Centre for Internet and Society

IETF 105

Admin — 2019-08-13T01:38:36Z

Gurshabad Grover attended a meeting of the Internet Engineering Task Force (IETF), IETF105, held in Montreal from July 20 - 26.

Gurshabad participated in several IETF working group meetings, IRTF researchgroups meetings and other sessions, including ones on Captive Portals,Transport Layer Security, Applications Doing DNS, DNS Privacy, andSoftware Updates for IoT Devices. At the meeting of the Human Rights Protocol Considerations (hrpc) research group of the IRTF, I co-presented (with Niels ten Oever) an update to the Internet Draft we are editing, 'Guidelines for Human Rights Protocol and Architecture Considerations'. For more info, click here

For more details visit https://cis-india.org/internet-governance/news/ietf-105

IETF 104 Prague

Admin — 2019-04-12T01:04:47Z

Karan Saini and Gurshabad Grover participated in IETF 104 organized by IETF in Prague from 23rd March to 29th March 2019.

Karan Saini:

Attended and scribed for the Privacy Enhancements and Assessments Proposed Research Group (PEARG) session.
Attended and made interventions in the Stopping Malware and Researching Threats (SMART RG) research group session.
Attended: DNS Over HTTPS (DOH), Domain Name System Operations (DNSOP), Transport Layer Security (TLS) and Authentication and Authorization for Constrained Environments (ACE WG) group sessions
Attended side meetings: Public Interest Technology (PITG) and Web Packaging (webpack)

Gurshabad Grover:

Attended and made interventions in the Captive Portals (capport) and Registration Protocols Extensions (regext) working groups. Also attended the meetings of the Transport Layer Security (TLS), DNS Privacy, and DNS over HTTPS (DoH) working groups and the Privacy Enhancements and Assessments Proposed Research Group (PEARG). Additionally, attended the Public Interest Technology Group (PITG) and Centralisation of DNS Services side meetings.
At the meeting of the Human Rights Protocol Considerations (HRPC) research group, I presented an update to draft-irtf-hrpc-guidelines ('Guidelines for Human Rights Protocol and Architecture Considerations'), which I am co-editing with Niels ten Oever.
At the IETF Hackathon, I explored the use of differential privacy for privacy-preserving latency measurement in the QUIC protocol (with Amelia Andersdotter and Shivan Kaul Sahib). We will continue the research to see whether differential privacy techniques are viable/useful for IETF protocols.
Attended and made interventions in the Captive Portals (capport) andRegistration Protocols Extensions (regext) working groups. Also attended the meetings of the Transport Layer Security (TLS), DNS Privacy, and DNS over HTTPS (DoH) working groups and the Privacy Enhancements and Assessments Proposed Research Group (PEARG). Additionally, attended the Public Interest Technology Group (PITG) and Centralisation of DNS Services side meetings.
At the meeting of the Human Rights Protocol Considerations (HRPC)research group, I presented an update to draft-irtf-hrpc-guidelines('Guidelines for Human Rights Protocol and ArchitectureConsiderations'), which I am co-editing with Niels ten Oever.
At the IETF Hackathon, I explored the use of differential privacy forprivacy-preserving latency measurement in the QUIC protocol (with Amelia Andersdotter and Shivan Kaul Sahib). We will continue the research to see whether differential privacy techniques are viable/useful for IETF protocols.

For more information visit IETF website

For more details visit https://cis-india.org/internet-governance/news/ietf-104-prague

IETF 102 Montreal

Admin — 2018-08-01T22:42:31Z

The Internet Engineering Task Force (IETF) organized IETF 102 Montreal at Fairmont Queen Elizabeth Montreal in Canada from July 14 - 20, 2018. Gurshabad Grover participated remotely in the meetings of several Working Groups.

Meeting agenda of IETF102: https://datatracker.ietf.org/meeting/agenda

On July 19, in the meeting of the Human Rights Protocol Considerations (HRPC) Research Group, Gurshabad presented a review of the human rights considerations in the drafts of the Software Update for IoT Devices (SUIT) Working Group. His presentation was based on the review written by him and Sandeep Kumar, which is archived here.

Agenda of the HRPC session @ IETF102: https://datatracker.ietf.org/meeting/102/materials/agenda-102-hrpc-05

For more details visit https://cis-india.org/internet-governance/news/ietf-102-montreal

IDRC - Open Development Book - Authors' Workshop

praskrishna — 2017-03-29T03:47:14Z

Sumandro Chattapadhyay participated in the authors' workshop organized by the International Development Research Centre (IDRC) and the Centre for Innovation in Learning and Teaching at the University of Cape Town in South Africa on March 11 and 12, 2017.

The workshop gathered the contributers to an upcoming book by IDRC on open development. This volume will continue, extend, and reflect back on the previously published "Open Development: Networked Innovations in International Development" (Edited by Matthew L. Smith and Katherine M. A. Reilly). Elonnai Hickok, Gus Hosein from Privacy International and Sumandro Chattapadhyay are writing a chapter for this book that is tentative titled as "Six Principles for Openness and Privacy in the Time of Data Revolution".

This chapter will bring together personal and institutional experiences from policy advocacy and grounded practice in open data and privacy across the “South” and the “West” to discuss a potential framing of these two concerns as not opposing but complimentary rights. We locate this discussion of openness and privacy within the context of the ongoing “data revolution”, and propose six principles towards engaging with present and future challenges in generation and management of, innovation with, and reliance on data as an economic and social resource.

For more details visit https://cis-india.org/openness/news/idrc-open-development-book-authors-workshop

Identity of the Aadhaar Act: Supreme Court and the Money Bill Question

Vanya Rakesh and Sumandro Chattapadhyay — 2016-05-09T11:52:44Z

A writ petition has been filed by former Union minister Jairam Ramesh on April 6 challenging the constitutionality and legality of the treatment of this Act as a money bill. The Supreme Court heard the matter on April 25 and invited the Union government to present its view. It is our view that the Supreme Court can not only review the Lok Sabha speaker’s decision, but should also ask the government to draft the Aadhaar Bill again, this time with greater parliamentary and public deliberation. Vanya Rakesh and Sumandro Chattapadhyay wrote this article on The Wire.

Published by and cross-posted from The Wire.

The Aadhaar Act 2016, passed in the Lok Sabha on March 16, 2016, faced opposition ever since it was tabled in parliament. In particular, the move to introduce it as a money bill has been vehemently challenged on grounds of this being an attempt to bypass the Rajya Sabha completely. A writ petition has been filed by former Union minister Jairam Ramesh on April 6 challenging the constitutionality and legality of the treatment of this Act as a money bill. The Supreme Court heard the matter on April 25 and invited the Union government to present its view.

It is our view that the Supreme Court can not only review the Lok Sabha speaker’s decision, but should also ask the government to draft the Aadhaar Bill again, this time with greater parliamentary and public deliberation.

The money bill question

M.R. Madhavan has argued that the Aadhaar Act contains matters other than “only” those incidental to expenditure from the consolidated fund, as it establishes a biometrics-based unique identification number for beneficiaries of government services and benefits, but also allows the number to be used for other purposes beyond service delivery. While Pratap Bhanu Mehta calls this a subversion of “the spirit of the constitution”, P.D.T. Achary, former secretary general of the Lok Sabha, expressed concern about the attempts to pass off financial bills like Aadhaar as money bills as a means to circumvent and erode the supervisory role of the Rajya Sabha. Arvind Datar has further emphasised that when the primary purpose of a bill is not governed by Article 110(1), then certifying it as a money bill is an unconstitutional act.

Article 110(1) of the Constitution identifies a bill as a money bill if it contains “only” provisions dealing with the following matters, or those incidental to them:

imposition and regulation of any tax,
financial obligations undertaken by Indian Government,
payment into or withdrawal from the Consolidated Fund of India (CFI) or Contingent Fund of India,
appropriation of money and expenditure charged on the CFI or receipt, and
custody, issue or audit of money into CFI or public account of India.

However, the link of the Act with the Consolidated Fund of India is rather tenuous, since it depends on the Union or state governments declaring a certain subsidy to be available upon verification of the Aadhaar number. The objectives and validity of the Act would not actually change if the Aadhaar number no longer was directly connected to the delivery of services. The use of the word “if” in section 7 explicitly leaves scope for a situation where the government does not declare an Aadhaar verification as necessary for accessing a subsidy. In such a scenario, the Act will still be valid but without any formal connection with any charges on the Consolidated Fund of India.

A case of procedural irregularity?

The constitution of India borrows the idea of providing the speaker with the authority to certify a bill as money bill from British law, but operationalises it differently. In the UK, though the speaker’s certificate on a money bill is conclusive for all purposes under section 3 of the Parliament Act 1911, the speaker is required to consult two senior members, usually one from either side of the house, appointed by the committee from amongst those senior MPs who chair general committees. In India, the speaker makes the decision on her own.

Although article 110 (3) of the Indian constitution states that the decision of the speaker of the Lok Sabha shall be final in case a question arises regarding whether a bill is a money bill or not, this does not restrict the Supreme Court from entertaining and hearing a petition contesting the speaker’s decision. As the Aadhaar Act was introduced in the Lok Sabha as a money bill even though it does not meet the necessary criteria for such a classification, this treatment of the bill may be considered as an instance of procedural irregularity.

There is ample jurisprudence on what happens when the Supreme Court’s power of judicial review comes up against Article 122 – which states that the validity of any proceeding in the parliament can (only) be called into question on the grounds of procedural irregularities. In the crucial judgment of Raja Ram Pal vs Hon’ble Speaker, Lok Sabha and Others (2007), the court evaluated the scope of judicial review and observed that although parliament is supreme, unlike Britain, proceedings which are found to suffer from substantive illegality or unconstitutionality, cannot be held protected from judicial scrutiny by article 122, as opposed to mere irregularity. Deciding upon the scope for judicial intervention in respect of exercise of power by the speaker, in Kihoto Hollohan vs Zachillhu and Ors. (1992), the Supreme Court held that though the speaker of the house holds a pivotal position in a parliamentary democracy, the decision of the speaker (while adjudicating on disputed disqualification) is subject to judicial review that may look into the correctness of the decision.

Several past decisions of the Supreme Court discuss how the tests of legality and constitutionality help decide whether parliamentary proceedings are immune from judicial review or not. In Ramdas Athawale vs Union of India (2010), the case of Keshav Singh vs Speaker, Legislative Assembly (1964) was referred to, in which the judges had unequivocally upheld the judiciary’s power to scrutinise the actions of the speaker and the houses. It was observed that if the parliamentary procedure is illegal and unconstitutional, it would be open to scrutiny in a court of law and could be a ground for interference by courts under Article 32, though the immunity from judicial interference under this article is confined to matters of irregularity of procedure. These observations were reiterated in Mohd. Saeed Siddiqui vs State of Uttar Pradesh (2014) and Yogendra Kumar Jaiswal vs State of Bihar (2016).

Thus, the decision of the Lok Sabha speaker to pass and certify a bill as a money bill is definitely not immune from judicial review. Additionally, the Supreme Court has the power to issue directions, orders or writs for enforcement of rights under Article 32 of the constitution, therefore, allowing the judiciary to decide upon the manner of introducing the Aadhaar Act in parliament.

National implications demand public deliberation

As the provisions of the Aadhaar Act have far reaching implications for the fundamental and constitutional rights of Indian citizens, the Supreme Court should look into the matter of its identification and treatment as a money bill and whether such decisions lead to the thwarting of legislative and procedural justice.

The Supreme Court may also take this opportunity to reflect on the very decision making process for classification of bills in general. As Smarika Kumar argues, experience with the Aadhaar Act reveals a structural concern regarding this classification process, which may have substantial implications in terms of undermining public and parliamentary deliberative processes. This “trend,” as Arvind Datar notes, of limiting legislative discussions and decisions of national importance within the space of the Lok Sabha must be swiftly curtailed.

Apart from deciding upon the legality of the nature of the bill, it is vital that the apex court ask the government to categorically respond to the concerns red-flagged by the Standing Committee on Finance, which had taken great exception to the continued collection of data and issuance of Aadhaar numbers in its report, and to the recommendations passed in the Rajya Sabha recently. Further, the repeated violation of the Supreme Court’s interim orders – that the Aadhaar number cannot be made mandatory for availing benefits and services – in contexts ranging from marriages to the guaranteed work programme should also be addressed and responses sought from the Union government.

Evidently, the substantial implications of the Aadhaar Act for national security and fundamental rights of citizens, primarily privacy and data security, make it imperative to conduct a duly balanced public deliberation process, both within and outside the houses of parliament, before enacting such a legislation.

For more details visit https://cis-india.org/internet-governance/blog/identity-of-the-aadhaar-act-supreme-court-and-the-money-bill-question

Identity and Databases

praskrishna — 2014-08-07T08:32:16Z

The Centre for Internet and Society (CIS) and the Say No to UID Campaign invite you to a discussion identity, databases and facilitating technologies that explores the use of personal identifiers across databases and the potential violations of privacy on August 9, 2014 (10.30 a.m. to 1.00 p.m.) at the CIS office in Bangalore.

The discussions will specifically focus on the UID and the NPR and seek to answer:

What information is being collected and databased by each scheme?
What type of technology is needed to collect and database this information?
How and where is this information being databased?
What are the potential risks to the databasing of this information?
Are there legal safeguards protecting against misuse of this information, and if not, what safeguards are needed?
Is there a difference between the state collecting, storing, and using this information and a private entity?

For more details visit https://cis-india.org/events/identity-and-databases

Identifying Aspects of Privacy in Islamic Law

Vidushi Marda and Bhairav Acharya — 2015-01-01T14:04:44Z

This white paper seeks to identify aspects of privacy in Islamic Law and demonstrate that the notion of privacy was recognized and protected in traditional Islamic law.

I. Introduction

The nuances of privacy have been deliberated by numerous scholars till date, without arriving at a definite answer. It has been perceived as a right to be left alone, as mere secrecy, as the right to a legitimate area of seclusion and solitude. Privacy is a particularly nebulous concept, with a tendency of resting on intuitionist arguments. However, finding refuge in intuitionist arguments has not lent to a clear understanding of the term itself. This presents a peculiar predicament; while privacy is demanded, nobody seems to have a clear understanding of what it truly means. Daniel Solove opines that privacy is a concept in disarray, it is about everything and hence it seems to be about nothing. Solove finds agreement in a variety of literature, where privacy has been described as a "chameleon-like word", a term suffering from an "embarrassment of meanings", a "powerful rhetorical battle cry".

Traditional notions such as bodily privacy, privacy within one's home, or privacy resulting out of private property are received with far less scepticism than more recent aspects of privacy. With the burgeoning increase in information exchange, the ambit of privacy concerns is widened but not always understood. While earlier notions of privacy confined themselves to physical intrusions, it is now possible to invade a person's privacy without physically intruding on their space. As capabilities to intrude on privacy increase, the demand for respecting privacy grows stronger. In their historic article, Warren and Brandeis referred to privacy as an incorporeal notion, referring to cases of defamation, proprietary harms, contractual harms, breach of confidence to conclude that all such cases belonged to an umbrella principle of the right to privacy.

I.II Aspects of Privacy

William Prosser, a torts scholar, in 1860 attempted to classify privacy comprehensively. He contemplated four kinds of activities as impinging on a person's privacy. They were
1. Intrusion upon the plaintiff's seclusion or solitude, or into his private affairs.
2. Public disclosure of embarrassing private facts about the plaintiff.
3. Publicity which places the plaintiff in a false light in the public eye.
4. Appropriation, for the defendant's advantage, of the plaintiff's name or likeness.
While this classification lent some structure to the understanding of privacy, it restricted itself to only tort law.

A wider taxonomy was offered by Daniel Solove, imbibing concerns of digital privacy and information technology. Focussing on activities that invade privacy, Solove argued that information collection, aggregation of information, dissemination of such aggregated information and invasion into people's private affairs are the aspects integral to understanding the privacy concerns of a data subject.

In its policy paper on privacy in India, the Data Security Council of India (DSCI) recognised privacy issues in the context of e-commerce, transactional privacy, cyber crime, national security, and cross border data flows. Similarly the Department of Personnel and Training (DoPT) in 2011 focussed on understanding privacy in the context of data protection and surveillance. Subsequently, in 2012, the Planning Commission of India set up the A.P. Shah Committee to look into issues of data protection. This Committee classified the dimensions of privacy into four main categories; interception and access, audio and video recording, access and use of personal identifiers, and bodily and genetic material.

