Centre for Internet and Society

CIS Statement on Right to Privacy Judgment

amber — 2017-08-31T18:13:14Z

In an emphatic endorsement of the right to privacy, a nine judge constitutional bench unanimously upheld a fundamental right to privacy. The events leading to this bench began during the hearings in the ongoing Aadhaar case, when in August 2015, Mukul Rohatgi, the then Attorney General stated that there is no constitutionally guaranteed right to privacy.

reliance was on two Supreme Court judgments in MP Sharma v Satish Chandra (1954) and Kharak Singh v State of Uttar Pradesh (1962): both cases, decided by eight- and six-judge benches respectively, denied the existence of a constitutional right to privacy. As the subsequent judgments which upheld the right to privacy were by smaller benches, he claimed that MP Sharma and Kharak Singh still prevailed over them, until they were overruled by a larger bench. This landmark judgment was in response to a referral order to clear the confusion over the status of privacy as a right.

We, at the Centre for Internet and Society (CIS) welcome this judgement and applaud the depth and scope of the Supreme Court’s reasoning. CIS has been producing research on the different aspects of the right to privacy and its implications for the last seven years and had the privilege of serving on the Justice AP Shah Committee and contributing to the Report of the Group of Experts on Privacy.[1] We are honoured that some of our research has also been cited by the judgment.[2] Such judicial recognition is evidence of the impact sound research can have on policymaking.

In the course of a 547 page judgment, the bench affirmed the fundamental nature of the right to privacy reading it into the values of dignity and liberty. The judgment is instructive in its reference to scholarly works and jurisprudence not only in India but other legal systems such as USA, South Africa, EU and UK, while recognising a broad right to privacy with various dimensions across spatial, informational and decisional spheres. We note with special appreciation that women’s bodily integrity and citizens’ sexual orientation are among those aspects of privacy that were clearly recognised in the judgment. For researchers studying privacy and its importance, this judgment is of great value as it provides clear reasoning to reject oft-quoted arguments which are used to deny privacy’s significance. The judgement is also cognizant of the implications of the digital age and emphasise the need for a robust data protection framework.

The right to privacy has been read into into Article 21 (Right to life and liberty), and Part III (Chapter on Fundamental Rights) of the Constitution. This means that any limitation on the right in the form of reasonable restrictions must not only satisfy the tests evolved under Article 21, but where loss of privacy leads to infringement on other rights, such as chilling effects of surveillance on free speech, the tests for constitutionality under those provisions for also be satisfied by the limiting action. This provides a broad protection to citizens’ privacy which may not be easily restricted. We expect that this judgment will have far reaching impacts, not just with respect to the immediate Aadhaar case, but also to in a score of other matters such as protection of sexual choice by decriminalising Section 377 of the Indian Penal Code, oversight of statutory search and seizure provisions such as Section 132 of the Income Tax Act, personal data collection and processing practices by both state and private actors and mass surveillance programmes in the interest of national security.

As this judgment comes in response to a referral order, the judges were not dealing with any questions of fact to ground the legal principles in. Subsequent judgments which deal with privacy will apply these principles and further evolve the contours of this right on a case-by-case basis. For now, we welcome this judgment and look forward to its consistent application in the future.

[1]. http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf

[2]. CIS was quoted in the judgement on footnote 46, page 33 and 34: http://supremecourtofindia.nic.in/pdf/LU/ALL%20WP(C)%20No.494%20of%202012%20Right%20to%20Privacy.pdf The quote is " Illustratively, the Centre for Internet and Society has two interesting articles tracing the origin of privacy within Classical Hindu Law and Islamic Law. See Ashna Ashesh and Bhairav Acharya ,“Locating Constructs of Privacy within Classical Hindu Law”, The Centre for Internet and Society, available at https://cis-india.org/internet-governance/blog/loading-constructs-of-privacy-within-classical-hindu-law. See also Vidushi Marda and Bhairav Acharya, “Identifying Aspects of Privacy in Islamic Law”, The Centre for Internet and Society, available at https://cis-india.org/internet-governance/blog/identifying-aspects-of-privacy-in-islamic-law " Further, research commissioned by CIS cited in the judgment includes a reference in page 201 footnote 319, "Bhairav Acharya, “The Four Parts of Privacy in India”, Economic & Political Weekly (2015), Vol. 50 Issue 22, at page 32."

