Bill has been amended and section 32(2) of the 2012 draft Human DNA Profiling Bill includes that every state government should establish a State DNA Data Bank which should share the information with the National DNA Data Bank.

This sharing of DNA data between state and national DNA Data Banks could potentially increase the probability of data being accessed, shared, analysed and retained by unauthorised third parties. Furthermore, specific details, such as which information should be shared, how often and under what conditions, have not been specified.

DNA 2007 Bill (Section 33(2)): “A State Government may, by notification in the Official Gazette, establish a State DNA Data Bank.”
DNA April 2012 Bill (Section 32(2)):“Every State Government may, by notification, establish a State DNA Data Bank which shall share the information with the National DNA Data Bank.”

6. Data retention

Amendment: Section 32(3) of the 2012 draft DNA Bill has been amended from its original 2007 form to include that regulations on the retention of DNA data would be drafted by the DNA Profiling Board.

Analysis: This amendment does not set out the DNA data retention period, nor who would have the authority to access such data and under what conditions. Furthermore, regulations on the retention of such data would be drafted by the DNA Profiling Board, which could increase their probability of being subject to bias and lack of transparency.

DNA 2007 Bill (Section 33(3)): “The National DNA Data Bank shall receive DNA data from State DNA Data Banks and shall store the DNA Profiles received from different laboratories in the format as may be specified by regulations.”
DNA April 2012 Bill (Section 32(3)): “The National DNA Data Bank shall receive DNA data from State DNA Data Banks and shall store the DNA profiles received from different laboratories in the format as may be specified by the regulations made by the Board.”

7. Data Bank Manager

Amendment: Section 33 has been added to the 2012 draft Human DNA Profiling Bill and establishes a DNA Data Bank Manager, who would carry out ´all operations of and concerning the National DNA Data Bank´.

Analysis: All such operations are not clearly specified and could create a potential for abuse. The DNA Data Manager would have the same type of status as the Chief Executive Officer, but he/she would be required to have an understanding of computer applications and statistics, possibly to support data mining efforts. However, the powers and duties that the DNA Data Bank Manager would be expected to have are not specified in the Bill, which merely states that they would be specified by regulations made by the DNA Profiling Board.

DNA 2012 Bill (Section 33):“(1) All operations of and concerning the National DNA Data Bank shall be carried out under the supervision of a DNA Data Bank Manager who shall be appointed by a selection committee consisting of Chairperson and four other Members nominated by the Board.(2) The DNA Data Bank Manager shall be a person not below the rank of Joint Secretary to the Government of India or equivalent and he shall report to the Member-Secretary of the Board.(3) The DNA Data Bank Manager shall be a scientist with understanding of computer applications and statistics. (4) The DNA Data Bank Manager appointed under sub-section (1) shall exercise such powers and perform such duties, as may be specified by the regulations made by the Board, under the direction and control of the Member-Secretary.”

8. Communication of DNA profiles to foreign agencies

Amendment: The 2007 Draft DNA Profiling Bill has been amended and sub-sections 35(2, 3) have been excluded from the 2012 Draft Human DNA Profiling Bill. These sub-clauses prohibited the use of DNA profiles for purposes other than the administration of the Act, as well as the communication of DNA profiles. Furthermore, sub-section 36(1) has been added to the 2012 Bill, which authorises the communication of DNA profiles to international agencies for the purposes of crime investigation.

Analysis: The exclusion of sub-sections 35(2, 3) from the 2012 Bill indicates that the use and communication of DNA profiles without prior authorisation may be legally permitted, which raises major privacy concerns. Sub-section 36(1) does not define a ´crime investigation´, which indicates that DNA profiles could be shared with international agencies for loosely defined ´criminal investigations´ or even for civil proceedings. The lack of a strict definition to the term ´crime investigation´, as well as the broad reference to foreign states and international agencies raises concerns, as it remains unclear who will have access to information, for how long, under what conditions and whether that data will be retained.

DNA 2007 Bill (Sections 35(2,3)): “(2) No person who receives the DNA profile for entry in the DNA Data Bank shall use it or allow it to be used for purposes other than for the administration of this Act. (3) No person shall, except in accordance with the provisions hereinabove, communicate or authorize communication, or allow to be communicated a DNA profile that is contained in the DNA Data Bank or information that is referred to in sub-section (1) of Section 34”
DNA April 2012 Bill (Section 36(1)): “On receipt of a DNA profile from the government of a foreign state, an international organisation established by the governments of states or an institution of any such government or international organization, the National DNA Data Bank Manager may compare the DNA profile with those in the DNA Data Bank in order to determine whether it is already contained in the Data Bank and may then communicate through Central Bureau of Investigation or any other appropriate agency of the Central Government and with the prior approval of the Central Government information referred to in subsection (1) of section 35 to that government, international organisation or institution.”

9. Data destruction

Amendment: Section 37 of the 2007 draft DNA Profiling Bill states that the DNA Data Bank Manager shall expunge the DNA analysis of a person from the DNA index once the court has certified that the conviction of a person has been set aside. The 2007 Bill had no particular reference to data retention. The equivalent clause (37) of the 2012 draft DNA Bill, however, not only states that individuals´ DNA data will be kept on a ´permanent basis´, but also that the DNA Data Bank Manager shall expunge a DNA profile under the same conditions under the 2007 Bill.

Analysis: This amendment indicates that Indians´ DNA data will be kept indefinitely and that it will be deleted only once the court has cleared an individual from conviction. This raises major concerns, as it does not clarify under what conditions individuals can have access to data during its retention, nor does it give ´non-convicts´ the opportunity to have their data deleted from the data bank.

DNA 2007 Bill (Section 37): “The Data Bank Manager shall, on receiving a certified copy of the order of the court that has become final establishing that the conviction of a person included in the DNA data bank has been set aside, expunge forthwith the DNA analysis of such person from the DNA index. Explanation:- For the purposes of this section, a court order is not ‘final’ till the expiry of the period of limitation for filing an appeal, or revision application, or review if permissible under the law, with respect to the order setting aside the conviction.”
DNA April 2012 Bill (Section 37):“(1) Subject to sub-sections (2) and (3), the information in the offenders’ index pertaining to a convict shall be kept on a permanent basis. (2) The DNA Data Bank Manager shall, on receiving a certified copy of the order of the court that has become final establishing that the person in respect of whom the information is included in the offenders’ index has been acquitted of the charge against him, expunge forthwith the DNA profile of such person from the offenders’ index, under intimation to the individual concerned, in such manner as may be prescribed. (3) The DNA Data Bank Manager shall, on receiving a certified copy of the order of the court that has become final establishing that the conviction of a person in respect of whom the information is included in the offenders’ index has been set aside, expunge forthwith the DNA profile of such person from the offenders’ index, under intimation to the individual concerned, in such manner as may be prescribed.”

10. Use of DNA profiles and DNA samples and records

Amendment: Section 39 of the 2007 draft DNA Profiling Bill has been amended and the equivalent section of the 2012 DNA Bill (section 39) states that DNA profiles, samples and records can be used for purposes related to ´other civil matters´ and ´other purposes´, as specified by the regulations made by the DNA Profiling Board.

Analysis: The vague use of the terms ´other civil matters´ and ´other purposes´ can create a potential for abuse, especially since the Board will not be comprised by an adequate amount of members with legal expertise on civil matters. This section enables the use of DNA data for potentially any purpose, as long as it is enabled by the Board. Furthermore, the section does not specify who can be authorised to use DNA data under such conditions, which raises further concerns.

DNA 2007 Bill (Section 39): “(1)All DNA profiles, samples and records shall solely be used for the purpose of facilitating identification of the perpetrator(s) of a specified offence: Provided that such records or samples may be used to identify victims of accidents, disasters or missing persons or for such other purposes. (2) Information stored on the DNA data base system may be accessed by the authorized persons for the purposes of: (i) forensic comparison permitted under this Act; (ii) administering the DNA data base system; (iii) accessing any information contained in the DNA database system by law enforcement officers or any other persons, as may be prescribed, in accordance with provisions of any law for the time being in force; (iv) inquest or inquiry; (v) any other purpose as may be prescribed: Provided that nothing contained in this section shall apply to information which may be used to determine the identity of any person.”
DNA April 2012 Bill (Section 39): “All DNA profiles and DNA samples and records thereof shall be used solely for the purpose of facilitating identification of the perpetrator of a specified offence under Part I of the Schedule: Provided that such profiles or samples may be used to identify victims of accidents or disasters or missing persons or for purposes related to civil disputes and other civil matters listed in Part I of the Schedule or for other purposes as may be specified by the regulations made by the Board.”

