Centre for Internet and Society

Privacy and Security Implications of Public Wi-Fi - A Case Study

vanya — 2016-12-12T12:29:49Z

Today internet is an essential necessity in everyday work and recognizing its vital role, governments across the world including the Indian government, are giving access to public Wi-Fi. However, use of public Wi-Fi brings along with it certain privacy and security risks. This research paper analyses some of these concerns, along with the privacy policies of key ISPs in India providing public Wi-Fi service in Bangalore-namely D-VoIS and Tata Docomo, as a case study to provide suitable recommendations.

Download (PDF)

1. Introduction

2. Global Scenario

3. Overview of Public Wi-Fi in India

4. Indian Policy and Legal Conundrum

5. Public Wi-Fi and Privacy Concerns

5.1. Data Theft

5.2. Tracking an Individual

5.3. Makes the Electronic Devices Prone to Hacking and Setting up Fake Networks

5.4. Illegal Use of Data

6. Ranking Digital Rights Project

6.1. D-VoIS, Bangalore

6.2. Tata Docomo, Bangalore

7. Compliance of Privacy Policies with Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

8. Conclusion and Recommendations

8.1. Commitment

8.2. Freedom of Expression

8.3. Privacy

1. Introduction

Recognizing internet as a critical tool for day-to-day work and facilitating increased access to it in the past few years,^[1] the Indian Government as well as Governments across the world have rolled out plans for offering public Wi-Fi. However, privacy risks of using public Wi-Fi have also been flagged across jurisdictions, which will be discussed in this paper. Apart from highlighting key privacy concerns associated with the use of free public Wi-Fi, this case study aims to analyse the privacy policies of two of the Internet Service Providers in India-namely Tata Docomo^[2] and D-VoiS^[3], which offer public Wi-Fi services in Bangalore city against the indicators listed under the Ranking Digital Rights project^[4], as well as the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011^[5]. Based on this analysis, this paper shall list key recommendations to these ISPs to ensure sound privacy policies and practices with a view to have a balanced framework and ecosystem in light of key privacy considerations, especially in light of public Wi-Fi.

2. Global Scenario

Security and privacy concerns around the use of free and public Wi-Fi have been raised in India^[6] as well as across the globe. In various cities like Bangalore, Delhi, Hyderabad, New York, London, Paris, etc., privacy experts have raised concerns over the public Wi-Fi systems at metro stations, malls, payphones and other such public places.^[7]

For many years, New York City has been in the process of developing a “free” public Wi-Fi project called LinkNYC^[8] to bring wireless Internet access to the residents of the city. However, privacy concerns have been raised by the users and privacy advocates like the New York Civil Liberties Union, where the latter also issued a letter to the Mayor's office regarding this^[9] as the collection of potentially sensitive personal, locational and behavioral data, without adequate safeguards could result in sharing of such data without the data subject’s consent or knowledge. For example, one of the concerns raised has been regarding retention of user's data by CityBridge, the company behind the LinkNYC kiosks, often indefinitely, for building a massive database which carries a risk of security breaches and unwarranted surveillance by the police. ^[10] Also, users are concerned that their internet browsing history may reveal sensitive information about their political views, religious affiliations or medical issues^[11], since registration is required to use LinkNYC by submitting their email addresses and by agreeing to allow CityBridge to collect information about the websites they visit, the duration for which they linger on certain information on a webpage and the links they click on. On the contrary, the privacy policy of CityBridge states that this massive amount of personally identifiable user information would be cleared only if there have been 12 months of user inactivity, raising an alarm in light of privacy concerns.^[12]

In the year 2015, the Information Commissioner’s Office (ICO) conducted a review of public Wi-Fi services on a UK high street, where it was found that the Wi-Fi networks requested for varying levels of personal data, which was also processed for marketing purposes. The results highlighted that while some networks did not request any personal data, others asked for varying amounts, including information regarding name, postal and email address, mobile number, gender, as well as asking for a date of birth as a mandatory requirement (except for gender). During the sign-up process, though some Wi-Fi networks provided users with the choice to opt-in or opt-out for receiving electronic newsletters and updates, others offered no choice at all.^[13] As a result of the review process, the ICO notified Wi-Fi network providers that it had reviewed and advised them of improvements that they could make to their service and issued guidance^[14] regarding the dangers of using public Wi-Fi^[15]. ICO also recommended users to take time to read all the information given by providers of Wi-Fi services before connecting.

In 2006, the European Data Retention Directive 2006/24/EC^[16] was introduced for the retention of communications data by providers of public electronic communications services for national security. The Directive provides an obligation for providers of publicly available electronic communications services and public communications networks to retain traffic and location data for the purpose of the investigation, detection, and prosecution of serious crime.^[17] Also, the Data Retention (EC Directive) Regulations 2009^[18] were introduced to implement the Directive in the UK. However, this was challenged on grounds of insufficient safeguards for the privacy rights of individuals, given the substantial interference which it facilitated with those rights.^[19]

To ensure protection of user’s data and information, the Data Protection Act 1998^[20] in UK obliges businesses retaining people’s data to comply with the law, which involves informing people about what data is being collected and ensure that the data is stored securely.^[21] . Therefore, in case of ISP’s providing public Wi-Fi service, this would relate to the information people provide when they log on, such as their email address. Under the Act, the data protection principles must be complied with by the data controllers and it needs to be ensured that the information is used fairly and lawfully, for limited and stated purposes, used in a way that is adequate, relevant and not excessive, kept for no longer than is absolutely necessary, handled according to people’s data protection rights, kept safe and secure and not transferred outside the European Economic Area without adequate protection.^[22] This would soon be updated and synced with the European Union’s General Data Protection Directive (GDPR).

3. Overview of Public Wi-Fi in India

In India, the public Wi-Fi in some cases has been offered free for a limited duration, in several cities across the country. For example, in 2014, Bangalore became the first city in the country to establish free public Wi-Fi- Namma Wi-Fi (802.11N) to make Bangalore a smart and connected city. The service is offered at MG Road, Brigade Road and four other locations in Bangalore including Traffic and Transit Management Centres (TTMCs) at Shanthinagar, Yeshwanthpur, Koramangala and CMH Road in Indiranagar.^[23] The internet and Wi-Fi service provider for Namma Wi-Fi is D-VoiS Broadband Ltd,a city-based firm.^[24] However, it seems the State Government plans to pull the plug on the project, funds, lack of awareness and difficulty in access as key constraints.^[25] Tata Docomo has inked an agreement with GMR Airports to offer Wi-Fi services at several International Airports in the country, including the Bangalore International Airport. It offers access to access free Wi-Fi service for 45 minutes, following which they users are required to pay for the service online, to continue using the Wi-Fi service.^[26]

Delhi has also introduced free Wi-Fi at its premier shopping hubs of Connaught Place and Khan Market in the year 2014, and BSNL launched a free WiFi service at Karnataka’s Malpe beach in the year 2016 making it the first WiFi beach in the three coastal districts of the state.^[27] The State Governments of Mumbai, Kolkata, Patna and Ahmedabad also offer free Wi-Fi services in limited areas.^[28] As part of the flagship programme by Indian Government, Digital India, the Government announced the rollout of Wi-Fi services by June 2015 at select public places in 25 Indian cities with population of over 10 lakh and tourist destinations by December 2015.^[29] Also, the Government has plans to digitise India by rolling out free Wi-Fi in 2500 towns and cities over a span of 3 years.^[30] Google plans to deploy WiFi at 100 railway stations in partnership with Railtel. Under this scheme, Mumbai Central was the first station to get free Wi-Fi in the year 2016.^[31] Also, Google's Project Loon aims to provide internet connectivity in remote and rural areas in India, which is currently being tested in other countries.^[32].

4. Indian Policy and Legal Conundrum

In light of national security concerns around the misuse of public Wi-Fi, the Department of Telecommunication, GoI, published a regulation^[33] dated February 2009, defining procedures for the establishment and use of public Wi-Fi to prevent misuse of public Wi-Fi and to be able to track the perpetrator in case of abuse. Indeed, the DOT has stated that “Insecure Wi-Fi networks are capable of being misused without any trail of user at later date”.^[34]

As per the 2009 Regulations, DoT has instructed ISPs to enforce centralized authentication using Login ID and Password for each user to ensure that the identity of the user can be traced.^[35] Regarding Wi-Fi services provided at public places, the Regulations state that bulk login IDs shall be created for controlled distribution, with authentication done at a centralized server. The subscribers are required to use public Wi-Fi by registering with temporary user ID and password, in the following methods:

Obtaining copy of photo identity of the subscriber, to be maintained by Licensee for one year; or
Providing details of user ID and password via SMS on subscriber's mobile phone , to be used as his/her identity by keeping the mobile number for one year.

Additionally, the data protection regime in India is governed by section 43A of the Information Technology Act, 2000 and the Rules^[36] notified under it. It obliges corporate bodies which possess, deal or handle any sensitive personal data to implement and maintain reasonable security practices, failing which they would be held liable to compensate those affected by any negligence attributable to this failure. The said Rules also define requirements and safeguards that every Body Corporate is legally required to incorporate into the company's privacy policy. The Rules put restrictions on body corporates on collecting sensitive personal information, and also states that it must obtain prior consent from the “provider of information” regarding “purpose, means and modes of use of the information, along with limiting disclosure of such information.^[37] Most of the ISPs in India being a private company, like D-VoiS and Tata Docomo, are obliged to comply with these provisions. Also, under the model License Agreement for Unified License^[38] by Ministry of Communication & IT, Department of Telecommunications, Government of India, where the Unified Access License Framework allows for a single license for multiple services such as telecom, the internet and television and provides certain security guidelines, privacy of communications is to be maintained by the Licensee (the ISPs in this case) and network security practices and audits are mandated along with penalties for contravention in addition to what is prescribed under the Information Technology Act,2000. It also provides for ensuring unauthorized interception of messages does not take place. Therefore, the ISPs providing public Wi-Fi services in various cities across India would be governed by the data protection regime and could be held liable under these provisions in case of non-compliance with the security measures so stated.

In July 2016, the Telecom Regulatory Authority of India (hereinafter referred as “TRAI”) floated a Consultation paper on Proliferation of Broadband through Public Wi-Fi Networks^[39] with an objective to examine the need of encouraging public Wi-Fi networks in the country from a public policy point of view and discuss the issues as well as solutions in its proliferation. The paper recognises the fact that India is still in a green field deployment phase in terms of adoption of public Wi-Fi services and requires solutions for resolving the challenges and risks being faced in the process and lay a strong foundation to evolve towards a meaningful position in the advancement of initiatives related to Internet of Things, Smart Cities, etc.^[40] This is an important step towards fulfilment of the Digital India scheme of the Indian Government to ensure better connectivity. In the paper, TRAI has advocated development of a payment platform which allows easy access to Wi-Fi services across internet service providers (ISPs) and through any payment instrument.^[41] Besides that, the paper raises issues of various regulatory, licensing or policy measures required to encourage ubiquitous city-wide Wi-Fi networks as well as expansion of Wi-Fi networks in remote or rural areas, along with the issue of encouraging interoperability between the Wi-Fi networks of different service providers, both within the country and internationally, as well as between cellular and Wi-Fi networks.^[42]

5. Public Wi-Fi and Privacy Concerns

Since proliferation of public Wi-Fi in India is happening at a moderate pace, the paper discusses key issues towards this, one of them being the logistics of deploying this service. This section briefly states and acknowledges privacy and security concerns as an important factor that may be posing issues in the adoption of public Wi-Fi services in the country. Since there have been numerous cases of security vulnerabilities in public Wi-Fi networks worldwide, security of networks and cyber crimes is a key issue for consideration.^[43]

Deployment of public wireless access points has made it more convenient for people to access the Internet outside of their offices or homes. Despite advantages like ease of accessibility, connectivity and convenience, public Wi-Fi connection pose serious concerns as well. “The proliferation of public Wi-Fi is one of the biggest threats to consumer data”, says David Kennedy, founder of TrustedSec, a specialised information security consulting company based in the United States of America.^[44] Also, the networks become an easier target with little public awareness about the existence of such threats wherein users expose valuable personal data over Wi-Fi hotspots. The recently released Norton Cyber Security Report 2016^[45] shows how the benefit of constant connectivity is often outweighed by consumer complacency, leaving consumers and their Wi-Fi networks at risk. For the purpose of this report, Norton surveyed 20,000 people (over a 1,000 from India ) which reflects that though users in India may be increasingly becoming aware of the cyber threats they face due to use of public Wi-Fi, they don’t fully understand the accompanying risks and their online behaviour is often contradictory.^[46] Also, it is important to consider that the services which claim to be free, actually generate revenue by advertisements, where the model works by providing free access to internet in exchange for user's’ personal and behavioral data, which is subsequently used to target ads to them.^[47]

Some of the privacy harms stemming from use of public Wi-Fi are listed below.

5.1. Data Theft

With hackers finding it easy to access personal information of the data subjects, data can be hijacked by unauthorized internet access by spoofing the MAC and IP addresses of the authenticated user’s device or by use of default settings (saved passwords or IPs).^[48] The following kinds of data is at a risk of being stolen and further misused:

demographic and locational data^[49]
forms of personal information acting as identifiers like financial information, social and personal information^[50]
private information like passwords to social networking sites, email accounts and banking websites^[51]
historical data from the devices^[52]

5.2. Tracking an Individual

Like cell phones, Wi-Fi devices have unique identifiers that can be used for tracking purposes which can cause potential security issues. Tracking by using a Wi-Fi hotspot can also lead to third party harms like stalking.^[53] To receive or use a service, often websites require the user to share their personal information such as name, age, ZIP code, or personal preferences, which is many times shared with advertisers and other third parties, without the knowledge or consent of the users.^[54]

5.3. Makes the Electronic Devices Prone to Hacking and Setting up Fake Networks

A recent experiment conducted by the chief scientist at mobile security firm Appknox at the Bengaluru International Airport, India, found that the wireless devices could be easily hacked over the airport’s free Wi-Fi network due to the easily exploitable security holes in the software made by Apple, Google, and Microsoft.^[55] A similar experiment was backed by the European law enforcement agency, Europol, where a mobile hotspot was created in central London^[56] and the hacker was able to gain access to passwords, apps, and even credit card and banking information with ease.^[57] Lack of secure softwares and prevalence of open, unprotected Wi-Fi has made it fairly easy for hackers to set up fake twin access points that give them access to data histories and personal information.^[58] This makes is easy to track data histories of users. Even if certain softwares use encryption codes, a simple decryption software can be used to obtain the information.^[59]

5.4. Illegal Use of Data

By authorities: the authorities have easier access to people’s browsing details and habits, and with justification in the name of national security, could be used to monitor the people without their consent.^[60]

Wi-Fi provider: can sell the user’s demographic and location information. ^[61] Also, it was revealed in a study that the personal information of users is often transmitted by service providers without encryption. Anyone along the path between the user and the service’s data center can then intercept this information, opening users to grave privacy and security risks.^[62]

By hackers: steal information and hack into unsuspecting victim’s bank accounts and misuse corporate financial information and secrets^[63]

6. Ranking Digital Rights Project

The "Ranking Digital Rights" project, an ongoing international non-profit research initiative, aims to promote greater respect for freedom of expression and privacy by focusing on the policies and practices of companies in the information communications technology (ICT) sector^[64], rank such companies in this light, and undertake research to develop the ranking methodology.^[65]

In November 2015, the Ranking Digital Rights project launched the Corporate Accountability Index. Since several actors like the Internet and telecommunications companies, software producers, and device and networking equipment manufacturers exert growing influence over the political and civil lives of people all over the world, it is important to state that these organisations share a responsibility to respect human rights. For this purpose, 16 Internet and telecommunications companies were evaluated according to 31 indicators, which focused on corporate disclosure of policies and practices that affect users’ freedom of expression and privacy.^[66]

The data produced by the index can help companies improve their policies, practices and help them identify challenges faced by companies in meeting their corporate obligations to respect human rights like Freedom of Expression and Privacy in the digital space.^[67] Some of the key corporate practices which affect these rights are :

How companies handle government requests to hand over user data or restrict content;
How companies enforce their own terms of service;
What information companies collect about users and how long they retain it; and
To whom they share or sell user information.^[68]

The 2015 Corporate Accountability Index assesses transparency levels of the World’s most powerful Internet and telecommunications companies regarding their commitments, policies and practices that affect users’ freedom of expression and privacy and evaluates what companies share about these practices and offers recommendations for improvement. The methodology adopted relies on publicly available information so that advocates, researchers, journalists, policy makers, investors, and users can understand the extent to which different companies respect freedom of expression and privacy, and make appropriate policy, investment, and advocacy decisions. Also, public disclosures would enable researchers and journalists to investigate and verify the accuracy of company statements.^[69]

For the purpose of this research, we would apply this index and the indicators to the internet service provider of public Wi-Fi in Bangalore-D-VoiS Ltd. and Tata Docomo to understand how comprehensive their privacy policies are when compared to global standards and make informed recommendations. Analysing policies against the index can help these companies identify best practices, as well as the obstacles they face in meeting their corporate obligations to respect human rights in the very digital spheres they helped to create.^[70] The information has been gathered and analysed on the basis of publicly available information, and this can help companies empower users to make informed decisions about how they use technology, which would help build trust between users and companies in the long run.^[71]

6.1. D-VoIS^[72], Bangalore

For the purpose of this case study, the Privacy Policies of D-VoIS have been analysed on the basis of the Corporate Accountability index, and the answers can be accessed in Annex 1.

Summary

On the basis of the indicators and the information available, it can be ascertained that:

The Company has a freely available and understandable Privacy Policy and Terms of Use, though only in the English language.

The company does not commit to notify users in case of changes in the privacy policy of the company.

The company states circumstances in which it would restrict use of its services, along with reasons for content restriction.

The Company commits to the principle of data minimization, discloses circumstances when it shares information with third parties, and provides users with options to control the company’s collection and sharing of their information

Deploys industry standards for security of products and services.

Analysis

Commitment: D-VoIS fares low on Commitment since it has made no overarching public commitments to protect users’ freedom of expression or privacy in a manner that meets the Index’s criteria. The Company lacks adequate top-level policy commitments to users’ freedom of expression and privacy, establishing executive and management oversight over these issues, creating a process for human rights impact assessment, and lacks stakeholder engagement and a grievance mechanism.

Freedom of Expression: The Company also fares low on Freedom of Expression as the terms of services, though easily available, are only in English language. Also, it does not commit to notify users about changes to the terms of service. While the company discloses what content and activities it prohibits , it provides no information about how the company notifies these restrictions to the users.

Regarding transparency about content restriction requests, since the Indian law prevents the company from disclosing government requests for content removal^[73], but it does not prevent the company from publishing more information about private requests for content restriction. D-VoIS does not provide any information with respect to this.

Privacy: D-VoIS is required by law to have a privacy policy available on its website, this policy is available in English, but not in other languages spoken in India. Also, D-VoIS does not disclose what user information is collected, how and why, nor does it offer users meaningful access to their information. D-VoIS does not disclose any information regarding retention of user information, and the company could improve its disclosures about what user information it collects and how long it is retained.

Though the company discloses information about its security practices, it does not disclose any information regarding its efforts to educate users about security threats. It also does not disclose information regarding requests by non-governmental entities for user data.

6.2. Tata Docomo^[74], Bangalore

The Privacy Policy and Terms & Conditions of Tata Docomo have been analysed on the basis of the Corporate Accountability index, and the answers can be accessed in Annex 2.

Summary

On the basis of the indicators and the information available, it can be ascertained that:

The Company has a freely available and understandable Data Privacy Policy and Terms of Use, though only in English language.

The Company has established electronic and administrative safeguards designed to secure the information collected to prevent unauthorized access to or disclosure of that information and to ensure it is used appropriately.

The company states circumstances in which it would restrict use of its services, along with reasons for content restriction. The company’s disclosed policies and practices demonstrate how it works to avoid contributing to actions that may interfere with the right to freedom of expression, except where such actions are lawful, proportionate and for a justifiable purpose.

The Company clearly states the kind of information collected, ways of collection and the reasons for collection as well as sharing.

Deploys industry standards for security of products and services

Analysis

Commitment: Tata Docomo fares low on Commitment since it has made no overarching public commitments to protect users’ freedom of expression or privacy in a manner that meets the Index’s criteria. Though the Company has established electronic and administrative safeguards designed to secure the information collected, it lacks adequate top-level policy commitments to users’ freedom of expression and privacy, establishing executive and management oversight over these issues, creating a process for human rights impact assessment, and lack of stakeholder engagement.

Freedom of Expression: The Company fares low on Freedom of Expression as the terms of services, though easily available, are only in English language. Also, it does not commit to notify users about changes to the terms of service. While the company discloses what content and activities it prohibits , it provides no information about how the company notifies these restrictions to the users.

Regarding transparency about content restriction requests, since the Indian law prevents the company from disclosing government requests for content removal, it does not prevent the company from publishing more information about private requests for content restriction. Tata Docomo does not provide any information with respect to that.

Privacy: Tata Docomo is required by law to have a privacy policy available on its website, this policy is available in English, but not in other languages spoken in India. No information is publically available regarding users option to control company's collection of information. Tata Docomo discloses that user information shall be retained as long as required and does not mention a specific duration for the same. Though the company discloses information about its security practices, it does not disclose any information regarding its efforts to educate users about security threats. It also does not disclose information regarding requests by non-governmental entities for user data.

7. Compliance of Privacy Policies with Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

The Privacy Policy and Terms & Conditions of D-VoIS and Tata Docomo have been analysed on the basis of the security measures and procedures stated under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 to ascertain how sound and compliant the framework is with the existing data protection regime in India. The comparison can be accessed in Annex 3.

Comparing the requirements listed under the Rules with the policies of both the companies, it can be said that though the websites of both companies provide privacy policies and are easily accessible, they lack crucial information regarding consent of the user before collection as well as sharing of information. Also, though the policies state the purpose of sharing such data with third parties, it does not state the purpose of collection of the information. The policies are also silent regarding the requirements to be complied with before transferring personal data into another jurisdiction . There is also no information about the companies having a grievance officer. Additionally, though the terms of services of D-VoIS state that the customer may choose to restrict the collection or use of their personal information, both companies do not specifically provide for an opt out mechanism to its users.

8. Conclusion and Recommendations

To allay the numerous concerns regarding privacy and security with respect to public Wi-Fi’s, the ISPs must have a sound Privacy Policy in place. For this purpose, adherence to the indicators as listed under the Corporate Accountability Index, along with requirements for security of personal information stated under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 and improving the policies accordingly shall greatly contribute to protection of Freedom of Expression and ensure Privacy of user information. Ensuring compliance with the existing data protection regime in the country becomes more important in light of the growing privacy and security concerns due to proliferation of free and public Wi-Fi service in India. Adequate measures like acquiring consent for collection and sharing of user data, commitment by company executives to ensure protection of rights of individuals, adoption of security standards, creating awareness about security concerns, etc. by such corporate must be considered to ensure protection of personal information and reduce the likelihood of a data breach. Both D-VoIS and Tata Docomo must consider the following recommendations in order to meet the criteria set by the Ranking Digital Rights project, ensuring commitment towards protection of right to freedom of expression and privacy of the users.

8.1. Commitment

Set in place an oversight mechanism to monitor how the company’s policies and practices affect freedom of expression and privacy. In case the Company already has that in place, information regarding the same must be made publically available for greater transparency.
Also, they must conduct regular, comprehensive, and credible due diligence, such as human rights impact assessments, to identify how all aspects of their business impact freedom of expression and privacy.
In addition to that, they must Provide for a remedy or grievance mechanism. The Telecom Regulatory Authority of India also requires that all service providers have redress mechanisms. In case the Company already has that in place, information regarding the same must be made publically available for greater transparency.

8.2. Freedom of Expression

The Companies must make an effort to make the Terms of Service available in the most commonly spoken languages by its users, besides English.
Also, it is recommended that the Companies must ensure to provide meaningful notice to users regarding change in terms of service.
Besides disclosing what content and activities the companies prohibit, they must disclose information regarding how it enforces these prohibitions and should provide examples regarding the circumstances under which it may suspend service to individuals or areas to help users understand such policies.
The Companies must also disclose information regarding the process for evaluating and responding to requests from third parties to restrict content or service. Additionally, it must disclose how long it retains user information, publish process for evaluating and responding to requests from government and other third parties for stored user data and/or real-time communications.

8.3. Privacy

Though both the Companies disclose that the user information shall be shared with third parties, and Tata Docomo discloses what information is collected and how, yet there should be no legal impediment for the companies to improve its disclosures about what user information it collects, with whom it is shared, and how long it is retained to protect the privacy of the users.
Though Tata Docomo allows the users to review and correct their Personal Information collected by the Company, D-VoIS must release information regarding whether the users are able to view, download or otherwise obtain all of the information about them that the company holds. In case it does not allow, the Company must duly change its policy regarding the same.
The Companies must also publish information to help users defend against cyber threats.

^[1] The Financial Express, ‘Free wi-fi: Digital Dilemma’, February 22, 2015,

http://www.financialexpress.com/article/economy/free-Wi-Fi-digital-dilemma/45804/

^[2] Tata Docomo, http://www.tatadocomo.com/

^[3] D-VoIS Communication Pvt. Ltd. http://www.dvois.com/

^[4] Ranking Digital Rights, https://rankingdigitalrights.org/

^[5] the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. Available at : http://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf

^[6] See : http://indianexpress.com/article/technology/technology-others/public-wifi-can-be-used-to-steal-private-information-it-security-expert/, http://www.aljazeera.com/indepth/features/2016/03/india-unlocking-public-wi-fi-hotspots-160308072320835.html , http://www.business-standard.com/article/technology/indians-most-willing-to-share-personal-data-over-public-wifi-116083000673_1.html and http://articles.economictimes.indiatimes.com/2015-05-20/news/62413108_1_corporate-espionage-hotspots-bengaluru-airport

^[7] Scroll, ‘Free wifi in Delhi is good news but here is the catch’, November 21, 2014, http://scroll.in/article/690755/free-wifi-in-delhi-is-good-news-but-here-is-the-catch

^[8] LinkNYC, https://www.link.nyc/

^[9] See : http://www.nyclu.org/files/releases/city%20wifi%20letter.pdf

^[10] The Huffingtonpost, ‘Maybe You Shouldn't Use Public Wi-Fi In New York City’, March 16, 2016, http://www.huffingtonpost.in/entry/public-wifi-nyc_us_56e96b1ce4b0b25c9183f74a

^[11] NYCLU, ‘City’s Public Wi-Fi Raises Privacy Concerns’, March 16, 2016,

http://www.nyclu.org/news/citys-public-wi-fi-raises-privacy-concerns

^[12] NYCLU, ‘City’s Public Wi-Fi Raises Privacy Concerns’, March 16, 2016,

http://www.nyclu.org/news/citys-public-wi-fi-raises-privacy-concerns

^[13]Information Commissioner’s Office Blog, ‘Be wary of public Wi-Fi’September 25, 2015, https://iconewsblog.wordpress.com/2015/09/25/be-wary-of-public-Wi-Fi/

^[14]Information Commissioner’s Office Blog, ‘Be wary of public Wi-Fi’September 25, 2015, https://iconewsblog.wordpress.com/2015/09/25/be-wary-of-public-Wi-Fi/

^[15]Marketing Law, ‘The ICO sounds a warning on public wi-fi and privacy’, November 24, 2015,

http://marketinglaw.osborneclarke.com/data-and-privacy/the-ico-sounds-a-warning-on-public-Wi-Fi-and-privacy/

^[16]Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32006L0024

^[17] Feiler, L., "The Legality of the Data Retention Directive in Light of the Fundamental Rights to Privacy and Data Protection", European Journal of Law and Technology, Vol. 1, Issue 3, 2010, http://ejlt.org/article/view/29/75

^[18] The Data Retention (EC Directive) Regulations 2009 http://www.legislation.gov.uk/ukdsi/2009/9780111473894/pdfs/ukdsi_9780111473894_en.pdf

^[19] Purple, ‘Update on the legal implications of offering public WiFi in the UK’, September 10, 2014, http://purple.ai/update-legal-implications-offering-public-wifi-uk/

^[20] Data Protection Act 1998, http://www.legislation.gov.uk/ukpga/1998/29/contents

^[21] Wireless Social, http://www.wireless-social.com/how-it-works/legal-compliance/

^[22] Data Protection Act 1998, https://www.gov.uk/data-protection/the-data-protection-act

^[23]The Hindu, ‘Free wifi on M.G. Road and Brigade Road from Friday’, January 23, 2014, http://www.thehindu.com/news/cities/bangalore/free-wifi-on-mg-road-and-brigade-road-from-friday/article5606757.ece

^[24]The Telegraph, ‘Free Wi-fi on tech city streets- Bangalore offers five public hotspots’, January 25, 2014, http://www.telegraphindia.com/1140125/jsp/nation/story_17863705.jsp#.VwIv_Zx97IU

^[25]Economic Times, ‘Karnataka Govt pulls the plug on public Wi-Fi spots in Bengaluru’, March 15, 2016, http://tech.economictimes.indiatimes.com/news/internet/karnataka-govt-pulls-the-plug-on-public-Wi-Fi-spots-in-bengaluru/51404414

^[26] Medianama, ‘Why Don’t Indian Airports Offer Free WiFi To Passengers?’, May 22, 2013, http://www.medianama.com/2013/05/223-indian-airports-free-wifi/

^[27]Hindustan Times, ‘BSNL launches free public WiFi at Karnataka’s Malpe beach’, January 25, 2016, http://www.hindustantimes.com/tech/bsnl-launches-free-public-wifi-on-karnataka-s-malpe-beach/story-XVM06KQKIcoyqV8CLJoYzJ.html

^[28]TechTree, ‘Problems With Free City-Wide Wi-Fi Hotspots In India’, September 28, 2015,

http://www.techtree.com/content/features/9914/problems-free-city-wide-Wi-Fi-hotspots-india.html#sthash.2ZSf9kq7.dpuf

^[29]India Today, ‘25 Indian cities to get free public Wi-Fi by June 2015’, December 17, 2014, http://indiatoday.intoday.in/technology/story/25-indian-cities-to-get-free-public-Wi-Fi-by-june-2015/1/407214.html

^[30]Business Insider, ‘Modi Government To Roll Out Free Wi-Fi In 2,500 Towns And Cities To Make India Digital’, January 23, 2015, http://www.businessinsider.in/Modi-Government-To-Roll-Out-Free-Wi-Fi-In-2500-Towns-And-Cities-To-Make-India-Digital/articleshow/45989339.cms

^[31]RailTel launches free high-speed public Wi-Fi service with Google at Mumbai Central, http://www.railtelindia.com/images/Mumbai.pdf

^[32]Economic Times, ‘Google may get government nod to conduct pilot for Project Loon in India’, May 24, 2016,

http://economictimes.indiatimes.com/tech/internet/google-may-get-government-nod-to-conduct-pilot-for-project-loon-in-india/articleshow/52408455.cms

^[33]Department of Telecommunications, Ministry of Communications & IT, Government of India, February 23, 2009, http://www.dot.gov.in/sites/default/files/Wi-%20fi%20Direction%20to%20UASL-CMTS-BASIC%2023%20Feb%2009.pdf

^[34] Scroll, ‘Free wifi in Delhi is good news but here is the catch’ November 21, 2014, http://scroll.in/article/690755/free-wifi-in-delhi-is-good-news-but-here-is-the-catch