For more details visit https://cis-india.org/internet-governance/blog/cis-statement-on-right-to-privacy-judgment

CIS Cybersecurity Series (Part 24) – Shantanu Ghosh

purba — 2015-07-15T14:58:50Z

CIS interviews Shantanu Ghosh, Managing Director, Symantec Product Operations, India, as part of the Cybersecurity Series.

“Remember that India is also a land where there are a lot of people who are beginning to use computing devices for the first time in their lives. For many people, their smartphone is their first computing device because they have never had computers in the past. For them, the challenge is how do you make sure that they understand that that can be a threat too. It can be a threat not only to their bank accounts, with their financial information, but even to their private lives.”

Centre for Internet and Society presents its twenty fourth installment of the CIS Cybersecurity Series.”

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

Shantanu Ghosh is the Managing Director of Symantec Product Operations, India. He also runs the Data Centre Security Group for Symantec globally.

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-24-2013-shantanu-ghosh

CIS Cybersecurity Series (Part 23) – Justin Searle

purba — 2015-07-15T14:44:38Z

CIS interviews Justin Searle, security expert, as part of the Cybersecurity Series.

"I think that people here in India, just like everywhere else, are broadening the areas where security can be applied. We see elsewhere, like in the United States and in Europe, that a lot of security researchers are starting to get into not just control systems, but also embedded devices and hardware and wireless... And we are seeing the same trends here in India as well. It is fun to see that growth and continual development, and not only that, but we are seeing security projects and research coming out of India, that's unqiue and fresh and contributing back to what originally came more from the United States and Europe."

Centre for Internet and Society presents its twenty third installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

Justin Searle is the managing partner for Utilisec. Utisix provides security services to the energy sector. They also assist oil, water, gas, and manufacturing companies. Justin specializes in security assessments and finding vulnerabilities in systems.

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/cis-cybersecurity-series-part-23-2013-justin-searle

CIS Cybersecurity Series (Part 22) - Anonymous

purba — 2015-07-13T13:40:42Z

CIS interviews a Tibetan security researcher and information activist, as part of the Cybersecurity Series. He prefers to remain anonymous.

"I don't know technology but I am aware of the information people share with me. So yes, they can track you down through your mobile phone. The last time I was in Nepal, I met a westerner. We went to this restaurant and she asked me to take the battery out of the phone. That was the first time I had heard of this and so when I asked why she said that it is possible that people had followed us and it has happened to other Tibetans in Nepal..."

Centre for Internet and Society presents its twenty second installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-22-anonymous

CIS Cybersecurity Series (Part 21) – Gyanak Tsering

purba — 2014-09-06T05:08:44Z

CIS interviews Gyanak Tsering, Tibetan monk in exile, as part of the Cybersecurity Series.

“I have three mobile phones but I use only one to exchange information to and from Tibet. I don't give that number to anyone and nobody knows about it. High security forces me to use three phones. Usually a mobile phone can be tracked easily in many ways, especially by the network provider but my third mobile phone is not registered so that makes sure that the Chinese government cannot track me. The Chinese have a record of all mobile phone numbers and they can block them at anytime. But my third number cannot be traced and that allows me to communicate freely. This is only for security reasons so that my people in Tibet don't get into trouble.”

Centre for Internet and Society presents its twenty-first installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

Gyanak Tsering is a Tibetan monk in exile, studying at Kirti Monastery, Dharamshala. He came to India in 1999, and has been using the internet and mobile phone technology, since 2008, to securely transfer information to and from Tibet. Tsering adds a new perspective to the cybersecurity debate and explains how his personal security is interlinked with internet security and mobile phone security.

Video

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-21-gyanak-tsering

CIS Cybersecurity Series (Part 20) – Saumil Shah

purba — 2014-09-06T05:03:00Z

CIS interviews Saumil Shah, security expert, as part of the Cybersecurity Series.

“If you look at the evolution of targets, from the 2000s to the present day, the shift has been from the servers to the individual. Back in 2000, the target was always servers. Then as servers started getting harder to crack, the target moved to the applications hosted on the servers, as people started using e-commerce applications even more. Eventually, as they started getting harder to crack, the attacks moved to the user's desktops and the user's browsers, and now to individual user identities and to the digital personas.”

Centre for Internet and Society presents its twentieth installment of the CIS Cybersecurity Series.

The CIS Cybersecurity Series seeks to address hotly debated aspects of cybersecurity and hopes to encourage wider public discourse around the topic.

