Centre for Internet and Society

Should you worry about identity theft?

Admin — 2017-11-26T11:24:56Z

Laws in India regarding data protection may be weak, but following basic cyber hygiene rules can make your own defences stronger.

The article by Shaikh Zoaib Saleem was published in Livemint on September 20, 2017. Pranesh Prakash quoted.

Earlier this month, US-based credit information company Equifax Inc. said its systems had been struck by a cybersecurity incident that may have affected about 143 million US consumers. A report by Bloomberg said the incident could be ranked among one of the largest data breaches in history. The intruders accessed names, social security numbers, birth dates, addresses, driver’s licence numbers and also credit card numbers, Equifax said in a statement.

While this reiterates what cyber security professionals say, that nothing is hack proof, it does remind us of the range of cyber crimes, which revolve around identity theft and frauds. It gives us a chance to reflect upon how well prepared we are, if a cyber attack strikes us, or if our personally identifiable data gets leaked.

According to the Norton Cyber Security Insights Report 2016, 49% of India’s online population, or more than 115 million Indians, are affected by cybercrime at some point with the country ranking second in terms of highest number of victims. “No government or organisation creates something that is designed to fail deliberately. People find the gaps in that system and then try to misuse it,” said Ritesh Chopra, country manager, consumer business unit, Symantec India, a cyber security company.

While it can be debated as to who should take the blame in different instances, one underlying theme is following basic cyber hygiene. “There are several mobile apps that leak data. While downloading and installing an app, you may give out access to several other things in your device,” said Chopra.

Most cyber crimes involve leak or breach of public information, which leads to identity fraud. Let’s take a look at what an identity fraud could mean.

Identity theft and frauds

Everything that we do online is linked to a digital identity—an email ID, a phone number or even an IP address of a device. Harshil Doshi, strategy security consultant, Forcepoint India, a cyber security firm, said that as long as the leaked information is limited to names, email addresses, addresses and mobile numbers, there may not be a reason for worrying. “There needs to be a distinction between what information is publicly available and what can be used only privately. People also talk about Aadhaar leaks. As long as it is not my fingerprint and retina scan, there is no cause of concern, because information like name and address are anyway public,” he said.

However, not everyone agrees with this point of view. Pranesh Prakash, policy director at advocacy group Centre for Internet and Society, said email addresses, date of birth and mobile phone number of an individual are not necessarily public information. “Work-related email addresses may be publicly available online but personal ones are not,” he said. Prakash, however, added that our notion of public information keeps changing.

Identity fraud impact

The concept of identity theft has become complicated as our digital lives expand. “Everything about you as an individual is your identity, including something personal like blood group and medical history. Your social media profile, bank transactions, blogs or online comments are also a part of this. From a fraud perspective, it is equally complex,” said Chopra.

Your identity can be impersonated in several ways. “The most common methods of identity fraud all require collecting publicly-available information about you,” said Prakash. For example, celebrity leaks in the US (cloud storage was hacked) happened also because there is more information about celebrities publicly available than for an average individual, he said.

Another example could be misuse of information regarding foreign exchange. “In India, there is a limit of buying foreign exchange worth $30,000 for an individual in a year. If information on how many times you exhaust that limit falls in the wrong hands, it can be used for money laundering in your name. How many people think about how PAN and passport copy that one shares to buy foreign exchange, can be misused?” said Chopra.

Further, health insurance can be fudged and somebody can use the benefit under your name or buy restricted medicines misusing your medical prescription.

What the law says

There are provisions in the Indian Penal Code that deal with issues like cheating by impersonation to some extent. “There isn’t anything that adequately covers activities such as getting access to your personal data, which leads to identity fraud, or sufficiently penalizes things like data breaches or data leaks that facilitate identity fraud,” said Prakash.

The government is working towards data protection laws. A committee for data protection framework has been constituted under Justice B.N. Srikrishna, former judge of Supreme Court.

But it needs to be seen what comes out of these deliberations. “I am quite apprehensive, yet hopeful, about what the committee will produce, especially because they will need to deal with protection of biometric data, leaks of which will be far worse than any other leaks because biometrics is something that cannot be changed at will subsequent to a leak, unlike one’s phone number, email address or password,” said Prakash.

According to cyber security professionals, prevention seems the only way out. “We have forgotten the difference between the real and virtual worlds. In the real world, if somebody knocks at your door, you will check before opening the door ,” said Chopra. The problem for individuals starts when we click on a malicious link or download a file like a song or an image which could have a malware loaded on it. Once it enters our system, it immediately starts stealing information.

While the law may take some time to evolve and address the issues arising out of larger data breaches from corporate entities or even from the government, it is important to be vigilant, which includes having complex passwords, not sharing passwords, being aware of suspicious emails and messages and downloading files and software only from reputed sources. While this alone may not guarantee you protection online, it certainly minimises the risk.

For more details visit https://cis-india.org/internet-governance/news/livemint-shaikh-zoaib-saleem-september-20-2017-should-you-worry-about-identity-theft

Rethinking National Privacy Principles: Evaluating Principles for India's Proposed Data Protection Law

amber — 2017-09-11T02:22:01Z

This report is intended to be the first part in a series of white papers that CIS will publish which seeks to contribute to the discussions around the enactment of a privacy legislation in India. In subsequent pieces we will focus on subjects such as regulatory framework to implement, supervise and enforce privacy principles, and principles to regulate surveillance in India under a privacy law.

Edited by Elonnai Hickok and Vipul Kharbanda

This analysis intends to build on the substantial work done in the formulation of the National Privacy Principles by the Committee of Experts led by Justice AP Shah.1 This brief, hopes to evaluate the National Privacy Principles and the assertion by the Committee that right to privacy be considered a fundamental right under the Indian Constitution. The national privacy principles have been revisited in light of technological developments such as big data, Internet of Things, algorithmic decision making and artificial intelligence which are increasingly playing a greater role in the collection and processing of personal data of individuals, its analysis and decisions taken on the basis of such analysis. The solutions and principles articulated in this report are intended to provide starting points for a meaningful and nuanced discussion on how we need to rethink the privacy principles that should inform the data protection law in India.

Click to read the full blog post

For more details visit https://cis-india.org/internet-governance/blog/rethinking-national-privacy-principles

MediaNama - #NAMAprivacy: The Future of User Data (Delhi, Sep 6)

sumandro — 2017-09-05T10:22:12Z

MediaNama is hosting a full day conference on "the future of user data in India", on the 6th of September 2017, which is particularly significant given the recent Supreme Court ruling on the fundamental right to privacy, and two government consultations: one at the TRAI, and another at MEITY. This discussion is supported by Facebook, Google, and Microsoft. Sumandro Chattapadhyay, Research Director, will participate as a speaker in the session titled "regulating storage, sharing and transfer of data."

