Centre for Internet and Society

Big Data and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011

elonnai — 2015-08-11T07:01:12Z

Experts and regulators across jurisdictions are examining the impact of Big Data practices on traditional data protection standards and principles. This will be a useful and pertinent exercise for India to undertake as the government and the private and public sectors begin to incorporate and rely on the use of Big Data in decision making processes and organizational operations.This blog provides an initial evaluation of how Big Data could impact India's current data protection standards.

Experts and regulators across the globe are examining the impact of Big Data practices on traditional data protection standards and principles. This will be a useful and pertinent exercise for India to undertake as the government and the private and public sectors begin to incorporate and rely on the use of Big Data in decision making processes and organizational operations.

Below is an initial evaluation of how Big Data could impact India's current data protection standards.

India currently does not have comprehensive privacy legislation - but the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules 2011 formed under section 43A of the Information Technology Act 2000[1] define a data protection framework for the processing of digital data by Body Corporate. Big Data practices will impact a number of the provisions found in the Rules:

Scope of Rules: Currently the Rules apply to Body Corporate and digital data. As per the IT Act, Body Corporate is defined as "Any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities."

The present scope of the Rules excludes from its purview a number of actors that do or could have access to Big Data or use Big Data practices. The Rules would not apply to government bodies or individuals collecting and using Big Data. Yet, with technologies such as IoT and the rise of Smart Cities across India – a range of government, public, and private organizations and actors could have access to Big Data.

Definition of personal and sensitive personal data: Rule 2(i) defines personal information as "information that relates to a natural person which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person."

Rule 3 defines sensitive personal information as:

Password,
Financial information,
Physical/physiological/mental health condition,
Sexual orientation,
Medical records and history,
Biometric information

The present definition of personal data hinges on the factor of identification (data that is capable of identifying a person). Yet this definition does not encompass information that is associated to an already identified individual - such as habits, location, or activity.

The definition of personal data also addresses only the identification of 'such person' and does not address data that is related to a particular person but that also reveals identifying information about another person - either directly - or when combined with other data points.

By listing specific categories of sensitive personal information, the Rules do not account for additional types of sensitive personal information that might be generated or correlated through the use of Big Data analytics.

Importantly, the definitions of sensitive personal information or personal information do not address how personal or sensitive personal information - when anonymized or aggregated – should be treated.

Consent: Rule 5(1) requires that Body Corporate must, prior to collection, obtain consent in writing through letter or fax or email from the provider of sensitive personal data regarding the use of that data.

In a context where services are delivered with little or no human interaction, data is collected through sensors, data is collected on a real time and regular basis, and data is used and re-used for multiple and differing purposes - it is not practical, and often not possible, for consent to be obtained through writing, letter, fax, or email for each instance of data collection and for each use.

Notice of Collection: Rule 5(3) requires Body Corporate to provide the individual with a notice during collection of information that details the fact that information is being collected, the purpose for which the information is being collected, the intended recipients of the information, the name and address of the agency that is collecting the information and the agency that will retain the information. Furthermore body corporate should not retain information for longer than is required to meet lawful purposes.

Though this provision acts as an important element of transparency, in the context of Big Data, communicating the purpose for which data is collected, the intended recipients of the information, the name and address of the agency that is collecting the information and the agency that will retain the information could prove to be difficult to communicate as they are likely to encompass numerous agencies and change depending upon the analysis being done.

Access and correction: Rule 5(6) provides individuals with the ability to access sensitive personal information held by the body corporate and correct any inaccurate information.

This provision would be difficult to implement effectively in the context of Big Data as vast amounts of data are being generated and collected on an ongoing and real time basis and often without the knowledge of the individual.

Purpose Limitation: Rule 5(5) requires that body corporate should use information only of the purpose which it has been collected.

In the context of Big Data this provision would overlook the re-use of data that is inherent in such practices.

Security: Rule 8 states that any Body Corporate or person on its behalf will be understood to have complied with reasonable security practices and procedures if they have implemented such practices and have in place codes that address managerial, technical, operational and physical security control measures. These codes could follow the IS/ISO/IEC 27001 standard or another government approved and audited standard.

This provision importantly requires that data controllers collecting and processing data have in place strong security practices. In the context of Big Data – the security of devices that might be generating or collecting data and algorithms processing and analysing data is critical. Once generated, it might be challenging to ensure the data is being transferred to or being analysed by organisations that comply with such security practices as listed.

Data Breach : Rule 8 requires that if a data breach occurs, Body Corporate would have to be able to demonstrate that they have implemented their documented information security codes.

Though this provision holds a company accountable for the implementation of security practices, it does not address how a company should be held accountable for a large scale data breach as in the context of Big Data the scope and impact of a data breach is on a much larger scale.

Opt in and out and ability to withdraw consent : Rule 5(7) requires Body Corporate or any person on its behalf, prior to the collection of information - including sensitive personal information - must give the individual the option of not providing information and must give the individual the option of withdrawing consent. Such withdrawal must be sent in writing to the body corporate.

The feasibility of such a provision in the context of Big Data is unclear, especially in light of the fact that Big Data practices draw upon large amounts of data, generated often in real time, and from a variety of sources.

Disclosure of Information: Rule 6 maintains that disclosure of sensitive personal data can only take place with permission from the provider of such information or as agreed to through a lawful contract.

This provision addresses disclosure and does not take into account the “sharing” of information that is enabled through networked devices, as well as the increasing practice of companies to share anonymized or aggregated data.

Privacy Policy : Rule 4 requires that body corporate have in place a privacy policy on their website that provides clear and accessible statements of its practices and policies, type of personal or sensitive personal information that is being collected, purpose of the collection, usage of the information, disclosure of the information, and the reasonable security practices and procedures that have been put in place to secure the information.

In the context of Big Data where data from a variety of sources is being collected, used, and re-used it is important for policies to 'follow data' and appear in a contextualized manner. The current requirement of having Body Corporate post a single overarching privacy policy on its website could prove to be inadequate.

Remedy : Section 43A of the Act holds that if a body corporate is negligent in implementing and maintain reasonable security practices and procedures which results in wrongful loss or wrongful gain to any person, the body corporate can be held liable to pay compensation to the affected person.

This provision will provide limited remedy for an affected individual in the context of Big Data. Though important to help prevent data breaches resulting from negligent data practices, implementation of reasonable security practices and procedures cannot be the only hinging point for determining liability of a Body Corporate for violations and many of the harms possible through Big Data are not in the form of wrongful loss or wrongful gain to another person. Indeed many harms possible through Big Data are non-economic in nature – including physical invasion of privacy, and discriminatory practices that can arise from decisions based on Big Data analytics. Nor does the provision address the potential for future damage that can result from a 'Big Data data breach'.

The safeguards noted in the above section are not the only legal provisions that speak to privacy in India. There are over fifty sectoral legislation that have provisions addressing privacy - for example provisions addressing confidentiality of health and banking information. The government of India is also in the process of drafting a privacy legislation. In 2012 the Report of the Group of Experts on Privacy provided recommendations for a privacy framework in India. The Report envisioned a framework of co-regulation - with sector level self regulatory organization developing privacy codes (that are not lower than the defined national privacy principles) and that are enforced by a privacy commissioner.[2] Perhaps this method would be optimal for the regulation of Big Data- allowing for the needed flexibility and specificity in standards and device development. Though the Report notes that individuals can seek remedy from the court and the Privacy Commissioner can issue fines for a violation, the development of privacy legislation in India has yet to clearly integrate the importance of due process and remedy. With the onset of Big Data - this will become more important than ever.

Conclusion

The use and generation of Big Data in India is growing. Plans such as free wifi zones in cities[3], city wide CCTV networks with facial recognition capabilities[4], and the implementation of an identity/authentication platform for public and private services[5], are indicators towards a move of data generation that is networked and centralized, and where the line between public and private is blurred through the vast amount of data that is collected.

In such developments and innovations what is privacy and what role does privacy play? Is it the archaic inhibitor - limiting the sharing and use of data for new and innovative purposes? Will it be defined purely by legislative norms or through device/platform design as well? Is it a notion that makes consumers think twice about using a product or service or is it a practice that enables consumer and citizen uptake and trust and allows for the growth and adoption of these services?

How privacy will be regulated and how it will be perceived is still evolving across jurisdictions, technologies, and cultures - but it is clear that privacy is not being and cannot be overlooked. Governments across the world are reforming and considering current and future privacy regulation targeted towards life in a quantified society. As the Indian government begins to roll out initiatives that create a "Digital India" indeed a "quantified India", taking privacy into consideration could facilitate the uptake, expansion, and success of these practices and services. As the Indian government pursues the opportunities possible through Big Data it will be useful to review existing privacy protections and deliberate on if, and in what form, future protections for privacy and other rights will be needed.

[1]Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules 2011). Available at: http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf

[2]Group of Experts on Privacy. (2012). Report of the Group of Experts on Privacy. New Delhi: Planning Commission, Government of India. Retrieved May 20, 2015, from http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf

[3] NDTV. “Free Public Wi-Fi Facility in Delhi to Have Daily Data Limit. NDTV, May 25^th 2015, Available at: http://gadgets.ndtv.com/internet/news/free-public-wi-fi-facility-in-delhi-to-have-daily-data-limit-695857. Accessed: July 2^nd 2015.

[4]FindBiometrics Global Identity Management. “Surat Police Get NEC Facial Recognition CCTV System”. July 21^st 2015. Available at: http://findbiometrics.com/surat-police-nec-facial-recognition-27214/

[5]UIDAI Official Website. Available at: https://uidai.gov.in/

For more details visit https://cis-india.org/internet-governance/blog/big-data-and-information-technology-rules-2011

Genetic Profiling: Is it all in the DNA?

praskrishna — 2015-09-13T09:47:17Z

A Bill seeks to make genetic profiling mandatory for the fight against crime—and generates a debate about the clash of ethics, freedom, science and data.

The article by Ullekh NP was published in Open Magazine on August 7, 2015. Sunil Abraham gave his inputs.

When British geneticist Sir Alec Jeffreys first developed the DNA profiling test 31 years ago in his laboratory at Leicester University, he didn’t help the police prove a man guilty. His test—back then it took weeks to complete DNA profiling procedures as opposed to a few hours now—proved that a rape suspect in police custody was innocent. Details from the whole exercise also subsequently helped the local police nab the real criminal, who had killed his teenaged rape victim. Later, the police found that he was the one who had committed a similar crime three years earlier in a village nearby. Britain was destined to make great gains in solving crimes thanks to DNA identification, while the rest of the developed world, including the US, caught up later, but only after lagging initially thanks to the relentless—and sometimes ill-founded—opposition from civil liberties activists. In India, the Human DNA Profiling Bill, 2015, a proposed law that envisages collecting DNA finger prints—which are unique to an individual—especially of criminals, has been in the making for the past 12 years. The draft bill, which will shortly be placed before the Union Cabinet for its nod, has been prepared by the Department of Biotechnology and the Centre for DNA Fingerprinting & Diagnostics (CDFD), a Hyderabad-based Central Government-run agency, after examining and reviewing submissions by a panel of experts, holding consultations with various stakeholders and getting responses from the public. Notwithstanding the claims of safeguards against any misuse of the intended DNA data base, activists, lawyers, internet freedom fighters, civil liberty activists and columnists have been up in arms against the Government, arguing that the DNA profiling bill is ill- conceived and naïve—to the extent that it would destroy an individual’s right to privacy as it lacks provisions to check data tampering.

The international experience has proved otherwise. Ever since Sir Jeffreys extracted DNA from human muscle tissue, identified and processed genetic markers (which are unique to individuals except in the case of identical twins) from what was until then considered ‘seemingly purposeless segments of the human DNA’ in the words of writers Peter Reinharz and Howard Safir, more than 500,000 ‘otherwise unsolvable’ cases have been solved in the developed world thanks to the DNA identification, note CDFD scientists. DNA is the hereditary material in the human body. It is found in blood, saliva, urine, strands of hair, semen, tears, skin, etcetera.

