Centre for Internet and Society

Glaring Errors in UIDAI's Rebuttal

pranesh — 2016-09-18T03:22:32Z

This response note by Pranesh Prakash questions Unique Identification Authority of India’s reply to Hans Verghese Mathews' article titled “Flaws in the UIDAI Process” (EPW, March 12, 2016), which found “serious mathematical errors” in the article.

The article was published in Economic & Political Weekly Vol. 51, Issue No. 36, September 3, 2016.

While I am not a statistician, I have followed the technical debate between Hans Verghese Mathews and the UIDAI closely, and see a number of glaring errors in the latter’s so-called rebuttal in EPW (March 12, 2016).

The UIDAI alleges Mathews to have ignored the evidence that the Receiver Operating Characteristic (ROC) "flattens" with more factors. However, Mathews cannot be accused of ignorance if the flattening of the ROC is not relevant to his argument. To explain this in simple terms, the ROC curve is used to choose the appropriate "threshold distance" which determines false positives and false negatives, and belongs to a stage which precedes the estimation of the false positive identification rates (FPIR).

However, Mathews has used the FPIR estimates provided by the UIDAI (based on evidence from the enrolment of 84 million persons), and calculated how the FPIR changes when extrapolated for a population of 1.2 billion persons. In other words, he did not need to look at the ROC curve as that factor is not relevant to his argument, since he has used UIDAI data (which has presumably been estimated on the basis of all 12 factors : 10 fingerprints and 2 irises).

Further, UIDAI asks why Mathews has assumed a linear curve for his extrapolation. Mathews has done no such thing. In fact, in their paper "Role of Biometric Technology in Aadhaar Enrollment," the UIDAI states: "FPIR rate grows linearly with the database size" (nd, 19). Thus, this is an assumption formerly made by them (without providing rationale for it to be a linear curve as opposed to anything else). Mathews mathematically derives bounds for the FPIR in his paper, that is, the range within which the FPIR lies. One gets a linear curve only if they use the upper bound and not on the usage of anything else. So while Mathews does, as he explains, provide the results of the calculation based on the upper bound for the sake of simplicity, he nowhere asserts nor assumes a linear curve.

If, as the UIDAI claims, one cannot perform such an extrapolation and needs to depend on “empirical evidence” instead, the question arises as to how the UIDAI decided to scale up the programme to 1.3 billion people given the error rates. One could also ask if the machines being used to capture biometrics are good enough for the enlargement. Surely they would have performed some extrapolations to decide this.

In their paper they note that "although it [FPIR] is expected to grow as the database size increases, it is not expected to exceed manageable values even at full enrolment of 120 crores" (UIDAI nd, 13). They do not illustrate the extent to which the FPIR is expected to grow—neither in their initial paper, nor in their rebuttal to Mathews—whereas Mathews provides a method of estimating the increase of FPIR. Even if UIDAI is correct in its appraisal of FPIR and that it will not exceed "manageable values," they need to either exemplify their calculations or release the latest data. They have done neither, and that is quite unfortunate.

References

UIDAI (nd): “Role of Biometric Technology in Aadhaar Enrollment,” Unique Identification Authority of India, Government of India, New Delhi, viewed on 18 August 2016, https://uidai.gov.in/images/FrontPageUpdates/role_of_biometric_technology

Related Links

Flaws in the UIDAI Process http://www.epw.in/journal/2016/9/special-articles/flaws-uidai-process.html
Erring on Aadhaar http://www.epw.in/journal/2016/11/discussion/erring-aadhaar.html
Request for Specifics http://www.epw.in/journal/2016/36/documents/request-specifics-rebuttal-u...
Glaring Errors in UIDAI's Rebuttal http://www.epw.in/journal/2016/36/documents/glaring-errors-uidais-rebutt...
Overlooking the UIDAI Process http://www.epw.in/journal/2016/36/documents/response-hans-verghese-mathe...

For more details visit https://cis-india.org/internet-governance/blog/glaring-errors-in-uidai-rebuttal-epw

Giving out your fingerprint for Aadhar payments is as bad as telling the seller your banking password

praskrishna — 2017-02-07T16:09:53Z

PRS India recently released a report card enlisting the status of all the major policy announcements made by the President on India in his address to the Parliament on 23 February 2016. The policies cover all the major sectors including economy and finance, industry and manufacturing, governance and legal reform, skill development, science and innovation among others.

The blog post by Nimish Sawant was published by First Post Tech 2 on February 3, 2017. Pranesh Prakash was quoted.

Ever since the current government has come into power, there has been a concerted effort to take India on the information highway with technology-backed initiatives. Projects such as Digital India, Smart City Project, Startup India to the latest policy announcements post the demonetisation on 8 November 2016, a lot of has been said about technology.

But there are still areas of improvement, for instance we are yet to have a privacy and data protection law, there is an alarming shortage of cybersecurity experts and we have seen our fair share of government as well as personal data being under jeopardy in the years gone by.

Pranesh Prakash, policy director of the Centre for Internet and Society, has his reservations against the speed at which we are moving towards the dream of a digitised India, without covering the core policies on security, legal frameworks and more. Here is what Prakash has to say.

“All in all, we in India are in a really precarious situation when it comes to Digital India, especially from a legal and regulatory perspective. While the push for digitisation is to be welcome, it should make this more convenient for citizens and that can’t be accomplished by forcing digitisation on people without giving them options.

The Planning Commission put together a group of experts chaired by Justice AP Shah, which came out with a report on privacy principles which were to inform a privacy and data protection law that the government was to introduce in Parliament. That report came out in 2012. In 2017, we are no closer to a privacy and data protection law. The data security practices at the levels of the government and of the private sector are very worrying.

For instance, the Narendra Modi app, which is operated by the BJP, for many months was leaking the personal details of more than 7 million users.

Another example: the government, as per press reports, is going ahead with using fingerprints for authentication of Aadhaar Enabled Payment Systems (AEPS) transactions. While the security architecture of AEPS might in itself be good, the idea of providing your fingerprints to merchants for financial transactions is a terrible idea since that is like asking you to give your bank password to a merchant, and the merchant can reuse that password, and you can’t ever change the password.

Last year Symantec revealed that for more than two years a cyberespionage project (that Symantec called “SuckFly“) had penetrated deep into Indian systems, including Indian government and banking systems. Yet, the government didn’t conduct an enquiry about this and reassure the public on actions being taken to mitigate this.

So while digitisation initiatives are great, there also needs to be a concerted effort to have a secure framework, and there has to be an ease in onboarding the non tech-savvy population as well.”

For more details visit https://cis-india.org/internet-governance/news/first-post-february-3-2017-nimish-sawant-giving-out-your-fingerprint-for-aadhar-payments-is-as-bad-as-telling-the-seller-your-banking-password

Getting the (Digital) Indo-Pacific Economic Framework Right

arindrajit — 2022-10-03T14:56:22Z

On the eve of the Tokyo Quad Summit in May 2022, President Biden unveiled the Indo-Pacific Economic Framework (IPEF), visualising cooperation across the Indo-Pacific based on four pillars: trade; supply chains; clean energy, decarbonisation and infrastructure; and tax and anti-corruption. Galvanised by the US, the other 13 founding members of the IPEF are Australia, Brunei Darussalam, India, Indonesia, Japan, Republic of Korea, Malaysia, New Zealand, Philippines, Singapore, Thailand and Vietnam. The first official in-person Ministerial meeting was held in Los Angeles on 9 September 2022.

The article was originally published in Directions on 16 September 2022.

It is still early days. Given the broad and noncommittal scope of the economic arrangement, it is unlikely that the IPEF will lead to a trade deal among members in the short run. Instead, experts believe that this new arrangement is designed to serve as a ‘framework or starting point’ for members to cooperate on geo-economic issues relevant to the Indo-Pacific, buoyed in no small part by the United States’ desire to make up lost ground and counter Chinese economic influence in the region.