The classification of privacy for the purpose of this paper is under the heads of bodily privacy, informational and communications privacy, and territorial and locational privacy. Bodily privacy stems from the notion of personal autonomy and inviolate personality. Battery, rape, voyeurism are all examples of the recognition of the need to protect the privacy of one's body. Communications and informational privacy refers to the protection of sensitive personal information, specific communications and private conversations. Interception of messages, spying, hacking or tapping phone lines are all activities that impinge on privacy under this head. India's ambitious biometric project, Aadhar, has brought to the fore concerns surrounding personal information. Territorial privacy is developed from the notion of private property, the tort of trespass being ample recognition of the same.

I.III Is India a Private Nation?

In October, 2010, the government published an approach paper for legislation on privacy. In explaining the need for privacy legislation in India, the paper states,

"India is not a particularly private nation. Personal information is often shared freely and without thinking twice. Public life is organized without much thought to safeguarding personal data. In fact, the public dissemination of personal information has over time, become a way of demonstrating the transparent functioning of the government."

The notion of privacy being a foreign construct carves the argument that legislation on privacy would mean subjecting India to an alien cultural value. However, this ignores the possibility of privacy being culturally subjective. Cultures have exhibited different measurements by which they measure public and private realms. This paper aims to demonstrate that while the word "privacy" does not find explicit reference in traditional Indian law, the essence of privacy as we understand it today has existed in traditional Indian culture, specifically Indian Islamic culture, pre-dating colonialism in India and modernity in India's legal system.

I.IV Displacement of traditional Indian Law

Contemporary Indian law functions within a rubric that was constructed after the "expropriation" of traditional law. India's colonial legacy rendered the displacement of traditional Indian law with a unified modern legal system abounding in European ideas of modernity and legal systems, leaving it is a state of "fractured modernity". Before the British rule, Indians were governed by their personal laws and these laws did not aim to unify the nation in ways that Western legal systems did.. The decision to establish a modern legal system stemmed from the desire to administer the law as a function of the state, which would have been impractical at best in the absence of a unified legal system.

Edward Said eloquently states that the colonial experience does not end when the last European flag comes down or when the last white policeman leaves. One cannot help but agree with Said, as the understanding of law in contemporary India is constructed on the principles of the English common law and on ideas of a modern legal system. While the word "privacy" does not arise in traditional law, this paper argues that the notions of privacy as we perceive it today did exist hitherto the modernization of India's legal system.

I.V Structure of the paper

While Part I has laid down the foundation of this paper and the arguments it endeavours to make, Part II explains the sources of Islamic law and attempts at locating privacy in them. It also explains certain pervasive concepts that will enhance an understanding of privacy in Islamic law. This paper restricts itself to Sunni Islamic law. Part III gives an indication of privacy rights in India's neighbouring Islamic countries (both predominantly Sunni), Pakistan and Bangladesh; and highlights the legal framework for privacy in these countries.

II. Privacy in Islamic Law

II.I Sources of Islamic Law

Before locating aspects of privacy in Islamic Law, an understanding of its structure and sources will be helpful. Islamic Law is composed of Shariah, and fiqh. Shariah indicates the path a faithful Muslim must undertake to attain guidance in the present world and deliverance to the next. Fiqh, the jurisprudence of Islam, refers to the rational understanding of Shariah and human reasoning to appreciate the practical implications of Islam. While Shariah is divine revelation, fiqh is the human inference of Shariah.

The principle tenet of Islam is unwavering obedience to the teachings of God. According to Muslim belief, the Quran is the divine communication from Allah to the Prophet of Islam. It is the foremost record of the word of God, and for this reason is considered the apex source of Islamic law. It is in the Quran that basic norms of Shariah are found, and it embodies the exact words of God as was revealed to the Prophet over a period of 23 years. Fiqh, or the understanding of Shariah, also finds its origins in the holy Quran.

The Sunnah or Prophetic traditions are the ingredients for the model behaviour of a Muslim as demonstrated by the Prophet. It is a "way, course, rule, mode, or manner, of acting or conduct of life." The Sunnah were compiled through the communications of Prophet Muhammad in the form of Hadiths which are communications, stories or conversations; and may be religious or secular; historical or recent. The narrators of the Hadith are known as "isnad" who convey the "matn" or the substance of the Prophet's actions or words as narrated through oral communications through the years. Due to its very nature, the accuracy of the Sunnah came under considerable scrutiny, with concerns as to its possible fabrication and dilution. However, with a well devised system of recording and verifying sources, the Sunnah accompanies the imperative source of Islamic law, the Quran.

The other sources of Islam are found in human reasoning, or ijtihad. Ijtihad assumes a variety of secondary sources such as analogical reasoning (Qiyas), unanimous consensus (Ijma), decisions in favour of public interest (isthihsan), and presumption of continuity (istishab).
Ijtihad entails a resilient effort; an exertion in interpreting the primary sources in order to understand Shariah, to infer the law which is not explicit or evident. The legitimacy of Ijma is found in the Prophetic tradition, which states that the followers of Islam would never agree on an error, and will never unite on misguidance.

The Quran and Sunnah lie at the pinnacle of Islamic jurisprudence and their authoritativeness lends a ready inference of legal principles derived from them. In exploring the concept of Privacy in Islamic Law, this paper will focus mainly on the material available in the Quran and Sunnah.

II.II The Public and Private in Islam

According to the doctrine of Shariah, every aspect of life is deemed to be private unless shown otherwise. The public sphere is that in which governmental authority operates, making it both transparent and open to scrutiny and observation. Since its inception, Islam has considered the idea of governance with reasonable scepticism, ascribing to the view that there is no concept of a human ruler beyond reproach. This perhaps gave impetus to the idea of a private sphere as one that is inhabited exclusively by an individual and the divine, excluding any interference of the State; except with permission from religious law. In Islamic belief, a pious individual had submitted himself to God, and not the worldly State. Hence, all aspects of his life will align with the tenets of Islamic law and in pursuance with the will of God. Any failure to perform religious duties on the part of a Muslim is beyond the scope of another; it is only a consideration between him and the divine. It is believed that the Prophet said, "Those, who acknowledge God in words, and not at heart, do not find fault with their fellow Muslims. The wrongdoing of those who do so become the subject of God's scrutiny, and when God looks into someone's wrongdoing then all shall be truly exposed" The individual is bestowed with complete freedom of action in the private sphere, subject only to the will of the divine. To govern another is wholly beyond the capacity of any individual, and this forms a pervasive theme in Islamic jurisprudence.

Islamic Law recognizes that it is inevitable for every society to impose certain requirements on individuals both by the law and by societal norms. In respect of a public domain, Islam prescribes an amalgam of requirements of a Muslim community and the teachings of Islam. While committing sins in private is beyond the scope of public or governmental scrutiny, committing a sin in public amounts to a crime, meriting worldly punishment.

Islamic law provides for an individual's obligations to the divine at all times, and to the state in matters within the public domain. This is the most striking difference between Islamic law and modern law, as the function of enforcement of the law and punishment are forfeited to the state in a modern legal system, by virtue of the social contract. However, in Islamic societies, the concept of social contract does not exist. Instead, an individual's obligations lie to the state only if acts meriting worldly punishment occur in the public sphere. It is this distinction in the obligations of individuals that leads to conflicts between the application of Islamic law and modern law.

The Quran is replete with rules for all believers to ordain good and forbid evil (al-amrbi al-Ma'rufwa al-nahy 'an al-munkar'). This divine injunction is a restriction of freedom in the private sphere. The notion of privacy in the public sphere was tested through the office of the muhtasib, or compliance officer. These officers were appointed to ensure that the quality of life is preserved in Islamic societies. Personal or private matters which were visible in the public realm were liable to scrutiny from the muhtasib as well. However, this does not extend to matters such as surveillance and spying even on the authority of the state. The Prophet, according to the hadith of Amir Mu'awiyah remarked, " If you try to find out the secrets of the people, then you will definitely spoil them or at least you will bring them to the verge of ruin." In fact, modern jurists admonish the idea of surveillance as "exactly what Islam has called as the root cause of mischief in politics."

II.III. Privacy in Islamic Law

Bodily Privacy

The sanctity of one's bodily privacy is well recognised in Islamic Law. The Quran (24:58) demarcates certain periods in a day which are times of privacy for an individual, and indicates the need for prior permission before one may enter the private sphere of another. These periods are before the prayer at dawn, during the afternoon where one rests, and after the night prayer. This verse also calls upon children who have not yet reached the age of puberty to get accustomed to asking for permission before entering rooms apart from their own.

As far as bodily seizure of individuals accused of crimes goes, the Traditions indicate a general disinclination towards pre-adjudication restraint of individuals. The very occurrence of it appears to be a cause of discomfort as recorded in the Traditions. One of the Prophet's closest companions, Umar, is believed to have encourages officials to speed up adjudication processes so that the accused could not be deprived of the comfort of their homes and families.

bodily privacy and modesty

Although the Quran stipulates gender equality, the norms of bodily privacy and modesty applicable to men are far less rigorous than the rules of modesty that apply to women. While staring is not contemplated as a crime in modern jurisdictions, the Quran directs "believing men to lower their gaze and be modest." At the same time, it directs women to adhere to strict rules of clothing and conduct, with directions on how to conduct oneself both in private as well as public. Interestingly, with the use of full-body scanners at airports around the world, the bodily privacy of Muslims came to the forefront with several Muslim scholars opining that such use of scanners was in direct violation of the tenets of Islam. According to the Quran, the modesty of a Muslim woman is an indication of her faith.

Communication and Informational Privacy

Privacy is, in many ways, inextricably linked to the notions of personal autonomy, and inviolate personality. Privacy in matters apart from those concerned with proprietary interests was only developed as a legal idea around the ninth century, although the Quran made ample references to it. Whilst the term "privacy" is not directly alluded to in the Quran, it contains verses emphasizing the importance of respecting personal autonomy. The Quran (49:12) rebukes those who wish to pry into matters which do not concern them, or harbour suspicions in respect of others, conceding that some suspicions can even be considered crimes. This implies an injunction against investigation; which complements the prohibition of circulation of information pertaining to an individual's private sphere (24:19). According to this verse, publication of immorality is desirous of punishment. A reasonable conclusion from the reading of these verses is that the Quran mandates respect for the private sphere, guaranteeing that a faithful believer will not violate it. The Prophet is reported to have said that non interference of individuals in matters that do not concern them is a sign of their good faith. Interestingly, the injunction against unwarranted search is for all members of a Muslim community, not just followers of Islam. An extension of the concept of informational privacy is the privacy of one's opinion, which is believed to be beyond reproach regardless of its contents. Deeds in the public sphere can be subject to worldly punishment, but thoughts and opinions everywhere, are not subject to it.

The Sunnah have also emphasized on privacy in communications. The Prophet once said, "He, who looks into a letter belonging to his brother, looks into the Hellfire" , indicating that private communications shall enjoy their privacy even in the public domain. This is evident from another saying of the Prophet,"Private encounters result in entrustment", which entails a restriction on communications arising out of private meetings.

Territorial Privacy

Domestic privacy is considered an important facet of Islamic life and this idea pervades different aspects of Shariah. Privacy in regard to proprietary interests was in fact the first legal conception of privacy recognised by Muslim jurists. The Quran (24:27-8) forbids entering another's house in lieu of permission to do the same. It seeks to ensure that a person visiting another's house is welcome in that house; reminding individuals of their rights during such visits. Further, the Quran (2:189) envisions visits made to other's houses only through the front door, indicating respect and transparency in visiting another's dwelling place. Muslim scholars are of the opinion that such rules were laid down in order to safeguard one's private sphere; to allow people to modify their behaviour to accommodate a visitor in a private domain. Clarifying the reasons for such rules, a jurist offered the following explanation, "The first greeting is for the residents to hear the visitor, the second is for the residents to be cautious( fa-ya khudhu hidhrahum),and the third is for them to either welcome the visitor or send him away."

Privacy in the domestic sphere extends to both physical privacy as well as intangible privacy. The Prophet opined that if one's gaze has entered into a private home before his body does, permission to enter the home would be redundant. This follows from the idea that if a person curiously peeps into another's home, it is equivalent to him entering it himself. The right to privacy is extended to absolve the home owner of any guilt in the event of attack on the intruder. Curiously, the right to privacy within one's home is extended to privacy in respect of sinful behaviour within his private sphere; the accountability of a Muslim to his fellow humans is only to be discerned in respect of his public actions. This is illustrated by an interesting story in the Hadith of Umar ibn al-Khattab. Khattab climbed the wall of a house on the suspicion of wine being consumed within the premises. On his suspicion being confirmed, he chided them for their conduct. They then reminded him that while he pointed out their sins, he himself was guilty of three sins; spying on them, failing to greet them and also not approaching their house through the front door. He agreed with them and walked away.

The rationale behind recognising privacy in the domestic sphere is not just illegal intrusion into one's physical space; it is also intrusion into matters of sensitivity which widens the scope for privacy in Islamic Law.

III Privacy in Shariah Based States

Locating aspects of privacy is Shariah-based states is particularly challenging due to the duality of obligations that exists in their legal framework. While Islamic law focuses on obligations of individuals to the divine in all affairs and the state only in public matters, legal obligations in modern states are understood vis-à-vis the state only. The incorporation of Islam into these modern legal systems represents the attempt at reconciling two distinct sources of law. This Part will consider the legal frameworks for privacy in Pakistan and Bangladesh.

III.I Pakistan

Islamic law has had a profound impact on the legal system of Pakistan. This Islamic Republic integrates Shariah law into its common law system, as is evident from Article 227(1) of the 1973 Constitution of Pakistan ("the 1973 Constitution"). It reads, " All existing laws shall be brought in conformity with the Injunctions of Islam as laid down in the Holy Quran and Sunnah, in this Part referred to as the Injunctions of Islam, and no law shall be enacted which is repugnant to such injunction". In addition to the Constitutional safeguards, General Zia-ul-Haq, between 1977 and 1988 provided great impetus to Pakistan's process of incorporating Islam into its common law system through the establishment of appellate religious courts and also enactment of the Hudood criminal law, which was consequently criticized for being discriminatory and arbitrary.

Constitutional Provisions

Enshrined in the 1973 Constitution is the fundamental right of persons not to be subject to any action detrimental to the life, liberty, body, reputation or property. While referring to the rights of individuals, Article 4(1) lays down, "To enjoy the protection of law and to be treated in accordance with law in the inalienable right of every citizen. Wherever he may be, and of every other person for the time being within Pakistan." While aspects of privacy can be read into this Article quite emphatically, the 1973 Constitution explicitly recognises the right to privacy, dignity and the inviolability of persons in Article 14(1),"The dignity of man, subject to law, the privacy of home, shall be inviolable". The sanctity of these rights is vigorously upheld as laws inconsistent with fundamental rights are declared to be void to the extent of their inconsistency.

Bodily Privacy

The 1973 Constitution recognises the fundamental right of persons not to be subject to any action detrimental to the life, liberty, body, reputation or property. The Pakistan Penal Code (Act XLV of 1860) refers to the protection of privacy of women in Section 509, upholding the modesty of women.

Communications and Informational Privacy

The Pakistan Telecommunication (Re-organisation) Act 1996 enables investigating authorities under the Act to take cognizance of illegalities in communications. These authorities submit their reports to the courts, ensuring the accountability of such events, as well as legitimising search and seizure in pursuance of intercepted communications. The Act also makes arrangements for authorised interception of communications in cases of national security, although the wide and sweeping powers bestowed under this Section are a cause for concern. Moreover, any person causing annoyance to another through a telephone is liable to criminal punishment under the Telegraph Act, 1885.

Medicaland Financial information is recognised as a unit of privacy in the legal system of Pakistan. The delicate balance between transparency of government action and extent of privacy of information is struck in the Freedom of Information Ordinance, which exempts divulging information regarding personal privacy of individuals, private documents and financial privacy.

As far as digital privacy is concerned, the law in Pakistan is still at a nascent stage. In 2000, Pakistan implemented the National Information Technology Policy and Action Plan, which provided for confidentiality of transactional information. In 2002, an Electronic Transactions Ordinance was passed with a view to recognise and protect electronic transactions, setting up a framework within which privacy of information can be guaranteed and authenticity can be verified. There is no devoted law on data protection yet, although a Draft Electronic Data Protection Bill was published by the Ministry of Information in 2005.