Dr Madhusudan Reddy Nandineni, staff scientist and group leader, laboratory of DNA fingerprinting services and laboratory of genomics and profiling applications, CDFD, is worried that opposition to the Bill is gaining momentum in India due to a raft of reasons. Of course, the West, too, has witnessed sharp protests against DNA profiling laws. One of the key reasons anti-profiling activists have an edge, says a senior Home Ministry official who asks not to be named, is that there is a “general public anxiety” over “anything to do with disclosing personal details”. He agrees that the tests are going to be intrusive, because muscle tissue may have to be collected from private parts. The procedure of DNA sample collection—as explained in the draft Bill submitted in January by a committee headed by TS Rao, senior adviser to the department of biotechnology—talks about obtaining intimate body samples of living persons (on page 6-7 of the 48- page document) from ‘the genital or anal area, the buttocks and also breasts in the case of a female’. According to the draft Bill, it also involves external examination of private parts, taking samples from pubic hair or by swabs or washing or by vacuum suction, by scraping or by lifting by tape and taking of a photograph or video recording of, or an impression or cast of a wound in those areas. “But then, it is par for the course,” says the Home Ministry official by way of justification.

American military historian and author Edward Luttwak agrees that DNA profiling is a significant intrusion into the “very body of a citizen”. That is the price one has to pay in the choice between liberty and equality before investigation, he posits. Luttwak is glad that in the US, as well as in other countries that have such profiling laws, DNA identification has yielded results. “It protects suspicious/ low status but innocent people from false accusations and helps to catch clever/high-status law-breakers,” he says.

+++

For his part, Dr Nandineni says that every aspect of the Human DNA Profiling Bill for India is based on similar legislation that has already been implemented in the US, Canada, UK, Australia and Continental Europe for more than 20 years. He also contends that the benefits that have accrued there are enormous, which India has missed out on for all these years. “In all these countries, the concerns of the general public on privacy matters have been allayed in their legislation,” he adds. He points out that the retention of DNA profiles in a ‘DNA Data Bank’ is meant to apprehend repeat offenders and thus serve a larger societal good. As regards privacy concerns, Dr Nandineni says that consultations on the preparations of the Bill lasted for 2-3 years and took into account the views of an expert committee whose members included representatives of NGOs.

Dr Nandineni is of the view that the opponents of the Bill have managed to get an upper hand in a national debate thanks to their media-savvy backgrounds. Agrees the Home Ministry official: “Perhaps the drafters of the Bill have not been communicative enough in getting their points across to the public and the media. Which might explain why the Bill has come under tremendous attack in the media. Even otherwise, global trends also show that civil liberty rights activists have had great initial advantage in their campaign against DNA profiling.” After all, the potential for misuse of DNA samples is not restricted to biological material collected under the provisions of the DNA Bill alone, Nandineni offers. “Any and every blood sample collected by a clinical laboratory has the same potential for misuse,” he says.

While Dr J Gowrishankar, director, CDFD, has been vocal about the positives of the Bill, its opponents have been louder. Many of those who oppose the Bill say the question is not one of being loud or feeble, but about being naïve or not.

The likes of Sunil Abraham, executive director of Bangalore-based internet research organisation Centre for Internet and Society (CIS), have no argument against DNA profiling being the gold standard for all forensic investigations. “There is nothing wrong with using DNA evidence for forensic purposes,” says Abraham, “However, the draft Bill is filled with techno-utopianism; it assumes that the people and machines that leverage DNA technologies are infallible.” He goes on, “This is not true. It is easier to tamper with DNA evidence than it is to tamper with a video recording. Therefore, all we are asking for are process checks that prevent compromised persons and machines from using DNA evidence to convict or exonerate the wrong person.” His contention is that if the DNA sample is sent to two different labs and both labs come back with exactly the same result, then the courts can be convinced of the veracity of the result. “Also the Bill says that DNA labs will give courts ‘yes’ or ‘no’ answers to questions related to DNA matching. But ideally, the lab must give the exact match percentage along with all the detailed information that emerges from the match process so that the court can fully appreciate the significance of the DNA evidence,” he suggests.

Abraham and legal scholar Usha Ramanathan—both members of the expert panel who filed notes of dissent and disagreed with various aspects of the Bill—have a problem with the claim that the proposed DNA data bank will cover only criminals and not the general public. Points out Ramanathan: “The Bill does not restrict the data base to criminals alone, not by a long shot. The provision in the proposed Bill reads: ‘(Clause 31(4)) Every DNA Data Bank shall maintain following indices for various categories of data, namely: (a) a crime scene index; (b) a suspects’ index; (c) an offenders’ index; (d) a missing persons’ index; (e) unknown deceased persons’ index; (f) a volunteers’ index; and (g) such other DNA indices as may be specified by regulations.’ That is an elaborate set of indices. There is certainly a lot of the ‘general public’ in it.”

Supporters of the DNA Profiling Bill have maintained that a DNA data bank is not for the public but only for a limited category of individuals. The proposed law also provides for storing profiles with the consent of relatives of missing children and grownups so that relationship identities can be established.

Ramanathan is also worried that apart from purposes of criminal justice, DNA profiling may be extended to parental disputes (maternity or paternity), issues related to pedigree, those related to assisted reproductive technologies (surrogacy, in vitro fertilisation or IVF, intrauterine implantation or IUI, and so on), to transplantation of human organs (donor and recipient) under the Transplantation of Human Organs Act, 1994, and also related to immigration or emigration. She had objected to the requirement of revealing a person’s caste in the application form for offering blood samples. “This Bill is certainly not a convict data base. The ambitions are much much vaster, and little to do with crime control,” she alleges.

Abraham agrees that some safeguards have been built in the proposed law to prevent any misuse of DNA data under pressure from expert panel members such as him. However, he says, cyber security and privacy-related issues are not addressed in a comprehensive manner. “The Bill basically hopes that the Privacy Bill will address all of this when it becomes law. But unfortunately, a bill could take 7-10 years before it becomes law,” he says.

Dr Gowrishankar of CDFD and others have conceded that it was the decision of the expert panel to include an enabling provision for the privacy issues of DNA profiling to comply with the proposed Privacy Bill.

Abraham says that various measures to prevent ‘privacy harms’ to volunteers are missing in the latest draft of the Bill. “Given that biometric technology works on probabilistic matching, the larger the size of the database, the larger the incidence of mistaken identification. Therefore it is important that the database remain as small as necessary,” he asserts.

+++

The estimated cost of the Bill is Rs 20 crore—to create the infrastructure for the DNA Profiling Board and the data bank, which includes buildings, furniture, computer servers and so on. Among other things, the DNA Profiling Board is tasked with the responsibility of laying down and implementing standards for laboratories and proper protocols for ‘Data Bank’ operations.

CDFD scientists and government officials are keen to highlight the ‘under- hyped’ benefits of DNA profiling –similar to the Innocence Project in the US, which was aimed at securing the release of people who were erroneously convicted on the basis of other lines of evidence. Abraham has no patience for such comparisons. “DNA profiling for forensic purposes is very advanced and sophisticated, but technologies do not exist in a vacuum,” he says, “These advanced technologies have to work within traditional institutions with vulnerabilities and flaws. We need to, therefore, have non-technological procedural fixes that ensure that these technologies are not compromised by money and power. The choice is between the right to privacy and the rights and requirements of the criminal justice process.”

Ramanathan agrees with that view. “In the Indian context, the state of investigation is so poor that we have been looking for ways of circumventing our problems, not addressing them. That is how narco-analysis began to be used, till the court struck it down. DNA may be more reliable than most other scientific tools available to us today, but it is not all about the science. We also have to worry about contamination, what happens in the chain of custody, its potential for being planted or otherwise abused, and the errors even in the laboratory. You may remember the avowed mix-up of results in the Aarushi [Talwar murder] case, something the lab said they noticed over two years after they had given it to the investigators. The danger of treating DNA as conclusive and not needing corroboration is exacerbated in this kind of a vulnerable system. Which is why bringing this into a DNA data base law and not putting any checks on criminal procedure is less than wise,” she elaborates. She is least impressed with the ‘idea’ of ‘pedigree’ and of ‘population genetics’ in the Bill. “Institutions like the CDFD have been collecting DNA from suspects and asking for the caste of the person on the form. How does this seem innocent and safeguarded?” she asks.

Meanwhile, columnist and author Salil Tripathi says that it is sheer hubris to think that technology will provide all the answers to crime-fighting. “Tech- nology is enormously useful and powerful, but it is value-neutral; it can be used for good or bad ends… There have to be sufficient safeguards, overseen not only by technologists, law enforcement officers and bureaucrats, but also by lawyers and civil liberties experts, who can point out potential flaws and misuse and prevent those.”

Tripathi, too, is piqued that one of the markers sought is of caste. “Why?” he asks, emphatic that the country’s people should be concerned about allowing the state so much power over their lives. “And it may not be only the state; given that the scope of its future expansion is undefined, what guarantees are there that private actors won’t have access to the data, and if so, what security protocols would apply?”

Dr Gowrishankar and Dr Nandineni are right in saying that without DNA fingerprinting, many international criminals would still be at liberty, and the opponents of the Bill do not disagree with the efficacy of the technique developed by Sir Jeffreys. Instead, they are placing the spotlight on various objectionable aspects in the proposed law. In a country which first needs—according to former RAW chief Vikram Sood—to ensure access to Photofit (a technique to create an accurate image of a person that gels with a witness’ description) for its ground-level police operatives to combat crime, critics of the Bill seem to have won the war of words.

For more details visit https://cis-india.org/internet-governance/news/open-magazine-august-7-2015-ullekh-np-genetic-profiling

Why the DNA Bill is open to misuse: Sunil Abraham

sunil — 2015-09-13T08:37:44Z

The Human DNA Profiling Bill, the law that regulates the collection, storage and use of the human genetic code, has attracted some strong criticism from civil liberties groups including the Bengaluru-based Centre for Internet and Society (CIS) which had participated in the expert committee for DNA profiling constituted by the Department of Biotechnology in 2012.

CIS circulated a detailed dissent note earlier this year on the draft of the Bill. As the government gets ready to table the Bill in Parliament, CIS Executive Director Sunil Abraham tells Kanika Datta why the provisions of the Bill are open to misuse and invasion of privacy. Edited excerpts:

Why does Centre for Internet and Society reject using DNA analysis for non-forensic use as set out in the Human DNA Profiling Bill in its current form? What are the possible risks involved here?

The problem here is that the introduction to the Bill talks of DNA matches "without a doubt". But the way we understand it, biometric technology depends on approximate matching and not discrete matching. Unlike, say, the technology used for matching digital signatures, machines for matching DNA, fingerprints or the iris specify a false positive ratio when they leave the factory - that's what created the controversy in the O J Simpson trial, for example. This means you have to be very conservative in populating the database. For a given false positive ratio - the larger the database the greater the incidence of mistaken identification. That is why we think that for purposes other than forensic use, it would be better to create other databases.

Let me clear: we are not Luddites but neither are we naïve techno-enthusiasts. After all, the Innocence Project in the US has managed to overturn the convictions of many people who were held guilty through DNA evidence. But it is a myth that the more sophisticated the technology the more secure and accurate it is. In fact, the reverse is often true. For instance, the voter machines we use in India are primitive technology but they are much harder to compromise compared to the voting machines used in the US. Given all this, we believe that there should be "process fixes", such as sending DNA collected from a crime scene to two laboratories as a check and balance against the fallibility of human beings and machines.

CIS made the point that the powers of the DNA Board are too wide. In what possible way could these powers be misused since the Board is to be an independent authority?

When this exercise was started, the DNA Board had 26 functions. We proposed that this be cut this down to ten, which was accepted by a sub-committee. But when the final Bill came back it rejected the consensus view and restored the 26 functions, including things like "raising the general awareness". All this detracts from the Board's primary role and efficiency and expands its discretionary powers. It is true that a good regulator needs some amount of discretion but this should be a limited discretion within a tightly defined scope -- this is true for any regulator, not just the DNA Board.