Details

Time: September 6th 2017, 9 am to 4:30 pm

Venue: Gulmohar Hall, India Habitat Centre, Lodhi Road (please enter from Gate #3)

Agenda: https://www.medianama.com/2017/08/223-agenda-namaprivacy-future-of-user-data/

Announced Speakers

Chinmayi Arun, Centre for Communication Governance at NLU Delhi
Malavika Raghavan, IFMR Finance Foundation
Renuka Sane, NIPFP
Smitha Krishna Prasad, Centre for Communication Governance at NLU Delhi
Ananth Padmanabhan, Carnegie India
Avinash Ramachandra, Amazon
Hitesh Oberoi, Naukri
Jochai Ben-Avie, Mozilla
Mrinal Sinha, Mobikwik
Murari Sreedharan, Bankbazaar
Sumandro Chattapadhyay, Centre for Internet and Society

Facilitators

Saikat Datta, Asia Times Online
Shashidar KJ, MediaNama
Nikhil Pahwa, MediaNama

Attendees

We have confirmed 140+ attendees from: Adobe, Amber Health, Amazon, APCO Worldwide, Bank Bazaar, Bloomberg-Quint, Blume Ventures, Broadband India Forum, Business Standard, BuzzFeed News, CCOAI, CEIP, Change Alliance, Chase India, CIS, CNN News18, DEF, Deloitte, DNA, DSCI, E2E Networks, British High Commission, Eurus Network Services, FICCI, Firefly Networks, Flipkart, Forrester Research, Fortumo, DoT, MEITY, IAMAI, IBM, ICRIER, IFMR Finance Foundation, IIMC, Indian Law Institute, Indic Project, Info Edge, ISPAI, IT for Change, ITU-APT, Jamia Millia Islamia, Jindal Global Law School, Mimir Technologies, Mozilla, Newslaundry, NIPFP, Nishith Desai Associates, NIXI, NLU-Delhi, ORF, Paytm, PLR Chambers, PRS Legislative Research, Publicis Groupe, Quartz India, Reliance Jio, Reuters, Saikrishna & Associates, Scroll.in, SFLC.in, Spectranet, The Economics Times, The Indian Express, The Times of India, The Wire, Times Internet, Twitter, and more.

For more details visit https://cis-india.org/internet-governance/news/medianama-namaprivacy-the-future-of-user-data-delhi-sep-6

Privacy is now a right in India. Here's what that means for the tech industry

Admin — 2017-08-31T14:35:45Z

India's top court has put tech companies on notice.

The blog post by Rishi Iyengar was published by CNN Tech on August 29, 2017.

In ruling that privacy is a fundamental right, the country's Supreme Court singled out tech firms for gathering huge amounts of data: Facebook knows who we are friends with, the justices wrote, while Alibaba studies our shopping habits and Airbnb tracks our travel.

"This can have a stultifying effect on the expression of dissent and difference of opinion, which no democracy can afford," the court said last week. "There is an unprecedented need for regulation regarding [how] such information can be stored, processed and used."

Indian internet activists hailed the decision, but warned that the debate about how tech giants collect and use data is only just beginning.

"These companies must brace for [legal action]," said Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society. "Individuals who are unhappy with the treatment of their personal information can now take them to court, because it is an infringement of a fundamental right."

The UN Conference on Trade and Development said that while the United States, European Union, China and other nations have established similar protections, roughly 60 developing countries have no rules that govern how the tech industry should collect and use personal data.

Activists say legal protections are needed to keep tech firms from irresponsibly harvesting data. Internet giants including Facebook and Google have built their business models around aggregating information about their users, and then marketing it to retailers. Some firms sell the data to third parties.

The global battle lines are being drawn: The U.S. government recently asked the Supreme Court to compel Microsoft (MSFT, Tech30) to hand over user data stored overseas, and the U.K. has proposed legislation that would allow users to ask platforms to delete their posts. The EU has taken several tech firms to task over privacy concerns.

Now the debate is heating up in the world's largest democracy. Nikhil Pahwa, an internet activist and founder of tech website MediaNama, said the Indian court's ruling gives campaigners a major tool in the fight to keep data private.

"We've now been given a right which allows us to argue for our rights against practices of different companies," Pahwa said.

The ruling could even cause problems for the Indian government, which is pushing its own controversial biometric ID card program. Nearly 1.2 billion people -- 92% of India's population -- have registered for the Aadhaar scheme, which links their fingerprints and iris scans to a unique 12-digit number.

The program is designed to make welfare payments and medical services much more efficient. But skeptics have bristled at recent orders that seek to make the biometric ID mandatory when opening a bank account or filing taxes.

"I don't want an Aadhaar number," Pahwa said. "I want to have the right to live in my country ... in a manner that I'm not being surveilled and watched."

Activists are also worried about how their data may be used and protected by third parties. Microsoft, for example, announced in July that it had integrated the biometric program with Skype Lite, a low-bandwidth version of the communications app made for the Indian market.

"If ... your fingerprints are your passwords -- and they're passwords that you can't change -- once they're gone they're gone forever," Pahwa said or potential data leaks.

The Indian government, which argued before the Supreme Court that privacy was not a fundamental right, said following the ruling that it was working on a stringent data protection law. Technology minister Ravi Shankar Prasad told local media that the new rules would be in place by December.

The National Association of Software and Services Companies, which represents India's tech industry, welcomed the Supreme Court's verdict.

"This landmark judgment will ensure that protection of citizen's privacy is a cardinal principle in our growing digital economy," NASSCOM president R Chandrashekhar said in a statement. "It will enhance citizens' trust in digital services."

Microsoft (MSFT, Tech30), Google (GOOGL, Tech30), Facebook (FB, Tech30) and Uber, which all operate in India, did not respond to requests for comment. Local tech players including Ola and Flipkart also did not respond. Amazon (AMZN, Tech30), which is investing heavily in the country, said that it complies with local laws and "has a high bar" for data protection and privacy.

Abraham, from the Centre for Internet and Society, said that "regulatory innovation" is needed to rein in large firms without making life difficult for Indian startups.

"We need to prevent the internet giants from dancing around the regulations with large legal teams, and we need to prevent onerous regulations from crushing emerging firms," he said. "If our lawmakers and parliament are innovative, we can leapfrog straight to the age of big data."

For more details visit https://cis-india.org/internet-governance/news/cnn-tech-august-29-2017-rishi-iyengar-privacy-is-now-a-right-in-india

CIS Statement on Right to Privacy Judgment

amber — 2017-08-31T18:13:14Z

In an emphatic endorsement of the right to privacy, a nine judge constitutional bench unanimously upheld a fundamental right to privacy. The events leading to this bench began during the hearings in the ongoing Aadhaar case, when in August 2015, Mukul Rohatgi, the then Attorney General stated that there is no constitutionally guaranteed right to privacy.

reliance was on two Supreme Court judgments in MP Sharma v Satish Chandra (1954) and Kharak Singh v State of Uttar Pradesh (1962): both cases, decided by eight- and six-judge benches respectively, denied the existence of a constitutional right to privacy. As the subsequent judgments which upheld the right to privacy were by smaller benches, he claimed that MP Sharma and Kharak Singh still prevailed over them, until they were overruled by a larger bench. This landmark judgment was in response to a referral order to clear the confusion over the status of privacy as a right.

We, at the Centre for Internet and Society (CIS) welcome this judgement and applaud the depth and scope of the Supreme Court’s reasoning. CIS has been producing research on the different aspects of the right to privacy and its implications for the last seven years and had the privilege of serving on the Justice AP Shah Committee and contributing to the Report of the Group of Experts on Privacy.[1] We are honoured that some of our research has also been cited by the judgment.[2] Such judicial recognition is evidence of the impact sound research can have on policymaking.

In the course of a 547 page judgment, the bench affirmed the fundamental nature of the right to privacy reading it into the values of dignity and liberty. The judgment is instructive in its reference to scholarly works and jurisprudence not only in India but other legal systems such as USA, South Africa, EU and UK, while recognising a broad right to privacy with various dimensions across spatial, informational and decisional spheres. We note with special appreciation that women’s bodily integrity and citizens’ sexual orientation are among those aspects of privacy that were clearly recognised in the judgment. For researchers studying privacy and its importance, this judgment is of great value as it provides clear reasoning to reject oft-quoted arguments which are used to deny privacy’s significance. The judgement is also cognizant of the implications of the digital age and emphasise the need for a robust data protection framework.