^[35]MojoNetworks, ‘Complying with DoT Regulation on Secure Use of WiFi: Less in Letter, More in Spirit’, http://www.mojonetworks.com/fileadmin/pdf/Implementing_DoT_Regulation_on_WiFi_Security.pdf

^[36] Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

^[37]The Centre for Internet & Society, ‘Privacy and the Information Technology Act — Do we have the Safeguards for Electronic Privacy?’, April 7, 2011, http://cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy

^[38]License Agreement for Unified License, http://www.dot.gov.in/sites/default/files/Unified%20Licence.pdf

^[39] Telecom Regulatory Authority of India, ‘Consultation Paper on Proliferation of Broadband through Public Wi-Fi Networks’ July 13, 2016, https://www.mygov.in/sites/default/files/mygov_1468492162190667.pdf

^[40] Telecom Regulatory Authority of India, ‘Consultation Paper on Proliferation of Broadband through Public Wi-Fi Networks’ July 13, 2016, https://www.mygov.in/sites/default/files/mygov_1468492162190667.pdf

^[41] The Economic Times, ‘Trai floats consultation paper to boost broadband through Wi-Fi in public places’, July 14, 2016, http://economictimes.indiatimes.com/articleshow/53195586.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst

^[42] Telecom Regulatory Authority of India, ‘Consultation Paper on Proliferation of Broadband through Public Wi-Fi Networks’ July 13, 2016, https://www.mygov.in/sites/default/files/mygov_1468492162190667.pdf

^[43]Mint, ‘Trai issues paper on public Wi-Fi networks’ July 14, 2016, http://www.livemint.com/Industry/1jVgso2R2Lz4NR5IYFaCtN/Trai-issues-paper-on-public-WiFi-networks.html

^[44]Forbes,’How To Avoid Data Theft When Using Public Wi-Fi’, March 4, 2014, http://www.forbes.com/sites/amadoudiallo/2014/03/04/hackers-love-public-wi-fi-but-you-can-make-it-safe/#373c75e32476

^[45]Symantec, ‘Norton Cyber Security Insights Report’, 2016, https://www.symantec.com/content/dam/symantec/docs/reports/2016-norton-cyber-security-insights-report.pdf

^[46]The Indian Express, ‘Indian cybercrime victims don’t learn from past experience: Norton Report’, November 18, 2016, http://indianexpress.com/article/technology/tech-news-technology/indian-users-complacent-when-it-comes-to-cyber-security-norton-report/

^[47]Mashable, ‘This is the real price you pay for 'free' public Wi-Fi’, January 26, 2016, http://mashable.com/2016/01/25/actual-cost-free-Wi-Fi/?utm_cid=mash-com-Tw-main-link#WmAJGJ_COiq5

^[48]MojoNetworks, ‘Complying with DoT Regulation on Secure Use of WiFi: Less in Letter, More in Spirit’, http://www.mojonetworks.com/fileadmin/pdf/Implementing_DoT_Regulation_on_WiFi_Security.pdf

^[49]Network Computing, ‘Public WiFi, Location Data & Privacy Anxiety’, July 4, 2015, http://www.networkcomputing.com/wireless/public-wifi-location-data-privacy-anxiety/1496375374

^[50]Network Computing, ‘Public WiFi, Location Data & Privacy Anxiety’, July 4, 2015, http://www.networkcomputing.com/wireless/public-wifi-location-data-privacy-anxiety/1496375374

^[51]The Indian Express, ‘Public Wifi can be used to steal private information: IT Security Expert’, May 19, 2015, http://indianexpress.com/article/technology/technology-others/public-wifi-can-be-used-to-steal-private-information-it-security-expert/#sthash.xiuWtL6v.dpuf

^[52]Medium, ‘Maybe Better If You Don’t Read This Story on Public WiFi’, October 14, 2014, https://medium.com/matter/heres-why-public-wifi-is-a-public-health-hazard-dd5b8dcb55e6#.3061h6lsv

^[53]Network Computing, ‘Public WiFi, Location Data & Privacy Anxiety’, July 4, 2015, http://www.networkcomputing.com/wireless/public-wifi-location-data-privacy-anxiety/1496375374

^[54]University of Washington, Computer Science and Engineering, ‘When I am on Wi-Fi, I am Fearless:” Privacy Concerns & Practices in Everyday Wi-Fi Use’, https://djw.cs.washington.edu/papers/wifi-CHI09.pdf

^[55]Breitbart, ‘Fre Public Wi-Fi poses security risks’, May 19, 2015, http://www.breitbart.com/big-government/2015/05/19/free-public-wifi-poses-security-risk/

^[56]The Guardian, ‘Londoners give up eldest children in public Wi-Fi security horror show’, September 29, 2014, https://www.theguardian.com/technology/2014/sep/29/londoners-Wi-Fi-security-herod-clause

^[57] Medium, ‘Maybe Better If You Don’t Read This Story on Public WiFi’, October 14, 2014, https://medium.com/matter/heres-why-public-wifi-is-a-public-health-hazard-dd5b8dcb55e6#.3061h6lsv

^[58]ABC13, ‘Hackers set up fake Wi-Fi hotspots to steal your information, July 10, 2015, http://abc13.com/technology/hackers-set-up-fake-Wi-Fi-hotspots-to-steal-your-information/835223/

^[59]Medium, ‘Maybe Better If You Don’t Read This Story on Public WiFi’, October 14, 2014, https://medium.com/matter/heres-why-public-wifi-is-a-public-health-hazard-dd5b8dcb55e6#.3061h6lsv

^[60] Scroll, ‘Free wifi in Delhi is good news but here is the catch’ November 21, 2014, http://scroll.in/article/690755/free-wifi-in-delhi-is-good-news-but-here-is-the-catch

^[61] Scroll, ‘Free wifi in Delhi is good news but here is the catch’ November 21, 2014, http://scroll.in/article/690755/free-wifi-in-delhi-is-good-news-but-here-is-the-catch

^[62]University of Washington, Computer Science and Engineering, ‘When I am on Wi-Fi, I am Fearless:” Privacy Concerns & Practices in Everyday Wi-Fi Use’, https://djw.cs.washington.edu/papers/wifi-CHI09.pdf

^[63] Breitbart, ‘Fre Public Wi-Fi poses security risks’, May 19, 2015, http://www.breitbart.com/big-government/2015/05/19/free-public-wifi-poses-security-risk/

^[64] Ranking Digital Rights, https://rankingdigitalrights.org/who/frequently-asked-questions/

^[65] Business & Human Rights Resource Centre, ‘Ranking Digital Rights Project’, http ://business-humanrights.org/en/documents/ranking-digital-rights-project

^[66] Ranking Digital Rights, https://rankingdigitalrights.org/about/

^[67] Ranking Digital Rights, https://rankingdigitalrights.org/about/

^[68] Ranking Digital Rights, https://rankingdigitalrights.org/who/frequently-asked-questions/

^[69] Ranking Digital Rights, https://rankingdigitalrights.org/who/frequently-asked-questions/

^[70] Ranking Digital Rights, https://rankingdigitalrights.org/about/

^[71] Ranking Digital Rights, https://rankingdigitalrights.org/who/frequently-asked-questions/

^[72] D-VoIS Communication Pvt. Ltd. http://www.dvois.com/

^[73]Section 16 of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 states that all request and complaints must be kept confidential.

^[74] Tata Docomo, http://www.tatadocomo.com/

For more details visit https://cis-india.org/internet-governance/blog/privacy-and-security-implications-of-public-wi-fi-a-case-study

Privacy and Security Can Co-exist

sunil — 2012-03-21T09:05:57Z

The blanket surveillance the Centre seeks is not going to make India more secure, writes Sunil Abraham in this article published in Mail Today on June 21, 2011.

TODAY, the national discourse around the “ right to privacy” posits privacy as antithetical to security.

Nothing can be farther from the truth. Privacy is a necessary but not sufficient condition for security. A bank safe is safe only because the keys are held by a trusted few. No one else can access these keys or has the ability to duplicate them. The 2008 amendment of the IT Act and their associated rules notified April 2011 propose to eliminate whatever little privacy Indian netizens have had so far. Already as per the Internet Service Provider ( ISP) licence, citizens using encryption above 40- bit were expected to deposit the complete decryption key with the Ministry of Communications and Information Technology. This is as intelligent as citizens of a neighbourhood making duplicates of the keys to their homes and handing them over at the local police station.

Surveillance

Surveillance in any society is like salt in cooking — essential in small quantities but completely counter- productive even slightly in excess. Blanket surveillance makes privacy extinct, it compromises anonymity, essential ingredients for democratic governance, free media, arts and culture, and, most importantly, commerce and enterprise. The Telegraph Act only allowed for blanket surveillance as the rarest of the rare exception. The IT Act, on the other hand, mandates multitiered blanket surveillance of all lawabiding citizens and enterprises.

When your mother visits the local cybercafe to conduct an e- commerce transaction, at the very minimum there are two levels of blanket surveillance. According to the cyber- cafe rules, all her transaction logs will be captured and stored by the operator for a period of one year. This gentleman would also have access to her ID document and photograph. The ISPs would also store her logs for two years to be in compliance with the ISP licence ( even though none of them publish a data- retention policy). Some e- commerce website, to avoid liability, will under the Intermediary Due Diligence rules also retain logs.

Data retention at the cyber- cafe, by the ISP and also by the application service provider does not necessarily make Indian cyberspace more secure. On the contrary, redundant storage of sensitive personal information only opens up multiple points of failure and leaks — in the age of Nira Radia and Amar Singh no sensible bank would accept such intrusion into their core business processes.

Surveillance capabilities are not a necessary feature of information systems.

They have to be engineered into these systems. Once these features exist they could potentially serve both the legally authorised official and undesirable elements.

Terrorists, cyber- warriors and criminals will all find systems with surveillance capabilities easier to compromise.

In other words, surveillance compromises security at the level of system design. There were no Internet or phone lines in the Bin Laden compound — he was depending on a store and forward arrangement based on USB drives. Do we really think that registration of all USB drives, monitoring of their usage and the provision of back doors to these USBs via a master key would have led the investigators to him earlier?

Myth

Increase in security levels is not directly proportional to an increase in levels of surveillance gear. This is only a myth perpetuated by vendors of surveillance software and hardware via the business press. You wouldn't ask the vendors of Xray machines how many you should purchase for an airport, would you? An airport airport with 2,000 X- ray machines is not more secure than one with 20. But in the age of UID and NATGRID, this myth has been the best route for reaching salestargets using tax- payers’ money.

Surveillance must be intelligent, informed by evidence and guided by a scientific method. Has the ban on public WiFi and the current ID requirements at cyber- cafes led to the arrest of terrorists or criminals in India? Where is the evidence that more resource hungry blanket surveillance is going to provide a return on the investment? Unnecessary surveillance is counter- productive and distracts the security agenda with irrelevance.

Finally, there is the question of perception management. Perceptions of security do not only depend on reality but on personal and popular sentiment. There are two possible configurations for information systems — one, where the fundamental organising principle is trust and second, where the principle is suspicion.

Systems based on suspicion usually give rise to criminal and corrupt behaviour.

Perception

If the state were to repeatedly accuse its law- abiding citizens of being terrorists and criminals it might end up provoking them into living up to these unfortunate expectations. If citizens realise that every moment of their digital lives is being monitored by multiple private and government bodies, they will begin to use anonymisation and encryption technology round the clock even when it is not really necessary. Ordinary citizens will be forced to visit the darker and nastier corners of the Internet just to download encryption tools and other privacy enabling software. Like prohibition this will only result in further insecurity and break- down of the rule of law.

The writer is executive director of the Bangalore- based Centre for Internet and Society.

Read the original published in Mail Today here

For more details visit https://cis-india.org/internet-governance/blog/privacy-and-security

Privacy and Governmental Databases

elonnai — 2012-03-22T05:41:38Z

In our research we have found that most government databases are incrementally designed in response to developments and improvements that need to be incorporated from time to time. This method of architecting a system leads to a poorly designed database with many privacy risks such as: inaccurate data, incomplete data, inappropriate disclosure of data, inappropriate access to data, and inappropriate security over data. To address these privacy concerns it is important to analyze the problem that is being addressed from the perspective of potential and planned interoperability with other government databases. Below is a list of problems and recommendations concerning privacy, concerning government databases.

Government Databases and recommendations for privacy practices

Citizen-State relationships and privacy standards
Government databases foster different types of relationships between the state and its citizenry. For instance: User databases, service providing databases, and information providing databases. Each one these relationships requires a different level of privacy. Thus, it is important to identify the type of relationship that the database will foster in order to determine what type of privacy model to implement.
Specific privacy policy

Each government database should have a specific privacy policy that are tailored to the information that they hold. Each policy should cover the following areas:
- data collection
- digitization
- usage
- storage
- security
- disclosure
- retrieval
- access (inter departmental and public)
- anonymization, obfuscation and deletion.
Personal vs. personal sensitive and public vs. non-public data categories

Data in government databases requires varying degrees of privacy safeguards. The division of personal information vs. non personal information etc. creates distinct

categories for security levels over data and permissibility of public disclosure. Ex of personal information: Name, address, telephone number, religion. Ex of non-personal data: gender, age. This could work to avoid situations such as the census - where a person’s name, address, age, etc, were all printed for the public eye.
Standardization of Privacy Policies and Access Control

Government databases should all be designed upon interoperable standards so that the databases can "talk" to each other. The ability to coalesce databases strengthens the potential for use and reuse by different stakeholders. Furthermore, the interoperability of systems helps to avoid the creation of silos that hold multiple copies of the same data. To protect the privacy in interoperable systems - restricted and authorized access within departments and between departments is key. The Department of Information Technology has recently published a "Government Interoperability Framework" titled "Interoperability Framework for eGovernance" This policy document is the appropriate place to articulate interoperable privacy policies that could be adopted across eGovernance projects.
Record of breach notification

If data breach occurs in government database, the breach should be recorded and the appropriate individuals notified.
Anonymization/obfuscation and deletion policies

Once the purpose for which the data has been collected has been served it must be anonymized/obfuscated or deleted as appropriate. All data-sets cannot be deleted as bulk aggregate data is very useful to those interested in trend analysis. Anonymizing/obfuscating the personal details of a data set ensures that privacy is protected during such trend analysis.
Accountability for accuracy of data

Frequently data that is collected and entered into government databases is not accurate, because the departments are not collecting the data themselves. Thus, they feel no responsibility for its accuracy. If a mechanism is built into each database for identification of each data source this brings accountability for data accuracy.
Appropriate uses of government databases

Businesses should feel automatically entitled to aggregate and consolidate public information from government databases because it is technically possible to do so. Their uses of government database must be guided by policies that define "appropriate usage."
Access, updation and control of personal information

Citizens must be able to access and update their information. Furthermore, they should be able to define to a certain extent access control to their information - which would automatically make them eligible or ineligible for various government services.

Bibliography

Rezhui, Abdemounaam. Preserving Privacy in Web Services. Department of Computer Sciences, Virginia Tech.
Medjahed, Brahim. Infrastructure for E-Government Web Services. IEEE Internet Computing, Virgina Tech. January/Feburary 2003.

Mladen, Karen. A Report of Research on Privacy for Electronic Government. Privacy in Canada

joi.ito.com/privacyreport/Contents_Distilled/.../Canada_E_p252-314.pdf

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-govt-databases

Privacy after Big Data: Compilation of Early Research

Saumyaa Naidu — 2016-11-12T01:37:03Z

Download the Compilation (PDF)

Privacy after Big Data

Evolving data science, technologies, techniques, and practices, including big data, are enabling shifts in how the public and private sectors carry out their functions and responsibilities, deliver services, and facilitate innovative production and service models to emerge. For example, in the public sector, the Indian government has considered replacing the traditional poverty line with targeted subsidies based on individual household income and assets. The my.gov.in platform is aimed to enable participation of the connected citizens, to pull in online public opinion in a structured manner on key governance topics in the country. The 100 Smart Cities Mission looks forwards to leverage big data analytics and techniques to deliver services and govern citizens within city sub-systems. In the private sector, emerging financial technology companies are developing credit scoring models using big, small, social, and fragmented data so that people with no formal credit history can be offered loans. These models promote efficiency and reduction in cost through personalization and are powered by a wide variety of data sources including mobile data, social media data, web usage data, and passively collected data from usages of IoT or connected devices.

These data technologies and solutions are enabling business models that are based on the ideals of ‘less’: cash-less, presence-less, and paper-less. This push towards an economy premised upon a foundational digital ID in a prevailing condition of absent legal frameworks leads to substantive loss of anonymity and privacy of individual citizens and consumers vis-a-vis both the state and the private sector. Indeed, the present use of these techniques run contrary to the notion of the ‘sunlight effect’ - making the individual fully transparent (often without their knowledge) to the state and private sector, while the algorithms and means of reaching a decision are opaque and inaccessible to the individual.

These techniques, characterized by the volume of data processed, the variety of sources data is processed from, and the ability to both contextualize - learning new insights from disconnected data points - and de-contextualize - finding correlation rather than causation - have also increased the value of all forms of data. In some ways, big data has made data exist on an equal playing field as far as monetisation and joining up are concerned. Meta data can be just as valuable to an entity as content data. As data science techniques evolve to find new ways of collecting, processing, and analyzing data - the benefits of the same are clear and tangible, while the harms are less clear, but significantly present.

Is it possible for an algorithm to discriminate? Will incorrect decisions be made based on data collected? Will populations be excluded from necessary services if they do not engage with certain models or do emerging models overlook certain populations? Can such tools be used to surveil individuals at a level of granularity that was formerly not possible and before a crime occurs? Can such tools be used to violate rights – for example target certain types of speech or groups online? And importantly, when these practices are opaque to the individual, how can one seek appropriate and effective remedy.

Traditionally, data protection standards have defined and established protections for certain categories of data. Yet, data science techniques have evolved beyond data protection principles. It is now infinitely harder to obtain informed consent from an individual when data that is collected can be used for multiple purposes by multiple bodies. Providing notice for every use is also more difficult – as is fulfilling requirements of data minimization. Some say privacy is dead in the era of big data. Others say privacy needs to be re-conceptualized, while others say protecting privacy now, more than ever, requires a ‘regulatory sandbox’ that brings together technical design, markets, legislative reforms, self regulation, and innovative regulatory frameworks. It also demands an expanding of the narrative around privacy – one that has largely been focused on harms such as misuse of data or unauthorized collection – to include discrimination, marginalization, and competition harms.

In this compilation we have put together a series of articles that we have developed as we explore the impacts – positive and negative – of big data. This includes looking at India’s data protection regime in the context of big data, reviewing literature on the benefits of harms of big data, studying emerging predictive policing techniques that rely on big data, and analyzing closely the impact of big data on specific privacy principles such as consent. This is a growing body of research that we are exploring and is relevant to multiple areas of our work including privacy and surveillance. Feedback and comments on the compilation are welcome and appreciated.

Elonnai Hickok
Director - Internet Governance

For more details visit https://cis-india.org/internet-governance/blog/privacy-after-big-data-compilation-of-early-research

Privacy after Big Data - Workshop Report

amber — 2017-01-27T01:09:17Z

The Centre for Internet and Society (CIS) and the Sarai programme, CSDS, organised a workshop on 'Privacy after Big Data: What Changes? What should Change?' on Saturday, November 12, 2016 at Centre for the Study of Developing Societies in New Delhi.

This workshop aimed to build a dialogue around some of the key government-led big data initiatives in India and elsewhere that are contributing significant new challenges and concerns to the ongoing debates on the right to privacy. It was an open event.

In this age of big data, discussions about privacy are intertwined with the use of technology and the data deluge. Though big data possesses enormous value for driving innovation and contributing to productivity and efficiency, privacy concerns have gained significance in the dialogue around regulated use of data and the means by which individual privacy might be compromised through means such as surveillance, or protected. The tremendous opportunities big data creates in varied sectors ranges from financial technology, governance, education, health, welfare schemes, smart cities to name a few. With the UID project re-animating the Right to Privacy debate in India, and the financial technology ecosystem growing rapidly, striking a balance between benefits of big data and privacy concerns is a critical policy question that demands public dialogue and research to inform an evidence based decision. Also, with the advent of potential big data initiatives like the ambitious Smart Cities Mission under the Digital India Scheme, which would rely on harvesting large data sets and the use of analytics in city subsystems to make public utilities and services efficient, the tasks of ensuring data security on one hand and protecting individual privacy on the other become harder.

This workshop sought to discuss some of the emerging problems due to the advent of big data and possible ways to address these problems. The workshop began with Amber Sinha of CIS and Sandeep Mertia of Sarai introducing the topic of big data and implications for privacy. Both speakers tried to define big data and brief history of the evolution of the term and raised questions about how we understand it. Dr. Usha Ramanathan spoke on the right to privacy in the context of the ongoing Aadhaar case and Vipul Kharbanda introduced the concept of Habeas Data as a possible solution to the privacy problems posed by big data. Amelia Andersotter discussed national centralised digital ID systems and their evolution in Europe, often operating at a cross-functional scale, and highlighted its implications for discussions on data protection, welfare governance, and exclusion from public and private services. Srikanth Lakshmanan spoke of the issues with technology and privacy, and possible technological solutions. Dr. Anupam Saraph discussed the rise of digital banking and Aadhaar based payments and its potential use for corrupt practices. Astha Kapoor of Microsave spoke about her experience of implementation of digital money solution in rural India.

Post lunch, Dr. Anja Kovacs and Mathew Rice spoke on the rise of mass communication surveillance across the world, and the evolving challenges of regulating surveillance by government agencies. Mathew also spoke of privacy movements by citizens and civil society in regions. In the final speaking session, Apar Gupta and Kritika Bhardwaj traced the history of jurisprudence on the right to privacy and the existing regulations and procedures. In the final session, the participants discussed various possible solutions to privacy threats from big data and identity projects including better regulation, new approached such as harms based regulation and privacy risk assessments, and conceiving privacy as a horizontal right. The workshop ended with vote of thanks from the organizers.

The agenda for the event can be accessed here, and the transcript is available here.

For more details visit https://cis-india.org/internet-governance/blog/privacy-after-big-data-workshop-report

Privacy Act should not circumscribe RTI: expert group

praskrishna — 2012-10-22T09:36:49Z

An expert group to draw the framework of a law to protect privacy of individuals has suggested that issues of personal privacy must not be used to dilute the provisions of or block information under the Right to Information Act, and used a language that almost directly contradicts the sentiments expressed by the Prime Minister in this regard just a few days ago.

This article by Amitabh Sinha was published in the Indian Express on October 19, 2012.

The group headed by Justice (retd) A P Shah has argued that the RTI Act already has provisions that protect the privacy, and such types of information are exempt from public disclosure. “When applied, the (proposed) Privacy Act should not circumscribe the Right to Information Act,” the report of the expert group, which was made public on Thursday, said.

“Section 8 of the (RTI) Act lists specific types of information that are exempted from public disclosure in order to protect privacy. In this way, privacy is the narrow exception to the Right to Information,” the report said.

Interestingly, just earlier this week, while inaugurating an annual convention of information commissioners, Prime Minister Manmohan Singh had made the opposite argument. “There is a fine balance required to be maintained between the Right to Information and the right to privacy, which stems out of the Fundamental Right to Life and Liberty,” he had said.

“The citizens’ right to know should definitely be circumscribed if disclosure of information encroaches upon someone’s personal privacy. But where to draw the line is a complicated question,” he had said.

Sibngh’s remarks had come at a time when questions were being asked about whether government money had been spent on foreign trips and medical treatment of UPA chairperson Sonia Gandhi. The government had clarified that no public money had been spent on either of the two.

The expert group under Justice Shah was constituted at the initiative of Minister of State for Planning Ashwani Kumar after an attempt by the Department of Personnel and Training (DoPT) last year to draft a privacy bill ended in a disaster. The expert group was only asked to draw up the broad contours of what a privacy law must comprise of. It has drawn from international experiences and presented nine ‘principles’ that must be accommodated in any future privacy law.

The group also recognises that the constitutional basis of privacy as “a fundamental right deriving from Article 21 of the Constitution of India”.

The report deals mainly with how the extensive collection of personal data — through government institutions like Census, NATGRID, UID, or through private agencies like banks, credit card companies or phone operators — must be stored, managed and eventually destroyed, if possible, without infringing on the privacy rights of an individual.

The report would now be referred to the DoPT which will then begin further consultation processes to make a fresh start at drafting a privacy law.

Suggestions on Tapping

The expert group has said that the system of telephone and other communication interception for security reasons has an “unclear regulatory regime that is inconsistent, non-transparent, prone to misuse, and that does not provide remedy or compensation to aggrieved individuals”. It has suggested the following:

All orders of interceptions must be reported to a court within 15 days, disclosing the reason for interception.
All interceptions must only be in force for 60 days, renewable up to a period of 180 days.
Reasons for interception order must be specified and recorded in writing by competent authority.
Records of interception must be destroyed by security agencies after six months, or nine months, and service providers must destroy records after two months, or six months.
All interception orders must be sent for review by a designated committee.
Officers to whom information relating to interception can be disclosed must be specified.
Intermediaries (like telephone operators) must ensure security, confidentiality and privacy of intercepted material, and must be held legally responsible for any unauthorized access or disclosure of intercepted material.

Note: The Centre for Internet & Society was part of the expert committee even though it is not explicitly mentioned here.

For more details visit https://cis-india.org/news/indianexpress-amitabh-sinha-october-19-2012-privacy-act-should-not-circumscribe-rti-expert-group

Privacy (Protection) Bill, 2013: Updated Third Draft

bhairav — 2013-10-01T12:25:43Z

The Centre for Internet and Society has been researching privacy in India since 2010 with the objective of raising public awareness around privacy, completing in depth research, and driving a privacy legislation in India. As part of this work, we drafted the Privacy (Protection) Bill, 2013.

This research is being undertaken as part of the 'SAFEGUARDS' project that CIS is doing with Privacy International and IDRC. The following is the latest version with changes based on the Round Table held on August 24:

[Preamble]

CHAPTER I

Preliminary

1. Short title, extent and commencement. – (1) This Act may be called the Privacy (Protection) Act, 2013.

(2) It extends to the whole of India.

(3) It shall come into force on such date as the Central Government may, by notification in the Official Gazette, appoint.

2. Definitions. – In this Act and in any rules made thereunder, unless the context otherwise requires, –

(a) “anonymise” means, in relation to personal data, the removal of all data that may, whether directly or indirectly in conjunction with any other data, be used to identify the data subject;

(b) “appropriate government” means, in relation the Central Government or a Union Territory Administration, the Central Government; in relation a State Government, that State Government; and, in relation to a public authority which is established, constituted, owned, controlled or substantially financed by funds provided directly or indirectly –

(i) by the Central Government or a Union Territory Administration, the Central Government;

(ii) by a State Government, that State Government;

(c) “authorised officer” means an officer, not below the rank of a Gazetted Officer, of an All India Service or a Central Civil Service, as the case may be, who is empowered by the Central Government, by notification in the Official Gazette, to intercept a communication of another person or carry out surveillance of another person under this Act;

(d) “biometric data” means any data relating to the physical, physiological or behavioural characteristics of a person which allow their unique identification including, but not restricted to, facial images, finger prints, hand prints, foot prints, iris recognition, hand writing, typing dynamics, gait analysis and speech recognition;

(e) “Chairperson” and “Member” mean the Chairperson and Member appointed under sub-section (1) of section 17;

(f) “collect”, with its grammatical variations and cognate expressions, means, in relation to personal data, any action or activity that results in a data controller obtaining, or coming into the possession or control of, any personal data of a data subject;

(g) “communication” means a word or words, spoken, written or indicated, in any form, manner or language, encrypted or unencrypted, meaningful or otherwise, and includes visual representations of words, ideas, symbols and images, whether transmitted or not transmitted and, if transmitted, irrespective of the medium of transmission;

(h) “competent organisation” means an organisation or public authority listed in the Schedule;

(i) “data controller” means a person who, either alone or jointly or in concert with other persons, determines the purposes for which and the manner in which any personal data is processed;

(j) “data processor” means any person who processes any personal data on behalf of a data controller;

(k) “Data Protection Authority” means the Data Protection Authority constituted under sub-section (1) of section 17;

(l) “data subject” means a person who is the subject of personal data;

(m) “deoxyribonucleic acid data” means all data, of whatever type, concerning the characteristics of a person that are inherited or acquired during early prenatal development;

(n) “destroy”, with its grammatical variations and cognate expressions, means, in relation to personal data, to cease the existence of, by deletion, erasure or otherwise, any personal data;

(o) “disclose”, with its grammatical variations and cognate expressions, means, in relation to personal data, any action or activity that results in a person who is not the data subject coming into the possession or control of that personal data;

(p) “intelligence organisation” means an intelligence organisation under the Intelligence Organisations (Restriction of Rights) Act, 1985 (58 of 1985);

(q) “interception” or “intercept” means any activity intended to capture, read, listen to or understand the communication of a person;

(r) “personal data” means any data which relates to a natural person if that person can, whether directly or indirectly in conjunction with any other data, be identified from it and includes sensitive personal data;

(s) “prescribed” means prescribed by rules made under this Act;

(t) “process”, with its grammatical variations and cognate expressions, means, in relation to personal data, any action or operation which is performed upon personal data, whether or not by automated means including, but not restricted to, organisation, structuring, adaptation, modification, retrieval, consultation, use, alignment or destruction;

(u) “receive”, with its grammatical variations and cognate expressions, means, in relation to personal data, to come into the possession or control of any personal data;

(v) “sensitive personal data” means personal data as to the data subject’s –

(i) biometric data;

(ii) deoxyribonucleic acid data;

(iii) sexual preferences and practices;

(iv) medical history and health;

(v) political affiliation;

(vi) commission, or alleged commission, of any offence;

(vii) ethnicity, religion, race or caste; and

(viii) financial and credit information.

(w) “store”, with its grammatical variations and cognate expressions, means, in relation to personal data, to retain, in any form or manner and for any purpose or reason, any personal data;

(x) “surveillance” means any activity intended to watch, monitor, record or collect, or to enhance the ability to watch, record or collect, any images, signals, data, movement, behaviour or actions, of a person, a group of persons, a place or an object, for the purpose of obtaining information of a person;

and all other expressions used herein shall have the meanings ascribed to them under the General Clauses Act, 1897 (10 of 1897) or the Code of Criminal Procedure, 1973 (2 of 1974), as the case may be.

CHAPTER II

Regulation of Personal Data

3. Regulation of personal data. – Notwithstanding anything contained in any other law for time being in force, no person shall collect, store, process, disclose or otherwise handle any personal data of another person except in accordance with the provisions of this Act and any rules made thereunder.

4. Exemption. – Nothing in this Act shall apply to the collection, storage, processing or disclosure of personal data for personal or domestic use.

CHAPTER III

Protection of Personal Data

5. Regulation of collection of personal data. – (1) No personal data of a data subject shall be collected except in conformity with section 6 and section 7.

(2) No personal data of a data subject may be collected under this Act unless it is necessary for the achievement of a purpose of the person seeking its collection.

(3) Subject to section 6 and section 7, no personal data may be collected under this Act prior to the data subject being given notice, in such and form and manner as may be prescribed, of the collection.

6. Collection of personal data with prior informed consent. – (1) Subject to sub-section (2), a person seeking to collect personal data under this section shall, prior to its collection, obtain the consent of the data subject.