The provision that no civil suit can be entertained on any matter on which the DNA Board is empowered under the Act looks excessive. Is there any precedent that explains why this provision was introduced? What kind of oversight and checks and balances are there in other jurisdictions that could be incorporated in the Indian law?

I can understand the logic here; the government is trying to ensure that the regulator has final say. After all, if you look at telecom, the decisions of the TDSAT (Telecom Dispute Settlement & Appellate Tribunal) can be appealed in the High Court and the Supreme Court. But eliminating judicial appeal as this Bill has state amounts to a violation of classic regulatory design by circumventing the appellate process. Ideally, we need a tripartite separation of law in which the executive frames policies, the DNA board implements them and the courts adjudicate upon them.

You have said the term "DNA Analysis" has not been defined. Could you explain the possible risks of the absence of a definition?

DNA analysis is of many types and some of them allow you to get to know a person quite intimately in terms of their medical history, genetic traits and so on. But forensic analysis looks at a limited set of markers which are essentially privacy-protecting and from which no genetic traits can be determined. You can't, for instance, do a study on the genetic make-up of criminals from this analysis. Now, if this Bill is around law enforcement - which we know is the policy intention - then the DNA analysis should be limited to those markers. That would reduce the chances of abuse.

You have also criticised the low standards of information disclosure and suggest the issue should be vested in an independent third party rather than the DNA Bank Manager. Could you explain how this would help?

In information and technology and telecom there is an executive authorisation mechanism in place for information sharing that requires the home secretary's permission for non-emergency situations and the head of the police station in the case of an emergency. We want a similar authorisation process - say, a judge and an established paper trail so that there are proper checks and balances. When personal information is involved, even the DNA Board is not well placed because its members are scientists whereas disclosure of personal information is a question of the law.

You have said the Bill has not been brought in line with the nine national privacy principles set out by an expert committee in 2012. Shouldn't a privacy law precede the passing of the DNA Bill in any case?

It's not a chicken-and-egg situation, but the point to consider is that the world is moving towards European data protection principles, and something like 100 countries have adopted it. If we in India want to trade in European personal information (via our BPO and outsourcing businesses) we must have a law that is adequate from the data protection perspective. This means, among other things, mandating that anyone whose DNA profile is accessed receives a notice to this effect, for instance. We know that the Department of Personnel and Training has incorporated the principles set out in the Justice Shah report in the privacy Bill two years ago but we haven't heard anything about it since. If and when this Bill is enacted, it will have overriding powers over a host of laws. But where the DNA Bill is concerned, there is no reason for it not to take cognisance of a later law.

What has been the government's reaction to this dissent note?

No reaction!

For more details visit https://cis-india.org/internet-governance/news/business-standard-kanika-datta-august-1-2015-why-the-dna-bill-is-open-to-misuse-sunil-abraham

Regulation, misuse concerns still dog DNA profiling bill

praskrishna — 2015-09-13T08:32:48Z

Experts fear such data could be used for non-forensic purposes and are concerned about the vast powers to be vested in proposed DNA profiling board.

The article by Nikita Mehta was published in Livemint on July 29, 2015. Sunil Abraham gave his inputs.

A bill aimed at creating a DNA database of offenders, slated for introduction in the monsoon session of Parliament, has been criticized by experts who fear that such information could be used for non-forensic purposes and are concerned about the vast powers sought to vested in a proposed DNA profiling board.

Despite changes made by the Department of Biotechnology, the final draft of the Human DNA Profiling Bill 2015 has drawn flak from the Centre for Internet and Society (CIS), a non-profit group that works on policy issues.

The bill seeks Parliament’s approval for plans to create a DNA bank of various offenders in order to prevent repeat offences and to regulate the process by defining infrastructure, training, qualifications, facilities and legalities.

The government says that conducting DNA analysis involves working with sensitive information which, if misused, can cause harm to a person or to society. There is, thus, a need to restrict the use of DNA profiles through an Act of Parliament only for lawful purposes of establishing someone’s identity in a criminal or civil case and for other specified purposes.

The bill seeks to establish standards for laboratories, staff qualifications, training, proficiency testing, collection of body substances, custody trail from collection to reporting and a data bank with policies of use and access to information, its retention and deletion.

The offences for which the database can be maintained range from criminal and civil offences to paternity disputes.

“We need this bill because there are so many unresolved cases. A judge can use this data as material evidence and speedy justice can be served,” said M.K. Bhan, former secretary of the department of biotechnology. “Tremendous amount of effort has been taken to consult all possible parties and the bill has been drafted and redrafted over the years,” Bhan added.

In its note of dissent, CIS raised objections about DNA profiling and DNA samples being used for identifying victims of accidents or disasters, for missing persons and in civil disputes. It also objected to the creation and maintenance of a population statistics databank that is to be used, as prescribed, for the purposes of identification.

“One problem is accuracy. Unlike comparisons between digital signatures which can either have matches or no matches, biometric signatures will have a level of accuracy, so there can be a few false matches. Hence unnecessary widening of the data will reduce the accuracy of this system,” said Sunil Abraham, executive director at CIS.

CIS further noted that a DNA Profiling Board proposed by the bill will have vast powers, including those of authorizing procedures for DNA profiling for civil and criminal investigation, drawing up a list of instances for the application of human DNA profiling and undertaking any other activity which in the opinion of the Board advances the purposes of the Act. The DNA Profiling Board will consist of eminent scientists, administrators and law enforcement officers who will administer and carry out other functions assigned to it under the Act.

“Usually when regulators are created, the mandate is extremely clear. In this bill it is quite vague and there should not be so many things left to the discretionary powers of the board,” said Abraham who was part of the consultation process for the bill. He added that a number of changes have been introduced to the bill, including reduction of powers of the board, tighter definitions and more privacy safeguards.

“Any regulatory system requires external auditing, that should be taken into view. Another issue that was being looked at was that the forensic system should be outside police jurisdiction as they may have vested interests,” Bhan said.

The CIS note pointed out that although the bill refers to security and privacy procedures that labs are to follow, these have been left to be drawn up and implemented by the proposed DNA Board.

“This proposal has been doing the rounds for years and I can vouch for the scientific infallibility of using DNA profiling for carrying out justice. That being said, the bill does not provide verifiable or implementable safeguards for misuse of this data and lack of accountability of public servants can cause serious jeopardy to the privacy of citizens,” said K.P.C. Gandhi, a forensic scientist and founder chairman at Truth Labs, an independent forensic science laboratory.

For more details visit https://cis-india.org/internet-governance/news/livemint-nikita-mehta-july-29-2015-regulation-misuse-concerns-still-dog-dna-profiling-bill

A Public Discussion on Criminal Defamation in India

bhairav — 2015-07-27T14:44:15Z

The Centre for Internet and Society (CIS); the Network of Women in Media, India; and Media Watch, Bengaluru, are hosting a public discussion on criminal defamation in India. The discussion will start at 5.30 pm on Wednesday, 29 July 2015, at the CIS office in Domlur, Bengaluru.


Pictured above: A poster of the event.

Decriminalising Defamation in India: A Brief Statement of Issues

Subramanian Swamy’s petition to decriminalise defamation has been joined in the Supreme Court by concurring petitions from Rahul Gandhi and Arvind Kejriwal. Defamation is criminalised by sections 499 and 500 of the Indian Penal Code, 1860 (IPC). Swamy and his unlikely cohorts want the Supreme Court to declare that these criminal defamation provisions interfere with the right to free speech and strike them down.

Although news coverage of the case has focused on the motivations and arguments of the three politicians, defamation should not be the sole province of celebrities and the powerful. Unfortunately, criminal defamation has emerged as a new system of censorship to silence journalists, writers, and activists. SLAPP suits (Strategic Lawsuits against Public Participation) are being increasingly used by large corporations to frighten and overwhelm critics and opponents. SLAPP suits are not designed to succeed – although they often do, they are intended to intimidate, harass, and outspend journalists and activists into submission.

The law of defamation rests on uncertain foundations. In medieval Europe defamation was dually prosecuted by the Church as a sin equal to sexual immorality, and by secular courts for the threat of violence that accompanied defamatory speech. These distinct concerns yielded a peculiar defence which fused two elements: truth, which shielded the speaker from the sin of lying; and, the public good, which protected the speaker from the charge of disrupting the public peace. This dual formulation – truth and the public good – remains the primary defence to defamation today.

India does not have a strong ‘fair comment’ defence to protect speech that is neither true nor intrinsically socially useful. This bolsters the law’s reflexive censorship of speech that falls outside the bounds of social utility and morality such as parody, caricature, outrageous opinion, sensationalism, and rumour. This failure affects cartoonists and tabloid sensationalism alike.

Defamation law is also open to procedural misuse to maximise its harrassive effect. Since speech that is published on the Internet or mass-printed and distributed can be read almost anywhere, the venue of criminal defamation proceedings can be chosen to inconvenience and exhaust a speaker into surrender. This motivation explains the peculiarly remote location of several defamation proceedings in India against journalists and magazine editors.

The offence of defamation commoditises reputation. While defamation remains a crime, the state must prosecute it as it does other crimes such as murder and rape. This merits the question: should the state expend public resources to defend the individual reputations of its citizens? Such a system notionally guarantees parity because if the state were to retreat from this role leaving private persons to fight for their own reputations, the market would favour the reputations of the rich and powerful at the expense of others.

These and other issues demand an informed and rigorous public discussion about the continued criminalisation of defamation in India.

Download the concept note prepared by Bhairav Acharya

For more details visit https://cis-india.org/internet-governance/events/a-public-discussion-on-criminal-defamation-in-india

The scariest bill in Parliament is getting no attention – here’s what you need to know about it

sunil — 2015-09-13T07:56:42Z

A bill proposes creation of a national DNA data bank, without requisite safeguards for privacy, and opens the information to everything from civic disputes to compilation of statistics.

The blog post by Nayantara Narayanan was published in Scroll.in on July 24, 2015.

On Wednesday, the Narendra Modi government told the Supreme Court that India's citizens have no fundamental right to privacy. Attorney General Mukul Rohatgi referred to a 1950 court verdict which held that the right to privacy was not a fundamental right while defending the constitutional validity of the Aadhar scheme, a massive database of information of individual citizens including biometrics and bank accounts. At the same time, the government is planning another big database.

In the ongoing stormy monsoon session of Parliament, where the government and opposition have locked horns over several proposed legislation, Human DNA Profiling Bill 2015 has been making little noise but can have widespread impact on India’s criminal justice system and the privacy of citizens. The bill aims to regulate the collection and use of genetic material from crime scenes, and also proposes the creation of a national DNA databank that might be used for non-forensic purposes.

DNA is a mighty tool, especially in criminal forensics, but access to a person’s genetic information can be highly intrusive and dangerous. DNA contains information about health and genetic relationships that can influence employment, insurance. It can be tampered with and planted at crime scenes.

Law and poverty expert Usha Ramanathan and Centre for Internet and Society executive director Sunil Abraham, who are members of an expert committee on DNA profiling constituted by the government, have written dissent notes against the final draft of the Human DNA Profiling Bill. Ramanathan and Abraham are of the opinion that there aren’t adequate safeguards to privacy and too much power rests with the proposed DNA Profiling Board.

Ramanathan notes that one of the biggest challenges of a DNA database is function creep – the gradual widening of the use of a technology beyond the purpose for which it was originally intended. As this DNA profiling bill enters Parliament, here are some questions we should be asking.

Is DNA evidence infallible?

The short answer is “no”. Despite all the crime shows and murder movies we have seen where DNA evidence nails the perpetrator to the crime, DNA evidence is far from absolute. Genetic material recovered from a crime scene is likely to be only a partial strand of DNA. Analysing this partial strand can lead to a match with the person that left the DNA behind but can also lead to a coincidental match with people who happen to have a similar gene sequence in their DNA. False incriminations can happen when more than one person’s DNA get mixed at the crime scene, from DNA contamination, mislabelling and even degradation over time.