The right to privacy has been read into into Article 21 (Right to life and liberty), and Part III (Chapter on Fundamental Rights) of the Constitution. This means that any limitation on the right in the form of reasonable restrictions must not only satisfy the tests evolved under Article 21, but where loss of privacy leads to infringement on other rights, such as chilling effects of surveillance on free speech, the tests for constitutionality under those provisions for also be satisfied by the limiting action. This provides a broad protection to citizens’ privacy which may not be easily restricted. We expect that this judgment will have far reaching impacts, not just with respect to the immediate Aadhaar case, but also to in a score of other matters such as protection of sexual choice by decriminalising Section 377 of the Indian Penal Code, oversight of statutory search and seizure provisions such as Section 132 of the Income Tax Act, personal data collection and processing practices by both state and private actors and mass surveillance programmes in the interest of national security.

As this judgment comes in response to a referral order, the judges were not dealing with any questions of fact to ground the legal principles in. Subsequent judgments which deal with privacy will apply these principles and further evolve the contours of this right on a case-by-case basis. For now, we welcome this judgment and look forward to its consistent application in the future.

[1]. http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf

[2]. CIS was quoted in the judgement on footnote 46, page 33 and 34: http://supremecourtofindia.nic.in/pdf/LU/ALL%20WP(C)%20No.494%20of%202012%20Right%20to%20Privacy.pdf The quote is " Illustratively, the Centre for Internet and Society has two interesting articles tracing the origin of privacy within Classical Hindu Law and Islamic Law. See Ashna Ashesh and Bhairav Acharya ,“Locating Constructs of Privacy within Classical Hindu Law”, The Centre for Internet and Society, available at https://cis-india.org/internet-governance/blog/loading-constructs-of-privacy-within-classical-hindu-law. See also Vidushi Marda and Bhairav Acharya, “Identifying Aspects of Privacy in Islamic Law”, The Centre for Internet and Society, available at https://cis-india.org/internet-governance/blog/identifying-aspects-of-privacy-in-islamic-law " Further, research commissioned by CIS cited in the judgment includes a reference in page 201 footnote 319, "Bhairav Acharya, “The Four Parts of Privacy in India”, Economic & Political Weekly (2015), Vol. 50 Issue 22, at page 32."

For more details visit https://cis-india.org/internet-governance/blog/cis-statement-on-right-to-privacy-judgment

Aadhaar may be made must for market investments: Good to curb laundering but what about data security?

Admin — 2017-08-23T00:17:50Z

Aadhaar seems to be the master-key to get accesses into doors which once were never shut. Take for instance, your financial investments. Aadhaar may soon become mandatory for buying shares and mutual funds, according to a report in The Economic Times.

The article by Bindisha Sarang was published by First Post on August 10, 2017.

This move to link the 12 digit number to financial transactions being considered by the government and markets regulator Sebi is yet another attempt to stop the flow of black money entering into the financial markets.

It’s not clear if Aadhaar will replace PAN, or whether it will be in addition to providing PAN details.

As far as linking Aadhaar for buying mutual funds and shares is concerned, the proposed move will probably impact those who use multiple PANs for investments, and those brokers who, in collusion with such people, invest illegal funds in markets. For the common man, it is unlikely to make any major difference.

Over the last few months, the government has made Aadhaar mandatory for a number of services, especially those related to your finances. Aadhaar is currently used as one of the KYC documents for your dealings in the financial sector but it's definitely not a compulsory document.

Though the government's decision to make Aadhaar mandatory for income tax returns filing has turned controversial, the government has made it clear that it intents to replace PAN with Aadhaar.

The reason being cited by the government is the issues with PAN, especially the duplicate numbers that being used to launder money by the tax cheats. Just last month, the government deactivated 11.44 lakh PANs for this reason.

The ET report cites market participants as saying that PAN, though unique for every individual for income-tax assessment purpose, has not been successful in preventing the laundering of money in the financial markets. According to brokers, multiple PANs and fake demat accounts are still being used to push illegal money into the stock market. The proposal to make Aadhaar mandatory for market dealings has to be seen in this context.

Suresh Sadagopan, a Mumbai-based certified financial planner, says, "The move is to clean the system used by crooks. For honest investors, it is just an additional step in the process of investing."

Sadagopan admits that there are concerns regarding the security of data. "A large amount of data is publicly available even today, which is a bad thing," he said.

This indeed is a big concern. Nandan Nilekani, former chief of Unique Identification Authority of India that issues Aadhaar, recently voiced his concerns over this.

"There hasn't been a hack to Aadhaar systems. People have tried to get access to OTPs (one-time passwords) and game others' details and capture them. It's not really a hack, but absolutely, security is going to be a big concern," Nilekani was quoted as saying in a report in The Times of India. He was speaking at an event by the Confederation of Indian Industry (CII) on Tuesday.

In May, the Bengaluru-based Centre for Internet and Society had published a report saying about government websites have leaked Aadhaar data of over 130 million users. The government, however, vehemently denied the development.

Despite all these, the move to make Aadhaar mandatory in financial markets is positive and goes well with the government's battle to curb black money generation.

However, with stock market investment too coming under Aadhaar, the government should move quickly to secure data from potential misuse.

For more details visit https://cis-india.org/internet-governance/news/firstpost-bindisha-sarang-august-10-2017-aadhaar-may-be-made-must-for-market-investments-good-to-curb-laundering-but-what-about-data-security

Privacy laws: Alternatives to consent

Admin — 2017-08-23T00:00:32Z

As changes in technology have made it near impossible to obtain informed consent, the solution may lie in an accountability-based standard for privacy protection.

The article was published in the Livemint on August 11, 2017. Pranesh Prakash was quoted.

On 1 August, the government set in motion the process of drafting a new data protection law by setting up a panel under the guidance of former Supreme Court judge B.N. Srikrishna. The panel has been asked to suggest the principles to be considered while framing a data protection law. Most lawmakers around the world resort to consent as the default model to protect personal privacy. But is consent really the best and only way to provide meaningful control and to protect the individual?

In an earlier article in this series we discussed the various reasons why consent is no longer the best way to protect personal privacy. Today, traditional point-to-point transfers of data have been replaced with data flows through distributed systems, making it difficult for individuals to know which organizations are processing their data and for what purposes. This context makes it impossible to obtain valid individual consent. Machine learning systems do not need explicit programming and can teach themselves from mountains of data. This makes consent particularly inappropriate, as given the fraud prevention purposes for which these tools are used, seeking consent would prejudice the very purpose of processing.

Europe’s new General Data Protection Regulation (GDPR), which will come into force in May 2018, seems to suggest that accountability will become the new basis for compliance. According to experts, the transition period until the new rules come into force will be all about getting data controllers to adopt accountability measures to ensure greater security and trust around processing.

The new rules “advocate a risk-based approach with the data subject at its centre, so controllers will need to assess any risks to individuals posed by their processing activities and what measures they need to take to address them. The requirements also identify common factors for controllers to take into account when making those assessments, like the state of the art, the cost of implementation and the nature, scope and purposes of data processing,” according to a paper by Irish law firm Matheson.

In India, a paper by Rahul Matthan, a fellow at the Bengaluru-based policy think tank Takshashila Institute, bats for the adoption of a similar model that would hold data controllers and processors accountable for any harm caused to data subjects, irrespective of the consent they may have obtained. Instead of requiring data controllers to obtain consent for the collection and subsequent use of personal data, Matthan suggests the implementation of a rights-based model for data privacy that will impute a set of data rights for everyone rather than look to specific terms and conditions that they have entered into with each site they sign up to.

The accountability model will have the greatest impact on companies that deal with personal data, increasing their obligations to ensure that their actions do not, even inadvertently, result in breach of the privacy of their subscribers. What do these firms think about a new model where privacy is not based so much on the specific policies that their users agree to, but on a much broader obligation to be accountable for their actions?

“When we think about new products, we design them from the ground up with privacy in mind,” a Facebook Inc. spokesperson said in an emailed response. “We complete thorough privacy reviews of our products so that innovation does not come at the expense of choice and control. We integrate tools people can use to control their information and make personal privacy choices.”