Saumil Shah is a security expert based in Ahmedabad. He has been working in the field of security and security related software development for more than ten years, with a focus on web security and hacking.

Video

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-part-20-saumil-shah

CIS contributes to ABLI Compendium on Regulation of Cross-Border Transfers of Personal Data in Asia

Amber Sinha and Elonnai Hickok — 2018-06-03T15:10:11Z

The Asian Business Law Institute, based in Singapore published a compendium on “Regulation of cross-border transfer of personal data in Asia”. This was part of an exercise to explore legal convergence around issues such as data protection, enforcement of foreign judgments and principle of restructuring in Asia.

The compendium contains 14 detailed reports written by legal practitioners, legal scholars and researchers in their respective jurisdictions, on the regulation of cross-border data transfers in the wider Asian region (Australia, China, Hong Kong SAR, India, Indonesia, Japan, South Korea, Macau SAR, Malaysia, New Zealand, Philippines, Singapore, Thailand, and Vietnam).

The compendium is intended to act as a springboard for the next phase of ABLI's project, which will be devoted to the in-depth study of the differences and commonalities between Asian legal systems on these issues and – where feasible – the drafting of recommendations and/or policy options to achieve convergence in this area of law in Asia.

The chapter titled Jurisdictional Report India was authored by Amber Sinha and Elonnai Hickok. The compendium can be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/regulation-of-cross-border-transfers-of-personal-data-in-asia

CIS Comments and Recommendations to the Human DNA Profiling Bill, June 2015

Elonnai Hickok, Vipul Kharbanda and Vanya Rakesh — 2015-09-02T17:09:04Z

The Centre for Internet & Society (CIS) submitted a clause-by-clause comments on the Human DNA Profiling Bill that was circulated by the Department of Biotechnology on June 9, 2015.

The Centre for Internet and Society is a non-profit research organisation that works on policy issues relating to privacy, freedom of expression, accessibility for persons with diverse abilities, access to knowledge, intellectual property rights and openness. It engages in academic research to explore and affect the shape and form of Internet, along with its relationship with the Society, with particular emphasis on South-South dialogues and exchange. The Centre for Internet and Society was also a member of the Expert Committee which was constituted in the year 2013 by the Department of Biotechnology to discuss the draft Human DNA Profiling Bill.

Missing aspects from the Bill

The Human DNA Profiling Bill, 2015 has overlooked and has not touched upon the following crucial factors :

Objects Clause

An ‘objects clause,’ detailing the intention of the legislature and containing principles to inform the application of a statute, in the main body of the statute is an enforceable mechanism to give directions to a statute and can be a formidable primary aid in statutory interpretation. [See, for example, section 83 of the Patents Act, 1970 that directly informed the Order of the Controller of Patents, Mumbai, in the matter of NATCO Pharma and Bayer Corporation in Compulsory Licence Application No. 1 of 2011.] Therefore, the Bill should incorporate an objects clause that makes clear that

“DNA profiles merely estimate the identity of persons, they do not conclusively establish unique identity, therefore forensic DNA profiling should only have probative value and not be considered as conclusive proof.

The Act recognises that all individuals have a right to privacy that must be continuously weighed against efforts to collect and retain DNA and in order to protect this right to privacy the principles of notice, confidentiality, collection limitation, personal autonomy, purpose limitation and data minimization must be adhered to at all times.”

Collection and Consent

The Bill does not contain provisions regarding instances when the DNA samples can be collected from the individuals without consent (nor does the Bill establish or refer to an authorization procedure for such collection), when DNA samples can be collected from individuals only with informed consent, and how and in what instances individuals can withdraw their consent. The issue of whether DNA samples can be collected without the consent of the individual is a vexed one and requires complex questions relating to individual privacy as well as the right against self incrimination. While the question of whether an accused can be made to give samples of blood, semen, etc. which had been in issue in a wide gamut of decisions in India has finally been settled by section 53 of the Code of Criminal Procedure, which allows collection of medical evidence from an accused, thus laying to rest any claims based on the right against self incrimination. However there are still issues dealing with the right to privacy and the violation thereof due to the non-consensual collection of DNA samples. This is an issue which needs to be addressed in this Act itself and should not be left unaddressed as this would only lead to a lack of clarity and protracted court cases to determine this issue. An illustration of this problem is where the Bill allows for collection of intimate body samples. There is a need for inclusion of stringent safeguard measures regarding the same since without such safeguards, the collection of intimate body samples would be an outright infringement of privacy. Further, maintaining a database for convicts and suspects is one thing, however collecting and storing intimate samples of individuals is a gross violation of the citizens’ right to privacy, and without adequate mechanisms regarding consent and security, stands at a huge risk of being misused.