In the Aarushi Talwar murder case, for instance, the Hyderabad-based Centre for DNA Fingerprinting and Diagnostics altered its 2008 report in 2013 and admitted to typographical errors in the description of its DNA samples. The evidence could have changed the course of the investigation.

What will the national DNA database look like?

The bill proposes to set up a national DNA data bank and a number of state or regional data banks that will feed into the national data pool. Every data bank will have six categories under which DNA profiles will be filed – crime scene index, suspects’ index, offenders’ index, missing persons’ index, unknown deceased persons’ index, and volunteers’ index. The DNA profiling board will have the power to include more categories. In the offenders’ index, the DNA information will be linked to the name of the person from whom it was collected. All others will be linked to a case reference number.

What happens when my genetic material is on the database?

The bill gives sanction for broad use of DNA profiles and samples – to identify victims of accidents or disasters, to identify missing persons, for civil disputes and other offences. It also allows the information to be used to create population statistics, identification research, parental disputes, issues relating to reproductive technologies and migration. In his dissent note, Abraham argues that all non-forensic use should be rejected.

Cases like whether paternity should be determined, unwed mothers leaving their children and adopted children looking for their natural parents are hugely contestable things, said Ramanathan. “You are changing multiple structures and not recognising any of them,” she added.

Even though the bill allows for DNA information of offenders to be expunged once a court acquits them or sets aside a conviction, it makes no provision for removing other kinds of profiles.

The CDFD, which will be instrumental in building and processing DNA profiles, is using the CODIS software bought from the US's Federal Bureau of Investigation an compatible with their systems. The FBI used CODIS to identify victims of the terrorist attacks on the World Trade Center in 2001. More recently, the CDFD used CODIS to identify some who died in the Uttarakhand floods of 2013 after asking for 5,000 people who were possibly relatives of the deceased to undertake DNA testing.

Can the DNA profiling board protect our genetic information?

The bill grants the board vast powers to allow the use of DNA profiles in any civil and criminal proceedings that it deems necessary. “Ideally these powers would lie with the legislative or judicial branch,” Abraham said, in his dissent note. “Furthermore, the Bill establishes no mechanism for accountability or oversight over the functioning of the Board.”

Ramanathan questions the constitution of the board itself, her worry being that the board is not a body of disinterested officials. The secretary of the board is supposed to be from the Centre for DNA Fingerprinting and Diagnostics, an autonomous institute that will get a lot of work from the creation of the national DNA data bank.

Why does a DNA fingerprinting consent form ask for caste?

One of the most troubling features of the creation of a databank is the consent form to be signed by a person donating blood for DNA analysis. Along with name, gender and address, the form also asks for caste to be listed.

India has a history of unwarrantedly linking caste and community with criminality. Members of decriminalised tribes regularly report being harassed by the police and even having false cases foisted on them simply because they are linked to a certain community. Tagging caste onto genetic data can result in unfair profiling and identification errors.

The United Kingdom set up its national criminal DNA database in 1995. The database expanded over a decade by including genetic information of anyone who was arrested till more than one million innocent people were on it – including a grandmother who didn’t return a football to children who kicked it into her garden. The dangers of a genetic database are too much state oversight, false implication in crimes and a loss of privacy – none of which should come to pass without at least a debate.

For more details visit https://cis-india.org/internet-governance/news/the-scariest-bill-in-parliament-is-getting-no-attention-2013-here2019s-what-you-need-to-know-about-it

Aadhaar Number vs the Social Security Number

elonnai — 2015-07-24T01:24:00Z

This blog calls out the differences between the Aadhaar Number and the Social Security Number

In response to news items that reported the Government of India running pilot projects to enroll children at the time of birth for Aadhaar numbers - an idea that government officials in the news items claimed was along the lines of the social security number - this note seeks to point out the ways in which the Aadhaar number and the social security number are different.[1]

Governance

SSN is governed by Federal legislation: The issuance, collection, and use of the SSN is governed by a number of Federal and State legislation with the most pertinent being the Social Security Act 1935[2] - which provides legal backing for the number, and the Privacy Act 1974 which regulates the collection, access, and sharing of the SSN by Federal Executive agencies.[3]

Aadhaar was constituted under the Planning Commission: The UIDAI was constituted as an attached office under the Planning Commission in 2009.[4] A Unique Identification Authority Bill has been drafted, but has not been enacted.[5] Though portions of the Information Technology Act 2008 apply to the UID scheme, section 43A and associated Rules (India's data protection standards) do not clearly apply to the UIDAI as the provision has jurisdiction only over body corporate.

Purpose

SSN was created as a number record keeping scheme for government services: The Social Security Act provides for the creation of a record keeping scheme - the SSN. Originally, the SSN was used as a means to track an individuals earnings in the Social Security system.[6] In 1943 via an executive order, the number was adopted across Federal agencies. Eventually the number has evolved from being a record keeping scheme into a means of identity. In 1977 it was clarified by the Carter administration that the number could act as a means to validate the status of an individual (for example if he or she could legally work in the country) but that it was not to serve as a national identity document.[7] Today the SSN serves as a number for tracking individuals in the social security system and as one (among other) form of identification for different services and businesses. Alone, the SSN card does not serve proof of identity, citizenship, and it cannot be used to transact with and does not have the ability to store information. [8]

Aadhaar was created as a biometric based authenticator and a single unique proof of identity: The Aadhaar number was established as a single proof of identity and address for any resident in India that can be used to authenticate the identity of an individual in transactions with organizations that have adopted the number. The scheme as been promoted as a tool for reducing fraud in the public distribution system and enabling the government to better deliver public benefits.[9]

Applicability

SSN is for citizens and non-citizens authorized to work: The social security number is primarily for citizens of the United States of America. In certain cases, non citizens who have been authorized by the Department of Homeland Security to work in the US may obtain a Social Security number.[10]

Aadhaar is for residents: The aadhaar number is available to any resident of India.[11]

Storage, Access, and Disclosure

SSN and applications are stored in the Numident: The numident is a centralized database containing the individuals original SNN and application and any re-application for the same. All information stored in the Numident is protected under the Privacy Act. Individuals may request records of their own personal information stored in the Numident. With the exception of the Department of Homeland Security and U.S Citizenship and Immigration Services, third parties may only request access to Numident records with the consent of the concerned individual.[12] Federal agencies and private entities that collect the SSN for a specific service store the number at the organizational level. The Privacy Act and various state level legislation regulates the disclosure, access, and sharing of the SSN number collected by agencies and organizations.

Aadhaar and data generated at multiple sources is stored in the CIDR and processed in the data warehouse: According to the report "Analytics, Empowering Operations", "At UIDAI, data generated at multiple sources would typically come to the CIDR (Central ID Repository), UIDAIs Data centre, through an online mechanism. There could be certain exceptional sources, like Contact centre or Resident consumer surveys, that will not feed into the Data center directly. Data is then processed in the Data Warehouse using Business Intelligence tools and converted into forms that can be accessed and shared easily." Examples of data that is stored in the CIDR include enrollments, letter delivery, authentication, processing, resident survey, training, and data from contact centres.[13] It is unclear if organizations that authenticate individuals via the Adhaar number store the number at the organizational level. Biometrics are listed as a form of sensitive personal information in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) 2011, thus if any body corporate collects biometrics with the Aadhaar number - the storage, access, and disclosure of this information would be protected as per the Rules, but the Aadhaar number is not explicitly protected. [14]

Use by public and private entities

Public and private entities can request SSN: Public and private entities can request the SSN to track individuals in a system or as a form of identifying an individual. Any private business is allowed to request and use the SSN as long as the use does not violate federal or state law. Legally, an individual is only required to provide their SSN to a business if they are engaging in a transaction that requires notification to the Internal Revenue Service or the individual is initiating a transaction that is subject to federal Customer Identification Program rules.[15] Thus, an individual can refuse to provide their SSN, but a private business can also refuse to provide a service.[16]

Any public authority requesting the SSN must provide a disclosure notice to the individual explaining if the provision of SSN is required or optional. According to the Privacy Act of 1974, no individual can be denied a government service or benefit for not providing the SSN unless Federal law specifically requires the number for a particular service.[17] Thus, there are a number of Federal legislation in the U.S that specifically require the SSN. For example, the Social Security Independence and Program Improvements Act 1994 allows for the use of the SSN for jury selection and allows for cross matching of SSNs and Employer Identification Numbers for investigation into violation of Federal Laws. [18]

Public and private entities can request Aadhaar: The Aadhaar number can be adopted by any public or private entity as a single means of identifying an individual. The UIDAI has stated that the Aadhaar number is not mandatory,[19] and the Supreme Court of India has clarified that services cannot be denied on the grounds that an individual does not have an Aadhaar number.[20]

Verification

The SSN can be verified only in certain circumstances: The SSA will only respond to requests for SSN verification in certain circumstances:

Before issuing a replacement SSN, posting a wage item to the Master Earnings File, or establishing a claims record - the SSA will verify that the name and the number match as per their records.
When legally permitted, the SSA verification system will verify SSNs for government agencies.
When legally permitted the SSA verification system will verify a workers SSN for pre-registered and approved private employers.
If an individual has provided his/her consent, the SSA will verify a SSN request from a third party.

For verification the SSN number must be submitted with an accompanying name to be matched to and additional information such as date of birth, fathers name, mothers name etc. When verifying submitted SSN's, the system will respond with either confirmation that the information matches or that it does not match. It is important to note that because SSN is verified only in certain circumstances, it is not guaranteed that the person providing an SSN number is the person whom the number was assigned.[21]

The Aadhaar number can be verified in any transaction: If an organization, department, or platform has adopted the Aadhaar number as a form of authentication, they can send requests for verification to the UIDAI. The UIDAI will respond with a yes or no answer. When using their Aadhaar number as a form of authentication individuals can submit their number and demographic information or their number and biometrics for verification.[22]

Lost or stolen

SSN can be replaced: If an individual loses his/her SSN card lost or their number is fraudulently used, they can apply for a replacement SSN card or a new SNN number. [23]

Aadhaar number can be replaced: If an individual has lost their Aadhaar number, there is a process that they can follow to have their number re-sent to them. If the number cannot be located by the UIDAI , the individual has the option of re-enrolling for a new Aadhaar number.[24] The UIDAI has built the scheme with the understanding the biometrics are a unique identifier that cannot be lost or stolen, and thus have not created a system to address the possibility of stolen or fraudulent use of biometrics.

Implementation

Legislation and formal roll out: The SSN program was brought into existence via the Social Security Act and officially rolled out while eventually being adopted across Federal Departments.

Bill and pilot studies: The UID scheme has been envisioned as being brought into existence via the Unique Identification Authority Bill 2010 which has not been passed. Thus far, the project has been implemented in pilot phases across States and platforms.

Enrollment

Social Security Administration: The Social Security Agency is the soul body in the US that receives and processes applications for SSN and issues SSN numbers. [25]

UIDAI, registrars, and enrolling agencies: The UIDAI is the soul body that issues Aadhaar numbers. Registrars (contracted bodies under the UIDAI_ - and enrolling agencies (contracted bodies under Registrars) are responsible for receiving and processing enrollments into the UID scheme.