A Twitter Inc. spokesperson did not directly address the question of accountability but pointed to its updated privacy policy, new privacy tools and past efforts in advocacy of privacy.

In general, corporations are likely to find accountability to be an easy standard to comply with. Most already adhere to this higher standard of care as, regardless of the specific terms of their privacy policies, the public relations fallout that would result from a privacy breach due to their negligence will have a huge impact on subscriber confidence in their services.

To that extent, most companies already think of themselves as being responsible for the personal privacy of their users above and beyond the specific terms and conditions of their privacy policy.

But can accountability totally replace consent? Opinions are divided.

“Substituting accountability for consent is neither simple nor easy,” said Pranesh Prakash, policy director at the Centre for Internet and Society, a Bengaluru-based think tank. “With current consent models, one doesn’t necessarily need to prove specific harm, whereas accountability models might require it, and that would be difficult, and especially impossible given the current state of courts.”

Secondly, while a rights/fiduciary model brings flexibility for data controllers data users, it comes at the cost of uncertainty, he argued.

“Consent brings in some amount of inflexibility but with the benefit of certainty,” he said. “If we move to a rights and fiduciary duty model, that would mean the entity using your data cannot do anything against your best interests, just as your accountant, or your doctor, or your lawyer owe you a high standard of care. But with that increased duty, there comes the added flexibility in terms of using data anonymously, in a way that doesn’t cause much harm while providing benefits.”

“I agree that consent, in theory, provides greater certainty,” counters Matthan, “However, it is questionable whether we can actually benefit from that certainty. In today’s context, it is impossible to obtain truly informed consent. We must, therefore, find an alternative mechanism to protect the privacy of our citizens. Accountability shifts the responsibility of determining whether or not a particular use of data will harm an individual away from that person, who has little or no ability to accurately decide that for himself, to the data controller, who has a far greater ability to do so.”

Others, such as advocate and cyber law expert N.S. Nappinai, say that it should not be a question of either/or and that both consent and accountability are needed for a robust data protection law.

“A huge loophole in the laws across the world, including the very robust GDPR, which will come into effect in 2018, is the sharing of third-party data, as in social media,” said Nappinai. “Data protection laws address the need for consent of the user who is sharing content. Many times, the user isn’t sharing sensitive or personal information only about themselves; it can be about a much larger audience or set of data subjects. When one is dealing with that kind of data, which a third party has shared about a data subject, it is not enough to have only accountability or consent but also vesting of responsibility.”

“For now the least threshold of protection that the GDPR offers—i.e., of the ‘right to be forgotten’—ought to at least be codified in other jurisdictions including India to ensure protection of such third-party data that is shared, in effect without their consent,” she added.

Models for a new privacy protection framework

There are alternative mechanisms in the privacy toolkit and existing legal regimes that, in the appropriate contexts, are able to deliver privacy protection and meaningful control more effectively than consent. Though these mechanisms already exist, they must be better understood, further developed and more broadly accepted, suggest researchers at the International Association of Privacy Professionals (IAPP). Here are a few examples of such mechanisms.

• Legitimate-interest processing: This is particularly relevant, according to IAPP, as it provides the necessary flexibility to face future technology and business process changes, while requiring organizations to be proactive, think hard and consider and mitigate risks and harmful impacts on individuals as they process personal data.

Legitimate-interest processing can legitimize many ordinary business uses of data, such as improving and marketing a company’s own products or services, or ensuring information and network security.

It also plays an increasingly significant role in the context of Big Data, the Internet of Things and machine learning by enabling beneficial uses of data where consent is not feasible and the benefits of the proposed uses outweigh any privacy risks or other harmful impact on individuals.

• Focus on risk and impact on individuals: This approach, IAPP has said, puts individuals firmly at the centre of an organization’s information management practices and results in better protection and compliance for individuals, especially in contexts where individual consent is neither required nor feasible.

• Individuals’ rights to access and correction: The ability of individuals to have access to their data and be able to correct inaccurate or obsolete data is an essential mechanism of control that should be made available as widely as possible.

Access and correction are also intrinsically related to transparency and organizations may be able to innovate here too, IAPP researchers have noted.

• Fair processing: Fair processing is a standalone data protection principle in many data privacy laws in Europe and beyond. Over the years, practitioners and regulators have equated fairness with providing privacy notices to individuals. Fair processing, however, goes beyond privacy notices and IAPP researchers believe the time has come to resurrect this principle back into practice.

This is the third of a four-part series on privacy. Read the first part here and the second part here.

For more details visit https://cis-india.org/internet-governance/news/livemint-august-11-2017-privacy-laws-alternatives-to-consent

Infographic: The Impending Right to Privacy Judgment

Amber Sinha and Pooja Saxena — 2017-08-22T23:50:44Z

The ruling will be important not just for the immediate Aadhaar case but also numerous other matters to do with state intrusions, decisional autonomy and informational privacy.

The article was published in the Wire on August 17, 2017.

Over the last month, a nine-judge constitutional bench of the Supreme Court has heard arguments on the existence of a fundamental right to privacy in India. Media coverage of judicial hearings in the apex court is often ripe with inaccuracies, thanks in no small measure to the court’s own restrictive policies, which, for instance, prevent video recordings. In this case, the arguments – which were heard over the course of three weeks – were widely reported in much greater detail and with fidelity, thanks largely to the live tweets by Gautam Bhatia and Prasanna S. (the entire collection of tweets is available here).

The availability of the entire set of written arguments made available by LiveLaw was another rich source for anyone following this matter in detail. The ruling by the bench will be of extreme importance not just for the immediate Aadhaar case, which has witnessed gross delays, but also numerous other matters in the future to do with state intrusions, decisional autonomy and informational privacy.

The questions before this bench are two fold – do the judgments in M.P. Sharma and Others vs Satish Chandra (decided by an eight-judge bench in 1954) and Kharak Singh vs State of UP and Others (decided by a six-judge bench in 1962) lead to the conclusion that there is no fundamental right to privacy, and whether the decisions in the later cases upholding a right to privacy were correct.

This infographic tries to unpack the hearings in the court into distinct issues, and the key arguments advanced by both the sides on them. The arguments from both sides on a particular question have been presented side by side for better appreciation, even though they were not argued together

Given the nature of the exercise, some of the arguments made in the infographic are bound to be a simplification of the actual issue. But it is hoped that this will provide a good overview of the issues argued.

Research and writing by Amber Sinha. Design by Pooja Saxena. Amber Sinha is a lawyer and works at the Centre for Internet and Society. Pooja Saxena is a typeface and graphic designer, specialising in Indic scripts.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-amber-sinha-and-pooja-saxena-august-17-2017-infographic-the-impending-right-to-privacy-judgment

Here’s why we need a lot more discussion on India’s new DNA Profiling Bill

elonnai — 2017-08-21T23:48:03Z

The DNA Profiling Bill 2017 is still missing a number of safeguards that would enable individual rights. The implications of creating regional and national level DNA databanks need to be fully understood and publicly debated.

The article was published in the Hindustan Times on August 7, 2017.

The first step towards a DNA Profiling Bill was taken in 2007 with the ‘Draft DNA Profiling Bill” by the Centre for DNA Fingerprinting and Diagnostics. Since then, there has been a 2012, 2015, and a 2016 version of the Bill - the last not available to the public. In 2013, the Department of Biotechnology formulated an Expert Committee to deliberate on concerns raised about the Bill and finalise the text. The “Use and Regulation of DNA Based Technology Bill 2017” and the report by the Law Commission is a further evolution of the legislation and dialogue. The 2017 Bill contains a number of improvements from previous versions - yet there are still outstanding concerns that remain.