United States Trade Representative (USTR) Katherine Tai has underscored the relevance of the Indo-Pacific digital economy to the US agenda with the IPEF. She has emphasized the importance of collaboratively addressing key connectivity and technology challenges, including standards on cross-border data flows, data localisation and online privacy, as well as the discriminatory and unethical use of artificial intelligence. This is an ambitious agenda given the divergence among members in terms of technological advancement, domestic policy preferences and international negotiating stances at digital trade forums. There is a significant risk that imposing external standards or values on this evolving and politically-contested digital economy landscape will not work, and may even undermine the core potential of the IPEF in the Indo-Pacific. This post evaluates the domestic policy preferences and strategic interests of the Framework’s member states, and how the IPEF can navigate key points of divergence in order to achieve meaningful outcomes.

State of domestic digital policy among IPEF members

Data localisation is a core point of divergence in global digital policymaking. It continues to dominate discourse and trigger dissent at all international trade forums, including the World Trade Organization. IPEF members have a range of domestic mandates restricting cross-border flows, which vary in scope, format and rigidity (see table below). Most countries only have a conditional data localisation requirement, meaning data can only be transferred to countries where it is accorded an equivalent level of protection – unless the individual whose data is being transferred consents to said transfer. Australia and the United States have sectoral localisation requirements for health and defence data respectively. India presently has multiple sectoral data localisation requirements. In particular, a 2018 Reserve Bank of India (RBI) directive imposed strict local storage requirements along with a 24-hour window for foreign processing of payments data generated in India. The RBI imposed a moratorium on the issuance of new cards by several US-based card companies until compliance issues with the data localisation directive were resolved. Furthermore, several iterations of India’s recently withdrawn Personal Data Protection Bill contained localisation requirements for some categories of personal data.

Indonesia and Vietnam have diluted the scopes of their data localisation mandates to apply, respectively, only to companies providing public services and to companies not complying with other local laws. These dilutions may have occurred in response to concerted pushback from foreign technology companies operating in these countries. In addition to sectoral restrictions on the transfer of geospatial data, South Korea retains several procedural checks on cross-border flows, including formalities regarding providing notice to individual users.

Moving onto another issue flagged by USTR Tai, while all IPEF members recognise the right to information privacy at an overarching or constitutional level, the legal and policy contours of data protection are at different stages of evolution in different countries. Japan, South Korea, Malaysia, New Zealand, Philippines, Singapore and Thailand have data protection frameworks in place. Data protection frameworks in India and Brunei are under consultation. Notably, the US does not have a comprehensive federal framework on data privacy, although there are patchworks of data privacy regulations at both the federal and state levels.

Regulation and strategic thinking on artificial intelligence (AI) are also at varying levels of development among IPEF members. India has produced a slew of policy papers on Responsible Artificial Intelligence. The most recent policy paper published by NITI AAYOG (the Indian government’s think tank) refers to constitutional values and endorses a risk-based approach to AI regulation, much like that adopted by the EU. The US National Security Commission on Artificial Intelligence (NSCAI), chaired by Google CEO Eric Schmidt, expressed concerns about the US ceding AI leadership ground to China. The NSCAI’s final report emphasised the need for US leadership of a ‘coalition of democracies’ as an alternative to China’s autocratic and control-oriented model. Singapore has also made key strides on trusted AI, launching A.I. verify – the world’s first AI Governance Testing Framework for companies that wish to demonstrate their use of responsible AI through a minimum verifiable product.

IPEF and pipe dreams of digital trade

Some members of the IPEF are signatories to other regional trade agreements. With the exception of Fiji, India and the US, all the IPEF countries are members of the Regional Comprehensive Economic Partnership (RCEP), which also includes China. Five IPEF member countries are also members of the Comprehensive and Progressive Trans-Pacific Partnership (CPTPP) that President Trump backed out of in 2017. Several IPEF members also have bilateral or trilateral trading agreements among themselves, an example being the Digital Economic Partnership Agreement (DEPA) between Singapore, New Zealand and Chile.

All these ‘mega-regional’ trading agreements contain provisions on data flows, including prohibitions on domestic legal provisions that mandate local computing facilities or restrict cross-border data transfers. Notably, these agreements also incorporate exceptions to these rules. The CPTPP includes within its ambit an exception on the grounds of ‘legitimate public policy objectives’ of the member, while the RCEP incorporates an additional exception for ‘essential security interests’.

IPEF members are also spearheading multilateral efforts related to the digital economy: Australia, Japan and Singapore are working as convenors of the plurilateral Joint Statement Initiative (JSI) at the World Trade Organization (WTO), which counts 86 WTO members as parties. India (along with South Africa) vehemently opposes this plurilateral push on the grounds that the WTO is a multilateral forum functioning on consensus and a plurilateral trade agreement should not be negotiated within the aegis of the WTO. They fear, rightly, that such gambits close out the domestic policy space, especially for evolving digital economy regimes where keen debate and contestation exist among domestic stakeholders. While wary of the implications of the JSI, other IPEF members, such as Indonesia, have cautiously joined the initiative to ensure that they have a voice at the table.

It is unlikely that the IPEF will lead to a digital trade arrangement in the short run. Policymaking on issues as complex as the digital economy that must respond to specific social, economic and (geo)political realities cannot be steamrolled through external trade agreements. For instance, after the Los Angeles Ministerial India opted out of the IPEF trade pillar citing both India’s evolving domestic legislative framework on data and privacy as well as a broader lack of consensus among IPEF members on several issues, including digital trade. Commerce Minister Piyush Goyal explained that India would wait for the “final contours” of the digital trade track to emerge before making any commitments.

Besides, brokering a trade agreement through the IPEF runs a risk of redundancy. Already, there exists a ‘spaghetti bowl’ of regional trading agreements that IPEF members can choose from, in addition to forming bilateral trade ties with each other.

This is why Washington has been clear about calling the IPEF an ‘economic arrangement’ and not a trade agreement. Membership does not imply any legal obligations. Rather than duplicating ongoing efforts or setting unrealistic targets, the IPEF is an opportunity for all players to shape conversations, share best practices and reach compromises, which could feed back into ongoing efforts to negotiate trade deals. For example, several members of RCEP have domestic data localisation mandates that do not violate trade deals because the agreement carves out exceptions that legitimise domestic policy decisions. Exchanges on how these exceptions work in future trade agreements could be a part of the IPEF arrangement and nudge states towards framing digital trade negotiations through other channels, including at the WTO. Furthermore, states like Singapore that have launched AI self-governance mechanisms could share best practices on how these mechanisms were developed as well as evaluations of how they have helped policy goals be met. And these exchanges shouldn’t be limited to existing IPEF members. If the forum works well, countries that share strategic interests in the region with IPEF members, including, most notably, the European Union, may also want to get involved and further develop partnerships in the region.

Countering China

Talking shop on digital trade should certainly not be the only objective of the IPEF. The US has made it clear that they want the message emanating from the IPEF ‘to be heard in Beijing’. Indeed, the IPEF offers an opportunity for the reassertion of US economic interests in a region where President Trump’s withdrawal from the CPTPP has left a vacuum for China to fill. Accordingly, it is no surprise that the IPEF has representation from several regions of the Indo-Pacific: South Asia, Southeast Asia and the Pacific.

This should be an urgent policy priority for all IPEF members. Since its initial announcement in 2015, the Digital Silk Road (DSR), the digital arm of China’s Belt and Road Initiative, has spearheaded massive investments by the Chinese private sector (allegedly under close control of the Chinese state) in e-commerce, fintech, smart cities, data centres, fibre optic cables and telecom networks. This expansion has also happened in the Indo-Pacific, unhampered by China’s aggressive geopolitical posturing in the region through maritime land grabs in the South China Sea. With the exception of Vietnam, which remains wary of China’s economic expansionism, countries in Southeast Asia welcome Chinese investments, extolling their developmental benefits. Several IPEF members – including Indonesia, Malaysia and Singapore – have associations with Chinese private sector companies, predominantly Huawei and ZTE. A study evaluating Indonesia’s response to such investments indicates that while they are aware of the risks posed by Chinese infrastructure, their calculus remains unaltered: development and capacity building remain their primary focuses. Furthermore, on the specific question of surveillance, given evidence of other countries such as the US and Australia also using digital infrastructure for surveillance, the threat from China is not perceived as a unique risk.

