Centre for Internet and Society

Govt asks CBI to probe Cambridge Analytica in data breach case

Admin — 2018-07-29T01:47:01Z

Centre directs social media platforms to take prompt action against fake messages

The article by Komal Gupta was published in Livemint on July 27, 2018. Pranesh Prakash was quoted.

The government has written to the Central Bureau of Investigation (CBI) seeking an enquiry into London-based political consultancy Cambridge Analytica, and asked all social media platforms to take prompt action against fake messages, including tracing their origin. Cambridge Analytica is at the centre of a Facebook data breach row, including those of around 562,000 Indian users.

“It is suspected that Cambridge Analytica may have been involved in illegally obtaining data of Indians which could be misused. The government has entrusted this issue to be investigated by the CBI for possible violation of Information Technology Act, 2000 and IPC,” said Ravi Shankar Prasad, electronics and IT minister in response to a calling attention motion in the Rajya Sabha on “Misuse of social media platforms and propagation of fake news causing unrest and violence.”

Media platforms have been directed to work with Indian officials to receive grievance in real time and also inform law enforcement agencies.

“They (social media platforms) will have to ensure that their platforms do not become vehicles of promoting hatred, terrorism money laundering, mob violence and rumour mongering,” said Prasad.

Over the last couple of months, there have been several instances of data breach and fake messages being circulated through social media platforms.

In March, after the data of Indians was allegedly compromised through Facebook by Cambridge Analytica, the government issued notices to the two companies and sought their response. According to Prasad, Facebook responded that it will streamline its internal processes on handling of personal data and Cambridge Analytica violated its platform policies. Cambridge Analytica had said that data of Indians was not breached but this was not in conformity with what was reported by Facebook.

After initial responses, Cambridge Analytica stopped responding to letters from the IT ministry after which the government ordered a CBI probe into the matter. Over the last month, a spate of mob lynchings has been reported from several states, including Assam, Maharashtra, Karnataka, Tripura, Jharkhand and West Bengal, following fake messages spread through Facebook-owned messaging service WhatsApp.

According to Prasad, the government is initiating measures to increase awareness about fake news with the support of all stakeholders.

On 19 July, the government directed WhatsApp to come out with more effective solutions that can bring in accountability and facilitate enforcement of law in addition to their efforts to label forwards and identify fake news. After this, the social media giant limited forward messages to five chats at once instead of multiple chats at once.

“It now plans to the remove forward button (icon) adjacent to a video or audio message. They also plan to bring fact checking and fake news verification mechanism,” added Prasad.

Earlier this month, WhatsApp rolled out a new feature that would clearly mark forwarded messages in a move aimed at curbing the spread of rumours.

As of March, there were more than 460 million Indian users of social media platforms, including Facebook, Twitter, YouTube and WhatsApp.

The ministry of home affairs (MHA) has issued a number of advisories on incidents of lynching by mobs fuelled by rumours of lifting/kidnapping of children and cyber crime prevention and control. It has also constituted a group of ministers and a high level committee to formulate appropriate measures to address mob violence and lynchings in the country.

“The government doesn’t seem to have understood the meaning of ‘abetment’ under the IPC, nor does it seem to understand the protections afforded to intermediaries like messaging platforms under section 79 of the Information Technology Act. Messaging platforms like WhatsApp cannot legally be held to be abettors, plain and simple,”said Pranesh Prakash, fellow at the Centre for Internet and Society, a Bengaluru-based think tank.

For more details visit https://cis-india.org/internet-governance/news/livemint-july-27-2018-komal-gupta-govt-asks-cbi-to-probe-cambridge-analytica-in-data-breach-case

Government washes hands of Google's new privacy policy

praskrishna — 2012-04-10T09:40:55Z

The government has more or less washed its hands of internet giant Google's new privacy policy that is being criticised in Europe and elsewhere, but wants Indian residents to watch out for themselves, writes Jayadevan in this article published in the Economic Times on April 10, 2012.

Google's new privacy policy provides information on how personal information is collected, processed and secured, as required by relevant Indian laws. "The end users, however, need to fully understand the privacy policy of Google, the consequences of sharing their personal information and their privacy rights before they start using online services," Sachin Pilot, India's minister for information technology, stated in Rajya Sabha on March 30.

Ever since Google came out with a unified privacy policy in January, it has been facing criticism from many users and privacy advocates, especially in Europe where privacy is a fundamental right. The new policy unified separate privacy polices relating to nearly 60 of Google's services.

The new policy also lets the separate Google services, such as Gmail, Google Search or Youtube, share data among each other. In Europe, Google is facing potential sanctions or even fine over its new privacy policy.

Section 43A of the India's amended Information Technology Act (2000) has established a legal framework for data privacy protection in the country. The rules notified last year explain security practices to be followed and the need for guarding sensitive personal information. The Act also requires Indian corporations to publish a privacy policy.

"Google has published a Privacy Policy on their website," said the minister. "Any change in the privacy policy is not within the purview of amended Information Technology Act 2000," Pilot added. Venkatesh Hariharan (Venky), head of public policy and government affairs at Google India, has left the company last month and did not want to comment.

According to the Pilot, while France's independent privacy watchdog, the CNIL (nationale de I'informatique et des libertes) has said that the changes to Google's privacy policy do not comply with the European law, rectification of conflict between Google, an American company and European directive on data protection is not within the purview of the Indian government.

CNIL, the data protection watchdog in France had asked Google to answer 69 questions including what it does with the data collected from users and how long it is retained to better understand the consequences of the new policy for Google users.

Experts agree Google privacy policy is in compliance with Sec 43A of IT Act but cautioned that it may not be enough. "Section 43A does not have all the privacy safeguards that exist for citizen in developed countries," said Sunil Abraham, executive director at the Centre for Internet and Society.

Abraham advocates the creation of a privacy commissioner. "It is important to have a independent and autonomous regulator who can respond on a proactive basis when confronted with evidence of abusive practices," he said.

Legal provisions will have to enable the creation of such a regulator, says cyber law expert Vakul Sharma. "You can not create a regulator out of thin air. You should have legislation for privacy. In India we do not have any such legislation," said Sharma.

The IT act classifies information into two - personal information and sensitive personal information. Safeguards under the section 43A and rules apply to sensitive personal information which includes biometric information, information related to health, passwords, sexual orientation and financial information among others.

"Users must be aware that Google's new policy does not have room for categorization according to Indian laws," says Sharma. "It is a plain vanilla document. The users need more," he added.

Read the original published in the Economic Times on April 10, 2012. Sunil Abraham is quoted in it.

For more details visit https://cis-india.org/news/govt-washes-hands-of-google-privacy-policy

Government gives free publicity worth 40k to Twitter and Facebook

Akriti Bopanna — 2018-04-27T09:52:26Z

We conducted a 2 week survey of newspapers for links between government advertisement to social media giants. As citizens, we should be worried about the close nexus between the Indian government and digital behemoths such as Facebook, Google and Twitter. It has become apparent to us after a 2 week print media analysis that our Government has been providing free publicity worth Rs 40,000 to these entities. There are multiple issues with this as this article attempts at pointing out.

We analyzed 5 English language newspapers daily for 2 weeks from March 12^th to 26^th, one week of the newspapers in Lucknow and the second week in Bangalore. Facebook, Twitter, Instagram and Alphabet backed services such as Youtube and Google Plus were part of our survey. Of a total of 33 advertisements (14 in Lucknow+19 in Bangalore), Twitter stands out as the most prominent advertising platform used by government agencies with 30 ads but Facebook at 29 was more expensive. In order to ascertain the rates of publicity, current advertisement rates for Times of India as our purpose was to solely give a rough estimation of how much the government is spending.

Advertising of this nature is not merely an inherent problem of favoring some social media companies over others but also symptomatic of a bigger problem, the lack of our native e-governance mechanisms which cause the Government to rely and promote others. Where we do have guidelines they are not being followed. By outsourcing their e-governance platforms to Twitter such as TwitterSeva, a feature created by the Twitter India team to help citizens connect better with government services, there is less of an impetus to construct better websites of their own.

If this is so because we currently do not have the capacity to build them ourselves then it is imperative that this changes. We should either be executing government functions on digital infrastructure owned by them or on open and interoperable systems. If anything, the surveyed social media platforms can be used to enhance pre-existing facilities. However, currently the converse is true with these platforms overshadowing the presence of e-governance websites. Officials have started responding to complaints on Twitter, diluting the significance of such complaint mechanisms on their respective department’s portal. Often enough such features are not available on the relevant government website. This sets a dangerous precedent for a citizen management system as the records of such interactions are then in the hands of these companies who may not exist in the future. As a result, they can control the access to such records or worse tamper with them. Posterity and reliability of such data can be ensured only if they are stored within the Government’s reach or if they are open and public with a first copy stored on Government records which ensures transparency as well. Data portability is an important facet to this issue as well as being a right consumers should possess. It provides for support of many devices, transition to alternative technologies and lastly, makes sure that all the data like other public records will be available upon request through the Right to Information procedure. The last is vital to uphold the spirit of transparency envisioned through the RTI process since interactions of government with citizens are then under its ambit and available for disclosure for whomsoever concerned.

Secondly, such practices by the Government are enhancing the monopoly of the companies in the market effectively discouraging competition and eventually, innovation. While a certain elite strata of the population might opt for Twitter or Facebook as their mode of conveying grievance, this may not hold true for the rest of the online India population.

Picking players in a free market is in violation of technology and vendor neutrality, a practice essential in e-governance to provide a level playing field for all and competing technologies. Projecting only a few platforms as de facto mediums of communication with the government inhibits the freedom of choice of citizens to air their grievances through a vendor or technology they are comfortable with. At the same time it makes the Government a mouthpiece for such companies who are gaining free publicity and consolidating their popularity. Government apps such as the SwachBharat one which is an e-governance platform do not offer much more in terms of functionality but either reflect the website or are a less mature version of the same. This leads to the problem of fracturing with many avenues of complaining such as the website, app, Twitter etc. Consequently, the priority of the people dealing with the complaints in terms of platform of response is unsure. Will I be responded to sooner if I tweet a complaint as opposed to putting it up on the app? Having an interoperable system can solve this where the Government can have a dashboard of their various complaints and responses are then made out evenly. Twitter itself could implement this by having complaints from Facebook for example and then the Twitter Seva would be an equal platform as opposed to the current issue where only they are favored.