11. Availability of DNA profiles and DNA samples

Amendment: Section 40 of the 2007 draft DNA Bill has been amended and an extra paragraph has been included to the equivalent 2012 Bill. In particular, section 40 enables the availability of DNA profiles and samples in criminal cases, judicial proceedings and for defence purposes among others.

Analysis: ´Criminal cases´ are loosely defined and could enable the availability of DNA data on low profile cases.

DNA 2007 Bill (Section 40):“The information on DNA profiles, samples and DNA identification records shall be made available only : (i) to law enforcement agencies for identification purposes in a criminal case; (ii) in judicial proceedings, in accordance with the rules of admissibility of evidence; (iii) for facilitating decisions in cases of criminal prosecution; (iv) for defense purposes, to a victim or the accused to the extent relevant and in connection with the case in which such accused is charged; (v) for population statistics data base, identification, research and protocol development, or for quality control provided that it does not contain any personally identifiable information and does not violate ethical norms, as specified by rules. (vi) for any other purposes as specified by rules.”
DNA April 2012 Bill (Section 40):“Information relating to DNA profiles, DNA samples and records relating thereto shall be made available in the following instances, namely:- (a) for identification purposes in criminal cases, to law enforcement agencies; (b) in judicial proceedings, in accordance with the rules of admissibility of evidence; (c) for facilitating decisions in cases of criminal prosecution; (d) for defence purposes, to the accused to the extent relevant and in connection with the case in which such accused is charged; (e) for creation and maintenance of a population statistics database that is to be used, as prescribed, for the purposes of identification research, protocol development or quality control provided that it does not contain any personally identifiable information and does not violate ethical norms; or (f) in the case of investigations related to civil dispute and other civil matter listed in Part I of the Schedule, to the concerned parties to the said civil dispute or civil matter and to the concerned judicial officer or authority; or (g) for any other purposes, as may be prescribed.”

12. Restriction on access to information in DNA Data Banks

Amendment: Section 43 has been added to the 2012 draft Human DNA Profiling Bill which states that access to information shall be restricted in cases when a DNA profile derives from a victim or a person who has been excluded as a suspect.

Analysis: This section implies that everyone who does not belong in these two categories has his/her data exposed to (unauthorised) access by third parties.

DNA April 2012 Bill (Section 43): “Access to the information in the National DNA Data Bank shall be restricted in the manner as may be prescribed if the information relates to a DNA profile derived from- (a) a victim of an offence which forms or formed the object of the relevant investigation, or (b) a person who has been excluded as a suspect in the relevant investigation.”

13. Board exemption from tax on wealth and income, profits and gains

Amendment: Section 53 of the 2007 draft DNA Bill on “Returns and Reports” on behalf of the Board has been deleted and section 62 on the Board exemption from tax on wealth and income, profits and gains, has been added to the 2012 DNA Bill.

Analysis: Although the 2007 DNA Bill stated that the Central Government was authorised to issue directions, this has been replaced by section 64 of the 2012 DNA Bill, which authorises the DNA Profiling Board to issue directions.

DNA 2007 Bill (Section 53):“(1) The DNA Profiling Board shall furnish to the Central Government at such time and in such form and manner as may be specified by rules or as the Central Government may direct, such returns and statements as the Central Government may, from time to time, require. (2) Without prejudice to the provisions of sub-section (1), the DNA Profiling Board shall, within ninety days after the end of each financial year, submit to the Central Government a report in such form, as may be prescribed, giving a true and full account of its activities, policy and programmes during the previous financial year. (3) A copy of the report received under sub-section (2) shall be laid, as soon may be after it is received, before each House of Parliament.”
DNA April 2012 Bill (Section 62): “Notwithstanding anything contained in- (a) the Wealth-tax Act, 1957; (b) the Income-tax Act, 1961; or (c) any other enactment for the time being in force relating to tax, including tax on wealth, income, profits or gains or the provision of services,- the Board shall not be liable to pay wealth-tax, income-tax or any other tax in respect of its wealth, income, profits or gains derived.”

For more details visit https://cis-india.org/internet-governance/blog/comparison-of-draft-dna-profiling-bills

Indian ID crisis unveils Aadhaar doubts

praskrishna — 2013-03-15T04:52:49Z

Two separate organizations are capturing biometric data of over 1 billion Indians, creating fresh doubts in the government's justification to catalogue citizens.

The blog post by Mahesh Sharma was published in ZD Net on March 14, 2013. Sunil Abraham is quoted.

A new US$1 billion national identity card project has undermined the Indian government's ambitious "Aadhaar" project to catalogue the biometric details of over 1 billion citizens.

Indians' biometric details are being captured by two separate organizations: the National Population Register, to develop the resident identity card (RIC); and the Unique Identification Authority of India (UIDAI), to create a unique identifier (UID), commonly referred to as "Aadhaar" number.

Both projects are designed to streamline the distribution of welfare and social services to citizens--a process that is currently mired in corruption.

In an interview with ZDNet, Centre for Internet and Society's India executive director, Sunil Abraham, said the ID smartcard and ID number are fundamentally different, not complementary, as the government has previously said.

"Those are two very separate visions. You cannot mix them up and make some kind of salad and have a little bit of this and a little bit of that. You have to go the whole hog in one direction," Abraham said.

He said it was easier for the government to proceed with both projects, rather than cancel Aadhaar, which has been criticized over reports there were duplicate biometric information and data abuse.

"The government is afraid it made a mistake," Abraham said. "It could just continue to create a hodgepodge of both ideas, both visions, and continue making big mistakes and have ghosts [in the UID system] and large scale corruption."

On March 12, India's house of representatives, the Lok Sabha, Member of Parliament, P. Karunakaran asked the Minister of State, R.P.N. Singh, to clarify the overlap between the proposed biometric identity card and UID. Singh confirmed the government would spend over US$1 billion (55.52 billion rupees) to issue a resident identity card (RIC) that featured the Aadhaar number.

"The RIC would enable both online and offline authentication of identity in a secure manner and will complement the efforts of Aadhaar," Singh said in a written response. To avoid duplication, he explained that if citizen biometric data was already captured by the UIDAI, then the Aadhaar number would be recorded on the RIC smart card.

Independent lawyer Usha Ramanathan told ZDNet the government had overstepped its legal bounds. She said the UIDAI has demonstrated biometrics are imperfect but the government has persisited with the project.

"The UID is lawless. Now we will have an RIC which will be lawless," Ramanathan said. "All we are offered is the UIDAI 'confidence' that the project will work."

"Privacy and personal security continue to be unprotected. And there seems to be an inexhaustible amount of money to experiment on the whole population," she noted.

For more details visit https://cis-india.org/news/zdnet-mahesh-sharma-march-14-2013-indian-id-crisis-unveils-aadhar-doubts

Unique Identification Scheme (UID) & National Population Register (NPR), and Governance

elonnai — 2014-04-30T05:03:51Z

This post examines the UID, NPR and Governance as it exists in India. The background note gives a summary of what is the NPR, the legal grounding of NPR, its objectives, and the information which could be collected under the NPR. The post also throws light on the UID, its objectives, process of enrollment in UID, how UID is being adopted by different states in India, and finally the differences and controversies in UID and NPR.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Video

The above video is from the "UID, NPR, and Governance" conference held on March 2, 2013 at TERI, Bangalore.

What is the NPR?
In 2010, the Government of India initiated the NPR which entails the creation of the National Citizens Register. This register is being prepared at the local, sub-district, district, state and national level. The database will contain thirteen categories of demographic information and three categories of biometric data collected from all residents aged five and above. Collection of this information was initially supposed to take place during the House listing and Housing Census phase of Census 2011 during April 2010 to September 2010.[1]

What is the legal grounding of the NPR?
The NPR is legally grounded in the provisions of the Citizenship Act, 1955 and the Citizenship Rules 2003. It is mandatory for every usual resident in India to register in the NPR as per Section 14A of the Citizenship Act, 1955, as amended in 2004. The collection of biometrics is not accounted for in the statute or rules.