Positive changes in the Bill include provisions for consent, defined instances for deletion of profiles, limitation on purpose of the use of data in the DNA Data Bank, defined instances fo r destruction of biological samples, and the ability for an individual to request a re-test of bodily substances if they believe contamination has occurred.

Despite these changes the Bill still has an overly broad schedule defining instances of when DNA profiling can be used and is missing a number of safeguards that would enable individual rights. These include a right to notification of storage and access to information on the DNA databank, the right to appeal and challenge storage of DNA samples, and right to access and review personal information stored on the DNA Data Bank.

It is concerning that the 2017 Bill has left the defining of privacy and security safeguards to regulation — including implementation and sufficiency of protection, appropriate use and dissemination of DNA information, accuracy, security and confidentiality of DNA information, timely removal and deletion of obsolete or inaccurate DNA information, and other steps as necessary. Furthermore, though the Law Commission cites the use of the 13 CODIS (Combined DNA Index System) profiling standard as a means to protecting privacy in its report — this standard has yet to find its way in the text of the Bill.

The implications of creating regional and national level DNA databanks need to be fully understood and publicly debated. DNA is not foolproof - false matches can take place for multiple reasons. Importantly, the usefulness of DNA based technology to a legal system and the impact on individual rights is dependent and reflective of the social, legal, and political environment the technology is used in. DNA based technology can be a powerful tool for law enforcement, and it is important that a robust process and structure is given to the collection of DNA samples from a crime scene to the laboratory for analysis, to the DNA Bank for storage and comparison, but this structure needs to also be fully cognizant of the rights of individuals and the potential for misuse of the technology.

As society continues to rapidly become more and more data centric, and that data increasingly is a direct extension of the person, it is critical that legislation that is developed has clear protections of rights. In addition to amendments to the text of the draft 2017 Bill, this includes enacting a comprehensive privacy legislation in India. It is worrying that in the conclusion of its report, the Law Commission has referred to whether privacy is an integral part of Article 21 of the Constitution as merely “a matter of academic debate.” Privacy is recognised as a fundamental right in many democratic contexts – including many of those reviewed by the Law Commission as examples of contexts with DNA Profiling laws.

Policy needs to evolve past protections that are limited to process oriented legal privacy provisions, but instead to protections that are comprehensive — accounting for process and enabling the individual to control and know how her/his data is being used and by whom. Other countries have recognised this and are taking important steps to empower the individual. India needs to do the same for its citizens.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-elonnai-hickok-august-7-2017-here-is-why-we-need-a-lot-more-discussion-on-indias-new-dna-profiling-bill

Privacy is not a unidimensional concept

amber — 2017-08-07T08:02:20Z

Right to privacy is important not only for our negotiations with the information age but also to counter the transgressions of a welfare state. A robust right to privacy is essential for all citizens in India to defend their individual autonomy in the face of invasive state actions purportedly for the public good. The ruling of this nine-judge bench will have far-reaching impact on the extent and scope of rights available to us all.

This article, written by Amber Sinha was published in the Economic Times on July 23, 2017.

In a disappointing case of judicial evasion by the apex court, it has taken over 600 days since a reference order passed in August 11, 2015, for this bench to be constituted. Over two days of arguments, the counsels for the petitioners have presented before the court why the right to privacy, despite not finding a mention in the Constitution of India, is a fundamental right essential to a person’s dignity and liberty, and must be read into not one but multiple articles of the Constitution. The government will make its arguments in the coming week.

One must wonder why we are debating the contours of the right to privacy, which 40 years of jurisprudence had lulled us into believing we already had. The answer to that can be found in a series of hearings in the Aadhaar case that began in 2012. Justice KS Puttaswamy, a former Karnataka High Court judge, filed a petition before the Supreme Court, questioning the validity of the Aadhaar project due its lack of legislative basis (since then the Aadhaar Act was passed in 2016) and its transgressions on our fundamental rights. Over time, a number of other petitions also made their way to the apex court, challenging different aspects of the Aadhaar project. Since then, five different interim orders by the Supreme Court have stated that no person should suffer because they do not have an Aadhaar number. Aadhaar, according to the court, could not be made mandatory to avail benefits and services from government schemes. Further, the court has limited the use of Aadhaar to specific schemes: LPG, PDS, MGNREGA, National Social Assistance Programme, the Pradhan Mantri Jan Dhan Yojna and EPFO.

The real spanner in the works in the progress of this case was the stand taken by Mukul Rohatgi, then attorney general of India who, in a hearing before the court in July 2015, stated that there is no constitutionally guaranteed right to privacy. His reliance was on two Supreme Court judgments in MP Sharma v Satish Chandra (1954) and Kharak Singh v State of Uttar Pradesh (1962): both cases, decided by eight- and six-judge benches respectively, denied the existence of a constitutional right to privacy. As the subsequent judgments which upheld the right to privacy were by smaller benches, Rohatgi claimed that MP Sharma and Kharak Singh still prevailed over them, until they were overruled by a larger bench.

The reference to a larger bench has since delayed the entire matter, even as a number of government schemes have made Aadhaar mandatory. This reading of privacy as a unidimensional concept by the courts is, with due respect, erroneous. Privacy, as a concept, includes within its scope, spatial, familial, informational and decisional aspects. We all have a legitimate expectation of privacy in our private spaces, such as our homes, and in our personal relationships. Similarly, we must be able to exercise some control over how personal data, like our financial information, are disseminated. Most importantly, privacy gives us the space to make autonomous choices and decisions without external interference. All these dimensions of privacy must stand as distinct rights. In MP Sharma, the court rejected a certain aspect of the right of privacy by refusing to acknowledge a right against search and seizure. This, in no way prevented the court, even in the form of a smaller bench, from ruling on any other aspects of privacy, including those that are relevant to the Aadhaar case.

The limited referral to this bench means that the court will have to rule on the status of privacy and its possible limitations in isolation, without even going into the details of the Aadhaar case (based on the nature of protection that this bench accords to privacy, the petitioners and defendants in the Aadhaar case will have to argue afresh on whether the project does impede on this most fundamental right). There are no facts of the case to ground the legal principles in, and defining the contours of a right can be a difficult exercise. The court must be wary of how any limits they put on the right may be used in future. Equally, it is important to articulate that any limitations on the right to privacy due to competing interests such as national security and public interest must be imposed only when necessary and always be proportionate.

It will not be enough for the court to merely state that we have a constitutional right to privacy. They would be well advised to cut through the muddle of existing privacy jurisprudence, and unequivocally establish the various facets of the right. Without that, we may not be able to withstand the modern dangers of surveillance, denial of bodily integrity and self-determination through forcible collection of information. The nine judges, in their collective wisdom, must not only ensure that we have a right to privacy, but also clearly articulate a robust reading of this right capable of withstanding the growing interferences with our autonomy.

For more details visit https://cis-india.org/internet-governance/privacy-is-not-a-unidimensional-concept

High Level Comparison and Analysis of the Use and Regulation of DNA Based Technology Bill 2017

elonnai — 2017-08-11T02:16:52Z

This blog post seeks to provide a high level comparison of the 2017 and 2015 DNA Profiling Bill - calling out positive changes, remaining issues, and missing provisions.

In July 2017 the Law Commission published a report on DNA profiling and the “Draft Use and Regulation of DNA Based Technology Bill 2017”. India has been contemplating a draft DNA Profiling Bill since 2007. There have been two publicly available versions of the bill, 2012, and 2015, and one version in 2016. In 2013, the Department of Biotechnology formulated an Expert Committee to discuss different aspects and issues raised regarding the Bill towards finalizing the text. The Centre for Internet and Society was a member of the Expert Committee, and in its conclusion, issued a note of dissent to the Expert Committee for DNA Profiling.

This post provides a high level overview of the Use and Regulation of DNA Based Technology Bill 2017 and calls out positive changes from the 2015 Bill, remaining issues, and missing provisions. The post also calls out if, and where, CIS's recommendations to the Expert Committee have been incorporated.