Territorial and Locational Privacy

Akin to notions of privacy of the home in Islamic law, criminal trespass is a punishable offence under the Pakistan Penal Code. Pakistan has an unfortunately intimate relationship with terrorism. The Anti Terrorism Act of 1997 incorporates some provisions which raise concerns as to the sanctity of individual privacy. The Act allows an officer of police, armed forces or civil armed forces to enter and search any premise, and to seize any property they suspect to be connected to a terrorist act, without a warrant. Perhaps what is more worrying is that the entry of an officer is not subject to review, unlike in other Islamic countries like the United Arab Emirates. The trade off between personal liberties and national security is acutely felt in Pakistan, with intelligence agencies carrying on mass surveillance, without any legal framework providing for the same.

III.II Privacy in Bangladesh

Bangladesh identifies itself as a secular nation, although Islam is the state religion. The Constitution of Bangladesh uses the word privacy in the context of both territorial and communications privacy.

Bodily Privacy

The Bangladesh Penal Code, similar to Pakistan's, contains a section guaranteeing the bodily privacy of a woman and prohibiting any form of outraging her modesty. It criminalises assault, and also provides for private defence in case of assault.

Communications Privacy

The privacy of communications is subject to interception for the purpose of public safety, as envisaged in the Telegraph Act, 1885. It also contains provisions regarding unlawful interception of messages, as well as tampering or damaging communications. The Telecommunications (Amendment) Act 2006 gives the police sweeping powers to intercept mobile communications as well. However, a notice was issued to the government after this amendment to demonstrate its legality. Bangladesh also has the Right to Information Act, 2009 to promote transparency in governance, although it has a considerable number of agencies exempt from the Act as well. Provisions for cyber crime are enshrined in the Information and Communication Technology Act, 2006.

Territorial Privacy

In the context of territorial privacy, the Bangladesh Penal Code recognises criminal trespass, house trespass, lurking house trespass and house breaking as offences under Bangladeshi law.

IV. Conclusion

Privacy is a comprehensive term that entails a plethora of claims, making an exact definition of the term difficult to come by. In the absence of an explicit reference to privacy in the Indian Constitution, the Supreme Court has brought the right to privacy within the penumbra of Article 21 through various case laws. In 2010, the Government in its approach paper on privacy claimed that India is not a particularly private nation. In order to comprehensively understand India's modern legal framework, it is imperative to analyze the concepts of traditional law as they existed hitherto the colonial era. Although the term "privacy" is a modern construct, this paper has sought to demonstrate that the notion of privacy was well recognized and protected in traditional Islamic law.

From the discussion above, it is evident that the concept of privacy in Shariah law rests convincingly within the taxonomy adopted in this paper. The Quran and Hadith accommodate concerns surrounding private property, personal autonomy, protection of private communications, domestic life, modesty and the modern idea of surveillance. In addition to this, Islamic jurisprudence ascribes to the idea of a public and private sphere. The public sphere is occupied by society and governmental action, being liable to scrutiny and observation. On the other hand, the private sphere is occupied by the individual and the divine alone, free from any interference except in accordance with Shariah law. Inspite of the term "privacy" not finding explicit mention in the Quran or Hadith, a closer analysis of Shariah reveals privacy as a pervasive theme in Islamic jurisprudence.

Daniel Solove, A Taxonomy of Privacy, Vol. 154, No.3 University of Pennsylvania Law Journal, 477 (2006).

Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harvard Law Review 193, 193 (1890).

Richard A. Posner, Privacy, Surveillance and the Law, Vol. 75 No. 1 The University of Chicago Law Review 245, 245 (2008).

Blanca Rodríguez Ruiz, Privacy in Telecommunications: A European and an American Approach 39 (1st ed. 1997).

James Q. Whitman, The Two Western Cultures of Privacy : Dignity versus Liberty, 113 Yale Law Journal 1152, 1153 (2004).

Whitman, supra note 5, at 1153.

Solove, supra note 1, at 479.

Ibid. Referencing Lillian r. BeVier, Information About Individuals in the Hands of Government: Some Reflections on Mechanisms for Privacy Protection, 4 WM. & MARY BILL RTS. J. 455, 458 (1995) .

Ibid. Referencing KIM LANE SCHEPPELE, LEGAL SECRETS 184-85 (1988).

Ibid. Referencing 1 J. THOMAS MCCARTHY, THE RIGHTS OF PUBLICITY AND PRIVACY § 5.59 (2d ed. 2005).

Solove, supra note 1, at 560.

Samuel D. Warren & Louis D. Brandeis, supra note 2, at 193.

William L Prosser, Privacy, 48 California Law Review 383,389 (1960).

Solove, supra note 1, at 488.

Data Security Council of India, Policy Paper: Privacy in India. Available at https://www.dsci.in/sites/default/files/Policy%20Paper%20-%20Privacy%20in%20India.pdf.

Department of Personnel and Training, (DoPT) Approach Paper for a Legislation on Privacy. Report available at http://ccis.nic.in/WriteReadData/CircularPortal/D2/D02rti/aproach_paper.pdf.

Justice Ajit.P.Shah Committee, Report of the Group of Experts on Privacy, 60. Available at - http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf.

Bhairav Acharya, at http://freespeechhub.thehoot.org/freetracker/storynew.php?storyid=565&sectionId=10.

DoPT, Approach Paper. supra note 16.

Whitman, supra note 5, at 1154.

Chandran Kukathas, Cultural Privacy, Vol. 91, No. 1 The Monist 68, 69 (2008).

Marc Galanter, Displacement of Traditional Law in Modern India, Vol XXIV, No. 4 Journal of Social Issues 65, 67 (1968).

Stuart Corbridge & John Harriss, Reinventing India: Liberalization, Hindu Nationalism and Popular Democracy 238 (Reprint, 2006).

Galanter, supra note 22, at 66.

Ibid. at 67.

Edward Said, Representing the Colonized: Anthropology's Interlocutors, Vol. 15 No.2 Critical Inquiry 205, 207 (1989).

Mohammad Hashim Kamali, Shari'ah Law, An Introduction 19 (2009)

M Mustafa Al Azami, Studies in Hadith Methodology and Literature 7 (2002).

Id. at 3.

NJ Coulson, A History of Islamic Law 22 (1964)

Kamali, supra note 27, at 19.

Sunan Ibn Majah , Book of Tribulations (Kitab al-Fitan) , #3950, available at http://sunnah.com/ibnmajah/36.

Mohsen Kadivar, An Introduction to the Private and Public Debate in Islam, Vol.70 , No. 3 Social Research 659, 663 (2003).

Lara Aryani, Privacy Rights in Shariah and Shariah-based States, Vol. 3, Iss.2, Journal of Islamic State Practices in International Law, 3 (2007)

Kadivar, supra note 33, at 664.

Ibid. at 665.

Ibid. at 667. Referencing Koleini, Mohammad. Al-Kaafi. Qom, Vol. 2: 353 1388.

Ibid. at 671.

Ibid. at 664.

Social Contract Theory of John Locke(1932-1704) in the Contemporary World , SelectedWorks of Daudi Mwita, Nyamaka (2011) Available at http://works.bepress.com/cgi/viewcontent.cgi?article=1009&context=dmnyamaka.

Kadivar, supra note 33, at 664.

Ibid. at 673.

Abul a'la Mawdudi, Human Rights in Islam 24 (1995). Also available online, at http://books.google.co.in/books?id=RUJWdCOmmxoC&printsec=frontcover#v=onepage&q&f=false.

Aryani, supra note 34, at 13.

This indicates Sura 24 : verse 58.

Holy Quran, 24:58 - O you who have believed, let those whom your right hands possess and those who have not [yet] reached puberty among you ask permission of you [before entering] at three times: before the dawn prayer and when you put aside your clothing [for rest] at noon and after the night prayer. [These are] three times of privacy for you. There is no blame upon you nor upon them beyond these [periods], for they continually circulate among you - some of you, among others. Thus does Allah make clear to you the verses; and Allah is Knowing and Wise. (Translation from Sahih International available at http://quran.com/24/58)

Reza Sadiq, Islam's Fourth Amendment : Search and Seizure in Islamic Doctrine and Muslim Practice, Vol. 40 Georgetown Journal of International Law 703, 730 (2008 - 2009).

Ibid. at 733. Referencing IBRAHIM ABDULLA AL-MARZOUQI, Human Rights in Islamic Law 392 (2000).

Rohen Peterson, The Emperor's New Scanner :Muslim Women at the Intersection of the First Amendment and Full Body Scanners, 22 Hastings Women's Law Journal 339, 343 (2011).

Holy Quran, 24:30 - Tell the believing men to reduce [some] of their vision and guard their private parts. That is purer for them. Indeed, Allah is Acquainted with what they do. (Translation from Sahih International available at http://quran.com/24/30-31).

Holy Quran, 24:31- And tell the believing women to reduce [some] of their vision and guard their private parts and not expose their adornment except that which [necessarily] appears thereof and to wrap [a portion of] their headcovers over their chests and not expose their adornment except to their husbands, their fathers, their husbands' fathers, their sons, their husbands' sons, their brothers, their brothers' sons, their sisters' sons, their women, that which their right hands possess, or those male attendants having no physical desire, or children who are not yet aware of the private aspects of women. And let them not stamp their feet to make known what they conceal of their adornment. And turn to Allah in repentance, all of you, O believers, that you might succeed. (Translation from Sahih Internation, available at http://quran.com/24/30-31).

David Garner, Muslims warned not to go through airport body scanners because they violate Islamic rules on nudity, The daily mail, (Feb 12, 2010). http://www.dailymail.co.uk/news/article-1250616/Muslims-warned-airport-body-scanners-violate-Islamic-rules-nudity.html#ixzz3KF8hS6q3 .

Holy Quran, 33:59 - O Prophet, tell your wives and your daughters and the women of the believers to bring down over themselves [part] of their outer garments. That is more suitable that they will be known and not be abused. And ever is Allah Forgiving and Merciful. (Translation from Sahih International, available at http://quran.com/33/59.)

Eli Alshech, "Do Not Enter Houses Other than Your Own": The Evolution of the Notion of a Private Domestic Sphere in Early Sunnī Islamic Thought Vol. 11, No. 3, Islamic Law and Society 291, 304 (2004).

Holy Quran, 49:12 - O you who have believed, avoid much [negative] assumption. Indeed, some assumption is sin. And do not spy or backbite each other. Would one of you like to eat the flesh of his brother when dead? You would detest it. And fear Allah ; indeed, Allah is Accepting of repentance and Merciful. ( Translation from Sahih International, available at http://quran.com/49/12)

Holy Quran, 24:19 - Indeed, those who like that immorality should be spread [or publicized] among those who have believed will have a painful punishment in this world and the Hereafter. And Allah knows and you do not know. ( Translation from Sahih International, available at http://quran.com/24/19)

Kadivar, supra note 33, at 666.

Ahmad Atif Ahmad, Islam Modernity violence and everyday life 176 (1^st ed. 2009)

Kadivar, supra note 33, at 667.

Ibid , at 178.

Ibid.

Alshech, supra note 54, at 291.

Holy Quran, 24:27-8 - O you who have believed, do not enter houses other than your own houses until you ascertain welcome and greet their inhabitants. That is best for you; perhaps you will be reminded. And if you do not find anyone therein, do not enter them until permission has been given you. And if it is said to you, "Go back," then go back; it is purer for you. And Allah is Knowing of what you do. ( Translation from Sahih International, available at http://quran.com/24)

Holy Quran, 2:189 - They ask you, [O Muhammad], about the new moons. Say, "They are measurements of time for the people and for Hajj." And it is not righteousness to enter houses from the back, but righteousness is [in] one who fears Allah. And enter houses from their doors. And fear Allah that you may succeed. (Translation from Sahih International, available at http://quran.com/2)

Alshech, supra note 54, at 308.

Ibid. at 306. Referencing Ibn Abi Hatim, 8 TAF5IRAL-QUR'ANAL-'ADHIM 2566 (Makiabat Nlilr Mustaffi 1999).

Ahmad, supra note 58, at 177.

Alshech, supra note 54, at 324.

Aryani, supra note 34, at 4. Also see Ahmad, supra note 24, at 178.

Alshech, supra note 54, at 310.

Kadivar, supra note 33, at 664.

Moeen Cheema, Beyond Beliefs: Deconstructing the Dominant Narratives of the Islamization of Pakistan's Law, 60 American Journal of Comparative Law 875 (2012).

The Constitution of the Islamic Republic of Pakistan, 1973. Available at http://www.na.gov.pk/publications/constitution.pdf.

Cheema, supra note 72, at 879.

The Constitution of the Islamic Republic of Pakistan, 1973, supra note 73.

Ibid.

Ibid. Article 8 - "(1) Any law, or any custom or usage having the force of law, in so far as it is inconsistent with the rights conferred by this Chapter, shall, to the extent of such inconsistency, be void. (2) The State shall not make any law which takes away or abridges the right so conferred and any law made in contravention of this clause shall, to the extent of such contravention, be void

Ibid. Article 4(2)(a) - "no action detrimental to the life, liberty, body, reputation or property of any person shall be taken except in accordance with law."

Section 509, Pakistan Penal Code (Act XLV of 1860), Available at http://www.oecd.org/site/adboecdanti-corruptioninitiative/46816797.pdf.

Section 32, Pakistan Telecommunication (Re-Organisation) Act, 1996. Available at http://www.pta.gov.pk/media/pta_act_140508.pdf.

Ibid. Section 54.

Section 25-D, Pakistan Telegraph Act, 1885. Available at http://www.fia.gov.pk/law/Offences/26.pdf.

Section 12, Pakistan Medical and Dental Council Code of Ethics. Available at http://www.pmdc.org.pk/LinkClick.aspx?fileticket=v5WmQYMvhz4%3D&tabid=292&mid=845.

http://www.sbp.org.pk/publications/prudential/ordinance_62.pdf

Section 8, Freedom of Information Ordinance, 2002. Available at http://infopak.gov.pk/Downloads/Ordenances/Freedom_of_%20Information_Ordinance2002.pdf.

Pakistan IT Policy and Action Plan, available at http://www.unapcict.org/ecohub/resources/pakistan-information-technology-policy.

Electronic Transactions Ordinance, available at http://www.pakistanlaw.com/eto.pdf.

For a more detailed account, see http://www.supremecourt.gov.pk/ijc/articles/10/1.pdf. Second draft available at http://media.mofo.com/docs/mofoprivacy/PAKISTAN%20Draft%20Law%202nd%20Revision%20.pdf.

Sections 441 - 462, Pakistan Penal Code (XLV of 1860) Chapter XVII, "Offences against Property".

Section 5, Anti Terrorism Act, 1997. Available at http://www.fia.gov.pk/law/ata1997.pdf.

Ibid. Section 10.

Lara Aryani, supra note 34, at 21.

Julhas Alam, Bangladesh moves to retain Islam as state religion, Cns News, http://cnsnews.com/news/article/bangladesh-moves-retain-islam-state-religion.

Article 43, Constitution of Bangladesh. Available at http://www1.umn.edu/humanrts/research/bangladesh-constitution.pdf.

Section 509, Bangladesh Penal Code,1860. Available at http://bdlaws.minlaw.gov.bd/print_sections_all.php?id=11.

Ibid. Sections 351- 358.

Ibid . Section 100.

Section 5, Bangladesh Telegraph Act, 1885. Available at http://bdlaws.minlaw.gov.bd/print_sections_all.php?id=55.

Ibid . Section 24.

Ibid. Section 25.

Bangladesh Penal Code, 1860. supra note 95. Section 441.

Ibid. Section 442.

Ibid. Section 443.

Ibid. Section 445.

See, Kharak Singh v. State of Uttar Pradesh, AIR 1963 SC 1295 : (1964) 1 SCR 332; Govind v. State of Madhya Pradesh, AIR 1975 SC 1378; Rajagopal v. State of Tamil Nadu, AIR 1995 SC 264; People's Union for Civil Liberties (PUCL) v. Union of India, AIR 1997 SC 568; X v. Hospital Z, AIR 1999 SC 495.

DoPT, Approach Paper. supra note 16.

For more details visit https://cis-india.org/internet-governance/blog/identifying-aspects-of-privacy-in-islamic-law

I Just Pinged to Say Hello

nishant — 2013-11-30T08:36:02Z

A host of social networks find us more connected than ever before, but leave us groping for words in the digital space.

Dr. Nishant Shah's article was published in the Indian Express on November 24, 2013.