(2) Prior to a collection of personal data under this section, the person seeking its collection shall inform the data subject of the following details in respect of his personal data, namely: –

(a) when it will be collected;

(b) its content and nature;

(d) the manner in which it may be accessed, checked and modified;

(e) the security practices, privacy policies and other policies, if any, to which it will be subject;

(f) the conditions and manner of its disclosure; and

(g) the procedure for recourse in case of any grievance in relation to it.

(3) Consent to the collection of personal data under this section may be obtained from the data subject in any manner or medium but shall not be obtained as a result of a threat, duress or coercion:

Provided that the data subject may, at any time after his consent to the collection of personal data has been obtained, withdraw the consent for any reason whatsoever and all personal data collected following the original grant of consent shall be destroyed forthwith:

Provided that the person who collected the personal data in respect of which consent is subsequently withdrawn may, if the personal data is necessary for the delivery of any good or the provision of any service, not deliver that good or deny that service to the data subject who withdrew his grant of consent.

7. Collection of personal data without prior consent. – Personal data may be collected without the prior consent of the data subject if it is –

(a) necessary for the provision of an emergency medical service to the data subject;

(b) required for the establishment of the identity of the data subject and the collection is authorised by a law in this regard;

(d) necessary to prevent, investigate or prosecute a cognisable offence.

8. Regulation of storage of personal data. – (1) No person shall store any personal data for a period longer than is necessary to achieve the purpose for which it was collected or received, or, if that purpose is achieved or ceases to exist for any reason, for any period following such achievement or cessation.

(2) Save as provided in sub-section (3), any personal data collected or received in relation to the achievement of a purpose shall, if that purpose is achieved or ceases to exist for any reason, be destroyed forthwith.

(3) Notwithstanding anything contained in this section, any personal data may be stored for a period longer than is necessary to achieve the purpose for which it was collected or received, or, if that purpose has been achieved or ceases to exist for any reason, for any period following such achievement or cessation, if –

(a) the data subject grants his consent to such storage prior to the purpose for which it was collected or received being achieved or ceasing to exist;

(b) it is adduced for an evidentiary purpose in a legal proceeding; or

Provided that only that amount of personal data that is necessary to achieve the purpose of storage under this sub-section shall be stored and any personal data that is not required to be stored for such purpose shall be destroyed forthwith:

Provided further that any personal data stored under this sub-section shall, to the extent possible, be anonymised.

9. Regulation of processing of personal data. – (1) No person shall process any personal data that is not necessary for the achievement of the purpose for which it was collected or received.

(2) Save as provided in sub-section (3), no personal data shall be processed for any purpose other than the purpose for which it was collected or received.

(3) Notwithstanding anything contained in this section, any personal data may be processed for a purpose other than the purpose for which it was collected or received if –

(a) the data subject grants his consent to the processing and only that amount of personal data that is necessary to achieve the other purpose is processed;

(b) it is necessary to perform a contractual duty to the data subject;

(d) it necessary to prevent, investigate or prosecute a cognisable offence.

10. Transfer of personal data for processing. – (1) Subject to the provisions of this section, personal data that has been collected in conformity with this Act may be transferred by a data controller to a data processor, whether located in India or otherwise, if the transfer is pursuant to an agreement that explicitly binds the data processor to same or stronger measures in respect of the storage, processing, destruction, disclosure and other handling of the personal data as are contained in this Act.

(2) No data processor shall process any personal data transferred under this section except to achieve the purpose for which it was collected.

(3) A data controller that transfers personal data under this section shall remain liable to the data subject for the actions of the data processor.

11. Security of personal data and duty of confidentiality. – (1) No person shall collect, receive, store, process or otherwise handle any personal data without implementing measures, including, but not restricted to, technological, physical and administrative measures, adequate to secure its confidentiality, secrecy, integrity and safety, including from theft, loss, damage or destruction.

(2) Data controllers and data processors shall be subject to a duty of confidentiality and secrecy in respect of personal data in their possession or control.

(3) Without prejudice to the provisions of this section, a data controller or data processor shall, if the confidentiality, secrecy, integrity or safety of personal data in its possession or control is violated by theft, loss, damage or destruction, or as a result of any disclosure contrary to the provisions of this Act, or for any other reason whatsoever, notify the data subject, in such form and manner as may be prescribed, forthwith.

12. Regulation of disclosure of personal data. – Subject to section 10, section 13 and section 14, no person shall disclose, or otherwise cause any other person to receive, the content or nature of any personal data that has been collected in conformity with this Act.

13. Disclosure of personal data with prior informed consent. – (1) Subject to sub-section (2), a data controller or data processor seeking to disclose personal data under this section shall, prior to its disclosure, obtain the consent of the data subject.

(2) Prior to a disclosure of personal data under this section, the data controller or data processor, as the case may be, seeking to disclose the personal data, shall inform the data subject of the following details in respect of his personal data, namely: –

(a) when it will be disclosed;

(b) the purpose of its disclosure;

(d) the procedure for recourse in case of any grievance in relation to it.

14. Disclosure of personal data without prior consent. – (1) Subject to sub-section (2), personal data may be disclosed without the prior consent of the data subject if it is necessary –

(a) to prevent a reasonable threat to national security, defence or public order; or

(b) to prevent, investigate or prosecute a cognisable offence.

(2) No data controller or data processor shall disclose any personal data unless it has received an order in writing from a police officer not below the rank of [___] in such form and manner as may be prescribed:

Provided that an order for the disclosure of personal data made under this sub-section shall not require the disclosure of any personal data that is not necessary to achieve the purpose for which the disclosure is sought:

Provided further that the data subject shall be notified, in such form and manner as may be prescribed, of the disclosure of his personal data, including details of its content and nature, and the identity of the police officer who ordered its disclosure, forthwith.

15. Quality and accuracy of personal data. – (1) Each data controller and data processor shall, to the extent possible, ensure that the personal data in its possession or control, is accurate and, where necessary, is kept up to date.

(2) No data controller or data processor shall deny a data subject whose personal data is in its possession or control the opportunity to review his personal data and, where necessary, rectify anything that is inaccurate or not up to date.

(3) A data subject may, if he finds personal data in the possession or control of a data controller or data processor that is not necessary to achieve the purpose for which it was collected, received or stored, demand its destruction, and the data controller shall destroy, or cause the destruction of, the personal data forthwith.

16. Special provisions for sensitive personal data. – Notwithstanding anything contained in this Act and the provisions of any other law for the time being in force –

(a) no person shall store sensitive personal data for a period longer than is necessary to achieve the purpose for which it was collected or received, or, if that purpose has been achieved or ceases to exist for any reason, for any period following such achievement or cessation;

(b) no person shall process sensitive personal data for a purpose other than the purpose for which it was collected or received;

(c) no person shall disclose sensitive personal data to another person, or otherwise cause any other person to come into the possession or control of, the content or nature of any sensitive personal data, including any other details in respect thereof.

CHAPTER IV

The Data Protection Authority

17. Constitution of the Data Protection Authority. – (1) The Central Government shall, by notification, constitute, with effect from such date as may be specified therein, a body to be called the Data Protection Authority consisting of a Chairperson and not more than four other Members, to exercise the jurisdiction and powers and discharge the functions and duties conferred or imposed upon it by or under this Act.

(2) The Chairperson shall be a person who has been a Judge of the Supreme Court:

Provided that the appointment of the Chairperson shall be made only after consultation with the Chief Justice of India.

(3) Each Member shall be a person of ability, integrity and standing who has a special knowledge of, and professional experience of not less than ten years in privacy law and policy.

18. Term of office, conditions of service, etc. of Chairperson and Members. – (1) Before appointing any person as the Chairperson or Member, the Central Government shall satisfy itself that the person does not, and will not, have any such financial or other interest as is likely to affect prejudicially his functions as such Chairperson or Member.

(2) The Chairperson and every Member shall hold office for such period, not exceeding five years, as may be specified in the order of his appointment, but shall be eligible for reappointment:

Provided that no person shall hold office as the Chairperson or Member after he has attained the age of sixty-seven years.

(3) Notwithstanding anything contained in sub-section (2), the Chairperson or any Member may –

(a) by writing under his hand resign his office at any time;

(b) be removed from office in accordance with the provisions of section 19 of this Act.

(4) A vacancy caused by the resignation or removal of the Chairperson or Member under sub-section (3) shall be filled by fresh appointment.

(5) In the event of the occurrence of a vacancy in the office of the Chairperson, such one of the Members as the Central Government may, by notification, authorise in this behalf, shall act as the Chairperson till the date on which a new Chairperson, appointed in accordance with the provisions of this Act, to fill such vacancy, enters upon his office.

(6) When the Chairperson is unable to discharge his functions owing to absence, illness or any other cause, such one of the Members as the Chairperson may authorise in writing in this behalf shall discharge the functions of the Chairperson, till the date on which the Chairperson resumes his duties.

(7) The salaries and allowances payable to and the other terms and conditions of service of the Chairperson and Members shall be such as may be prescribed:

Provided that neither the salary and allowances nor the other terms and conditions of service of the Chairperson and any member shall be varied to his disadvantage after his appointment.

19. Removal of Chairperson and Members from office in certain circumstances. – The Central Government may remove from office the Chairperson or any Member, who –

(a) is adjudged an insolvent; or

(b) engages during his term of office in any paid employment outside the duties of his office; or

(d) is of unsound mind and stands so declared by a competent court; or

(e) is convicted for an offence which in the opinion of the President involves moral turpitude; or

(f) has acquired such financial or other interest as is likely to affect prejudicially his functions as a Chairperson or Member, or

(g) has so abused his position as to render his continuance in offence prejudicial to the public interest.

20. Functions of the Data Protection Authority. – (1) The Chairperson may inquire, suo moto or on a petition presented to it by any person or by someone acting on his behalf, in respect of any matter connected with the collection, storage, processing, disclosure or other handling of any personal data and give such directions or pass such orders as are necessary for reasons to be recorded in writing.

(2) Without prejudice to the generality of the foregoing provision, the Data Protection Authority shall perform all or any of the following functions, namely –

(a) review the safeguards provided by or under this Act and other law for the time being in force for the protection of personal data and recommend measures for their effective implementation;

(b) review any measures taken by any entity for the protection of personal data and take such further action is it deems fit;

(c) review any action, policy or procedure of any entity to ensure compliance with this Act and any rules made hereunder;

(d) formulate, in consultation with experts, norms for the effective protection of personal data;

(e) promote awareness and knowledge of personal data protection through any means necessary;

(f) undertake and promote research in the field of protection of personal data;

(g) encourage the efforts of non-governmental organisations and institutions working in the field of personal data protection;

(h) publish periodic reports concerning the incidence of collection, processing, storage, disclosure and other handling of personal data;

(i) such other functions as it may consider necessary for the protection of personal data.

(3) Subject to the provisions of any rules prescribed in this behalf by the Central Government, the Data Protection Authority shall have the power to review any decision, judgement, decree or order made by it.

(4) In the exercise of its functions under this Act, the Data Protection Authority shall give such directions or pass such orders as are necessary for reasons to be recorded in writing.

(5) The Data Protection Authority may, in its own name, sue or be sued.

21. Secretary, officers and other employees of the Data Protection Authority. – (1) The Central Government shall appoint a Secretary to the Data Protection Authority to exercise and perform, under the control of the Chairperson such powers and duties as may be prescribed or as may be specified by the Chairperson.

(2) The Central Government may provide the Data Protection Authority with such other officers and employees as may be necessary for the efficient performance of the functions of the Data Protection Authority.

(3) The salaries and allowances payable to and the conditions of service of the Secretary and other officers and employees of the Data Protection Authority shall be such as may be prescribed.

22. Salaries, etc. be defrayed out of the Consolidated Fund of India. – The salaries and allowances payable to the Chairperson and Members and the administrative expenses, including salaries, allowances and pension, payable to or in respect of the officers and other employees of the of the Data Protection Authority shall be defrayed out of the Consolidated Fund of India.

23. Vacancies, etc. not to invalidate proceedings of the Data Protection Authority. – No act or proceeding of the Data Protection Authority shall be questioned on the ground merely of the existence of any vacancy or defect in the constitution of the Data Protection Authority or any defect in the appointment of a person acting as the Chairperson or Member.

24. Chairperson, Members and employees of the Data Protection Authority to be public servants. – The Chairperson and Members and other employees of the Data Protection Authority shall be deemed to be public servants within the meaning of section 21 of the Indian Penal Code, 1860 (45 of 1860).

25. Location of the office of the Data Protection Authority. – The offices of the Data Protection Authority shall be in [___] or any other location as directed by the Chairperson in consultation with the Central Government.

26. Procedure to be followed by the Data Protection Authority. – (1) Subject to the provisions of this Act, the Data Protection Authority shall have powers to regulate –

(a) the procedure and conduct of its business;

(b) the delegation to one or more Members of such powers or functions as the Chairperson may specify.

(2) In particular and without prejudice to the generality of the foregoing provisions, the powers of the Data Protection Authority shall include the power to determine the extent to which persons interested or claiming to be interested in the subject-matter of any proceeding before it may be allowed to be present or to be heard, either by themselves or by their representatives or to cross-examine witnesses or otherwise take part in the proceedings:

Provided that any such procedure as may be prescribed or followed shall be guided by the principles of natural justice.

27. Power relating to inquiries. – (1) The Data Protection Authority shall, for the purposes of any inquiry or for any other purpose under this Act, have the same powers as vested in a civil court under the Code of Civil Procedure, 1908 (5 of 1908), while trying suits in respect of the following matters, namely –

(a) the summoning and enforcing the attendance of any person from any part of India and examining him on oath;

(b) the discovery and production of any document or other material object producible as evidence;

(d) the requisitioning of any public record from any court or office;

(e) the issuing of any commission for the examination of witnesses; and,

(f) any other matter which may be prescribed.

(2) The Data Protection Authority shall have power to require any person, subject to any privilege which may be claimed by that person under any law for the time being in force, to furnish information on such points or matters as, in the opinion of the Data Protection Authority, may be useful for, or relevant to, the subject matter of an inquiry and any person so required shall be deemed to be legally bound to furnish such information within the meaning of section 176 and section 177 of the Indian Penal Code, 1860 (45 of 1860).

(3) The Data Protection Authority or any other officer, not below the rank of a Gazetted Officer, specially authorised in this behalf by the Data Protection Authority may enter any building or place where the Data Protection Authority has reason to believe that any document relating to the subject matter of the inquiry may be found, and may seize any such document or take extracts or copies therefrom subject to the provisions of section 100 of the Code of Criminal Procedure, 1973 (2 of 1974), in so far as it may be applicable.

(4) The Data Protection Authority shall be deemed to be a civil court and when any offence as is described in section 175, section 178, section 179, section 180 or section 228 of the Indian Penal Code, 1860 (45 of 1860) is committed in the view or presence of the Data Protection Authority, the Data Protection Authority may, after recording the facts constituting the offence and the statement of the accused as provided for in the Code of Criminal Procedure, 1973 (2 of 1974), forward the case to a Magistrate having jurisdiction to try the same and the Magistrate to whom any such case is forwarded shall proceed to hear the complaint against the accused as if the case had been forwarded to him under section 346 of the Code of Criminal Procedure, 1973 (2 of 1974).

28. Decisions of the Data Protection Authority. – (1) The decisions of the Data Protection Authority shall be binding.

(2) In its decisions, the Data Protection Authority has the power to –

(a) require an entity to take such steps as may be necessary to secure compliance with the provisions of this Act;

(b) require an entity to compensate any person for any loss or detriment suffered;

29. Proceedings before the Data Protection Authority to be judicial proceedings. – The Data Protection Authority shall be deemed to be a civil court for the purposes of section 195 and Chapter XXVI of the Code of Criminal Procedure, 1973 (2 of 1974), and every proceeding before the Data Protection Authority shall be deemed to be a judicial proceeding within the meaning of section 193 and section 228 and for the purposes of section 196 of the Indian Penal Code, 1860 (45 of 1860).

CHAPTER V

Regulation by Data Controllers and Data Processors

30. Co-regulation by Data Controllers and the Data Protection Authority. – (1) The Data Protection Authority may, in consultation with data controllers, formulate codes of conduct for the collection, storage, processing, disclosure or other handling of any personal data.

(2) No code of conduct formulated under sub-section (1) shall be binding on a data controller unless –

(a) it has received the written approval of the Data Protection Authority; and

(b) it has received the approval, by signature of a director or authorised signatory, of the data controller.

31. Co-regulation without prejudice to other remedies. – Any code of conduct formulated under this chapter shall be without prejudice to the jurisdiction, powers and functions of the Data Protection Authority.

32. Self-regulation by data controllers. – (1) The Data Protection Authority may encourage data controllers and data processors to formulate professional codes of conduct to establish rules for the collection, storage, processing, disclosure or other handling of any personal data.

(2) No code of conduct formulated under sub-section (1) shall be effective unless it is registered, in such form and manner as may be prescribed, by the Data Protection Authority.

(3) The Data Protection Authority shall, for reasons to be recorded in writing, not register any code of conduct formulated under sub-section (1) that is not adequate to protect personal data.

CHAPTER IV

Surveillance and Interception of Communications

33. Surveillance and interception of communication to be warranted. – Notwithstanding anything contained in any other law for the time being in force, no –

(i) surveillance shall be carried out, and no person shall order any surveillance of another person;

(ii) communication shall be intercepted, and no person shall order the interception of any communication of another person; save in execution of a warrant issued under section 36, or an order made under section 38, of this Act.

34. Application for issuance of warrant. – (1) Any authorised officer seeking to carry out any surveillance or intercept any communication of another person shall prefer an application for issuance of a warrant to the Magistrate.

(2) The application for issuance of the warrant shall be in the form and manner prescribed in the Schedule and shall state the purpose for which the warrant is sought.

(3) The application for issuance of the warrant shall be accompanied by –

(i) a report by the authorised officer of the suspicious conduct of the person in respect of whom the warrant is sought, and all supporting material thereof;

(ii) an affidavit of the authorised officer, or a declaration under his hand and seal, that the contents of the report and application are true to the best of his knowledge, information and belief, and that the warrant shall be executed only for the purpose stated in the application and shall not be misused or abused in any manner including to interfere in the privacy of any person;

(iii) details of all warrants previously issued in respect of the person in respect of whom the warrant is sought, if any.

35. Considerations prior to the issuance of warrant. – (1) No warrant shall issue unless the requirements of section 34 and this section have been met.

(2) The Magistrate shall consider the application made under section 34 and shall satisfy himself that the information contained therein sets out –

(i) a reasonable threat to national security, defence or public order; or

(ii) a cognisable offence, the prevention, investigation or prosecution of which is necessary in the public interest.

(3) The Magistrate shall satisfy himself that all other lawful means to acquire the information that is sought by the execution of the warrant have been exhausted.

(4) The Magistrate shall verify the identity of the authorised officer and shall satisfy himself that the application for issuance of the warrant is authentic.

36. Issue of warrant. – (1) Subject to section 34 and section 35, the Magistrate may issue a warrant for surveillance or interception of communication, or both of them.

(2) The Magistrate may issue the warrant in Chambers.

37. Magistrate may reject application for issuance of warrant. – If the Magistrate is not satisfied that the requirements of section 34 and section 35 have been met, he may, for reasons to be recorded in writing, –

(i) refuse to issue the warrant and dispose of the application;

(ii) return the application to the authorised officer without disposing of it;

(iii) pass any order that he thinks fit.

38. Order by Home Secretary in emergent circumstances. – (1) Notwithstanding anything contained in section 35, if the Home Secretary of the appropriate government is satisfied that a grave threat to national security, defence or public order exists, he may, for reasons to be recorded in writing, order any surveillance or interception of communication.

(2) An authorised officer seeking an order for surveillance or interception of communication under this section shall prefer an application to the Home Secretary in the form and manner prescribed in the Schedule and accompanied by the documents required under sub-section (3) of section 34.

(3) No order for surveillance or interception of communication made by the Home Secretary under this section shall be valid upon the expiry of a period of seven days from the date of the order.

(4) Before the expiry of a period of seven days from the date of an order for surveillance or interception of communication made under this section, the authorised officer who applied for the order shall place the application before the Magistrate for confirmation.

39. Duration of warrant or order. – (1) The warrant or order for surveillance or interception of communication shall specify the period of its validity and, upon its expiry, all surveillance and interception of communication, as the case may be, carried out in relation to that warrant or order shall cease forthwith:

Provided that no warrant or order shall be valid upon the expiry of a period of sixty days from the date of its issue.

(2) A warrant issued under section 36, or an order issued under section 38, for surveillance or interception of communication, or both of them, may be renewed by a Magistrate if he is satisfied that the requirements of sub-section (2) of section 35 continue to exist.

40. Duty to inform the person concerned. – Subject to sub-section (2), before the expiry of a period of sixty days from the conclusion of any surveillance or interception of communication carried out under this Act, the authorised officer who carried out the surveillance or interception of communication shall, in writing in such form and manner as may be prescribed, notify, with reference to the warrant of the Magistrate, and, if applicable, the order of the Home Secretary, each person in respect of whom the warrant or order was issued, of the fact of such surveillance or interception and duration thereof.

(2) The Magistrate may, on an application made by an authorised officer in such form and manner as may be prescribed, if he is satisfied that the notification under sub-section (1) would –

(a) present a reasonable threat to national security, defence or public order, or

(b) adversely affect the prevention, investigation or prosecution of a cognisable offence,

for reasons to be recorded in writing addressed to the authorised officer, order that the person in respect of whom the warrant or order of surveillance or interception of communication was issued, not be notified of the fact of such interception or the duration thereof:

41. Security and duty of confidentiality and secrecy. – (1) No person shall carry out any surveillance or intercept any communication of another person without implementing measures, including, but not restricted to, technological, physical and administrative measures, to secure the confidentiality and secrecy of all information obtained as a result of the surveillance or interception of communication, as the case may be, including from theft, loss or unauthorised disclosure.

(2) Any person who carries out any surveillance or interception of any communication, or who obtains any information, including personal data, as a result of surveillance or interception of communication, shall be subject to a duty of confidentiality and secrecy in respect of it.

(3) Every competent organisation shall, before the expiry of a period of one hundred days from the enactment of this Act, designate as many officers as it deems fit as Privacy Officers who shall be administratively responsible for all interceptions of communications carried out by that competent organisation.

42. Disclosure of information. – (1) Save as provided in this section, no person shall disclose to any other person, or otherwise cause any other person to come into the knowledge or possession of, the content or nature of any information, including personal data, obtained as a result of any surveillance or interception carried out under this Act.

(2) Notwithstanding anything contained in this section, if the disclosure of any information, including personal data, obtained as a result of any surveillance or interception of any communication is necessary to –

(a) prevent a reasonable threat to national security, defence or public order, or

(b) prevent, investigate or prosecute a cognisable offence,

an authorised officer may disclose the information, including personal data, to any authorised officer of any other competent organisation.

CHAPTER VI

Offences and penalties

43. Punishment for offences related to personal data. – (1) Whoever, except in conformity with the provisions of this Act, collects, receives, stores, processes or otherwise handles any personal data shall be punishable with imprisonment for a term which may extend to [___] years and may also be liable to fine which may extend to [___] rupees.

(2) Whoever attempts to commit any offence under sub section (1) shall be punishable with the punishment provided for such offence under that sub-section.

(3) Whoever, except in conformity with the provisions of this Act, collects, receives, stores, processes or otherwise handles any sensitive personal data shall be punishable with imprisonment for a term which may extend to [increased for sensitive personal data] years and and may also be liable to fine which may extend to [___] rupees.

(4) Whoever attempts to commit any offence under sub section (3) shall be punishable with the punishment provided for such offence under that sub-section.

44. Abetment and repeat offenders. – (1) Whoever abets any offence punishable under this Act shall, if the act abetted is committed in consequence of the abetment, be punishable with the punishment provided for that offence.

(2) Whoever, having been convicted of an offence under any provision of this Act is again convicted of an offence under the same provision, shall be punishable, for the second and for each subsequent offence, with double the penalty provided for that offence.

45. Offences by companies. – (1) Where an offence under this Act has been committed by a company, every person who, at the time of the offence was committed, was in charge of, and was responsible to, the company for the conduct of the business of the company, as well as the company shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly:

Provided that nothing contained in this sub-section shall render any such person liable to any punishment, if he proves that the offence was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence.

(2) Notwithstanding anything contained in sub-section (1), where any offence under this Act has been committed by a company and it is proved that the offence has been committed with the consent or connivance of, or is attributable to any neglect on the part of any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall be deemed to be guilty of that offence, and shall be liable to be proceeded against and punished accordingly.

46. Cognisance. – Notwithstanding anything contained in the Code of Criminal Procedure, 1973 (2 of 1974), the offences under section 43, section 44 and section 45 shall be cognisable and non-bailable.

47. General penalty. – Whoever, in any case in which a penalty is not expressly provided by this Act, fails to comply with any notice or order issued under any provisions thereof, or otherwise contravenes any of the provisions of this Act, shall be punishable with fine which may extend to [___] rupees, and, in the case of a continuing failure or contravention, with an additional fine which may extend to [___] rupees for every day after the first during which he has persisted in such failure or contravention.

48. Punishment to be without prejudice to any other action. – The award of punishment for an offence under this Act shall be without prejudice to any other action which has been or which may be taken under this Act with respect to such contravention.

CHAPTER VII

Miscellaneous

49. Power to make rules. – (1) The Central Government may, by notification in the Official Gazette, make rules to carry out the provisions of this Act.

(2) In particular, and without prejudice to the generality of the foregoing power, such rules may provide for –

[__]

(3) Every rule made under this section shall be laid, as soon as may be after it is made, before each House of Parliament while it is in session for a period of thirty days which may be comprised in one session or in two successive sessions and if before the expiry of the session in which it is so laid or the session immediately following, both Houses agree in making any modification in the rule, or both Houses agree that the rule should not be made, the rule shall thereafter have effect only in such modified form or be of no effect, as the case may be, so however, that any such modification or annulment shall be without prejudice to the validity of anything previously done under that rule.

50. Bar of jurisdiction. – (1) On and from the appointed day, no court or authority shall have, or be entitled to exercise, any jurisdiction, powers or authority (except the Supreme Court and a High Court exercising powers under Article 32, Article 226 and Article 227 of the Constitution) in relation to matters specified in this Act.

(2) No order passed under this Act shall be appealable except as provided therein and no civil court shall have jurisdiction in respect of any matter which the Data Protection Authority is empowered by, or under, this Act to determine and no injunction shall be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power conferred by or under this Act.

51. Protection of action taken in good faith. – No suit or other legal proceeding shall lie against the Central Government, State Government, Data Protection Authority, Chairperson, Member or any person acting under the direction either of the Central Government, State Government, Data Protection Authority, Chairperson or Member in respect of anything which is in good faith done or intended to be done in pursuance of this Act or of any rules or any order made thereunder.

52. Power to remove difficulties. – (1) If any difficulty arises in giving effect to the provisions of this Act, the Central Government may, by order, published in the Official Gazette, make such provisions, not inconsistent with the provisions of this Act, as appears to it to be necessary or expedient for removing the difficulty:

Provided that no such order shall be made under this section after the expiry of a period of three years from the commencement of this Act.

(2) Every order made under this section shall be laid, as soon as may be after it is made, before each House of Parliament.

53. Act to have overriding effect. – The provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force.

For more details visit https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-updated-third-draft

Privacy & Sexual Minorities

Danish Sheikh — 2013-09-20T09:22:44Z

Danish Sheikh examines the status of sexual minorities in the light of privacy framework in India. Culling out some real life examples based on various studies, media reports and judgments from the Supreme Court and the High Courts of Delhi and Allahabad, the research brings to light the privacy violations being committed by both individuals as well as state authorities. The research concludes by saying that privacy doesn’t necessarily encompass a one-size-fits-all approach, and can raise as many questions as it answers.

Defining Privacy

In examining the status of sexual minorities vis-à-vis the privacy framework in India, this research takes into account a definition of privacy that encompasses protection against physical interference with a person and their property as well as the state of being free from intrusion in one’s private life or affairs.[1] This involves an understanding of privacy violations being committed by both an individual as well as the State. On the one hand is the extent to which a private individual is entitled to personal information about another individual and on the other is the extent to which government authorities can intrude into the private life of a citizen to keep watch over his or her movements or exercise control over personal choices.[2]

No mention of sexuality and privacy in India can stand without a nod to Section 377 of the Indian Penal Code (IPC). In 1860, with the institution of the IPC by Lord Macaulay, section 377 criminalized homosexuality by putting forth that, "carnal intercourse against the order of nature"[3] was to be punishable by law. While this archaic law stands even today, it was read down significantly in a landmark Delhi High Court judgment in 2009[4] which will be referred to later. As stated in an open letter by Vikram Seth and a host of others and endorsed by Amartya Sen, the law has been used to "systematically arrest, prosecute, terrorize and blackmail sexual minorities. It has spawned public intolerance and abuse, forcing tens of millions of gay and bisexual men and women to live in fear and secrecy at tragic cost to themselves and their families."[5] When understood in its conception as non-interference by the State, as the right to be left alone,[6] privacy isn’t necessarily an empowering right for lesbian, gay, bisexual and transgender (LGBT) persons. For one, the claim to privacy when it comes to same-sex acts tends to get construed as a claim for secrecy: it is to carry out purportedly "clandestine" acts that the sexual minority community wants refuge from the State. The same strategy can further backfire when claims for heightened scrutiny might in fact be requested, such as in discrimination actions.[7] A zonal understanding of privacy also subverts the fact that many instances of expression of identity happen in the public sphere.[8]

For a while, privacy jurisprudence hinged on this idea of privacy as a negative right by disallowing infringement of a person’s right to a private life by the State. This understanding may be located in an international regime which has for a while insisted on dividing civil and political rights at one side, and social and economic rights on the other. With this split, what was institutionalized was the idea that civil and political rights were as such "negative" rights, while social and economic rights were "positive" in their content. In effect, the presumption that stood was that while states needed to expand resources to uphold social and economic rights, no such correlative obligation required observance in respect of civil and political rights.[9] Recent human rights conventions such as the Convention on the Rights of Persons with Disabilities acknowledge the flaw in this understanding, based on the reasoning that both civil and political rights and social and economic rights give rise to positive and negative duties.[10] The Naz Foundation[11] judgment propels the understanding of privacy as a positive right. It’s easy enough to split the analysis in this study neatly with the judgment which, in the course of declaring unconstitutional the aforementioned IPC provision, discussed at length the right to privacy, exploring it as a function of dignity. To divide what the Delhi High Court said about the right into three parts — first, they discussed privacy as dealing with persons and not places,[12] implying that the right to privacy is not only a claim to space from state intervention but that it protects the autonomy of the private will and a person’s freedom of choice and action, second, they tied it in with dignity and connected it with the value and worth of all individuals,[13] and third, they talked of the right to privacy as being based on one’s autonomous identity. In the context of privacy, this means that it is "the inner sanctum of the person such as his/her family life, sexual preference and home environment which is shielded from erosion by conflicting rights of the community."

While there will be a bit of a before-Naz/after-Naz tint to the analysis, it is important to appreciate that the nature of privacy discourse when it comes to sexual minorities remains somewhat murky even after the grand affirmation that the judgment provided. A large part of this of course is concerned with society struggling to catch up with the developments in the law.