What are the objectives of the NPR?
The objectives of the NPR as stated by the Citizenship Act is for the creation of a National Citizen Register. The National Citizen Register is intended to assist in improving security by checking for illegal migration. Additional objectives that have been articulated include: providing services to the residents under government schemes and programmes, checking for identity frauds, and improving planning.[2]

What is the process of enrollment for the NPR?
NPR enrollment is being carried out through house to house canvassing. The Office of the Registrar General and Census Commissioner, India has assigned Department of Information Technology (DIT) the responsibility of collecting and digitizing demographic data in 17 states and 2 Union Territories of India.[2] Collected information will then be printed and displayed in the local area where it is scrutinized by local officers and vetted by local bodies called ´Gram Sabha/Ward Committees´.[4] This process of social audit is meant to bring in transparency, equity, and ensure accuracy.

What information will be collected under the NPR?
The NPR database will include thirteen categories of demographic information and three categories of biometrics. The collection biometrics has not been provided for in the text of the Citizenship Rules, and is instead appears to be authorized through guidelines,[5] which do not have statutory backing. Currently, two iris scans, ten fingerprints, and a photograph are being collected. According to a 2010 Committee note, only the photograph and fingerprints were initially envisioned to be collected.

What is the Resident Identity Card?
The proposed Resident Identity card is a smart card with a micro-processor chip of 6.4 Kb capacity; the demographic and biometric attributes of each individual will be personalized in this chip. The UID number will be placed on the card as well. Currently, the government is only considering the possibility of distributing smart cards to all residents over the age of 18.[6]

What is the UID?
The Unique Identification Authority of India (UIDAI) was established in January 2009 and is part of the Planning Commission of India. UIDAI aims to provide a unique 12 digit ID number to all residents in India on a voluntary basis. The number will be known as AADHAAR. The UIDAI will own and operate a Unique Identification Number database which will contain biometric and demographic data of citizens.[7]

What is the objective of the UID?
According to the UIDAI, the UID will provide identity for individuals. The scheme has been promoted by the UIDAI as enabling a number of social benefits including improving the public distribution system, enabling financial inclusion, and improving the Mahatma Gandhi National Rural Employment Guarantee Scheme (NREGS). Despite these benefits, the UIDAI only guarantees identity, and does not guarantee rights, benefits or entitlement.[8]

What is the process for enrollment in the UID?
To enroll in the UID, individuals must go to enrollment centers with the appropriate documentation. Once documents are verified and biometrics taken, individuals will receive an acknowledgment slip and their UID number will be sent in the mail.[9] The UIDAI will enroll up to 600 million residents in 16 States and territories.[10] Online registration prior to enrollment at a Center is also now being offered.

How is UID being adopted by different States?
The adoption of the UID by different states and platforms has been controversial as the UID is not a mandatory number, yet with states and services adopting the number for different governmental services, the UID is becoming mandatory by default. Some ways in which states are using the UID include:

Gas and vehicles: The UPA Government has required that citizens have a UID number for services such as purchasing cooking gas, issuing a RTI request, and registering vehicles.[11]
Education: The Kerala government has required that all students must have UID number in order to be tracked through the system.[12] This mandate was questioned by the National Commission for Protection of Child Rights.
First Information Reports (FIR’s): The high court in Bombay has ordered the state home department to direct all police stations in Maharashtra to record the Unique Identification (UID) numbers of accused individuals and witnesses filing a FIR.[13]
Banks: The National Payment Corporation of India has collaborated UIDAI and is issuing ‘RuPay cards’ (Dhan Aadhaar cards) which will serve as ATM/micro-ATM cards. In 2011 the Bank of India had issued 250 cards.[14]
Railway: Railways are proposing to use the UID database for bookings and validation of passengers.[15]
Social Security: Commencing January 1, 2013, MGNREGA, the Rajiv Gandhi Awas Yojana (RGAY), the Ashraya housing scheme, Bhagyalakshmi and the social security and pension scheme have included the UID in the Mysore district

Has there been duplication of UID numbers?
According to news reports:

The UIDAI has blacklisted an operator and a supervisor in Andhra Pradesh for issuing fake UID numbers.

The UIDAI is looking into six complaints regarding the misuse of personal data while issuing the UID numbers to individuals.

The UIDAI has received two received complaints regarding duplication of UID numbers.[17]

What are the differences between the UID and NPR?

Voluntary vs. Mandatory: It is compulsory for all Indian residents to register with the NPR, while registration with the UIDAI is considered voluntary. However, the NPR will store individuals UID number with the NPR data and place it on the Resident Indian Card. In this way and others, the UID number is becoming compulsory by various means.
Number vs. Register: UID will issue a number, while the NPR is the prelude to the National Citizens Register. Thus, it is only a Register. Though earlier the MNIC card was implemented along the coastal area, there has been no proposal to extend the MNIC to the whole country. The smart card that is proposed under the NPR has only been raised for discussion, and there has been no official decision to issue a card.
Statute vs. Bill: The enrollment of individuals for the NPR is legally backed by the Citizenship Act, except in relation to the collection of biometrics, while the UID as proposed a bill which has not been passed for the legal backing of the scheme.
Authentication vs. Identification: The UID number will serve as an authenticator during transactions. It can be adopted and made mandatory by any platform. The National Resident Card will signify resident status and citizenship. It is unclear what circumstances the card will be required for use in.
UIDAI vs. RGI: The UIDAI is responsible for enrolling individuals in the UID scheme, and the RGI is responsible for enrolling individuals in the NPR scheme. It is important to note that the UIDAI is located in the Planning Commission, but its status is unclear, as the NIC had indicated that the data held is not being held by the government.
Door to door canvassing vs. center enrollment: Individuals will have to go to an enrollment center and register for the UID, while the NPR will carry out part of the enrollment of individuals through door to door canvassing. Note: Individuals will still have to go to centers for enrolling their biometrics for the NPR scheme.
Prior documentation vs. census material: The UID will be based off of prior forms of documentation and identification, while the NPR will be based off of census information.
Online vs. Offline: For authentication of an individual’s UID number, the UID will require mobile connectivity, while the NPR can perform offline verification of an individual’s card.

What is the controversy between the UID and NPR?

Effectiveness: There is controversy over which scheme would be more effective and appropriate for different purposes. For example, the Ministry of Home Affairs has argued that the NPR would be more suited for distributing subsidies than the UID, as the NPR has data linking each individual to a household.[18]
Legality of sharing data: Both the legality of the UID and NPR collecting data and biometrics has been questioned. For example, it has been pointed out that the collection of biometric information through the NPR, is beyond the scope of subordinate legislation. Especially as this appears to be left only to guidelines.[19] Collection of any information under the UID scheme is being questioned as the Bill has not been approved by the Parliament.
Accuracy: The UIDAI's use of multiple registrars and enrolment agencies, the reliance on 'secondary information' via existing ID documents for enrollment in the UID, and the original plan to enroll individuals via the 'introducer' system has raised by Home Minister Chidambaram in January 2012 about how accurate the data collected by the UID is is that will be collected.[20] To this extent, the UIDAI has changed the introducer system to a ‘verifier’ system. In this system, Government officials verify individuals and their documents prior to enrolling them.
Biometrics: Though biometrics are mandatory for the UID scheme, according to information on the NPR website, if an individual has already enrolled with the UID, they will not need to provide their biometrics again for the NPR. Application of this standard has been haphazard as some individuals have been required to provide biometrics for both the UID and the NPR, and others have not been required to provide biometrics for the NPR.[21]

What court cases have been filed against the UID?
The following cases are currently filed in courts around the country:

Supreme Court:

K S Puttaswamy, a retired judge of Karnataka High Court filed a Public Interest Litigation (PIL) in the Supreme Court challenging the legality of UIDAI.[22]

Chandigarh: A petition was filed in Chandigarh by Sanjeev Pandey which sought to quash executive order passed in violation of the Motor Vehicles Act, 1988, and Central Motor Vehicle Rules, 1989 by which UID cards had been made mandatory for registration of vehicles and grant of learner/regular driving license.[23]
Karnataka: Mathew Thomas and Mr. VK Somasekhar have filed a civil suit in the Bangalore City Civil Courts (numbered 8181 of 2012) asking for the UID project to be stopped. The suit was dismissed, and they have appealed the case to the High Court (numbered 1780 and 1825 of 2013).
Chennai: A PIL has been filed in the Madras High Court challenging the constitutional validity of the UIDAI and its issue of UID numbers.[24]
Bombay: In January 2012 a case was filed in the Mumbai high Court. The petitioners to the case are R. Ramkumar, G. Nagarjuna, Kamayani Mahabal, Yogesh Pawar and Vickram Crishna & Ors.