If enacted, the 2017 Bill will establish national and regional DNA data banks that will maintain five different types of indices: a crime scene index, missing persons, offenders, suspects, and unknown deceased persons. The data banks will be led by a Director, responsible for communicating information with requesting entities, foreign states, and international organizations. Information relating to DNA profiles, DNA samples, and records maintained in a DNA laboratory can be made available in six instances: to law enforcement and investigating agencies, in judicial proceedings, for facilitating prosecution and adjudication of criminal cases, for taking defence of an accused, for investigation of civil disputes, and other cases which might be specified by regulations. Offences related to unauthorized disclosure of information in the DNA data bank, obtaining information from DNA data banks without authorization, unlawful access to information in the DNA Data Bank, using DNA sample or result without authorization, and destroying, altering, contaminating, or tampering with biological evidence.

Below are some key positive changes from the 2015 Bill, remaining issues, and missing safeguards from the 2017 Bill:

Positive Changes: The Bill contains a number of positive changes from the 2015 draft. Key ones include:

Consent: Section 21 prohibits the taking of samples from arrested persons without consent, except in the case of a specified offence - a specified offence being any offence punishable with death or imprisonment for a term exceeding seven years. If consent is refused, a magistrate can order the taking of the sample. This can be in the case of any matter listed in the Schedule of the Act. Section 22 provides for consent from volunteers. It is important to note that despite being an improvement from the 2015 Bill, which did not address instances of collection with our without consent, this provision is still broad as the list of offences under the Schedule is expansive and can be further expanded by the Central Government. Furthermore, the Magistrate can overrule a refusal of consent of the parent or guardian of a voluneet who is a minor, which does not provide adequate protection to childrens' rights.
Deletion: Section 31 defines instances for deletion of suspect profiles, under trial profiles, and all other profiles. Though a step in the right direction, as the 2015 Bill only addressed retention and deletion of the offenders index, this provision does not address the automatic removal of innocents.
Purpose limitation: Section 33 limits the purpose of profiles in the DNA Data Bank to that of facilitating identification. This is a positive step from the 2015 Bill - which enabled use of DNA profiles for the creation and maintenance of a population statistics data bank. Section 34 also limits the purposes for which information relating to DNA profiles, samples, and records can be made available.
Destruction of samples: Section 20 defines instances for destruction of DNA samples. Destruction of samples was not address in the 2015 Bill, and is an important protection as it prevents samples from being re-analyzed.
Comparison of profiles: Section 29 clarifies that if the individual is not an offender or a suspect, their information will not be compared with DNA profiles in the offenders’ or suspects index. This creates an important distinction between types of indices held in the data bank and the purpose for the same i.e missing persons are not treated as potential offenders. In the 2015 Bill, profiles entered in the offenders or crime scene index could be compared by the DNA Data Bank Manger against all profiles contained in the DNA Data Bank.
Re-testing: Section 24 allows for an accused person to request for a re-examination of fresh bodily substances if it is believed the sample has been contaminated. The closest provision to this in the 2015 was the creation a post - conviction right for DNA profiling - which is now deleted. It is important to note that fresh samples can easily be obtained from individuals, but if contamination happens at a crime scene, it is much more difficult to obtain a fresh sample.
Limiting Indices and including a crime scene index: The 2017 Bill limits the number of indices to five - a crime scene index, missing persons, offenders, suspects, and unknown deceased persons. This is an improvement from the 2015 Bill which provides for the maintenance of indices in the DNA Bank and includes a missing person’s index, an unknown deceased person’s index, a volunteers’ index, and such other DNA indices as may be specified by regulation.

Remaining Issues: There are some remaining issues in the 2017 Bill. Some of these include:

Delegating and Expanding through Regulation: The Bill delegates a number of procedures to regulation - many which should be in the text of the Bill. For example: the format for receiving and storing DNA profiles, and additional criteria for entry, retention, and deletion of DNA profiles. Furthermore, a number of provisions allow for expansion through regulation. For example, the sources from which DNA can be collected from to be expanded as specified by regulations. Further purposes for making DNA profiles available can be defined by regulation. Important procedures such as privacy and security safeguards are also left to regulation.
Broad Powers and Composition of the Board: The Bill designates twenty one responsibilities to the Board. As pointed out in 1, many of these should be detailed in the text of the legislation.

While serving on the Expert Committee,CIS recommended that the functions of the DNA Profiling Board should be limited to licensing, developing standards and norms, safeguarding privacy and other rights, ensuring public transparency, promoting information and debate and a few other limited functions necessary for a regulatory authority. This recommendation has not been incorporated.

Ideally, the Board should also include privacy experts, an expert in ethics, as well as civil society. Towards this, the Board should be comprised of separate Committees to address these different functions. There should be a Committee addressing regulatory issues pertaining to the functioning of Data Banks and Laboratories and an Ethics Committee to provide independent scrutiny of ethical issues.

As a positive note, the reduction of the size of the Board was agreed upon by the Expert Committee from 16 members (2012 Bill) to 11 members. This reccomendation has been incorporated.

CIS also provided language regarding how the Board could consult with the public:The Board, in carrying out its functions and activities, shall be required to consult with all persons and groups of persons whose rights and related interests may be affected or impacted by any DNA collection, storage, or profiling activity. The Board shall, while considering any matter under its purview, co-opt or include any person, group of persons, or organisation, in its meetings and activities if it is satisfied that that person, group of persons, or organisation, has a substantial interest in the matter and that it is necessary in the public interest to allow such participation. The Board shall, while consulting or co-opting persons, ensure that meetings, workshops, and events are conducted at different places in India to ensure equal regional participation and activities. This language has not been fully incorporated

Lack of Authorization Procedure: Though the Bill defines instances of when DNA information can be made available, it fails to establish or refer to an authorization process for making information available and the decision currently seems to rest with the DNA Bank Director.
Expansive Schedule: The Bill creates a schedule containing a list of matters for DNA testing which includes whole acts and a range of civil disputes and matters that are broad and do not relate to criminal cases - most notably “issues relating to immigration or emigration and issues relating to establishment of individual identity.”
Unclear Data Stored: Though the Bill clarifies the circumstance that the identity of the individual will be associated with a profile, it allows for ‘information of data based on DNA testing and records relating thereto” to be stored, yet it is unclear what information this would entail.
Lack of procedures for chain of custody: Presently, the Bill defines quality assurance procedures for a sample that is already at the lab. There are no provisions defining a process for the examination of a crime scene and laying down standards for the chain of custody of a sample from the crime scene to a DNA laboratory.

Missing Safeguards:

There are some safeguards that, if added, would strengthen the Bill and ensure rights to the individual:

Notification to the individual: There are no provisions that ensure that notification is given to an individual if his/her information is accessed or made available.
Right to challenge: There are no provisions that give the individual the right to challenge the storage of their DNA.
Established profiling standard: Though the Law Commission report refers to the 13 CODIS standard, the Bill does not mandate the use of the 13 CODIS profiling standard.
Reporting standard: There are no standards for how matches or other information should be communicated from the DNA director to the authority or receiving entity including instances of partial matches.
Right to access and review: There are no provisions that allow an individual to review his/her information contained in the regional or the national database.
Lack of costing: There is no cost estimate in the report or a requirement for one to be carried out.
Study for the potential for false matches: This must consider the size of the population and large family size, i.e. relatively large numbers of closely related people and is particularly necessary given the the size over population as large as India's.

Importantly, in the DNA Expert Committee, CIS requested the Expert Committee that the Bill be brought in line with the nine national principles defined in the Report of Experts on Privacy led by Justice AP Shah. These include the principles of notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness, and accountability. These principles have not been fully incorporated.