Before moving on to the next chapter, I’ll unpack the term "sexual minority" to delineate the different communities that will feature in the course of this paper, whilst also attempting to renegotiate the idea of privacy contextually. Using Arvind Narrain’s seminal monograph Queer as a template,[14] the term gay will be employed to describe a man who is attracted to another man emotionally, sexually or physically; a lesbian woman is attracted to women emotionally, sexually or romantically; while someone who is bisexual maintains that attraction towards members of both sexes. A transgender person assumes the gender identity of the opposite sex; within Indian discourse they are called as hijras, constituted of a transgender person who is biologically male and takes on the gender role of a female. The hijra community in India maintains a unique form of social organization within its parallel society. We then have the term "eunuch", used in a more derogatory fashion, which medically refers to a castrated male, and is sometimes employed in India to refer to the hijras. Another South Asian constructed identity is that of the kothi — a male homosexual who is feminized and takes a passive/receptive role in sex.

The next section of this study will look at a string of privacy concerns of sexual minorities in India as sourced from various studies and media reports. The analysis pauses at the interplay of rights surrounding the transgender community in particular: how do issues of recognition of their particular category impact members of the community? The subsequent section jumps past the timeline of the Naz Foundation judgment to understand the kind of changes – if at all – that the high court’s words have effected when it comes to this idea of privacy.

Privacy Rights and Wrongs

The incidents highlighted in this chapter took place before the Delhi High Court altered the way we conceived of queer rights in general and privacy in particular. Two issues permeate this analysis: one, the notion of criminality hovering above queer identity, and two, the somewhat one-dimensional idea of privacy that existed then. A third, more complex issue in the context of the hijra community becomes the idea that one conception of privacy may not always be the most empowering for a community, and the subsequent negotiations that have to be made in that sphere.

Entrapment: The Lucknow Incidents

In July of 2001, a set of raids: first on a public park frequented by the men who have sex with men (MSM)[15] community, and next on the offices of two NGOs working on safe sex issues led to the arrests of ten people. The operation was conducted on the basis of an FIR filed with a Lucknow police station wherein it was alleged that a certain Suresh had sodomized the complainant. Notable in the incident was the climate of homophobia stoked by the media which indulged in sensationalizing headlines,[16] with the magistrate concerned further refusing bail to the men. In denial of bail, instead of siding with the relevant law, the magistrate clearly proceeded on the basis of his perceptions regarding homosexuality: "they…are polluting the entire society by encouraging the young persons and abetting them for committing the offence of sodomy."[17]

If we were to extend the Supreme Court’s reasoning in the catena of surveillance cases vis-a-vis privacy starting from Kharak Singh v. State of U.P., [18] it is clear that the NGO members’ right to privacy was violated by the way of unwarranted search and seizure operations carried out by the police. As the court said in Govind v. State of M.P.,[19] domiciliary visits and picketing by the police should be reduced to the clearest cases of danger to community security. While the judges were referring to matters relating to follow-up from a conviction/release from prison, it seems evident that a higher standard should be given to cases where such prior conviction itself hasn’t taken place.

As for the accused, Narrain notes how the response of the State and media ended up harming them, regardless of the final judicial decision. [20] The public hearings meant that in Lucknow, their sexual identities became public, with a definite impact on their future prospects and present perceptions. The question, as Narrain poses, is the issue of the suitability of the courts to protect the rights of people who are still in the closet. If approaching the courts means compulsory 'outing' with all its attendant negative outcomes, how does one articulate the rights of such a minority?[21]

There are thus three major facets of privacy violation here: the police’s lawlessness resulting in the primary intrusion; the media’s sensationalization which harshly exposed the accused to the public glare; and finally, the magistrate’s bias which legitimized these privacy violations.

Yet another set of arrests took place in the city, this time in 2006, with the police in Lucknow arresting four men under section 377 for allegedly having sex in a public park. News reports revealed pictures of all the four men with their names and home addresses.[22]

The first information report (FIR) here contradicted the investigation of a fact finding team of activists and lawyers: it emerged that none of the men were actually involved having public sex, with the story by the police being a completely fabricated one. It turned out that one of the men had been arrested by the police on their knowledge about his homosexuality, following which his contacts were tapped to stage an entrapment of the other three men.[23]

This notion of raiding homosexual gatherings was taken to its extreme by a police raid on a gay party in the outskirts of Mumbai in 2008, in the course of which six persons were detained. "…. neither was he able to give a satisfactory explanation for organizing the party," said the API on questioning the event organizer.[24]

In these instances of interplay between criminal procedure, media ethics and judicial process, it is worth questioning whether general reforms in those areas will positively affect privacy rights of sexual minorities in particular. Unwarranted searches and arrests are barely an uncommon occurrence in the country, neither is the fact of accounts of people’s sexual behaviour finding themselves very publicly outed in the media, and nor, again, are accounts of judges overlooking police excesses rare. It’s a bit difficult to make an exact value judgment over what kinds of privacy violations is more damning, in a society that takes its sexual mores quite seriously, be they with regard to hetero or homosexual sex. More than anything though, that just makes the need for across the board reforms in these areas more urgent, and sharpens the kind of alliances across communities that would be required to effect change. Of course, this kind of advocacy can only happen in an atmosphere where homosexuality continues to be decriminalized – the fate of the Naz Foundation appeal before the Supreme Court is of paramount importance.

Gender Identity and Transgender Issues

A survey of the situation regarding the transgender community in India throws up a fascinating picture of instances where seemingly positive sounding regulation doesn't always serve its intended effects – when such "positive sounding" regulation does happen at all. To start with, there is the question of the status of the transgender community in India itself – a PUCL report[25] notably documented, and numerous reports and articles[26] have affirmed, the reality of the transgender community today as one of harassment, abuse, and sexual violence. These accounts reveal a deep-rooted fear inculcated by mainstream society of sexual and gender non-conformity, which manifests itself in the refusal of basic citizenship rights to these communities.

The PUCL report gives a detailed account of harassment by the police in public places, at home, in police stations, and instances of entrapment similar to the Lucknow cases. Instead of reiterating that aspect which would simply involve repeating the above analysis, this section will look into other gender-specific issues that arise with respect to the community and the multiple questions these give rise to:

Transgender Toilets

The first example relates to efforts by the Chennai Municipal Corporation to build toilets specifically for the transgender population,[27] in a move stated as being part of a pilot project to recognize the considerable community in South and Central Chennai. Each lavatory in these toilets was to contain male, as well as female urinals. In the words of the municipal commissioner, the scheme was aimed at "extending recognition to the community and mainstreaming them", and more facilities could be built if the public responded well to the idea.

The reaction from the community was mixed at best: sure, it was regarded as a positive move to the extent that not every person who identified themselves as transgender had undergone sex change; simultaneously, the city saw one section of the community fearing the move as a step towards discrimination and isolation. "I don’t agree with this. We want to mingle with the mainstream. We don’t want to be separated like this," said Aasha Bharati, president of the Aravanigal Association. The idea of privacy here is at odds with something else the community is striving for: inclusion. The fear then was of one kind of recognition trumping another. What would a policy maker then privilege? Would this possibly be a better short-term move, as we move towards a future understanding of not being disabled by difference, or would the ideal of privacy trump even that?

The way this issue has played out in the Indian context stands in interesting contrast to cases in America. A bill in Maine which would allow restroom owners in business establishments and institutions from mandating what gender persons would use what washroom was met with sharp opposition from the transgender community on claims of dignity and privacy.[28] For a person who, say, externally had strongly masculine features, but identified as a woman, two options existed: either break the law and walk discreetly into the male compartment – or risk the outrage of other women as she walked into their compartment and was faced with their indignation of having a "man" use their toilet. In such an instance, there stand two rival conceptions of privacy: one in which respecting privacy would, somewhat ironically, stand as a transgender person’s right to assert their distinct identity in public without fear, versus a conception of privacy as anonymity – their right not to be compelled to make a political statement in the course of going about their daily lives.

Now that kind of issue wouldn’t come up in the Indian context for a large section of the transgender community simply owing to the hyper-visibility of the hijras. For all its contemporary stigmatization, the hijra community is a discernible one in public with an acknowledged history. Hijras have won elections in India, and are very much an acknowledged part of public space.[29] To that extent, privacy isn’t quite the overriding concern here in the way that it might be in the West – one might even say that the lack of such a conception can in this particular case be somewhat empowering.

Passport Forms

The next example concerns gender-sensitivity when it comes to passport forms.[30] The Ministry of External Affairs moved to allow for the option of entering a person's sex as "E" instead of either "M" or "F", the "E" then standing for "Eunuch". At the time of introduction of this category there was a degree of ambivalence: it was not available on the form itself, instead being listed as an option only in the rules. As activists noted however, it was a victory in the sense of being the first official recognition of the community. The particular category of recognition was problematic: for one the term "eunuch" would only reasonably represent one part of the transgender population; for another, large sections of the community would consider that term insulting. The government subsequently made an ameliorative measure by changing the category to "Other".[31] Again, the logical privacy question that would arise here would be regarding one's desire to be identified as transgendered in the first place. Similar to the toilets example, the issue would play out differently in India in many cases, given the hyper-visibility of the hijra community which provides an instant marker for a hijra, and subsequently ensures that there isn’t really a privacy violation when it comes to such kind of identification.

Of course, this declaration of otherness leads to issues for someone uncomfortable with disclosing transgender identity as such, and wanting to perform maleness or femaleness specifically. Would marking either the "M" or "F" column be considered an illegality?

Recognition – and Resolving Privacy

Where official recognition is clearly ameliorative, it doesn't always stay. Following years of struggle, the community was given recognition in Andhra Pradesh under the Minorities Welfare Department. It was short-lived, however: protests by religious minority groups forced the government to go back on its decision.[32] The kind of privacy violations that the hijra community suffers in India are thus in stark contrast to the kinds suffered by members of the gay and lesbian community: where one side deals with its invisibility, the other contends with the problems of its hyper-visibility. Hijras walk about as constant targets of police intrusion. A gay man or lesbian woman wouldn’t necessarily face those issues at the same level, except in instances where public sex is involved. The exceptions to even that are incidents of entrapment such as the Lucknow case, but it is evident that it is the hijra community which deals with such police action much more than the others. What is also uniquely empowering for the community is this very aspect of their identity, this ever-present identification. The kind of fears of disclosure and blackmail that someone who fears outing might face fizzle out in the case of the hijras.

The discourse gets complicated when you take up the identities of non-hijra transgendered persons: there are the female-to-male transgendered identities of Thirunambigal in Tamil Nadu, Magaraidu in Andhra Pradesh and Gandabasaka in Karnataka – as well as male to female identities such as the Jogappas in Northern Karnataka, and Jogathas in Andhra Pradesh.[33] The idea of hyper-visibility which is so crucial to locating a sense of empowerment for the hijra community in their lack of loss of privacy disappears here. The discussion here then springs back to the U.S. example of transgender toilets, and the complications that arise when external identity doesn’t necessarily match the internal one.

The Medical Establishment[34]

Relevant to this section of the study is the understanding of privacy under the ambit of autonomy. Referring to Naz Foundation, instead of using liberty to describe and support privacy as under Article 21 of the Constitution of India, the court refers to autonomy holding that "exercise of autonomy enables an individual to attain fulfillment, grow in self-esteem and form relationships of his or her choice and fulfill all legitimate goals that he/she may set."[35];

The medical establishment in India constantly undermines that autonomy by its treatment of homosexuality as a disease, and of LGBT persons as "others". LGBTs in India have often been detained in clinics against their will and subjected to treatment including shock therapy aimed at curing them.[36]

In 2001, the National Human Rights Commission (NHRC) admitted a complaint from a patient at the All Indian Institute of Medical Sciences, alleging psychiatric abuse at the hands of the consulting doctor, having been put on a four year course of drugs and told he had to be "cured" of his homosexuality. The NHRC finally chose to reject the complaint, with informal conversations with the chairman showing his belief that till section 377 was read down, nothing could be done. [37]

According to Vinay Chandran, Executive Director of the Swabhava Trust, medicine in India continues to be obsessed with curing homosexuality, with health professionals in many places still offering behavioural therapy including electric shock treatment as well as psychiatric drugs and hormones in order to "cure" patients of homosexual desire. Vinay reports that a couple of psychiatrists in Bangalore mentioned that there were possibilities of discovering which gene determines sexual preference and scientifically suppressing it.[38]

Of course quacks exist across the spectrum, and medicinal malpractice is barely limited to serving disastrous advice/ treatment to persons "afflicted" with homosexuality. For understanding how the debate moves beyond merely unqualified doctors, we have to factor in the category of ego-dystonic homosexuality, which is endorsed by the WHO. Here, the gender identity or sexual preference of the individual is not in doubt, but the individual wishes it were different and seeks treatment.[39]

The way a number of psychiatrists’ engage with the situation is summed up by the statement: "it’s not my job to tell him that it’s okay to be gay." No, the psychiatrist’s job it seems is to attempt to "cure" the oft-acknowledged incurable.

The fundamental factor not taken into account is that it is very often the environment that surrounds expression of homosexual identity that the patient is concerned about, as opposed to merely the idea of being LGBT. The relationship between patient and doctor is a fiduciary one, premised on absolute trust. In consulting a doctor, the patient entrusts fundamental decision making powers to the practitioner. The medical professional is often unable to comprehend the question of choice. This in turn results in effectively infringing the patient’s autonomy: the component of attaining fulfillment, the growth in self-esteem that the Delhi High Court elaborated on is robbed in the process of stifling sexuality, even when it is something the patient specifically requests the doctor for.

Lesbian Unions

Maya Sharma, in her book Loving Women locates the stories of a number of working-class lesbian women struggling to be with each other against the odds.[40] In a vein that parallels the reaction elicited to inter-religious or inter-caste marriages in a number of regions, it is often the honour of a family/village that is invoked in opposition to the demands of two people who want to be each other. One incident involves a woman who "dares" to elope with another being beaten and stripped, having her face blackened and being paraded around a village with a garland of shoes on her neck. Sahayatrika, a lesbian women's collective in Kerala has documented 24 cases of lesbian couple suicides in Kerala during the period between 1996 and 2004.[41] Earlier this year, two sets of lesbian couples committed suicide within a month of each – one in Sonarpur,.[42] and the other in Nandigram.[43]

Sexuality has often been used as a means for controlling women. The immoral/ tainted woman when placed in contrast with the idealized image of the model Indian woman is an image played out in various daily social interactions. In carrying out the agenda of control, the act of agency displayed by women who choose to step out of the heterosexual woodwork is a direct threat to that very system. The acts of family members in attempting to separate lesbian unions display a lack of respect for autonomy and for the private decisions of the women concerned. The feelings of fear, shame and isolation experienced by women who dare to explore their sexuality are compounded by instances of persecution by the family. The state is further complicit in numerous documented instances with the police often working with the family to track down the runaway brides and get them back home to familial watch under lock and key.

Privacy again battles with privacy in this realm: an oft-heard feminist critique of privacy hinges on the idea that privacy can be dangerous for women when it is used to cover up repression and physical harm to them by creation of the public/private divide.[44] The private realm is premised on non-intervention by the State. In this instance however, it is another aspect of privacy that needs to be valued, and one that even calls for state intervention: the aforementioned act of autonomy.

Privacy in the Time of Naz

The examples up until now have been coloured with a pre-Naz conception of privacy and queer rights – this chapter takes up two incidents post the judgment that captured the public imagination. First is the sting operation carried out on an Allahabad Muslim University professor that began a chain of events leading to his death; the second is an "expose" on the gay community carried by TV9. In both incidents, the "Spectre of Naz" [45] looms in the background, in many ways acting as an empowering, legitimizing force.

The Allahabad Muslim University Sting Operation

In February 2010, newspapers widely reported the story of Dr. Shrinivas Ramchandra Siras a 64 year-old Reader & Chairman, Department of Modern Indian Languages, Aligarh Muslim University (AMU) being filmed having consensual sex with another adult male. When the video was made public, AMU suspended Siras for immoral sexual activity.[46] The implications of the suspension both in terms of the perception of homosexuality as immoral despite the judgment of the Delhi High Court as well as the disturbing nature of the occurrence of the filming of Dr. Siras in the privacy of his home prompted a nationwide outrage.[47]

On April 1 of the same year, the Allahabad High Court ordered AMU to reinstate Siras, holding that his right to privacy had been violated, stating "the right of privacy is a fundamental right, needs to be protected and that unless the conduct of a person, even if he is a teacher is going to affect and has substantial nexus with his employment, it may not be treated as misconduct."[48]

Then comes the news that Uttar Pradesh police had arrested two of those who broke into Siras’ house and filmed him. Many university officials were also charged with criminal offences. As Vinay Sitapati notes, none of this could have happened in a context where gay sex was illegal. In that context, it would have been Siras who was the criminal, and the additional wrongs done simply irrelevant – "this is not how the story was supposed to pan out. Those who broke into Siras’s house and AMU (and there are allegations that they are one and the same) assumed that Siras’s transgressions were so repellent, that their own would be forgiven." The judicial narrative — of a victimized Siras, a callous administration and criminal house-breakers — owes much to the Delhi High Court’s view that Siras’s sexual choice was legitimate.[49]

Going back to the understanding that the right to privacy is integrally linked to the notion of autonomy and the right to live with dignity ‒ it is this most fundamental of Constitutional safeguards that the AMU authorities clearly colluded in negating by being complicit in the sting operation and subsequently suspending Dr. Siras. A press release by the AMU authorities demonstrated a continuing disrespect for privacy: "the university respects the privacy of a teacher living in its premises but it also expects everyone to behave in a respectful manner giving due regard to its valued cultural ethos and the campus sensitivity including their neighbours concerns and to the great moral credentials that AMU has been nurturing since its inception."[50]

The TV9 “Expose”

In February of 2011, the news channel TV9 aired what it called an expose on the Hyderabad gay community titled "Gay Culture in Hyderabad". The video starts by worrying about how gay culture in Hyderabad is "increasing drastically". Following this, footage of a gay club is shown, without any attempt to blank out faces. The show then puts itself in the mode of investigative journalism, as TV9 sets itself the target of exposing the "truth" about gay culture in the city.

Next, viewers are informed about gay dating websites, with the anchor taking special care to inform viewers that it is software employees and students who mostly "fall prey" to this gay culture. Then, in an astonishingly blunt violation of privacy, pictures of men on one dating site are flashed on the screen, accompanied by conversations between the concerned man and a TV9 journalist soliciting sex. "While some do it for new pleasures, some get spoilt by friends, others do it for the crave of money and the remaining are vowed by the lust some of them have changed it into a business by capturing teenager's mind and get them into hell."

The video recording of the telecast on YouTube was taken off the site following a sustained protest from users of the site. Notices for legal action were sent to TV9 offices, including a detailed petition from Adhikaar, a Delhi based NGO. Two questions were primarily asked on LGBT mailing lists across the country[51]: first, regarding how safe establishing one’s homosexual identity online, or attending gay parties would be anymore, and secondly, whether a protest should take place, and what the nature of the same should be.

As highlighted by the petition drafted by Adhikaar, a Delhi-based NGO, this act of TV9 was violative of Code 6 of the News Broadcasters Association Code which deals with matters of privacy, and states:[52]

"As a rule channels must not intrude on private lives, or personal affairs of individuals, unless there is a clearly established larger and identifiable public interest for such a broadcast. The underlying principle that news channels abide by is that the intrusion of the private spaces, records, transcripts, telephone conversations and any other material will not be for salacious interest, but only when warranted in the public interest."

By way of entrapping a set of gay men through calling them and asking them pointed personal questions about their sexual lives, TV9 was further in violation of Code 9 (Self-Regulation Section) of the News Broadcasters Association which deals with sting operations and which states:[53]

"As a guiding principle, sting and undercover operations should be a last resort of news channels in an attempt to give the viewer comprehensive coverage of any news story. News channels will not allow sex and sleaze as a means to carry out sting operations, the use of narcotics and psychotropic substances or any act of violence, intimidation, or discrimination as a justifiable means in the recording of any sting operation."

A month later, the News Broadcasting Standards Authority, New Delhi censured TV9 and ordered it to pay a fine of Rs.1,00,000 and broadcast an apology in prime time both in English and in Telugu. The Authority determined that TV9 has violated the codes of ethics and broadcasting standards.[54]

Justice JS Verma called the story a sensationalized depiction of gay culture in Hyderabad and the story needlessly violated the privacy of individuals, with possible alternate sexual orientation. He also pointed out that alternate sexual orientation is no longer considered as a taboo or a criminal act. The channel was directed to run an apology for three consecutive days beginning the Monday next, in prime time with the following text:

"TV9 apologizes for the story “Gay Culture Rampant in Hyderabad” telecast on this channel on 22 February, 2011 from3.11 p.m. to 3.17 p.m. particularly since the story invaded the privacy of certain persons and was in violation of the Code of Ethics & Broadcasting Standards of the News Broadcasters Association. Any hurt or harm caused to any person thereby is sincerely regretted."

Again, it must be noted that the order of the NBSA would not have been possible in a context where gay sex was illegal: it is that very notion that allowed the Authority to move past the issue of homosexuality and instead delve into the merits of the actual harm done here.

Conclusion

It is possible to mount an argument that nothing has really changed post-Naz. The AMU’s attitude even in the face of the flak it received after the sting operation was phlegmatic at best: a summary statement saying that while it respected his privacy, it also expected a certain degree of behavior keeping in line with its "valued cultural ethos". Reactions like this threaten to lock the idea of privacy into a closed epistemic loop of judicial discourse: the courts might go hoarse extolling the significance of privacy, but it is for nought if the AMU decides it can still walk away with its flagrant violation of basic civil liberties. Or perhaps the frenzy generated by the incident will work as a deterrent factor to future institutions fixing their moral gaze upon their members. The strength of an incident as precedent can only be gauged effectively by how its future echoes use it as a reference point.

Meanwhile, what do these stories tell us about privacy?

The issues faced by the transgender community tell us that privacy doesn’t necessarily encompass a one-size-fits-all approach, and can raise as many questions as it answers. The issues faced by the Lucknow NGOs narrate a tale of institutionalized disrespect for privacy that has marginally more devastating consequences for the homosexual community by the spectre of outing. The issues faced by lesbian women evidence yet another need for breaching the public/private divide, demonstrating how the protection of the law might be welcome in the family sphere regardless of the bull-in-a-china-shop[55] prophecies of doom. Alternate sexual orientation and gender identity might bring the community under a common rubric, but distilling the components of that rubric is essential for engaging in any kind of useful understanding of the community and the kind of privacy violations it suffers – or engage with situations when the lack of privacy is empowering.

Selected incidents reported from 2001-2011

1	NGO charged with running gay club	8 July 2001	Times of India	http://goo.gl/MNHzw
2	Homosexuality okay if practiced in private	14 September 2011	Sify News	http://goo.gl/iF3PQ
3	Male callers harass lesbian helpline	26 October 2003	Mid Day Mumbai	http://goo.gl/Xf0fj
4	Lesbian marriages, born of a legal loophole, stir debate in India	4 February 2005	DesPardes	http://goo.gl/O30Hf
5	Third sex finds a place on Indian passport forms	10 March 2005	Telegraph	http://goo.gl/nBQIt
6	Lesbian couple sparks debate in Uttar Pradesh state	9 April 2005	Sify News	http://goo.gl/9GxuF
7	The Indian city of Chennai is set to build toilets for trans people	July 2005	Pink News	http://goo.gl/52Llq
8	Homosexual gangs	3 January 2006	Pioneer	http://goo.gl/NX2NP
9	Nihal was used to homosexual sex since 1986	4 January 2006	Dainik Jagran	http://goo.gl/NX2NP
10	Ain’t no cure for love	6 June 2006	India Together	http://goo.gl/V9Vjn
11	Police bust gay party	4 February 2008	Times of India	http://goo.gl/n2nyz
12	Aligarh Muslim University professor suspended for being gay	18 February 2010	Times of India	http://goo.gl/D8LuD
13	Class monitors	8 March 2010	Outlook	http://goo.gl/Q2dkV
14	Aligarh gay professor found dead, may have killed self	8 April 2010	Times of India	http://goo.gl/FyeIz
15	AMU professor a victim of clash between ‘tradition’ and privacy	25 February 2010	The Hindu	http://goo.gl/AtiJW
16	Criminal case registered against six in gay professor case	10 April 2010	India Today	http://goo.gl/LfwDI
17	AMU Prof promised money for sex: Rickshaw-puller	19 April 2010	Times of India	http://goo.gl/aXmBz
18	Varsity paid for sting on gay professor	19 February 2010	India Today	http://goo.gl/cyQxL
19	TV channel outs gay men, women in Hyderabad	24 February 2010	NDTV	http://goo.gl/w6NG4
20	News Broadcasting Standards Authority censures TV9 over privacy violations	25 March 2011	Privacy India	http://goo.gl/rY7bT
21	In a first, Gurgaon Court recognizes lesbian marriage	29 July 2011	Times of India	http://goo.gl/70KPr

Notes

[1].Madhavi Goradia Divan, Facets of Media Law, Eastern Book Company, Lucknow, 2006.

[2].For instance, an HIV positive man’s right to marry as discussed in Mr. X v. Hospital Z, 1998 (8) SCC 296.

[3].Section 377, Indian Penal Code.

[4].(2009) 160 DLT 277.

[5].http://www.openletter377.com/, last accessed 20 October 2007.

[6].Olmstead v. U.S., 277 U.S. 438, 478 (1928) (Brandeis, J., dissenting).

[7].Cathy Harris, Outing Privacy Litigation: Towards a Contextual Strategy for Lesbian and Gay Rights, 65 Geo. Wash. L. Rev. 248.

[8].Ibid.

[9].Amita Dhanda, Constructing a New Human Rights Lexicon : Convention on the Rights of Persons with Disabilities, Year 5 No. 8 Sao Paulo June 2008.

[10].See Henry Shue, Basic Rights Subsistence Affluence and US Foreign Policy, Princeton University Press, 2nd ed. 1996.

[11].Naz Foundation v. Government of NCT, Delhi, 160 (2009) DLT 277.

[12].Ibid., 47.

[13].Ibid., 26, 83, 113.

[14].Arvind Narrain, Queer: Law and Despised Sexualities in India, Books for Change, 2004.

[15].Men who have sex with men.

[16]."Gay Club Supplied Boys to Politicians"; "Gay Culture Started in UP in 1998 Itself", The Times of India.

[17].Criminal Misc. Case No. 2054/2001, as taken from Arvind Narrain, Queer: Law and Despised Sexualities in India.

[18].AIR 1963 SC 1295; it was Justice Subba Rao’s minority decision here that laid the foundation for the right to privacy in India.

[19].1975 (2) SCC 148.

[20]. Arvind Narrain, Queer: Law and Despised Sexualities in India, Books for Change, 2004.

[21].Ibid.

[21].Alok Gupta, Section 377 and the Dignity of Indian Homosexuals, http://www.iglhrc.org/binary-data/ATTACHMENT/file/000/000/15-1.pdf, last accessed on 9 August 2011.

[22].Ibid.

[23].http://timesofindia.indiatimes.com/Mumbai/Police_bust_gay_party/articleshow/2753740.cms, last accessed on 8 August 2011.

[24].Human Rights Violations in the Transgender Community: A Report by PUCL-K, 2nd ed. 2005.

[25].http://www.guardian.co.uk/world/2008/jul/04/india-gender, last accessed on 9 August 2011.

[26].http://www.pinknews.co.uk/news/articles/2005-11518.html, last accessed on 10 August 2011.

[27].Transgender people deserve privacy, dignity, in public bathrooms, Maine Opinion, available at http://bangordailynews.com/2011/05/17/opinion/transgender-people-deserve-privacy-dignity-in-public-bathrooms/, last accessed on 20 August 2011.

[28].Transgender people deserve privacy, dignity, in public bathrooms, Maine Opinion, available at http://bangordailynews.com/2011/05/17/opinion/transgender-people-deserve-privacy-dignity-in-public-bathrooms/, last accessed on 20 August 2011.

[29].Siddharth Narrain, Being a Eunuch, available at http://www.countercurrents.org/gen-narrain141003.htm, last accessed on 20 August 2011.

[30].http://webcache.googleusercontent.com/search?q=cache:gLqrElQbWboJ:infochangeindia.org/human-rights/news/-third-sex-finds-a-place-on-indian-passport-forms.html+PASSPORT+APPLICATION+INDIA+gender&cd=4&hl=en&ct=clnk&gl=in&source=www.google.co.in, last accessed on 9 August 2011.

[31].http://passport.gov.in/cpv/ppapp1.pdf, last accessed on 9 August 2011.

[32].http://www.ndtv.com/article/india/andhra-pradesh-government-gives-in-to-sexuality-bias-71454, last accessed on 8 August 2011.

[33].Gee Ameena Suleiman, Non-Hijra Transgenders Struggle for Identity, Daily News and Analysis, available at http://www.dnaindia.com/lifestyle/report_non-hijra-transgenders-struggle-for-identity_1588421, last accessed on 25 August 2011.

[34].Arvind Narrain and Vinay Chandran, It’s Not My Job to tell you It’s okay to be Gay – Medicalisation of Homosexuality: A Queer Critique, available at http://www.altlawforum.org/gender-and-sexuality/publications/medicalizationfinal.rtf/at_download/filehttp://www.altlawforum.org/gender-and-sexuality/publications/medicalizationfinal.rtf/at_download/file, last accessed on 20 August 2011.

[35].160 (2009) DLT 277.

[36].http://www.unhcr.org/refworld/pdfid/4b6fe2110.pdf, last accessed 9 August 2011.

[37].Arvind Narrain. and Tarunabh Khaitan, Medicalisation of Homosexuality : A Human Rights Approach, as taken from Bina Fernandez (ed.), Humjinsi: A Resource Book on Lesbian, Gay and Bisexual Rights in India (New Delhi : India Centre for Human Rights and the Law, 2002).

[38].Vinay Chandran, Ain’t no cure for love, India Together, last accessed on 8 August 2011.

[39].Supra n. 32.

[40].Maya Sharma, Loving Women: Being Lesbian in Unprivileged India, Yoda Press, 2006.

[41].India: Second NGO Shadow Report on CEDAW, November 2006, available at http://www.iwraw-ap.org/resources/pdf/India%20Shadow%20report.pdf, last accessed on 10 September 2011.

[42].http://articles.timesofindia.indiatimes.com/2011-01-24/kolkata/28367047_1_girls-suicide-lesbian-couple, last accessed on 10 September 2011.

[43].http://articles.timesofindia.indiatimes.com/2011-02-22/kolkata/28624865_1_lesbian-couple-suicide-field, last accessed on 10 September 2011.

[44].Saptarshi Mandal, Right to Privacy in Naz Foundation: A Counter-Heteronormative Critique, 3 NUJS L. Rev. 2009.

[45].Vinay Sitapati, The Spectre of Naz, as available at http://www.indianexpress.com/news/the-spectre-of-naz/609695/0, last accessed on 9 August 2011.

[46].http://articles.timesofindia.indiatimes.com/2010-02-18/india/28118769_1_shrinivas-ramchandra-siras-rickshaw-puller-amu-campus, last accessed on 11 August 2011.

[47]. Arvind Narrain, et al, Policing Morality at AMU: An Independent Fact-Finding Report, available at http://www.fridae.com/newsfeatures/2010/03/10/9724.policing-morality-at-amu-an-independent-fact-finding-report?n=sea&nm=amu, last accessed on 11 August 2011.

[48].Dr. Shrinivas Ramchandra Siras & Ors v. The Aligarh Muslim University & Ors, Civil Misc. Writ Petition No.17549 of 2010.

[49].Vinay Sitapati, The Spectre of Naz, as available at http://www.indianexpress.com/news/the-spectre-of-naz/609695/0, last accessed on 9 August 2011.