What is the relationship between UID, NPR, and National Security
The UID and the NPR have both stated improving security as an objective for the projects. To this extent, it is envisioned that the UID and the NPR could be used to track and identify individuals, and determine if they are residents of India. In the case of the NPR, a distinction will be made between residents and citizens. Yet, concerns have also been raised that these projects instead raise national security threats, given the size of the databases that will be created, the centralized nature of the databases, the sensitive nature of the information held in the databases, and the involvement of international agencies.[25]

What is the relationship between UID and Big Data?
Aspects of the UID scheme allow it to generate a large amount of data from a variety of sources. Namely, the UID scheme aims to capture 12 billion fingerprints, 1.2 billion photographs and 2.4 billion iris scans and can be adopted by any platform. This data in turn can be stored, analyzed, and used for a number of purposes by a number of stakeholders in both the government and the private sectors. This is already happening to a certain extent as in November 2012 the UID established a Public Data Portal for the UID project. According to UIDAI officials the data portal will allow for big data analysis using crowd sourcing models.[26]

How is UID being used for BPL direct cash transfers?
Registration with the UID scheme is considered essential to determine whether beneficiaries belong in the BPL category and to provide transparency to the distribution of cash. In this way, the UID requirement is thought to prevent the leakage of social security benefits and subsidies to non-intended beneficiaries, as cash will only be made available to the person identified by the UID as the intended recipient. One of the main prerequisites of a below poverty line (BPL) direct cash transfer in India has become the registration with the UIDAI and the acquisition of a UID number. For example:

The "Cash for Food" programme requires that individuals applying for aid have a bank account, and a UID number. The money is transferred, electronically and automatically, to the bank account and the beneficiary should be able to withdraw it from a micro-ATM using the UID number.[27] It is important to note that micro-ATMs are not actual ATMs, but instead are handheld machines which may give information on bank balance and such, but will not dispense or maintain privacy of transaction. Most importantly, the transaction is mediated though a banking correspondent.
The government plans to cover the target BPL families and deposit USD 570 billion per year in the bank accounts of 100 million poor families by 2014.[28]
Currently, only beneficiaries of thirteen government schemes and LPG connection holders have been identified as being entitled to register for a UID number.[29] Though these schemes have been identified, as of yet, adoption has happened in very few districts.

What are the concerns regarding the use of biometrics in the UID and NPR scheme?
Both the UID and the NPR rely on biometrics as a way to identify individuals. Yet, many concerns have been raised about the use of biometrics in terms of legality, effectiveness, and accuracy of the technology. With regards to the accuracy and effectiveness of biometrics – the following concerns have been raised:

Biometrics are not infallible: Inaccuracies can arise from variations in individuals attributes and inaccuracies in the technology.
Environment matters: An individual’s biometrics can change in response to a number of factors including age, environment, stress, activity, and illness.
Population size matters: Because biometrics have differing levels of stability – the larger the population is the higher the possibility for error is.
Technology matters: The accuracy of a biometric match also depends on the accuracy of the technology used. Many aspects of biometric technology can change including: calibration, sensors, and algorithms.
Spoofing: It is possible to spoof a fingerprint and fool a biometric reader.[30]

[1]. Government of India. Ministry of Home Affairs. Office of the Registrar General & Census Commissioner. http://bit.ly/IiySDh

[2]. This is according to a 2010 Cabinet note and the official website of the NPR.

[3]. Department of Information Technology: http://ditnpr.nic.in/frmStatelist.aspx - These include: (1) Arunachal Pradesh (2) Assam (3) Bihar (4) Chhattisgarh (5) Haryana (6) Himachal Pradesh (7)Jammu & Kashmir (8) Jharkhand (9) Madhya Pradesh (10)Meghalaya (11)Mizoram (12)Punjab (13)Rajasthan (14)Sikkim (15)Tripura (16)Uttar Pradesh (17)Uttarakhand Union Territories:-(1) Dadra & Nagar Haveli (2) Chandigarh.

[4]. Government of India. Ministry of Home Affairs. Office of the Registrar General & Census Commissioner: http://bit.ly/IiySDh

[5]. Department of Information Technology. National Population Register. Question 22. What are the procedures to be followed for creating the NPR? The procedures to be followed for creating the NPR have been laid down in the Citizenship (Registration of Citizens and issue of National Identity Cards) Rules, 2003, and the guidelines being issued from time to time.

[6]. The Unique Identification Government of India. Ministry of Home Affairs. Office of the Registrar General & Census Commissioner: http://censusindia.gov.in/2011-Common/IntroductionToNpr.html Authority of India. http://uidai.gov.in/

[7]. Unique Identification Authority of India. http://uidai.gov.in/

[8]. The point was made by R. Ramachandran. How reliable is UID? Frontline. Volume 28- Issue 24: November 19- December 02, 2011. Available at: http://bit.ly/13UMiSv

[9]. For more information see: How to get an Aadhaar. http://bit.ly/R2jBOP

[10]. Mazumdar. R. UIDAI targets 400 million enrolments by mid 2013, Aadhar hopes to give unique identity to some 1.2 bn residents. Economic Times. December 2012. Available at: http://bit.ly/ZC3Yve. Last accessed: February 28th 2013.

[11]. Malu. B. The Aadhaar Card – What are the real intentions of the UPA Government? DNA. February 18^th 2013. Available at: http://bit.ly/150BXRj. Last accessed: February 28th 2013.

[12]. Government of Kerala. General Education Department Circular No. 52957/G2?2012/G.Edn. Available at: http://bit.ly/15Oiq8J

[13]. Plumber, M. Make UID numbers must in FIRs: Bombay HC. DNA. October 2011. Available at: http://bit.ly/tVsInl. Last accessed: February 28th 2013.

[14]. Press Information Bureau. Government of India. Identity Card to Every Adult Resident of the Country under NPR; No Card being issued by UIDAI. December 2011. Available at: http://bit.ly/tJwZG1

[15]. TravelBiz. Railways to use Aadhar database for passenger validation. February 2013. Available at: http://bit.ly/YcW5wl. Last accessed: February 28th 2013.

[16]. Vombatkere. S.G. Questions for Mr. Nilekani. The Hindu. February 2013. Available at: http://bit.ly/YqPlK1. Last accessed: February 28th 2013.

[17]. Economic Times. UIDAI orders probe into duplication of Aadhaar numbers. http://bit.ly/ZORowg. Last accessed: February 28th 2013.

[18]. Jain. B. Battle over turf muddies waters. Times of India. February 2013. Available at: http://bit.ly/16ud3gm. Last accessed: February 28th 2013

[19]. Rediff. Aadhaar’s allocation is Parliament’s contempt. February 2013. Available at: http://bit.ly/Y638JS. Last accessed: February 28th 2013.

[20]. Ibid 17.

[21]. Times of India. Confused over Aadhaar, Cabinet clears GoM. February 2013. Available at http://bit.ly/UTH2JS. Last accessed: February 28th 2013.

[22]. Times of India. Supreme Court notice to govt on PIL over Aadhar. December 2012. Available at: http://bit.ly/13UNs0i. Last accessed: February 2013.

[23]. The Indian Express. HC issues notice to Centre, UT over mandatory UID for license. January 2013. Available at: http://bit.ly/WJq43M. Last accessed: February 28th 2013.

[24]. Economic Times. PIL seeks to scrap Nandan Nilekani’s Aadhar project. January 2012. Available at: http://bit.ly/zB1H07. Last accessed: February 28th 2013.

[25]. Times of India. UID poses national security threat: BJP. January 2012. Available at: http://bit.ly/WeM6KA. Last accessed: February 28th 2013.