Setting expectations and approaches

Still, the risks of excessive dependence on one country for the development of digital infrastructure are well known. While the IPEF cannot realistically expect to displace the DSR, it can be utilised to provide countries with alternatives. This can only be done by issuing carrots rather than sticks. A US narrative extolling ‘digital democracy’ is unlikely to gain traction in a region characterised by a diversity of political systems that is focused on economic and development needs. At the same time, an excessive focus on thorny domestic policy issues – such as data localisation and the pipe dream of yet another mega-regional trade deal – could risk derailing the geo-economic benefits of the IPEF.

Instead, the IPEF must focus on capacity building, training and private sector investment in infrastructure across the Indo-Pacific. The US must position itself as a geopolitically reliable ally, interested in the overall stability of the digital Indo-Pacific, beyond its own economic or policy preferences. This applies equally to other external actors, like the EU, who may be interested in engaging with or shaping the digital economic landscape in the Indo-Pacific.

Countering Chinese economic influence and complementing security agendas set through other fora – such as the Quadrilateral Security Dialogue – should be the primary objective of the IPEF. It is crucial that unrealistic ambitions seeking convergence on values or domestic policy do not undermine strategic interests and dilute the immense potential of the IPEF in catalysing a more competitive and secure digital Indo-Pacific.

Table: Domestic policy positions on data localisation and data protection

For more details visit https://cis-india.org/internet-governance/blog/directions-cyber-digital-europe-arindrajit-basu-september-16-2022-getting-the-digital-indo-pacific-economic-framework-right

Get an Aadhaar card if you don't have one

praskrishna — 2017-04-04T15:39:05Z

The Aadhaar number has been made compulsory for filing tax return. With both the government and private parties insisting on it for various activities despite the Supreme Court's assertion that is not mandatory, you need to get one at the earliest.

The article by Priya Nair and Sanjay Kumar Singh was published in the Business Standard on March 27, 2017. Udbhav Tiwari was quoted.

Until now the need for an Aadhaar card arose if someone wanted to avail of the LPG subsidy, or if senior citizens wanted to enjoy a concession on train tickets. This 12-digit number, which is a proof of identity, is largely used by the government to distribute cash benefits and other subsidies under its welfare schemes. Since submitting the Aadhaar card at the time of opening a bank account, investing in a mutual fund, etc is optional (you can submit another proof of identity), many people have still not bothered to get one. That ambivalent attitude will now have to change.

This year onwards all those filing income tax returns will have to furnish their Aadhaar number. There is a field in the income tax return form for Aadhaar number. Don’t forget to fill it this year. If you do not have an Aadhaar number, you will have to submit the enrolment number of your application for Aadhaar. "In case of failure to intimate the Aadhaar number, the PAN allotted to the person shall be deemed invalid and the other provisions of the Income Tax Act shall apply, as if the person has not applied for allotment of PAN," says Amarpal Chadha, tax partner, people advisory services, EY India.

Experts say that this step has been taken to deal with the problem of duplicate permanent account numbers (PAN) and to control black money. Says Kuldip Kumar, partner and leader-personal tax at PwC India: “Many people have more than one PAN, even though there is a penalty under the Income Tax Act for doing so. The government is linking PAN to Aadhaar to deal with this problem. This step will also help control black money. Whether you invest in stocks, shares, or do any other high-value transaction, over a period of time the tax department will be able to see all this information at the click of a button." Other experts also agree that this step will create an audit trail for various transactions. “Linking of Aadhaar and PAN will throw up any discrepancies in reported transactions and provide a ready database to the revenue authorities for necessary action,” says Vikas Vasal, partner, Grant Thornton India.

Interim problems
This measure is expected to create a slew of problems for people. Many individuals may still not have an Aadhaar card. They should apply for one post-haste. Everyone needs to check if their Aadhaar and PAN details match. If there are discrepancies between the two, get either your Aadhaar or PAN details updated so that you do not face problems at the time of filing returns. Details on how to update the Aadhaar and PAN are available on the web sites of UID and the IT department respectively (see box).

Non-Resident Indians (NRI) and foreign nationals may also need to obtain an Aadhaar number now. Many NRIs have an income (before claiming any deduction) that exceeds the basic exemption limit of Rs 2.5 lakh, and hence file a tax return in India. Foreign nationals who have spent time in India and earned an income also need to file a tax return. Indian residents who have been sent by their companies to work abroad will also have to scramble for the card. "March is about to end and tax returns will have to be filed by the end of July. Persons who have to file a tax return but are abroad will face a challenge getting the Aadhaar card made in time since you have to be physically present in India for this purpose,’’ says Kumar. The government may possibly grant some leeway to such people.

Even though the Supreme Court has said that Aadhaar is not mandatory, there are several instances where the authorities are insisting on it. Those applying for domicile proof and those who want to get their property registered are being asked to provide this number. Some telecom providers also insist on it before giving a connection. Schools are asking for it from students. You need it to appear for competitive exams like IIT JEE. Online providers of financial products insist on Aadhaar since it makes KYC easier. With the government moving strongly towards making Aadhaar compulsory, one can't escape complying with this regulation.

Risks of an Aadhaar-centric system
There are several risks associated with Aadhaar, whose basic purpose is authentication and authorisation. The first problem arises from the fact that it is easily accessible to miscreants. Aadhaar numbers of thousands of people have been uploaded on the Internet. "Since the Aadhaar number has to be given at so many places, it can be misused to pull information about people from the centralised database. In the case of credit and debit cards, we are told not to shares these numbers publicly as the number is the first thing required for carrying out a transaction. That is not the case with Aadhaar. UID's position is that you should treat your Aadhaar number carefully. But the fact is that the Aadhaar number is not used carefully either by consumers or businesses. It is a fairly public number. With Aadhaar too much power is being vested in a number that is quite public,’’ says Udbhav Tiwari, policy officer, Centre for Internet and Society, Bengaluru.

Second, Aadhaar has a centralised database, and all centralised databases are vulnerable to hacking. Third, biometrics are not a very secure form of authentication. "Fingerprints are easy to forge. The UID says that the device (used to check the fingerprint) should not remember the biometrics but should only transfer it to UID which will verify the information. But miscreants could use a device that captures your biometrics," says Tiwari.

Other documents used for identification like PAN and passport are not easy to duplicate because of their security features. PAN, for instance, has a hologram. The power of the passport lies not in the passport number but in the document. Without the passport one cannot travel internationally. But in case of Aadhaar one can go on the Internet and print a new Aadhaar card. “If somebody has managed to capture my fingerprint and has my Aadhaar number, he can use it wherever Aadhaar is required,’’ says Tiwari.

For more details visit https://cis-india.org/internet-governance/news/business-standard-march-27-2017-priya-nair-and-sanjay-kumar-singh-get-an-aadhaar-card-if-you-dont-have-one

Genetic Profiling: Is it all in the DNA?

praskrishna — 2015-09-13T09:47:17Z

A Bill seeks to make genetic profiling mandatory for the fight against crime—and generates a debate about the clash of ethics, freedom, science and data.

The article by Ullekh NP was published in Open Magazine on August 7, 2015. Sunil Abraham gave his inputs.