I am making a list of all the platforms that I use to connect with the large networks that I belong to. Here goes: I use Yahoo! Messenger to talk to my friends in east Asia. Most of my work meetings happen on Skype and Google Hangout. A lot of friendly chatter fills up my Facebook Messenger. Twitter is always available for a little back-chat and bitching. On the phone, I use Viber to make VoIP calls and WhatsApp is the space for unending conversations spread across days. And these are just the spaces for real-time conversation. Across all these platforms, something strange is happening. As I stay connected all the time, I am facing a phenomenon where we have run out of things to say, but not the desire to talk.

I had these three conversations today on three different instant-messaging platforms:

Person 1 (on WhatsApp): Hi.

Me: Hey, good to hear from you. How are you doing?

Person 1: Good.

Me (after considerable silence): So what's up?

Person 1: Nothing.

End of conversation.

Person 2 (On an incoming video call on Skype): Hey, you there?

Me: Yeah. What time is it for you right now?

Person 2: It is 10 at night.

Me: Oh! That is late. How come you are calling me so late?

Person 2: Oh, I saw you online.

Me: Ok….. *eyes raised in question mark*

Person 2: So, that's it. I am going to sleep soon.

Me: Ok…. Er…goodnight.

Person2: Goodnight.

We hang up.

Person 3 (pinging me on Facebook): Hey, you are in the US right now?

Me: Yes. I am attending a conference here.

Person 3: Cool!

Me: Umm… yeah, it is.

Person 3: emoticon of a Facebook 'like'. Have fun. Bye.

Initially I was irritated at the futility of these pings that are bewildering in their lack of content. I dismissed it as one of those things, but I realise that there is a pattern here. Our lives are so particularly open and documented, such minute details of what we do, where we are and who we are with, is now available for the rest of the world to consume, making most of the conversations seeking information, redundant. If you know me on my social media networks, you already know most of the basic things that you would want to know about me. And it goes without saying that no matter how close and connected we are, we are not necessarily in a state where we want to talk all the time. The more distributed our lives are, the more diminished is the need for personal communication.

And yet, the habit or the urge to ping, buzz, DM or chat has not caught up with this interaction deficit. So, we still seem to reach out, using a variety of platforms just to say hello, even when there is nothing to say. I call this the 'Always On' syndrome. We live in a world where being online all the time has become a ubiquitous reality. Even when we are asleep, or busy in a meeting, or just mentally disconnected from the online spaces, our avatars are still awake. They interact with others. And when they feel too lonely, they reach out and send that empty ping — just to confirm that they are not alone. That on the other side of the glowing screen is somebody else who is going to connect back, and to reassure you that we are all together in this state of being alone.

This empty ping has now become a signifier, loaded with meaning. The need for human connection has been distributed, but it does not compensate our need for one-on-one contact. In the early days of the cell phone, when incoming calls were still being charged, the missed call, without any content, was a code between friends and lovers. It had messages about where to meet, when to meet, or sometimes, just that you were missing somebody. The empty ping is the latest avatar of the missed call — in a world where we are always online but not always connected, when we are constantly together, but also spatially and emotionally alone, the ping remains that human touch in the digital space that reassures us that on the other side of that seductive interface and the buzzing gadget, is somebody we can say hello to.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-november-24-2013-nishant-shah-i-just-pinged-to-say-hello

Human Rights in the Age of Digital Technology: A Conference to Discuss the Evolution of Privacy and Surveillance

Amber Sinha — 2016-01-11T02:12:49Z

The Centre for Internet and Society organised a conference in roundtable format called ‘Human Rights in the Age of Digital Technology: A Conference to discuss the evolution of Privacy and Surveillance. The conference was held at Indian Habitat Centre on October 30, 2015. The conference was designed to be a forum for discussion, knowledge exchange and agenda building to draw a shared road map for the coming months.

In India, the Right to Privacy has been interpreted to mean an individual's’ right to be left alone. In the age of massive use of Information and Communications Technology, it has become imperative to have this right protected. The Supreme Court has held in a number of its decisions that the right to privacy is implicit in the fundamental right to life and personal liberty under Article 21 of the Indian Constitution, though Part III does not explicitly mention this right. The Supreme Court has identified the right to privacy most often in the context of state surveillance and introduced the standards of compelling state interest, targetted surveillance and oversight mechanism which have been incorporated in the forms of rules under the Indian Telegraph Act, 1885. Of late, privacy concerns have gained importance in India due to the initiation of national programmes like the UID Scheme, DNA Profiling, the National Encryption Policy, etc. attracting criticism for their impact on the right to privacy. To add to the growing concerns, the Attorney General, Mukul Rohatgi argued in the ongoing Aadhaar case that the judicial position on whether the right to privacy is a fundamental right is unclear and has questioned the entire body of jurisprudence on right to privacy in the last few decades.

Participation

The roundtable saw participation from various civil society organisation such as Centre for Communication Governance, The Internet Democracy Project, as well as individual researchers like Dr. Usha Ramanathan and Colonel Mathew.

Introductions

Vipul Kharbanda, Consultant, CIS made the introductions and laid down the agenda for the day. Vipul presented a brief overview of the kind of work of CIS is engaged in around privacy and surveillance, in areas including among others, the Human DNA Profiling Bill, 2014, the Aadhaar Project, the Privacy Bill and surveillance laws in India. It was also highlighted that CIS was engaged in work in the field of Big Data in light of the growing voices wanting to use Big Data in the Smart Cities projects, etc and one of the questions was to analyse whether the 9 Privacy Principles would still be valid in a Big Data and IoT paradigm.

The Aadhaar Case

Dr. Usha Ramanathan began by calling the Aadhaar project an identification project as opposed to an identity project. She brought up various aspects of project ranging from the myth of voluntariness, the strong and often misleading marketing that has driven the project, the lack of mandate to collect biometric data and the problems with the technology itself. She highlighted inconsistencies, irrationalities and lack of process that has characterised the Aadhaar project since its inception. A common theme that she identified in how the project has been run was the element of ad-hoc-ness about many important decisions taken on a national scale and migrating from existing systems to the Aadhaar framework. She particularly highlighted the fact that as civil society actors trying to make sense of the project, an acute problem faced was the lack of credible information available. In that respect, she termed it as ‘powerpoint-driven project’ with a focus on information collection but little information available about the project itself. Another issue that Dr. Ramanathan brought up was that the lack of concern that had been exhibited by most people in sharing their biometric information without being aware of what it would be used, was in some ways symptomatic of they way we had begun to interact with technology and willingly giving information about ourselves, with little thought. Dr Ramanathan’s presentation detailed the response to the project from various quarters in the form of petitions in different high courts in India, how the cases were received by the courts and the contradictory response from the government at various stages. Alongside, she also sought to place the Aadhaar case in the context of various debates and issues, like its conflict with the National Population Register, exclusion, issues around ownership of data collected, national security implications and impact on privacy and surveillance. Aside from the above issues, Dr. Ramanathan also posited that the kind of flat idea of identity envisaged by projects like Aadhaar is problematic in that it adversely impacts how people can live, act and define themselves. In summation, she termed the behavior of the government as irresponsible for the manner in which it has changed its stand on issues to suit the expediency of the moment, and was particularly severe on the Attorney General raising questions about the existence of a fundamental right to privacy and casually putting in peril jurisprudence on civil liberties that has evolved over decades.

Colonel Mathew concurred with Dr. Ramanathan that the Aadhaar Project was not about identity but about identification. Prasanna developed on this further saying that while identity was a right unto the individual, identification was something done to you by others. Colonel Mathew further presented a brief history of the Aadhaar case, and how the significant developments over the last few years have played out in the courts. One of the important questions that Colonel Mathew addressed was the claim of uniqueness made by the UID project. He pointed to research conducted by Hans Varghese Mathew which analysed the data on biometric collection and processing released by the UID and demonstrated that there was a clear probability of a duplication in 1 out of every 97 enrolments. He also questioned the oft-repeated claim that UID would give identification to those without it and allow them to access welfare schemes. In this context, he pointed at the failures of the introducer system and the fact that only 0.03% of those registered have been enrolled through the introducer system. Colonel Mathew also questioned the change in stance by the ruling party, BJP which had earlier declared that the UID project should be scrapped as it was a threat to national security. According to him, the prime mover of the scheme were corporate interests outside the country interested in the data to be collected. This, he claimed created very serious risks to the national security. Prasanna further added to this point stating that while, on the face of it, some of the claims of threats to national security may sound alarmist in nature, if one were to critically study the manner in which the data had collected for this project, the concerns appeared justified.

The Draft Encryption Policy

Amber Sinha, Policy Officer at CIS, made a presentation on the brief appearance of the Draft Encryption Policy which was released in October this year, and withdrawn by the government within a day. Amber provided an overview of the policy emphasising on clauses around limitations on kind of encryption algorithms and key sizes individuals and organisations could use and the ill-advised procedures that needed to be followed. After the presentation, the topic was opened for discussion. The initial part of the discussion was focussed on specific clauses that threatened privacy and could serve the ends of enabling greater surveillance of the electronic communications of individuals and organisations, most notably having an exhaustive list of encryption algorithms, and the requirement to keep all encrypted communication in plain text format for a period of 90 days. We also attempted to locate the draft policy in the context of privacy debates in India as well as the global response to encryption. Amber emphasised that while mandating minimum standards of encryption for communication between government agencies may be a honorable motive, as it is concerned with matters of national security, however when this is extended to private parties and involved imposes upward thresholds on the kinds of encryption they can use, it stems from the motive of surveillance. Nayantara, of The Internet Democracy Project, pointed out that there had been global push back against encryption by governments in various countries like US, Russia, China, Pakistan, Israel, UK, Tunisia and Morocco. In India also, the IT Act places limits on encryption. Her points stands further buttressed by the calls against encryption in the aftermath of the terrorist attacks in Paris last month.

It also intended to have a session on the Human DNA Profiling Bill led by Dr. Menaka Guruswamy. However, due to certain issues in scheduling and paucity of time, we were not able to have the session.

Questions Raised

On Aadhaar, some of the questions raised included the question of applicability of the Section 43A, IT Act rules to the private parties involved in the process. The issue of whether Aadhaar can be tool against corruption was raised by Vipul. However, Colonel Mathew demonstrated through his research that issues like corruption in the TPDS system and MNREGA which Aadhaar is supposed to solve, are not effectively addressed by it but that there were simpler solutions to these problems.

Ranjit raised questions about the different contexts of privacy, and referred to the work of Helen Nissenbaum. He spoke about the history of freely providing biometric information in India, initially for property documents and how it has gradually been used for surveillance. He argued has due to this tradition, many people in India do not view sharing of biometric information as infringing on their privacy. Dipesh Jain, student at Jindal Global Law School pointed to challenges like how individual privacy is perceived in India, its various contexts, and people resorting to the oft-quoted dictum of ‘why do you want privacy if you have nothing to hide’. In the context, it is pertinent to mention the response of Edward Snowden to this question who said, “Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.” Aakash Solanki, researcher

Vipul and Amber also touched upon the new challenges that are upon us in a world of Big Data where traditional ways to ensure data protection through data minimisation principle and the methods like anonymisation may not work. With advances in computer science and mathematics threatening to re-identify anonymized datasets, and more and more reliances of secondary uses of data coupled with the inadequacy of the idea of informed consent, a significant paradigm shift may be required in how we view privacy laws.

A number of action items going forward were also discussed, where different individuals volunteered to lead research on issues like the UBCC set up by the UIDAI, GSTN, the first national data utility, looking the recourses available to individual where his data is held by parties outside India’s jurisdiction.

For more details visit https://cis-india.org/internet-governance/blog/human-rights-in-the-age-of-digital-technology-a-conference-to-discuss-the-evolution-of-privacy-and-surveillance

Human DNA Profiling Bill 2012 v/s 2015 Bill

vanya — 2015-09-06T14:10:26Z

This entry analyses the Human DNA Profiling Bill introduced in 2012 with the provisions of the 2015 Bill

A comparison of changes that have been introduced in the Human DNA Profiling Bill, June 2015.

Definitions:

1. 2012 Bill: The definition of "analytical procedure" was included under clause 2 (1) (a) and was defined as an orderly step by step procedure designed to ensure operational uniformity.

2015 Bill: This definition has been included under the Explanation under clause 22 which provides for measures to be taken by DNA Laboratory.

2. 2012 Bill: The definition of "audit" was earlier defined under clause 2 (1) (b) and was defined as an inspection used to evaluate, confirm or verify activity related to quality.

2015 Bill: This definition has been included under the Explanation under clause 22 which provides for measures to be taken by DNA Laboratory.

3. 2012 Bill: There was no definition of "bodily substance".

2015 Bill: Clause 2(1) (b) defines bodily substance to be any biological material of or from a body of the person (whether living or dead) and includes intimate/non-intimate body samples as well.

4. 2012 Bill: The definition of "calibration" was included under clause 2 (1) (d) in the previous Bill.

2015 Bill: The definition has been removed from the definition clause and has been included as an explanation under clause 22.

5. 2012 Bill: Previously "DNA Data Bank" was defined under clause 2(1)(h) as a consolidated DNA profile storage and maintenance facility, whether in computerized or other form, containing the indices as mentioned in the Bill.

2015 Bill: However, in this version, the definition has been briefed under clause 2(1) (f) to mean as a DNA Data Bank as established under clause 24.

6. 2012 Bill: Previously a "DNA Data Bank Manager" was defined clause 2(1) (i) as the person responsible for supervision, execution and maintenance of the DNA Data Bank.

2015 Bill: In the new Bill, it is defined clause 2(1) (g) as a person appointed under clause 26.

7. 2012 Bill: Under clause 2(1) (j), the definition of "DNA laboratory" was defined to be any laboratory established to perform DNA procedures.

8. 2015 Bill: Under clause 2(1) (h) "DNA laboratory" has been now defined to be any laboratory established to perform DNA profiling.

9. 2012 Bill: "DNA procedure" was defined under clause 2(1) (k) as a procedure to develop DNA profile for use in the applicable instances as specified in the Schedule.

2015 Bill: This definition has been removed from the Bill.

10. 2012 Bill: There was no definition of "DNA Profiling".

2015 Bill: DNA profiling has been defined under clause 2(1) (j) as a procedure to develop DNA profile for human identification.

11. 2012 Bill: "DNA testing" was defined under clause 2(1) (n) as the identification and evaluation of biological evidence using DNA technologies for use in the applicable instances.

2015 Bill: This definition has been removed.

12. 2012 Bill: "forensic material" was defined under clause 2(1) (o) as biological material of or from the body of a person living or dead, and representing an intimate body sample or non-intimate body sample.

2015 Bill: This definition has been included under the definition of "bodily substance" under clause 2(1) (b).

13. 2012 Bill: "intimate body sample" was defined under clause 2(1) (q).

2015 Bill: This has been removed from the definitions clause and has been included as an explanation under clause 23 which addresses sources and manner of collection of samples for DNA profiling.

14. 2012 Bill: "intimate forensic procedure" was defined under 2(1) (r).

2015 Bill: This has been removed from the definitions clause and has been included as an explanation under clause 23 which addresses sources and manner of collection of samples for DNA profiling.

15. 2012 Bill: "non-intimate body sample" was defined under clause 2(1) (v) in 2012 Bill.

2015 Bill: The definition of "non-intimate body sample" has not been included in the definitions clause and has been included as an Explanation under clause 23 which addresses sources and manner of collection of samples for DNA profiling.

16. 2012 Bill: "non-intimate forensic procedure" was defined under clause 2(1) (w) in 2012 Bill.

2015 Bill: The definition of "non-intimate forensic procedure" has not been included in the definitions clause and has been included as an Explanation under clause 23 which addresses sources and manner of collection of samples for DNA profiling.

17. 2012 Bill: "undertrial" was defined under clause 2(1) (zk) as a person against whom a criminal proceeding is pending in a court of law.

2015 Bill: The definition now states such a person against whom charges have been framed for a specified offence in a court of law under clause 2(1) (zc).

DNA Profiling Board:

1. 2012 Bill: Under clause 4 (a), the Bill stated that a renowned molecular biologist must be appointed as the Chairperson.

2015 Bill: Under clause 4 addressing Composition of the Board, the Bill states that the Board shall consist of a Chairperson who shall be appointed by the Central Government and must have at least fifteen years' experience in the field of biological sciences.

2. 2012 Bill: Under clause 4 (i), the Chairman of National Bioethics Committee of Department of Biotechnology, Government of India was to be included as a member under the DNA Profiling Board.