[26]. Zeenews. UIDAI launches Public Data Portal for Aadhaar. November 8th 2012. Available at: http://bit.ly/T9NdX3. Last Accessed: November 12th 2012.

[27]. Punj, S. Wages of Haste: Implementing the cash transfer scheme is proving a challenge. January 2013. Available at: http://bit.ly/1024Dwo. Last accessed: February 28th 2013.

[28]. The International Business Times. India to Roll Out World’s Biggest Direct Cash Transfer Scheme for the Poor. November 2012. Available at: http://bit.ly/UYbtw4. Last accessed: February 28th 2013.

[29]. Mid Day. Do not register for Aadhaar card before March 15: UID in –charge. February 2013. Available at: http://bit.ly/Xymx9d. Last accessed: February 28th 2013.

[30]. These points were raised in the following frontline article Ibid: Ramachandran, R. How reliable is UID? Frontline. Volume 28 – Issue 24 November 19th – December 2nd 2011. Available at: http://bit.ly/13UMiSv. Last accessed February 28th 2013.

For more details visit https://cis-india.org/internet-governance/blog/uid-and-npr-a-background-note

Responding to govt requests is a challenge for online firms: Colin Maclay

praskrishna — 2013-03-15T05:07:10Z

Colin M. Maclay, MD of Berkman Center for Internet and Society at Harvard, on challenges in cyberspace.

Colin M. Maclay, MD of Berkman Center for Internet and Society at Harvard mentions about the Centre for Internet and Society, Bangalore in his interview done by LiveMint. The article was published in LiveMint on March 13, 2013.

Mumbai: Colin M. Maclay, managing director of the Berkman Center for Internet and Society at Harvard University, says that companies such as Google Inc. and Facebook Inc. are facing their greatest challenge in responding appropriately to governments that demand user information from them as part of regular practice or to abuse power. In an email interview to Mint on Wednesday, Maclay underscored the policy gaps on the Internet, differences in cyber laws across nations and the forces transforming education, media and technology companies online. He hopes to elaborate on some of these views in Mumbai on Thursday, the concluding day of Ficci Frames,a conclave on the media and entertainment industry that began on Tuesday. Edited excerpts:

How vulnerable are we because of the information shared on email platforms such as Gmail or Yahoomail or on social networks like Facebook?

We are vulnerable in many ways as we share information about ourselves and our friends, sometimes wisely and other times indiscriminately. But this information is later shared with many third-party tracking networks so that the highest bidder can advertise to us the product they think we want. That information is also sold to other interested parties, from businesses to governments. Other business offerings like facial recognition software only make the proposition spookier. Many of them want to responsibly monetize our data typically for advertising or improving their service offerings although we may not all agree on what that means in practice.

Are any laws being considered in the US to protect people’s privacy online?

Privacy around telephony, wiretaps for instance, is much better than Internet-related government requests. There are a host of laws and regulations around privacy in the US, but many of my colleagues would likely say that they are inadequate—not keeping up with the technology, actual use or business practice. They are also in conflict with European laws, which suggests the need to resolve these differences. In this gap, practices like the Google and Twitter Transparency Reports are significant steps forward in telling what governments are actually doing around the world with respect to online privacy and expression. India’s government has a noteworthy presence in these reports, as does the US.

Is it easier for the government to get personal information of suspects’ activity online from Google or Facebook than it would be through an offline search warrant?

There are questionable requests made to companies to provide user information, censor content or other such action by law enforcement agencies in various jurisdictions. Often it is legitimate, and companies should respond accordingly, while at other times, companies may overreach unintentionally, requesting much more information than they need or broader censorship due to their own lack of understanding. In other cases, as part of regular practice or in an informal abuse of power, governments will make requests that do not hold up scrutiny to the rule of law and due process. They may have political or economic motivations, for instance. It’s in discerning between these cases, and figuring out how to respond appropriately, that the companies face their greatest challenge.

Has the freedom of expression been limited by the governments?

The OpenNet initiative, a research collaboration between the Citizen Lab at the University of Toronto and the Berkman Center at Harvard, has documented the rise of state-sponsored Internet censorship from a handful of countries a decade ago to over 40 countries today. Beyond technical control, there is a massive increase in copyright-related takedowns that include legitimate takedowns, plus many attempts at economic and political control. There are informal legal and process controls on content. There is also a wide range of self-censorship that’s difficult to document.

How are these companies addressing the issue?

In recognition of the difficult situation, companies such as Google, Microsoft Corp., Yahoo Inc. (Facebook is an observer at present), non-government organizations like Human Rights Watch, Center for Democracy and Technology (CDSA) and the Centre for Internet and Society in Bangalore and investors like Calvert Investments Inc. and F&C Asset Management Plc, founded the Global Network Initiative (GNI) in October 2008 to protect and advance privacy and freedom of expression online.

Cybercrimes like credit card frauds surface time and again...why is the Internet still not secure enough?

It goes back to beginnings of the Internet, it was built to be open rather than secure. That said, there are a variety of different concerns, including organizations doing an inadequate job of securing the credit card data they hold. That’s their fault and it seems there should be policy solutions that require better security and exact penalties for lapses and bad practice to encourage better behaviour. Credit card fraud online and offline is a problem, and unfortunately it sometimes effectively punishes countries with risk by automatically denying cards—effectively leaving users in those countries without access to e-commerce.

On the good side, top universities around the world now offer online education, How is it transforming the education system?

Like many analog institutions that are adopting digital resources, it’s unclear what will happen. Hopefully it will lower prices, increase learning opportunities, and improve learning all in a sustainable way. We can’t deny, however, the role of in-person interaction whether it’s while seeing friends, dating or doing business and learning is no different.

Looking at trends, laptops began replacing desktops and now tablets are becoming a preferred personal computing device. What’s next?

A decade ago it was laptops or mobiles, and the price of laptops came down, but the mobile network proliferated even faster. Smartphones continued to drop in price and increase in potential, laptops are lighter than ever, tablets have come up, even operating systems are beginning to converge. Now, immersive experiences like Google Glass are coming. It’s hard to know what’s next, but I hope that device convergence will serve as an enabler rather than a limiter.

For more details visit https://cis-india.org/news/livemint-ruchita-saxena-march-13-2013-responding-to-govt-requests-is-a-challenge-for-online-firms

Rethinking the Internet: The Way Forward

praskrishna — 2013-03-13T04:53:21Z

Telecom Italia and Financial Times are organizing this event at Telecom Italia Future Centre in Italy on March 21 and 22, 2013. Pranesh Prakash is participating in this event.

Overview

The advent of smartphones and other mobile devices, and the resulting explosive growth in internet usage have transformed the way that societies communicate. The internet is a major driver for global economies as it continues to create new forms of interaction, and offers unprecedented business opportunities and profitable collaborations. The evolution of the internet is however also contributing to changing social perceptions of privacy and copyright, and concerns are developing about the security of countries and organisations, and the liabilities of internet intermediaries.

Another crucial issue is internet governance. Some doubts have been cast on the effectiveness of the present decision-making model in setting the basis for an investment-conducive and future-proof framework, and in balancing the interests of all the players involved in the market scenario.

Rethinking the Internet: The Way Forward, organised by the Financial Times and Telecom Italia, will contribute to this debate by featuring interactive CEO-level workshops that explore the impact of the internet on business models, the role of public and private collaborations in enabling innovation, the key policy, governance and security considerations that need to be addressed, and future implications of the internet evolution for all players in the global communications industry.