When British geneticist Sir Alec Jeffreys first developed the DNA profiling test 31 years ago in his laboratory at Leicester University, he didn’t help the police prove a man guilty. His test—back then it took weeks to complete DNA profiling procedures as opposed to a few hours now—proved that a rape suspect in police custody was innocent. Details from the whole exercise also subsequently helped the local police nab the real criminal, who had killed his teenaged rape victim. Later, the police found that he was the one who had committed a similar crime three years earlier in a village nearby. Britain was destined to make great gains in solving crimes thanks to DNA identification, while the rest of the developed world, including the US, caught up later, but only after lagging initially thanks to the relentless—and sometimes ill-founded—opposition from civil liberties activists. In India, the Human DNA Profiling Bill, 2015, a proposed law that envisages collecting DNA finger prints—which are unique to an individual—especially of criminals, has been in the making for the past 12 years. The draft bill, which will shortly be placed before the Union Cabinet for its nod, has been prepared by the Department of Biotechnology and the Centre for DNA Fingerprinting & Diagnostics (CDFD), a Hyderabad-based Central Government-run agency, after examining and reviewing submissions by a panel of experts, holding consultations with various stakeholders and getting responses from the public. Notwithstanding the claims of safeguards against any misuse of the intended DNA data base, activists, lawyers, internet freedom fighters, civil liberty activists and columnists have been up in arms against the Government, arguing that the DNA profiling bill is ill- conceived and naïve—to the extent that it would destroy an individual’s right to privacy as it lacks provisions to check data tampering.

The international experience has proved otherwise. Ever since Sir Jeffreys extracted DNA from human muscle tissue, identified and processed genetic markers (which are unique to individuals except in the case of identical twins) from what was until then considered ‘seemingly purposeless segments of the human DNA’ in the words of writers Peter Reinharz and Howard Safir, more than 500,000 ‘otherwise unsolvable’ cases have been solved in the developed world thanks to the DNA identification, note CDFD scientists. DNA is the hereditary material in the human body. It is found in blood, saliva, urine, strands of hair, semen, tears, skin, etcetera.

Dr Madhusudan Reddy Nandineni, staff scientist and group leader, laboratory of DNA fingerprinting services and laboratory of genomics and profiling applications, CDFD, is worried that opposition to the Bill is gaining momentum in India due to a raft of reasons. Of course, the West, too, has witnessed sharp protests against DNA profiling laws. One of the key reasons anti-profiling activists have an edge, says a senior Home Ministry official who asks not to be named, is that there is a “general public anxiety” over “anything to do with disclosing personal details”. He agrees that the tests are going to be intrusive, because muscle tissue may have to be collected from private parts. The procedure of DNA sample collection—as explained in the draft Bill submitted in January by a committee headed by TS Rao, senior adviser to the department of biotechnology—talks about obtaining intimate body samples of living persons (on page 6-7 of the 48- page document) from ‘the genital or anal area, the buttocks and also breasts in the case of a female’. According to the draft Bill, it also involves external examination of private parts, taking samples from pubic hair or by swabs or washing or by vacuum suction, by scraping or by lifting by tape and taking of a photograph or video recording of, or an impression or cast of a wound in those areas. “But then, it is par for the course,” says the Home Ministry official by way of justification.

American military historian and author Edward Luttwak agrees that DNA profiling is a significant intrusion into the “very body of a citizen”. That is the price one has to pay in the choice between liberty and equality before investigation, he posits. Luttwak is glad that in the US, as well as in other countries that have such profiling laws, DNA identification has yielded results. “It protects suspicious/ low status but innocent people from false accusations and helps to catch clever/high-status law-breakers,” he says.

+++

For his part, Dr Nandineni says that every aspect of the Human DNA Profiling Bill for India is based on similar legislation that has already been implemented in the US, Canada, UK, Australia and Continental Europe for more than 20 years. He also contends that the benefits that have accrued there are enormous, which India has missed out on for all these years. “In all these countries, the concerns of the general public on privacy matters have been allayed in their legislation,” he adds. He points out that the retention of DNA profiles in a ‘DNA Data Bank’ is meant to apprehend repeat offenders and thus serve a larger societal good. As regards privacy concerns, Dr Nandineni says that consultations on the preparations of the Bill lasted for 2-3 years and took into account the views of an expert committee whose members included representatives of NGOs.

Dr Nandineni is of the view that the opponents of the Bill have managed to get an upper hand in a national debate thanks to their media-savvy backgrounds. Agrees the Home Ministry official: “Perhaps the drafters of the Bill have not been communicative enough in getting their points across to the public and the media. Which might explain why the Bill has come under tremendous attack in the media. Even otherwise, global trends also show that civil liberty rights activists have had great initial advantage in their campaign against DNA profiling.” After all, the potential for misuse of DNA samples is not restricted to biological material collected under the provisions of the DNA Bill alone, Nandineni offers. “Any and every blood sample collected by a clinical laboratory has the same potential for misuse,” he says.

While Dr J Gowrishankar, director, CDFD, has been vocal about the positives of the Bill, its opponents have been louder. Many of those who oppose the Bill say the question is not one of being loud or feeble, but about being naïve or not.

The likes of Sunil Abraham, executive director of Bangalore-based internet research organisation Centre for Internet and Society (CIS), have no argument against DNA profiling being the gold standard for all forensic investigations. “There is nothing wrong with using DNA evidence for forensic purposes,” says Abraham, “However, the draft Bill is filled with techno-utopianism; it assumes that the people and machines that leverage DNA technologies are infallible.” He goes on, “This is not true. It is easier to tamper with DNA evidence than it is to tamper with a video recording. Therefore, all we are asking for are process checks that prevent compromised persons and machines from using DNA evidence to convict or exonerate the wrong person.” His contention is that if the DNA sample is sent to two different labs and both labs come back with exactly the same result, then the courts can be convinced of the veracity of the result. “Also the Bill says that DNA labs will give courts ‘yes’ or ‘no’ answers to questions related to DNA matching. But ideally, the lab must give the exact match percentage along with all the detailed information that emerges from the match process so that the court can fully appreciate the significance of the DNA evidence,” he suggests.

Abraham and legal scholar Usha Ramanathan—both members of the expert panel who filed notes of dissent and disagreed with various aspects of the Bill—have a problem with the claim that the proposed DNA data bank will cover only criminals and not the general public. Points out Ramanathan: “The Bill does not restrict the data base to criminals alone, not by a long shot. The provision in the proposed Bill reads: ‘(Clause 31(4)) Every DNA Data Bank shall maintain following indices for various categories of data, namely: (a) a crime scene index; (b) a suspects’ index; (c) an offenders’ index; (d) a missing persons’ index; (e) unknown deceased persons’ index; (f) a volunteers’ index; and (g) such other DNA indices as may be specified by regulations.’ That is an elaborate set of indices. There is certainly a lot of the ‘general public’ in it.”

Supporters of the DNA Profiling Bill have maintained that a DNA data bank is not for the public but only for a limited category of individuals. The proposed law also provides for storing profiles with the consent of relatives of missing children and grownups so that relationship identities can be established.

Ramanathan is also worried that apart from purposes of criminal justice, DNA profiling may be extended to parental disputes (maternity or paternity), issues related to pedigree, those related to assisted reproductive technologies (surrogacy, in vitro fertilisation or IVF, intrauterine implantation or IUI, and so on), to transplantation of human organs (donor and recipient) under the Transplantation of Human Organs Act, 1994, and also related to immigration or emigration. She had objected to the requirement of revealing a person’s caste in the application form for offering blood samples. “This Bill is certainly not a convict data base. The ambitions are much much vaster, and little to do with crime control,” she alleges.

Abraham agrees that some safeguards have been built in the proposed law to prevent any misuse of DNA data under pressure from expert panel members such as him. However, he says, cyber security and privacy-related issues are not addressed in a comprehensive manner. “The Bill basically hopes that the Privacy Bill will address all of this when it becomes law. But unfortunately, a bill could take 7-10 years before it becomes law,” he says.