2015 Bill: This member has been removed from the composition.

3. 2012 Bill: Under clause 4 (m), the term of 1 person from the field of genetics was not mentioned in the 2012 Bill.

2015 Bill: In this Bill under clause 4 (m), it has been stated that such a person must have minimum experience of twelve years in the field.

4. 2012 Bill: The term of 2 people from the field of biological sciences was not mentioned in the 2012 Bill under clause 4 (l).

2015 Bill: Under clause 4 (l), it has been stated that such 2 people must have minimum experience of twelve years in the field.

5. The following members have been included in the 2015 Bill-

i. Chairman of National Human Rights Commission or his nominees, as an ex-officio member under clause 4 (a).

ii. Secretary to Government of India, Ministry of Law and Justice or his nominees (not below rank of Joint Secretary), as an ex-officio member under clause 4 (b).

6. 2012 Bill: Under clause 5, the term of the members was not uniform and varied for all members.

2015 Bill: The term of people from the field of biological sciences and the person from the field of genetics has been states to be five years from the date of their entering upon the office, and would be eligible for re-appointment for not more than 2 consecutive terms.

Also, the age of a Chairperson or a member cannot exceed seventy years.

The term of members under clauses (c), (f), (h), and (i) of clause 4 is 3 years and for others the term shall continue as long as they hold the office.

Chief Executive Officer:

2012 Bill: Earlier it was stated in the Bill under clause 10 (3) that such a person should be a scientist with understanding of genetics and molecular biology.

2015 Bill: The Bill states under clause 11 (3) that the CEO shall be a person possessing qualifications and experience in science or as specified under regulations. The specific experience has been removed.

A new clause- 12(5) addresses power of the Board to co-opt the number of people for attending the meetings and take part in proceedings; however such a person shall be devoid of voting rights. Also, such a person shall be entitled to specified allowances for attending the meetings.

Officers and Other Employees of Board:

2012 Bill: The Bill stated under clause 11 (3) that the Board may appoint consultants required to assist in the discharge of its functions on such terms and conditions as may be specified by the regulations.

2015 Bill: The 2015 Bill states under clause 12 (3) that the Board may appoint experts to assist for discharging its functions and may hold consultations with people whose rights may be affected by DNA profiling.

Functions of the Board:

2012 Bill: 26 functions were stated in the 2012 Bill.

2015 Bill: The number of the functions has been reduced to 22 with a few changes based on recommendations of Expert Committee.

Power of Board to withdraw approval:

2015 Bill: The circumstances in which the Board could withdraw its approval have not been changed from the 2012 Bill (previously under clause 16). There's an addition to the list as provided under clause 17 (1) (d) wherein the Board can also withdraw its approval in case the DNA laboratory fails to comply with any directions issued by the DNA Profiling Board or any such regulatory Authority under any other Act.

Obligations of DNA Laboratory:

2015 Bill: There is an addition to the list of obligations to be undertaken by a DNA laboratory under clause 19 (d). The laboratory has an additional obligation to share the DNA data prepared and maintained by it with the State DNA Data Bank and the National DNA Data Bank.

Qualification and experience of Head, technical and managerial staff and employees of DNA Laboratory:

2012 Bill: The previous Bill clearly mandated under clause 19 (2) the qualifications of the Head of every DNA laboratory to be a person possessing educational qualifications of Doctorate in Life Sciences from a recognised University with knowledge and understanding of the foundation of molecular genetics as applied to DNA work and such other qualifications as may be specified by regulations made by the Board.

2015 Bill: The provision has been generalized and provides under clause 20 (1) for a person to be possess the specified educational qualifications and experience.

Measures to be taken by DNA Laboratory:

2012 Bill: In the previous Bill, there were separate clauses with regard to security, minimization of contamination, evidence control system, validation process, analytical procedure, equipment calibration and maintenance, audits of laboratory to be followed by a DNA Laboratory.

2015 Bill: In the 2015 Bill, these measures to be adopted by DNA Laboratory have been included under one clause itself-clause 22.

Infrastructure and training:

2012 Bill: The specific provisions regarding infrastructure, fee, recruitment, training and installing of security system in the DNA Laboratory were present in the Bill under clauses 28-31.

2015 Bill: These provisions have been removed from the 2015 Bill.

Sources and manner of collection of samples for DNA profiling:

2012 Bill: Part II of the Schedule in the Bill provided for sources and manner of collection of samples for DNA Profiling.

The sources include: Tissue and skeleton remains and Already preserved body fluids and other samples.

Also, it provided for a list of the manner in which the profiling can be done:

(1) Medical Examination (2) Autopsy examination (3) Exhumation

Also, provision for collection of intimate and non-intimate body samples was provided as an Explanation.

2015 Bill: Under Clause 23, the sources include bodily substances and other sources as specified in Regulations. The other sources remain unchanged.

Also, provision for collection of intimate and non-intimate body samples is addressed in clause 23(2).

The explanation to the provision states what would be implied by the terms medical practitioner, intimate body sample, intimate forensic procedure, non-intimate body sample and non-intimate forensic procedure.

DNA Data Bank:

- Establishment:

2012 Bill: The Bill did not specify any location for establishment of the National DNA Data Bank.

2015 Bill: The Bill states under clause 24 (1) that the Central Government shall establish a National DNA Data Bank at Hyderabad.

-Maintenance of indices of DNA Data Bank:

2012 Bill: Apart from the DNA profiles, every DNA Data Bank shall contain the identity of the person from whose body the substances are taken in case of a profile in the offenders' index as under clause 32 (6) (a).

2015 Bill: Clause 25 (2) (a) states that the DNA Data Bank shall contain the identity for the suspects' or offenders' index.

DNA Data Bank Manager:

2012 Bill: The Bill States under clause 33 (1) that a DNA Data Bank Manger shall be appointed for conducting all operations of the National DNA Data Bank. The functions were not specific.

2015 Bill: The Bill states under clause 26 (1) specifically that a DNA Data Bank Manger shall be appointed for the purposes of execution, maintenance and supervision of the National DNA Data Bank.

- Qualification:

2012 Bill: In the previous Bill, it was stated under clause 33 (3) that the DNA Data Bank Manager must be a scientist with understanding of computer applications and statistics.

2015: The Bill states under clause 26 (2) that the DNA Data Bank Manager must possess educational qualification in science and any such experience as prescribed by the regulations.

Officers and other employees of the National DNA Data Bank:

2012 Bill: The Bill stated under clause 34 (3) that the Board may appoint consultants required to assist in the discharge of the functions of the DNA Data Banks.

2015 Bill: The Bill provides under clause 27 (3) that the Board may appoint experts required to assist in the discharge of the functions of the DNA Data Banks

Comparison and Communication of DNA profiles:

2015 Bill: The New Bill specifically addresses comparison and communication the DNA profiles as that in the offenders' or crime scene index under clause 28 (1). Also, there is an additional provision under clause 29 (3) which states that the National DNA Data Bank Manger may communicate a DNA profile through Central Bureau of Investigation on request of a court, tribunal, law enforcement agency or DNA laboratory to the Government of a foreign State, an international organization or institution of Government.

Use of DNA profiles and DNA samples and records:

2012 Bill: The Bill provided under clause 39 that all DNA profiles, samples and records would be used solely for purpose of facilitating identification of perpetrator of an offence as listed under the Schedule. The proviso to this provision addressed the fact that such samples could be used to identify victims of accidents or disaster or missing persons, or any purpose of civil dispute.

2015 Bill: The Bill restricts the use of all DNA profiles, samples and records solely for purpose of facilitating identification of a person under the Act under clause 32.

DNA Profiling Board Fund:

2012 Bill: The Bill stated under clause 47 (2) that the financial power for the application of monies of the Fund shall be delegated to the Board in such manner as may be prescribed and as may be specified by the regulations made by the Board.

Also, the Bill stated that the Fund shall be applied for meeting remuneration requirements to be paid to the consultants under clause 47 (3) (c).

2015 Bill: This provision has not been included in the Bill. Also, the Bill does not include the provision of paying the remuneration to the experts from the Fund.

Delegation of Powers:

2012 Bill: The Bill provided under clause 61 that The Board may delegate its powers and functions to the Chairperson or any other Member or officer of the Board subject to such conditions, if necessary.

2015 Bill: This provision has not been included in the 2015 Bill.

Powers of Board to make rules:

2012 Bill: The Bill provided for an exhaustive list consisting of 33 powers listed under clause 65.

2015 Bill: The Bill provides for a list of 27 powers of the Board under clause 57.

Schedule:

2012 Bill: In the list of offense where human DNA profiling would be applicable, there was an inclusion of any law as may be specified by the regulations made by the Board.

2015 Bill: This provision has been removed from the 2015 Bill.

For more details visit https://cis-india.org/internet-governance/blog/human-dna-profiling-bill-2012-vs-2015

Human DNA Profiling Bill 2012 Analysis

Jeremy Gruber — 2013-03-19T09:53:22Z

Jeremy Gruber from the Council for Responsible Genetics, US provides an analysis of the Human DNA Profiling Bill, 2012. He says that India’s updated 2012 Human DNA Profiling Bill offers largely superficial changes from its predecessor, the Draft DNA Profiling Bill, 2007.

Indeed, where there are significant departures from prior language, they tend to raise additional privacy and human rights concerns. Overall the current version of the Bill is littered with significant and striking human rights and privacy concerns and, if passed in its current form, would place India far outside the mainstream of both law and policy in this area. Beyond the privacy and human rights concerns that are addressed in this analysis of the Bill, the breadth of the structural and financial costs of enacting the Bill in its current form should also be seriously considered as they would most certainly be staggeringly high.

Bill Analysis

Introduction

The introduction of the Bill sets out the broad policy objectives of its drafters. The most telling portion in paragraph 1 states: “[DNA analysis] makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead without any doubt.” (emphasis added). It is evident that the policy animating the Bill presupposes the objective infallibility of genetic analysis. This patent mistruth underpins the policy rationale for the Bill, and as such casts a long shadow over its substantive provisions. At the very least, it tells the reader (and perhaps one day the court) to broadly interpret the Bill’s language to favor DNA analysis as the privileged solution to investigational and prosecutorial needs. This provision, and indeed the bill as a whole, ignores the occurrence of false matches, cross-contamination, laboratory error and other limitations of forensic DNA analysis.

The introduction goes on to state, truthfully, that “DNA analysis offers sensitive information which, if misused can cause harm to person or society.” However this statement does not acknowledge that DNA analysis often causes more harm when used as intended as part of unnecessarily expansive powers given to law enforcement authorities. Indeed this is further illustrated by language showing the legislative intent to draft a broad based bill that would govern the use of DNA in a variety of civil and criminal proceedings as well as for purposes to be determined at a later point.

Definitions (Chapter II)

A number of the Bill’s definitions are overbroad, further expanding the scope of its later provisions. The “crime scene index” is defined to include “DNA profiles from forensic material found . . . on or within the body of any person, on anything, or at any place, associated with the commission of a specified offence.” Chapter II(2)(iv). A “specified offence” is defined as any “offence listed in Part 1of the Schedule [to the Bill].” Part 1 of the “Schedule,” on page 56 of the Bill , includes in (A) “Offences under Indian Penal Code” without any specification. In the 2007 version of the bill, the language related to criminal offences was incredibly expansive but specified the various crimes covered inc. rape,“offences relating to dowry,” defamation, and “unnatural offenses.” (See 2007 Bill Schedule p. 34). The current Bill version dispenses with such identified crimes and seemingly expands the Schedule to create an “all crimes” database. The new Bill (Section B) further adds a variety of additional offences under special laws ranging from the Medical Termination of Pregnancy Act to the Motor Vehicles Act and empowers the Board to add any new law it wants to the Schedule. Section C of the Schedule identifies a wide variety of civil matters to be included in the Schedule including disputes related to paternity, pedigree, and organ transplantation. In adds additional civil categories not contemplated by prior versions of the Bill including issues related to assisted reproductive technologies, issues related to immigration/emigration and similar to Section B of the Schedule and in another significant departure from previous Bill versions, empowers the Board to include any other civil matter it chooses in the future. The Crime Scene Index also defines victim expansively to include a person “reasonably suspected of being a victim” (Section 2 ii). Taken together, the government is empowered to conduct genetic testing on almost anyone in any way connected with even minor infractions of the criminal law or involved in virtually any civil proceeding.

The definition of “offender” (Section 2y) is not limited to one with a criminal conviction but includes anyone even charged with an offense, thereby expanding coverage of the criminal provisions of the Bill to include individuals who have not yet been convicted of any crime.

The crucial term “suspect” (Section 2zi) is defined as anyone “suspected of having committed an offence.” By intentionally leaving out the qualifier “specified,” the drafters’ intent is plain: to sweep within the Bill’s breadth all persons suspected of any crime whatsoever even if there is insufficient probable cause for arrest. And, accordingly, the Bill defines the “suspects index” to include “DNA profiles derived from forensic material lawfully taken from suspects.”

Furthermore the definitions include a category of persons entitled “volunteers,” (Section 2 zo) defined as “a person who volunteers to undergo a DNA procedure and, in case of a child or incapable person, his parent or guardian having agreed…” There is no additional clarification as to how this category might be treated in practice but without any clear provisions for informed consent, it is highly unlikely that such participation will be truly voluntary; especially without provisions for decision making subsequent to offering the sample such as future expungement from the system.

Taken together the definitions of victim, offender and suspect expand the reach of this Bill to a broad range of potentially innocent individuals involved in the criminal justice system, while the Schedule and definition of “volunteers” sweep a broad range of categories of innocent citizens into the purview of this Bill- including children and the mentally incapacitated-having nothing to do with the criminal justice system. There is simply no corollary in any other country to such expansive authority. The Bill places India far outside the mainstream of policy in this area and raises serious and far ranging human rights concerns

DNA Profiling Board (Chapter III)

The DNA Profiling Board (hereinafter “Board”) is responsible for administering and overseeing the Indian DNA database . Oversight is an important and valuable concept, however the value of such principles in this Bill are completely overshadowed by the expansive powers given to the Board.

The Bill lays out a number of fields from which the members are to be chosen inc. molecular biology, population biology, criminal justice and bioethics. There is no representation from civil society human rights organizations or the criminal defense bar to ensure that privacy, human rights and the general public interest are ensured. Furthermore the Chief Executive Office of the Board is to be a scientist and therefore unlikely to be familiar with criminal justice matters and evaluations of their efficacy. (Chapter III, Section 10)

The Board is given an almost limitless list of responsibilities including “recommendations for maximizing the use of DNA techniques and technologies (Section 10k) and identifying scientific advances that may assist law enforcement (Section 10L). Such powers are particularly concerning because the Bill does not include any privacy provisions whatsoever but rather invests in the Board the power to make “recommendations for privacy protection laws, regulations and practices relating to access to, or use of stored DNA samples or DNA analyses,” as well as “mak[ing] specific recommendations to . . . ensure the appropriate use and dissemination of DNA information [and] take any other necessary steps required to be taken to protect privacy.” (Section 10o and p). Furthermore the Board is given the responsibility of “deliberating and advising on all ethical and human rights issues emanating out of DNA profiling.” (Section 10t).

These provisions are in lieu of any substantive language limiting the scope of the legislation, and protecting privacy and human rights principles (which the bill otherwise lacks.) These are significant omissions. As expressed in the introduction, the stated purpose of the Bill is “to enhance protection of people in the society and [the] administration of justice.” Taken alone, this Bill actually expresses only the government’s interest in the legislation, suggesting an ambiguously wide scope for its provisions. Substantive concepts of individual privacy and human rights are required to counterbalance the interests of the government and provide protections for the equally vital privacy and human rights interests of the individual. As such, limiting privacy and human rights principles should be included alongside the expression of the government’s security interest. Without it, the Board will effectively have carte blanche with regard to what privacy and human rights protections are—or are not—adopted.

Also in a departure from previous versions of this Bill, this Bill expands the Boards powers to include areas of policy beyond the coverage of the Bill’s other provisions including “intellectual property issues. (Section 10i)

Finally, as noted earlier in the discussion of the Schedule (and in a significant departure from previous versions of the Bill), the Board is given total control to expand every category of person to be included under the Bill. In a democratic system of government, such decisions should rest exclusively with the Parliament and therefore be subject to the checks and balances of government as well as the transparency necessary to ensure public participation. Leaving such decision making to an unelected body raises serious human rights concerns.