For more details visit https://cis-india.org/internet-governance/blog/high-level-comparison-and-analysis-of-the-use-and-regulation-of-dna-based-technology-bill-2017

Should an Inability to Precisely Define Privacy Render It Untenable as a Right?

amber — 2017-08-04T01:49:56Z

The judges may still be able to articulate the manner in which limits for a right to privacy may be arrived at, without explicitly specifying them.

The article was published in the Wire on August 2, 2017.

Ludwig Wittgenstein wrote in his book, Philosophical Investigations, that things which we expect to be connected by one essential common feature, may be connected by a series of overlapping similarities, where no one feature is common. Instead of having one definition that works as a grand unification theory, concepts often draw from a common pool of characteristics. Drawing from overlapping characteristics that exist between family members, Wittgenstein uses the phrase ‘family resemblances’ to refer to such concepts.

In his book, Understanding Privacy, Daniel Solove makes a case for privacy being a family resemblance concept. Responding to the discontent in conceptualising privacy, Solove attempted to ground privacy not in a tightly defined idea, but around a web of diverse yet connected ideas. Some of the diverse human experiences that we instinctively associate with privacy are bodily privacy, relationships and family, home and private spaces, sexual identity, personal communications, ability to make decisions without intrusions and sharing of personal data. While these are widely diverse concepts, intrusions upon or interferences with these experiences are all understood as infringements of our privacy.

Other scholars too have recognised this dynamic, evolving and difficult to pinpoint nature of privacy. Robert Post described privacy as a concept “engorged with various and distinct meanings.” Helen Nissenbaum advocates a dynamic idea of privacy to be understood in terms of contextual norms.

The ongoing arguments in the Supreme Court on the existence of a constitutional right to privacy can also be viewed in the context of the idea of privacy as a family resemblance concept. In their arguments, the counsels for the petitioners have tried to make a case for privacy as a multi-dimensional fundamental right. Senior advocate Gopal Subramanium argued before the court that privacy inheres in the concept of liberty and dignity under Constitution of India, and is presupposed by various other rights such as freedom of speech, good conscience, and freedom to practice religion. He further goes on say that there are four aspects to privacy – spatial, decisional, informational and the right to develop personality. Shyam Divan, also arguing for the petitioners, further added that privacy includes the right to be left alone, freedom of thought, freedom to dissent, bodily integrity and informational self-determination.

When the chief justice brought up the need to define the extent of the right to privacy, the counsels raised concerns about the right being defined too specifically. This reluctance was borne out of the recognition that by its very nature, the right to privacy is a cluster of rights, with multiple dimensions manifesting themselves in different ways depending on the context. Both advocates, Subramaniam and Arvind Datar, argued that court must not engage in an exercise to definitively catalog all the different aspects of the right, foreclosing the future development of the law on point. This reluctance was also a result of the fact that the court has isolated the question of the existence of the right to privacy and how it may apply in the case of the Aadhaar project. Usually judges are able to ground legal principles in the relevant facts of the case while developing precedents. The referral to this bench is only on the limited question of the existence of a constitutional right to privacy. Therefore, any limits that are articulated by the court on the right exist without the benefit of a context.

On the other hand, the Attorney General (AG) argued that this very aspect of privacy was a rationale for not declaring it a fundamental right. At various points during the arguments, he indicated that the ambiguous and vague nature of the concept of privacy made it unsuitable as a fundamental right. Similarly, Tushar Mehta, arguing for Unique Identification Authority of India, also sought to deny privacy’s existence as a fundamental right as it is too subjective and vague.

The above argument assumes that the inability to precisely define privacy renders its untenable as a right. The key question is whether this lack of a common denominator makes privacy too vague a right, liable to expansive misinterpretations. Conceptions that do not have fixed and sharp boundaries, are not boundless. What it means is that the boundaries can often be fuzzy and in a state of constant evolution, but the limits and boundaries always exist.

At one point during the hearings, Justice Rohinton Nariman wanted the counsels to work on the parameters of challenge for state action with respect to privacy. As mentioned earlier, in the absence of facts to work with, such an exercise is fraught with risks. However, the judges may still be able to articulate the manner in which such limits may be arrived at, without specifying them. Justice Nariman himself later agrees that the judicial examination must proceed on a case by case basis, taking into account not only the tests under Article 14,19 and 21 under which petitioners have tried to locate privacy, but also under any other concurrent rights which may be infringed.

The AG also argued that the infringement of privacy in itself does not amount to a violation of the rights under Article 21, rather in some cases the transgressions on privacy may lead to an infringement of a person’s right to liberty and only in such cases should the fundamental rights be invoked. Thus, the argument made was that there was no need to declare privacy as a fundamental right but only to acknowledge that limiting privacy may sometimes lead to violations of the already existing rights. This argument may have been more cogent had he identified specific dimensions of privacy which, according to him, do not qualify as fundamental rights. However, this might have meant conceding that other dimensions of privacy, in fact do amount to fundamental rights.

It must be remembered that the problem of changing or multiple meanings is not limited to privacy. As the bench noted, drawing comparisons to the concepts of ‘liberty’ and ‘dignity’, these are constitutionally recognised values which equally suffer from a multitude of meanings based on context. The government’s position here is in line with critiques of privacy that Solove seeks to bust in his book. The idea of privacy evolves with time and people. And people, whether from a developed or developing polity, have an instinctive appreciation for it. The absence of a precise definition does not necessarily do great disservice to a concept, especially one that is fundamental to our freedoms.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-amber-sinha-august-2-2017-should-an-inability-to-precisely-define-privacy-render-it-untenable-as-a-right

Aadhar: Privacy is not a unidimensional concept

amber — 2017-08-23T01:50:19Z

Right to privacy is important not only for our negotiations with the information age but also to counter the transgressions of a welfare state. A robust right to privacy is essential for all Indian citizens to defend their individual autonomy in the face of invasive state actions purportedly for the public good.

The article was published in the Economic Times on July 23, 2017.

The ruling of this nine-judge bench will have far-reaching impact on the extent and scope of rights available to us all. In a disappointing case of judicial evasion by the apex court, it has taken over 600 days since a reference order was passed in August 11, 2015, for this bench to be constituted. Over two days of arguments, the counsels for the petitioners have presented before the court why the right to privacy, despite not finding a mention in the Constitution of India, is a fundamental right essential to a person’s dignity and liberty, and must be read into not one but multiple articles of the Constitution. The government will make its arguments in the coming week.

For more details visit https://cis-india.org/internet-governance/blog/economic-times-july-23-2017-amber-sinha-aadhar-privacy-is-not-a-unidimensional-concept

Calls for law change after Indians left in dark over data leaks

Admin — 2017-07-20T14:38:51Z

Fears Indian telecom upstart Reliance Jio suffered a major data breach, compromising the personal data of over 100 million customers, have prompted calls for India to adopt more robust laws to protect consumers.

The blog post by Rahul Bhatia and Sankalp Phartiyal was published by Reuters on July 14, 2017.

Jio has repeatedly denied any breach took place and said that names, telephone numbers and email addresses of Jio users on a website called "Magicapk" appeared to be "unauthentic." The website was later shut down.

The company, part of conglomerate Reliance Industries Ltd, said on Monday that its subscriber data was safe and protected by the highest levels of security.

However, Jio filed a complaint the same day alleging unlawful access to its systems, police have told Reuters.

Jio did not respond to requests for comment.

In contrast to companies in the European Union, which has stringent data protection standards, companies in India do not have to disclose data breaches to clients, information security professionals said.

"It raises questions of security and accountability," said Pranesh Prakash, policy director at the Centre for Internet and Society (CIS), a research organization.

People complained on Twitter about personal information of Jio users being available on the Magicapk site. Several local news outlets said their checks had led them to believe a leak had occurred.