Required supporting documents

SSN requires proof of age, identity, and citizenship: To obtain a SSN you must be able to provide proof of your age, your identity, and US citizenship. The application form requires the following information:

Name to be shown on the card
Full name at birth, if different
Other names used
Mailing address
Citizenship or alien status
Sex
Race/ethnic description (SSA does not receive this information under EAB)
Date of birth
Place of birth
Mother's name at birth
Mother's SSN (SSA collects this information for the Internal Revenue Service (IRS) on an original application for a child under age 18. SSA does not retain these data.)
Fathers' name
Father's SSN (SSA collects this information for IRS on an original application for a child under age 18. SSA does not retain these data).
Whether applicant ever filed for an SSN before
Prior SSNs assigned
Name on most recent Social Security card
Different date of birth if used on an earlier SSN application.
Date application completed
Phone number
Signature
Applicant's relationship to the number holder.[26]

Aadhaar requires proof of age, address, birth, and residence and biometric information: The application form requires the following information:

Name
Date of birth
Gender
Address
Parent/guardian details
Email
Mobile number
Indication of consenting or not consenting to the sharing of information provided to the UIDAI with Public services including welfare services
Indication of if the individual wants the UIDAI to facilitate the opening of a bank account linked to the Aadhaar number and permits the sharing of information for this purpose
If the individual has no objection to linking their present bank account to the Aadhaar number and the relevant bank details
Signature[27]

[1] Sahil Makkar, "PM's idea to track kids from birth hits practical hurdles", Business Standard. April 11^th 2015. Available at: http://www.business-standard.com/article/current-affairs/pm-s-idea-to-track-kids-from-birth-hits-practical-hurdles-115041100828_1.html

[2] The Social Security Act of 1935. Available at: http://www.ssa.gov/history/35act.html

[3] The United States Department of Justice, "Overview of the Privacy Act of 1974". Available at: http://www.justice.gov/opcl/social-security-number-usage

[4] Government of India Planning Commission "Notification". Available at: https://uidai.gov.in/images/notification_28_jan_2009.pdf

[5] The National Identification Authority of India Bill 2010. Available at: http://www.prsindia.org/uploads/media/UID/The%20National%20Identification%20Authority%20of%20India%20Bill,%202010.pdf

[6] History of SSA 1993 - 2000. Chapter 6: Program Integrity. Available at: http://www.ssa.gov/history/ssa/ssa2000chapter6.html

[7] Social Security Number Chronology. Available at: http://www.ssa.gov/history/ssn/ssnchron.html

[8] History of SSA 1993 - 2000, Chapter 6: Program Integrity. Available at: http://www.ssa.gov/history/ssa/ssa2000chapter6.html

[9] UID FAQ: Aadhaar Features, Eligibility. Available at: https://resident.uidai.net.in/faqs

[10] Social Security Numbers for Noncitizens. Available at: http://www.ssa.gov/pubs/EN-05-10096.pdf

[11] Aapka Aadhaar. Available at: https://uidai.gov.in/aapka-aadhaar.html

[12] Program Operations Manual System. Available at: https://secure.ssa.gov/poms.nsf/lnx/0203325025

[13] UIDAI Analytics -Empowering Operations - the UIDAI Experience. Available at: https://uidai.gov.in/images/commdoc/other_doc/uid_doc_30012012.pdf

[14] Information Technology (Reasonable security practices and procedures and sensitive personal data or information rules 2011) available at: http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf

[15] IdentityHawk, "Who can lawfully request my social security number?" Available at: http://www.identityhawk.com/Who-Can-Lawfully-Request-My-Social-Security-Number

[16] SSA FAQ " Can I refuse to give my social security number to a private business?" Available at: https://faq.ssa.gov/link/portal/34011/34019/Article/3791/Can-I-refuse-to-give-my-Social-Security-number-to-a-private-business

[17] The United States Department of Justice, "Overview of the Privacy Act of 1974". Available at: http://www.justice.gov/opcl/social-security-number-usage

[18] Social Security Number Chronology. Available at: http://www.ssa.gov/history/ssn/ssnchron.html

[19] Aapka Aadhaar. Available at: https://uidai.gov.in/what-is-aadhaar.html

[20] Business Standard, "Aadhaar not mandatory to claim any state benefit, says Supreme Court" March 17^th, 2015. Available at: http://www.business-standard.com/article/current-affairs/aadhaar-not-mandatory-to-claim-any-state-benefit-says-supreme-court-115031600698_1.html

[21] Social Security History 1993 - 2000, Chapter 6: Program Integrity. Available at: http://www.ssa.gov/history/ssa/ssa2000chapter6.html

[22] Aapka Aadhaar. Available at: https://uidai.gov.in/auth.html

[23] SSA. New or Replacement Social Security Number Card. Available at: http://www.ssa.gov/ssnumber/

[24] UIDAI, Lost EID/UID Process. Available at: https://uidai.gov.in/images/mou/eiduid_process_ver5_2_27052013.pdf

[25] Social Security. Availabl at: http://www.ssa.gov/

[26] Social Security Administration, Application for a Social Security. Available at: http://www.ssa.gov/forms/ss-5.pdf

[27] Aadhaar enrollment/correction form. Available at: http://hstes.in/pdf/2013_pdf/Genral%20Notification/Aadhaar-Enrolment-Form_English.pdf

For more details visit https://cis-india.org/internet-governance/blog/aadhaar-vs-social-security-number

Privacy, Autonomy, and Sexual Choice: The Common Law Recognition of Homosexuality

bhairav — 2015-08-23T12:20:52Z

In the last few decades, all major common law jurisdictions have decriminalised non-procreative sex – oral and anal sex (sodomy) – to allow private, consensual, and non-commercial homosexual intercourse.

Download PDF

Anti-sodomy statutes across the world, often drafted in the same anachronistic vein as section 377 of the Indian Penal Code, 1860 (“IPC”), have either been repealed or struck down on the grounds that they invade individual privacy and are detrimentally discriminative against homosexual people.

This is not an examination of India’s laws against homosexuality, it does not review the Supreme Court of India’s judgment in Suresh Koushal v. Naz Foundation (2014) 1 SCC 1 nor the Delhi High Court’s judgment in Naz Foundation v. Government of NCT Delhi 2009 (160) DLT 277, which the former overturned – in my view, wrongly. This note simply provides a legal history of the decriminalisation of non-procreative sexual activity in the United Kingdom and the United States. Same-sex marriage is also not examined.

In the United Kingdom

The Wolfenden Report

In England, following a campaign of arrests of non-heterosexual persons and subsequent protests in the 1950s, the government responded to public dissatisfaction by appointing the Departmental Committee on Homosexual Offences and Prostitution chaired by John Frederick Wolfenden. The report of this committee (“Wolfenden Report”) was published in 1957 and recommended that:

“…homosexual behaviour between consenting adults in private should no longer be a criminal offence.”

The Report further observed that it was not the function of a State to punitively scrutinise the private lives of its citizens:

“(T)he law’s function is to preserve public order and decency, to protect the citizen from what is offensive or injurious, and to provide sufficient safeguards against exploitation and corruption of others… It is not, in our view, the function of the law to intervene in the private life of citizens, or to seek to enforce any particular pattern of behaviour.”

The Sexual Offences Act, 1967

The Wolfenden Report was accepted and, in its pursuance, the Sexual Offences Act, 1967 was enacted to, for the first time in common law jurisdictions, partially decriminalise homosexual activity – described in English law as ‘buggery’ or anal sex between males.
Section 1(1) of the original Sexual Offences Act, as notified on 27 July 1967 stated –
"Notwithstanding any statutory or common law provision, but subject to the provisions of the next following section, a homosexual act in private shall not be an offence provided that the parties consent thereto and have attained the age of twenty one years."
A ‘homosexual act’ was defined in section 1(7) as –
“For the purposes of this section a man shall be treated as doing a homosexual act if, and only if, he commits buggery with another man or commits an act of gross indecency with another man or is a party to the commission by a man of such an act.”
The meaning of ‘private’ was also set forth rather strictly in section 1(2) –
“An act which would otherwise be treated for the purposes of this Act as being done in private shall not be so treated if done –
(a) when more than two persons take part or are present; or
(b) in a lavatory to which the public have or are permitted to have access, whether on
payment or otherwise.”
Hence, by 1967, English law permitted:

as between two men,
both twenty-one years or older,
anal sex (buggery),
and other sexual activity (“gross indecency”)
if, and only if, a strict prescription of privacy was maintained,
that excluded even a non-participating third party from being present,
and restricted the traditional conception of public space to exclude even lavatories.

However, the benefit of Section 1 of the Sexual Offences Act, 1967 did not extend beyond England and Wales; to mentally unsound persons; members of the armed forces; merchant ships; and, members of merchant ships whether on land or otherwise.

Developments in Scotland and Northern Ireland

Over the years, the restrictions in the original Sexual Offences Act, 1967 were lifted. In 1980, the Criminal Justice (Scotland) Act, 1980 partially decriminalised homosexual activity in Scotland on the same lines that the Act of 1967 did for England and Wales. One year later, in 1981, an Irishman Jeffrey Dudgeon successfully challenged the continued criminalisation of homosexuality in Northern Ireland before the European Court of Human Rights (“ECHR”) in the case of Dudgeon v. United Kingdom (1981) 4 EHRR 149. Interestingly, Dudgeon was not decided on the basis of detrimental discrimination or inequality, but on the ground that the continued illegality of homosexuality violated the petitioner’s right to privacy guaranteed by Article 8 of the 1950 European Convention on Human Rights (“European Convention”). In a 15-4 majority judgement, the ECHR found that “…moral attitudes towards male homosexuality…cannot…warrant interfering with the applicant’s private life…” Following Dudgeon, the Homosexual Offences (Northern Ireland) Order, 1982 came into effect; and with it, brought some semblance of uniformity in the sodomy laws of the United Kingdom.

Equalising the age of consent

However, protests continued against the unequal age of consent required for consensual homosexual sex (21 years) as opposed to that for heterosexual sex (16 years). In 1979, a government policy advisory recommended that the age of consent for homosexual sex be reduced to 18 years – two years older than that for heterosexual sex, but was never acted upon. In 1994, an attempt to statutorily equalise the age of consent at 16 years was defeated in the largely conservative House of Commons although a separate legislative proposal to reduce it to 18 years was carried and enacted under the Criminal Justice and Public Order Act, 1994. Following this, the unequal ages of consent forced a challenge against UK law in the ECHR in 1994; four years later, in Sutherland v. United Kingdom [1998] EHRLR 117, the ECHR found that the unequal age of consent violated Articles 8 and 14 of the European Convention – relating to privacy and discrimination. Sutherland was significant in two ways – it forced the British government to once again introduce legislation to equalise the ages of consent; and, significantly, it affirmed a homosexual human right on the ground of anti-discrimination (as opposed to privacy).

To meet its European Convention commitments, the House of Commons passed, in June 1998, a bill for an equal age of sexual consent but it was rejected by the more conservative House of Lords. In December 1998, the government reintroduced the equal age of consent legislation which again passed the House of Commons and was defeated in the House of Lords. Finally, in 1999, the government invoked the statutory superiority of the House of Commons, reintroduced for the third time the legislation, passed it unilaterally to result in the enactment of the Sexual Offences (Amendment) Act, 2000 that equalised the age of sexual consent for both heterosexuals and homosexuals at 16 years of age.

Uniformity of equality

However, by this time, different UK jurisdictions observed separate legislations regarding homosexual activity. The privacy conditions stipulated in the original Sexual Offences Act, 1967 remained, although they had been subject to varied interpretation by English courts. To resolve this, the UK Parliament enacted the Sexual Offences Act, 2003 which repealed all earlier conflicting legislation, removed the strict privacy conditions attached to homosexual activity and re-drafted sexual offences in a gender neutral manner. A year later, the Civil Partnership Act, 2004 gave same-sex couples the same rights and responsibilities as a civil marriage. And, in 2007, the Equality Act (Sexual Orientation) Regulations came into force to prohibit general discrimination against homosexual persons in the same manner as such prohibition exists in respect of grounds of race, religion, disability, sex and so on.

In the United States

Diversity of state laws

Sodomy laws in the United States of America have followed a different trajectory. A different political and legal system leaves individual US States with wide powers to draft and follow their own constitutions and laws. Accordingly, by 1961 all US States had their own individual anti-sodomy laws, with different definitions of sodomy and homosexuality. In 1962, Illinois became the first US State to repeal its anti-sodomy law. Many States followed suit over the next decades including Connecticut (1971); Colorado and Oregon (1972); Delaware, Hawaii and North Dakota (1973); Ohio (1974); New Hampshire and New Mexico (1975); California, Maine, Washington and West Virginia (1976); Indiana, South Dakota, Wyoming and Vermont (1977); Iowa and Nebraska (1978); New Jersey (1979); Alaska (1980); and, Wisconsin (1983).