Approval of Laboratories (Chapter IV)

Sections 13 to 17 provide for the approval by the DNA Profiling Board of DNA laboratories that will process and analyze genetic material for eventual inclusion on the DNA database. Under Section 13, all laboratories must be approved in writing prior to processing or analyzing any genetic material. However, a conflicting provision appears in the next section, Section 14(2), which permits DNA laboratories in existence at the time the legislation is enacted to process or analyze DNA samples immediately, without first obtaining approval.

Either an oversight on the part of the drafters, or the product of overly-vague language, the result is that established genetic laboratories—including whatever genetic material or profiles they may already have for whatever reason—are in effect “grandfathered” into the system. The only review of these laboratories is the post hoc approval of the laboratory by the DNA profiling board. The potential for abuse and error that this conflict of provisions would be best addressed in keeping with the rule articulated in Section 13, i.e. correcting the language of Section 14(2) that allows for laboratories to be “grandfathered” into the system.

Standards, Obligations of DNA Laboratory (Chapter V)

Chapter V, which concerns the obligations of and the standards to be observed by approved DNA laboratories, lacks adequate administrative requirements. For example, Section 21 requires that labs ensure “adequate security” to minimize contamination without providing for accountability in the event of contamination. Similarly, Section 27 provides for audits of DNA laboratories only, withholding from similar scrutiny of the DNA Profiling Board itself. However, the greatest limitation of every Section of this Chapter is that rather than offering any specific substantive requirements, they instead offer categories requiring attention “as may be specified “ by the DNA Board. Any actual standard or obligation by a laboratory is set entirely by the DNA Board. Minimum standards must be set by law to ensure compliance.

Infrastructure and Training (Chapter VI)

Similar to Chapter V, this section offers no legislative benchmarks but rather categories of activities, with further regulation “as may be specified” by the Board. As noted earlier, there are serious concerns in using DNA analysis with regards to false matches, cross-contamination and laboratory error. Not taking such concerns seriously, and taking serious steps to minimize their occurrence, can lead to significant distrust of government and police authority when such incidents occur.

DNA Databank (Chapter VII)

In addition on one national DNA database, the Bill sanctions the several Indian states to maintain their own DNA databases, provided these state-level databases forward copies of their content to the national database. Section 32(3). Section 32(5) states that the indices should include records related thereto” the DNA analysis. (See also Section 35(b)) Such provisions allow for access to “the information” contained in the database, not simply “the DNA profiles” contained in the database. Without further clarification it would appear to authorize an unlimited amount of private information unrelated to identification to be included in the indices.

The national database is envisioned to comprise several sub-databases (Section 32(4)), each to contain the genetic information of a subset of persons/samples, namely: (a) unidentified crime scene samples, (b) samples taken from suspects, (c) samples taken from offenders inc. persons convicted or currently subject to prosecution for criminal offenses (d) samples associated with missing persons, (e) samples taken from unidentified bodies, (f) samples taken from “volunteers,” and finally (g) samples taken for reasons “as may be specified by regulations made by the Board. Section 33 (4) et seq. Putting to one side the breadth of persons subject to inclusion under subcategories (1) through (6), subsection (7) appears on its face to be a “catch all” provision, leaving one only to guess at the circumstances under which its specificities may be promulgated.

A close reading of Section 32(6) strongly suggests that the agency conducting the forensic analyses and populating the DNA database shall retain the actual DNA samples thereafter. This section reads in relevant part:

The “DNA Data Bank shall contain . . . the following information, namely: (a) in case of a profile in the offenders index, the identity of the person from whose body substance or body substances the profile was derived, and (b) in case of all other profiles, the case reference number of the investigation associated with the body substance or body substances from which the profile was derived.

Allowing retention of the biological sample, even after a profile has been created from it, in conjunction with the unlimited ability of the Board to create regulations for additional uses of that sample raises serious privacy and human rights concerns.

Moreover, rather than choosing to link the DNA profile data to a specific offender or case, the drafters of the Bill instead link the “body substance or body substances” with that specific offender or case. Whether sloppy drafting or clever nuance, this provision equates the DNA profile with the DNA sample, injecting unneeded—and potentially harmful—ambiguity into the proposed law.

Section 37 (1) allows for indefinite retention of information in the offenders index (which includes individuals charged with an offense but not convicted). This provision raises serious human rights concerns as it would appear to allow indefinite retention of profiles of individuals who have not been convicted of a crime. This directly conflicts with Section 37 (II) which allows for expungement when a certified copy of a court order stating that the individual in question has been acquitted. This provision also appears to conflict with Chapter VIII Section 43(b) which appears to allow indefinite retention of DNA of suspects even after they’ve been excluded from an investigation. Indeed no process or procedures for expungement and removal of records are in place for suspects generally who are never charged or for any of the other categories of indices that are present in the Bill, thereby raising serious question as to how and even whether such profiles can be removed from the Databank.

Confidentiality, Access to DNA Profiles, Samples, and Records (Chapter VIII)

Two further provisions regarding access to the database warrant close scrutiny. First, Sections 39 and 40 confers upon the Board the unlimited power to expand categories for which DNA profiles, samples and records can be used. Considering that the Bill (Section 40(e)) already questionably allows such records to be used for population research, these provisions raise serious questions as to the classes of potential use such private information might be subject.
Sections 40-42 purport to confer upon the police and other authorized individuals direct access to all of the information contained in the national DNA database. While administratively expedient, this arrangement opens up the possibility for misuse. A more prudent system would place the Board (or some administrative subordinate portion thereof) between the police and the content of the DNA database, with the latter having to make specific and particular requests to the former. This would minimize the risks inherent in the more expansive model of database access the bill currently envisions.

Section 45 related to post-conviction DNA testing has the laudable goal of offering “any individual undergoing a sentence of imprisonment or death pursuant to conviction for an offence, may apply to the court which convicted him for an order of DNA testing” in order to prove their innocence. However such an application lists eleven separate criteria that such an applicant must meet before qualifying, and allows a court total discretion in deciding whether all such criteria have been met. High barriers and absolute discretion make such testing highly unlikely and therefore make a provision seeming to offer human rights protections completely hollow.

Offences and Penalties (Chapter X)

This chapter lays out penalties for misuse of the Database. Most notably, the bill specifically excludes a private cause of action for the unlawful collection of DNA, or for the unlawful storage of private information on the national DNA database. A new provision in Section 58 does allow for an aggrieved person to petition the Central Government or Board if an instance of misuse is not being addressed but such provision does not contain any required processes such entities must follow in responding to such a petition, making an otherwise positive new provision relatively empty. Nor does the bill grant an individual right to review one’s personal data contained on the database. Without these key features, there are limited checks against the unlawful collection, analysis, and storage of private genetic information on the database.

Best Practices Analysis

Collection of DNA

With consent: only for a specific investigation (e.g. from a victim or for elimination purposes). Volunteers should not have information entered on a database.	No provision.
Without consent: only from persons suspected of a crime for which DNA evidence is directly relevant i.e. a crime scene sample exists or is likely to exist. Or, broader categories?	No provision.
Requirement for an order by a court? Or allowed in other circumstances?	No provision.
Samples collected by police officers, or only medical professionals? Must take place in a secure location i.e. not on the street, etc.	No provision.
Provision of information for all persons from whom DNA is taken.	No provision.
Crime scenes should be promptly examined if DNA evidence is likely to be relevant, and quality assurance procedures must protect against contamination of evidence.	No provision; regulated at discretion of DNA Profiling Board.

Analysis of DNA

Should take place only in laboratories with quality assurance.	Regulated at discretion of DNA Profiling Board.
Laboratories should be independent of police.	No provision; regulated at discretion of DNA Profiling Board.
Profiling standards must be sufficient to minimize false matches occurring by chance. This must take account of increased likelihood of false matches in transboundary searches, and with relatives.	No provision; regulated at discretion of DNA Profiling Board.

Storage of DNA and Linked Data

Data from convicted persons should be separate from others e.g. missing persons’ databases.	Unclear.
Access to databases and samples must be restricted and there must be an independent and transparent system of governance, with regular information published e.g. annual reports, minutes of oversight meetings.	Access to database at discretion of DNA Data Bank Manager.
Personal identification information should not be sent with samples to laboratories.	No provision; regulated at discretion of DNA Profiling Board.
Any transfer of data e.g. from police station to lab or database, must be secure.	No provision; regulated at discretion of DNA Profiling Board.

Uses of Samples and Data

Research uses should be restricted to anonymised verification of database performance (e.g. checking false matches etc.). Third party access to data for such purposes should be allowed, provided public information on research projects is published. There should be an ethics board.	No provision.
Research uses for other purposes e.g. health research, behavioral research should not be allowed.	No provision.
Uses should be restricted by law to solving crimes or identifying dead bodies/body parts. Identification of a person is not an acceptable use. Missing persons databases (if they exist) should be separate from police databases. .	Ambiguous provisions suggest much wider scope.
Any transfer of data e.g. from police station to lab or database, must be secure.	No provision.

Destruction of DNA and Linked Data

DNA samples should be destroyed once the DNA profiles needed for identification purposes have been obtained from them, allowing for sufficient time for quality assurance, e.g. six months.	DNA samples are retained.
An automatic removals process is required for deletion of data from innocent persons. This must take place within a reasonable time of acquittal, etc.	No provision.
There should be limits on retention of DNA profiles from persons convicted of minor crimes.	No provision.
There should be an appeals process against retention of data.	No provision.
Linked data on other databases (e.g. police record of arrest, fingerprints) should be deleted at the same time as DNA database records.	No provision.
Crime scene DNA evidence should be retained for as long as a reinvestigation might be needed (including to address miscarriages of justice).	DNA evidence permitted to be retained indefinitely.

Use in court

Individuals must have a right to have a second sample taken from them and reanalyzed as a check.	No provision.
Individuals must have a right to obtain re-analysis of crime scene forensic evidence in the event of appeal.	Allowed but with impossibly high barriers.
Expert evidence and statistics must not misrepresent the role and value of the DNA evidence in relation to the crime. .	No provision.

Other

Relevant safeguards must be proscribed by law and there should be appropriate penalties for abuse.	No provision.
Impacts on children and other vulnerable persons (e.g. mentally ill) must be considered.	No provision.
Potential for racial bias must be minimized.	No provision.

Click for more information on the Council for Responsible Genetics.

For more details visit https://cis-india.org/internet-governance/blog/human-dna-profiling-bill-analysis

How to Engage in Broadband Policy and Regulatory Processes

praskrishna — 2014-04-03T06:07:04Z

LIRNEasia with the support of the Ford Foundation offered a four-day course in Gurgaon from March 7 to 10, 2014. Sunil Abraham taught on Surveillance and Privacy.

Click to see Sunil Abraham's presentation on Surveillance and Privacy. Also read it on LIRNE asia website here.

Goal

To enable members of Indian civil-society groups (including academics and those from the media) to marshal available research and evidence for effective participation in broadband policy and regulatory processes including interactions with media, thereby facilitating and enriching policy discourse on means of increasing broadband access by the poor.

Outcomes

The objective of the course is to produce discerning and knowledgeable consumers of research who are able to engage in broadband policy and regulatory processes. The course will benefit those working in government and at operators as well.

At the end of the course attendees will:

Be able to find and assess relevant research & evidence

Be able to summarize the research in a coherent and comprehensive manner
Have an understanding of broadband policy and regulatory processes in India
Have the necessary tools to improve their communication skills
Have some understanding of how media function and how to effectively interact with media

Participants will be formed into teams on day1. Both group assignments are connected.

The first assignment requires each group to research on a National Broadband Network (NBN) assigned to them (one of US, Singapore, Hong Kong, Brazil, South Africa, Korea or Colombia) and writing it up based on a template that will be provided. Each team will have to present their findings about the NBN at the end of day 2.

The second assignment is to be performed by teams. It is an oral presentation, accompanied by a policy brief of two pages max. at a mock public hearing at which the Indian Department of Telecommunications (DoT) is seeking input on the question of subsidizing fiber-to-the-home (FTTH) as the second phase of the current INR 20,000 Crore (USD 4 Billion) National Optical Fiber Network initiative. Each team will be assigned a role and they should present the recommendations from the point of view of the assigned ‘role’. All presentations must be evidence based. It is expected that participants will use what they learnt about other NBNs on day 2 to support their argument. Additional research must be conducted on Days 3 and 4.

	Day1 (March 7)	Day2 (March 8)	Day3 (March 9)	Day4 (March 10)
09.00 10.30	S1 Introduction (Rohan Samarajiva RS)	S5 Interrogating supply-side indicators (RS & RLG)	S8 Indian broadband policy & regulatory environment in relation to comparator countries (Satyen Gupta SG)	S13 Lessons from Mexico (Ernesto Flores EF)
10.30 11.00	Break	Break	Break	Break
11.00 12.00	S2 Research on significance of broadband/Internet (Payal Malik PM)	S6 Assessing & summarizing research (RS & NK)	S9 Research on subsidies in broadband eco system (PM)	S14 Spectrum policy debates (Martin Cave (MC)
12.00 13.00	S3 Finding research (Nilusha Kapugama NK)	S7 The art of media interaction (RS)	S10 Making policy & doing regulation (SG & Rajat Kathuria RK) panel discussion	S15 Framing issues (RS)
13.00 14.00	Lunch	Lunch	Lunch	Lunch
14.00 15.00	A1 Group formation; Assignments explained and introduction of Broadband Website (Roshanthi Lucas Gunaratne RLG)	A2 Rewriting research summaries & preparing presentations	S11 Surveillance and Privacy (RS & Sunil Abraham SA)	A5 Mock public hearing (RS & panel)
15.00 15.30	Break	Break	Break	Break
15.30 17.00	S4 Demand-side research (NK)	A3 Presentation & critique of research summaries (RS & Panel)	S12 International policy debates on Internet and broadband (RS)	A5 Mock public hearing & critique (RS & panel)
17.00 onwards	Group work	Group work	Group work	Certificate dinner

Faculty

Rohan Samarajiva, PhD
Rohan Samarajiva, was the founding CEO (2004 - 2012) and Chair (2004 – onwards) of LIRNEasia.

Previously he was the Team Leader at the Sri Lanka Ministry for Economic Reform, Science and Technology (2002-04) responsible for infrastructure reforms, including participation in the design of the USD 83 million e Sri Lanka Initiative. He was Director General of Telecommunications in Sri Lanka (1998-99), a founder director of the ICT Agency of Sri Lanka (2003-05), Honorary Professor at the University of Moratuwa in Sri Lanka (2003-04), Visiting Professor of Economics of Infrastructures at the Delft University of Technology in the Netherlands (2000-03) and Associate Professor of Communication and Public Policy at the Ohio State University in the US (1987-2000). He was Policy Advisor to the Ministry of Post and Telecom in Bangladesh (2007-09).

He serves as Senior Advisor to Sarvodaya (Sri Lanka’s largest community based organization) on ICT matters. Samarajiva is a Board Member of Communication Policy Research south, an initiative to identify and foster policy intellectuals in emerging Asia. He serves on the editorial boards of seven academic journals.

His full CV can be found at http://lirneasia.net/wp-content/uploads/2007/12/CVApril1long.pdf

Martin Cave, PhD
Martin Cave is a regulatory economist specialising in competition law and in the network industries, including airports, broadcasting, energy, posts, railways, telecommunications and water. He has published extensively in these fields, and has held professorial positions at Warwick Business School, University of Warwick, UK, and the Department of Economics, Brunel University, UK. In 2010/11, Martin held the BP Centennial Chair at the London School of Economics, based in the Department of Law. He is now Visiting Professor at Imperial College Business School.

He is a Deputy Chair of the Competition Commission from January 2012. He has provided expert advice to governments, competition authorities, regulators and firms around the world, focussing particularly upon the communications industries. This work has included reviews of spectrum policies for the Governments of Australia, Canada and the UK; advice on market analysis and access remedies to a large number of regulators in Asia, Australia, Europe and Latin America, including the European Commission. He has provided advice and expert testimony in competition and sector-specific regulatory proceedings to a number of major international firms in Asia, Australasia and Europe. He has also advised UK ministers on matters relating to the water sector, housing, legal services and airports, and advised regulators in the railway and energy sectors. He was a founder member of the Academic Advisory Committee of the Brussels-based think tank, the Centre for Regulation in Europe (www.cerre.eu). In 2009 he was awarded the OBE for public service.