Recent events have illustrated how detrimental the storage of data by these giants can be in terms of privacy. Data security concerns are also a consequence of such leaks. Not only is this a long overdue call for a better data protection law but at the same time also for the Government to realize that these platforms cannot be trusted. The hiring of Cambridge Analytica to influence voters in the US elections, based on their Facebook profiles and ancillary data, effectively put the governance of the country on sale by exploiting these privacy and security issues. By basing e-governance on their backbone, India is not far from inviting trouble as well. It is unnecessary and dangerous to have a go-between for matters that pertain between an individual and state.

As this article was being written, it was confirmed by the Election Commission that they are partnering with Facebook for the Karnataka Assemby Elections to promote activities such as encourage enrollment of Voter ID and voter participation. Initiatives like these tying the government even closer to these companies are of concern and cementing the latter’s stronghold.

Note: Our survey data and results are attached to this post. All research was collected by Shradha Nigam, a Vth year student at NLSIU, Bangalore.

Survey Data and Results

This report is based on a survey of government advertisements in English language newspapers in relation to their use of social media platforms and dedicated websites (“Survey”). For the purpose of this report, the ambit of the social media platforms has been limited to the use of Facebook, Twitter, YouTube, Google Plus and Instagram. The report was prepared by Shradha Nigam, a student from National Law School of India University, Bangalore. Read the full report here.

For more details visit https://cis-india.org/internet-governance/blog/government-giving-free-publicity-worth-40-k-to-twitter-and-facebook

Google’s privacy policy raises hackles

praskrishna — 2012-01-30T03:58:57Z

Have you ever used Google to search for a restaurant while you were logged in its network using your Google id? Or shared information about your trip to Goa with your friends on Google +? Or watched belly dance on YouTube? Or looked for Sunny Leone pictures on Google images? If yes, Google knows about it. Javed Anwer wrote on article on this. It is published in the Times of India on 26 January 2012.

And according to its new privacy policy it is going to put this information to some use.

The web giant says the new privacy policy will allow it to offer better services, including more relevant search results. But web experts have raised concerns over potential misuse of data and breach of privacy. According to Google's new privacy policy that will come into effect from March 1, the company is "getting rid of over 60 different privacy policies across Google services and replacing them with one that's shorter, easier to read" and something that will enable it to "create intuitive experience across Google" . Unlike in the past when Google had allowed users to choose personalized services, this time there is no option to opt out.

For an end-user this means that whatever information he shares through Google searches, Gmail, Google +, Picassa etc will be used to customize Google services for him. That the move is significant can be gauged from the fact that Google has provided a link to the new policy directly under its search engine on main page, something that the company rarely does. Google users will also be notified about the policy change through an email. "Our new privacy policy makes clear that, if you're signed in, we may combine information you've provided from one service with information from other services. In short, we'll treat you as a single user across all our products, which will mean a simpler, more intuitive Google experience," said Alma Whitten, Google's director of privacy, in a post on the company's official blog.

Whitten gave some example of how this information will be used. "We can make search better - figuring out what you really mean when you type in Apple, Jaguar or Pink. We can provide more relevant ads too," she wrote. "We can provide reminders that you're going to be late for a meeting based on your location , your calendar and an understanding of what the traffic is like that day. Or ensure that our spelling suggestions, even for your friends' names, are accurate because you've typed them before."

The privacy policy from Google is at the heart of its new business strategy as it works to keep the search engine relevant and its services fresh in the face of social networking websites like Twitter and Facebook. It is also prompted by the proliferation of devices like smartphones and tablets. However, privacy experts are not amused. Sunil Abraham, director of Centre for Internet and Society, said the new changes are not good for a consumer's privacy.

"I understand that Google collects the data so that it can build a 360 degree profile of a user and based on the information serve relevant advertisements . But there is no reason for them to store this data for long. Storing data makes it prone to misuse by authorities as well as corporations," said Abraham. Another, problem, he said is that different services are used for different purposes. "I don't want my bakery shop owner to know what kind of medicines Ibuy from the nearby medical store," said Abraham.

Are you being watched?

What |

For an end-user the new policy means that whatever information he shares through Google searches, Gmail, Google+, Picassa, etc will be used to customize Google services for him

Why |

The privacy policy is at the heart of Google's business strategy as it tries to keep the search engine relevant in the face of social networking websites like Twitter and Facebook

Concerns |

It's instrusive as online activity is tracked; storing data makes it prone to misuse by authorities as well as corporations

The original was published in the Times of India. Sunil Abraham has been quoted in it.

For more details visit https://cis-india.org/news/google2019s-privacy-policy-raises-hackles

Google to change privacy policy to use personal info of users

praskrishna — 2012-01-30T05:03:55Z

It is a warning for users of Google and other Social Networking sites. Who are using these sites for searching anything they want to know and sharing their personal life with friends, colleagues and relatives. If you have ever used Google for searching any place, restaurant or shared information about your personal life with your friends on Google and other social networking sites, or you have watched adult stuff on YouTube, if your answer is yes, Google knows about it. And according to its new privacy policy Google is going to put this information to some use. Sheetal Ranga's article was published in Punjab Newsline on 27 January 2012.

It is claimed by the web enormous that according to new privacy policy, better service will be provided to its users, including more relevant search results. And other side the web experts have expressed their concerns over potential misuse of data and defy of privacy. Google's new privacy policy will come into effect from 1 March 2012, said by Google.

Google provide service which will be shorter and easier to read and something that will enable it to create spontaneous experience across Google. Google had allowed users to choose personalized services; “unlike” this time there is no option to pick for the users.

The new policy of Google has made some people anxious over their privacy issues. The new policy is being adopted by Google, SafeGov monitors security issues for federal, state and local government is not happy with it.

A security analyst, Jeff ( SafeGov) said, "Google should not be data-mining information in e-mails, text messages, searches and documents that workers are putting into Google services. It’s a matter of not making government workers unnecessarily exposed to hackers and to inadvertent disclosures of information."

The Vice President of Google ,Amit Singh claims that Google’s new privacy policy for consumer data is antiquated by data privacy provisions in contracts with government agencies and other organization that use the paid version of Google Apps. Google will maintain our endeavor customers’ data in conformity with the confidentiality and security obligations provided to their domain, he said.

The new policy of Google has made some people edgy over their privacy issues. SafeGov monitors security issues for federal, state and local government agencies are very unhappy with the new policy of Google. It is also said by Sunil Abraham, director of Centre for Internet and Society that the new changes are not good for a consumer's privacy.

Director of privacy Alma Whitten has given some example of how this information will be used. "We can make search better - figuring out what you really mean when you type in Apple, Jaguar or Pink. We can provide more relevant ads too," she wrote. "We can provide reminders that you're going to be late for a meeting based on your location, your calendar and an understanding of what the traffic is like that day. Or ensure that our spelling suggestions, even for your friends' names, are accurate because you've typed them before."

Other side after the cross-checked the contract between Google and the city of Los Angele by Gould, claimed that he didn’t think through the consequences for government users.

Punjab Newsline published this story. Sunil Abraham was quoted in it.

For more details visit https://cis-india.org/news/google-to-change-privacy-policy

Google move is not good for netizens, say experts

praskrishna — 2012-02-03T10:03:17Z

Google's plan to merge data across 60 of its properties, which was announced last week, has drawn criticism from experts on the Internet, who are saying that this is detrimental to privacy. Balaji Narasimhan wrote this in the Hindu Business Line. The article was published on 31 January 2012.

"Google is doing what is good for shareholders. This is not positive for netizens,” said Mr Sunil Abraham, Executive Director, Centre for Internet and Society. “People like you and me have to either accept it or leave."

But what are the alternatives? Mr Somick Goswami, Director Consulting, PwC India, didn't want to comment directly on Google, but in the larger context of data privacy, he asked, "Do users want a free Internet or control over content? There is a lot of advocacy going around it. End of the day, when using the Internet, there has to be trust."

One way that Google could build trust could be by using something pertaining to loyalty, which retailers use in the real world in order to woo customers.

Mr Ram Menon, Executive Vice-President and Chief Technology Officer of Tibco, said that many of his clients make offers that are in context with what users want.

"For example, if you like cappuccino and this knowledge is known to a vendor, he can offer you a cappuccino when you walk past the store." He said that in such cases, there was no affront to privacy because the offer is relevant and in context. "You are a member and have opted in," he said.

Perhaps, the fact that all of Google's services are free has something to do with the privacy issue, pointed out the Australian Privacy Foundation. As its site privacy.org.au noted, "The company's business model is based on advertising revenue. Users pay no fees for their use of the services."

And the merger of its 60 policies apart, there is another issue worrying users — new acquisitions. As Mr Abraham pointed out, “When I was browsing Silk Smitha before YouTube was acquired by Google, I had no idea that one day this information would be known to Google."

And the issue becomes more serious in the context of a growing mobile workforce. As the Australian Privacy Foundation said, "Android mobile phones effectively trap users into having a Google user account."

Using Google services on a mobile – especially Google Latitude, a service that allows you to enable your friends to view your current location – allows Google to track your movements.

And since Google is predominantly an advertising-driven company, it could be argued that one day they might share information about you with a third party, enabling them to market to you more effectively, though this may not necessarily be done with your explicit permission – and this means that you may get an offer for products even if you have not opted in for such a service.

What can be done? Mr Abraham rued the fact that there are no specific laws to safeguard users.

"India needs privacy laws. In the US, law makers will create a fuss. In India, we are at the mercy of companies."

The original was published in the Hindu Business Line. Sunil Abraham is quoted in this article.