[50]. Supra n. 32

[51].Lgbt-india@yahoogroups.com. This is possibly the most prolific mailing list for LGBT persons in the country, and is constantly active with atleast 4-5 mails being exchanged per day.

[52].Code of Ethics and Broadcasting Standards of the News Broadcasters Association.

[53].Code 9, Code of Ethics and Broadcasting Standards of the News Broadcasters Association.

[54].TV9 Ordered to Air Apology for Sting available at http://www.dnaindia.com/lifestyle/report_tv9-ordered-to-air-apology-for-sting_1527622, last accessed on 10 September 2011.

[55].“Introduction of constitutional law in the home … is like introducing a bull in a china shop. It will prove to be a ruthless destroyer of the marriage institution”, Rohatgi, J. in Harvinder Kaur v. Harmander Singh Choudhry, AIR 1984 Del 66.

* The author, Danish Sheikh works with the Alternative Law Forum in Bangalore, India.

For more details visit https://cis-india.org/internet-governance/privacy-sexual-minorities

Privacy & Media Law

Sonal Makhija — 2012-12-14T10:26:51Z

In her research, Sonal Makhija, a Bangalore-based lawyer, tries to delineate the emerging privacy concerns in India and the existing media norms and guidelines on the right to privacy. The research examines the existing media norms (governed by Press Council of India, the Cable Television Networks (Regulation) Act, 1995 and the Code of Ethics drafted by the News Broadcasting Standard Authority), the constitutional protection guaranteed to an individual’s right to privacy upheld by the courts, and the reasons the State employs to justify the invasion of privacy. The paper further records, both domestic and international, inclusions and exceptions with respect to the infringement of privacy.

Introduction

Last year’s satirical release, Peepli [Live], accurately captured what takes place in media news rooms. The film revolves around a debt-ridden farmer whose announcement to commit suicide ensue a media circus. Ironically, in the case of the Radia tapes, the same journalists found themselves in the centre of the media’s frenzy-hungry, often intrusive and unverified style of reporting.[1] Exposés, such as, the Radia tapes and Wikileaks have thrown open the conflict between the right to information, or what has come to be called ‘informational activism’, and the right to privacy. Right to information and the right to communicate the information via media is guaranteed under Article 19(1) (a) of the Constitution of India. In State of Uttar Pradesh v Raj Narain,[2] the Supreme Court of India held that Article 19(1) (a), in addition, to guaranteeing freedom of speech and expression, guarantees the right to receive information on matters concerning public interest. However, more recently concerns over balancing the right to information with the right to privacy have been raised, especially, by controversies like the Radia-tapes.

For instance, last year Ratan Tata filed a writ petition before the Supreme Court of India alleging that the unauthorised publication of his private conversations with Nira Radia was in violation of his right to privacy. The writ, filed by the industrialist, did not challenge the action of the Directorate-General of Income Tax to record the private conversations for the purpose of investigations. Instead, it was challenging the publication of the private conversations that took place between the industrialist and Nira Radia by the media. Whether the publication of those private conversations was in the interest of the public has been widely debated. What the Tata episode brought into focus was the need for a law protecting the right to privacy in India.

India, at present, does not have an independent statute protecting privacy; the right to privacy is a deemed right under the Constitution. The right to privacy has to be understood in the context of two fundamental rights: the right to freedom under Article 19 and the right to life under Article 21 of the Constitution.

The higher judiciary of the country has recognised the right to privacy as a right “implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21”. The Indian law has made some exceptions to the rule of privacy in the interest of the public, especially, subsequent to the enactment of the Right to Information Act, 2005 (RTI). The RTI Act, makes an exception under section 8 (1) (j), which exempts disclosure of any personal information which is not connected to any public activity or of public interest or which would cause an unwarranted invasion of privacy of an individual. What constitutes an unwarranted invasion of privacy is not defined. However, courts have taken a positive stand on what constitutes privacy in different circumstances.

The purpose of this paper is to delineate the emerging privacy concerns in India and the existing media norms and guidelines on the right to privacy. At present, the media is governed by disparate norms outlined by self-governing media bodies, like the Press Council of India, the Cable Television Networks (Regulation) Act, 1995 and the Code of Ethics drafted by the News Broadcasting Standard Authority (NBSA). The paper examines the existing media norms, constitutional protection guaranteed to an individual’s right to privacy and upheld by courts, and the reasons the State employs to justify the invasion of privacy. The paper records, both domestic and international, inclusions and exceptions with respect to the infringement of privacy.

The paper traces the implementation of media guidelines and the meanings accorded to commonly used exceptions in reporting by the media, like, ‘public interest’ and ‘public person’. This paper is not an exhaustive attempt to capture all privacy and media related debates. It does, however, capture debates within the media when incursion on the right to privacy is considered justifiable. The questions that the paper seeks to respond to are: When is the invasion on the right to privacy defensible? How the media balances the right to privacy with the right to information? How is ‘public interest’ construed in day-to-day reporting? The questions raised are seen in the light of case studies on the invasion of privacy in the media, the interviews conducted with print journalists, the definition of the right to privacy under the Constitution of India and media’s code of ethics.

Constitutional Framework of Privacy

The right to privacy is recognised as a fundamental right under the Constitution of India. It is guaranteed under the right to freedom (Article 19) and the right to life (Article 21) of the Constitution. Article 19(1) (a) guarantees all citizens the right to freedom of speech and expression. It is the right to freedom of speech and expression that gives the media the right to publish any information. Reasonable restrictions on the exercise of the right can be imposed by the State in the interests of sovereignty and integrity of the State, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence. Article 21 of the Constitution provides, "No person shall be deprived of his life or personal liberty except according to procedure established by law." Courts have interpreted the right to privacy as implicit in the right to life. In R.Rajagopal v. State of T.N.[3]; and PUCL v. UOI[4], the courts observed that the right to privacy is an essential ingredient of the right to life.

For instance, in R. Rajagopal v State of Tamil Nadu, Auto Shankar — who was sentenced to death for committing six murders — in his autobiography divulged his relations with a few police officials. The Supreme Court in dealing with the question on the right to privacy, observed, that the right to privacy is implicit in the right to life and liberty guaranteed to the citizens of the country by Article 21. It is a ‘right to be left alone.’ "A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters.” The publication of any of the aforesaid personal information without the consent of the person, whether accurate or inaccurate and ‘whether laudatory or critical’ would be in violation of the right to privacy of the person and liable for damages. The exception being, when a person voluntarily invites controversy or such publication is based on public records, then there is no violation of privacy.

In PUCL v. UOI,[5]which is popularly known as the wire-tapping case, the question before the court was whether wire-tapping was an infringement of a citizen’s right to privacy. The court held that an infringement on the right to privacy would depend on the facts and circumstances of a case. It observed that, "telephone conversation is an important facet of a man's private life. Right to privacy would certainly include telephone-conversation in the privacy of one's home or office. Telephone-tapping would, thus, infract Article 21 of the Constitution of India unless it is permitted under the procedure established by law." It further observed that the right to privacy also derives from Article 19 for "when a person is talking on telephone, he is exercising his right to freedom of speech and expression."

In Kharak Singh v. State of U.P,[6] where police surveillance was being challenged on account of violation of the right to privacy, the Supreme Court held that domiciliary night visits were violative of Article 21 of the Constitution and the personal liberty of an individual.

The court, therefore, has interpreted the right to privacy not as an absolute right, but as a limited right to be considered on a case to case basis. It is the exceptions to the right to privacy, like ‘public interest’, that are of particular interest to this paper.

International Conventions

Internationally the right to privacy has been protected in a number of conventions. For instance, the Universal Declaration of Human Rights, 1948 (UDHR) under Article 12 provides that:

"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, or to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

The UDHR protects any arbitrary interference from the State to a person’s right to privacy. Similarly, International Covenant on Civil and Political Rights, 1976 (ICCPR) under Article 17 imposes the State to ensure that individuals are protected by law against “arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. [7]

Thus, ensuring that States enact laws to protect individual’s right to privacy. India has ratified the above conventions. The ratification of the Conventions mandates the State to take steps to enact laws to protect its citizens. Although, human right activists have periodically demanded that the State take adequate measures to protect human rights of the vulnerable in society, the right to privacy has received little attention.

Similarly, Article 16 of the Convention on the Rights of the Child (CRC) provides protection to a minor from any unlawful interference to his/her right to privacy and imposes a positive obligation on States who have ratified the convention to enact a law protecting the same. India does have safeguards in place to protect identity of minors, especially, juveniles and victims of abuse. However, there are exceptions when the law on privacy does not apply even in case of a minor.

The right to privacy, therefore, is not an absolute right and does not apply uniformly to all situations and all class of persons. For instance, privacy with respect to a certain class of persons, like a person in public authority, affords different protection as opposed to private individuals.

Public Person

In case of a representative of the public, such as a public person, the right to privacy afforded to them is not of the same degree as that to a private person. The Press Council of India (PCI) has laid down Norms of Journalistic Conduct, which address the issue of privacy. The PCI Norms of Journalistic Conduct, recognises privacy as an inviolable human right, but adds a caveat; that the degree of privacy depends on circumstances and the person concerned.

In the landmark judge’s asset case, CPIO, Supreme Court of India vs Subhash Chandra Agarwal,[8] the court recognised the tension between the right to information and the right to privacy, especially, with respect to public persons. The case arose from an application filed by a citizen who was seeking information under the RTI Act on whether judges of high courts and Supreme Court were filing asset declarations in accordance with full resolution of the Supreme Court. The court held that information concerning private individuals held by public authority falls within the ambit of the RTI Act. It remarked that whereas public persons are entitled to privacy like private persons, the privacy afforded to private individuals is greater than that afforded to those in public authority, especially in certain circumstances.

The court commented:

"A private citizen's privacy right is undoubtedly of the same nature and character as that of a public servant. Therefore, it would be wrong to assume that the substantive rights of the two differ. Yet, inherent in the situation of the latter is the premise that he acts for the public good, in the discharge of his duties, and is accountable for them. The character of protection, therefore, afforded to the two classes — public servants and private individuals, is to be viewed from this perspective. The nature of restriction on the right to privacy is therefore, of a different order; in the case of private individuals, the degree of protection afforded is greater; in the case of public servants, the degree of protection can be lower, depending on what is at stake."

In testing whether certain information falls within the purview of the RTI Act, the court said one should consider the following three tests:

whether the disclosure of the personal information is with the aim of providing knowledge of the proper performance of the duties and tasks assigned to the public servant in any specific case;
whether the information is deemed to comprise the individual's private details, unrelated to his position in the organization, and,
whether the disclosure will furnish any information required to establish accountability or transparency in the use of public resources.

Would this rule hold true for information on relatives/ friends of public persons? The rule is that, unless, private information on relatives/friends of public person’s impacts public interest and accountability, the information should not be revealed.

In 2010, the media reported that Sunanda Pushkar, a close friend of the Minister of State for External Affairs, Shashi Tharoor, holds a significant holding in the IPL Kochi team. The media exposure led to the exit of Shashi Tharoor from the government. While the media’s questioning of Pushkar’s holdings was legitimate, the media’s reporting on her past relationships and how she dressed had no bearing on public interest or accountability.[9] The media accused Pushkar of playing proxy for Tharoor in the Rs. 70 crore sweat equity deal. Much of the media attention focussed on her personal life, as opposed to, how she attained such a large stake in the IPL Kochi team. It minutely analysed her successes and failures, questioned her ability and accused her of having unbridled ambition and greed for money and power.[10]

If one was to consider the rules of privacy set by the court in the judges assets’ case much of the personal information published by the media on Tharoor and Pushkar, failed to shed light on the IPL holdings or the establishment of the nexus between the IPL holdings and the government involvement.

The tests delineated by the court in considering what personal information regarding a public authority may be shared under the RTI Act, can be adopted by the media when reporting on public officials. If personal information divulged by the media does not shed light on the performance of a public official, which would be of public interest, then the information revealed violates the standards of privacy. Personal details which have no bearing on public resources or interests should not be published.

The media coverage of the Bombay terror attacks displayed the same lack of restraint, where the minutest details of a person’s last communication with his/her family were repeatedly printed in the media. None of the information presented by the media revealed anything new about the terror attack or emphasised the gravity of the attack.

A senior journalist, who talked off the record and reported on the Mumbai terror attacks, agreed that the media overstepped their limits in the Mumbai terror attacks. As per her, violation of privacy takes place at two stages: the first time, when you overstep your boundaries and ask a question you should not have, and the second, when you publish that information. Reflecting on her ten years of reporting experience, she said, “Often when you are covering a tragedy, there is little time to reflect on your reporting. Besides, if you, on account of violating someone’s privacy, choose not to report a story, some competing paper would surely carry that story. You would have to defend your decision to not report the story to your boss.” The competitiveness of reporting and getting a story before your competitor, she agreed makes even the most seasoned journalists ruthless sometimes. Besides, although PCI norms exist, not many read the PCI norms or recall the journalistic ethics when they are reporting on the field.[11]

The PCI Norms reiterate that the media should not intrude "the privacy of an individual, unless outweighed by genuine overriding public interest, not being a prurient or morbid curiosity."[12] The well accepted rule, however, is that once a matter or information comes in the public domain, it no longer falls within the sphere of the private. The media has failed to make the distinction between what is warranted invasion of privacy and what constitutes as an unwarranted invasion of privacy. For instance, identity of a rape or kidnap victim that would further cause discrimination is often revealed by the media.

Safeguarding Identity of Children

The Juvenile Justice (Care and Protection of Children) Act lays down that the media should not disclose the names, addresses or schools of juveniles in conflict with the law or that of a child in need of care and protection, which would lead to their identification. The exception, to identification of a juvenile or child in need of care and protection, is when it is in the interest of the child. The media is prohibited from disclosing the identity of the child in such situations.

Similarly, the Convention on the Rights of the Child (CRC) stipulates that:

Article 16

No child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, or correspondence, nor to unlawful attacks on his or her honour and reputation.
The child has the right to the protection of the law against such interference or attacks.

Article 40 of the Convention, states that the privacy of a child accused of infringing penal law should be protected at all stages of the proceedings.

Almost all media, print and broadcast, fail to observe these guidelines. Prashant Kulkarni[13] (name changed), who was a photographer with Reuters a few years ago, said that in Reuters photographs taken by photojournalists could not be altered or edited, to ensure authenticity.

As far as taking photographs of certain vulnerable persons is concerned, he admitted to photographing street children who are drug addicts on the streets of Mumbai. The photographs were published by Reuters. However, when he was on an assignment for an NGO working with children, the NGO cautioned him about photographing children who are drug addicts, to protect their identity. Similarly, identity of HIV and AIDS patients, including children, should be protected and not revealed. Children affected with HIV and AIDS should not be identified by name or photograph, even if consent has been granted by the minor’s parents/guardian.

As a rule, Kulkarni said, he does not seek consent of individuals when he is taking their photographs, if they are in a public place. If they do not object, the assumption is that they are comfortable with being photographed. The PCI norms do not expressly provide that consent of a person should be sought. But, journalists are expected to exercise restraint in certain situations. Likewise, identifying juveniles in conflict with law is restricted. This includes taking photographs of juveniles that would lead to their identification.

Kulkarni, who extensively covered the Bombay train blasts in 2006, explains, "At the time of the Bombay train explosions, I avoided taking pictures that were gory or where dead people could be identified. However, I did take photographs of those injured in the blast and were getting treated in government hospitals. I did not expressly seek their consent. They were aware of being photographed. That is the rule I have applied, even when I was on an assignment in West Africa. I have never been on an assignment in Europe, so am not sure whether I would have applied the same rule of thumb. Nonetheless, now as a seasoned photographer, I would refrain from taking pictures of children who are drug addicts."

Safeguarding Identity of Rape Victims

Section 228A of the Indian Penal Code makes disclosure of the identity of a rape victim punishable. In the recent Aarushi Talwar murder case and the rape of an international student studying at the Tata Institute of Social Sciences (TISS) the media frenzy compromised the privacy of the TISS victim and besmirched the character of the dead person.[14] In the TISS case, the media did not reveal the name of the girl, but revealed the name of the university and the course she was pursuing, which is in violation of the PCI norms. In addition to revealing names of individuals, the PCI norms expressly states that visual representation in moments of personal grief should be avoided. In the Aarushi murder case, the media repeatedly violated this norm.

The media in both cases spent enough newsprint speculating about the crimes. Abhinav Pandey[15] (name changed), a senior journalist reporting on crime, agrees that the media crossed its boundaries in the TISS case by reporting sordid details of how the rape took place. "Names of victims of sexual crime cannot be reported. In fact, in many instances the place of stay and any college affiliation should also be avoided, as they could be easily identified. Explicit details of the offence drawn from the statement given by the victim to the police are irrelevant to the investigation or to the public at large. Similarly, names of minors and pictures, including those of juveniles, have to be safeguarded."

"Crime reporters receive most of their stories from the police. Therefore, one has to be careful before publishing the story. At times in the rigour of competitive journalism, if you decide to publish an unverified story, as a good journalist you should present a counter-point. As a seasoned journalist it is easy to sense when a story is being planted by the police. If you still want to carry the story, one has to be careful not to taint the character of a person," he adds.

"For instance, in my reporting if I find that the information will not add to the investigation, I will not include it in my copy. Last year, we had anonymous letters being circulated among crime reporters which alleged corruption among senior IPS officers. Instead of publishing the information contained in those letters with the names of the IPS officers, we published a story on corruption and cronyism on IPS officers. In the Faheem Ansari matter, who was an accused in the 26/11 trial, I had received his email account password. Accessing his account also amounts to violation of privacy. But, we only published the communication between him and some handlers in Pakistan, which we knew would have an impact on the investigation. Our job requires us to share information in the public domain, sometimes we would violate privacy. Nonetheless, one has to be cautious."

Trial by Media & Media Victimisation

The PCI norms lay down the guidelines for reporting cases and avoiding trial by media. The PCI warns journalists not to give excessive publicity to victims, witnesses, suspects and accused as that amounts to invasion of privacy. Similarly, the identification of witnesses may endanger the lives of witnesses and force them to turn hostile. Zaheera Sheikh, who was a key witness in the Gujarat Best Bakery case, was a victim of excessive media coverage and sympathy. Her turning hostile invited equal amount of media speculation and wrath. Her excessive media exposure possibly endangered her life. Instead, of focussing on the lack of a witness protection program in the country, the media focussed on the twists and turns of the case and the 19 year old’s conflicting statements. The right of the suspect or the accused to privacy is recognised by the PCI to guard against the trial by media.

Swati Deshpande,[16] a Senior Assistant Editor (Law) at the Times of India, Mumbai, observes that, “As a good journalist one will always have more information than required, but whether you publish that information or exercise restraint is up to you.” In a span of 11 years of court reporting, as per her, there have been instances when she has exercised the option of not reporting certain information that could be defamatory and cannot be attributed. If an allegation is made in a court room, but is not supported by evidence or facts, then it is advisable that it be dropped from the report.

"In the Bar Dancers’ case which was before the Bombay High Court, the petition made allegations of all kinds against certain ministers. I did not report that, although I could have justified it by saying it is part of the petition, and I was just doing my job. The allegation was neither backed by facts nor was it of public interest. As a rule one should report on undisputed facts. Then again, with court reporting one is treading on safer grounds, as opposed to other beats."

"In cases of rape when facts are part of the judgement, you report facts that are relevant to the judgement or give you an insight on why the court took a certain view and add value to the copy. One should avoid a situation where facts revealed are offensive or reveal the identity of the victim. The past history of both the victim and the accused should not be reported."

She admitted, that "Media reporting often gives the impression that the accused has committed the crime or the media through its independent investigation wing has found a particular fact. When in fact, it has relied entirely on the information given by the police and failed to question or verify the facts by an independent source. The result is that most crime reporting is one-sided, because the information received from the police is rarely questioned."

As per her, to a certain degree the publication of Tata–Radia conversations did violate Tata’s privacy. "Media needs to question itself prior to printing on how the information is of public interest. Of course, as a journalist you do not want to lose out on a good story, but there needs to be gate keeping, which is mostly absent in most of the media today."

In the Bofors pay-off case[17] the High Court of Delhi, observed that, “The fairness of trial is of paramount importance as without such protection there would be trial by media which no civilised society can and should tolerate. The functions of the court in the civilised society cannot be usurped by any other authority.”[18] It further criticised the trend of police or the CBI holding a press conference for the media when investigation of a crime is still ongoing. The court agreed that media awareness creates awareness of the crime, but the right to fair trial is as valuable as the right to information and freedom of communication.

The 200th report of the Law Commission dealt with the issue of Trial by media: Free Speech vs Fair Trial under Criminal Procedure. The report, focussed on the pre-judicial coverage of a crime, accused and suspects, and how it impacts the administration of justice. The Contempt of Courts Act, under section 2 defines criminal contempt as:

"…the publication, (whether by words, spoken or written or by signs, or by visible representations, or otherwise), of any matter or the doing of any other act whatsoever which
(i) … … … …
(ii) prejudices or interferes or tends to interfere with the due course
of any judicial proceedings; or
(iii) interferes or tends to interfere with or obstructs or tends to obstruct, the administration of justice in any manner."

Section 3(1) of the Act exempts any publication and distribution of publication, "if the publisher had no reasonable grounds for believing that the proceeding was pending”. In the event, the person is unaware of the pendency, any publication (whether by words spoken or written or signs or visible representations) interferes or tends to interfere with or obstructs “the course of justice in connection with any civil or criminal proceeding pending at the time of publication, if at that time he had no reasonable grounds for believing that the proceeding was pending." The report emphasizes that publications during the pre-trial stage by the media could affect the rights of the accused. An evaluation of the accused’s character is likely to affect or prejudice a fair trial.

If the suspect’s pictures are shown in the media, identification parades of the accused conducted under Code of Civil Procedure would be prejudiced. Under Contempt of Court Act, publications that interfere with the administration of justice amount to contempt. Further, the principles of natural justice emphasise fair trial and the presumption of innocence until proven guilty. The rights of an accused are protected under Article 21 of the Constitution, which guarantees the right to fair trial. This protects the accused from the over-zealous media glare which can prejudice the case. Although, in recent times the media has failed to observe restraint in covering high-profile murder cases, much of which has been hailed as media’s success in ensuring justice to the common man.

For instance, in the Jessica Lal murder case, the media took great pride in acting as a facilitator of justice. The media in the case whipped up public opinion against the accused and held him guilty even when the trial court had acquitted the accused. The media took on the responsibility of administering justice and ensuring the guilty are punished, candle light vigils and opinion polls on the case were organised by the media. Past history of the accused was raked up by the media, including photographs of the accused in affluent bars and pubs in the city were published after he was acquitted. The photographs of Manu Sharma in pubs insinuated how he was celebrating after his acquittal.

The Apex Court observed that the freedom of speech has to be carefully and cautiously used to avoid interference in the administration of justice. If trial by media hampers fair investigation and prejudices the right of defence of the accused it would amount to travesty of justice. The Court remarked that the media should not act as an agency of the court.[19]

The Court, commented, "Presumption of innocence of an accused is a legal presumption and should not be destroyed at the very threshold through the process of media trial and that too when the investigation is pending."[20]

Sting Operations

On 30 August, 2007 Live India, a news channel conducted a sting operation on a Delhi government school teacher forcing a girl student into prostitution. Subsequent to the media exposé, the teacher Uma Khurana[21] was attacked by a mob and was suspended by the Directorate of Education, Government of Delhi. Later investigation and reports by the media exposed that there was no truth to the sting operation. The girl student who was allegedly being forced into prostitution was a journalist. The sting operation was a stage managed operation. The police found no evidence against the teacher to support allegations made by the sting operation of child prostitution. In this case, the High Court of Delhi charged the journalist with impersonation, criminal conspiracy and creating false evidence. The Ministry of Information and Broadcasting sent a show cause notice to TV-Live India, alleging the telecast of the sting operation by channel was “defamatory, deliberate, containing false and suggestive innuendos and half truths."[22]

Section 5 of the Cable Television Networks (Regulation) Act, 1995 and the Cable Television Network Rules (hereafter the Cable Television Networks Act), stipulates that no programme can be transmitted or retransmitted on any cable service which contains anything obscene, defamatory, deliberate, false and suggestive innuendos and half truths. The Rules prescribes a programming code to be followed by channels responsible for transmission/re-transmission of any programme.

The programme code restricts airing of programmes that offend decency or good taste, incite violence, contains anything obscene, defamatory, deliberate, false and suggestive innuendos and half truths, criticises, maligns or slanders any individual in person or certain groups, segments of social, public and moral life of the country and affects the integrity of India, the President and the judiciary. The programme code provided by the Rules is exhaustive. The Act empowers the government to restrict operation of any cable network it thinks is necessary or expedient to do so in public interest.

The court observed that false and fabricated sting operations violate a person’s right to privacy. It further, observed, "Giving inducement to a person to commit an offence, which he is otherwise not likely and inclined to commit, so as to make the same part of the sting operation is deplorable and must be deprecated by all concerned including the media.” It commented that while “…sting operations showing acts and facts as they are truly and actually happening may be necessary in public interest and as a tool for justice, but a hidden camera cannot be allowed to depict something which is not true, correct and is not happening but has happened because of inducement by entrapping a person."[23]

The court criticised the role of the media in creating situations of entrapment and using the ‘inducement test’. It remarked that such inducement tests infringe upon the individual's right to privacy. It directed news channels to take steps to prohibit “reporters from producing or airing any programme which are based on entrapment and which are fabricated, intrusive and sensitive.[24]

The court proposed a set of guidelines to be followed by news channels and electronic media in carrying out sting operations. The guidelines direct a channel proposing to telecast a sting operation to obtain a certificate from the person who recorded or produced the same certifying that the operation is genuine to his knowledge. The guidelines propose that the Ministry of Information and Broadcasting should set up a committee which would have the powers to grant permission for telecasting sting operations. The permission to telecast a sting operation should be granted by the committee only if it is satisfied about the overriding public interest to telecast the sting operation. The guidelines mandate that, in addition, to ensuring accuracy, the operation should not violate a person’s right to privacy, "unless there is an identifiable large public interest” for broadcasting or publishing the material. However, the court failed to define what constitutes 'larger public interest'.

The PCI norms also lay down similar guidelines which require a newspaper reporting a sting operation to obtain a certificate from the person involved in the sting to certify that the operation is genuine and record in writing the various stages of the sting. The decision to report the sting vests with the editor who merely needs to satisfy himself that the sting operation is of public interest.

In addition, to the Cable Television Networks Act and the PCI norms, the News Broadcasting Standard Authority (NBSA) was set up in 2008 as a self-regulatory body by News Broadcasters Association.[25] The primary objective of the NBSA is to receive complaints on broadcasts. The NBSA has drafted a Code of Ethics and Broadcasting Standards governing broadcasters and television journalists. The Code of Ethics provides guiding principles relating to privacy and sting operations that broadcasters should follow.

With respect to privacy, the Code directs channels not to intrude into the private lives of individuals unless there is a “clearly established larger and identifiable public interest for such a broadcast.” Any information on private lives of persons should be “warranted in public interest.” Similarly, for sting operations, the Code directs that they should be used as “a last resort” by news channels and should be guided by larger public interest. They should be used to gather conclusive evidence of criminality and should not edit/alter visuals to misrepresent truth.

In a recent judgement on a supposed sting operation conducted by M/s. Associated Broadcasting Company Pvt. Limited[26] on TV9 on ‘Gay culture rampant in Hyderabad’, the NBA took suo motu notice of the violation of privacy of individuals with alternate sexual orientation and misuse of the tool of sting operation. NBA in its judgement held that the Broadcaster had violated clauses on privacy, sting operations and sex and nudity of the Code of Ethics. It further, observed, that the Broadcaster and the story did not reveal any justifiable public interest in using the sting operation and violating the privacy of individuals. In this particular case, the Broadcaster had revealed the personal information and faces of supposedly gay men in Hyderabad to report on the ‘underbelly’ of gay culture and life. However, the news report, as NBSA observed, did not prove any criminality and was merely a sensational report of gay culture allegedly prevalent in Hyderabad.

The PCI norms provide that the press should not tape-record conversations without the person’s express consent or knowledge, except where it is necessary to protect a journalist in a legal action or for “other compelling reason.” What constitutes a compelling reason is left to the discretion of the journalist.

It was in the 1980s, that the first sting operation on how women were being trafficked was carried out by the Indian Express reporter Ashwin Sarin. As part of the sting, the Express purchased a tribal girl called Kamla. Subsequently, in 2001, the sting operation conducted by Tehelka exposed corruption in defence contracts using spy cams and journalists posing as arms dealers. The exposé on defence contracts led to the resignation of the then defence minister George Fernandes. Sting operations gained legitimacy in India, especially in the aftermath of the Tehelka operation, exposing corruption within the government. The original purpose of a sting operation or an undercover operation was to expose corruption. Stings were justifiable only when it served a public interest. Subsequent to the Tehelka exposé, stings have assumed the status of investigative journalism, much of which has been questioned in recent times, especially, with respect to ethics involved in conducting sting operations and the methods of entrapment used by the media. Further, stings by Tehelka, where the newspaper used sex workers to entrap politicians have brought to question the manner in which stings are operated. Although, the overriding concern surrounding sting operations has been its authenticity, as opposed to, the issue of personal privacy.

For instance, in March 2005 a television news channel carried out a sting operation involving Bollywood actor Shakti Kapoor to expose the casting couch phenomenon in the movie industry. The video showing Shakti Kapoor asking for sexual favours from an aspiring actress, who was an undercover reporter, was received with public outrage. Nonetheless, prominent members of the media questioned the manner in which the sting was conducted. The sting was set up as an entrapment. The court has taken a strong view against the use of entrapment in sting operations. In the case of the Shakti Kapoor sting, privacy of the actor was clearly violated. The manner in which the sting was conducted casts serious doubt on who was the victim.[27]

Additionally, the sting violated the PCI norms. It failed to provide a record of the various stages of how the sting operation was conducted. In United Kingdom, the media when violating privacy of a person has to demonstrate that it is in the interest of the public.

International Law on Media & Privacy Ethics

United Kingdom

The Press Complaints Commission (PCC), UK is a self-regulatory body similar to NBA. The PCC has put down code of ethics to be followed by journalists. The PCC guidelines provide that everyone has the right to privacy and editors must provide reason for intrusions to a person’s privacy. This includes photographing individuals in private places without their consent. Interestingly, private places include public or private property "where there is a reasonable expectation of privacy." In India however, as Kulkarni pointed out, photographs are taken without the consent of an individual if he/she is in a public space.

Like the PCI norms, the PCC Code lays down guidelines to follow when reporting on minors (below 16 years of age) who have been victims of sexual assault. As per the guidelines, the identity of the children should be protected. Further, relatives or friends of persons convicted or accused of a crime should not be identified without their consent, unless the information is relevant to the story. References to a person’s race, colour, sexual orientation and gender should be avoided. For instance, the media reportage of the TISS rape case, which revealed the nationality and colour of the victim, would be in violation of the PCC Code. In the TISS rape case, the information on the nationality and colour of the victim was not only irrelevant to the story, but as amply demonstrated by the media it reinforced prejudices against white women as ‘loose or amoral’.[28]

As far as sting operations are concerned, the PCC lays down that the press must not publish material acquired by hidden camera or clandestine devices by intercepting private messages, emails or telephone calls without consent. However, revealing private information in cases of public interest is an exception to the general rule to be followed with respect to individual privacy. The PCC defines public interest to include, but it is not restricted to:

"i) Detecting or exposing crime or serious impropriety
ii) Protecting public health and safety
iii) Preventing the public from being misled by an action or statement of an individual or organisation"

It requires editors to amply demonstrate that a publication is of public interest. In case the material is already in public domain the same rules of privacy do not apply. However, in cases involving children below 16 years of age, editors must demonstrate exceptional public interest that overrides the interest of the child. Tellingly, the PCC recognises freedom of expression as public interest.