Dr Gowrishankar of CDFD and others have conceded that it was the decision of the expert panel to include an enabling provision for the privacy issues of DNA profiling to comply with the proposed Privacy Bill.

Abraham says that various measures to prevent ‘privacy harms’ to volunteers are missing in the latest draft of the Bill. “Given that biometric technology works on probabilistic matching, the larger the size of the database, the larger the incidence of mistaken identification. Therefore it is important that the database remain as small as necessary,” he asserts.

+++

The estimated cost of the Bill is Rs 20 crore—to create the infrastructure for the DNA Profiling Board and the data bank, which includes buildings, furniture, computer servers and so on. Among other things, the DNA Profiling Board is tasked with the responsibility of laying down and implementing standards for laboratories and proper protocols for ‘Data Bank’ operations.

CDFD scientists and government officials are keen to highlight the ‘under- hyped’ benefits of DNA profiling –similar to the Innocence Project in the US, which was aimed at securing the release of people who were erroneously convicted on the basis of other lines of evidence. Abraham has no patience for such comparisons. “DNA profiling for forensic purposes is very advanced and sophisticated, but technologies do not exist in a vacuum,” he says, “These advanced technologies have to work within traditional institutions with vulnerabilities and flaws. We need to, therefore, have non-technological procedural fixes that ensure that these technologies are not compromised by money and power. The choice is between the right to privacy and the rights and requirements of the criminal justice process.”

Ramanathan agrees with that view. “In the Indian context, the state of investigation is so poor that we have been looking for ways of circumventing our problems, not addressing them. That is how narco-analysis began to be used, till the court struck it down. DNA may be more reliable than most other scientific tools available to us today, but it is not all about the science. We also have to worry about contamination, what happens in the chain of custody, its potential for being planted or otherwise abused, and the errors even in the laboratory. You may remember the avowed mix-up of results in the Aarushi [Talwar murder] case, something the lab said they noticed over two years after they had given it to the investigators. The danger of treating DNA as conclusive and not needing corroboration is exacerbated in this kind of a vulnerable system. Which is why bringing this into a DNA data base law and not putting any checks on criminal procedure is less than wise,” she elaborates. She is least impressed with the ‘idea’ of ‘pedigree’ and of ‘population genetics’ in the Bill. “Institutions like the CDFD have been collecting DNA from suspects and asking for the caste of the person on the form. How does this seem innocent and safeguarded?” she asks.

Meanwhile, columnist and author Salil Tripathi says that it is sheer hubris to think that technology will provide all the answers to crime-fighting. “Tech- nology is enormously useful and powerful, but it is value-neutral; it can be used for good or bad ends… There have to be sufficient safeguards, overseen not only by technologists, law enforcement officers and bureaucrats, but also by lawyers and civil liberties experts, who can point out potential flaws and misuse and prevent those.”

Tripathi, too, is piqued that one of the markers sought is of caste. “Why?” he asks, emphatic that the country’s people should be concerned about allowing the state so much power over their lives. “And it may not be only the state; given that the scope of its future expansion is undefined, what guarantees are there that private actors won’t have access to the data, and if so, what security protocols would apply?”

Dr Gowrishankar and Dr Nandineni are right in saying that without DNA fingerprinting, many international criminals would still be at liberty, and the opponents of the Bill do not disagree with the efficacy of the technique developed by Sir Jeffreys. Instead, they are placing the spotlight on various objectionable aspects in the proposed law. In a country which first needs—according to former RAW chief Vikram Sood—to ensure access to Photofit (a technique to create an accurate image of a person that gels with a witness’ description) for its ground-level police operatives to combat crime, critics of the Bill seem to have won the war of words.

For more details visit https://cis-india.org/internet-governance/news/open-magazine-august-7-2015-ullekh-np-genetic-profiling

Gender and Privacy: Countering the Patriarchal Gaze

Admin — 2018-09-19T01:48:07Z

Ambika Tandon participated in a workshop on privacy and gender which was organized by Privacy International in United Kingdom on September 13 and 14, 2018. Ambika was part of a panel on reproductive rights and privacy in India. She also recorded a podcast on the same topic, as part of a series on privacy and gender being hosted by Privacy International.

Read the Agenda here

For more details visit https://cis-india.org/internet-governance/news/gender-and-privacy-countering-the-patriarchal-gaze

GDPR and India: A Comparative Analysis

Aditi Chaturvedi — 2017-11-28T15:17:39Z

At present, companies world over are in the process of assessing the impact that EU General Data Protection Regulations (“GDPR”) will have on their businesses.

The post is written by Aditi Chaturvedi and edited by Amber Sinha

High administrative fines in case of non-compliance with GDPR provisions are a driving force behind these concerns as they can lead to loss of business for various countries such as India.

To a large extent, future of business will depend on how well India responds to the changing regulatory changes unfolding globally. India will have to assess her preparedness and make convincing changes to retain the status as a dependable processing destination. This document gives a brief overview of data protection provisions of the Information Technology Act, 2000 followed by a comparative analysis of the key provisions of GDPR and Information Technology Act and the Rules notified under it.

Download the full blog post

For more details visit https://cis-india.org/internet-governance/blog/gdpr-and-india-a-comparative-analysis

Future of Privacy in India

praskrishna — 2013-03-26T05:14:45Z

DSCI and ICOMP are organizing a meet on Privacy at the Oberoi Hotel in New Delhi on April 5, 2013. Sunil Abraham will be participating in this event as a speaker.

In recent years, there has been an increasing deployment of ICT in the collection of personal information by both private sector and state agencies. Data is a reason for empowerment for both commercial and public purposes. The prolific use of the Internet for search, social networking cloud computing and e-commerce transactions places increasing amounts of personal information and Internet history in hands of dominant private sector players. Data is undeniably the capital of the Internet. While technology has evolved to be able to collect, store and mine increasing amounts of data for improved public services or for commercial purposes, there are understandable concerns over the lack of accountability for the purposes and limits of the use of personal data. These concerns demand an appropriate regulatory framework for Privacy.

As an important step toward formulating the privacy bill, an Expert Group headed by Justice A P Shah provides inputs based on a study of the international landscape of privacy laws, along with the predominant privacy concerns ensuing from technological advancements. The Committee’s report, submitted in Oct 2012 has recommended Nine Principles as the cornerstone for privacy legislation. While the Privacy Act is under development, DSCI and iCOMP are organizing a meet focusing on the following areas:

Outline an appropriate Indian context for privacy: the nine principles
Presentation of the state of play on privacy in key markets (practices, Issues, regulatory interventions)
Analyse the scope and implications of data collection by public agencies in India.
Analyse privacy challenges and risks related to commercial use of data collected on the Internet by private players
Consider how India can address these challenges and enshrine privacy principles in legislation

Key Speakers

Dr. Gulshan Rai, DG, CERT-In*

Mr. Simon Davis, London School of Economics

Mr. Manoj Joshi, JS, DOPT*

Mr. Kanta Roy, CEO, NeGD*

Dr. Kamlesh Bajaj, CEO, DSCI

Mr. Sunil Abraham, ED, CIS

* To be confirmed

Event Flow

Opening Remark by Mr. S V Divvaakar, Executive Director, ICOMP
Framework for Privacy Regulation in India, By Dr. Kamlesh Bajaj, CEO, DSCI
Keynote Address
‘Privacy :The International state of play’, by Mr. Simon Davis, London School of Economics
Panel Discussion 1: Context of Privacy in India
Panel Discussion 2: Business responsibility in the age of ‘data driven’ transformations

Date: April 5, 2013
Time: 9.00 a.m. to 1.00 p.m.
Venue: Oberoi Hotel, Nilgiri Room, New Delhi

For more details visit https://cis-india.org/news/future-of-privacy-in-india-on-april-5-2013-at-oberoi-hotel-new-delhi

Fundamental Right to Privacy — Three Years of the Puttaswamy Judgment

pranav — 2020-08-24T07:46:10Z

Today marks three years since the Supreme Court of India recognised the fundamental right to privacy, but the ideals laid down in the Puttaswamy Judgment are far from being completely realized. Through our research, we invite you to better understand the judgment and its implications, and take stock of recent issues pertaining to privacy.