For more details visit https://cis-india.org/news/google-move-is-not-good-for-netizens-say-experts

Good Intentions, Recalcitrant Text - I: Why India’s Proposal at the ITU is Troubling for Internet Freedoms

geetha — 2014-11-02T15:13:45Z

The UN's International Telecommunications Union (ITU) is hosting its Plenipotentiary Conference (PP-14) this year in South Korea. At PP-14, India introduced a new draft resolution on ITU's Role in Realising Secure Information Society. The Draft Resolution has grave implications for human rights and Internet governance. Geetha Hariharan explores.

At the 2014 Plenipotentiary Conference (‘PP-14’ or ‘Plenipot’) of the International Telecommunications Union (ITU), India has tabled a draft proposal on “ITU’s Role in Realising Secure Information Society” [Document 98, dated 20 October 2014] (“Draft Resolution”). India’s proposal has incited a great deal of concern and discussion among Plenipot attendees, governments and civil society alike. Before offering my concerns and comments on the Draft Resolution, let us understand the proposal.

Our Draft Resolution identifies 3 security concerns with exchange of information and resource allocation on the Internet:

First, it is troubling for India that present network architecture has “security weaknesses” such as “camouflaging the identity of the originator of the communication”;[1] random IP address distribution also makes “tracing of communication difficult”;[2]
Second, India is concerned that under the present allocation system of naming, numbering and addressing resources on the Internet, it is impossible or at the very least, cumbersome to identify the countries to which IP address are allocated;[3]
Third, India finds it insecure from the point of view of national security that traffic originating and terminating in the same country (domestic traffic) often routes through networks overseas;[4] similarly, local address resolution also routes through IP addresses outside the country or region, which India finds troubling.[5]

In an effort to address these concerns, the Draft Resolution seeks to instruct the ITU Secretary General:

First, to develop and recommend a ‘traffic routing plan’ that can “effectively ensure the traceability of communication”;[6]
Second, to collaborate with relevant international and intergovernmental organisations to develop an “IP address plan” which facilitates identification of locations/countries to which IP addresses are allocated and coordinates allocation accordingly;[7]
Third, to develop and recommend “a public telecom network architecture” that localizes both routing[8] as well as address resolution[9] for local/domestic traffic to “within the country”.

Admittedly, our Draft Resolution is intended to pave a way for “systematic, fair and equitable allocation” of, inter alia, naming, numbering and addressing resources,[10] keeping in mind security and human rights concerns.[11] In an informal conversation, members of the Indian delegation echoed these sentiments. Our resolution does not, I was told, raise issues about the “concentration of control over Internet resources”, though “certain governments” have historically exercised more control. It also does not, he clarified, wish to make privacy or human rights a matter for discussion at the ITU. All that the Draft Resolution seeks to do is to equip the ITU with the mandate to prepare and recommend a “roadmap for the systematization” of allocation of naming, numbering and addressing resources, and for local routing of domestic traffic and address resolution. The framework for such mandate is that of security, given the ITU’s role in ‘building confidence and security in the use of ICTs’ under Action Line C5 of the Geneva Plan of Action, 2003.

Unfortunately, the text of our Draft Resolution, by dint of imprecision or lack of clarity, undermines India’s intentions. On three issues of utmost importance to the Internet, the Draft Resolution has unintended or unanticipated impacts. First, its text on tracing communication and identity of originators, and systematic allocation of identifiable IP address blocks to particular countries, has impacts on privacy and freedom of expression. Given Edward Snowden’s NSA files and the absence of adequate protections against government incursions or excesses into privacy,[12] either in international human rights law or domestic law, such text is troublesome. Second, it has the potential to undermine multi-stakeholder approaches to Internet governance by proposing text that refers almost exclusively to sovereign monopolies over Internet resource allocation, and finally, displays a certain disregard for network architecture and efficiency, and to principles of a free, open and unified Internet, when it seeks to develop global architecture that facilitates (domestic) localization of traffic-routing, address resolution and allocation of naming, numbering and addressing.

In this post, I will address the first concern of human rights implications of our Draft Resolution.

Unintended Implications for Privacy and Freedom of Expression:

India’s Draft Resolution has implications for individual privacy. At two different parts of the preamble, India expresses concerns with the impossibility of locating the user at the end of an IP address:

Pream. §(e): “recognizing… that the modern day packet networks, which at present have many security weaknesses, inter alia, camouflaging the identity of originator of the communication”;
Pream. §(h): “recognizing… that IP addresses are distributed randomly, that makes the tracing of communication difficult”.

The concerns here surround difficulties in tracking IP addresses due to the widespread use of NATs, as also the existence of IP anonymisers like Tor. Anonymisers like Tor permit individuals to cover their online tracks; they conceal user location and Internet activity from persons or governments conducting network surveillance or traffic analysis. For this reason, Tor has caused much discomfort to governments. Snowden used Tor while communicating with Laura Poitras. Bradley (now Chelsea) Manning of Wikileaks fame is reported to have used Tor (page 24). Crypto is increasingly the safest – perhaps the only safe – avenue for political dissidents across the world; even Internet companies were coerced into governmental compliance. No wonder, then, that governments are doing all they can to dismantle IP anonymisers: the NSA and GCHQ have tried to break Tor; the Russian government has offered a reward to anyone who can.

Far be it from me to defend Tor blindly. There are reports suggesting that Tor is being used by offenders, and not merely those of the Snowden variety. But governments must recognize the very obvious trust deficit they face, especially after Snowden’s revelations, and consider the implications of seeking traceability and identity/geolocation for every IP address, in a systematic manner. The implications are for privacy, a right guaranteed by Article 17 of the International Covenant on Civil and Political Rights (ICCPR). Privacy has been recognized by the UN General Assembly as applicable in cases of surveillance, interception and data collection, in Pream. §4 of its resolution The Right to Privacy in the Digital Age. But many states do not have robust privacy protections for individuals and data. And while governments may state the necessity to create international policy to further effective criminal investigations, such an aim cannot be used to nullify or destroy the rights of privacy and free speech guaranteed to individuals. Article 5(1), ICCPR, codifies this principle, when it states that States, groups or persons may not “engage in any activity or perform any act aimed at the destruction of any of the rights and freedoms recognized herein…”.

Erosion of privacy has a chilling effect on free speech [New York Times v. Sullivan, 376 U.S. 254], so free speech suffers too. Particularly with regard to Tor and identification of IP address location and users, anonymity in Internet communications is at issue. At the moment, most states already have anonymity-restrictions, in the form of identification and registration for cybercafés, SIM cards and broadband connections. For instance, Rule 4 of India’s Information Technology (Guidelines for Cyber Cafe) Rules, 2011, mandates that we cannot not use computers in a cybercafé without establishing our identities. But our ITU Draft Resolution seeks to dismantle the ability of Internet users to operate anonymously, be they political dissidents, criminals or those merely acting on their expectations of privacy. Such dismantling would be both violative of international human rights law, as well as dangerous for freedom of expression and privacy in principle. Anonymity is integral to democratic discourse, held the US Supreme Court in McIntyre v. Ohio Elections Commission [514 U.S. 334 (1995)].[13] Restrictions on Internet anonymity facilitate communications surveillance and have a chilling effect on the free expression of opinions and ideas, wrote Mr. Frank La Rue, Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression (¶¶ 48-49).

So a law or international policy for blanket identification and traceability of IP addresses has grave consequences for and prima facie violates privacy, anonymity and freedom of speech. But these rights are not absolute, and can be validly restricted. And because these human rights are implicated, the ITU with its lack of expertise in the area may not be the adequate forum for discussion or study.

To be valid and justified interference, any law, policy or order interfering with privacy and free speech must meet the standards of reasonableness and proportionality, even if national security were the government’s legitimate aim, laid down in Articles 19(3) and 17 of the Covenant on Civil and Political Rights (CCPR) [Toonen v. Australia, Communication No. 488/1992, U.N. Doc CCPR/C/50/D/488/1992 (1994), ¶6.4]. And as the European Court of Human Rights found in Weber & Saravia v. Germany [Application no. 54934/00, 29 June 2006 (ECHR), ¶95], law or executive procedure that enables surveillance without sufficient safeguards is prima facie unreasonable and disproportionate. Re: anonymity, in Delfi AS v. Estonia [Application no. 64569/09, 17 February 2014, ¶83], while considering the liability of an Internet portal for offensive anonymous comments, the ECHR has emphasized the importance of balancing freedom of expression and privacy. It relied on certain principles such as “contribution to a debate of general interest, subject of the report, the content, form and consequences of the publication” to test the validity of government’s restrictions.

The implications of the suggested text of India’s Draft Resolution should then be carefully thought out. And this is a good thing. For one must wonder why governments need perfect traceability, geolocation and user identification for all IP addresses. Is such a demand really different from mass or blanket surveillance, in scale and government tracking ability? Would this not tilt the balance of power strongly in favour of governments against individuals (citizens or non-citizens)? This fear must especially arise in the absence of domestic legal protections, both in human rights, and criminal law and procedure. For instance, India’s Information Technology Act, 2000 (amended in 2008) has Section 66A, which criminalizes offensive speech, as well as speech that causes annoyance or inconvenience. Arguably, arrests under Section 66A have been arbitrary, and traceability may give rise to a host of new worries.

In any event, IP addresses and users can be discerned under existing domestic law frameworks. Regional Internet Registries (RIR) such as APNIC allocate blocks of IP addresses to either National Internet Registries (NIR – such as IRINN for India) or to ISPs directly. The ISPs then allocate IP addresses dynamically to users like you and me. Identifying information for these ISPs is maintained in the form of WHOIS records and registries with RIRs or NIRs, and this information is public. ISPs of most countries require identifying information from users before Internet connection is given, i.e., IP addresses allocated (mostly by dynamic allocation, for that is more efficient). ISPs of some states are also regulated; in India, for instance, ISPs require a licence to operate and offer services.