Agenda Day One: Thursday, March 22, 2013

10:30- 11:05	Registration and networking
11:05- 11:15	Chair's opening remarks
11:15- 11:30	Welcome address by Telecom Italia
11:30- 01:30	Introduction to Rethinking the Internet How will the internet continue to evolve and what implications does this have for future business models? Who will be the key industry players in the next 10 years and which collaborations, investments and infrastructure developments will yield sustainable growth? How sustainable is the internet as a business model? Will excessive policy-making and regulatory controls curb innovation? Where is the industry heading now?
01:30- 02:30	Lunch
02:30 - 04:30	A New Internet Governance What are the latest developments in internet governance policy-making? What changes can be expected in the near future? How can policy groups and organisations work together to create a balanced and fair internet governance model? What are the limitations of the current recommendations and what improvements need to be made? What are the implications for privacy, online anonymity and data protection?
04:30- 05:00	Refreshments
05:00 - 07:00	Internet Security What new threats and challenges are being created by the internet evolution and how are governments legislating for this? As cybersecurity continues to become a threat, can policies keep up with industry innovations and technological advances? How can a truly global internet be monitored and managed by international jurisdictions with different national priorities? What role do non-governmental entities have to play in policing the internet and making it more secure?
07:00 - 07:10	Chair's concluding remarks
07:10	Drinks reception, followed by Dinner

Agenda Day Two: Friday, March 23, 2013

08:30- 08:50	Arrival and networking
08:50- 09:00	Chair's opening remarks
09:00- 11:00	Internet Privacy and Copyrights Co-operation between policy-makers and industry players is critical in encouraging an open communications ecosystem. What pitfalls need to be avoided to ensure that all stakeholder interests are taken into account, including those of the customer? What safeguards need to be put into place to ensure that sensitive data is protected? How is copyright protected in the new digital age? Can the rights of content creators be protected whilst embracing an open internet? Does net neutrality necessarily equal internet freedom? And how is the right government intervention – internet freedom balance maintained?
11:00- 11:30	Refreshments
11:30- 01:30	Internet after OTT Why are commercial agreements among telco and other communication providers so critical to the provision of internet-enabled products and services? What collaborations are necessary to ensure that internet development and investment contribute to economic growth and market competition? And what role does policy have to play in supporting these commercial initiatives?
01:30- 02:30	Lunch
02:30- 04:00	Overview of Key Themes raised during the Two Day Meeting
04:00	Conclusion

Currently confirmed to participate now include:

Alessandro Acquisti, Associate Professor of Information Technology and Public Policy, Carnegie Mellon University

Jan Philipp Albrecht MdEP / MEP, Member, European Parliament

Virgilio Augusto Fernandes Almeida, Secretary for Information Technology Policies, Ministry of Science, Technology and Innovation (MCTI-SEPIN), Brazil

Suleyman Anil, Head, Cyber Defence Section, Emerging Security Challenges Division, NATO

Johannes M Bauer, Professor, Telecommunication, Information Studies, and Media and Director of Special Programs, Quello Center for Telecommunication Management & Law, Michigan State University

Franco Bernabè, Chairman and CEO of Telecom Italia

Anne Bouverot, Director General & Member of the Board, GSMA

Peter Bradwell, Campaigner, Open Rights Group

Angelo Maria Cardani, Chairman, AGCOM

James W. Cicconi, Senior Executive Vice President-External and Legislative Affairs, AT&T Services, Inc

Giuseppe Corasaniti, General Prosecutor, Italian Supreme Court

Juan Carlos De Martin, Faculty co-director, nexa center for internet & society, Politecnico di Torino and Faculty Fellow, berkman center for internet & society, Harvard University

Adrian Farrel, Routing Area Director, IETF, Juniper Networks and Old Dog Consulting

William W Fisher, Wilmer Hale Professor of Intellectual Property Law and Faculty Director, Berkman Center for Internet and Society, Harvard University

Luigi Gambardella, Chairman Executive Board, ETNO

Hartmut Richard Glaser, Executive Secretary/CGI.br, Brazilian Internet Steering Committee

David A. Gross, Former U.S. Coordinator for International Communications and Information Policy and Partner, Wiley Rein LLP

Ian Hargreaves, Professor of Digital Economy, Cardiff University

James Harkin, Author and Director, Flockwatching

Ahmad Abdulkarim Julfar, CEO, Etisalat Group

Dr Robert E Kahn, TCP/IP co-creator and Chairman, CEO and President, Corporation for National Research Initiatives (CNRI)

Loz (Laurence) Kaye, Leader, Pirate Party UK

Thomas M. Lenard, President and Senior Fellow, Technology Policy Institute

Gerd Leonhard, Futurist, Author and CEO, The Futures Agency

Jonathan Liebenau, Reader in Technology Management, Department of Management, London School of Economics

Robert Levine, Journalist and Author of Free Ride

Patrice Lyons, Corporate Counsel, Corporation for National Research Initiatives (CNRI)

Joe McNamee, Executive Director, European Digital Rights

Milton L Mueller, Professor, School of Information Studies, Syracuse University

Eli Noam, Director, Columbia Institute for Tele-Information, Professor of Finance and Economics and Garrett Professor of Public Policy and Business Responsibility, Columbia University Business School

Sam Paltridge, Directorate of Science Technology and Industry, OECD

Prof. Francesco Pizzetti, Chairman, Privacy Authority

Pranesh Prakash, Policy Director, Centre for Internet and Society

Philip R. Reitinger, Senior Vice President and Chief Information Security Officer, Sony Corporation

Dr Georg Serentschy, CEO Telecommunications, RTR-GmbH (Austrian Regulatory Authority for Broadcasting and Telecommunications)

Michael Skapinker, Assistant Editor and Columnist, Financial Times

Christopher Soghoian, Principal Technologist and Senior Policy Analyst, American Civil Liberties Union

Dr. Hamadoun I. Touré, Secretary General, International Telecommunication Union (ITU)

Nico van Eijk, Professor of Media and Telecommunications Law and Director of the Institute for Information Law, University of Amsterdam

Ben Verwaayen, CEO, Alcatel-Lucent

Philip L. Verveer, Ambassador, U.S. Coordinator, International Communications and Information Policy, US Department of State

Richard Waters, West Coast Editor, Financial Times

Christopher S Yoo, John H. Chestnut Professor of Law, Communication, and Computer & Information Science, Founding Director, Center for Technology, Innovation and Competition, University of Pennsylvania Law School

For more details visit https://cis-india.org/news/rethinking-the-internet

Draft Human DNA Profiling Bill (April 2012): High Level Concerns

elonnai — 2013-07-12T15:36:59Z

In 2007 the Draft Human DNA Profiling Bill was piloted by the Centre for DNA Fingerprinting and Diagnostics, with the objective of regulating the use of DNA for forensic and other purposes. In February 2012 another draft of the Bill was leaked. The February 2012 Bill was drafted by the Department of Biotechnology. Another working draft of the Bill was created in April 2012. The most recent version of the Bill seeks to create DNA databases at the state, regional, and national level.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Each database will contain profiles of victims, offenders, suspects, missing persons and volunteers for the purpose of establishing identity in criminal and civil proceedings. The Bill also establishes a process for certifying DNA laboratories, and creating a DNA board for overseeing the carrying out of the Act. Though it is important to carefully regulate the use of DNA for criminal purposes, and such a law is needed in India, the present working draft of the Bill is lacking important safeguards and contains overreaching provisions, which could lead to violation of individual rights. The text of the 2012 draft is still being discussed and has not been finalized. Below are high level concerns that CIS has with the April 2012 draft Human DNA Profiling Bill.

Broad offences and instances of when DNA can be collected

The schedule of the Bill lists applicable instances for human DNA profiling and addition to the DNA database. Under this list, the Bill lays out nine Acts, for example the Indian Penal Code and the Protection of Civil Rights Act, and states that offences under these Acts are applicable instances of human DNA profiling. This allows the scope of the database to be expansive, as any individual who has committed an offence found under any of these Acts to be placed on the DNA database, and might include offences for which DNA evidence is not useful.

In the schedule under section C Civil disputes and other civil matters the Bill lists a number of civil disputes and civil matters for which DNA can be taken and entered onto the database. For example:

(v) Issues relating to immigration or emigration
(vi) Issues relating to establishment of individual identity
(vii) Any other civil matter as may be specified by the regulations of the Board

In these instances no crime has been committed and there is no justification for taking the DNA of the individual without their consent. In cases of civil disputes

Recommendation: Offences for which DNA can be collected must be criminal and must be specified individually by the Bill. When DNA is used in civil cases, the consent of the individual must be taken. In civil cases a DNA profile should not be stored on the database. DNA profiling and storage on a database should not be allowed in instances like v, vi, vii listed above.

Inadequate level of authorization for sharing of information

The Bill allows for the DNA Data Bank Manager to determine when it is appropriate to communicate whether the DNA profile received is already contained in the Data Bank, and any other information contained in the Data Bank in relation to the DNA profile received.