Privacy Safeguards

Presently, the Bill is being introduced without comprehensive privacy safeguards in place on issues such as consent, collection, retention, etc. as is evident from the comments made below. Though the DNA Board is given the responsibility of recommending best practices pertaining to privacy (clause 13 (l)) – this is not adequate given the fact that India does not have a comprehensive privacy legislation. Though section 43A and associated Rules of the Information Technology Act would apply to the collection, use, and sharing of DNA data by DNA laboratories (as they would fall under the definition of ‘body corporate’ under the IT Act), the National and State Data Banks and the DNA Board would not clearly be body corporate as per the IT Act and would not fall under the ambit of the provision or Rules. Safeguards are needed to protect against the invasion of informational privacy and physical privacy at the level of these State controlled bodies. The fact that the Bill is to be introduced into Parliament prior to the enactment of a privacy legislation in India is significant as according to discussions in the Record Notes of the 4h Meeting of the Expert Committee - “the Expert Committee also discussed and emphasized that the Privacy Bill is being piloted by the Government. That Bill will over-ride all the other provisions on privacy issues in the DNA Bill.”

Lack of restriction on type of analysis to be performed

The Bill currently does not provide any restriction on the types of analysis that can be performed on a DNA sample or profile. This could allow for DNA samples to be analyzed for purposes beyond basic identification of an individual – such as for health, genetic, or racial purposes. As a form of purpose limitation the Bill should define narrowly the types of analysis that can be performed on a DNA sample.

Purpose Limitation

The Bill does not explicitly restrict the use of a DNA sample or DNA profile to the purpose it was originally collected and created for. This could allow for the re-use of samples and profiles for unintended purposes.

Annual Public Reporting

The Bill does not require the DNA Board to disclose publicly available information on an annual basis regarding the functioning and financial aspects of matters contained within the Bill. Such disclosure is crucial in ensuring that the public is able to make informed decisions. Categories that could be included in such reports include: Number of DNA profiles added to each indice within the databank, total number of DNA profiles contained in the database, number of DNA profiles deleted from the database, the number of matches between crime scene DNA profiles and DNA profiles, the number of cases in which DNA profiles were used in and the percentage in which DNA profiles assisted in the final conclusion of the case, and the number and categories of DNA profiles shared with international entities.

Elimination Indice

An elimination indice containing the profiles of medical professionals, police, laboratory personnel etc. working on a case is necessary in case they contaminate collected samples by accident.

Clause by Clause Recommendations

As stated the Human DNA Profiling Bill 2015 is to regulate the use of DNA analysis of human body substances profiles and to establish the DNA Profiling Board for laying down the standards for laboratories, collection of human body substances, custody trail from collection to reporting and also to establish a National DNA Data Bank.

Comment:

As stated, the purpose of the DNA Human Profiling Bill is to broadly regulate the of DNA analysis and establish a DNA Data Bank. Despite this, the majority of provisions in the Bill pertain to the collection, use, access etc. of DNA samples and profiles for civil and criminal purposes. The result of this is an 'unbalanced Bill' - with the majority of provisions focusing on issues related to forensic use. At the same time the Bill is not a comprehensive forensic bill – resulting in legislative gaps.
Additionally, the Bill contains provisions beyond the stated purpose. These include:

Facilitating the creation of a Data Bank for statistical purposes (Clause 33(e))
Establishing state and regional level databanks in addition to a national level databank (Clause 24)
Developing procedure and providing for the international sharing of DNA profiles with foreign Governments, organizations, institutions, or agencies. (Clause 29)

Recommendation:

The Bill should ideally be limited to regulating the use of DNA samples and profiles for criminal purposes. If the scope remains broad, all purposes should be equally and comprehensively regulated.
The stated purpose of the Bill should address all aspects of the Bill. Provisions beyond the scope of the Bill should be removed.

Chapter 1: Preliminary

Clause 2: This clause defines the terms used in the Bill.

Comment: A number of terms are incomplete and some terms used in the Bill have not been included in the list of definitions.