If any government wished, on the basis of some reasonable cause, to identify a particular IP address or its user, then the government could first utilize WHOIS to obtain information about the ISP. Then ISPs may be ordered to release specific IP address locations and user information under executive or judicial order. There are also technical solutions, such as traceroute or IP look-up that assist in tracing or identifying IP addresses. Coders, governments and law enforcement must surely be aware of better technology than I.

If we take into account this possibility of geolocation of IP addresses, then the Draft Resolution’s motivation to ‘systematize’ IP address allocations on the basis of states is unclear. I will discuss the implication of this proposal, and that of traffic and address localization, in my next post.

[1] Pream. §(e), Draft Resolution: “recognizing… that the modern day packet networks, which at present have many security weaknesses, inter alia, camouflaging the identity of originator of the communication”.

[2] Pream. §(h), Draft Resolution: “recognizing… that IP addresses are distributed randomly, that makes the tracing of communication difficult”.

[3] Op. §1, Draft Resolution: “instructs the Secretary General… to collaborate with all stakeholders including International and intergovernmental organizations, involved in IP addresses management to develop an IP address plan from which IP addresses of different countries are easily discernible and coordinate to ensure distribution of IP addresses accordingly”.

[4] Pream. §(g), Draft Resolution: “recognizing… that communication traffic originating and terminating in a country also many times flows outside the boundary of a country making such communication costly and to some extent insecure from national security point of view”.

[5] Pream. §(f), Draft Resolution: “recognizing… that even for local address resolution at times, system has to use resources outside the country which makes such address resolution costly and to some extent insecure from national security perspective”.

[6] Op. §6, Draft Resolution: “instructs the Secretary General… to develop and recommend a routing plan of traffic for optimizing the network resources that could effectively ensure the traceability of communication”.

[7] Op. §1, Draft Resolution; see note 3.

[8] Op. §5, Draft Resolution: “instructs the Secretary General… to develop and recommend public telecom network architecture which ensures that effectively the traffic meant for the country, traffic originating and terminating in the country remains within the country”.

[9] Op. §4, Draft Resolution: “instructs the Secretary General… to develop and recommend public telecom network architecture which ensures effectively that address resolution for the traffic meant for the country, traffic originating and terminating in the country/region takes place within the country”.

[10] Context Note to Draft Resolution, ¶3: “Planning and distribution of numbering and naming resources in a systematic, equitable, fair and just manner amongst the Member States…”

[11] Context Note to Draft Resolution, ¶2: “…there are certain areas that require critical attention to move in the direction of building the necessary “Trust Framework” for the safe “Information Society”, where privacy, safety are ensured”.

[12] See, for instance, Report of the Office of the High Commission for Human Rights (“OHCHR”), Right to Privacy in the Digital Age, A/HRC/27/37 (30 June 2014), ¶34-35, http://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf. See esp. note 30 of the Report, ¶35.

[13] Many thorny political differences exist between the US and many states (including India and Kenya, who I am told has expressed preliminary support for the Draft Resolution) with regard to Internet governance. Irrespective of this, the US Constitution’s First Amendment and judicial protections to freedom of expression remain a yardstick for many states, including India. India, for instance, has positively referred to the US Supreme Court’s free speech protections in many of its decisions; ex. see Kharak Singh v. State of Uttar Pradesh, 1963 Cri. L.J. 329; R. Rajagopal v. State of Tamil Nadu, AIR 1995 SC 264.

For more details visit https://cis-india.org/internet-governance/blog/good-intentions-going-awry-i-why-india2019s-proposal-at-the-itu-is-troubling-for-internet-freedoms

GNI-Industry Dialogue Learning Session: Human Rights Impact Assessments and Due Diligence in the ICT sector

elonnai — 2016-04-06T15:42:41Z

Elonnai Hickok attended the meeting organized by Global Network Initiative on March 11, 2016 in Washington D.C.

The GNI welcomed its new observers from the Telecommunications Industry Dialogue by holding a learning session in conjunction with the GNI Board Meeting on March 10. This learning session aimed to increase understanding between the GNI and the ID by examining some of the common challenges that face ICT companies in the area of human rights due diligence and highlighting good practices. A second objective was to help the GNI develop a learning program and materials that will be useful for its members and draw on their expertise. Finally, this learning session informed the review of the GNI Implementation Guidelines that will take place during 2016.

The session took place according to the Chatham House Rule. Each short presentation was followed by a space for questions and answers.

Human Rights Impact Assessments in the ICT sector – Michael Samway
The Human Rights Due Diligence Process at Nokia – Laura Okkonen
Yahoo’s approach to Human Rights Impact Assessments– Nicole Karlebach and Katie Shay
Orange’s challenges and approach to doing business in Africa – Yves Nissim
Microsoft’s human rights impacts and the warrant case – Steve Crown and Bernard Shen
TeliaSonera’s approach to withdrawing from Eurasia – Patrik Hiselius
Considerations for company due diligence on the ground – Kathleen Reen and Babette Ngene, Internews

For discussion:

What are some of the common challenges facing current GNI member companies and ID member companies?
What do we consider to be good practices that are applicable to all?
What lessons can be applied to the review of the GNI Implementation Guidelines that will take place during 2016?

For more details visit https://cis-india.org/internet-governance/news/gni-industry-dialogue-learning-session-human-rights-impact-assessments-and-due-diligence-in-the-ict-sector

Global Partners Meeting @ London

praskrishna — 2013-03-20T06:37:48Z

Privacy International is organizing the Global Partners Meeting in London from March 22 to 25, 2013. The workshop will be held at the London School of Economics and Political Science. Sunil Abraham and Malavika Jayaram will be participating in this event.

Click to read the full details published by Privacy International here.

The meeting is an opportunity to connect global partners with each other and with researchers, human rights advocates, and privacy and technology experts from over 20 countries. This will provide an opportunity for discussion and debate, that will enrich global research and advocacy agenda for the next two years.

Workshop Overview

The purpose of the three day workshop is as follows:

To understand the privacy discourse and identify the challenges faced in advancing the right to privacy across the globe.
To consolidate our network and look for opportunities for collaboration and cross-pollination for research and advocacy initiatives.
To share experiences about research, dissemination and advocacy strategies that influence policy change.

We envisage this workshop as a launching pad for the work that Privacy International and our global partners will conduct over the next two years under the ambit of the Surveillance and Freedom: Global Understandings and Rights Development (SAFEGUARD) project, funded by the International Development

Research Centre. The focus of the SAFEGUARD project is to understand what are the threats, challenges and obstacles to, and opportunities for, the protection of privacy in developing countries.

Background to the SAFEGUARD project

Nowhere are the challenges to, and opportunities for, privacy protections as dynamic and complex as in the developing world. As these countries seek new measures to develop their economies, build social and technological infrastructures, sustain their social systems, and ensure security they need to consider what are the modern policy frameworks they require to ensure a just society. The windows around these policy frameworks are key opportunities for reflection about rights and democratic values, and in the case of this project, the protection of privacy.

The vast scope and relevance of the right to privacy in this age of technology gives rise to a myriad of challenges and issues, many of which have relevance across, as well as within, borders. This is particularly the case in the developing world, where South-South collaboration is gaining increasing currency in the development sector, and donor countries continue to contribute to and influence policy in recipient countries, particularly with respect to the adoption of new technologies. Many of the trends in developing countries – communications surveillance, biometrics and DNA databases, and identity cards – mirror those being adopted in the global North. Policy laundering and modelling, such as that witnessed with respect to counter-terrorism policies in the aftermath of 9/11 is taking hold in the context of communications surveillance laws and national ID databases. Such phenomena raise concerns not only as to the spread of practices that threaten to undermine privacy, but also with respect to the stifling of national policy discourses and legislative processes.

Conceptual framework

This projects sets out to isolate and understand the challenges to privacy in the developing world. In order to ensure that the research developed is sufficiently targeted to influence policy debates, we have identified a set of themes that cover the range of privacy-related issues and that together will give a comprehensive picture of the difficult relationship between privacy and technology. This set of themes has been developed in collaboration with our partners, who have identified those discussions around which there is perfect storm of advancing surveillance policies and technologies, poor legal and technical safeguards, and a scarcity of research and understanding. We have designed our conceptual framework accordingly.

Research questions

The legal and constitutional landscape: What laws and constitutional provisions exist to protect privacy, how are they implemented and monitored, and where are the legal and policy gaps?

Data protection: What is the state of data protection in partner countries, and what are the local and regional regulatory standards and good practices?

Communications surveillance: What communications surveillance regimes are in place, how are they designed in law and how do they operate in practice?

Adoption of surveillance technologies: Where are governments buying surveillance technologies, and how are they using them? What legal regimes are in place to establish safeguards over the use of advanced surveillance technologies? What is the state of the art in legal protections?

Political intelligence oversight: What is the nature and operation of local intelligence services, what oversight mechanisms are in place, and how can these mechanisms be implemented or enforced?

Politics, Identity, sexual and reproductive health and social sorting: To what the extent do governments misuse personal information to pursue social sorting practices?

Delivery of public services: What is the state of privacy protections in public service delivery, particularly those related to e-health systems and social protection programmes, and how can protections be improved?

ID, DNA and biometrics: What privacy risks are associated with the collection and use of personal information for ID and biometric systems?