His full CV available on http://www.martincave.org.uk/index.php

Payal Malik
Payal Malik is a Senior Research Fellow of LIRNEasia and an Associate Professor of Economics at the Delhi University. She is currently on deputation to the Competition Commission of India. She is also associated with National Council of Applied Economic Research and Indicus Analytics. She received her Master of Philosophy (M.Phil.), and MA in Economics from the Delhi School of Economics and BA in Economics from Lady Shriram College, University of Delhi. She also has a MBA in Finance from the University of Cincinnati.

She has several years of research experience on the issues of competition and regulation in network industries like power, telecommunication and water. In addition, she has done considerable research on the ICT sector. Recently she has been actively engaged in competition policy research. At LIRNEasia, she has led research on measuring India’s telecom sector and regulatory performance, including a study on Universal Service Instruments. She has written both for professional journals as well as for the economic press. Currently she is a regular columnist for the Financial Express, India and a referee for the Information Technologies and International Development journal published by University of Southern California, Annenberg. Click here to download a detailed version of CV.

Satyen Gupta
Satyen Gupta is the founder and Secretary General, NGN Forum, India. Previously he was the chief of Corporate Affairs, Sterlite Technologies Ltd and headed the Regulatory and Govt. Affairs for BT global Services for SAARC Region and handled Licencing, Regulation, compliance, competition and Industry Advocacy issues. He is also a member, Advisory Board of Creation and Implementation of National Optical Fibre Network for the government of India (2011 onwards). From 2000-2006 he served as the Principle Advisor, Telecom Regulatory Authority of India at the level of additional secretary to the government of India and headed the fixed network division. He is the author of “Everything Over IP-All you want to know about NGN” (2011).

He has conducted and taught many courses on telecommunication technologies, policy and regulation. He is also a Govt. Affairs and Regulatory advocate. He graduated with Hons, in Engineering in 1979 from NIT, Kurukshetra University, INDIA and went on to complete his post graduate studies in Electronics Design Technology at CEDT, Indian Institute of Science, Bangalore.

Rajat Kathuria, PhD
Rajat Kathuria is Director and Chief Executive at Indian Council for Research on International Economic Relations (ICRIER), New Delhi. He has over 20 years experience in teaching and 10 years experience in economic policy, besides research interests on a range of issues relating to regulation and competition policy. He worked with Telecom Regulatory Authority of India (TRAI) during its first eight years (1998-2006) and gained hands on experience with telecom regulation in an environment changing rapidly towards competition. The role entailed analysis of economic issues relating to telecom tariff policy, tariff rebalancing, interconnection charges and licensing policy. Market research and questionnaire development and analysis formed an integral part of this exercise. It also involved evaluation of macro level initiatives for transforming the telecom industry. He wrote a number of consultation papers which eventually formed the basis of tariff and interconnection orders applicable to the industry. He has an undergraduate degree in Economics from St. Stephens College, a Masters from Delhi School of Economics and a PhD degree from the University of Maryland, College Park.

Ernesto Flores, PhD
Ernesto M. Flores-Roux majored in Mathematics from the National University of Mexico (UNAM), obtained partial credits in a Masters in Economics (ITAM), and received his PhD in Statistics from The University of Chicago (1993). From 1993 to 2004, he worked for McKinsey & Co., Inc. (Mexico, Brazil), one of the most prestigious international consulting firms, first as a Consultant, then as Partner, and finally as the Partner in charge of McKinsey's Rio de Janeiro office. He specialized in several aspects of the telecommunications industry, including regulation, planning, strategy, and marketing. He assisted the governments of Mexico and Brazil in their deregulation and privatization processes. In 2004, he joined Telefonica, first as Director of Marketing and Strategy in Mexico and then transferring to Telefónica's operations in Peru, China (Beijing), and Brazil. In 2008 he joined the Ministry of Communications and Transport (SCT) in Mexico as Chief of Staff of the Deputy Minister of Communications. In 2009 he joined CIDE (Centro de Investigación y Docencia Económicas, Mexico City) as an associate professor of CIDE's telecommunications program (Telecom CIDE). He has published several papers in telecommunications policy and has written reports for the IDB, GSMA, UN/CEPAL , Ahciet, CAF, OECD, as well as other publications in industry and academic journals. In 2011 he became a member of the Advisory Council of the Mexican telecommunications regulator (Cofetel – Comisión Federal de Telecomunicaciones).

Sunil Abraham
Sunil Abraham is the Executive Director of Bangalore based research organization, the Centre for Internet and Society. He founded Mahiti in 1998, a company committed to creating high impact technology and communications solutions. Today, Mahiti employs more than 50 engineers. Sunil continues to serve on the board. Sunil was elected an Ashoka fellow in 1999 to 'explore the democratic potential of the Internet' and was also granted a Sarai FLOSS fellowship in 2003. Between June 2004 and June 2007, Sunil also managed the International Open Source Network, a project of United Nations Development Programme's Asia-Pacific Development Information Programme serving 42 countries in the Asia-Pacific region.

Nilusha Kapugama
Nilusha Kapugama is a Research Manager at LIRNEasia and manages the electricity component of the 2012-2014 IDRC Project on ‘Achieving e-inclusion by improving government service delivery & exploring the potential of “big data” for answering development questions’.

She is also working on a systematic review looking at the economic impacts of mobile phones. Previously she managed the Knowledge Based Economy project at LIRNEasia, which looked at the information and knowledge gaps in agriculture supply chains. She also worked on CPR south, LIRNEasia’s capacity-building initiative to develop Asia-Pacific expertise and knowledge networks in ICT policy regulation. She has also done research on broadband quality indicators and national regulatory authority (NRA) website indicators. She has also worked on LIRNEasia’s Virtual Organization Project. She has experience organizing international conferences and training courses.

She holds a master’s degree in development economics and policy from the University of Manchester, UK.

Roshanthi Lucas Gunaratne
Roshanthi is a Research Manager at LIRNEasia and is currently managing the Ford Foundation Funded project on Giving Broadband Access to the Poor in India.

She is also contributing to the IDRC Customer Lifecycle Management Practices Project by conducting research on customer lifecycle management practices in telecommunication sector in Bangladesh.

Before joining LIRNEasia, Roshanthi worked at the Global Fund to fight AIDS, Tuberculosis and Malaria, Geneva, Switzerland as a Strategic Information Officer. She contributed to the process of defining the Global Fund Key Performance Indicators, and also worked on improving the performance measurements of their grants. Prior to that, she worked as a telecom project manager at Dialog Telecom, and Suntel Ltd in Sri Lanka. As Suntel she managed the design and implementation of corporate customer projects.

She holds a MBA from the Judge Business School, University of Cambridge, UK and a BSc. Eng (Hons) specializing in Electronics and Telecommunication from the University of Moratuwa, Sri Lanka.

Resource Materials

Bauer, Johannes M.; Kim, Junghyun; & Wildman, Steven S. (2005). An integrated framework for assessing broadband policy options. MICH. ST. L. REV. 21, pp. 21-50. http://www.msulawreview.org/PDFS/2005/1/Bauer-Kim.pdf

Broadband Commission (2012). The state of broadband 2012: Achieving digital inclusion for all. http://www.broadbandcommission.org/Documents/bb-annualreport2012.pdf

Government of India, Department of Telecommunications (2012). National Telecom Policy 2012. http://www.dot.gov.in/ntp/NTP-06.06.2012-final.pdf

Government of India, Department of Telecommunications (2004). Broadband policy. http://www.dot.gov.in/ntp/broadbandpolicy2004.htm

Junio, Don Rodney (2012). Does a National Broadband Plan Matter? A Comparative Analysis of Broadband Plans in Hong Kong and Singapore http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2146566

InfoDev. Broadband strategies toolkit. http://broadbandtoolkit.org/en/toolkit/contents

Samarajiva, Rohan (2010). Leveraging the budget telecom network business model to bring broadband to the people, Information Technology and International Development, 6, special edition: 93-97. http://itidjournal.org/itid/article/view/630/270

For more details visit https://cis-india.org/news/how-to-engage-in-broadband-policy-and-regulatory-processes

How the world’s largest democracy is preparing to snoop on its citizens

praskrishna — 2013-07-15T09:41:21Z

Monitoring system will allow govt to snoop on voice calls, SMSes, and access Internet data.

The article by Leslie D' Monte and Joji Thomas Philip was published in Livemint on July 3, 2013. Sunil Abraham is quoted.

Nothing will be secret or private.

Every conversation on landlines and mobile phones will be heard; some will be recorded. Every move you make on the Internet will be tracked.

Fiction?

By December, when the Nanny State goes live, it will be fact.

Once the government’s innocuously named CMS (communication monitoring system) is in place, the state will be able to snoop on your voice calls, fax messages, SMSes and MMSes, across all phone networks. It will be able to access your Internet data, and see not just what sites you visit but even build a cache of your inbox, to decrypt at leisure.

The process began more than a couple of years ago.

On 29 April 2011, India’s home ministry called for bids to set up communications monitoring systems in all state capitals. The notice, which was published on its website and went almost unnoticed, specified that the system should be able to monitor voice calls, fax messages, SMSes and MMSes, and work across terrestrial networks, GSM and CDMA (the dominant mobile telephony platforms), and the Internet.

	The tender specified that the system should be able to listen in live, and be able to analyse intercepted data. It should have the ability to record, store and playback, without interfering “with the operation of telecommunication network or make the target aware that he is being monitored”. The CMS is no longer a concept. It has undergone successful pilots and is likely to be commissioned by the year-end, according to an internal note dated 10 June from the department of telecommunications (DoT). A top government official, who did not want to be named, said the CMS centralized data centre is likely to be ready by July and commissioned by October. The official also added that the Centre for Development of Telematics (C-DoT), the government’s telecom technology arm, has “signed an agreement with the Centre for Artificial Intelligence and Robotics (CAIR) for Internet Service Provider integration”. This agreement will allow monitoring agencies to track an individual’s Internet use.

The tender specified that the system should be able to listen in live, and be able to analyse intercepted data. It should have the ability to record, store and playback, without interfering “with the operation of telecommunication network or make the target aware that he is being monitored”.

The CMS is no longer a concept. It has undergone successful pilots and is likely to be commissioned by the year-end, according to an internal note dated 10 June from the department of telecommunications (DoT).

A top government official, who did not want to be named, said the CMS centralized data centre is likely to be ready by July and commissioned by October. The official also added that the Centre for Development of Telematics (C-DoT), the government’s telecom technology arm, has “signed an agreement with the Centre for Artificial Intelligence and Robotics (CAIR) for Internet Service Provider integration”. This agreement will allow monitoring agencies to track an individual’s Internet use.

Subsequent media reports, which have cited internal government documents, peg the cost of the CMS at around Rs.400 crore, but there is hardly any official data from the government about the implementation of the CMS.

In its 2012-13 annual report, DoT said the government has decided to set up the CMS for lawful interception and monitoring by law enforcement agencies, “reducing the manual intervention at many stages as well as saving of time”.

The system, according to the report, was to be installed by C-DoT after which the Telecom Enforcement, Resource and Monitoring (TERM) cells would take over. As on 31 March, there were 34 such TERM cells in the country. The current number could not be ascertained.

How does the government justify this invasive system? Its purpose is unclear, but national security is always a handy spectre. And so what if such a system can be misused to bully, spy and curtail the freedom of individuals? Indeed, India’s track record of using existing laws doesn’t inspire confidence.

Student Shaheen Dhada was arrested (under the law) for criticizing the shutdown of Mumbai after the death of Shiv Sena supremo Bal Thackeray on her personal Facebook account. Her friend, Renu Srinivasan, who had “liked” the comment was also arrested. The two were later freed, on bail.

No known safeguards

But how does the CMS work? According to the government official cited above, the Central Bureau for Investigation (CBI), for instance, is likely to be provided interception facilities through the CMS in Delhi initially.

“CBI shall enter data related to target in the CMS system and approach the telecom services provider”, at which point the process is automated, and the provider simply sends the data to a server which forwards the requested information, he explained.

He didn’t mention any safeguards, nor have any been made public, which means that there are likely none. In a Q&A session on the popular social network Reddit on Tuesday, academic and activist Lawrence Lessig, the co-founder of Creative Commons, wrote on the subject of snooping in the US, “I’m really troubled by national security programmes. We don’t know what protections are built into the system.”

That has become the subject of much debate following the leaks by whistleblower Edward Snowden about the US National Security Agency’s surveillance programme.

Lessig pointed out that protection based on code is the only real protection from misuse, as other safeguards are dependent on people choosing not to violate reasonable expectations of privacy.

Which is the heart of the problem. From what we know, the list of agencies with access to data in India is already large: the Research and Analysis Wing, CBI, the National Investigation Agency, the Central Board of Direct Taxes, the Narcotics Control Bureau, and the Enforcement Directorate. More may be added.

For the system to be useful in any practical fashion, access will have to be given to a large number of officials in each of these agencies. And in the absence of safeguards, one must assume that all data is accessible to all officials.

To be sure, some of this information is already being tracked by Internet companies.

Ravina Kothari, a 22-year-old student at Cardiff University, said she learnt a bitter lesson “last year when I Googled my name”. “It revealed all the personal details I had put up on social media sites. My childhood school photos popped up on Google image search results. Worse, I had not put them there. My friends had tagged me in—all so scary. And I can’t do anything about it.”

She has since stopped uploading personal details such as videos, pictures or telephone numbers.

Twenty-one-year-old Shruti Lodha, studying to be a chartered accountant, feels a similar discomfort.

“I am definitely not comfortable with Google, and how every time I Google myself it reveals my identity and shows information that is on social media sites.”

In 2011, 24-year-old Max Schrems of Vienna, Austria, asked the world’s largest social networking site Facebook Inc. for a copy of every piece of information it had collected on him since he had created an account with it two years earlier.

Schrems was delivered a CD packing a 1,222-page file that included information he had deleted, but had been stored on Facebook’s servers, according to ThreatPost, a publication on information technology (IT) security run by Kaspersky Lab, a leading maker of antivirus software.

Had Schrems been a resident of India, he could not have known how much personal information Facebook had on him. Every person in the European Union (EU) has the right to access all the data that a company holds on him or her.

With the CMS, all this information, and much more, can be called up by just about anyone—the taxman, CBI officials, Assam Police (which will also monitor the network according to some reports)—and the old bogey of national security may not even be raised.

Need for a privacy law

Publicly at least, companies agree that the new monitoring systems infringe on our rights. Subho Ray, president, Internet and Mobile Association of India said, “Without any prior permission, government should not take or use any information which is considered private. The biggest challenge for us is that we do not have a privacy law in India.”

Cyber law experts and privacy lobby groups caution that the world’s largest democracy’s attempt to snoop on its citizens with the CMS, ostensibly for security reasons, could be abused in the absence of a transparent process and a privacy law.

The issue has become alarming, they add, with the US admitting to be collecting billions of pieces of information on immigrants—6.3 billion from Indian citizens alone under the Foreign Intelligence Surveillance Act, according to an 8 June report in the UK-based The Guardian newspaper.

“We don’t know much about the CMS, except that when implemented, it could be plugged directly into telecom nodes and lead to widespread tapping,” said Apar Gupta, a partner at law firm Advani and Co. specializing in IT law.

“There’s no legal sanction as of now for any type of mass surveillance, such as the one that the CMS suggests,” said Pavan Duggal, a Supreme Court lawyer and cyberlaw expert.

Gupta added that since India lacks privacy legislation, which obliges companies to maintain privacy standards when they export the data which they’ve gathered in India overseas, “this poses a problem”.

N.S. Nappinai, a Bombay high court advocate, said, “India has lived without any codified laws to protect privacy all these years and has relied primarily on Article 21 of the Constitution. Protecting privacy has just become more complicated with the humongous quantity of data being uploaded online. People seem totally unaware of the trouble they are inviting upon themselves.”

Current laws are already compromised

The lack of a privacy law makes it easier for the government to take such extreme steps. The Indian Telegraph Act and the IT Act, 2008 (amendments introduced in the IT Act, 2000), already gives the government the power to monitor, intercept and even block online conversations and websites. The addition of the CMS will greatly widen the number of sources and could simplify access to these records as well.

On 25 April 2011, the government admitted that the existing laws include provisions for interception and pointed out that the Supreme Court had, on 18 December 1996, upheld the constitutional validity of interceptions and monitoring.

While the court had added that telephone tapping infringes on the right to life and the right to freedom of speech and expression, unless permitted under special procedures, these guidelines are not usually implemented, according to activists.