Recommendation:

The definition of DNA Data bank manager - clause 2 (1)(g) - must be renamed as National DNA Data bank manager.
The definition of “DNA laboratory” in clause 2(1)(h) should refer to the specific clauses that empower the Central Government and State Governments to license and recognise DNA laboratories. This is a drafting error.

The definition of “DNA profile” in clause 2(1)(i) is too vague. Merely the results of an analysis of a DNA sample may not be sufficient to create an actual DNA profile. Further, the results of the analysis may yield DNA information that, because of incompleteness or lack of information, is inconclusive. These incomplete bits of information should not be recognised as DNA profiles. This definition should be amended to clearly specify the contents of a complete and valid DNA profile that contains, at least, numerical representations of 17 or more loci of short tandem repeats that are sufficient to estimate biometric individuality of a person. The definition of “DNA profile” does not restrict the analysis to forensic DNA profiles: this means additional information, such as health-related information could be analyzed and stored against the wishes of the individual, even though such information plays no role in solving crimes.

The term “known sample” that is defined in clause 2(1)(m) is not used anywhere outside the definitions clause and should be removed.

The definition of “offender” in clause 2(1)(q) is vague because it does not specify the offenses for which an “offender” needs to be convicted. It is also linked to an unclear definition of the term “under trial”, which does not specify the nature of pending criminal proceedings and, therefore, could be used to describe simple offenses such as, for example, failure to pay an electricity bill, which also attracts criminal penalties.

The term “proficiency testing” that is defined in clause 2(1)(t) is not used anywhere in the text of the DNA Bill and should be removed.

The definitions of “quality assurance”, “quality manual” and “quality system” serve no enforceable purpose since they are used only in relation to the DNA Profiling Board’s rule making powers under Chapter IX, clause 58. Their inclusion in the definitions clause is redundant. Accordingly, these definitions should be removed.

The term “suspect” defined in clause 2(1)(za) is vague and imprecise. The standard by which suspicion is to be measured, and by whom suspicion may be entertained – whether police or others, has not been specified. The term “suspect” is not defined in either the Code of Criminal Procedure, 1973 ("CrPC") or the Indian Penal Code, 1860 ("IPC").

The term volunteer defined in clause 2(zf) only addresses consent from the parent or guardian of a child or an incapable person. This term should be amended to include informed consent from any volunteer.

Chapter II: DNA Profiling Board

Clause 4: This clause addresses the composition of the DNA Profiling Board.

Comment: The size and composition of the Board that is staffed under clause 4 is extremely large. The number of members remains to be 15, as it was in the 2012 Bill.

Recommendation: Drawing from the experiences of other administrative and regulatory bodies in India, the size of the Board should be reduced to no more than five members. The Board must contain at least:

One ex-Judge or senior lawyer
Civil society – both institutional and non-institutional
Privacy advocates

Note: The reduction of the size of the Board was agreed upon by the Expert Committee from 16 members (2012 Bill) to 11 members. This recommendation has not been incorporated.

Clause 5(1): The clause specifies the term of the Chairperson of the DNA Profiling Board to be five years and also states that the person shall not be eligible for re-appointment or extension of the term so specified.

Comment: The Chairperson of the Board, who is first mentioned in clause 5(1), has not been duly and properly appointed.

Recommendation: Clause 4 should be amended to mention the appointment of the Chairperson and other Members.

Clause 7: The clause requires members to react on a case-by-case basis to the business of the Board by excusing themselves from deliberations and voting where necessary.

Comment: This clause addresses the issue of conflict of interest only in narrow cases and does not provide penalty if a member fails to adhere to the laid out procedure.

Recommendation: The Bill should require members to make full and public disclosures of their real and potential conflicts of interest and the Chairperson must have the power to prevent such members from voting on interested matters. Failure to follow such anti-collusion and anti-corruption safeguards should attract criminal penalties.

Clause 12(5): The clause states that the board shall have the power to co-opt such number of persons as it may deem necessary to attend the meetings of the Board and take part in the proceedings of the board, but such persons will not have the right to vote.

Comment: While serving on the Expert Committee, CIS provided language regarding how the Board could consult with the public. This language has not been fully incorporated.

Recommendation: As per the recommendation of CIS, the following language should be adopted in the Bill: The Board, in carrying out its functions and activities, shall be required to consult with all persons and groups of persons whose rights and related interests may be affected or impacted by any DNA collection, storage, or profiling activity. The Board shall, while considering any matter under its purview, co-opt or include any person, group of persons, or organisation, in its meetings and activities if it is satisfied that that person, group of persons, or organisation, has a substantial interest in the matter and that it is necessary in the public interest to allow such participation. The Board shall, while consulting or co-opting persons, ensure that meetings, workshops, and events are conducted at different places in India to ensure equal regional participation and activities.