Partners

Africa	Latin America	Asia
Zimbabwe Human Rights Forum, Zimbabwe Kenyan Ethical and Legal Issues Network, Kenya Media Institute of Southern Africa, Namibia Jonction, Senegal Centre for Social Sciences Research, University of Cape Town African Platform for Social Protection, Kenya	Dejusticia, Columbia Asociacion por los Derechos Civiles, Argentina Autonomous University of Mexico State, Mexico Centro de Tecnologia y Sociedad, Universidad San Andres, Argentina, in collaboration with the Centro de Tecnologica da Escola de Direito da Fundacao Getulio Vargas, Brasil Instituto NUPEF, Brazil Derechos Digitales, Chile	VOICE, Bangladesh University of Hong Kong, Hong Kong Centre for Internet and Society, India Thai Netizen Network, Thailand Thai Media Policy Center, Thailand Bytes For All, Pakistan Centre for Cyber Law Studies, Indonesia Foundation for Media Alternatives, Philippines

Africa

Latin America

Asia

Zimbabwe Human Rights Forum, Zimbabwe

Kenyan Ethical and Legal Issues Network, Kenya

Media Institute of Southern Africa, Namibia

Jonction, Senegal

Centre for Social Sciences Research, University of Cape Town

African Platform for Social Protection, Kenya

Dejusticia, Columbia

Asociacion por los Derechos Civiles, Argentina

Autonomous University of Mexico State, Mexico

Centro de Tecnologia y Sociedad, Universidad San Andres, Argentina, in collaboration with the Centro de Tecnologica da Escola de Direito da Fundacao Getulio Vargas, Brasil

Instituto NUPEF, Brazil

Derechos Digitales, Chile

VOICE, Bangladesh
University of Hong Kong, Hong Kong
Centre for Internet and Society, India
Thai Netizen Network, Thailand
Thai Media Policy Center, Thailand
Bytes For All, Pakistan
Centre for Cyber Law Studies, Indonesia
Foundation for Media Alternatives, Philippines

Participants

Ababacar Diop
Allan Maleche
Anna Fielder
Anthony Jackson
Arthit Suriyawongkul
Arthur Gwagwa
Ben Hayes
Ben Wagner
Benjamin Barretto
Carly Nyst
Carolin Moeller
Charles Dhewa
Claudio Ruiz
Clement Chen
Danilo Doneda
Eric King
Farjana Akter
Fieke Jansen
Graciela Sulamein
Gus Hosein
Helen Wallace
Juan Camilo Rivera
Karelle Dagon
Katitza Rodriguez
Kevin Donovan
Levinson Kabwato
Malavika Jayaram
Mathias Vermeulen
Michael Rispoli
Nelson Arteaga Botello
Pablo Palazzi
Pirongrong Ramasoota
Ramiro Alvarez Ugarte
Richie Tynan
Sam Smith
Sinta Dewi Rosadi
Shahzad Ahmed
Sinta Dewi Rosadi
Sunil Abraham
Stephanie Perrin
Tavengwa Nhongo
Vera Franz
Vicky Nida
Vivian Newman Pont

Agenda

Friday, March 22, 2013: Reception

Meet with Privacy International staff members and advisors, and workshop participants from more than 20 countries in Latin America, Asia, Africa, Europe and Central Asia. Food and drinks will be provided.

Time: 6.00 p.m.
Location: 2nd Floor, 46 Bedford Row, London WC1R 4LR
Contact: 0207 242 2836
Getting there: Our office is a short walk 10 minute from your hotel. See Map 1 below for directions.

Saturday, March 23, 2013: Day 1 (Objectives and Reviewing the Landscape)

10:00 a.m. - Welcome Breakfast: Setting The Scene
Location: Mercure London Bloomsbury restaurant

Welcome and introduction

Overview of PI’s work in developing countries

Participant introductions

Setting the agenda

12:30 p.m. - Session 1: Reviewing The Landscape
Location: Old Building, Room 3.21, London School of Economics and Political Science, Houghton Street, London WC2A 2AE

Mapping privacy in constitutions

Masterclass 1: communications surveillance laws around the world

Break-out groups on assigned topics, and reporting back

2:30 p.m. - Afternoon tea

Privacy quiz

Masterclass 2: SIM card registration

Building a network: how can PI facilitate your work?

Masterclass 3: Oversight of intelligence agencies

6:00 p.m. - Drinks

7:00 p.m. - Dinner

Location: Tohbang, 164 Clerkenwell Road
http://www.tohbang.com/sub_eng/main.php

Sunday, March 24: Day 2 (Research Topics and Strategies)

Location: Old Building, Room 3.21, London School of Economics and Political Science, Houghton Street, London WC2A 2AE

10:00 a.m. - Recap of day one

Masterclass 4 - The UN Universal Periodic Review

Open-space - research and policy priorities

1:00 p.m. - Lunch
Location: Ship Tavern, Holborn

2:30 p.m. - Reconvene

Open space - research, dissemination and communication strategies

Wrapping up and going forward

6:00 p.m. - Dinner
Location: Wahaca, Charlotte St, http://www.wahaca.co.uk/

For more details visit https://cis-india.org/news/global-partners-meeting-london

Global Governance Futures 2027 - Session 3, New Delhi

sumandro — 2017-01-15T11:46:27Z

The Global Governance Futures program (GGF) initiated by Global Public Policy Institute and supported by Robert Bosch Stiftung brings together young professionals to look ahead ten years and recommend ways to address global challenges. Sumandro Chattapadhyay will join Ankhi Das (Facebook) and Arun Mohan Sukumar (Observer Research Foundation) on Tuesday, January 17, to discuss the "data governance" scenarios developed by the GGF 2027 Fellows.

About the Programme: External Link.

GGF 2027 Fellows: External Link.

GGF 2027 Session 3, New Delhi - Agenda: Download (PDF).

For more details visit https://cis-india.org/internet-governance/news/global-governance-futures-2027-session-3-new-delhi

Glaring Errors in UIDAI's Rebuttal

pranesh — 2016-09-18T03:22:32Z

This response note by Pranesh Prakash questions Unique Identification Authority of India’s reply to Hans Verghese Mathews' article titled “Flaws in the UIDAI Process” (EPW, March 12, 2016), which found “serious mathematical errors” in the article.

The article was published in Economic & Political Weekly Vol. 51, Issue No. 36, September 3, 2016.

While I am not a statistician, I have followed the technical debate between Hans Verghese Mathews and the UIDAI closely, and see a number of glaring errors in the latter’s so-called rebuttal in EPW (March 12, 2016).

The UIDAI alleges Mathews to have ignored the evidence that the Receiver Operating Characteristic (ROC) "flattens" with more factors. However, Mathews cannot be accused of ignorance if the flattening of the ROC is not relevant to his argument. To explain this in simple terms, the ROC curve is used to choose the appropriate "threshold distance" which determines false positives and false negatives, and belongs to a stage which precedes the estimation of the false positive identification rates (FPIR).

However, Mathews has used the FPIR estimates provided by the UIDAI (based on evidence from the enrolment of 84 million persons), and calculated how the FPIR changes when extrapolated for a population of 1.2 billion persons. In other words, he did not need to look at the ROC curve as that factor is not relevant to his argument, since he has used UIDAI data (which has presumably been estimated on the basis of all 12 factors : 10 fingerprints and 2 irises).

Further, UIDAI asks why Mathews has assumed a linear curve for his extrapolation. Mathews has done no such thing. In fact, in their paper "Role of Biometric Technology in Aadhaar Enrollment," the UIDAI states: "FPIR rate grows linearly with the database size" (nd, 19). Thus, this is an assumption formerly made by them (without providing rationale for it to be a linear curve as opposed to anything else). Mathews mathematically derives bounds for the FPIR in his paper, that is, the range within which the FPIR lies. One gets a linear curve only if they use the upper bound and not on the usage of anything else. So while Mathews does, as he explains, provide the results of the calculation based on the upper bound for the sake of simplicity, he nowhere asserts nor assumes a linear curve.

If, as the UIDAI claims, one cannot perform such an extrapolation and needs to depend on “empirical evidence” instead, the question arises as to how the UIDAI decided to scale up the programme to 1.3 billion people given the error rates. One could also ask if the machines being used to capture biometrics are good enough for the enlargement. Surely they would have performed some extrapolations to decide this.

In their paper they note that "although it [FPIR] is expected to grow as the database size increases, it is not expected to exceed manageable values even at full enrolment of 120 crores" (UIDAI nd, 13). They do not illustrate the extent to which the FPIR is expected to grow—neither in their initial paper, nor in their rebuttal to Mathews—whereas Mathews provides a method of estimating the increase of FPIR. Even if UIDAI is correct in its appraisal of FPIR and that it will not exceed "manageable values," they need to either exemplify their calculations or release the latest data. They have done neither, and that is quite unfortunate.

References

UIDAI (nd): “Role of Biometric Technology in Aadhaar Enrollment,” Unique Identification Authority of India, Government of India, New Delhi, viewed on 18 August 2016, https://uidai.gov.in/images/FrontPageUpdates/role_of_biometric_technology

Related Links

Flaws in the UIDAI Process http://www.epw.in/journal/2016/9/special-articles/flaws-uidai-process.html
Erring on Aadhaar http://www.epw.in/journal/2016/11/discussion/erring-aadhaar.html
Request for Specifics http://www.epw.in/journal/2016/36/documents/request-specifics-rebuttal-u...
Glaring Errors in UIDAI's Rebuttal http://www.epw.in/journal/2016/36/documents/glaring-errors-uidais-rebutt...
Overlooking the UIDAI Process http://www.epw.in/journal/2016/36/documents/response-hans-verghese-mathe...

For more details visit https://cis-india.org/internet-governance/blog/glaring-errors-in-uidai-rebuttal-epw

Giving out your fingerprint for Aadhar payments is as bad as telling the seller your banking password

praskrishna — 2017-02-07T16:09:53Z

PRS India recently released a report card enlisting the status of all the major policy announcements made by the President on India in his address to the Parliament on 23 February 2016. The policies cover all the major sectors including economy and finance, industry and manufacturing, governance and legal reform, skill development, science and innovation among others.

The blog post by Nimish Sawant was published by First Post Tech 2 on February 3, 2017. Pranesh Prakash was quoted.

Ever since the current government has come into power, there has been a concerted effort to take India on the information highway with technology-backed initiatives. Projects such as Digital India, Smart City Project, Startup India to the latest policy announcements post the demonetisation on 8 November 2016, a lot of has been said about technology.

But there are still areas of improvement, for instance we are yet to have a privacy and data protection law, there is an alarming shortage of cybersecurity experts and we have seen our fair share of government as well as personal data being under jeopardy in the years gone by.

Pranesh Prakash, policy director of the Centre for Internet and Society, has his reservations against the speed at which we are moving towards the dream of a digitised India, without covering the core policies on security, legal frameworks and more. Here is what Prakash has to say.