Bowers v. Hardwick

However, not all States repealed their anti-sodomy laws. Georgia was one such State that retained a statutory bar to any oral or anal sex between any persons of any sex contained in Georgia Code Annotated §16-6-2 (1984) (“Georgia statute”) which provided, in pertinent part, as follows:

“(a) A person commits the offense of sodomy when he performs or submits to any sexual act involving the sex organs of one person and the mouth or anus of another… (b) A person convicted of the offense of sodomy shall be punished by imprisonment for not less than one nor more than 20 years”

In 1982, a police officer arrested Michael Hardwick in his bedroom for sodomy, an offence which carried a prison sentence of up to twenty years. His case went all the way up to the US Supreme Court which, in 1986, pronounced its judgement in Bowers v. Hardwick 478 US 186 (1986). Although the Georgia statute was framed broadly to include even heterosexual sodomy (anal or oral sex between a man and a woman or two women) within its ambit of prohibited activity, the Court chose to frame the issue at hand rather narrowly. Justice Byron White, speaking for the majority, observed at the outset –

“This case does not require a judgment on whether laws against sodomy between consenting adults in general, or between homosexuals in particular, are wise or
desirable. It raises no question about the right or propriety of state legislative decisions to repeal their laws that criminalize homosexual sodomy, or of state-court decisions invalidating those laws on state constitutional grounds. The issue presented is whether the Federal Constitution confers a fundamental right upon homosexuals to engage in sodomy…”

Privacy and autonomy

Interestingly, Hardwick’s case against the Georgia statute was not grounded on an equality-discrimination argument (since the Georgia statute prohibited even heterosexual sodomy but was only enforced against homosexuals) but on a privacy argument that sought to privilege and immunise private consensual non-commercial sexual conduct from intrusive State intervention. To support this privacy claim, a long line of cases was relied upon that restricted the State’s ability to intervene in, and so upheld the sanctity of, the home, marriage, procreation, contraception, child rearing and so on [See, Carey v. Population Services 431 US 678 (1977), Pierce v. Society of Sisters 268 US 510 (1925) and Meyer v. Nebraska 262 US 390 (1923) on child rearing and education; Prince v. Massachusetts 321 US 158 (1944) on family relationships; Skinner v. Oklahoma ex rel. Williamson 316 US 535 (1942) on procreation; Loving v. Virginia 388 US 1 (1967) on marriage; Griswold v. Connecticut 381 US 479 (1965) and Eisenstadt v. Baird 405 US 438 (1972) on contraception; and Roe v. Wade 410 US 113 (1973) on abortion]. Further, the Court was pressed to declare a fundamental right to consensual homosexual sodomy by reading it into the Due Process clause of the Fourteenth Amendment to the US Constitution.

The 9-judges Court split 5-4 down the middle to rule against all of Hardwick’s propositions and uphold the constitutionality of the Georgia statute. The Court’s majority agreed that cases cited by Hardwick had indeed evolved a right to privacy, but disagreed that this privacy extended to homosexual persons since “(n)o connection between family, marriage, or procreation on the one hand and homosexual activity on the other has been demonstrated…”. In essence, the Court’s majority held that homosexuality was distinct from procreative human sexual behaviour; that homosexual sex could, by virtue of this distinction, be separately categorised and discriminated against; and, hence, homosexual sex did not qualify for the benefit of intimate privacy protection that was available to heterosexuals. What reason did the Court give to support this discrimination? Justice White speaking for the majority gives us a clue: “Proscriptions against that (homosexual) conduct have ancient roots.” Justice White was joined in his majority judgement by Chief Justice Burger, Justice Powell, Justice Rehnquist and Justice O’Connor. His rationale was underscored by Chief Justice Burger who also wrote a short concurring opinion wherein he claimed:

“Decisions of individuals relating to homosexual conduct have been subject to state intervention throughout the history of Western civilization. Condemnation of those practices is firmly rooted in Judeo-Christian moral and ethical standards. Blackstone described “the infamous crime against nature” as an offense of “deeper malignity” than rape, a heinous act “the very mention of which is a disgrace to human nature,” and “a crime not fit to be named.” … To hold that the act of homosexual sodomy is somehow protected as a fundamental right would be to cast aside millennia of moral teaching.”

The majority’s “wilful blindness”: Blackmun’s dissent

The Court’s dissenting opinion was delivered by Justice Blackmun, in which Justice Brennan, Justice Marshall and Justice Stevens joined. At the outset, the Justice Blackmun disagreed with the issue that was framed by the majority led by Justice White: “This case is (not) about “a fundamental right to engage in homosexual sodomy,” as the Court purports to declare…” and further pointed out that the Georgia statute proscribed not just homosexual sodomy, but oral or anal sex committed by any two persons: “…the Court’s almost obsessive focus on homosexual activity is particularly hard to justify in light of the broad language Georgia has used.”. When considering the issue of privacy for intimate sexual conduct, Justice Blackmun criticised the findings of the majority: “Only the most wilful blindness could obscure the fact that sexual intimacy is a sensitive, key relationship of human existence, central to family life, community welfare, and the development of human personality…” And when dealing with the ‘historical morality’ argument that was advanced by Chief Justice Burger, the minority observed:

“The assertion that “traditional Judeo-Christian values proscribe” the conduct involved cannot provide an adequate justification for (§)16-6-2 (of the Georgia Statute). That certain, but by no means all, religious groups condemn the behavior at issue gives the State no license to impose their judgments on the entire citizenry. The legitimacy of secular legislation depends instead on whether the State can advance some justification for its law beyond its conformity to religious doctrine.”

The states respond, privacy is upheld

Bowers was argued and decided over five years in the 1980s. At the time, the USA was witnessing a neo-conservative wave in its society and government, which was headed by a republican conservative. The HIV/AIDS issue had achieved neither the domestic nor international proportions it now occupies and the linkages between HIV/AIDS, homosexuality and the right to health were still unclear. In the years after Bowers, several more US States repealed their sodomy laws.

In some US States, sodomy laws that were not legislatively repealed were judicially struck down. In 1998, the Georgia State Supreme Court, in Powell v. State of Georgia S98A0755, 270 Ga. 327, 510 S.E. 2d 18 (1998), heard a challenge to the same sodomy provision of the Georgia statute that was upheld in by the US Supreme Court in Bowers. In a complete departure from the US Supreme Court’s findings, the Georgia Supreme Court first considered whether the Georgia statute violated individual privacy: “It is clear from the right of privacy appellate jurisprudence…that the “right to be let alone” guaranteed by the Georgia Constitution is far more extensive that the right of privacy protected by the U.S. Constitution…”

Having established that an individual right to privacy existed to protect private consensual sodomy, the Georgia Court then considered whether there was a ‘legitimate State interest’ that justified the State’s restriction of this right. The justifications that were offered by the State included the possibility of child sexual abuse, prostitution and moral degradation of society. The Court found that there already were a number of legal provisions to deter and punish rape, child abuse, trafficking, prostitution and public indecency. Hence: “In light of the existence of these statutes, the sodomy statute’s raison d’ etre can only be to regulate the private sexual conduct of consenting adults, something which Georgians’ right of privacy puts beyond the bounds of government regulation.” By a 2-1 decision, Chief Justice Benham leading the majority, the Georgia Supreme Court struck down the Georgia statute for arbitrarily violating the privacy of individuals. Interestingly, the subjects of the dispute were not homosexual, but two heterosexual adults – a man and a woman. Similar cases where a US State’s sodomy laws were judicially struck down include:

Campbell v. Sundquist 926 S.W.2d 250 (1996) – [Tennessee – by the Tennessee Court of Appeals on privacy violation; appeal to the State Supreme Court expressly denied].
Commonwealth v. Bonadio 415 A.2d 47 (1980) – [Pennsylvania – by the Pennsylvania Supreme Court on both equality and privacy violations];
Doe v. Ventura MC 01-489, 2001 WL 543734 (2001) – [Minnesota – by the Hennepin County District Judge on privacy violation; no appellate challenge];
Gryczan v. Montana 942 P.2d 112 (1997) – [Montana – by the Montana Supreme Court on privacy violation];
Jegley v. Picado 80 S.W.3d 332 (2001) – [Arkansas – by the Arkansas Supreme Court, on privacy violation];
Kentucky v. Wasson 842 S.W.2d 487 (1992) [Kentucky – by the Kentucky Supreme Court on both equality and privacy violations];
Massachusetts v. Balthazar 366 Mass. 298, 318 NE2d 478 (1974) and GLAD v. Attorney General 436 Mass. 132, 763 NE2d 38 (2002) – [Massachusetts – by the Superior Judicial Court on privacy violation];
People v. Onofre 51 NY 2d 476 (1980) [New York – by the New York Court of Appeals on privacy violation]; and,
Williams v. Glendenning No. 98036031/CL-1059 (1999) – [Maryland – by the Baltimore City Circuit Court on both privacy and equality violations; no appellate challenge].

Lawrence v. Texas

These developments made for an uneven field in the matter of legality of homosexual sex with the sodomy laws of most States being repealed by their State legislatures or subject to State judicial invalidation, while the sodomy laws of the remaining States were retained under the shade of constitutional protection afforded by Bowers. Texas was one such State which maintained an anti-sodomy law contained in Texas Penal Code Annotated § 21.06(a) (2003) (“Texas statute”) which criminalised sexual intercourse between two people of the same sex. In 1998, the Texas statute was invoked to arrest two men engaged in private, consensual, non-commercial sodomy. They subsequently challenged the constitutionality of the Texas statute, their case reaching the US Supreme Court. In 2003, the US Supreme Court, in Lawrence v. Texas 539 US 558 (2003) pronounced on the validity of the Texas statute. Interestingly, while the issue under consideration was identical to that decided in Bowers, the Court this time around was presented with detailed arguments on the equality-discrimination aspect of same-sex sodomy laws – which the Bowers Court majority did not consider. The Court split 6-3; the majority struck down the Texas statute. Justice Kennedy, speaking for himself and 4 other judges of the majority, found instant fault with the Bowers Court for framing the issue in question before it as simply whether homosexuals had a fundamental right to engage in sodomy.

Privacy, intimacy, home

This mistake, Justice Kennedy claimed, “…discloses the Court’s own failure… To say that the issue in Bowers was simply the right to engage in certain sexual conduct demeans…the individual…just as it would demean a married couple were it to be said marriage is simply about the right to have sexual intercourse. Their penalties and purposes (of the laws involved)…have more far-reaching consequences, touching upon the most private human conduct, sexual behavior, and in the most private of places, the home.” Justice Kennedy, joined by Justice Stevens, Justice Souter, Justice Ginsburg and Justice Breyer, found that the Texas statute violated the right to privacy granted by the Due Process clause of the US Constitution:

“The petitioners are entitled to respect for their private lives. The State cannot demean their existence or control their destiny by making their private sexual conduct a crime. “It is a promise of the Constitution that there is a realm of personal liberty which the government may not enter.”” [The quote is c.f. Planned Parenthood of Southeastern Pa. v. Casey 505 US 833 (1992)]

Imposed morality is defeated

With the privacy argument established as controlling, Justice Kennedy went to some length to refute the ‘historical morality’ argument that was put forward in Bowers by then Chief Justice Burger: “At the outset it should be noted that there is no longstanding history in this country of laws directed at homosexual conduct as a distinct matter… The sweeping references by Chief Justice Burger to the history of Western civilization and to Judeo-Christian moral and ethical standards did not take account of other authorities pointing in an opposite direction.” To illustrate these other authorities, Justice Kennedy references the ECHR’s decision in Dudgeon supra which was reached five years before Bowers: “Authoritative in all countries that are members of the Council of Europe (21 nations then, 45 nations now), the decision (Dudgeon) is at odds with the premise in Bowers that the claim put forward was insubstantial in our Western civilization.”.