Amber Sinha dissects the Puttaswamy Judgment through an analysis of the sources, scope and structure of the right, and its possible limitations. [link]

Through a visual guide to the fundamental right to privacy, Amber Sinha and Pooja Saxena trace how courts in India have viewed the right to privacy since Independence, explain how key legal questions were resolved in the Puttaswamy Judgement, and provide an account of the four dimensions of privacy — space, body, information and choice — recognized by the Supreme Court. [link]

Based on publicly available submissions, press statements, and other media reports, Arindrajit Basu and Amber Sinha track the political evolution of the data protection ecosystem in India, on EPW Engage. They discuss how this has, and will continue to impact legislative and policy developments. [link]

For the AI Policy Exchange, Arindrajit Basu and Siddharth Sonkar examine the Automated Facial Recognition Systems (AFRS), and define the key legal and policy questions related to privacy concerns around the adoption of AFRS by governments around the world. [link]

Over the past decade, reproductive health programmes in India have been digitising extensive data about pregnant women. In partnership with Privacy International, we studied the Mother and Child Tracking system (MCTS), and Ambika Tandon presents the impact on the privacy of mothers and children in the country. [link]

While the right to privacy can be used to protect oneself from state surveillance, Mira Swaminathan and Shubhika Saluja write about the equally crucial problem of lateral surveillance — surveillance that happens between individuals, and within neighbourhoods, and communities — with a focus on this issue during the COVID-19 crisis. [link]

Finally, take a dive into the archives of the Centre for Internet and Society to read our work, which was cited in the Puttaswamy judgment — essays by Ashna Ashesh, Vidushi Marda and Bhairav Acharya that displaced the notion that privacy is inherently a Western concept, by attempting to locate the constructs of privacy in Classical Hindu [link], and Islamic Laws [link]; and Acharya’s article in the Economic and Political Weekly, which highlighted the need for privacy jurisprudence to reflect theoretical clarity, and be sensitive to unique Indian contexts [link].

For more details visit https://cis-india.org/internet-governance/blog/fundamental-right-to-privacy-three-years-of-the-puttaswamy-judgment

From 1 March, only registered devices to be used to authenticate Aadhaar

Admin — 2018-02-24T07:59:39Z

UIDAI directive to Aadhaar authentication agencies aims to avoid putting citizens’ biometric data at risk

The article by Komal Gupta was published in Livemint on February 8, 2018.

The Unique Identification Authority of India (UIDAI) has directed all Aadhaar authentication agencies to use only registered biometric devices from 1 March to avoid putting residents’ data at risk.

The initial deadline to upgrade these devices was 1 June 2017, but it has been extended several times. The latest is the sixth extension.

The UIDAI wants the biometric devices registered with the Aadhaar system for encryption key management. The Aadhaar authentication server can individually identify and validate these devices and manage encryption keys on each registered device.

“It is reiterated that to ensure encryption of biometrics of residents at time of capture, it is absolutely essential to use only the registered devices. Any further use of non-registered devices will be putting residents’ privacy at risk,” a UIDAI circular dated 2 February said.

In January last year, UIDAI had instructed all the authentication user agencies (AUAs) and authentication service agencies (ASAs) to adhere to its new encryption standards and accordingly upgrade the devices to the new norms.

The AUA is an entity engaged in providing Aadhaar-enabled services. It may be a government, public or a private legal agency registered in India which uses Aadhaar authentication services provided by UIDAI.

The ASA is any entity that transmits authentication requests to the Central Identities Data Repository (CIDR) on behalf of one or more AUAs.

Requests from AUAs to extend the timeline has been cited as the reason for delay by UIDAI. The last deadline was 31 January.

Still, UIDAI claims most of the entities have migrated to registered devices and “no further extension will be given in this regard.” Failure to meet the February-end deadline will lead to loss or disruption of services, the circular added.

A privacy expert called for better security in the Aadhaar system.

“The UIDAI should have gone in for smart cards, which are inherently more secure and would have proven a better basis for a national ID system. Given its choice of biometrics, UIDAI should have required hardware-level encryption — the yet-to-be-specified (Level 1) security standard— from 2010,” said Pranesh Prakash, policy director at think tank Centre for Internet and Society.

“Making the much-delayed Level 1 mandatory is what UIDAI should be focusing on; sadly, even basic registration and easily-defeated software-level encryption (Level 0) is yet to be made mandatory,” he said.

UIDAI has been under the scanner over the past few months over charges that random entities have been accessing personal information without the consent of individual Aadhaar number holders.

Last month, UIDAI put in place a two-layer security to reinforce privacy protections for Aadhaar holders—it introduced a virtual identification so that the actual number need not be shared to authenticate their identity. Simultaneously, it further regulated the storage of the Aadhaar numbers within various databases.
There are more than 1.2 billion Aadhaar holders in the country.

For more details visit https://cis-india.org/internet-governance/news/livemint-komal-gupta-february-8-2018-from-march-1-only-registered-devices-to-be-used-to-authenticate-aadhaar

Freedom from Monitoring: India Inc Should Push For Privacy Laws

sunil — 2013-08-21T07:04:48Z

More surveillance than absolutely necessary actually undermines the security objective.

This article by Sunil Abraham was published in Forbes India Magazine on August 21, 2013.

I think I understand why the average Indian IT entrepreneur or enterprise does not have a position on blanket surveillance. This is because the average Indian IT enterprise’s business model depends on labour arbitrage, not intellectual property. And therefore they have no worries about proprietary code or unfiled patent applications being stolen by competitors via rogue government officials within projects such as NATGRID, UID and, now, the CMS.

A sub-section of industry, especially the technology industry, will always root for blanket surveillance measures. The surveillance industry has many different players, ranging from those selling biometric and CCTV hardware to those providing solutions for big data analytics and legal interception systems. There are also more controversial players who provide spyware, especially those in the market for zero-day exploits. The cheerleaders for the surveillance industry are techno-determinists who believe you can solve any problem by throwing enough of the latest and most expensive technology at it.

What is surprising, though, is that other indigenous or foreign enterprises that depend on secrecy and confidentiality—in sectors such a banking, finance, health, law, ecommerce, media, consulting and communications—also don’t seem to have a public position on the growing surveillance ambitions of ‘democracies’ such as India and the United States of America. (Perhaps the only exceptions are a few multinational internet and software companies that have made some show of resistance and disagreement with the blanket surveillance paradigm.)

Is it because these businesses are patriotic? Do they believe that secrecy, confidentiality and, most importantly, privacy, must be sacrificed for national security? If that were true then it would not be a particularly wise thing to do, as privacy is the precondition for security. Ann Cavoukian, privacy commissioner of Ontario, calls it a false dichotomy. Bruce Schneier, security technologist and writer, calls it a false zero sum game; he goes on to say, “There is no security without privacy. And liberty requires both security and privacy.”

The reason why the secret recipe of Coca Cola is still secret after over 120 years is the same as the reason why a captured soldier cannot spill the beans on the overall war strategy. Corporations, like militaries, have layers and layers of privacy and secrecy. The ‘need to know’ principle resists all centralising tendencies, such as blanket surveillance. It’s important to note that targeted surveillance to identify a traitor or spy within the military, or someone engaged in espionage within a corporation, is pretty much an essential. However, any more surveillance than absolutely necessary actually undermines the security objective. To summarise, privacy is a pre-condition to the security of the individual, the enterprise, the military and the nation state.