“All in all, we in India are in a really precarious situation when it comes to Digital India, especially from a legal and regulatory perspective. While the push for digitisation is to be welcome, it should make this more convenient for citizens and that can’t be accomplished by forcing digitisation on people without giving them options.

The Planning Commission put together a group of experts chaired by Justice AP Shah, which came out with a report on privacy principles which were to inform a privacy and data protection law that the government was to introduce in Parliament. That report came out in 2012. In 2017, we are no closer to a privacy and data protection law. The data security practices at the levels of the government and of the private sector are very worrying.

For instance, the Narendra Modi app, which is operated by the BJP, for many months was leaking the personal details of more than 7 million users.

Another example: the government, as per press reports, is going ahead with using fingerprints for authentication of Aadhaar Enabled Payment Systems (AEPS) transactions. While the security architecture of AEPS might in itself be good, the idea of providing your fingerprints to merchants for financial transactions is a terrible idea since that is like asking you to give your bank password to a merchant, and the merchant can reuse that password, and you can’t ever change the password.

Last year Symantec revealed that for more than two years a cyberespionage project (that Symantec called “SuckFly“) had penetrated deep into Indian systems, including Indian government and banking systems. Yet, the government didn’t conduct an enquiry about this and reassure the public on actions being taken to mitigate this.

So while digitisation initiatives are great, there also needs to be a concerted effort to have a secure framework, and there has to be an ease in onboarding the non tech-savvy population as well.”

For more details visit https://cis-india.org/internet-governance/news/first-post-february-3-2017-nimish-sawant-giving-out-your-fingerprint-for-aadhar-payments-is-as-bad-as-telling-the-seller-your-banking-password

Getting the (Digital) Indo-Pacific Economic Framework Right

arindrajit — 2022-10-03T14:56:22Z

On the eve of the Tokyo Quad Summit in May 2022, President Biden unveiled the Indo-Pacific Economic Framework (IPEF), visualising cooperation across the Indo-Pacific based on four pillars: trade; supply chains; clean energy, decarbonisation and infrastructure; and tax and anti-corruption. Galvanised by the US, the other 13 founding members of the IPEF are Australia, Brunei Darussalam, India, Indonesia, Japan, Republic of Korea, Malaysia, New Zealand, Philippines, Singapore, Thailand and Vietnam. The first official in-person Ministerial meeting was held in Los Angeles on 9 September 2022.

The article was originally published in Directions on 16 September 2022.

It is still early days. Given the broad and noncommittal scope of the economic arrangement, it is unlikely that the IPEF will lead to a trade deal among members in the short run. Instead, experts believe that this new arrangement is designed to serve as a ‘framework or starting point’ for members to cooperate on geo-economic issues relevant to the Indo-Pacific, buoyed in no small part by the United States’ desire to make up lost ground and counter Chinese economic influence in the region.

United States Trade Representative (USTR) Katherine Tai has underscored the relevance of the Indo-Pacific digital economy to the US agenda with the IPEF. She has emphasized the importance of collaboratively addressing key connectivity and technology challenges, including standards on cross-border data flows, data localisation and online privacy, as well as the discriminatory and unethical use of artificial intelligence. This is an ambitious agenda given the divergence among members in terms of technological advancement, domestic policy preferences and international negotiating stances at digital trade forums. There is a significant risk that imposing external standards or values on this evolving and politically-contested digital economy landscape will not work, and may even undermine the core potential of the IPEF in the Indo-Pacific. This post evaluates the domestic policy preferences and strategic interests of the Framework’s member states, and how the IPEF can navigate key points of divergence in order to achieve meaningful outcomes.

State of domestic digital policy among IPEF members

Data localisation is a core point of divergence in global digital policymaking. It continues to dominate discourse and trigger dissent at all international trade forums, including the World Trade Organization. IPEF members have a range of domestic mandates restricting cross-border flows, which vary in scope, format and rigidity (see table below). Most countries only have a conditional data localisation requirement, meaning data can only be transferred to countries where it is accorded an equivalent level of protection – unless the individual whose data is being transferred consents to said transfer. Australia and the United States have sectoral localisation requirements for health and defence data respectively. India presently has multiple sectoral data localisation requirements. In particular, a 2018 Reserve Bank of India (RBI) directive imposed strict local storage requirements along with a 24-hour window for foreign processing of payments data generated in India. The RBI imposed a moratorium on the issuance of new cards by several US-based card companies until compliance issues with the data localisation directive were resolved. Furthermore, several iterations of India’s recently withdrawn Personal Data Protection Bill contained localisation requirements for some categories of personal data.

Indonesia and Vietnam have diluted the scopes of their data localisation mandates to apply, respectively, only to companies providing public services and to companies not complying with other local laws. These dilutions may have occurred in response to concerted pushback from foreign technology companies operating in these countries. In addition to sectoral restrictions on the transfer of geospatial data, South Korea retains several procedural checks on cross-border flows, including formalities regarding providing notice to individual users.

Moving onto another issue flagged by USTR Tai, while all IPEF members recognise the right to information privacy at an overarching or constitutional level, the legal and policy contours of data protection are at different stages of evolution in different countries. Japan, South Korea, Malaysia, New Zealand, Philippines, Singapore and Thailand have data protection frameworks in place. Data protection frameworks in India and Brunei are under consultation. Notably, the US does not have a comprehensive federal framework on data privacy, although there are patchworks of data privacy regulations at both the federal and state levels.

Regulation and strategic thinking on artificial intelligence (AI) are also at varying levels of development among IPEF members. India has produced a slew of policy papers on Responsible Artificial Intelligence. The most recent policy paper published by NITI AAYOG (the Indian government’s think tank) refers to constitutional values and endorses a risk-based approach to AI regulation, much like that adopted by the EU. The US National Security Commission on Artificial Intelligence (NSCAI), chaired by Google CEO Eric Schmidt, expressed concerns about the US ceding AI leadership ground to China. The NSCAI’s final report emphasised the need for US leadership of a ‘coalition of democracies’ as an alternative to China’s autocratic and control-oriented model. Singapore has also made key strides on trusted AI, launching A.I. verify – the world’s first AI Governance Testing Framework for companies that wish to demonstrate their use of responsible AI through a minimum verifiable product.

IPEF and pipe dreams of digital trade

Some members of the IPEF are signatories to other regional trade agreements. With the exception of Fiji, India and the US, all the IPEF countries are members of the Regional Comprehensive Economic Partnership (RCEP), which also includes China. Five IPEF member countries are also members of the Comprehensive and Progressive Trans-Pacific Partnership (CPTPP) that President Trump backed out of in 2017. Several IPEF members also have bilateral or trilateral trading agreements among themselves, an example being the Digital Economic Partnership Agreement (DEPA) between Singapore, New Zealand and Chile.

All these ‘mega-regional’ trading agreements contain provisions on data flows, including prohibitions on domestic legal provisions that mandate local computing facilities or restrict cross-border data transfers. Notably, these agreements also incorporate exceptions to these rules. The CPTPP includes within its ambit an exception on the grounds of ‘legitimate public policy objectives’ of the member, while the RCEP incorporates an additional exception for ‘essential security interests’.

IPEF members are also spearheading multilateral efforts related to the digital economy: Australia, Japan and Singapore are working as convenors of the plurilateral Joint Statement Initiative (JSI) at the World Trade Organization (WTO), which counts 86 WTO members as parties. India (along with South Africa) vehemently opposes this plurilateral push on the grounds that the WTO is a multilateral forum functioning on consensus and a plurilateral trade agreement should not be negotiated within the aegis of the WTO. They fear, rightly, that such gambits close out the domestic policy space, especially for evolving digital economy regimes where keen debate and contestation exist among domestic stakeholders. While wary of the implications of the JSI, other IPEF members, such as Indonesia, have cautiously joined the initiative to ensure that they have a voice at the table.

It is unlikely that the IPEF will lead to a digital trade arrangement in the short run. Policymaking on issues as complex as the digital economy that must respond to specific social, economic and (geo)political realities cannot be steamrolled through external trade agreements. For instance, after the Los Angeles Ministerial India opted out of the IPEF trade pillar citing both India’s evolving domestic legislative framework on data and privacy as well as a broader lack of consensus among IPEF members on several issues, including digital trade. Commerce Minister Piyush Goyal explained that India would wait for the “final contours” of the digital trade track to emerge before making any commitments.

Besides, brokering a trade agreement through the IPEF runs a risk of redundancy. Already, there exists a ‘spaghetti bowl’ of regional trading agreements that IPEF members can choose from, in addition to forming bilateral trade ties with each other.

This is why Washington has been clear about calling the IPEF an ‘economic arrangement’ and not a trade agreement. Membership does not imply any legal obligations. Rather than duplicating ongoing efforts or setting unrealistic targets, the IPEF is an opportunity for all players to shape conversations, share best practices and reach compromises, which could feed back into ongoing efforts to negotiate trade deals. For example, several members of RCEP have domestic data localisation mandates that do not violate trade deals because the agreement carves out exceptions that legitimise domestic policy decisions. Exchanges on how these exceptions work in future trade agreements could be a part of the IPEF arrangement and nudge states towards framing digital trade negotiations through other channels, including at the WTO. Furthermore, states like Singapore that have launched AI self-governance mechanisms could share best practices on how these mechanisms were developed as well as evaluations of how they have helped policy goals be met. And these exchanges shouldn’t be limited to existing IPEF members. If the forum works well, countries that share strategic interests in the region with IPEF members, including, most notably, the European Union, may also want to get involved and further develop partnerships in the region.

Countering China

Talking shop on digital trade should certainly not be the only objective of the IPEF. The US has made it clear that they want the message emanating from the IPEF ‘to be heard in Beijing’. Indeed, the IPEF offers an opportunity for the reassertion of US economic interests in a region where President Trump’s withdrawal from the CPTPP has left a vacuum for China to fill. Accordingly, it is no surprise that the IPEF has representation from several regions of the Indo-Pacific: South Asia, Southeast Asia and the Pacific.