Section 35 (1): “…shall communicate, for the purposes of the investigation or prosecution in a criminal offence, the following information to a court, tribunal, law enforcement agency, or DNA laboratory in India which the DNA Data Bank Manager considers is concerned with it, appropriate, namely (a) as to whether the DNA profile received is already contained in the Data Bank; and (b) any information, other than the DNA profile received, is contained in the Data Bank in relation to the DNA profile received.”

Recommendation: The Data Bank Manager should not be given the power to determine appropriate instances for the communication of information. Law enforcement agencies, DNA laboratories, etc. should be required to gain prior authorization, from the DNA Board, before requesting the disclosure of information from the DNA Data Bank Manager. Upon receiving proof of authorization, the DNA databank can share the requested information.

Inaccurate understanding of infallibility of DNA

The preamble to the Bill inaccurately states:

The Dexoxyribose Nucleic Acid (DNA) analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any between two individuals, living or dead without any doubt.

Recommendation: The Bill should recognize that DNA evidence is not infallible. For example, false matches can occur based on the type of profiling system used, and that error can take place in the chain of custody of the DNA sample.

The “definition” of DNA profiling is too loose in the Bill. Any technology used to create DNA profiles is subject to error. The estimate of this error should be experimentally obtained, rather than being a theoretical projection.

Inadequate access controls

The Bill only restricts access to information on the DNA database that relates to a victim or to a person who has been excluded as a suspect in relevant investigations.

Section 43: Access to the information in the National DNA Data Bank shall be restricted in the manner as may be prescribed if the information relates to a DNA profile derived from a) a victim of an offence which forms or formed the object of the relevant investigation, or b) a person who has been excluded as a suspect in the relevant investigation.

Recommendation: Though it is important that access is restricted in these instances, access should also be restricted for: volunteers, missing persons, and victims. Broad access to every index in the database should not be permitted when a DNA sample for a crime is being searched for a match. Ideally, a crime scene index will be created, and samples will only be compared to that specific crime scene. The access procedure should be transparent with regular information published in an annual report, minutes of oversight meetings taken, etc.

Lack of standards and process for collection of DNA samples

In three places the Bill mentions that a procedure for the collection of DNA profiles will be established, yet no process is enumerated in the actual text of the Bill.

Section 12 (w) “The Board will have the power to… specify by regulation, the list of applicable instances of human DNA profiling and the sources and manner of collection of samples in addition to the lists contained in the Schedule.

Section 66(d) “The Central Government will have the power to make Rules pertaining to… The list of applicable instances of human DNA profiling and the sources and manner of collection of samples in addition to the lists contained in the Schedule under clause (w) of section 12.
Schedule: In the title “List of applicable instances of Human DNA Profiling and Sources and Manner of Collection of Samples for DNA Profiling”. But the schedule does not detail the manner of collection of samples for DNA profiling.

Recommendation: According to the Criminal Procedure Code, section 53 and 54, DNA samples can only be collected by certified medical professionals. This must be reflected by the Bill. The Bill should also state that the collection of DNA must take place in a secure location and in a secure manner. When DNA is collected, consent must be taken, unless the individual is convicted of a crime for which DNA evidence is directly relevant or the court has ordered the collection. When DNA is collected, personal identification information should not be sent with samples to laboratories, and all transfers of data (from police station to lab) must be secure. Upon collection, information regarding the collection of information and potential use and misuse of DNA information must be provided to the individual.

Inadequate appeal process

The provisions in the Bill allow aggrieved individuals to bring complaints to the DNA Board. If the complaint is not addressed, the individual can take the complaint to the court. Though grievances can be taken to the Board and the court, it is not clear if the individual has the right to appeal the collection, analysis, sharing, and use of his/her DNA. The text of section 58 implies that the Board and the Central government will have the power to take action based on complaints. This power was not listed above in the sections where the powers of the board and the central government are defined, thus it is unclear what actions the Board or the Central Government would be able to take on complaint.

Section 58: No court shall take cognizance of any offence punishable under this Act or any rules or regulations made thereunder save on a complaint made by the Central Government or its officer or Board or its officer or any other person authorized by them: Provided that nothing contained in this sub-section shall prevent an aggrieved person from approaching a court, if upon his application to the Central Government or the Board, no action is taken by them within a period of three months from the date of receipt of the application.

Recommendation: Individuals should be allowed to appeal a decision to collect DNA or share a DNA profile, and take any grievance directly to the court. If the Board or the Central Government will have a role in hearing complaints, etc. These must be enumerated in the provisions of the Act.

Inclusion of population testing

Though the main focus of the Bill is for the use of DNA in criminal and civil cases, the provisions of the Bill also allow for population testing and research to be done on collected samples.

Section 4: The Board shall consist of the following Members appointed from amongst persons of ability, integrity, and standing who have knowledge or experience in DNA profiling including.. (m) A population geneticist to be nominated by the President, Indian National Science Academy, Den Delhi-Member.

Section 40: Information relating to DNA profiles, DNA samples and records relating thereto shall be made available in the following instances, namely, (e) for creation and maintenance of a population statistics database that is to be used, as prescribed, or the purposes of identification research, protocol development or quality control provide that it does not contain any personally identifiable information and does not violate ethical norms.

Recommendation: Delete these provisions. If DNA testing is going to done for population analysis purposes, regulations for this must be provided for in a separate legislation, stored in separate database, informed consent taken from each participant, and an ethics board must be established. It is not sufficient or ethical to conduct population testing only on DNA samples from victims, offenders, suspects, and volunteers.

Provisions delegated to regulation that need to be incorporated into text of Bill

The Bill empowers the board to formulate regulations for, and the Central Government to make Rules to, a number of provisions that should be within the text of the Bill itself. By leaving these provisions to Regulations and Rules, the Bill is a skeleton which when enacted will only allow for DNA Labs to be certified and DNA databases to be established. Aspects that need to be included as provisions include:

Section 12: The Board shall exercise and discharge the following functions for the purposes of this Act namely

Section 12(j) – authorizing procedures for communication of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies.
Section 12(p) – making specific recommendations to (ii) ensure the accuracy, security, and confidentiality of DNA information, (iii) ensure the timely removal and destruction of obsolete, expunged or inaccurate DNA information (iv) take any other necessary steps required to be taken to protect privacy.
Section 12(w) – Specifying, by regulation, the list of applicable instances of human DNA profiling and the sources a manner of collection of samples in addition to the lists contained in the Schedule.
Section 12(u) – establishing procedure for cooperation in criminal investigation between various investigation agencies within the country and with international agencies.
Section 12(x) – Enumerating the guidelines for storage of biological substances and their destruction.

Section 65(1) The Central Government may, by notification, make rules for carrying out the purposes of this Act

Section 65 (c) – The officials who are authorized to receive the communication pertaining to information as to whether a person’s DNA profile is contained in the offenders’ index under sub-section (2) of section 35
Section 65 (d) – The manner in which the DNA profile of a person from the offenders’ index shall be expunged under sub-section (2) of section 37
Section 65 (e) – The manner in which the DNA profile of a person from the offender’s index shall be expunged under sub-section (3) of section 37
Section 65 (h) – The manner in which access to the information in the DNA data Bank shall be restricted under section 43
Section 65 (zg) – Authorization of other persons, if any, for collection of non-intimate forensic procedures under Part II of the Schedule.

Broad Language that needs to be specified or deleted

There are a number of places in the Bill which use broad and vague language. This is problematic as it expands the potential scope of the Bill. Instances where broad language is used includes:

Preamble: There is, thus, need to regulate the use of human DNA Profiles through an Act passed by the Parliament only for Lawful purposes of establishing identity in a criminal or civil proceeding and for other specified purposes.