Most people complaining online about projects like the Central Monitoring System seem to think that India has no privacy laws. This is completely untrue: We have around 50 different laws, rules and regulations that aim to uphold privacy and confidentiality in various domains. Unfortunately, most of those policies are very dated and do not sufficiently take into account the challenges of contemporary information societies. These policy documents need to be updated and harmonised through the enactment of a new horizontal privacy law. A small minority will say that Section 43(A) of the Information Technology Act is the India privacy law. That is not completely untrue, but is a gross exaggeration. Section 43(A) is really only a data security provision and, at that, it does not even comprehensively address data protection, which is only a sub-set of the overall privacy regulation required in a nation.

What would an ideal privacy law for India look like? For one, it would protect the rights of all persons, regardless of whether they are citizens or residents. Two, it would define privacy principles. Three, it would establish the office of an independent and autonomous privacy commissioner, who would be sufficiently empowered to investigate and take action against both government and private entities. Four, it would define civil and criminal offences, remedies and penalties. And five, it would have an overriding effect on previous legislation that does not comply with all the privacy principles.

The Justice AP Shah Committee report, released in October 2012, defined the Indian privacy principles as notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness and accountability. The report also lists the exemptions and limitations, so that privacy protections do not have a chilling effect on the freedom of expression and transparency enabled by the Right to Information Act.

The Department of Personnel and Training has been working on a privacy bill for the last three years. Two versions of the bill had leaked before the Justice AP Shah Committee was formed. The next version of the bill, hopefully implementing the recommendations of the Justice AP Shah Committee report, is expected in the near future. In a multi-stakeholder-based parallel process, the Centre for Internet and Society (where I work), along with FICCI and DSCI, is holding seven round tables on a civil society draft of the privacy bill and the industry-led efforts on co-regulation.

The Indian ITES, KPO and BPO sector should be particularly pleased with this development. As should any other Indian enterprise that holds personal information of EU and US nationals. This is because the EU, after the enactment of the law, will consider data protection in India adequate as per the requirements of its Data Protection Directive. This would mean that these enterprises would not have to spend twice the time and resources ensuring compliance with two different regulatory regimes.

Is the lack of enthusiasm for privacy in the Indian private sector symptomatic of Indian societal values? Can we blame it on cultural relativism, best exemplified by what Simon Davies calls “the Indian Train Syndrome, in which total strangers will disclose their lives on a train to complete strangers”? But surely, when email addresses are exchanged at the end of that conversation, they are not accompanied by passwords. Privacy is perhaps differently configured in Indian societies but it is definitely not dead. Fortunately for us, calls to protect this important human right are growing every day.

For more details visit https://cis-india.org/internet-governance/blog/forbesindia-article-august-21-2013-sunil-abraham-freedom-from-monitoring

Free Speech and Surveillance

Gautam Bhatia — 2014-07-07T04:59:59Z

Gautam Bhatia examines the constitutionality of surveillance by the Indian state.

The Indian surveillance regime has been the subject of discussion for quite some time now. Its nature and scope is controversial. The Central Monitoring System, through which the government can obtain direct access to call records, appears to have the potential to be used for bulk surveillance, although official claims emphasise that it will only be implemented in a targeted manner. The Netra system, on the other hand, is certainly about dragnet collection, since it detects the communication, via electronic media, of certain “keywords” (such as “attack”, “bomb”, “blast” and “kill”), no matter what context they are used in, and no matter who is using them.

Surveillance is quintessentially thought to raise concerns about privacy. Over a series of decisions, the Indian Supreme Court has read in the right to privacy into Article 21’s guarantee of the right to life and personal liberty. Under the Supreme Court’s (somewhat cloudy) precedents, privacy may only be infringed if there is a compelling State interest, and if the restrictive law is narrowly tailored – that is, it does not infringe upon rights to an extent greater than it needs to, in order to fulfill its goal. It is questionable whether bulk surveillance meets these standards.

Surveillance, however, does not only involve privacy rights. It also implicated Article 19 – in particular, the Article 19(1)(a) guarantee of the freedom of expression, and the 19(1)(c) guarantee of the freedom of association.

Previously on this blog, we have discussed the “chilling effect” in relation to free speech. The chilling effect evolved in the context of defamation cases, where a combination of exacting standards of proof, and prohibitive damages, contributed to create a culture of self-censorship, where people would refrain from voicing even legitimate criticism for fear of ruinous defamation lawsuits. The chilling effect, however, is not restricted merely to defamation, but arises in free speech cases more generally, where vague and over-broad statutes often leave the border of the permitted and the prohibited unclear.

Indeed, a few years before it decided New York Times v. Sullivan, which brought in the chilling effect doctrine into defamation and free speech law, the American Supreme Court applies a very similar principle in a surveillance case. In NAACP v. Alabama, the National Association for the Advancement of Coloured People (NAACP), which was heavily engaged in the civil rights movement in the American deep South, was ordered by the State of Alabama to disclose its membership list. NAACP challenged this, and the Court held in its favour. It specifically connected freedom of speech, freedom of association, and the impact of surveillance upon both:

“Effective advocacy of both public and private points of view, particularly controversial ones, is undeniably enhanced by group association, as this Court has more than once recognized by remarking upon the close nexus between the freedoms of speech and assembly. It is beyond debate that freedom to engage in association for the advancement of beliefs and ideas is an inseparable aspect of the “liberty” assured by the Due Process Clause of the Fourteenth Amendment, which embraces freedom of speech. Of course, it is immaterial whether the beliefs sought to be advanced by association pertain to political, economic, religious or cultural matters, and state action which may have the effect of curtailing the freedom to associate is subject to the closest scrutiny… it is hardly a novel perception that compelled disclosure of affiliation with groups engaged in advocacy may constitute [an] effective a restraint on freedom of association… this Court has recognized the vital relationship between freedom to associate and privacy in one’s associations. Inviolability of privacy in group association may in many circumstances be indispensable to preservation of freedom of association, particularly where a group espouses dissident beliefs.”

In other words, if persons are not assured of privacy in their association with each other, they will tend to self-censor both who they associate with, and what they say to each other, especially when unpopular groups, who have been historically subject to governmental or social persecution, are involved. Indeed, this was precisely the argument that the American Civil Liberties Union (ACLU) made in its constitutional challenge to PRISM, the American bulk surveillance program. In addition to advancing a Fourth Amendment argument from privacy, the ACLU also made a First Amendment freedom of speech and association claim, arguing that the knowledge of bulk surveillance had made – or at least, was likely to have made – politically unpopular groups wary of contacting it for professional purposes (the difficulty, of course, is that any chilling effect argument effectively requires proving a negative).

If this argument holds, then it is clear that Articles 19(1)(a) and 19(1)(c) are prima facie infringed in cases of bulk – or even other forms of – surveillance. Two conclusions follow: first, that any surveillance regime needs statutory backing. Under Article 19(2), reasonable restrictions upon fundamental rights can only be imposed by law, and not be executive fiat (the same argument applies to Article 21 as well).

Assuming that a statutory framework is brought into force, the crucial issue then becomes whether the restriction is a reasonable one, in service of one of the stated 19(2) interests. The relevant part of Article 19(2) permits reasonable restrictions upon the freedom of speech and expression “in the interests of… the security of the State [and] public order.” The Constitution does not, however, provide a test for determining when a restriction can be legitimately justified as being “in the interests of” the security of the State, and of public order. There is not much relevant precedent with respect to the first sub-clause, but there happens to be an extensive – although conflicted – jurisprudence dealing with the public order exception.

One line of cases – characterised by Ramji Lal Modi v. State of UP and Virendra v. State of Punjab – has held that the phrase “for the interests of” is of very wide ambit, and that the government has virtually limitless scope to make laws ostensibly for securing public order (this extends to prior restraint as well, something that Blackstone, writing in the 18^th century, found to be illegal!). The other line of cases, such as Superintendent v. Ram Manohar Lohia and S. Rangarajan v. P. Jagjivan Ram, have required the government to satisfy a stringent burden of proof. In Lohia, for instance, Ram Manohar Lohia’s conviction for encouraging people to break a tax law was reversed, the Court holding that the relationship between restricting free speech and a public order justification must be “proximate”. In Rangarajan, the Court used the euphemistic image of a “spark in a powder keg”, to characterise the degree of proximity required. It is evident that under the broad test of Ramji Lal Modi, a bulk surveillance system is likely to be upheld, whereas under the narrow test of Lohia, it is almost certain not to be.