This should be an urgent policy priority for all IPEF members. Since its initial announcement in 2015, the Digital Silk Road (DSR), the digital arm of China’s Belt and Road Initiative, has spearheaded massive investments by the Chinese private sector (allegedly under close control of the Chinese state) in e-commerce, fintech, smart cities, data centres, fibre optic cables and telecom networks. This expansion has also happened in the Indo-Pacific, unhampered by China’s aggressive geopolitical posturing in the region through maritime land grabs in the South China Sea. With the exception of Vietnam, which remains wary of China’s economic expansionism, countries in Southeast Asia welcome Chinese investments, extolling their developmental benefits. Several IPEF members – including Indonesia, Malaysia and Singapore – have associations with Chinese private sector companies, predominantly Huawei and ZTE. A study evaluating Indonesia’s response to such investments indicates that while they are aware of the risks posed by Chinese infrastructure, their calculus remains unaltered: development and capacity building remain their primary focuses. Furthermore, on the specific question of surveillance, given evidence of other countries such as the US and Australia also using digital infrastructure for surveillance, the threat from China is not perceived as a unique risk.

Setting expectations and approaches

Still, the risks of excessive dependence on one country for the development of digital infrastructure are well known. While the IPEF cannot realistically expect to displace the DSR, it can be utilised to provide countries with alternatives. This can only be done by issuing carrots rather than sticks. A US narrative extolling ‘digital democracy’ is unlikely to gain traction in a region characterised by a diversity of political systems that is focused on economic and development needs. At the same time, an excessive focus on thorny domestic policy issues – such as data localisation and the pipe dream of yet another mega-regional trade deal – could risk derailing the geo-economic benefits of the IPEF.

Instead, the IPEF must focus on capacity building, training and private sector investment in infrastructure across the Indo-Pacific. The US must position itself as a geopolitically reliable ally, interested in the overall stability of the digital Indo-Pacific, beyond its own economic or policy preferences. This applies equally to other external actors, like the EU, who may be interested in engaging with or shaping the digital economic landscape in the Indo-Pacific.

Countering Chinese economic influence and complementing security agendas set through other fora – such as the Quadrilateral Security Dialogue – should be the primary objective of the IPEF. It is crucial that unrealistic ambitions seeking convergence on values or domestic policy do not undermine strategic interests and dilute the immense potential of the IPEF in catalysing a more competitive and secure digital Indo-Pacific.

Table: Domestic policy positions on data localisation and data protection

For more details visit https://cis-india.org/internet-governance/blog/directions-cyber-digital-europe-arindrajit-basu-september-16-2022-getting-the-digital-indo-pacific-economic-framework-right

Get an Aadhaar card if you don't have one

praskrishna — 2017-04-04T15:39:05Z

The Aadhaar number has been made compulsory for filing tax return. With both the government and private parties insisting on it for various activities despite the Supreme Court's assertion that is not mandatory, you need to get one at the earliest.

The article by Priya Nair and Sanjay Kumar Singh was published in the Business Standard on March 27, 2017. Udbhav Tiwari was quoted.

Until now the need for an Aadhaar card arose if someone wanted to avail of the LPG subsidy, or if senior citizens wanted to enjoy a concession on train tickets. This 12-digit number, which is a proof of identity, is largely used by the government to distribute cash benefits and other subsidies under its welfare schemes. Since submitting the Aadhaar card at the time of opening a bank account, investing in a mutual fund, etc is optional (you can submit another proof of identity), many people have still not bothered to get one. That ambivalent attitude will now have to change.

This year onwards all those filing income tax returns will have to furnish their Aadhaar number. There is a field in the income tax return form for Aadhaar number. Don’t forget to fill it this year. If you do not have an Aadhaar number, you will have to submit the enrolment number of your application for Aadhaar. "In case of failure to intimate the Aadhaar number, the PAN allotted to the person shall be deemed invalid and the other provisions of the Income Tax Act shall apply, as if the person has not applied for allotment of PAN," says Amarpal Chadha, tax partner, people advisory services, EY India.

Experts say that this step has been taken to deal with the problem of duplicate permanent account numbers (PAN) and to control black money. Says Kuldip Kumar, partner and leader-personal tax at PwC India: “Many people have more than one PAN, even though there is a penalty under the Income Tax Act for doing so. The government is linking PAN to Aadhaar to deal with this problem. This step will also help control black money. Whether you invest in stocks, shares, or do any other high-value transaction, over a period of time the tax department will be able to see all this information at the click of a button." Other experts also agree that this step will create an audit trail for various transactions. “Linking of Aadhaar and PAN will throw up any discrepancies in reported transactions and provide a ready database to the revenue authorities for necessary action,” says Vikas Vasal, partner, Grant Thornton India.

Interim problems
This measure is expected to create a slew of problems for people. Many individuals may still not have an Aadhaar card. They should apply for one post-haste. Everyone needs to check if their Aadhaar and PAN details match. If there are discrepancies between the two, get either your Aadhaar or PAN details updated so that you do not face problems at the time of filing returns. Details on how to update the Aadhaar and PAN are available on the web sites of UID and the IT department respectively (see box).

Non-Resident Indians (NRI) and foreign nationals may also need to obtain an Aadhaar number now. Many NRIs have an income (before claiming any deduction) that exceeds the basic exemption limit of Rs 2.5 lakh, and hence file a tax return in India. Foreign nationals who have spent time in India and earned an income also need to file a tax return. Indian residents who have been sent by their companies to work abroad will also have to scramble for the card. "March is about to end and tax returns will have to be filed by the end of July. Persons who have to file a tax return but are abroad will face a challenge getting the Aadhaar card made in time since you have to be physically present in India for this purpose,’’ says Kumar. The government may possibly grant some leeway to such people.

Even though the Supreme Court has said that Aadhaar is not mandatory, there are several instances where the authorities are insisting on it. Those applying for domicile proof and those who want to get their property registered are being asked to provide this number. Some telecom providers also insist on it before giving a connection. Schools are asking for it from students. You need it to appear for competitive exams like IIT JEE. Online providers of financial products insist on Aadhaar since it makes KYC easier. With the government moving strongly towards making Aadhaar compulsory, one can't escape complying with this regulation.

Risks of an Aadhaar-centric system
There are several risks associated with Aadhaar, whose basic purpose is authentication and authorisation. The first problem arises from the fact that it is easily accessible to miscreants. Aadhaar numbers of thousands of people have been uploaded on the Internet. "Since the Aadhaar number has to be given at so many places, it can be misused to pull information about people from the centralised database. In the case of credit and debit cards, we are told not to shares these numbers publicly as the number is the first thing required for carrying out a transaction. That is not the case with Aadhaar. UID's position is that you should treat your Aadhaar number carefully. But the fact is that the Aadhaar number is not used carefully either by consumers or businesses. It is a fairly public number. With Aadhaar too much power is being vested in a number that is quite public,’’ says Udbhav Tiwari, policy officer, Centre for Internet and Society, Bengaluru.

Second, Aadhaar has a centralised database, and all centralised databases are vulnerable to hacking. Third, biometrics are not a very secure form of authentication. "Fingerprints are easy to forge. The UID says that the device (used to check the fingerprint) should not remember the biometrics but should only transfer it to UID which will verify the information. But miscreants could use a device that captures your biometrics," says Tiwari.

Other documents used for identification like PAN and passport are not easy to duplicate because of their security features. PAN, for instance, has a hologram. The power of the passport lies not in the passport number but in the document. Without the passport one cannot travel internationally. But in case of Aadhaar one can go on the Internet and print a new Aadhaar card. “If somebody has managed to capture my fingerprint and has my Aadhaar number, he can use it wherever Aadhaar is required,’’ says Tiwari.

For more details visit https://cis-india.org/internet-governance/news/business-standard-march-27-2017-priya-nair-and-sanjay-kumar-singh-get-an-aadhaar-card-if-you-dont-have-one

Genetic Profiling: Is it all in the DNA?

praskrishna — 2015-09-13T09:47:17Z

A Bill seeks to make genetic profiling mandatory for the fight against crime—and generates a debate about the clash of ethics, freedom, science and data.

The article by Ullekh NP was published in Open Magazine on August 7, 2015. Sunil Abraham gave his inputs.

When British geneticist Sir Alec Jeffreys first developed the DNA profiling test 31 years ago in his laboratory at Leicester University, he didn’t help the police prove a man guilty. His test—back then it took weeks to complete DNA profiling procedures as opposed to a few hours now—proved that a rape suspect in police custody was innocent. Details from the whole exercise also subsequently helped the local police nab the real criminal, who had killed his teenaged rape victim. Later, the police found that he was the one who had committed a similar crime three years earlier in a village nearby. Britain was destined to make great gains in solving crimes thanks to DNA identification, while the rest of the developed world, including the US, caught up later, but only after lagging initially thanks to the relentless—and sometimes ill-founded—opposition from civil liberties activists. In India, the Human DNA Profiling Bill, 2015, a proposed law that envisages collecting DNA finger prints—which are unique to an individual—especially of criminals, has been in the making for the past 12 years. The draft bill, which will shortly be placed before the Union Cabinet for its nod, has been prepared by the Department of Biotechnology and the Centre for DNA Fingerprinting & Diagnostics (CDFD), a Hyderabad-based Central Government-run agency, after examining and reviewing submissions by a panel of experts, holding consultations with various stakeholders and getting responses from the public. Notwithstanding the claims of safeguards against any misuse of the intended DNA data base, activists, lawyers, internet freedom fighters, civil liberty activists and columnists have been up in arms against the Government, arguing that the DNA profiling bill is ill- conceived and naïve—to the extent that it would destroy an individual’s right to privacy as it lacks provisions to check data tampering.