The PCC, to ensure that persons are not hounded by the media have started issuing desist orders. The PCC issues a desist notice to editors to prevent the media from contacting the person. Preventive pre-publication is when the PCC pre-empts a story that may be pursued or published and attempts to either influence the reporting of the story in a way that it is not in violation of a person’s privacy or persuades the media house not to publish the story. The PCC, however, does not have the powers to prevent publication.

Further, United Kingdom is a member of the European Convention on Human Rights (ECHR), which guarantees the right to privacy under Article 8 of the Convention: "Everyone has the right to respect for his private and family life, his home and his correspondence."

However, there is no independent law which recognises the right to privacy. The judiciary however has protected the right to privacy in several occasions, like in the famous J.K. Rowling case where the English Court held, that a minor’s photograph without the consent of the parent or guardian, though not offensive, violates the child’s right to privacy.[29]

France

The French legal system protects the right to privacy under: Article 9 of the Civil Code.

Article 9 of the Civil Code states:

Everyone has the right to respect for his private life. Without prejudice to compensation for injury suffered, the court may prescribe any measures, such as sequestration, seizure and others, appropriate to prevent or put an end to an invasion of personal privacy; in case of an emergency those measures may be provided for by an interim order. The right to privacy allows anyone to oppose dissemination of his or her picture without their express consent.

Article 9 covers both the public and private spheres, and includes not merely the publication of information but also the method of gathering information. Also, in France violation of one’s privacy is a criminal offence. This includes recording or transmitting private conversations or picture of a person in a private place without the person’s consent. This implies that privacy is not protected in a public place. Any picture taken of a person dead or alive, without their prior permission, is prohibited. Buying of such photographs where consent of a person also constitutes as an offence. Journalists, however, are not disqualified from the profession if they have committed such an offence.[30]

France has the Freedom of the Press of 29 July 1881 which protects minors from being identified and violent and licentious publication which targets minors. It punishes slander, publication of any information that would reveal the identity of a victim of a sexual offence, information on witnesses and information on court proceedings which include a person’s private life.[31]

Sweden

Privacy is protected in Sweden under its Constitution. All the four fundamental laws of the country: the Instrument of Government, the Act of Succession, the Freedom of the Press Act, and the Fundamental Law on Freedom of Expression protect privacy. The Instrument of Government Act of 1974 provides for the protection of individual privacy. It states that freedom of expression is limited under Article 13 of the Constitution:

"Freedom of expression and freedom of information may be restricted having regard to the security of the Realm, the national supply, public safety and order, the integrity of the individual, the sanctity of private life, or the prevention and prosecution of crime. Freedom of expression may also be restricted in economic activities. Freedom of expression and freedom of information may otherwise be restricted only where particularly important reasons so warrant."

Sweden has a Press Council which was established in 1916. The Council consists of the Swedish Newspaper Publishers' Association, the Magazine Publishers' Association, the Swedish Union of Journalists and the National Press Club. The Council consists of "a judge, one representative from each of the above-mentioned press organisations and three representatives of the general public who are not allowed to have any ties to the newspaper business or to the press organisations."

Additionally, there is an office of the Press Ombudsman which was established in 1969. Earlier the Swedish Press Council used to deal with complaints on violations of good journalistic practice. After the setting up of the Press Ombudsman, the complaints are first handled by the Press Ombudsman, who is empowered to take up matters suo motu. "Any interested members of the public can lodge a complaint with the PO against newspaper items that violate good journalistic practice. But, the person to whom the article relates to must provide a written consent, if the complaint is to result in a formal criticism of the newspaper."[33]

The Swedish Press Council reports that in the recent years, 350-400 complaints have been registered annually, of which most concern coverage of criminal matters and invasion of privacy.

Sweden, additionally, has a Code of Ethics which applies to press, radio and television. The Code of Ethics was adopted by the Swedish Co-operation Council of the Press in September 1995. The Code of Ethics for Press, Radio and Television in Sweden has been drawn up by the Swedish Newspaper Publishers' Association, the Magazine Publishers' Association, the Swedish Union of Journalists and the National Press Club.

The Code of Ethics lay down norms to be followed in respect of privacy. It states that caution should be exercised when publishing information that:

Infringes on a persons’ privacy, unless it is obviously in public interest,
Information on suicides or attempted suicides
Information on victims of crime and accidents. This includes publication of pictures or photographs[34]

Race, sex, nationality, occupation, political affiliation or religious persuasion in certain cases, especially when such information is of no importance, should not be published.

One should exercise care in use of pictures, especially, retouching a picture by an electronic method or formulating a caption to deceive the reader. In case a picture has been retouched, it should be indicated below the photograph.

Further, the Code asks journalists to consider “the harmful consequences that might follow for persons if their names are published” and names should be published only if it is in the public interest. Similarly, if a person’s name is not be revealed, the media should refrain from publishing a picture or any particulars with respect to occupation, title, age, nationality, sex of the person, which would enable identification of the person.

In case of court reporting or crime reporting, the Code states that the final judgement of the Court should be reported and given emphasis, as opposed to conducting a media trial. In addition, Sweden has incorporated the ECHR in 1994.

Japan

The Japan Newspaper Publishers & Editors Association or Nihon Shinbun Kyokai (NSK),[35] was established in 1946 as an independent and voluntary organisation to establish the standard of reporting, and protect and promote interests of the media. The organisation as part of its mandate has developed the Canon of Journalism, which provides for ethics and codes members of the body should follow. The Canon recognises that with the easy availability of information, the media constantly has to grapple with what information should be published and what should be held back. The Code provides that journalists have a sense of responsibility and should not hinder public interests. In addition, to ensuring accuracy and fairness, the Code states that respect of human rights, includes respect for human dignity, individual honour and right to privacy. Right to privacy is acknowledged as a human right.

Japan does not have an information ministry or organs like the PCC in the U.K. or the Press Ombudsman in Sweden. Apart from the Canon, the NSK has a code for marketing of newspapers, an advertising code and the Kisha club guidelines.[36]

Japan in 2003 formulated the Personal Information Protection Act, which regulates public and private sector. The Act, which came into effect in 2005, aims to ensure that all personal data collected by the public and private sector are handled with care. The Act requires that the purpose of collecting personal information and its use should be specified, information should be acquired by fair means, any information should not be supplied to third parties without prior consent of the individual concerned.

Netherlands

The right to privacy is protected under Article 10 of the Netherlands Constitution. Further, the Article also provides for the enactment of Rules for dissemination of personal data and the right of persons to be informed when personal data is being recorded.

Netherlands also has the Netherlands Press Council which keeps the media in check. The Code of the International Federation of Journalists and the Code of Conduct for Dutch Journalists was drafted by the Dutch Society of Editors-in-Chief to establish media reporting standards. These guidelines can be disregarded by the media only in cases involving social interest.

The Code recognises:

That a person’s privacy should not be violated when there is no overriding social interest;
In cases concerning public persons violation of privacy would take place, but they have the right to be protected, especially, if that information is not of public interest;
The media should refrain from publishing pictures and images of persons without prior permission of persons. Similarly, the media should not publish personal letters and notes without the prior permission of those involved;
The media should refrain from publishing pictures and information of suspects and accused; and
Details of criminal offence should be left out if they would add to the suffering of the victim or his/her immediate family and if they are not needed to demonstrate the nature and gravity of the offence or the consequences thereof.

Conclusion

The right to privacy in India has failed to acquire the status of an absolute right. The right in comparison to other competing rights, like, the right to freedom of speech & expression, the right of the State to impose restrictions on account of safety and security of the State, and the right to information, is easily relinquished. The exceptions to the right to privacy, such as, overriding public interest, safety and security of the State, apply in most countries. Nonetheless, as the paper demonstrates, unwarranted invasion of privacy by the media is widespread. For instance, in the UK, Sweden, France and Netherlands, the right to photograph a person or retouching of any picture is prohibited unlike, in India where press photographers do not expressly seek consent of the person being photographed, if he/she is in a public space. In France, not only is the publication of information is prohibited on account of the right to privacy, but the method in which the information is procured also falls within the purview of the right to privacy and could be violative. This includes information or photograph taken in both public and private spaces. Privacy within public spaces is recognised, especially, “where there is reasonable expectation of privacy.” The Indian norms or code of ethics in journalism fail to make such a distinction between public and private space. Nor do the guidelines impose any restrictions on photographing an individual without seeking express consent of the individual.

The Indian media violates privacy in day-to-day reporting, like overlooking the issue of privacy to satisfy morbid curiosity. The PCI norms prohibit such reporting, unless it is outweighed by ‘genuine overriding public interest’. Almost all the above countries prohibit publication of details that would hurt the feelings of the victim or his/her family. Unlike the UK, where the PCC can pass desist orders, in India the family and/or relatives of the victims are hounded by the media.

In India, the right to privacy is not a positive right. It comes into effect only in the event of a violation. The law on privacy in India has primarily evolved through judicial intervention. It has failed to keep pace with the technological advancement and the burgeoning of the 24/7 media news channels. The prevalent right to privacy is easily compromised for other competing rights of ‘public good’, ‘public interest’ and ‘State security’, much of what constitutes public interest or what is private is left to the discretion of the media.

Notes

[1]The Radia Tapes’ controversy concerns recording of conversations between the lobbyist Nira Radia and politicians, industrialists, bureaucrats and journalists with respect to the 2G spectrum scam. The tapes were recorded by the Income Tax Department. The role played by the media, especially some prominent journalists, in scam has been questioned. A handful of magazines and newspapers have questioned the media ethics employed by these journalists, whose recorded conversations are in the public domain or have been published by a few political magazines. The publication of the recorded conversations by a few media publications has received a sharp reaction from the said journalists. They have accused those media journals of unverified reporting and conducting a smear campaign against them.

[2]1975 AIR 865, 1975 SCR (3) 333.

[3](1994) 6 S.C.C. 632.

[4]AIR 1997 SC 568.

[5]AIR 1997 SC 568.

[6]AIR 1997 SC 568.

[7]International Covenant on Civil and Political Rights, Part III Art. 17. Available at: http://www2.ohchr.org/english/law/ccpr.htm [Last accessed 20//04/2011].

[8]W.P. (C) 288/2009

[9]PTI, Media just turned me into a 'slut' in IPL row: Sunanda Pushkar, 23/04/2010 Available at http://articles.timesofindia.indiatimes.com/2010-04-23/india/28149154_1_sunanda-pushkar-shashi-tharoor-ipl-kochi [Last accessed 20/04/2011].

[10]Vrinda Gopinath, "Got A Girl, Named Sue", 26/04/2010 Available at http://www.outlookindia.com/article.aspx?265098 [Last accessed 20/04/2011]

[11]Interview with Senior Assistant Editor, Hindustan Times, on 18.04.11.

[12]Guideline 6 (i) Right to Privacy, Norm if Journalistic Conduct, PCI.

[13]Interview with a freelance photographer and a former Reuters photographer on 16.04.11.

[14]Kumar, Vinod, “Raped American student’s drink not spiked in our bar,” 16.04.09 Available at http://www.mid-day.com/news/2009/apr/160409-Mumbai-News-Raped-American-student-date-drug-CafeXO-Tata-Institute-of-Social-Sciences.htm, Anon, “Party pics boomerangon TISS rape victim” , 04 .05.09, Available at http://www.mumbaimirror.com/index.aspx?page=article§id=15&contentid=2009050420090504031227495d8b4e80f [Last Accessed April 20,2011].

[15]Interview with Abhinav Pandey, crime reporter with a leading newspaper, on 21.04.11.

[16]Interview with Swati Deshpande, Senior Assistant Editor (Law), Times of India, on 15.04.11.

[17]Crl.Misc.(Main) 3938/2003

[18]Ibid.

[19]Sidhartha Vashisht @ Manu Sharma vs State (Nct Of Delhi), Available at http://www.indiankanoon.org/doc/1515299/.

[20]Ibid

[21]WP(Crl.) No.1175/2007

[22]Ibid

[23]Ibid

[24]Ibid

[25]NBA is a community formed by private television & current affairs broadcasters. As per the NBA website, it currently has 20 leading news channels and current affairs broadcaster as its members. Complaints can be filed against any of the broadcasters that are members of NBA on whom the Code of Ethics is binding.

[26]For additional details, please refer to the website: http://www.nbanewdelhi.com/authority-members.asp [Last Accessed April 20,2011]

[27]TNN, “'Full video will further embarrass Shakti', 15.03.2005 Available at http://articles.timesofindia.indiatimes.com/2005-03-15/mumbai/27849089_1_sting-operation-shakti-kapoor-film-industry.

[28]For more details please refer to the PCC website: http://www.pcc.org.uk/ [Last Accessed April 20,2011].

[29]Singh, A., May 2008, “JK Rowling wins privacy case over son's photos”http://www.telegraph.co.uk/news/uknews/1936471/JK-Rowling-wins-privacy-case-over-sons-photos.html [Last Accessed April 20,2011].

[30]For more details, please refer to: http://www.kbkcl.co.uk/2008/03/privacy-law-the-french-experience/ and http://ambafrance-us.org/spip.php?article640 [Last Accessed April 20,2011].

[31]For more details, please refer to:http://www.ambafrance-uk.org/Freedom-of-speech-in-the-French.html [Last Accessed April 20,2011].

[32]http://www.po.se/english/how-self-regulation-works [Last Accessed April 20,2011].

[33]Ibid.

[34]Please refer to this website for additional details: http://ethicnet.uta.fi/sweden/code_of_ethics_for_the_press_radio_and_television and http://www.po.se/english/code-of-ethics/85-code-of-ethics-for [Last Accessed April 20,2011].

[35]http://www.pressnet.or.jp/english/index.htm [Last Accessed April 20,2011].

[36]Kisha Clubs, are clubs where only a few media houses/newspapers have access to public institution information. They have been criticised for its lack of openness and encouraging monopoly on reporting.

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-media-law

Press Release, March 15, 2016: The New Bill Makes Aadhaar Compulsory!

Amber Sinha — 2016-03-16T10:11:32Z

We published and circulated the following press release on March 15, 2016, to highlight the fact that the Section 7 of the Aadhaar Bill, 2016 states that authentication of the person using her/his Aadhaar number can be made mandatory for the purpose of disbursement of government subsidies, benefits, and services; and in case the person does not have an Aadhaar number, s/he will have to apply for Aadhaar enrolment.

Nandan Nilekani, the former chairperson of the Unique Identification Authority of India had repeatedly stated that Aadhaar is not mandatory. However, in the last few years various agencies and departments of the government, both at the central and state level, had made it mandatory in order to be able to avail beneficiary schemes or for the arrangement of salary, provident fund disbursals, promotion, scholarship, opening bank account, marriages and property registrations. In August 2015, the Supreme Court passed an order mandating that the Aadhaar number shall remain optional for welfare schemes, stating that no person should be denied any benefit for reason of not having an Aadhaar number, barring a few specified services.

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, however, has not followed this mandate. Section 7 of the Bill states that “a person should be authenticated or give proof of the Aadhaar number to establish his/her identity” “as a condition for receiving subsidy, benefit or service”. Further, it reads, “In the case a person does not have an Aadhaar number, he/she should make an application for enrollment.” The language of the provision is very clear in making enrollment in Aadhaar mandatory, in order to be entitled for welfare services. Section 7 also says that “the person will be offered viable and alternate means of identification for receiving the subsidy, benefit or service. However, these unspecified alternate means will be made available in the event “an Aadhaar number is not assigned”. This language is vague and it is not clear whether it mandates alternate means of identification for those who choose not to apply for an Aadhaar number for any reason. The fact that it does make it mandatory to apply for an Aadhaar number for persons without it, may lead to the presumption that the alternate means are to be made available for those who may have applied for an Aadhaar number but it has not been assigned for any reason. It is also noteworthy that draft legislation is silent on what the “viable and alternate means of identification” could be. There are a number of means of identification, which are recognised by the state, and a schedule with an inclusive list could have gone a long way in reducing the ambiguity in this provision.

Another aspect of Section 7 which is at odds with the Supreme Court order is that it allows making an Aadhaar number mandatory for “for receipt of a subsidy, benefit or service for which the expenditure is incurred” from the Consolidated Fund of India. The Supreme Court had been very specific in articulating that having an Aadhaar number could not be made compulsory except for “any purpose other than the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene” or for the purpose of the LPG scheme. The restriction in the Supreme Court order was with respect to the welfare schemes, however, instead of specifying the schemes, Section 7 specified the source of expenditure from which subsidies, benefits and services can be funded, making the scope much broader. Section 7, in effect, allows the Central Government to circumvent the Supreme Court order if they choose to tie more subsidies, benefits and services to the Consolidated Fund of India.

These provisions run counter to the repeated claims of the government for the last six years that Aadhaar is not compulsory, nor is the specification by the Supreme Court for restricting use of Aadhaar to a few services only, reflected anywhere in the Bill. The “viable and alternate means” clause is too vague and inadequate to prevent denial of benefits to those without an Aadhaar number. The sum effect of these factors is to give the Central Government powers to make Aadhaar mandatory, for all practical purposes.

For more details visit https://cis-india.org/internet-governance/blog/press-release-aadhaar-15032016-the-new-bill-makes-aadhaar-compulsory

Press Release, March 11, 2016: The Law cannot Fix what Technology has Broken!

Japreet Grewal and Sunil Abraham — 2016-03-16T10:10:40Z

We published and circulated the following press release on March 11, 2016, as the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. This Bill was proposed by finance minister, Mr. Arun Jaitley to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).

The Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 today. This Bill was proposed by finance minister, Mr. Arun Jaitley to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).

The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. The Bill has made it compulsory for an individual to enrol under Aadhaar in order to receive any subsidy, benefit or service from the Government. Biometric information that is required for the purpose of enrolment has been deemed "sensitive personal information" and restrictions have been imposed on use, disclosure and sharing of such information for purposes other than authentication, disclosure made pursuant to a court order or in the interest of national security. Here, the Bill has acknowledged the standards of protection of sensitive personal information established under Section 43A of the Information Technology Act, 2000. The Bill has also laid down several penal provisions for acts that include impersonation at the time of enrolment, unauthorised access to the Central Identities Data Repository, unauthorised use by requesting entity, noncompliance with intimation requirements, etc.

Key Issues

1. Identification without Consent

Before the Aadhaar project it was not possible for the Indian government to identify citizens without their consent. But once the government has created a national centralized biometric database it will be possible for the government to identify any citizen without their consent. Hi-resolution photography and videography make it trivial for governments and also any other actor to harvest biometrics remotely. In other words, the technology makes consent irrelevant. A German ministers fingerprints were captured by hackers as she spoke using hand gesture at at conference. In a similar manner the government can now identify us both as individuals and also as groups without requiring our cooperation. This has direct implications for the right to privacy as we will be under constant government surveillance in the future as CCTV camera resolutions improve and there will be chilling effects on the right to free speech and the freedom of association. The only way to fix this is to change the technology configuration and architecture of the project. The law cannot be used as band-aid on really badly designed technology.

2. Fallible Technology

The technology used for collection and authentication as been said to be fallible. It is understood that the technology has been feasible for a population of 200 million. The Biometrics Standards Committee of UIDAI has acknowledged the lack of data on how a biometric authentication technology will scale up where the population is about 1.2 billion. Further, a report by 4G Identity Solutions estimates that while in any population, approximately 5% of the people have unreadable fingerprints, in India it could lead to a failure to enroll up to 15% of the population.

We know that the Aadhaar number has been issued to dogs, trees (with the Aadhaar letter containing the photo of a tree). There have been slip-ups in the Aadhaar card enrolment process, some cards have ended up with pictures of an empty chair, a tree or a dog instead of the actual applicants. An RTI application has revealed that the Unique Identification Authority of India (UIDAI) has identified more than 25,000 duplicate Aadhaar numbers in the country till August 2015.

At the stage of authentication, the accuracy of biometric identification depends on the chance of a false positiveâ€” the probability that the identifiers of two persons will match. For the current population of 1.2 billion the expected proportion of duplicates is 1/121, a ratio which is far too high. In a recent paper in EPW by Hans Mathews, a mathematician with CIS, shows that as per UIDAI's own statistics on failure rates, the programme would badly fail to uniquely identify individuals in India. [1]

Endnote

[1] See: http://cis-india.org/internet-governance/blog/epw-27-february-2016-hans-varghese-mathews-flaws-in-uidai-process

For more details visit https://cis-india.org/internet-governance/blog/press-release-aadhaar-11032016-the-law-cannot-fix-what-technology-has-broken

Predictive Policing: What is it, How it works, and its Legal Implications

Rohan George — 2015-11-24T16:31:41Z

This article reviews literature surrounding big data and predictive policing and provides an analysis of the legal implications of using predictive policing techniques in the Indian context.

Introduction

For the longest time, humans have been obsessed with prediction. Perhaps the most well-known oracle in history, Pythia, the infallible Oracle of Delphi was said to predict future events in hysterical outbursts on the seventh day of the month, inspired by the god Apollo himself. This fascination with informing ourselves about future events has hardly subsided in us humans. What has changed however is the methods we employ to do so. The development of Big data technologies for one, has seen radical applications into many parts of life as we know it, including enhancing our ability to make accurate predictions about the future.

One notable application of Big data into prediction caters to another basic need since the dawn of human civilisation, the need to protect our communities and cities. The word 'police' itself originates from the Greek word 'polis', which means city. The melding of these two concepts prediction and policing has come together in the practice of Predictive policing, which is the application of computer modelling to historical crime data and metadata to predict future criminal activity[1]. In the subsequent sections, I will attempt an introduction of predictive policing and explain some of the main methods within the domain of predictive policing. Because of the disruptive nature of these technologies, it will also be prudent to expand on the implications predictive technologies have for justice, privacy protections and protections against discrimination among others.

In introducing the concept of predictive policing, my first step is to give a short explanation about current predictive analytics techniques, because these techniques are the ones which are applied into a law enforcement context as predictive policing.

What is predictive analysis

Facilitated by the availability of big data, predictive analytics uses algorithms to recognise data patterns and predict future outcomes[2]. Predictive analytics encompasses data mining, predictive modeling, machine learning, and forecasting[3]. Predictive analytics also relies heavily on machine learning and artificial intelligence approaches [4]. The aim of such analysis is to identify relationships among variables that may not be immediately apparent using hypothesis-driven methods.[5] In the mainstream media, one of the most infamous stories about the use of predictive analysis comes from USA, regarding a department store Target and their data analytics practices [6]. Target mined data from purchasing patterns of people who signed onto their baby registry. From this they were able to predict approximately when customers may be due and target advertisements accordingly. In the noted story, they were so successful that they predicted pregnancy before the pregnant girl's father knew she was pregnant. [7]

Examples of predictive analytics

Predicting the success of a movie based on its online ratings[8]
Many universities, sometimes in partnership with other firms use predictive analytics to provide course recommendations to students, track student performance, personalize curriculum to individual students and foster networking between students.[9]
Predictive Analysis of Corporate Bond Indices Returns[10]

Relationship between predictive analytics and predictive policing

The same techniques used in many of the predictive methods mentioned above find application into some predictive policing methods. However two important points need to be raised:

First, predictive analytics is actually a subset of predictive policing. This is because while the steps in creating a predictive model, of defining a target variable, exposing your model to training data, selecting appropriate features and finally running predictive analysis [11] maybe the same in a policing context, there are other methods which may be used to predict crime, but which do not rely on data mining. These techniques may instead use other methods, such as some of those detailed below along with data about historical crime to generate predictions.

In her article "Policing by Numbers: Big Data and the Fourth Amendment"[12], Joh categorises 3 main applications of Big data into policing. These are Predictive Policing, Domain Awareness systems and Genetic Data Banks. Genetic data banks refer to maintaining large databases of DNA that was collected as part of the justice system. Issues arise when the DNA collected is repurposed in order to conduct familial searches, instead of being used for corroborating identity. Familial searches may have disproportionate impacts on minority races. Domain Awareness systems use various computer software and other digital surveillance tools such as Geographical Information Systems [13] or more illicit ones such as Black Rooms[14] to "help police create a software-enhanced picture of the present, using thousands of data points from multiple sources within a city" [15]. I believe Joh was very accurate in separating Predictive Policing from Domain Awareness systems, especially when it comes to analysing the implications of the various applications of Big data into policing.

In such an analysis of the implications of using predictive policing methods, the issues surrounding predictive technologies often get conflated with larger issues about the application of big data into law enforcement. That opens the debate up to questions about overly intrusive evidence gathering and mass surveillance systems, which though used along with predictive technology, are not themselves predictive in nature. In this article, I aim to concentrate on the specific implications that arise due to predictive methods.

One important point regarding the impact of predictive policing is how the insights that predictive policing methods offer are used. There is much support for the idea that predictive policing does not replace policing methods, but actually augments them. The RAND report specifically cites one myth about predictive policing as "the computer will do everything for you[16]". In reality police officers need to act on the recommendations provided by the technologies.

What is Predictive policing?

Predictive policing is the "application of analytical techniques-particularly quantitative techniques-to identify likely targets for police intervention and prevent crime or solve past crimes by making statistical predictions".[17] It is important to note that the use of data and statistics to inform policing is not new. Indeed, even twenty years ago, before the deluge of big data we have today, law enforcement regimes such as the New York Police Department (NYPD) were already using crime data in a major way. In order to keep track of crime trends, NYPD used the software CompStat[18] to map "crime statistics along with other indicators of problems, such as the locations of crime victims and gun arrests"[19]. The senior officers used the information provided by CompStat to monitor trends of crimes on a daily basis and such monitoring became an instrumental way to track the performance of police agencies[20]. CompStat has since seen application in many other jurisdictions [21].

But what is new is the amount of data available for collection, as well as the ease with which organisations can analyse and draw insightful results from that data. Specifically, new technologies allow for far more rigorous interrogation of data and wide-ranging applications, including adding greater accuracy to the prediction of future incidence of crime.

Predictive Policing methods

Some methods of predictive policing involve application of known standard statistical methods, while other methods involve modifying these standard techniques. Predictive techniques that forecast future criminal activities can be framed around six analytic categories. They all may overlap in the sense that multiple techniques are used to create actual predictive policing software and in fact it is similar theories of criminology which undergird many of these methods, but the categorisation in such a way helps clarify the concept of predictive policing. The basis for the categorisation below comes from a RAND Corporation report entitled 'Predictive Policing: The Role of Crime Forecasting in Law Enforcement Operations' [22], which is a comprehensive and detailed contribution to scholarship in this nascent area.

Hot spot analysis: Methods involving hot spot analysis attempt to "predict areas of increased crime risk based on historical crime data"[23]. The premise behind such methods lies in the adage that "crime tends to be lumpy" [24]. Hot Spot analysis seeks to map out these previous incidences of crime in order to inform potential future crime.

Regression methods: A regression aims to find relationships between independent variables (factors that may influence criminal activity) and certain variables that one aims to predict. Hence, this method would track more variables than just crime history.

Data mining techniques: Data mining attempts to recognise patterns in data and use it to make predictions about the future. One important variant in the various types of data mining methods used in policing are different types of algorithms that are used to mine data in different ways. These are dependent on the nature of the data the predictive model was trained on and will be used to interrogate in the future. Two broad categories of algorithms commonly used are clustering algorithms and classification algorithms:

· Clustering algorithms "form a class of data mining approaches that seek to group data into clusters with similar attributes" [25]. One example of clustering algorithms is spatial clustering algorithms, which use geospatial crime incident data to predict future hot spots for crime[26].

· Classification algorithms "seek to establish rules assigning a class or label to events"[27]. These algorithms use training data sets "to learn the patterns that determine the class of an observation"[28] The patterns identified by the algorithm will be applied to future data, and where applicable, the algorithm will recognise similar patterns in the data. This can be used to make predictions about future criminal activity for example.

Near-repeat methods: Near-repeat methods work off the assumption that future crimes will take place close to timing and location of current crimes. Hence, it could be postulated that areas of high crime will experience more crime in the near future[29]. This involves the use of a 'self-exciting' algorithm, very similar to algorithms modelling earthquake aftershocks [30]. The premise undergirding such methods is very similar to that of hot spot analysis.

Spatiotemporal analysis: Using "environmental and temporal features of the crime location" [31] as the basis for predicting future crime. By combining the spatiotemporal features of the crime area with crime incident data, police could use the resultant information to predict the location and time of future crimes. Examples of factors that may be considered include timing of crimes, weather, distance from highways, time from payday and many more.

Risk terrain analysis: Analyses other factors that are useful in predicting crimes. Examples of such factors include "the social, physical, and behavioural factors that make certain areas more likely to be affected by crime"[32]

Various methods listed above are used, often together, to predict the where and when a crime may take place or even potential victims. The unifying thread which relates these methods is their dependence on historical crime data.

Examples of predictive policing:

Most uses of predictive policing that have been studied and reviewed in scholarly work come from the USA, though I will detail one case study from Derbyshire, UK. Below is a collation of various methods that are a practical application of the methods raised above.

Hot Spot analysis in Sacramento: In February 2011, Sacramento Police Department began using hot spot analysis along with research on optimal patrol time to act as a sufficient deterrent to inform how they patrol high-risk areas. This policy was aimed at preventing serious crimes by patrolling these predicted hot spots. In places where there was such patrolling, serious crimes reduced by a quarter with no significant increases such crimes in surrounding areas[33].

Data Mining and Hot Spot Mapping in Derbyshire, UK: The Safer Derbyshire Partnership, a group of law enforcement agencies and municipal authorities sought to identify juvenile crime hotspots[34]. They used MapInfo software to combine "multiple discrete data sets to create detailed maps and visualisations of criminal activity, including temporal and spatial hotspots" [35]. This information informed law enforcement about how to optimally deploy their resources.

Regression models in Pittsburgh: Researchers used reports from Pittsburgh Bureau of Police about violent crimes and "leading indicator" [36] crimes, crimes that were relatively minor but which could be a sign of potential future violent offences. The researcher ran analysis of areas with violent crimes, which were used as the dependent variable in analysing whether violent crimes in certain areas could be predicted by the leading indicator data. From the 93 significant violent crime areas that were studied, 19 areas were successfully predicted by the leading indicator data.[37]

Risk terrain modelling analysis in Morris County, New Jersey: Police in Morris County, used risk terrain analysis to tackle violent crimes and burglaries. They considered five inputs in their model: "past burglaries, the address of individuals recently arrested for property crimes, proximity to major highways, the geographic concentration of young men and the location of apartment complexes and hotels." [38] The Morris County law enforcement officials linked the significant reductions in violent and property crime to their use of risk terrain modelling[39].

Near-repeat & hot spot analysis used by Santa Cruz Police Department: Uses PredPol software that applies the Mohler's algorithm [40] to a database with five years' worth of crime data to assess the likelihood of future crime occurring in the geographic areas within the city. Before going on shift, officers receive information identifying 15 such areas with the highest probability of crime[41]. The initiative has been cited as being very successful at reducing burglaries, and was used in Los Angeles and Richmond, Virginia[42].