Thus, if the constitutionality of surveillance comes to Court, three issues will need to be decided: first, whether Articles 19(1)(a) and 19(1)(c) have been violated. Secondly – and if so – whether the “security of the State” exception is subject to the same standards as the “public order” exception (there is no reason why it should not be). And thirdly, which of the two lines of precedent represent the correct understanding of Article 19(2)?

Gautam Bhatia — @gautambhatia88 on Twitter — is a graduate of the National Law School of India University (2011), and has just received an LLM from the Yale Law School. He blogs about the Indian Constitution at http://indconlawphil.wordpress.com. Here at CIS, he blogs on issues of online freedom of speech and expression.

For more details visit https://cis-india.org/internet-governance/blog/free-speech-and-surveillance

Free Net advocates flay Trai's public Wi-Fi paper

praskrishna — 2016-11-20T03:21:41Z

Stakeholders vouching for a cheap and open Internet have flagged concerns over privacy and regulatory hurdles.

The article by Anita Babu was published in the Business Standard on November 20, 2016. Pranesh Prakash was quoted.

With the Telecom Regulatory Authority of India releasing its consultation paper on public Wi-Fi this week, stakeholders vouching for a cheap and open Internet have flagged concerns over privacy and regulatory hurdles.

The Internet Freedom Foundation has pointed out that the proposed regulations might lead to invasion of privacy and interfere with the freedom of hotspot providers to operate freely.

“While we welcome Trai’s vision that increasing the number of public Wi-Fi hotspots could be the way to bringing the majority of Indians online, the proposals turn out to be regressive and poorly thought out,” said Aravind Ravi Sulekha, co-founder of the Internet Freedom Foundation.

The regulator in its consultation paper issued earlier this week proposed hotspot providers would have to register with the government and users could access hotspots only after paying using a service tied to their Aadhaar number. It wants to utilise Aadhaar, electronic-Know Your Customer (e-KYC) and the Unified Payment Interface (UPI) to build a standard authentication mechanism for access to public Wi-Fi in India. While the aim of Trai is to increase the number of Wi-Fi hotspots in India, proponents of free Internet fear these proposed rules might have a contrary effect.

Hotspot providers will have to incur costs on account of hardware installations for one-time password verification in addition to the costs of sending out the passwords. This might discourage entrepreneurs.

“This system of verification makes it harder for entrepreneurs to set up hotspots and for people to access them. It is impossible for broadband to proliferate in any significant way if Trai insists on applying ineffective and cumbersome regulations on those who wish to set up their own hotspots,” Internet Freedom Foundation said in its comments to Trai’s consultation paper.

The proposals have excluded individuals who do not have an Aadhaar account from accessing public Wi-Fi. “This not only brings concerns of costs and exclusion but also privacy, given the constitutionality of the Aadhaar project, and its government-mandated use, is pending adjudication in the Supreme Court,” the foundation pointed out.

The proposals also come at the cost of anonymity. The foundation, cofounded by the crusaders of last year’s SaveTheInternet campaign, trashed the argument that imposing eKYC norms would help in countering terrorism and other crimes. “This prohibition on anonymous communication is a violation of Indians’ freedom of expression… making a call at a PCO, sending a telegram and posting a letter have always been possible without showing ID — even though criminals and terrorists occasionally abused these services… KYC measures are ineffective in preventing crime and terrorism, as tools like VPNs, TOR, and proxies can easily mask the identity of an Internet user,” it stated.

“The solution proposed by Trai is a classic example of centralism and over-regulation. It turns out that Trai is unclear about the problem to be solved,” said Pranesh Prakash, policy director at the Centre for Internet and Society. He added that the new proposals had also failed to address the limitations on foreigners or tourists in India.

Current regulations prevent foreigners without a local mobile number from accessing public Wi-Fi connections. While Trai had identified the problem, it failed to come up with a plausible solution.

For more details visit https://cis-india.org/internet-governance/news/business-standard-november-20-2016-anita-babu-free-net-advocates-flay-trais-public-wifi-paper

Fourth Meeting of the two Sub-Groups on Privacy Issues under the Chairmanship of Justice AP Shah

praskrishna — 2012-08-07T10:12:41Z

The next meeting of the two Sub-Groups (4th meeting) on privacy issues under the Chairmanship of Justice A.P. Shah, former Chief Justice of Delhi High Court is scheduled to be held on July 9, 2012 at 11.00 a.m. in Committee Room No. 228, Yojana Bhawan, Planning Commission, New Delhi.

Members of both the Sub-Groups are requested to send their final drafts as decided in the meeting held on June 27, 2012, by July 4, 2012 so that these could be circulated for obtaining feedback and for discussions/deliberations on July 9, 2012.

The above information was communicated by Shri S. Bose, Under Secretary, (CIT & I) to the following individuals:

Justice A.P. Shah, Chairman
Dr. Kamlesh Bajaj
Ms. Usha Ramanathan
Shri Sunil Abraham/Shri Pranesh Prakash
Prashant Reddy
Prof. Arghya Sengupta (requested to join the meeting on skype. Exact time for coming online will be communicated separately)
Shri Som Mittal
Shri Gulshan Rai
Ms. Mala Dutt

A copy of this information was sent to the following individuals:

Dr. C.M. Kumar, Sr, Adviser (CIT&I)

Shri R.K. Gupta, Adviser (CIT&I)

Shri Ramesh Kumar, Director (CIT&I)

For more details visit https://cis-india.org/news/fourth-meeting-of-sub-groups-on-privacy-issues

Fourth Discussion Meeting of the Expert Committee to Discuss the Draft Human DNA Profiling Bill

praskrishna — 2014-12-08T16:07:24Z

The fourth expert committee meeting was held on November 10, 2014 at the Department of Biotechnology to discuss the potential privacy concerns of the draft Human DNA Profiling Bill. Sunil Abraham however was unable to participate because of technical problems.

Agenda

Welcome and opening remarks by the Secretary, DBT
Remarks by the Chairman - Dr. T.S. Rao, Senior Adviser, DBT
A brief overview on deliberations and decisions of Hon’ble Supreme Court - Dr. Alka Sharma, Director, DBT
Discussion and finalization of the Bill by the members
Recommendations of the Expert Committee
Any other item with the permission of the Chairman.

Resources

Click here (Zip file, 2698 Kb) to download the following resources from earlier meetings:

Record note of discussions of the Expert Committee Meeting held on January 31, 2013 at DBT, New Delhi, to discuss the potential privacy concerns on draft Human DNA Profiling Bill.
Annexure 1 to Record note: Draft Human DNA Profiling Bill 2012: The Privacy Issues and Concerns
Annexure 2 to Record note: Short background note on the draft Human DNA Profiling Bill
Record note of the 2nd discussion meeting of the Expert Committee held on May 13, 2013 in DBT to discuss the draft Human DNA Profiling Bill
Minutes of the 3rd meeting of the Expert Committee held on November 25, 2013 in DBT to discuss the draft Human DNA Profiling Bill
Record note of the discussions of the Experts Sub-committee Meeting on Human DNA Profiling Bill held on September 3, 2013 at CPFD, Hyderabad
Affidavit on behalf of DBT
Human Draft DNA Profiling Bill 2012 (Working Draft Version, April 29, 2012)

For more details visit https://cis-india.org/internet-governance/news/fourth-discussion-meeting-of-expert-committee-to-discuss-draft-human-dna-profiling-bill