"A rule to report breaches exists, but it is unenforceable," says Prakash. "It says you're not liable if you're following reasonable security practices. What 'reasonable' means is not defined."

Advocates of stronger laws in India say a data breach in countries with more stringent cyber laws, such as Britain or the United States, would prompt an inquiry by regulators.

After reports of a data leak at Verizon earlier this week, for example, the U.S. telecoms firm quickly responded with an explanation of what had occurred, how it had happened and the extent of the problem.

"India is at a nascent stage. For good norms in Asia, look to Singapore. It's been praised for not having cyber security issues by the UN," Srinivas Kodali, an independent security researcher, said.

Not a Priority

"We don't have full-menu data protection laws," said Apar Gupta, a Supreme Court lawyer working on data privacy issues. "We don't even have an institutional framework or expert body to implement the limited data protection regulations that do exist. It's so limited it's more accurate to say no law exists."

In May alone, there were two data security incidents in India.

The records of 17 million customers of Zomato, a popular food-delivery app, were put on sale online. Zomato initially advised customers that their passwords were secure, but later advised users to change them.

Separately, a CIS report said the Aadhaar numbers of as many as 135 million Indians had leaked from government databases and could be found online. (bit.ly/2tOseSV)

The number, similar to a U.S. social security number, is unique to each Indian citizen and the Aadhaar database also stores a user's biometric data. The government is pushing for Aadhaar numbers to be used in everything from opening bank accounts to filing tax returns.

For India, data privacy is not a priority, said Amry Junaideen, a risk advisor at audit firm Deloitte.

"From an organizational perspective there's really no incentive other than being a good corporate citizen, to report a breach," he said, noting that in the European Union and United States the regulatory framework is basically for the good of the consumer, but that this is not the case in India.

India, home to the back offices of many large multinationals and outsourcing companies, has also unsuccessfully sought "data-secure" status from the European Union since 2012.

The status is vital for information sharing between entities in the EU and India, because it means the EU is satisfied that data protection rules in a country meet its standards, so data of EU citizens can be sent to that jurisdiction.

Raman Chima, policy director at Access Now, which advocates stronger digital rights, says weak data privacy laws are likely the main stumbling block to "data-secure" status.

In 2010, a European Union study of data protection in India noted there were "no aspects of India's data protection which would unequivocally be regarded as 'adequate' by European Union standards as yet".

Reporting by Rahul Bhatia and Sankalp Phartiyal; Editing by Euan Rocha and Neil Fullick

For more details visit https://cis-india.org/internet-governance/news/reuters-july-14-2017-rahul-bhatia-and-sankalp-phartiyal-calls-for-law-change-after-indians-left-in-dark-over-data-leaks

Social Activist Alleges Threat By Police Officer Over Possession of Aadhaar

Admin — 2017-07-20T14:31:12Z

Social activist Shabnam Hashmi recorded a policeman telling her those without address proof and Aadhaar could be “eliminated”.

The article by Gaurav Vivek Bhatnagar was published in the Wire on July 16, 2017. Pranesh Prakash was quoted.

Well-known social activist Shabnam Hashmi held a press conference to say she was threatened on the telephone by a police officer at the Lajpat Nagar police station warning her that the government had launched a ‘surround and eliminate’ campaign against people whose addresses are not known and who do not possess Aadhaar numbers or cards. This is now a standing instruction to all police stations, Hashmi was told. Moreover, the officer – accused of threatening and abusing Hashmi when she called him on the night of July 14 to know why the husband of a woman, who learns stitching at a training centre run by the NGO Pehchan at Jaitpur in south-east Delhi, had been summoned at a late hour – insisted that police personnel were well within their rights to act in this way.

The police may brush aside this assertion as the concerned officer’s personal opinion, or they may deny the veracity of the conversation, which Hashmi recorded and shared with the media; but she and other anti-Aadhaar activists say the interaction raises questions about the consequences – intended or unintended – of the Centre’s stress on making Aadhaar mandatory for the personal liberty and civil rights of ordinary residents.

Many Aadhaar critics have, in the past, expressed the fear that the irresponsible use or misuse of Aadhaar could lead to India becoming a ‘surveillance state’ or ‘police state’ by placing enormous discretionary powers in the hands of unscrupulous state officials.

Petitioners in SC had cautioned against misuse of Aadhaar

Earlier this year, Communist Party of India leader Binoy Viswam had filed a petition in the Supreme Court questioning the introduction of Section 139 AA of the IT Act to link Aadhaar cards with PAN cards. Subsequently, in an interview in April this year, he had noted that “the citizens are becoming instruments in the hands of the state” as “by taking fingerprints, iris scans and other details of the citizens of the country, the state is becoming the custodian of its people.” He had also expressed the fear that “the state can use this data according to its whims and fancies”.

Viswam could not have been more correct. Much before the use of data, “elements” of the state have started using the ruse of creation of data itself as a convenient tool to threaten and intimidate people and this is precisely what happened in the case of Hashmi.

Recalling the incident, Hashmi, who is the founding trustee of Pehchan, said the NGO runs a small centre in Jaitpur extension where it teaches school dropouts to appear for class 10 and 12 examinations and also runs sewing classes for women.

Hashmi said that at around 9 pm on July 14, Haseen, the husband of Mubina, one of the trainees, was summoned by a sub-inspector to the Lajpat Nagar police station regarding a complaint. When Hashmi called up the police station to find out what the summons was about, the policeman allegedly “hurled abuses”, and used “highly derogatory and uncivilised language” during the conversation.

Though Hashmi did not have a recorder in her phone at the time of the first call, she subsequently downloaded one and later recorded her conversation with the same officer.

In this conversation, the policeman is heard reasoning with Hashmi that he had not summoned Haseen at a late hour. He claimed that he used harsh language in the first conversation since she had not identified herself and had only proclaimed herself to be a social worker. It also comes across in the conversation that Hashmi had told the man in the earlier conversation that he was drunk while being on duty and that this had irked him. It emerged that the cop had got an inkling that she was recording the later conversation, because of which he apparently mellowed down.

The issue assumes significance as after declaring twice in the past that Aadhaar cannot be made mandatory for delivering services, the Supreme Court had recently upheld the validity of an Income Tax law amendment linking PAN with Aadhaar for filing tax returns.

Former Attorney General Mukul Rohatgi had argued that the government was “entitled to have identification” and that “as constituents of society people can’t claim immunity from identification.” Rohatgi had insisted that “no right is absolute, right to body is not absolute. Under extreme cases even right to life can be taken away, under due process.”

Experts have often cautioned against Aadhaar misuse

According to legal experts, the illegalities related to Aadhaar do not just end with such arguments. Writing for The Wire, Prashant Reddy T., a research associate at the School of Law, Singapore Management University, had noted that in the past couple of months the “Modi government has increasingly used its rule-making powers under various laws in a manner which is contrary to the law of the land.” He was referring to the Centre’s announcement to mandatorily link Aadhaar numbers to all non-small bank accounts, failing which, access to the bank accounts would be disabled after December 31.

“As is often the case with this government, the question now is whether this new mandatory Aadhaar requirement (and the threatened punishment) is legal,” the expert had asked.

Earlier this year, writing for the Hindustan Times, Pranesh Prakash, policy director at the Centre for Internet and Society, and an affiliated fellow at Yale Law School’s Information Society Project, had referred to the immense potential of Aadhaar for profiling and surveillance. He had called for fundamentally altering Aadhaar, saying that if the rampant misuse of surveillance and wilful ignorance of the law by the state were anything to go by, the future looked bleak.

For more details visit https://cis-india.org/internet-governance/news/the-wire-gaurav-vivek-bhatnagar-july-16-2017-social-activist-alleges-threat-by-police-officer-over-possession-of-aadhaar