Data Mining and Spatiotemporal analysis to predict future criminal activities in Chicago: Officers in Chicago Police Department made visits to people their software predicted were likely to be involved in violent crimes[43], guided by an algorithm-generated "Heat List"[44]. Some of the inputs used in the predictions include some types of arrest records, gun ownership, social networks[45] (police analysis of social networking is also a rising trend in predictive policing[46]) and generally type of people you are acquainted with [47] among others, but the full list of the factors are not public. The list sends police officers (or sometimes mails letters) to peoples' homes to offer social services or deliver warnings about the consequences for offending. Based in part on the information provided by the algorithm, officers may provide people on the Heat List information about vocational training programs or warnings about how Federal Law provides harsher punishments for reoffending[48].

Predictive policing in India

In this section, I map out some of the developments in the field of predictive policing within India. On the whole, predictive policing is still very new in India, with Jharkhand being the only state that appears to already have concrete plans in place to introduce predictive policing.

Jharkhand Police

The Jharkhand police began developing their IT infrastructure such as a Geographic Information System (GIS) and Server room when they received funding for Rs. 18.5 crore from the Ministry of Home Affairs[49]. The Open Group on E-governance (OGE), founded as a collaboration between the Jharkhand Police and National Informatics Centre[50], is now a multi-disciplinary group which takes on different projects related to IT[51]. With regards to predictive policing, some members of OGE began development in 2013 of data mining software which will scan online records that are digitised. The emerging crime trends "can be a building block in the predictive policing project that the state police want to try."[52]

The Jharkhand Police was also reported in 2012 to be in the final stages of forming a partnership with IIM-Ranchi[53]. It was alleged the Jharkhand police aimed to tap into IIM's advanced business analytics skills [54], skills that can be very useful in a predictive policing context. Mr Pradhan suggested that "predictive policing was based on intelligence-based patrol and rapid response"[55] and that it could go a long way to dealing with the threat of Naxalism in Jharkhand[56].

However, in Jharkhand, the emphasis appears to be targeted at developing a massive Domain Awareness system, collecting data and creating new ways to present that data to officers on the ground, instead of architecting and using predictive policing software. For example, the Jharkhand police now have in place "a Naxal Information System, Crime Criminal Information System (to be integrated with the CCTNS) and a GIS that supplies customised maps that are vital to operations against Maoist groups"[57]. The Jharkhand police's "Crime Analytics Dashboard" [58] shows the incidence of crime according to type, location and presents it in an accessible portal, providing up-to-date information and undoubtedly raises the situational awareness of the officers. Arguably, the domain awareness systems that are taking shape in Jharkhand would pave the way for predictive policing methods to be applied in the future. These systems and hot spot maps seem to be the start of a new age of policing in Jharkhand.

Predictive Policing Research

One promising idea for predictive policing in India comes from the research conducted by Lavanya Gupta and others entitled "Predicting Crime Rates for Predictive Policing"[59], which was a submission for the Gandhian Young Technological Innovation Award. The research uses regression modelling to predict future crime rates. Drawing from First Information Reports (FIRs) of violent crimes (murder, rape, kidnapping etc.) from Chandigarh Police, the team attempted "to extrapolate annual crime rate trends developed through time series models. This approach also involves correlating past crime trends with factors that will influence the future scope of crime, in particular demographic and macro-economic variables" [60]. The researchers used early crime data as the training data for their model, which after some testing, eventually turned out to have an accuracy of around 88.2%.[61] On the face of it, ideas like this could be the starting point for the introduction of predictive policing into India.

The rest of India's law enforcement bodies do not appear to be lagging behind. In the 44^th All India police science congress, held in Gandhinagar, Gujarat in March this year, one of the Themes for discussion was the "Role of Preventive Forensics and latest developments in Voice Identification, Tele-forensics and Cyber Forensics"[62].Mr A K Singh, (Additional Director General of Police, Administration) the chairman of the event also said in an interview that there was to be a round-table DGs (Director General of Police) held at the conference to discuss predictive policing[63]. Perhaps predictive policing in India may not be that far away from reality.

CCTNS and the building blocks of Predictive policing

The Ministry of Home Affairs conceived of a Crime and Criminals Tracking and Network System (CCTNS) as part of national e-Governance plans. According to the website of the National Crime Records Bureau (NCRB), CCTNS aims to develop "a nationwide networked infrastructure for evolution of IT-enabled state-of-the-art tracking system around 'investigation of crime and detection of criminals' in real time" [64]

The plans for predictive policing seem in the works, but first steps that are needed in India across police forces involve digitizing data collection by the police, as well as connecting law enforcement agencies. The NCRB's website described the current possibility of exchange of information between neighbouring police stations, districts or states as being "next to impossible"[65]. The aim of CCTNS is precisely to address this gap and integrate and connect the segregated law enforcement arms of the state in India, which would be a foundational step in any initiatives to apply predictive methods.

What are the implications of using predictive policing? Lessons from USA

Despite the moves by law enforcement agencies to adopt predictive policing, one reality is that the implications of predictive policing methods are far from clear. This section will examine these implications on the carriage of justice and its use in law, as well as how it impacts privacy concerns for the individual. It frames the existing debates surrounding these issues with predictive policing, and aims to apply these principles into an Indian context.

Justice, Privacy & IV Amendment

Two key concerns about how predictive policing methods may be used by law enforcement relate to how insights from predictive policing methods are acted upon and how courts interpret them. In the USA, this issue may finds its place under the scope of IV Amendment jurisprudence. The IV amendment states that all citizens are "secure from unreasonable searches and seizures of property by the government"[66]. In this sense, the IV amendment forms the basis for search and surveillance law in the USA.

A central aspect of the IV Amendment jurisprudence is drawn from United States v. Katz. In Katz, the FBI attached a microphone to the outside of a public phone booth to record the conversations of Charles Katz, who was making phone calls related to illegal gambling. The court ruled that such actions constituted a search within the auspices of the 4^th amendment. The ruling affirmed constitutional protection of all areas where someone has a "reasonable expectation of privacy"[67].

Later cases have provided useful tests for situations where government surveillance tactics may or may not be lawful, depending on whether it violates one's reasonable expectation of privacy. For example, in United States v. Knotts, the court held that "police use of an electronic beeper to follow a suspect surreptitiously did not constitute a Fourth Amendment search"[68]. In fact, some argue that that the Supreme Court's reasoning in such cases suggests " any 'scientific enhancement' of the senses used by the police to watch activity falls outside of the Fourth Amendment's protections if the activity takes place in public"[69]. This reasoning is based on the third party doctrine which holds that "if you voluntarily provide information to a third party, the IV Amendment does not preclude the government from accessing it without a warrant"[70]. The clearest exposition of this reasoning was in Smith v. Maryland, where the presiding judges noted that "this Court consistently has held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties"[71].

However, the third party has seen some challenge in recent time. In United States v. Jones, it was ruled that the government's warrantless GPS tracking of his vehicle 24 hours a day for 28 days violated his Fourth Amendment rights[72]. Though the majority ruling was that warrantless GPS tracking constituted a search, it was in a concurring opinion written by Justice Sonya Sotomayor that such intrusive warrantless surveillance was said to infringe one's reasonable expectation of privacy. As Newell reflected on Sotomayor's opinion,

"Justice Sotomayor stated that the time had come for Fourth Amendment jurisprudence to discard the premise that legitimate expectations of privacy could only be found in situations of near or complete secrecy. Sotomayor argued that people should be able to maintain reasonable expectations of privacy in some information voluntarily disclosed to third parties"[73].

She said that the court's current reasoning on what constitutes reasonable expectations of privacy in information disclosed to third parties, such as email or phone records or even purchase histories, is "ill-suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks"[74].

Predictive policing vs. Mass surveillance and Domain Awareness Systems

However, there is an important distinction to be drawn between these cases and evidence from predictive policing. This has to do with the difference in nature of the evidence collection. Arguably, from Jones and others, what we see is that use of mass surveillance and domain awareness systems, drawing from Joh's categorisation of domain awareness systems as being distinct from predictive policing mentioned above, could potentially encroach on one's reasonable expectation of privacy. However, I think that predictive policing, and the possible implications for justice associated with it, its predictive harms, are quite distinct from what has been heard by courts thus far.

The reason for distinct risks between predictive harms and privacy harms originating from information gathering is related to the nature of predictive policing technologies, and how they are used. It is highly unlikely that the evidence submitted by the State to indict an offender will be mainly predictive in nature. For example, would it be possible to convict an accused person solely on the premise that he was predicted to be highly likely to commit a crime, and that subsequently he did? The legal standard of proving guilt beyond a reasonable doubt [75] can hardly be met solely on predictive evidence for a multitude of reasons. Predictive policing methods could at most, be said to inform police about the risk of someone committing a crime or of crime happening at a certain location, as demonstrated above.

Predictive policing and Criminal Procedure

It may therefore pay to analyse how predictive policing may be used across the various processes within the criminal justice system. In fact, in an analysis of the various stages of criminal procedure, from opening an investigation to gathering evidence, followed by arrest, trial, conviction and sentencing, we see that as the individual gets subject to more serious incursions or sanctions by the state, it takes a higher standard of certainty about wrongdoing and a higher burden of proof, in order to legitimize that particular action.

Hence, at more advanced stages of the criminal justice process such as seeking arrest warrants or trial, it is very unlikely that predictive policing on its own can have a tangible impact, because the nature of predictive evidence is probability based. It aims to calculate the risk of future crime occurring based on statistical analysis of past crime data[76]. While extremely useful, probabilities on their own will not come remotely close meet the legal standards of proving 'guilt beyond reasonable doubt'. It may be at the earlier stages of the criminal justice process that evidence predictive policing might see more widespread application, in terms of applying for search warrants and searching suspicious people while on patrol.

In fact, in the law enforcement context, prediction as a concept is not new to justice. Both courts and law enforcement officials already make predictions about future likelihood of crimes. In the case of issuing warrants, the IV amendment makes provisions that law enforcement officials show that the potential search is based "upon probable cause"[77] in order for a judge to grant a warrant. In US v. Brinegar, probable cause was defined as existing "where the facts and circumstances within the officers' knowledge, and of which they have reasonably trustworthy information, are sufficient in themselves to warrant a belief by a man of reasonable caution that a crime is being committed" [78]. Again, this legal standard seems too high for predictive evidence meet.

However, the police also have an important role to play in preventing crimes by looking out for potential crimes while on patrol or while doing surveillance. When the police stop a civilian on the road to search him, reasonable suspicion must be established. This standard of reasonable suspicion was defined in most clearly in Terry v. Ohio, which required police to "be able to point to specific and articulable facts which, taken together with rational inferences from those facts, reasonably warrant that intrusion"[79]. Therefore, "reasonable suspicion that 'criminal activity may be afoot' is at base a prediction that the facts and circumstances warrant the reasonable prediction that a crime is occurring or will occur"[80]. Despite the assertion that "there are as of yet no reported cases on predictive policing in the Fourth Amendment context"[81], examining the impact of predictive policing on the doctrine of reasonable suspicion could be very instructive in understanding the implications for justice and privacy [82].

Predictive Policing and Reasonable Suspicion

Ferguson's insightful contribution to this area of scholarship involves the identification of existing areas where prediction already takes place in policing, and analogising them into a predictive policing context[83]. These three areas are: responding to tips, profiling, and high crime areas (hot spots).

Tips

Tips are pieces of information shared with the police by members of the public. Often tips, either anonymous or from known police informants, may predict future actions of certain people, and require the police to act on this information. The precedent for understanding the role of tips in probable cause comes from Illinois v. Gates[84]. It was held that "an informant's 'veracity,' 'reliability,' and 'basis of knowledge'-remain 'highly relevant in determining the value'"[85] of the said tip. Anonymous tips need to be detailed, timely and individualised enough[86] to justify reasonable suspicion [87]. And when the informant is known to be reliable, then his prior reliability may justify reasonable suspicion despite lacking a basis in knowledge[88].

Ferguson argues that whereas predictive policing cannot provide individualised tips, it is possible to consider reliable tips about certain areas as a parallel to predictive policing[89]. And since the courts had shown a preference for reliability even in the face of a weak basis in knowledge, it is possible to see the reasonable suspicion standard change in its application[90]. It also implies that IV protections may be different in places where crime is predicted to occur [91].

Profiling

Despite the negative connotations and controversial overtones at the mere sound of the word, profiling is already a method commonly used by law enforcement. For example, after a crime has been committed and general features of the suspect identified by witnesses, police often stop civilians who fit this description. Another example of profiling is common in combating drug trafficking[92], where agents keep track of travellers at airports to watch for suspicious behaviour. Based on their experience of common traits which distinguish drug traffickers from regular travellers (a profile), agents may search travellers if they fit the profile[93]. In the case of United States v. Sokolow[94], the courts "recognized that a drug courier profile is not an irrelevant or inappropriate consideration that, taken in the totality of circumstances, can be considered in a reasonable suspicion determination" [95]. Similar lines of thinking could be employed in observing people exchanging small amounts of money in an area known for high levels of drug activity, conceiving predictive actions as a form of profile[96].

It is valid to consider predictive policing as a form of profiling[97], but Ferguson argues that the predictive policing context means this 'new form' of profiling could change IV analysis. The premise behind such an argument lies in the fact that a prediction made by some algorithm about potential high risk of crime in a certain area, could be taken in conjunction observations of ordinarily innocuous events. Read in the totality of circumstances, these two threads may justify individual reasonable suspicion [98]. For example, a man looking into cars at a parking lot may not by itself justify reasonable suspicion, but taken together with a prediction of high risk of car theft at that locality, it may well justify reasonable suspicion. It is this impact of predictive policing, which influences the analysis of reasonable suspicion in a totality of circumstances that may represent new implications for courts looking at IV amendment protections.

Profiling, Predictive Policing and Discrimination

The above sections have already brought up the point that law enforcement agencies already utilize profiling methods in their operations. Also, as the sections on how predictive analytics works and on methods of predictive policing make clear, predictive policing definitely incorporates the development of profiles for predicting future criminal activity. Concerns about predictive models generate potentially discriminatory predictions therefore are very serious, and need addressing. Potential discrimination may be either overt, though far less likely, or unintended. A valuable case study of which sheds light on such discriminatory data mining practices can be found in US Labour law. It was shown how predictive models could be discriminatory at various stages, from conceptualising the model and training it with training data, to eventually selecting inappropriate features to search for [99]. It is also possible for data scientists to (intentionally or not) use proxies for identifiers like race, income level, health condition and religion. Barocas and Selbst argue that "the current distribution of relevant attributes-attributes that can and should be taken into consideration in apportioning opportunities fairly-are demonstrably correlated with sensitive attributes" [100]. Hence, what may result is unintended discrimination, as predictive models and their subjective and implicit biases are reflected in predicted decisions, or that the discrimination is not even accounted for in the first place. While I have not found any case law where courts have examined such situations in a criminal context, at the very least, law enforcement agencies need to be aware of these possibilities and guard against any forms of discriminatory profiling.

However, Ferguson argues that "the precision of the technology may in fact provide more protection for citizens in broadly defined high crime areas" [101]. This is because the label of a 'high-crime area' may no longer apply to large areas but instead to very specific areas of criminal activity. This implies that previously defined areas of high crime, like entire neighbourhoods may not be scrutinised in such detail. Instead, police now may be more precise in locating and policing areas of high crime, such as an individual street corner or a particular block of flats instead of an entire locality.

Hot Spots

Courts have also considered the existence of notoriously 'high-crime areas as part of considering reasonable suspicion[102]. This was seen in Illinois v. Wardlow [103], where the "high crime nature of an area can be considered in evaluating the officer's objective suspicion"[104]. Many cases have since applied this reasoning without scrutinising the predictive value of such a label. In fact, Ferguson asserts that such labelling has questionable evidential value[105]. He uses the facts of the Wardlow case itself to challenge the 'high crime area' factor. Ferguson cites the reasoning of one of the judges in the case:

"While the area in question-Chicago's District 11-was a low-income area known for violent crimes, how that information factored into a predictive judgment about a man holding a bag in the afternoon is not immediately clear."[106]

Especially because "the most basic models of predictive policing rely on past crimes"[107], it is likely that the predictive policing methods like hot spot or spatiotemporal analysis and risk terrain modelling may help to gather or build data models about high crime areas. Furthermore, the mathematical rigour of the predictive modelling could help clarify the term 'high crime area'. As Ferguson argues, "courts may no longer need to rely on the generalized high crime area terminology when more particularized and more relevant information is available" [108].

Summary

Ferguson synthesises four themes to which encapsulate reasonable suspicion analysis:

Predictive information is not enough on its own. Instead, it is "considered relevant to the totality of circumstances, but must be corroborated by direct police observation"[109].
The prediction must also "be particularized to a person, a profile, or a place, in a way that directly connects the suspected crime to the suspected person, profile, or place"[110].
It must also be detailed enough to distinguish a person or place from others not the focus of the prediction [111].
Finally, predicted information becomes less valuable over time. Hence it must be acted on quickly or be lost [112].

Conclusions from America

The main conclusion to draw from the analysis of the parallels between existing predictions in IV amendment law and predictive policing is that "predictive policing will impact the reasonable suspicion calculus by becoming a factor within the totality of circumstances test"[113]. Naturally, it reaffirms the imperative for predictive techniques to collect reliable data [114] and analyse it transparently[115]. Moreover, in order for courts to evaluate the reliability of the data and the processes used (since predictive methods become part of the reasonable suspicion calculus), courts need to be able to analyse the predictive process. This has implications for the how hearings may be conducted, for how legal adjudicators may require training and many more. Another important concern is that the model of predictive information and police corroboration or direct observation[116] may mean that in areas which were predicted to have low risk of crime, the reasonable suspicion doctrine works against law enforcement. There may be less effort paid to patrolling these other areas as a result of predictions.

Implications for India

While there have been no cases directly involving predictive policing methods, it would be prudent to examine the parts of Indian law which would inform the calculus on the lawfulness of using predictive policing methods. A useful lens to examine this might be found in the observation that prediction is not in itself a novel concept in justice, and is already used by courts and law enforcement in numerous circumstances.

Criminal Procedure in Non-Warrant Contexts

The most logical way to begin analysing the legal implications of predictive policing in India may probably involve identifying parallels between American and Indian criminal procedure, specifically searching for instances where 'reasonable suspicion' or some analogous requirement exists for justifying police searches.

In non-warrant scenarios, we find conditions for officers to conduct such a warrantless search in Section 165 of the Criminal Procedure Code (Cr PC). For clarity purposes I have stated section 165 (1) in full:

"Whenever an officer in charge of a police station or a police officer making an investigation has reasonable grounds for believing that anything necessary for the purposes of an investigation into any offence which he is authorised to investigate may be found in any place with the limits of the police station of which he is in charge, or to which he is attached, and that such thing cannot in his opinion be otherwise obtained without undue delay, such officer may, after recording in writing the grounds of his belief and specifying in such writing, so far as possible, the thing for which search is to be made, search, or cause search to be made, for such thing in any place within the limits of such station." [117]

However, India differs from the USA in that its Cr PC allows for police to arrest individuals without a warrant as well. As observed in Gulab Chand Upadhyaya vs State Of U.P, "Section 41 Cr PC gives the power to the police to arrest without warrant in cognizable offences, in cases enumerated in that Section. One such case is of receipt of a 'reasonable complaint' or 'credible information' or 'reasonable suspicion'" [118] Like above, I have stated section 41 (1) and subsection (a) in full:

"41. When police may arrest without warrant.

(1) Any police officer may without an order from a Magistrate and without a warrant, arrest any person-

(a) who has been concerned in any cognizable offence, or against whom a reasonable complaint has been made, or credible information has been received, or a reasonable suspicion exists, of his having been so concerned"[119]

In analysing the above sections of Indian criminal procedure from a predictive policing angle, one may find both similarities and differences between the proposed American approach and possible Indian approaches to interpreting or incorporating predictive policing evidence.

Similarity of 'reasonable suspicion' requirement

For one, the requirement for "reasonable grounds" or "reasonable suspicion" seems to be analogous to the American doctrine of reasonable suspicion. This suggests that the concepts used in forming reasonable suspicion, for the police to "be able to point to specific and articulable facts which, taken together with rational inferences from those facts, reasonably warrant that intrusion"[120] may also be useful in the Indian context.

One case which sheds light on an Indian interpretation of reasonable suspicion or grounds is State of Punjab v. Balbir Singh[121]. In that case, the court observes a requirement for "reason to believe that such an offence under Chapter IV has been committed and, therefore, an arrest or search was necessary as contemplated under these provisions"[122] in the context of Section 41 and 42 in The Narcotic Drugs and Psychotropic Substances Act, 1985[123]. In examining the requirement of having "reason to believe", the court draws on Partap Singh (Dr) v. Director of Enforcement, Foreign Exchange Regulation Act[124], where the judge observed that "the expression 'reason to believe' is not synonymous with subjective satisfaction of the officer. The belief must be held in good faith; it cannot be merely a pretence….."[125]

In light of this, the judge in Balbir Singh remarked that "whether there was such reason to believe and whether the officer empowered acted in a bona fide manner, depends upon the facts and circumstances of the case and will have a bearing in appreciation of the evidence" [126]. The standard considered by the court in Balbir Singh and Partap Singh is different from the 'reasonable suspicion' or 'reasonable grounds' standard as per Section 41 and 165 of Cr PC. But I think the discussion can help to inform our analysis of the idea of reasonableness in law enforcement actions. Of importance was the court requirement of something more than mere "pretence" as well as a belief held in good faith. This could suggest that in fact the reasoning in American jurisprudence about reasonable suspicion might be at least somewhat similar to how Indian courts view reasonable suspicion or grounds in the context of predictive policing, and therefore how we could similarly conjecture that predictive evidence could form part of the reasonable suspicion calculus in India as well.

Difference in judicial treatment of illegally obtained evidence - Indian lack of exclusionary rules

However, the apparent similarity of how police in America and India may act in non-warrant situations - guided by the idea of reasonable suspicion - is only veneered by linguistic parallels. Despite the existence of such conditions which govern the searches without a warrant, I believe that Indian courts currently may provide far less protection against unlawful use of predictive technologies. The main premise behind this argument is that Indian courts refuse to exclude evidence that was obtained in breaches of the conditions of sections of the Cr PC. What exists in place of evidentiary safeguards is a line of cases in which courts routinely admit unlawfully or illegally obtained evidence. Without protections against unlawfully gathered evidence being considered relevant by courts, any regulations on search or conditions to be met before a search is lawful become ineffective. Evidence may simply enter the courtroom through a backdoor.

In the USA, this is by and large, not the case. Although there are exceptions to these rules, exclusionary rules are set out to prevent admission of evidence which violates the constitution[127]. "The exclusionary rule applies to evidence gained from an unreasonable search or seizure in violation of the Fourth Amendment "[128]. Mapp v. Ohio [129] set the precedent for excluding unconstitutionally gathered evidence, where the court ruled that "all evidence obtained by searches and seizures in violation of the Federal Constitution is inadmissible in a criminal trial in a state court" [130].

Any such evidence which then leads law enforcement to collect new information may also be excluded, as part of the "fruit of the poisonous tree" doctrine[131], established in Silverthorne Lumber Co. v. United States [132]. The doctrine is a metaphor which suggests that if the source of certain evidence is tainted, so is 'fruit' or derivatives from that unconstitutional evidence. One such application was in Beck v. Ohio[133], where the courts overturned a petitioner's conviction because the evidence used to convict him was obtained via an unlawful arrest.

However in India's context, there is very little protection against the admission and use of unlawfully gathered evidence. In fact, there are a line of cases which lay out the extent of consideration given to unlawfully gathered evidence - both cases that specifically deal with the rules as per the Indian Cr PC as well as cases from other contexts - which follow and develop this line of reasoning of allowing illegally obtained evidence.

One case to pay attention to is State of Maharastra v. Natwarlal Damodardas Soni - in this case, the Anti-Corruption Bureau searched the house of the accused after receiving certain information as a tip. The police "had powers under the Code of Criminal Procedure to search and seize this gold if they had reason to believe that a cognizable offence had been committed in respect thereof"[134]. Justice Sarkaria, in delivering his judgement, observed that for argument's sake, even if the search was illegal, "then also, it will not affect the validity of the seizure and further investigation"[135]. The judge drew reasoning from Radhakishan v. State of U.P[136]. This which was a case involving a postman who had certain postal items that were undelivered recovered from his house. As the judge in Radhakishan noted:

"So far as the alleged illegality of the search is concerned, it is sufficient to say that even assuming that the search was illegal the seizure of the articles is not vitiated. It may be that where the provisions of Sections 103 and 165 of the Code of Criminal Procedure, are contravened the search could be resisted by the person whose premises are sought to be searched. It may also be that because of the illegality of the search the court may be inclined to examine carefully the evidence regarding the seizure. But beyond these two consequences no further consequence ensues." [137]

Shyam Lal Sharma v. State of M.P.[138] was also drawn upon, where it was held that "even if the search is illegal being in contravention with the requirements of Section 165 of the Criminal Procedure Code, 1898, that provision ceases to have any application to the subsequent steps in the investigation"[139].

Even in Gulab Chand Upadhyay, mentioned above, the presiding judge contended that even "if arrest is made, it does not require any, much less strong, reasons to be recorded or reported by the police. Thus so long as the information or suspicion of cognizable offence is "reasonable" or "credible", the police officer is not accountable for the discretion of arresting or no arresting"[140].

A more complete articulation of the receptiveness of Indian courts to admit illegally gathered evidence can be seen in the aforementioned Balbir Singh. The judgement aimed to:

"dispose of one of the contentions that failure to comply with the provisions of Cr PC in respect of search and seizure even up to that stage would also vitiate the trial. This aspect has been considered in a number of cases and it has been held that the violation of the provisions particularly that of Sections 100, 102, 103 or 165 Cr PC strictly per se does not vitiate the prosecution case. If there is such violation, what the courts have to see is whether any prejudice was caused to the accused and in appreciating the evidence and other relevant factors, the courts should bear in mind that there was such a violation and from that point of view evaluate the evidence on record."[141]

The judges then consulted a series of authorities on the failure to comply with provisions of the Cr PC:

State of Punjab v. Wassan Singh[142]: "irregularity in a search cannot vitiate the seizure of the articles"[143].
Sunder Singh v. State of U.P[144]: 'irregularity cannot vitiate the trial unless the accused has been prejudiced by the defect and it is also held that if reliable local witnesses are not available the search would not be vitiated."[145]
Matajog Dobey v.H.C. Bhari[146]: "when the salutory provisions have not been complied with, it may, however, affect the weight of the evidence in support of the search or may furnish a reason for disbelieving the evidence produced by the prosecution unless the prosecution properly explains such circumstance which made it impossible for it to comply with these provisions."[147]
R v. Sang[148]: "reiterated the same principle that if evidence was admissible it matters not how it was obtained."[149] Lord Diplock, one of the Lords adjudicating the case, observed that "however much the judge may dislike the way in which a particular piece of evidence was obtained before proceedings were commenced, if it is admissible evidence probative of the accused's guilt "it is no part of his judicial function to exclude it for this reason". [150] As the judge in Balbir Singh quoted from Lord Diplock, a judge "has no discretion to refuse to admit relevant admissible evidence on the ground that it was obtained by improper or unfair means. The court is not concerned with how it was obtained."[151]

The vast body of case law presented above provides observers with a clear image of the courts willingness to admit and consider illegally obtained evidence. The lack of safeguards against admission of unlawful evidence are important from the standpoint of preventing the excessive or unlawful use of predictive policing methods. The affronts to justice and privacy, as well as the risks of profiling, seem to become magnified when law enforcement use predictive methods more than just to augment their policing techniques but to replace some of them. The efficacy and expediency offered by using predictive policing needs to be balanced against the competing interest of ensuring rule of law and due process. In the Indian context, it seems courts sparsely consider this competing interest.

Naturally, weighing in on which approach is better depends on a multitude of criteria like context, practicality, societal norms and many more. It also draws on existing debates in administrative law about the role of courts, which may emphasise protecting individuals and preventing excessive state power (red light theory) or emphasise efficiency in the governing process with courts assisting the state to achieve policy objectives (green light theory) [152].

A practical response may be that India should aim to embrace both elements and balance them appropriately, although what an appropriate balance again may vary. There are some who claim that this balance already exists in India. Evidence for such a claim may come from R.M. Malkani v. State of Maharashtra[153], where the court considered whether an illegally tape-recorded conversation could be admissible. In its reasoning, the court drew from Kuruma, Son of Kanju v. R. [154], noting that

" if evidence was admissible it matters not how it was obtained. There is of course always a word of caution. It is that the Judge has a discretion to disallow evidence in a criminal case if the strict rules of admissibility would operate unfairly against the accused. That caution is the golden rule in criminal jurisprudence"[155].

While this discretion exists at least principally in India, in practice the cases presented above show that judges rarely exercise that discretion to prevent or bar the admission of illegally obtained evidence or evidence that was obtained in a manner that infringed the provisions governing search or arrest in the Cr PC. Indeed, the concern is that perhaps the necessary safeguards required to keep law enforcement practices, including predictive policing techniques, in check would be better served by a greater focus on reconsidering the legality of unlawfully gathered evidence. If not, evidence which should otherwise be inadmissible may find its way into consideration by existing legal backdoors.

Risk of discriminatory predictive analysis

Regarding the risk of discriminatory profiling, Article 15 of India's Constitution[156] states that "the State shall not discriminate against any citizen on grounds only of religion, race, caste, sex, place of birth or any of them" [157]. The existence of constitutional protection for such forms of discrimination suggests that India will be able to guard against discriminatory predictive policing. However, as mentioned before, predictive analytics often discriminates institutionally, "whereby unconscious implicit biases and inertia within society's institutions account for a large part of the disparate effects observed, rather than intentional choices"[158]. As in most jurisdictions, preventing these forms of discrimination are much harder. Especially in a jurisdiction whose courts are already receptive to allowing admission of illegally obtained evidence, the risk of discriminatory data mining or prejudiced algorithms being used by police becomes magnified. Because the discrimination may be unintentional, it may be even harder for evidence from discriminatory predictive methods to be scrutinised or when applicable, dismissed by the courts.

Conclusion for India

One thing which is eminently clear from the analysis of possible interpretations of predictive evidence is that Indian Courts have had no experience with any predictive policing cases, because the technology itself is still at a nascent stage. There is in fact a long way to go before predictive policing will become used on a scale similar to that of USA for example.

But, even in places where predictive policing is used much more prominently, there is no precedent to observe how courts may view predictive policing. Ferguson's method of locating analogous situations to predictive policing which courts have already considered is one notable approach, but even this does not provide complete answer. One of his main conclusions that predictive policing will affect the reasonable suspicion calculus, or in India's case, contribute to 'reasonable grounds' in some ways, is perhaps the most valid one.

However, what provides more cause for concern in India's context are the limited protections against use of unlawfully gathered evidence. The lack of 'exclusionary rules' unlike those present in the US amplifies the various risks of predictive policing because individuals have little means of redress in such situations where predictive policing may be used unjustly against them.

Yet, the promise of predictive policing remains undeniably attractive for India. The successes predictive policing methods seem to have had In the US and UK coupled with the more efficient allocation of law enforcement's resources as a consequence of adapting predictive policing evidence this point. The government recognises this and seems to be laying the foundation and basic digital infrastructure required to utilize predictive policing optimally. One ought also to ask whether it is the even within the court's purview to decide what kind of policing methods are to be permissible through evaluating the nature of evidence. There is a case to be made for the legislative arm of the state to provide direction on how predictive policing is to be used in India. Perhaps the law must also evolve with the changes in technology, especially if courts are to scrutinise the predictive policing methods themselves.