Section 12: The Board may make regulations for (j) authorizing procedures for communications of DNA profile for civil proceedings and for crime investigation by law enforcement and other agencies.
Section 12: The Board may make regulations for (y) undertaking any other activity which in the opinion of the Board advances the purposes of this Act.
Section 12: The Board may make regulations for (z) performing such other functions as may be assigned to it by the Central Government from time to time.
Section 32: The indices maintained under sub-section (4) shall include information of data based on DNA analysis prepared by a DNA laboratory duly approved by the Board under section 15 of the Act and of records relating thereto, in accordance with the standards as may be specified by the regulations made by the Board.
Section 35 (1) On receipt of a DNA profile for entry in the DNA Data Bank, the DNA Data Bank Manager shall cause it to be compared with the DNA profiles in the DNA Data Bank and shall communication, for purposes of the investigation or prosecution in a criminal offence, the following information…(a) as to whether the DNA profile received is already contained in the Data Bank and (b) any information other than the DNA profile received, is contained in the Data Bank in relation to the DNA profile received. (2) The information as to whether a person’s DNA profile is contained in the offenders’ index may be communicated to an official who is authorized to receive the same as prescribed.
Section 39: All DNA profiles and DNA samples and records thereof shall be used solely for the purpose of facilitating identification of the perpetrator of a specified offence under Part I of the Schedule. Provided that such profiles or samples may be used to identify victims of accidents or disasters or missing persons or for purposes related to civil disputes and other civil matters listed in Part 1 of the Schedule for other purposes as may be specified by the regulations made by the board.
Section 40: Information relating to DNA profiles, DNA samples and records relating thereto shall be made available in the following instances, namely (g) for any other purposes, as may be prescribed.
Schedule, C Civil disputes and other civil matters vii) any other civil matter as may be specified y the regulations made by the Board.

Recommendation: All broad and vague language should be deleted and replaced with specific language.

Jurisdiction

Section 1(2) It extends to the whole of India.

Section 2(f) “Crime scene index” means an index of DNA profiles derived from forensic material found (i) at any place (whether within or outside of India) where a specified offence was, or is reasonably suspected of having been, committed.

The validity of DNA profiles found outside of India is unclear as the Act only extends to the whole of India.

Inconsistent provisions

The Bill contains provisions that are inconsistent including:

Preamble … from collection to reporting and also to establish a National DNA Data Bank and for matters connected therewith or incidental thereto.
Section 32 (1) The Central Government shall, by notification establish a National DNA Data Bank and as many Regional DNA Data Banks there under for every State or a group of States, as necessary. (2) Every State Government may, by notification establish a State DNA Data Bank which shall share the information with the National DNA Data Bank. The National DNA Data Bank shall receive DNA data from State DNA Data Banks…

Recommendation: The introduction to the Bill states that only a National DNA Data Bank will be established, yet in the provisions of the Bill it states that Regional and State level DNA databanks will also be established. It should be clarified in the introduction to the Bill that state level, regional level, and a national level DNA database will be created.

Inadequate qualifications of DNA Data Bank Manager

Section 33: “The DNA Data Bank Manager shall be a person not below the rank of Joint Secretary to the Government of India or equivalent and he shall report to the Member –Secretary of the Board. The DNA Data Bank Manager shall be a scientist with understanding of computer applications and statistics.”

Recommendation: This is not sufficient qualifications. The DNA Data Bank Manager needs to have experience and expertise handling, working with, and managing DNA for forensic purposes.

Lack of restrictions on labs seeking certification

According to section 16(2), before withdrawing approval granted to a DNA laboratory...the Board will give time to the laboratory...for taking necessary steps to comply with such directions...and conditions.”
Recommendation: This section should specify that during the time period of gaining certification, the DNA laboratory is not allowed to process DNA.

Incomplete terms for use of DNA in courts

Section 45 of the Bill allows any individual undergoing a sentence of imprisonment or under sentence of death to apply to the court which convicted him for an order for DNA testing. The Bill lists seven conditions that must be met for this DNA evidence to be accepted and used in court.
Recommendation: This section speaks only to the use of DNA in courts upon request by a convicted individual. This section should lay down standards for all instances of use of DNA in courts. Included in this, the provision should clarify that when DNA is used, corroborating evidence will be required in courts, and if confirmatory samples will be taken from defendants. Individuals should also have the right to have a second sample taken and re-analyzed as a check, and individuals must have a right to obtain re-analysis of crime scene forensic evidence in the event of appeal.

Inadequate privacy protections

Besides section 38 which requires that all DNA profiles, samples, and records are kept confidential, the Bill leaves all other privacy protections to be recommended by the DNA profiling Board.

Section 12(o) The Board shall exercise and discharge the following functions…“Making recommendation for provision of privacy protection laws, regulations and practices relating to access to, or use of, store DNA samples or DNA analyses with a view to ensure that such protections are sufficient.”

Recommendation: Basic privacy protections such as access, use, and storage of DNA samples should be written into the provisions of the Bill and not left as recommendations for the Board to make.

Missing Provisions

Notification to the individual: There are no provisions that ensure that notification is given to an individual if his/her information is legally accessed or shared. Notification to the individual would be appropriate in section 36, which allows for the sharing of DNA profiles with foreign states, and section 35, which allows for the sharing of information with a court, tribunal, law enforcement agency, or DNA laboratory. As part of the notification, an individual should be given the right to appeal the decision.
Consent: There are no provisions which speak to consent being taken from individuals whose DNA is collected. Consent must be taken from volunteers, missing persons (or their families), victims, and suspects. DNA can be taken compulsorily from offenders after they have been convicted. If an individual refuses to provide a DNA sample, a judge can override the decisions and order that a DNA sample be taken. In all cases that DNA is collected without consent, it must be clear that DNA evidence is directly relevant to the case.
Right to request deletion of DNA profile from database: There are no provisions which give volunteers (children volunteers when they become adults), victims, and missing persons the right to request that their profile be deleted from the DNA database. This could be provided in section 37 which speaks to the expunction of records of acquitted convicts.
Right of individuals to bring a private cause of action: There are no provisions which give the individual the right to bring a privacy cause of action for the unlawful storage of private information in the national, regional, or state DNA database. This is an important check against the unlawful collection, analysis, and storage of private genetic information on the database.
Right to review one's personal data: There are no provisions that allow an individual to review his/her information contained on the state, regional, or national database. This is an important check against the unlawful collection, analysis, and storage of private genetic information on the database.
Independence of DNA laboratories and DNA banks from the police: There are no provisions which ensure that DNA laboratories and DNA data banks remain independent from the police. This is an important check in ensuring against the tampering of DNA evidence.
Established profiling standard: The Bill does not mandate the use of one single profiling standard. This is important in order to minimize false matches occurring by chance and to ensure consistency across DNA testing and profiling.
Destruction of DNA samples: There are no provisions mandating that original samples of DNA be deleted. DNA samples should be destroyed once the DNA profiles needed for identification purposes have been obtained from them – allowing for sufficient time for quality assurance (six months). Furthermore, only a barcode and no identifying details should be sent to labs with samples for analysis.

For more details visit https://cis-india.org/internet-governance/blog/draft-human-dna-profiling-bill-april-2012

UID has no legal sanctity, says lawyer-activist

praskrishna — 2013-03-11T06:08:32Z

‘Iris scanning adopted for the UID project is flawed as the iris keeps changing’

This article was published in the Hindu on March 3, 2013. CIS organized a workshop at the event.

Unique Identification Authority of India (UIDAI) and the UID project have no legal sanctity, said independent law researcher and human rights activist Usha Ramanathan on Saturday.

Speaking at a workshop on the UID, the National Population Register and Governance, organised by the Centre for Internet and Society, Ms. Ramanathan said the UIDAI has “no clear legal status.” “The fact that there are no limits placed on its functioning is deeply worrying,” she remarked.

Ms. Ramanathan pointed out that an agency, which was created by a mere executive order in 2009, now “owns” the data obtained from Indian citizens. Although the UIDAI has said enrolment is not mandatory, a host of providers of essential services – from ration shops to LPG distributors and now even railway tickets – require Aadhaar authentication.

The idea of using biometric validation of identities was adopted despite there “being no evidence of its viability anywhere in the world,” Ms. Ramanathan said. In fact, several reports have established the failure of biometrics as a means of validating identities, she claimed. The iris scanning, which has been adopted for the UID project is flawed because the iris does change over time, she said.

Anant Maringati, a geographer from Hyderabad, said the “positive” potential of the project have been usurped by entities such as microfinance institutions, which sue them to track those who have defaulted on loans.

‘An agency, which was created by a mere executive order in 2009, now owns the data obtained from Indian citizens’

‘Although the UIDAI has said enrolment is not mandatory, providers of essential services seek Aadhaar authentication’

For more details visit https://cis-india.org/news/the-hindu-march-3-2013-uid-has-no-legal-sanctity