The Court then affirmed that morality could not be a compelling ground to infringe upon a fundamental right: “Our obligation is to define the liberty of all, not to mandate our own moral code”. The lone remaining judge of the majority, Justice O’Connor, based her decision not on the right to privacy but on equality-discrimination considerations. Interestingly, Justice O’Connor sat on the Bowers Court and ruled with the majority in that case. Basing her decision on equal protection grounds allowed her to concur with the majority in Lawrence but not overturn her earlier position in Bowers which had rejected a right to privacy claim. It also enabled her to strike down the Texas statute while not conceding homosexuality as a constitutionally guaranteed private liberty. There were three dissenters: The chief dissent was delivered by Justice Scalia, in which he was joined by Chief Justice Rehnquist and Justice Thomas. Bowers was not merely distinguished by the majority, it was overruled:

“Bowers was not correct when it was decided, and it is not correct today. It ought not to remain binding precedent. Bowers v. Hardwick should be and now is overruled.”

For more details visit https://cis-india.org/internet-governance/blog/privacy-autonomy-sexual-choice-common-law-recognition-of-homosexuality

7th Best Practices Meet 2015

praskrishna — 2015-07-17T13:11:20Z

Data Security Council of India (DSCI) organized the 7th edition of its Best Practices Meet (BPM) from July 9 - 10, 2015 at Hotel ITC Gardenia in Bengaluru. BPM2015 had “Architecting Security for Digital Transformation” as its theme. Sunil Abraham and Elonnai Hickok were speakers at this event.

The two-day deliberations, reflected on policy, endeavours at national and industry levels, proposed industry steps, market response, best practices, industry standards and technology designs and see how they play their roles in architecting of information systems and enterprise security within organizations. Sunil Abraham was a panelist in the session "Architecting Security for transformation to Digital India". Elonnai Hickok was a panelist in the session "Steering privacy in the age of extreme innovation technology & business models."

See the Agenda

For more details visit https://cis-india.org/internet-governance/news/best-practices-meet-2015

A Dissent Note to the Expert Committee for DNA Profiling

elonnai — 2016-07-21T11:01:44Z

The Centre for Internet and Society has participated in the Expert Committee for DNA Profiling constituted by the Department of Biotechnology in 2012 for the purpose of deliberating on and finalizing the draft Human DNA Profiling Bill and appreciates this opportunity. CIS respectively dissents from the January 2015 draft of the Bill.

Click for DNA Bill Functions, DNA List of Offences, and CIS Note on DNA Bill. A modified version was published by Citizen Matters Bangalore on July 28.

Based on the final draft of the Human DNA Profiling Bill that was circulated on the 13th of January 2015 by the committee, the Centre for Internet and Society is issuing this note of dissent on the following grounds:

The Centre for Internet and Society has made a number of submissions to the committee regarding different aspects of the Bill including recommendations for the functions of the board, offences for which DNA can be collected, and a general note on the Bill. Though the Centre for Internet and Society recognizes that the present form of the Bill contains stronger language regarding human rights and privacy, we do not find these to be adequate and believe that the core concerns or recommendations submitted to the committee by CIS have not been incorporated into the Bill.

The Centre for Internet and Society has foundational objections to the collection of DNA profiles for non-forensic purposes. In the current form the DNA Bill provides for collection of DNA for the following non forensic purposes:

Section 31(4) provides for the maintenance of indices in the DNA Bank and includes a missing person’s index, an unknown deceased person’s index, a volunteers’ index, and such other DNA indices as may be specified by regulation.
Section 38 defines the permitted uses of DNA profiles and DNA samples including: identifying victims of accidents or disasters or missing persons or for purposes related to civil disputes and other civil matters and other offences or cases listed in Part I of the Schedule or for other purposes as may be specified by regulation.
Section 39 defines the permitted instances of when DNA profiles or DNA samples may be made available and include: for the creation and maintenance of a population statistics Data Bank that is to be used, as prescribed, for the purposes of identification research, protocol development or quality control provided that it does not contain any personally identifiable information and does not violate ethical norms.
Part I of the schedule lists laws, disputes, and offences for which DNA profiles and DNA samples can be used. These include, among others, the Motor Vehicles Act, 1988, parental disputes, issues relating to pedigree, issues relating to assisted reproductive technologies, issues relating to transplantation of human organs, issues relating to immigration and emigration, issues relating to establishment of individual identity, any other civil matter as may be specified by the regulations, medical negligence, unidentified human remains, identification of abandoned or disputed children.

While rejecting non-forensic use entirely, we have specific substantive and procedural objections to the provisions relating to forensic profiling in the present version of the Bill. These include:

Over delegation of powers to the board: The DNA Board currently has vast powers as delegated by Section 12 including:
“authorizing procedures for communication of DNA profiles for civil proceedings and for crime investigation by law enforcement and other agencies, establishing procedure for cooperation in criminal investigation between various investigation agencies within the country and with international agencies, specifying by regulations the list of applicable instances of human DNA profiling and the sources and manner of collection of samples in addition to the lists contained in the Schedule, undertaking any other activity which in the opinion of the Board advances the purposes of this Act.”

Section 65 gives the Board the power to make regulations for a number purposes including: “other purposes in addition to identification of victims of accidents, disasters or missing persons or for purposes related to civil disputes and other civil matters and other offences or cases lists in Part I of the Schedule for which records or samples may be used under section 38, other laws, if any, to be included under item (viii) of para B of Part I of the Schedule, other civil matters, if any, to be included under item (vii) of para C of Part I of the Schedule, and authorization of other persons, if any, for collection of non intimate body samples and for performance of non-intimate forensic procedures, under Part III of the Schedule.

Ideally these powers would lie with the legislative or judicial branch. Furthermore, the Bill establishes no mechanism for accountability or oversight over the functioning of the Board and section 68 specifically states that “no civil court shall have jurisdiction to entertain any suit or proceeding in respect to any matter which the Board is empowered by or under this Act to determine.”

The above represents only a few instances of the overly broad powers that have been given to the Board. Indeed, the Bill gives the Board the power to make regulations for 37 different aspects relating to the collection, storage, use, sharing, analysis, and deletion of DNA samples and DNA profiles. As a result, the Bill establishes a Board that controls the entire ecosystem of DNA collection, analysis, and use in India without strong external oversight or accountability.
Key terms undefined: Section 31 (5) states that the “indices maintained in every DNA Data Bank will include information of data based on DNA analysis prepared by a DNA laboratory duly approved by the Board under section 1 of the Act, and of records relating thereto, in accordance with the standards as may be specified by the regulations.”

The term’ DNA analysis’ is not defined in the Act, yet it is a critical term as any information based on such an analysis and associated records can be included in the DNA Database.
Low standards for sharing of information: Section 34 empowers the DNA Data Bank Manager to compare a received DNA profile with the profiles stored in the databank and for the purposes of any investigation or criminal prosecution, communicate the information regarding the received DNA profile to any court, tribunal, law enforcement agencies, or DNA laboratory which the DNA Data Bank Manager considers is concerned with it.

The decision to share compared profiles and with whom should be made by an independent third party authority, rather than the DNA Bank Manager. Furthermore, this provision isvague and although the intention seems to be that the DNA profiles should be matched and the results communicated only in certain cases, the generic wording could take into its ambit every instance of receipt of a DNA profile. For eg. the regulations envisaged under section 31(4)(g) may prescribe for a DNA Data Bank for medical purposes, but section 34 as it is currently worded may include DNA profiles of patients to be compared and their information released to various agencies by the Data Bank Manager as an unintentional consequence.
Missing privacy safeguards: Though the Bill refers to security and privacy procedures that labs are to follow, these have been left to be developed and implemented by the DNA Board. Thus, except for bare minimum standards and penalties addressing the access, sharing, and use of data – the Bill contains no privacy safeguards.

In our interactions with the committee we have asked that the Bill be brought in line with the nine national privacy principles established by the Report of the Group of Experts on Privacy submitted to the Planning Commission in 2012. This has not been done.

For more details visit https://cis-india.org/internet-governance/blog/dna-dissent

CIS Cybersecurity Series (Part 24) – Shantanu Ghosh

purba — 2015-07-15T14:58:50Z

CIS interviews Shantanu Ghosh, Managing Director, Symantec Product Operations, India, as part of the Cybersecurity Series.

“Remember that India is also a land where there are a lot of people who are beginning to use computing devices for the first time in their lives. For many people, their smartphone is their first computing device because they have never had computers in the past. For them, the challenge is how do you make sure that they understand that that can be a threat too. It can be a threat not only to their bank accounts, with their financial information, but even to their private lives.”

Centre for Internet and Society presents its twenty fourth installment of the CIS Cybersecurity Series.”

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

Shantanu Ghosh is the Managing Director of Symantec Product Operations, India. He also runs the Data Centre Security Group for Symantec globally.

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-24-2013-shantanu-ghosh

CIS Cybersecurity Series (Part 23) – Justin Searle

purba — 2015-07-15T14:44:38Z

CIS interviews Justin Searle, security expert, as part of the Cybersecurity Series.

"I think that people here in India, just like everywhere else, are broadening the areas where security can be applied. We see elsewhere, like in the United States and in Europe, that a lot of security researchers are starting to get into not just control systems, but also embedded devices and hardware and wireless... And we are seeing the same trends here in India as well. It is fun to see that growth and continual development, and not only that, but we are seeing security projects and research coming out of India, that's unqiue and fresh and contributing back to what originally came more from the United States and Europe."

Centre for Internet and Society presents its twenty third installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

Justin Searle is the managing partner for Utilisec. Utisix provides security services to the energy sector. They also assist oil, water, gas, and manufacturing companies. Justin specializes in security assessments and finding vulnerabilities in systems.

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/cis-cybersecurity-series-part-23-2013-justin-searle

CIS Cybersecurity Series (Part 22) - Anonymous

purba — 2015-07-13T13:40:42Z

CIS interviews a Tibetan security researcher and information activist, as part of the Cybersecurity Series. He prefers to remain anonymous.

"I don't know technology but I am aware of the information people share with me. So yes, they can track you down through your mobile phone. The last time I was in Nepal, I met a westerner. We went to this restaurant and she asked me to take the battery out of the phone. That was the first time I had heard of this and so when I asked why she said that it is possible that people had followed us and it has happened to other Tibetans in Nepal..."

Centre for Internet and Society presents its twenty second installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-22-anonymous

'IRCTC’s Aadhaar play can violate SC order and derail National Security'

praskrishna — 2015-07-07T15:10:08Z

Your online railway bookings are going to become a wee bit more difficult if they aren’t already so.

The blog entry by Shubhra Rishi was published by CIO.IN on July 1, 2015. Sunil Abraham gave his inputs.

That is, if the IRCTC makes Aadhaar card compulsory during the registration process for e-ticketing. The move, according to a recent announcement by IRCTC, will ensure that users registering on the IRCTC website are properly identified of their identity and address through the Aadhaar card number verification.

So in case, you already have an Aadhaar card, then you need not worry. For those who don't have it yet or are reluctant to apply for it, are in for a tough time.

According to Sandip Dutta, public relations officer at IRCTC, the plan, although still in the preliminary state, is to make Aadhaar compulsory which will prevent touts from further exploiting the e-ticketing platform.

IRCTC which already has around three crore registered users, adds 15,000 new registrations every day. Just to give you the scale of an IRCTC website, a 15-minute tatkal window has about 1,000,000 people trying to log on to the IRCTC website. This means a new user won't be able to book a railway ticket on the IRCTC site until he owns an Aadhaar card.

Also Read: Indian CISO don’t trust UID with their data

"This is a complete overkill and will only result in harassment of an ordinary citizen," says Sunil Abraham, executive director at The Centre for Internet & Society. "Aadhaar, he says, should be used to prevent politicians and bureaucrats from engaging in big-ticket fraud or whole-sale corruption. It should be used to make the state more accountable to citizens and not the other way around. It is unfortunate that techno-utopians are using biometric technology to fight retail corruption or small-ticket fraud.