[1] Joh, Elizabeth E. "Policing by Numbers: Big Data and the Fourth Amendment." SSRN Scholarly Paper. Rochester, NY: Social Science Research Network, February 1, 2014. http://papers.ssrn.com/abstract=2403028.

[2] Tene, Omer, and Jules Polonetsky. "Big Data for All: Privacy and User Control in the Age of Analytics." Northwestern Journal of Technology and Intellectual Property 11, no. 5 (April 17, 2013): 239.

[3] Datta, Rajbir Singh. "Predictive Analytics: The Use and Constitutionality of Technology in Combating Homegrown Terrorist Threats." SSRN Scholarly Paper. Rochester, NY: Social Science Research Network, May 1, 2013. http://papers.ssrn.com/abstract=2320160.

[4] Johnson, Jeffrey Alan. "Ethics of Data Mining and Predictive Analytics in Higher Education." SSRN Scholarly Paper. Rochester, NY: Social Science Research Network, May 8, 2013. http://papers.ssrn.com/abstract=2156058.

[5] Ibid.

[6] Duhigg, Charles. "How Companies Learn Your Secrets." The New York Times, February 16, 2012. http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html.

[7] Ibid.

[8] Lijaya, A, M Pranav, P B Sarath Babu, and V R Nithin. "Predicting Movie Success Based on IMDB Data." International Journal of Data Mining Techniques and Applications 3 (June 2014): 365-68.

[9] Johnson, Jeffrey Alan. "Ethics of Data Mining and Predictive Analytics in Higher Education." SSRN Scholarly Paper. Rochester, NY: Social Science Research Network, May 8, 2013. http://papers.ssrn.com/abstract=2156058.

[10] Sangvinatsos, Antonios A. "Explanatory and Predictive Analysis of Corporate Bond Indices Returns." SSRN Scholarly Paper. Rochester, NY: Social Science Research Network, June 1, 2005. http://papers.ssrn.com/abstract=891641.

[11] Barocas, Solon, and Andrew D. Selbst. "Big Data's Disparate Impact." SSRN Scholarly Paper. Rochester, NY: Social Science Research Network, February 13, 2015. http://papers.ssrn.com/abstract=2477899.

[12] Joh, supra note 1.

[13] US Environmental Protection Agency. "How We Use Data in the Mid-Atlantic Region." US EPA. Accessed November 6, 2015. http://archive.epa.gov/reg3esd1/data/web/html/.

[14] See here for details of blackroom.

[15] Joh, supra note 1, at pg 48.

[16] Perry, Walter L., Brian McInnis, Carter C. Price, Susan Smith and John S. Hollywood. Predictive Policing: The Role of Crime Forecasting in Law Enforcement Operations. Santa Monica, CA: RAND Corporation, 2013. http://www.rand.org/pubs/research_reports/RR233. Also available in print form.

[17] Ibid, at pg 2.

[18] Chan, Sewell. "Why Did Crime Fall in New York City?" City Room. Accessed November 6, 2015. http://cityroom.blogs.nytimes.com/2007/08/13/why-did-crime-fall-in-new-york-city/.

[19] Bureau of Justice Assistance. "COMPSTAT: ITS ORIGINS, EVOLUTION, AND FUTURE IN LAW ENFORCEMENT AGENCIES," 2013. http://www.policeforum.org/assets/docs/Free_Online_Documents/Compstat/compstat%20-%20its%20origins%20evolution%20and%20future%20in%20law%20enforcement%20agencies%202013.pdf.

[20] 1996 internal NYPD article "Managing for Results: Building a Police Organization that Dramatically Reduces Crime, Disorder, and Fear."

[21] Bratton, William. "Crime by the Numbers." The New York Times, February 17, 2010. http://www.nytimes.com/2010/02/17/opinion/17bratton.html.

[22] RAND CORP, supra note 16.

[23] RAND CORP, supra note 16, at pg 19.

[24] Joh, supra note 1, at pg 44.

[25] RAND CORP, supra note 16, pg 38.

[26] Ibid.

[27] RAND CORP, supra note 16, at pg 39.

[28] Ibid.

[29] RAND CORP, supra note 16, at pg 41.

[30] Data-Smart City Solutions. "Dr. George Mohler: Mathematician and Crime Fighter." Data-Smart City Solutions, May 8, 2013. http://datasmart.ash.harvard.edu/news/article/dr.-george-mohler-mathematician-and-crime-fighter-166.

[31] RAND CORP, supra note 16, at pg 44.

[32] Joh, supra note 1, at pg 45.

[33] Ouellette, Danielle. "Dispatch - A Hot Spots Experiment: Sacramento Police Department," June 2012. http://cops.usdoj.gov/html/dispatch/06-2012/hot-spots-and-sacramento-pd.asp.

[34] Pitney Bowes Business Insight. "The Safer Derbyshire Partnership." Derbyshire, 2013. http://www.mapinfo.com/wp-content/uploads/2013/05/safer-derbyshire-casestudy.pdf.

[35] Ibid.

[36] Daniel B Neill, Wilpen L. Gorr. "Detecting and Preventing Emerging Epidemics of Crime," 2007.

[37] RAND CORP, supra note 16, at pg 33.

[38] Joh, supra note 1, at pg 46.

[39] Paul, Jeffery S, and Thomas M. Joiner. "Integration of Centralized Intelligence with Geographic Information Systems: A Countywide Initiative." Geography and Public Safety 3, no. 1 (October 2011): 5-7.

[40] Mohler, supra note 30.

[41] Ibid.

[42] Moses, B., Lyria, & Chan, J. (2014). Using Big Data for Legal and Law Enforcement
Decisions: Testing the New Tools (SSRN Scholarly Paper No. ID 2513564). Rochester, NY: Social Science Research Network. Retrieved from http://papers.ssrn.com/abstract=2513564

[43] Gorner, Jeremy. "Chicago Police Use Heat List as Strategy to Prevent Violence." Chicago Tribune. August 21, 2013. http://articles.chicagotribune.com/2013-08-21/news/ct-met-heat-list-20130821_1_chicago-police-commander-andrew-papachristos-heat-list.

[44] Stroud, Matt. "The Minority Report: Chicago's New Police Computer Predicts Crimes, but Is It Racist?" The Verge. Accessed November 13, 2015. http://www.theverge.com/2014/2/19/5419854/the-minority-report-this-computer-predicts-crime-but-is-it-racist.

[45] Moser, Whet. "The Small Social Networks at the Heart of Chicago Violence." Chicago Magazine, December 9, 2013. http://www.chicagomag.com/city-life/December-2013/The-Small-Social-Networks-at-the-Heart-of-Chicago-Violence/.

[46] Lester, Aaron. "Police Clicking into Crimes Using New Software." Boston Globe, March 18, 2013. https://www.bostonglobe.com/business/2013/03/17/police-intelligence-one-click-away/DzzDbrwdiNkjNMA1159ybM/story.html.

[47] Stanley, Jay. "Chicago Police 'Heat List' Renews Old Fears About Government Flagging and Tagging." American Civil Liberties Union, February 25, 2014. https://www.aclu.org/blog/chicago-police-heat-list-renews-old-fears-about-government-flagging-and-tagging.

[48] Rieke, Aaron, David Robinson, and Harlan Yu. "Civil Rights, Big Data, and Our Algorithmic Future," September 2014. https://bigdata.fairness.io/wp-content/uploads/2015/04/2015-04-20-Civil-Rights-Big-Data-and-Our-Algorithmic-Future-v1.2.pdf.

[49] Edmond, Deepu Sebastian. "Jhakhand's Digital Leap." Indian Express, September 15, 2013. http://www.jhpolice.gov.in/news/jhakhands-digital-leap-indian-express-15092013-18219-1379316969.

[50] Jharkhand Police. "Jharkhand Police IT Vision 2020 - Effective Shared Open E-Governance." 2012. http://jhpolice.gov.in/vision2020. See slide 2

[51] Edmond, supra note 49.

[52] Edmond, supra note 49.

[53] Kumar, Raj. "Enter, the Future of Policing - Cops to Team up with IIM Analysts to Predict & Prevent Incidents." The Telegraph. August 28, 2012. http://www.telegraphindia.com/1120828/jsp/jharkhand/story_15905662.jsp#.VkXwxvnhDWK.

[54] Ibid.

[55] Ibid.

[56] Ibid.

[57] See supra note 49.

[58] See here for Jharkhand Police crime dashboard.

[59] Lavanya Gupta, and Selva Priya. "Predicting Crime Rates for Predictive Policing." Gandhian Young Technological Innovation Award, December 29, 2014. http://gyti.techpedia.in/project-detail/predicting-crime-rates-for-predictive-policing/3545.

[60] Gupta, Lavanya. "Minority Report: Minority Report." Accessed November 13, 2015. http://cmuws2014.blogspot.in/2015/01/minority-report.html.

[61] See supra note 59.

[62] See here for details about 44th All India Police Science Congress.

[63] India, Press Trust of. "Police Science Congress in Gujarat to Have DRDO Exhibition." Business Standard India, March 10, 2015. http://www.business-standard.com/article/pti-stories/police-science-congress-in-gujarat-to-have-drdo-exhibition-115031001310_1.html.

[64] National Crime Records Bureau. "About Crime and Criminal Tracking Network & Systems - CCTNS." Accessed November 13, 2015. http://ncrb.gov.in/cctns.htm.

[65] Ibid. (See index page)

[66] U.S. Const. amend. IV, available here

[67] United States v Katz, 389 U.S. 347 (1967) , see here

[68] See supra note 1, at pg 60.

[69] See supra note 1, at pg 60.

[70] Villasenor, John. "What You Need to Know about the Third-Party Doctrine." The Atlantic, December 30, 2013. http://www.theatlantic.com/technology/archive/2013/12/what-you-need-to-know-about-the-third-party-doctrine/282721/.

[71] Smith v Maryland, 442 U.S. 735 (1979), see here

[72] United States v Jones, 565 U.S. ___ (2012), see here

[73] Newell, Bryce Clayton. "Local Law Enforcement Jumps on the Big Data Bandwagon: Automated License Plate Recognition Systems, Information Privacy, and Access to Government Information." SSRN Scholarly Paper. Rochester, NY: Social Science Research Network, October 16, 2013. http://papers.ssrn.com/abstract=2341182, at pg 24.

[74] See supra note 72.

[75] Dahyabhai Chhaganbhai Thakker vs State Of Gujarat, 1964 AIR 1563

[76] See supra note 16.

[77] See supra note 66.

[78] Brinegar v. United States, 338 U.S. 160 (1949), see here

[79] Terry v. Ohio, 392 U.S. 1 (1968), see here

[80] Ferguson, Andrew Guthrie. "Big Data and Predictive Reasonable Suspicion." SSRN Scholarly Paper. Rochester, NY: Social Science Research Network, April 4, 2014. http://papers.ssrn.com/abstract=2394683, at pg 287. See also supra note 79.

[81] See supra note 80.

[82] See supra note 80.

[83] See supra note 80.

[84] See supra note 80, at pg 289.

[85] Illinois v. Gates, 462 U.S. 213 (1983). See here

[86] See Alabama v. White, 496 U.S. 325 (1990). See here

[87] See supra note 80, at pg 291.

[88] See supra note 80, at pg 293.

[89] See supra note 80, at pg 308.

[90] Ibid.

[91] Ibid.

[92] Larissa Cespedes-Yaffar, Shayona Dhanak, and Amy Stephenson. "U.S. v. Mendenhall, U.S. v. Sokolow, and the Drug Courier Profile Evidence Controversy." Accessed July 6, 2015. http://courses2.cit.cornell.edu/sociallaw/student_projects/drugcourier.html.

[93] Ibid.

[94] United States v. Sokolow, 490 U.S. 1 (1989), see here

[95] See supra note 80, at pg 295.

[96] See supra note 80, at pg 297.

[97] See supra note 80, at pg 308.

[98] See supra note 80, at pg 310.

[99] See supra note 11.

[100] See supra note 11.

^{^[101]} See supra note 80, at pg 303.

[102] See supra note 80, at pg 300.

[103] Illinois v. Wardlow, 528 U.S. 119 (2000), see here

[104] Ibid.

[105] See supra note 80, at pg 301.

[106] Ibid.

[107] See supra note 1, at pg 42.

[108] See supra note 80, at pg 303.

[109] See supra note 80, at pg 303.

[110] Ibid.

[111] Ibid.

[112] Ibid.

[113] See supra note 80, at pg 312.

[114] See supra note 80, at pg 317.

[115] See supra note 80, at pg 319.

[116] See supra note 80, at pg 321.

[117] Section 165 Indian Criminal Procedure Code, see here

[118] Gulab Chand Upadhyaya vs State Of U.P, 2002 CriLJ 2907

[119] Section 41 Indian Criminal Procedure Code

[120] See supra note 79

[121] State of Punjab v. Balbir Singh. (1994) 3 SCC 299

[122] Ibid.

[123] Section 41 and 42 in The Narcotic Drugs and Psychotropic Substances Act 1985, see here

[124] Partap Singh (Dr) v. Director of Enforcement, Foreign Exchange Regulation Act. (1985) 3 SCC 72 : 1985 SCC (Cri) 312 : 1985 SCC (Tax) 352 : AIR 1985 SC 989

[125] Ibid, at SCC pg 77-78.

[126] See supra note 121, at pg 313.

[127] Carlson, Mr David. "Exclusionary Rule." LII / Legal Information Institute, June 10, 2009. https://www.law.cornell.edu/wex/exclusionary_rule.

[128] Ibid.

[129] Mapp v Ohio, 367 U.S. 643 (1961), see here

[130] Ibid.

[131] Busby, John C. "Fruit of the Poisonous Tree." LII / Legal Information Institute, September 21, 2009. https://www.law.cornell.edu/wex/fruit_of_the_poisonous_tree.

[132] Silverthorne Lumber Co., Inc. v. United States, 251 U.S. 385 (1920), see here.

[133] Beck v. Ohio, 379 U.S. 89 (1964), see here.

[134] State of Maharashtra v. Natwarlal Damodardas Soni, (1980) 4 SCC 669, at 673.

[135] Ibid.

[136] Radhakishan v. State of U.P. [AIR 1963 SC 822 : 1963 Supp 1 SCR 408, 411, 412 : (1963) 1 Cri LJ 809]

[137] Ibid, at SCR pg 411-12.

[138] Shyam Lal Sharma v. State of M.P. (1972) 1 SCC 764 : 1974 SCC (Cri) 470 : AIR 1972 SC 886

[139] See supra note 135, at page 674.

[140] See supra note 119, at para. 10.

[141] See supra note 121, at pg 309.

[142] State of Punjab v. Wassan Singh, (1981) 2 SCC 1 : 1981 SCC (Cri) 292

[143] See supra note 121, at pg 309.

[144] Sunder Singh v. State of U.P, AIR 1956 SC 411 : 1956 Cri LJ 801

[145] See supra note 121, at pg 309.

[146] Matajog Dobey v.H.C. Bhari, AIR 1956 SC 44 : (1955) 2 SCR 925 : 1956 Cri LJ 140

[147] See supra note 121, at pg 309.

[148] R v. Sang, (1979) 2 All ER 1222, 1230-31

[149] See supra note 121, at pg 309.

[150] Ibid.

[151] Ibid.

[152] Harlow, Carol, and Richard Rawlings. Law and Administration. 3rd ed. Law in Context. Cambridge University Press, 2009.

[153] R.M. Malkani v. State of Maharashtra, (1973) 1 SCC 471

[154] Kuruma, Son of Kanju v. R., (1955) AC 197

[155] See supra note 154, at 477.

[156] Indian Const. Art 15, see here

[157] Ibid.

[158] See supra note 11.

For more details visit https://cis-india.org/internet-governance/blog/predictive-policing-what-is-it-how-it-works-and-it-legal-implications

Pratap Vikram Singh - Why Aadhaar is Baseless?

praskrishna — 2016-04-02T05:31:30Z

This article by Pratap Vikram Singh, Governance Now, discusses the problems emerging out of the UIDAI project due to its lack of mechanisms for informed and granular consent, and for seeking recourse in the case of denial of service. The article quotes Sumandro Chattapadhyay and mentions Hans Varghese Mathew's work on the biometric basis of UIDAI. It was written before the Aadhaar bill was passed in Lok Sabha.

Cross-posted from Governance Now.

It was no less than a roller-coaster ride for Aadhaar, a programme formulated by the UPA government to assign a 12-digit unique number to every Indian resident. From the time it came into being in 2009, Aadhaar drew a volley of criticism, thanks to the misgivings and apprehensions that various critics and civil society organisations had. It was criticised for lack of a clear purpose, degree of effectiveness and absence of a privacy law and was virtually thrown into the bin by a parliamentary panel headed by BJP’s Yashwant Sinha in December 2011.

When the finance minister Arun Jaitley, in his budget speech, announced that the government would introduce the Aadhaar bill during the budget session, expectations were already set high. The bill, giving statutory backing to the unique identification authority of India (UIDAI), the implementing authority, was passed by the Lok Sabha on March 11. While the privacy and voluntary versus mandatory provisions are under the consideration of the supreme court, the bill makes way for linking Aadhaar with all government subsidies, benefits and services. The law on Aadhaar, former UIIDAI chairman Nandan Nilekani wrote in the Indian Express, will help the government in going paperless, presence-less and cashless. The legislation, however, fails to deliver on several counts.

However, prior to evaluating the bill (yet to be passed by the Rajya Sabha at the time of this writing though it is a money bill), let us take a look at its major aspects. For those, who always wondered whether Aadhaar is mandatory or voluntary, the bill 2016 makes it mandatory to avail subsidy, benefit or a service from the government.

The bill has provisions related to information security and confidentiality (section 28) which not only extend to employees of the UIDAI but also consultants and external agencies working with the authority.

The proposed law restricts information sharing. It bars UIDAI from sharing core biometric information – the bill defines it as fingerprints and iris scan – with “anyone for any reason whatsoever” or “used for any purpose other than generation of Aadhaar numbers and authentication under this Act”. The section 32 of the bill entitles Aadhaar number holders to access her or his authentication record. It also bars the authority from collecting, keeping or maintaining information about the purpose of authentication.

Odd Drives the Bill

While the intent is clear and is aimed at streamlining welfare schemes to ensure it reaches the bottom of the pyramid, cutting through the long chain of pilferage and subversion, the bill, however, has several shortcomings. To begin with, the government should not have taken the money bill route to pass the legislation – tactfully avoiding any conclusive discussion and debate in the Rajya Sabha, where it is in minority.

The bill assumes that the technology and the biometric system used by the UIDAI are flawless and it doesn’t provide any recourse in case of denial of a service. “If your fingerprint is not matching and you lose out on service, then what is the alternative mechanism you have,” asks Sumandro Chattapadhyay, research director, centre for internet and society (CIS). The bill doesn’t provide for recourse. “What if the scanning machine fails? What if the identifiers of two people match?”

Based on experiments conducted in the initial days of the Aadhaar programme, Hans Verghese Mathews, another CIS researcher, did a study on the probability of matching of identifiers of two persons. “For the current population of 1.2 billion the expected proportion of duplicands (users whose identifiers match) is 1/121, a ratio which is far too high,” Mathews wrote in the Economic and Political Weekly in February.

“It is like putting the technology in a black box – which can’t be reviewed,” says Chattapadhyay. The bill doesn’t talk about setting up an independent body to review the logs and keep an eye on wrong and duplicate matches.

Who Defines National Security?

According to public policy experts, it is an attempt to seek “minimal legitimacy” from parliament and further adds to the unbridled power of the executive.

Although the bill restricts information sharing in section 29, sections 33 and 48 provide exemption in cases of national security and public emergency, respectively. The legislation, nevertheless, doesn’t elaborate on what constitutes national security and public emergency, leaving it to the executives. The section 33 reads: “Nothing contained in… shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security….”

Similarly, section 48 states that if, at any time, the central government is of the opinion that a public emergency exists, “the central government may, by notification, supersede the Authority for such period, not exceeding six months, as may be specified in the notification and appoint a person or persons as the president may direct to exercise powers and discharge functions under this Act”.

Says Jayati Ghosh, professor, centre for economic studies and planning, Jawaharlal Nehru University, “National security is a very opaque term. Who decides what national security is? Today, the whole JNU is being projected as a threat to national security.” Swagato Sarkar, associate professor and executive director, Jindal school of government and public policy, OP Jindal Global University, says, “The bill has provisions for oversight on the use of Aadhaar, but then it suspends those provisions in case of emergency in the later sections, giving the state the power to use biometric information for whatever it deems fit.”

Sarkar adds, “It seems the bill is simply an instrument for seeking minimum legitimacy from parliament. The bill tries to address the concern of privacy minimally and it hardly serves any purpose.” He believes that there is a need to define the broader contours of democratic control of the state and reassess the changing state-citizen relationship, instead of rejecting the whole idea on the basis of surveillance and privacy. In other words, there is a need for strong parliamentary oversight, and that the Aadhaar related matters shouldn’t be completely delegated to the executive.

In its recommendations on formulating Privacy Act, the justice AP Shah committee in 2012 provided for establishing the office of privacy commissioner at the regional and central levels, defining the role of self-regulating organisations and co-regulation, and creating a system of complaints and redressal for aggrieved individuals. Since the country still doesn’t have any legislation on privacy, people are left on their own in case of an infringement or violation of privacy. Moreover, section 47 states, “No court shall take cognizance of any offence punishable under this Act, save on a complaint made by the Authority or any officer or person authorised by it.”

In its report, the parliamentary committee headed by Yashwant Sinha notes that “enactment of national data protection law… is a prerequisite for any law that deals with large scale collection of information from individuals and its linkages across separate databases”. The committee notes that in absence of data protection legislation, it would be difficult to deal with issues of access, misuse of personal information, surveillance, profiling, linking and matching of databases and securing confidentiality of information.

Subsidy-Aadhaar Linkage

The Sinha committee also takes a cautious view of the role of Aadhaar in curbing leakages in subsidy distribution, as beneficiary identification is done by states. It notes, “Even if the Aadhaar number links entitlements to targeted beneficiaries, it may not even ensure that beneficiaries have been correctly identified. Thus, the present problem of proper identification would persist.”

According to Ghosh, the biggest danger in using Aadhaar for social welfare programmes is that the fingerprints of the rural working class is not always in good shape and hence Aadhaar will not be the best way of identification. “If I am misidentified, I can go to so many places for recourse. But what if a labourer in a remote Jharkhand village is misidentified? Where and whether he would go?” the economist asks. Besides, the bill doesn’t limit the use of Aadhaar and defines areas where it can be used. Section 57 says that the law will not prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, “whether by the state or anybody corporate or person, pursuant to any law, for the time being in force or any contract to this effect.”

According to a PRS Legislative review, since the bill also allows private persons to use Aadhaar as a proof of identity for any purpose, the provision will open a floodgate and enable private entities such as airlines, telecom, insurance and real estate companies to mandate Aadhaar as a proof of identity for availing their services.

Since the bill doesn’t restrict its application, people will not have a choice to identify themselves other than using Aadhaar when corporate organisations make it mandatory, says Chattapadhyay of the CIS. Adds Sarkar, “The bill should clearly mention sectors or services where Aadhaar will be potentially used (or made mandatory). Every time a new sector or service is added to the list, it is done after parliamentary approval.”

So far, 98 crore people have been assigned Aadhaar number. So far the project has costed Rs 8,000 crore.

For more details visit https://cis-india.org/internet-governance/news/gov-now-pratap-vikram-singh-17032016-why-aadhaar-is-baseless

Pranesh Prakash as Resource Person for ITD seminar on Competition

Admin — 2019-07-04T16:23:51Z

Pranesh Prakash represented the Centre for Internet & Society (CIS) as a resource person for a training seminar held by the International Institute for Trade and Development, which is an organization with a UN mandate and funding by the Thai government. The event was held from 24 - 26 June 2019 at Bangkok.

The theme was "Competition Law and Policy for Sustainable Development". The audience was made up of government officials (mostly from competition commissions or from commerce ministries) from Thailand, Bhutan, India, Myanmar, Pakistan, Papua New Guinea, Vietnam. Click here to view the programme schedule. Pranesh Prakash was also a speaker in the session on Consumer Protection and Digital Rights- Defining Welfare and Fair Competition.

For more details visit https://cis-india.org/internet-governance/news/pranesh-prakash-as-resource-person-for-itd-seminar-on-competition

Power over privacy: New Personal Data Protection Bill fails to really protect the citizen’s right to privacy

Nikhil Pahwa — 2019-12-15T05:57:31Z

Nikhil Pahwa throws light on the new personal data protection bill.

The article by Nikhil Pahwa was published in the Times of India on December 12, 2019. CIS report was mentioned.

Earlier this year, in April, a data breach in the Election Commission of Philippines led to the leakage of personal information of over 55 million eligible voters on a searchable website: including names, addresses and date of birth. This was not the first data breach from the Election Commission. After the first, which took place in March 2016, where 340 GB of voter data was published online by a group of hackers called LulzSec Pilipinas, the National Privacy Commission of Philippines found that the Election Commission had violated the Data Privacy Act of 2012, and recommended criminal prosecution of its chairman, finding him liable when the agency failed to dispense its duty as a “personal information controller”.

It’s 2019, and that recommendation has still not been acted upon, because the National Privacy Commission of Philippines only has recommendatory powers for criminal prosecution. Meanwhile, data breaches continue at the Election Commission of Philippines.

Between 2017 and 2018, Aadhaar related personally identifiable data of several Indian citizens, including names, addresses, bank account numbers, in some cases pregnancy information and even religion and caste information of individuals, was published online by Indian government departments. The Centre for Internet and Society, in a report, estimated that personally identifiable data for 130-135 million Indian citizens had been leaked, thus putting them at risk. 210 government websites had made Aadhaar related data public, UIDAI confirmed in response to an RTI in 2017.

No one was held liable. There was no data protection law, no data protection authority, no criminal prosecution was recommended. Around that time, the Indian government was instead arguing in the Supreme Court that privacy isn’t a fundamental right under the Indian Constitution.

What we can learn from these two instances is that for the enforcement of a citizen’s right to privacy, and ensuring that no one takes the protection of data lightly, there needs to be a strong privacy law that holds even the government responsible, and above all, a strong data protection authority that is independent and has powers to penalise even government officials. On some of these counts, the Personal Data Protection Bill, 2019, disappoints.

First, members of the Data Protection Authority will no longer be appointed by independent entities from diverse backgrounds: where they were previously going to be appointed by a committee comprising the Chief Justice of India or a Supreme Court judge, the Cabinet secretary, and an independent expert, the power to appoint members to DPA now rests solely with government officials, including the appointment of adjudicating officers. In addition, the central government, in the interest of “national security, sovereignty, international relations and public order, can issue directions to DPA, which DPA will be bound by. Powers of DPA have also been reduced: while in the previous version of the bill, DPA had the sole power to categorise data as sensitive personal data, in the current version, the power rests with the central government, albeit in consultation with DPA. The central government will also notify any social media company as a significant data fiduciary, and not DPA. Only the central government can determine what critical personal data is, and not DPA.

This dependence on the government for appointments, functions and definitions, will invariably impact the independence of DPA, and even though the 2019 version of the bill gives it the authority to fine the state a maximum of Rs 5-15 crore, depending on the offence, i’d be surprised if this ever happens.

The bill does create significant exceptions for the state to acquire and process data, and an opportunity to create a base for surveillance reform in the country has been lost. The previous version of the bill had brought some sense of safety against mass surveillance, when it included the condition that processing of data by the government must be “necessary and proportionate”, drawing from Supreme Court’s historic right to privacy judgment. This is particularly important given that the bill also gives power to the government to exempt any agency from the provisions of the bill for processing of personal data, which includes acquiring data from any public or private entity.

Effectively, this means that government agencies may be exempt from any scrutiny by DPA, and can even collect data from third parties (for example, fin-tech companies, health-tech startups) without the user even knowing. Forget recommending criminal prosecution for mass surveillance, India’s DPA won’t even be able to fine a government agency for such a violation of the fundamental right to privacy. The government also has vast exceptions for data processing: “for the performance of any function of the state authorised by law”.

This aside, one of the more curious clauses in the bill is around non-personal data. The government, a few months ago, constituted a committee led by Infosys co-founder Kris Gopalakrishnan to look into the governance of non-personal data. Non-personal data, as the term suggests, is any data that is not related to an individual. In the bill, the government has given itself the right to acquire this data, which is essentially a company’s intellectual property, to “promote framing of policies for digital economy”. Why non-personal data finds a mention in a Personal Data Protection Bill is beyond comprehension, and this move will not inspire much confidence in businesses operating in India, when the state claims eminent domain over intellectual property.

It’s unfortunate minister Ravi Shankar Prasad is sending the bill to a select committee, given the fact that such significant changes to the bill should have led to another public consultation.

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-december-12-2019-power-over-privacy

Centre for Internet and Society

Privacy and Security Implications of Public Wi-Fi - A Case Study

Download (PDF)

Contents

1. Introduction

2. Global Scenario

3. Overview of Public Wi-Fi in India

4. Indian Policy and Legal Conundrum

5. Public Wi-Fi and Privacy Concerns

5.1. Data Theft

5.2. Tracking an Individual

5.3. Makes the Electronic Devices Prone to Hacking and Setting up Fake Networks

5.4. Illegal Use of Data

6. Ranking Digital Rights Project

6.1. D-VoIS[72], Bangalore

Summary

Analysis

6.2. Tata Docomo[74], Bangalore

Summary

Analysis

7. Compliance of Privacy Policies with Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

8. Conclusion and Recommendations

8.1. Commitment

8.2. Freedom of Expression

8.3. Privacy

Privacy and Security Can Co-exist

Surveillance

Myth

Perception

Privacy and Governmental Databases

Government Databases and recommendations for privacy practices

Privacy after Big Data: Compilation of Early Research

Download the Compilation (PDF)

Privacy after Big Data

Privacy after Big Data - Workshop Report

Privacy Act should not circumscribe RTI: expert group

Suggestions on Tapping

Privacy (Protection) Bill, 2013: Updated Third Draft

Privacy & Sexual Minorities

Defining Privacy

Privacy Rights and Wrongs

Entrapment: The Lucknow Incidents

Gender Identity and Transgender Issues

Privacy in the Time of Naz

Conclusion

Selected incidents reported from 2001-2011

Privacy & Media Law

Introduction

Constitutional Framework of Privacy

International Conventions

Public Person

Safeguarding Identity of Children

Safeguarding Identity of Rape Victims

Trial by Media & Media Victimisation

Sting Operations

International Law on Media & Privacy Ethics

France

Sweden

Japan

Netherlands

Conclusion

Press Release, March 15, 2016: The New Bill Makes Aadhaar Compulsory!

Press Release, March 11, 2016: The Law cannot Fix what Technology has Broken!

Key Issues

1. Identification without Consent

2. Fallible Technology

Endnote

Predictive Policing: What is it, How it works, and its Legal Implications

Introduction

What is predictive analysis

Examples of predictive analytics

Relationship between predictive analytics and predictive policing

What is Predictive policing?

Predictive Policing methods

Examples of predictive policing:

Predictive policing in India

Jharkhand Police

Predictive Policing Research

CCTNS and the building blocks of Predictive policing

What are the implications of using predictive policing? Lessons from USA

6.1. D-VoIS^[72], Bangalore

6.2. Tata Docomo^[74], Bangalore