The shortcomings of the existing laws already make it possible to misuse the vast amount of information that is available today. These laws were written at a time when the Internet was not a fact of life, and where the lines between public and private were not already blurred. Given that, the perspectives on privacy can be worrisome.

In a report presented to the Lok Sabha on 13 December 2011, the ministry of planning said, “Collection of information without a privacy law in place does not violate the right to privacy of the individual…There is no bar on collecting information, the only requirement to be fulfilled with respect to the protection of the privacy of an individual is that care should be taken in collection and use of information, consent of individual would be relevant, information should be kept safe and confidential.”

This proposed Right to Privacy Bill was leaked to the public, and eventually nothing came of it.

On 16 October 2012, a commission headed by justice (retired) A.P. Shah issued a report that included the study of privacy laws and related Bills from around the world. The report noted that with the “increased collection of citizen information by the government, concerns have emerged on their impact on the privacy of persons”.

Despite the report being given to the Planning Commission, the government has continued with its plans.

Early this year, a privacy lobby body, the Centre for Internet and Society (CIS) drafted the Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India.

CIS worked with the Federation of Indian Chambers of Commerce and Industry and the Data Security Council of India and held round table meetings around the country to bring about a privacy law.

Sunil Abraham, executive director, CIS, said, “While the government sets out to protect national interests, it’s also very important to protect the rights of individuals.”

The way ahead

Human Rights Watch, in a 7 June media release, described the CMS as “chilling, given its (India’s) reckless and irresponsible use of sedition and Internet laws”.

According to Freedom on the Net 2012, released on 24 September, India—which scored 39 points out of 100—was termed “partly-free”. But India is not alone. Around 40 countries filter the Internet in varying degrees, including democratic and non-democratic governments.

YouTube and Gmail (both owned by Google Inc.), BlackBerry, WikiLeaks, Skype (owned by Microsoft Corp.), Twitter and Facebook have all been censored, at different times, in countries such as China, Iran, Egypt and India.

European Union countries have strong privacy laws as is evident from the Schrems case.

Australia is engaged in putting similar safeguards in place. On 24 June, a Senate committee recommended that Australia’s proposed data retention scheme only be considered if it just collected metadata, avoided capture of browser histories and contained rigorous privacy controls and oversight.

Indian politicians could take a cue from such countries when balancing national interest with protecting the privacy of individuals.

Gopal Sathe in New Delhi and Zahra Khan in Mumbai contributed to this story.

For more details visit https://cis-india.org/news/livemint-leslie-d-monte-joji-thomas-philip-july-3-2013-how-the-worlds-largest-democracy-is-preparing-to-snoop-on-its-citizens

How The U.K. Got A Better Deal From Facebook Than India Did

praskrishna — 2016-11-18T01:56:49Z

The U.K.’s Information Commissioner’s Office (ICO) and India’s Karmanya Sareen shared a similar concern – how messenger application WhatsApp’s decision to share user data with parent Facebook is a violation of the promise of privacy.

The blog post by Payaswini Upadhyay was published in Bloomberg Quint on November 17, 2016. Sunil Abraham was quoted.

Last week, Facebook agreed to address the concerns of the ICO; in India, it didn’t have to.

WhatsApp: New Privacy Policy

In August 2016, WhatsApp issued a revised privacy policy that allowed it to share user information with parent company Facebook. Any user who didn’t want her information to be shared with Facebook had a 30-day period to opt out of the policy. Opting out meant that a user’s account information would not be shared with Facebook to improve ads and product experiences. But, there was a caveat.

The Facebook family of companies will still receive and use this information for other purposes such as improving infrastructure and delivery systems, understanding how our services or theirs are used, securing systems, and fighting spam, abuse, or infringement activities.
WhatsApp Support Team statement on its website

Facebook’s Commitment To ICO

The ICO decided to delve deeper into what Facebook intended to do with the WhatsApp user data. Elizabeth Denham, Information Commissioner, ICO stated in her blog that users haven’t been given enough information about what Facebook plans to do with the information, and WhatsApp hasn’t got valid consent from users to share the information.

I also believe users should be given ongoing control over how their information is used, not just a 30-day window.
Elizabeth Denham, Information Commissioner, ICO

Denham further elaborated ICO’s stand - that it’s important users have control over their personal information, even if services don’t charge them a fee.

We’ve set out the law clearly to Facebook, and we’re pleased that they’ve agreed to pause using data from U.K. WhatsApp users for advertisements or product improvement purposes.
Elizabeth Denham, Information Commissioner, ICO

The ICO has now asked Facebook and WhatsApp to sign an undertaking committing to better explaining to users how their data will be used, and to giving users ongoing control over that information. Additionally, the ICO also wants WhatsApp to give users an unambiguous choice before Facebook starts using that information and for them to be given the opportunity to change that decision at any point in the future. Facebook and WhatsApp are yet to agree to this, Denham stated.

If Facebook starts using the data without valid consent, it may face enforcement action from my office.
Elizabeth Denham, Information Commissioner, ICO

In the U.K., protections in the European Data Protection Directive have been incorporated into local law via the Data Protection Act 1998. The ICO is both the privacy regulator and the transparency (right to information) regulator, Sunil Abraham, executive director at the Centre for Internet and Society pointed out. The regulator can issue enforcement notices and also fine errant actors in the market place, he said.

This is a regulator with expertise, experience and teeth. Come May 25, 2018, the General Data Protection Regulation will come into force and this will give more comprehensive powers to the regulator to investigate and remedy cases like this. The regulator will take each principle from the Directive or Regulation and examine Facebook’s actions comprehensively before deciding on a response.
Sunil Abraham, Executive Director, Centre for Internet and Society

For example, if the regulator determines that the principle of choice and consent has not been complied with, it can force Facebook to reverse its decisions and provide greater transparency and clearer choices, Abraham added.

Karmanya Sareen’s Grievance

Back home in India, just two months ago, Karmanya Sareen, a WhatsApp user, argued before the Delhi High Court against the company’s new privacy policy. The argument was that WhatsApp’s August 2016 notice to its users about the proposed change in the privacy policy violated the fundamental rights of users under Article 21 of the Constitution. Article 21 promises protection of life and personal liberty.

Proposed change in the privacy policy of WhatsApp would result in altering/changing the most valuable, basic and essential feature of WhatsApp i.e. the complete protection provided to the privacy of details and data of its users.
Karmanya Sareen vs Union of India

The Delhi High Court struck down the Article 21 argument saying that the Supreme Court was still deliberating over including right to privacy as a fundamental right. It also pointed to WhatsApp’s 2012 Privacy Policy that allowed the company to transfer user information in case of an acquisition or merger with a third party. The 2012 policy also allowed WhatsApp to change the terms periodically.

Consequently, the Delhi High Court held that it is not open to the users now to contend that WhatsApp should be compelled to continue the same terms of service. However, the court gave WhatsApp two directions to protect users.

WhatsApp to delete from its servers and not share with Facebook or its group companies any information belonging to users who delete their account.

Users who continue to be on WhatsApp, their existing information up to September 25, 2016 cannot be shared with Facebook or any of its group companies.

Did The Delhi High Court Go Easy On Facebook And WhatsApp?

Apar Gupta, an advocate specializing in information technology, points out that the directions given by the Delhi High Court to WhatsApp did not contemplate any additional protection to a user than what was already provided by WhatsApp.

The Delhi Court essentially reproduced WhatsApp’s privacy policy. It did not compel or provide any additional safeguard.
Apar Gupta, Lawyer

Apar attributes this to the absence of a regulatory framework.

The lack of substantive safeguard and enforcement framework in India led to the Delhi High Court upholding WhatsApp’s new privacy policy.
Apar Gupta, Lawyer

Abraham added that the court did not examine the privacy policy from the perspective of data protection principles as would have been the case in EU or any other jurisdictions with a proper data protection law.

The court too admitted this in its order that there existed a regulatory vacuum in India and asked TRAI to look into the matter. Facebook did not respond to BloombergQuint’s query on whether it would implement its U.K. commitments in India as well.

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-november-17-2016-payaswini-upadhyay-how-the-uk-got-a-better-deal-from-facebook-than-india-did

How the government gains when private companies use Aadhaar

praskrishna — 2016-04-01T15:58:38Z

This blog post by M. Rajshekhar and Anumeha Yadav was published in Scroll.in on March 24, 2016. Sunil Abraham was quoted.

Last week, Rajya Sabha made a last-ditch attempt to modify the contentious Aadhaar legislation introduced by the Modi government. Since the legislation was introduced as a Money Bill, the Upper House had no powers to amend it. It could only send back the bill with recommended amendments.

One of the clauses which Rajya Sabha wished to amend related to the use of the Aadhaar number, the 12-digit unique identification number assigned after the collection of an individual’s biometrics in the form of fingerprints and iris scans.

Clause 57 said that anyone, whether an individual or a public or private organisation, could use the Aadhaar number. Rajya Sabha voted to restrict the use of the number to the government. After all, the government had justified introducing Aadhaar legislation as a Money Bill by stating that it would be used for delivering government subsidies and benefits funded out of the Consolidated Fund of India. If the delivery of government welfare is the aim of Aadhaar, why should private companies be allowed to use it?

The Rajya Sabha recommended dropping clause 57 to limit the use of Aadhaar to government agencies. But the Lok Sabha rejected its recommendation, and cleared the Bill in its original form, paving the way for private companies to use Aadhaar.

Strikingly, however, well before the Bill was cleared, a private company started advertising its services as “India’s 1st Aadhaar based mobile app to verify your maid, driver, electrician, tutor, tenant and everyone else instantly”. In an article for Scroll.in, legal researcher Usha Ramanathan said, “A private company is advertising that it can use Aadhaar to collate information about citizens at a price. It says this openly, even as a case about the privacy of the information collected for the biometrics-linked government database is still pending in the Supreme Court.”

LinkedIn for plumbers

The company that owns the mobile app called TrustID believes it is not doing anything wrong.

Monika Chowdhry, who heads the marketing division of Swabhimaan Distribution Services, the company that created TrustID, defended the app, saying it offers the valuable service of verifying people's identities. “In our day to day life, we do a lot of transactions with people – like maids or plumbers. Till now, you would have to trust them on what they said about themselves and what others said about the quality of their work.” The company is solving that problem, she said. “We are saying ask the person for their Aadhaar number and name and we will immediately tell you if they are telling the truth or not,” Chowdhry said.

Chowdhry said that over time, the Aadhaar number of individuals will be used to create a private verified database of TrustIDs. “Our plan is to create a rating mechanism,” she said. Referring to the option for maid, plumbers and other service providers on the app, she added: “People like you and me, we have Linkedin and Naukri. What do these people have?”

How does the company use Aadhaar for verification and is there a reason to be concerned?

Aadhaar authentication

After you have logged into the TrustID app, you can choose from a dropdown menu of categories. You can send anyone's Aadhaar number, gender and name – or even biometrics – and the app claims it can verify their identity.

The app performs Aadhaar authentication – which means it matches an Aadhaar number with the information stored against that number in the servers of the Unique Identification Authority of India. At the time an individual enrols for an Aadhaar number, they disclose their name, gender, address and give biometric scans. This information is held in a database maintained by the UID authority.

One of the criticisms of Aadhaar has been that the database of millions of people could be misused in the absence of a privacy law in India. First, there is the question about whether the biometrics are secure. Second, there are risks that accompany the uncontrolled use of unique numbers.

In response, the proponents of Aadhaar have said that the data is encrypted and secure, and can be accessed only by the authority. Those wanting to authenticate – or match – the Aadhaar number cannot directly access the database. They can simply make requests to the authority which authenticates the number for them.

So far, it appeared that the authority was taking Aadhaar authentication requests solely from government agencies. For instance, to pay wages to workers of the rural employment guarantee programme.

But TrustID’s example showed that private companies too have been sending authentication requests to the authority. This is not entirely surprising for those who have followed the blueprint for Aadhaar as envisioned by Nandan Nilekani, its founder. In an interview in 2012, Nilekani spoke about creating a "thriving application system" using Aadhaar for both the public and private sector.

Chowdhary said Swabhimaan Distribution Services registered as an Aadhaar authentication agency in November 2015, and the app was launched in January 2016.

TrustID, or Swabhimaan, is not the only private company that has signed up as an authentication agency for Aadhaar. A quick Google search throws up the name of Alankit, which wants to “provide Aadhaar Enabled Services to its beneficiaries, clients and customers and can further verify the correctness of the Aadhaar numbers provided ” .

This shows the authority entered into agreements with private companies well before the Aadhaar law was passed in Parliament. The companies were running ahead of legislation in a space unbounded by law, and the UIDAI supported them in this.

It is unclear how many private companies were sending requests for Aadhaar authentication. Scroll's questions to Harish Agrawal, the deputy director general of Aadhaar's Authentication and Application Division, remained unanswered.

In an interview to Business Standard, ABP Pandey, the director general of the UIDAI, said, "Usually what happens is that first a law is passed and thereafter the institutions are built and operations start. Here it has happened the other way around. The operations – the enrolment – is almost complete. The organisation is also there and has been working under executive orders. Now everything has to be kind of retrofitted in to the acts and the regulations."

Why is this problematic?

For one, allowing private companies to use the Aadhaar number shows that the government’s stated aims of Aadhaar are misleading.

Both in the Supreme Court and in Parliament, the government has pushed for the use of Aadhaar as an instrument of welfare delivery. It justified passing Aadhaar legislation as a Money Bill by emphasising its importance to its welfare schemes. But as the case of Swabhimaan shows, Aadhaar's uses clearly go well beyond what the Bill's preamble describes as the “targeted delivery of subsidies, benefits and services, the expenditure for which is incurred from the Consolidated Fund of India.”

Two, biometrics and unique identification numbers are a qualitatively new form of private information. As such, they bring unknown risks. India does not have a privacy law, and a law defining the use of biometrics and unique numbers is yet to be created. Delhi-based lawyer Apar Gupta said, “Even the Aadhaar Bill is yet to be approved by the president. Its rules are yet to be drafted. There is not enough legal guidance on its use.”

Three, companies like Swabhimaan would be in a position to construct databases of their own. Take TrustID. When it starts retaining Aadhaar numbers, and adds ratings to them, it creates a database of its own, which amounts to creating profiles of people.

Here, as Ramanathan said, the analogy with the networking site LinkedIn doesn't work. “When I have an account on LinkedIn, I update my data,” she said. But the TrustID app generates profiles out of the ratings that others give. Even if a prospective employee shares his/her Aadhaar number, it does not amount to free consent since getting a job hinges on giving that number.

In the future, companies could use Aadhaar numbers in unknown ways, for instance, to combine multiple databases – banks, telecom companies, hospitals – to create detailed profiles of you and me that they can monetise. In effect, Aadhaar becomes a commercial instrument for private companies, and not just a mechanism for the delivery of government welfare.

Gains for the government

Sunil Abraham, the executive director of the Centre for Internet and Society, further explained the risks that arise when databases are combined. He cited the example of OCEAN, the system created by researchers at the Indraprastha Institute of Information Technology to raise privacy awareness. OCEAN used publicly available information held by the government (voter identity card, PAN card, driving licence) to access details about citizens in Delhi. This public data was combined with people's Facebook and Twitter accounts, and the aggregated results were visualised as a family tree which showed information extending to a person’s parents, siblings and spouse.

"If a company like TrustID tied up with OCEAN, it can create a very detailed profile of an individual," said Abraham. "To continue with the example of a job-seeker, if a employer uses TrustID to verify applicants' identity or profiles, the App may combine a database like OCEAN to track that you logged into Twitter at, say 2 am on most nights. It can profile you as someone who might not turn up at work on time in the morning."

Abraham pointed out that the government too stands to gain by allowing private companies to use Aadhaar for authentication. "Use of authentication by private companies will mean UIDAI can have information on authentications performed on you, or by you, over time in the private sphere as well, say during such a job search," he said. For instance, when TrustID runs a search for your prospective employers using your Aadhaar number, the government knows you have applied for a job at certain companies. "This is unnecessary involvement of the government, giving it access to information in an area that it should not have access to."

Over time, such Aadhaar authentication for private services in companies, hospitals, or hotels will "help the government gain granular data on citizens", he said.

Perhaps that explains why the government rushed the Aadhaar Bill through Parliament, allowing little time and room for public debate.

For more details visit https://cis-india.org/internet-governance/news/scroll.in-march-24-2016-rajshekhar-anumeha-yadav-how-the-govt-gains-when-private-companies-use-aadhaar