If IRCTC makes Aadhaar mandatory for user registrations, they will be in direct violation of the Supreme Court's interim order of September 23, 2013 where it has ordered that no person should suffer for not getting the Aadhaar card in spite of the authority making it mandatory, since government says it is voluntary.

On March 24, 2014 again, the Supreme Court reiterated its earlier order of 2013 and directed all government authorities and departments to modify their forms/circulars, etc., so as to not compulsorily require an Aadhaar number. In the same order the Supreme Court also restrained the UIDAI from transferring any biometric data to any agency without the consent of the person in writing as an interim measure.

According to cyber law expert and Supreme Court Lawyer, Pavan Duggal, till the time Aadhaar has been brought to a legislative sanctity, no government agency must make it compulsory and if they do so, they will be in gross violation of the order and will be held for contempt of court. "The National Identification Authority of India Bill that intends to give statutory backing to UIDAI (introduced in Rajya Sabha in 2010) is yet to be passed by the Parliament. Aadhaar is also non-compliant with the Information Technology Act 2000," says Duggal. Aadhaar, he says, is the unwanted child that hasn't proven legitimacy yet.

The illegitimacy, which continues to prevail due to several anomalies in the UIDAI’s Aadhaar allotment process. In March this year, about 20 million people enrolled in Delhi for an Aadhaar identification number, according to Census. However, the UIDAI generated about 17.7 million unique numbers in Delhi, about a million more than the city population.

In another incident, Aadhaar numbers were assigned to adult residents in 13 of the country's 36 states, and union territories surpassed their respective population as per 2011 census figures. However, the UIDAI blames that ‘gaps’ in census evaluation may have resulted in inaccuracy of the population data.

There have also been bizarre instances in the past where some Aadhaar cards displayed pictures of an empty chair, a tree, and a dog instead of the actual applicant.

So how does it aid unscrupulous elements in misusing the flaws of the Aadhaar card system?

To start with, Aadhaar captures biometrics of a user, which is neither permanent nor immovable, says Dr. Anupam Saraph, innovator, professor and an advisor in governance, informatics and strategic planning.

"Biometrics change during the life of a person, sometimes even within a year, or without warning. Biometrics can be easily stolen, replicated or misused as has been demonstrated by instances of fingerprints and iris scans of high profile targets being hacked. The enrollment agencies that have captured the biometric have the entire demographic and biometric database in their possession and as such it can be misused or stolen. Once the biometric fails or is stolen, all the functions that have crept to link access to the biometric are denied with little or no recourse to the victim," says Saraph.

“Another benign scenario may be large scale fake bookings to make tickets pricier, the malignant scenario will be entire trains used to transfer armies of anti-nationals and terrorists. Therefore, the Railway Minister must rise to cancel any such plans," says Saraph, and the Home Minister and Defence Minister must immediately scrap the linkage of Aadhaar to any database, require that the entire UID is destroyed as was done in the UK. “This kind of compromise requires the initiation of a time-bound judicial probe by a retired CAG and Supreme Court Judge supported by the CBI to investigate the exposure of the country to serious threats to national security due to UID,” he says.

And therefore, the bigger question isn't whether Aadhaar should be made compulsory or not, but whether it is a foolproof method to validate someone's identity. If it isn’t, then why is IRCTC playing the Aadhaar card?

For more details visit https://cis-india.org/internet-governance/news/cio-july-1-2015-irctc-aadhaar-play-can-violate-sc-order-and-derail-national-security

The Digital Divide: pros and cons of Modi's latest big initiative

praskrishna — 2015-07-06T02:11:56Z

Prime Minister Narendra Modi inaugurated the Digital India (DI) initiative on 1 July, at an event attended by scores of government officials as well as industry leaders.

The blog post by Suhas Munshi was published in Catch News on July 2, 2015. Sunil Abraham is quoted.

The initiative

Digital India aims to make all citizens digitally literate. Bring e-governance to every doorstep.

Corporates have promised to invest Rs 4.5 lakh crore in the initiative.

This is greater than the total spend on all govt schemes. It is equivalent to 1/4th of the national budget.

The positives

It will be a boost to industry; both large and small enterprises.

It will ostensibly create a lot of jobs.

It's ideal if citizens can connect directly with the government.

The negatives

Will the initiative be genuinely inclusive?

How will corporates recover their costs? Will the promised investments end up as bad loans from banks?

Who will handle the personal data of so many citizens; will it be efficient?

Who will the vendors be?

Will the proposed digital lockers for official documentation be reliable?

Will the initiative give the govt a tool to conduct mass surveillance?

The alternative focus

Some experts feel the govt should concentrate on giving people access to basic necessities like water, power and sewage.

The backbone of the project, the National Optical Fibre Network, has already run into massive infrastructure issues.

The programme aims to make all citizens digitally literate and bring the internet and e-governance to all sections of the society.

Like Modi's past initiatives, this too has polarised opinion, in this case on the government's aggressive push for e-governance.

While some advise patience before arriving at a verdict, others think it isn't too early to begin celebrations.

Astronomical budget

Most of the funds for this initiative are expected to come from the private sector. The total investments promised by big corporates, according to Modi, is Rs 4.5 lakh crore.

That is an astonishing number - it is equivalent to a quarter of the country's budget.

If true, then the amount spent on this project will be way over the total money spent on all of the government's 66 central sponsored schemes.

However, India hasn't been able to deliver on the last big welfare scheme promised - the Food Security Act, two years after it was passed in Parliament.

Investments promised by corporates add up to Rs 4.5 lakh crore, which is one-fourth of India's total budget

This scheme, which is set to cost the country Rs 1.25 lakh crore, aims to provide subsidised food grains to two-thirds of the populace.

The immediate concern experts have expressed with the budget is the possible intervention of the private sector.

The big corporate houses that have promised these staggering investments, would also be looking to recover them.

"As I see it, effectively a new sector is being created for this initiative. While it is good, when the private sector comes in to support big government projects, we also have to examine what the recovery model for those investments are. Hopefully, more details about investments will be made available," said Subrata Das, Executive Director, Centre for Budget and Governance Accountability.

Boost to industry

The initiative has already received a massive thumbs up from the industry. Corporate leaders made a beeline to praise the initiative.

RIL chairman Mukesh Ambani said that with Digital India, the government has moved faster than industry. He added that Reliance Jio Infocomm will invest Rs 2,50,000 crore as part of the Digital India programme.

"Tata Consultancy Services (TCS) has partnered with the government for projects like Passport Seva and income tax e-filing, as well as state-level projects," said Cyrus Mistry, chairman of Tata Group, at the event.

Azim Premji, Wipro chairman, was quoted as saying the initiative will democratise the nation and "break down the digital divide in India".

He added that the level of skills of India's people will have to be significantly improved in order to make full use of the new initiative.

Kumar Mangalam Birla, chairman of the Aditya Birla Group, said it would leverage its Idea Cellular network of 165 million subscribers across 3,50,000 towns and villages in India to provide mobile-based healthcare and education services, as well as weather forecasting advisories and 'mandi' prices to over one million farmers.

The company will also launch a mobile wallet and payment bank as well as invest over $2 billion in the next five years in various internet-based sectors.

There seems to be a consensus on the kind of platform DI will provide to small entrepreneurs and the massive job opportunities it will create.

"Who has not heard about their computer engineer friends trying to develop a product in their spare time? These small entrepreneurs will get a lot of help if they are brought to a common platform with big companies and if lack of resources don't impede their work. Besides, as government starts to spend, there will be a severe need for hardware technicians, network operators, data entry operators," said Manish Sabharwal, chairman, Teamlease.

Rajeev Chandrasekhar, independent lawmaker in the Rajya Sabha, says DI is not only essential for the idea of 'minimum government, maximum governance', it is a big boost for the Indian IT industry.

"It is absolutely essential for good governance that as many people as possible are put directly in touch with their government. One of the biggest achievements, I think, will be in connecting 700 million people, so far sequestered, with the rest of the country. This obviously helps small entrepreneurs with launching their startups and bringing in a healthy workforce into the folds of this scheme," he said.

Many sunrise sectors before have similarly promised job growth that has not materialised. It remains to be seen how much of this euphoria plays out in concrete terms.

Privacy concerns

Therefore, while there's been a lot of positive buzz, not everyone is sold on the initiative.

Concerns are being raised about the handling of personal data of so many citizens.

There is a question about the reliability of the digital lockers in which all citizens will have their official documentation, and the anxiety of the data falling into the wrong hands.

"Of course, the concern with respect to privacy is legitimate and urgent.

Since the data the government will collect will be very large in terms of volume and can be misused, the reliability of the government's systems will have to be quite high.

So let's wait to see the nuts and bolts of the programme," said Apar Gupta, a senior lawyer specialising in information technology.

According to Reetika Khera, associate professor, economics at IIT Delhi, applications like digital lockers will make it easier for government to conduct mass surveillance.

There are questions over the reliability of digital lockers and about data falling into the wrong hands

"Programmes like Aadhar, digi-locker, central monitoring system (of mobile calls) etc are creating and enabling a massive surveillance infrastructure in India that will put NSA's PRISM, XKeyScore etc to shame.

"For instance, if Aadhaar is linked to your mobile number, bank account, travel details, the government can build a profile of each person at the click of a mouse. This is especially worrying because data protection and privacy laws are weak or non-existent," she said.

Sunil Abraham, executive director of Bangalore-based research organisation Centre for Internet and Society, also agrees with the concerns but is optimistic about the safeguards being put in place.

"There is a very mature draft of the Privacy Bill at the Department of Personnel and Training which will hopefully be introduced into Parliament after some rounds of public consultation and feedback.

"This, along with appropriate architectural and technological changes to e-governance services, will mitigate privacy concerns," said Abraham.

Misplaced priorities?

Then there is an argument that the less-privileged sections of society may need basic social services before they're considered for internet inclusion.

"What is true at the ground is that many people still don't have access to basic services, so while I think this is a good initiative, it should be part of our medium-term strategy.

"To begin with, we should focus on setting up basic infrastructure and extending water, power and sewer lines to most of the country," said Amitabh Kundu, retired JNU professor, who's advising the government on various projects.

Apar Gupta wonders how the government intends to bring people who are semi-literate, with no access to internet, within the fold of this e-governance project.

"Extending social welfare schemes to this section of people solely through digital medium is not viable," he said.

Some feel that the whole DI initiative is a mass-scale feel-good exercise. The argument is that using technology to 'uplift' the masses isn't a new idea, and is introduced periodically, and turns out to be largely ineffective.

"From the looks of it, this initiative seems to be nothing but techno-optimism. There is a belief that new technologies will, by themselves, transform the social world, but this doesn't happen.

"Techno-optimism, which we have seen before, is no different to traditional forms of governance, and over time, turns out to be nothing but a public relations exercises. An exercise to make governance visible to masses," said Ravi Sundaram, professor at the Centre for the Study of Developing Societies (CSDS).

Infrastructure issues

A project of this ambition and magnitude is bound to run into difficulties and, just a day after the launch, The Indian Express reported that the National Optical Fibre Network, the backbone of the initiative, is way behind schedule.

The project was supposed to be completed by December 2016. Initially, the 2014-15 target was to execute the work for one lakh gram panchayats, which was later halved to 50,000.

However, up until March 2015, only about 20,000 gram panchayats have been covered.

The primary problem is the cascading delays faced by central agencies, and when the active intervention of states was sought, 'right of way' charges have become the bone of contention.

Lack of contractors to do specialised work is also turning out to be an issue.

Thus, it won't be a stretch to say that while the initiative sounds like a great thing, doubts over its proper execution will continue till there is some concrete success to show for it.

For more details visit https://cis-india.org/internet-governance/news/catch-news-july-2-2015-the-digital-divide-pros-and-cons-of-modi-s-latest-big-initiative