The international experience has proved otherwise. Ever since Sir Jeffreys extracted DNA from human muscle tissue, identified and processed genetic markers (which are unique to individuals except in the case of identical twins) from what was until then considered ‘seemingly purposeless segments of the human DNA’ in the words of writers Peter Reinharz and Howard Safir, more than 500,000 ‘otherwise unsolvable’ cases have been solved in the developed world thanks to the DNA identification, note CDFD scientists. DNA is the hereditary material in the human body. It is found in blood, saliva, urine, strands of hair, semen, tears, skin, etcetera.

Dr Madhusudan Reddy Nandineni, staff scientist and group leader, laboratory of DNA fingerprinting services and laboratory of genomics and profiling applications, CDFD, is worried that opposition to the Bill is gaining momentum in India due to a raft of reasons. Of course, the West, too, has witnessed sharp protests against DNA profiling laws. One of the key reasons anti-profiling activists have an edge, says a senior Home Ministry official who asks not to be named, is that there is a “general public anxiety” over “anything to do with disclosing personal details”. He agrees that the tests are going to be intrusive, because muscle tissue may have to be collected from private parts. The procedure of DNA sample collection—as explained in the draft Bill submitted in January by a committee headed by TS Rao, senior adviser to the department of biotechnology—talks about obtaining intimate body samples of living persons (on page 6-7 of the 48- page document) from ‘the genital or anal area, the buttocks and also breasts in the case of a female’. According to the draft Bill, it also involves external examination of private parts, taking samples from pubic hair or by swabs or washing or by vacuum suction, by scraping or by lifting by tape and taking of a photograph or video recording of, or an impression or cast of a wound in those areas. “But then, it is par for the course,” says the Home Ministry official by way of justification.

American military historian and author Edward Luttwak agrees that DNA profiling is a significant intrusion into the “very body of a citizen”. That is the price one has to pay in the choice between liberty and equality before investigation, he posits. Luttwak is glad that in the US, as well as in other countries that have such profiling laws, DNA identification has yielded results. “It protects suspicious/ low status but innocent people from false accusations and helps to catch clever/high-status law-breakers,” he says.

+++

For his part, Dr Nandineni says that every aspect of the Human DNA Profiling Bill for India is based on similar legislation that has already been implemented in the US, Canada, UK, Australia and Continental Europe for more than 20 years. He also contends that the benefits that have accrued there are enormous, which India has missed out on for all these years. “In all these countries, the concerns of the general public on privacy matters have been allayed in their legislation,” he adds. He points out that the retention of DNA profiles in a ‘DNA Data Bank’ is meant to apprehend repeat offenders and thus serve a larger societal good. As regards privacy concerns, Dr Nandineni says that consultations on the preparations of the Bill lasted for 2-3 years and took into account the views of an expert committee whose members included representatives of NGOs.

Dr Nandineni is of the view that the opponents of the Bill have managed to get an upper hand in a national debate thanks to their media-savvy backgrounds. Agrees the Home Ministry official: “Perhaps the drafters of the Bill have not been communicative enough in getting their points across to the public and the media. Which might explain why the Bill has come under tremendous attack in the media. Even otherwise, global trends also show that civil liberty rights activists have had great initial advantage in their campaign against DNA profiling.” After all, the potential for misuse of DNA samples is not restricted to biological material collected under the provisions of the DNA Bill alone, Nandineni offers. “Any and every blood sample collected by a clinical laboratory has the same potential for misuse,” he says.

While Dr J Gowrishankar, director, CDFD, has been vocal about the positives of the Bill, its opponents have been louder. Many of those who oppose the Bill say the question is not one of being loud or feeble, but about being naïve or not.

The likes of Sunil Abraham, executive director of Bangalore-based internet research organisation Centre for Internet and Society (CIS), have no argument against DNA profiling being the gold standard for all forensic investigations. “There is nothing wrong with using DNA evidence for forensic purposes,” says Abraham, “However, the draft Bill is filled with techno-utopianism; it assumes that the people and machines that leverage DNA technologies are infallible.” He goes on, “This is not true. It is easier to tamper with DNA evidence than it is to tamper with a video recording. Therefore, all we are asking for are process checks that prevent compromised persons and machines from using DNA evidence to convict or exonerate the wrong person.” His contention is that if the DNA sample is sent to two different labs and both labs come back with exactly the same result, then the courts can be convinced of the veracity of the result. “Also the Bill says that DNA labs will give courts ‘yes’ or ‘no’ answers to questions related to DNA matching. But ideally, the lab must give the exact match percentage along with all the detailed information that emerges from the match process so that the court can fully appreciate the significance of the DNA evidence,” he suggests.

Abraham and legal scholar Usha Ramanathan—both members of the expert panel who filed notes of dissent and disagreed with various aspects of the Bill—have a problem with the claim that the proposed DNA data bank will cover only criminals and not the general public. Points out Ramanathan: “The Bill does not restrict the data base to criminals alone, not by a long shot. The provision in the proposed Bill reads: ‘(Clause 31(4)) Every DNA Data Bank shall maintain following indices for various categories of data, namely: (a) a crime scene index; (b) a suspects’ index; (c) an offenders’ index; (d) a missing persons’ index; (e) unknown deceased persons’ index; (f) a volunteers’ index; and (g) such other DNA indices as may be specified by regulations.’ That is an elaborate set of indices. There is certainly a lot of the ‘general public’ in it.”

Supporters of the DNA Profiling Bill have maintained that a DNA data bank is not for the public but only for a limited category of individuals. The proposed law also provides for storing profiles with the consent of relatives of missing children and grownups so that relationship identities can be established.

Ramanathan is also worried that apart from purposes of criminal justice, DNA profiling may be extended to parental disputes (maternity or paternity), issues related to pedigree, those related to assisted reproductive technologies (surrogacy, in vitro fertilisation or IVF, intrauterine implantation or IUI, and so on), to transplantation of human organs (donor and recipient) under the Transplantation of Human Organs Act, 1994, and also related to immigration or emigration. She had objected to the requirement of revealing a person’s caste in the application form for offering blood samples. “This Bill is certainly not a convict data base. The ambitions are much much vaster, and little to do with crime control,” she alleges.

Abraham agrees that some safeguards have been built in the proposed law to prevent any misuse of DNA data under pressure from expert panel members such as him. However, he says, cyber security and privacy-related issues are not addressed in a comprehensive manner. “The Bill basically hopes that the Privacy Bill will address all of this when it becomes law. But unfortunately, a bill could take 7-10 years before it becomes law,” he says.

Dr Gowrishankar of CDFD and others have conceded that it was the decision of the expert panel to include an enabling provision for the privacy issues of DNA profiling to comply with the proposed Privacy Bill.

Abraham says that various measures to prevent ‘privacy harms’ to volunteers are missing in the latest draft of the Bill. “Given that biometric technology works on probabilistic matching, the larger the size of the database, the larger the incidence of mistaken identification. Therefore it is important that the database remain as small as necessary,” he asserts.

+++

The estimated cost of the Bill is Rs 20 crore—to create the infrastructure for the DNA Profiling Board and the data bank, which includes buildings, furniture, computer servers and so on. Among other things, the DNA Profiling Board is tasked with the responsibility of laying down and implementing standards for laboratories and proper protocols for ‘Data Bank’ operations.

CDFD scientists and government officials are keen to highlight the ‘under- hyped’ benefits of DNA profiling –similar to the Innocence Project in the US, which was aimed at securing the release of people who were erroneously convicted on the basis of other lines of evidence. Abraham has no patience for such comparisons. “DNA profiling for forensic purposes is very advanced and sophisticated, but technologies do not exist in a vacuum,” he says, “These advanced technologies have to work within traditional institutions with vulnerabilities and flaws. We need to, therefore, have non-technological procedural fixes that ensure that these technologies are not compromised by money and power. The choice is between the right to privacy and the rights and requirements of the criminal justice process.”

Ramanathan agrees with that view. “In the Indian context, the state of investigation is so poor that we have been looking for ways of circumventing our problems, not addressing them. That is how narco-analysis began to be used, till the court struck it down. DNA may be more reliable than most other scientific tools available to us today, but it is not all about the science. We also have to worry about contamination, what happens in the chain of custody, its potential for being planted or otherwise abused, and the errors even in the laboratory. You may remember the avowed mix-up of results in the Aarushi [Talwar murder] case, something the lab said they noticed over two years after they had given it to the investigators. The danger of treating DNA as conclusive and not needing corroboration is exacerbated in this kind of a vulnerable system. Which is why bringing this into a DNA data base law and not putting any checks on criminal procedure is less than wise,” she elaborates. She is least impressed with the ‘idea’ of ‘pedigree’ and of ‘population genetics’ in the Bill. “Institutions like the CDFD have been collecting DNA from suspects and asking for the caste of the person on the form. How does this seem innocent and safeguarded?” she asks.

Meanwhile, columnist and author Salil Tripathi says that it is sheer hubris to think that technology will provide all the answers to crime-fighting. “Tech- nology is enormously useful and powerful, but it is value-neutral; it can be used for good or bad ends… There have to be sufficient safeguards, overseen not only by technologists, law enforcement officers and bureaucrats, but also by lawyers and civil liberties experts, who can point out potential flaws and misuse and prevent those.”

Tripathi, too, is piqued that one of the markers sought is of caste. “Why?” he asks, emphatic that the country’s people should be concerned about allowing the state so much power over their lives. “And it may not be only the state; given that the scope of its future expansion is undefined, what guarantees are there that private actors won’t have access to the data, and if so, what security protocols would apply?”

Dr Gowrishankar and Dr Nandineni are right in saying that without DNA fingerprinting, many international criminals would still be at liberty, and the opponents of the Bill do not disagree with the efficacy of the technique developed by Sir Jeffreys. Instead, they are placing the spotlight on various objectionable aspects in the proposed law. In a country which first needs—according to former RAW chief Vikram Sood—to ensure access to Photofit (a technique to create an accurate image of a person that gels with a witness’ description) for its ground-level police operatives to combat crime, critics of the Bill seem to have won the war of words.

For more details visit https://cis-india.org/internet-governance/news/open-magazine-august-7-2015-ullekh-np-genetic-profiling