Clause 13: The clause lays down the functions to be performed by the DNA Profiling Board, which includes it’s role in regulation of the DNA Data Banks, DNA Laboratories and techniques to be adopted for collection of the DNA samples.

Comment: While serving on the Expert Committee, CIS recommended that the functions of the DNA Profiling Board should be limited to licensing, developing standards and norms, safeguarding privacy and other rights, ensuring public transparency, promoting information and debate and a few other limited functions necessary for a regulatory authority.

Furthermore, this clause delegates a number of functions to the Board that places the Board in the role of a manager and regulator for issues pertaining to DNA Profiling including functions of the DNA Databases, DNA Laboratories, ethical concerns, privacy concerns etc.

Recommendation: As per CIS’s recommendations the functions of the Board should be limited to licensing, developing standards and norms, safeguarding privacy and other rights, ensuring public transparency, promoting information and debate and a few other limited functions necessary for a regulatory authority.

Towards this, the Board should be comprised of separate Committees to address these different functions. At the minimum, there should be a Committee addressing regulatory issues pertaining to the functioning of Data Banks and Laboratories and an Ethics Committee to provide independent scrutiny of ethical issues. Additionally:

Clause 13(j) allows the Board to disseminate best practices concerning the collection and analysis of DNA samples to ensure quality and consistency. The process for collection of DNA samples and analysis should be established in the Bill itself or by regulations. Best practices are not enforceable and do not formalize a procedure.
Clause 13(q) allows the Board to establish procedure for cooperation in criminal investigation between various investigation agencies within the country and with international agencies. This procedure, at the minimum, should be subject to oversight by the Ministry of External Affairs.

Chapter III: Approval of DNA Laboratories

Clause 15: This clause states that every DNA Laboratory has to make an application before the Board for the purpose of undertaking DNA profiling and also for renewal.

Comment: Though the Bill requires DNA Laboratories to make an application for the undertaking DNA Profiling, it does not clarify that the Lab must receive approval before collection and analysis of DNA samples and profiles.

Recommendation: The Bill should clarify that all DNA Laboratories must receive approval for functioning prior to the collection or analysis of any DNA samples and profiles.

Chapter IV: Standards, Quality Control and Quality Assurance Obligations of DNA Laboratory and Infrastructure and Training

Clause 19: This clause defines the obligations of a DNA laboratory. Sub-section (d) maintains that one such obligation is the sharing of the 'DNA data' prepared and maintained by the laboratory with the State DNA Data Bank and the National DNA Data Bank.

Comment: ‘DNA Data’ is a new term that has not been defined under Clause 2 of the Bill. It is thus unclear what data would be shared between State DNA data banks and the National DNA data bank - DNA samples? DNA profiles? associated records? It is also unclear in what manner and on what basis the information would be shared.

Recommendation: The term ‘DNA Data’ should be defined to clarify what information will be shared between State and National DNA Data Banks. The flow of and access to data between the State DNA Data Bank and National DNA Data Bank should also be established in the Bill.

Clause 22: The clause lays down the measures to be adopted by a DNA Laboratory and 22(h) includes a provision requiring the conducting of annual audits according to prescribed standards.

Comment:

The definition of “audit” under Chapter VI in clause 22 under ‘Explanation’ is relevant for measuring the training programmes and laboratory conditions. However, the term “audit” is subsequently used in an entirely different manner in Chapter VII which relates to financial information and transparency.
The standards for the destruction of DNA samples have not been included within the list of measures that DNA laboratories must take.

Recommendation:

The definition of ‘audit’ must be amended or removed as it is being used in different contexts. The term “audit” has a well established use for financial information that does not require a definition.
Standards for the destruction of DNA samples should be developed and included as a measure DNA laboratories must take.
Clause 23: This clause lays down the sources for collection of samples for the purpose of DNA profiling. 23(1)(a) includes collection from bodily substances and 23(1)(c) includes clothing and other objects. Explanation (b) provides a definition of 'intimate body sample'.

Comment:

Permitting the collection of DNA samples from bodily substances and clothing and other objects allows for the broad collection of DNA samples without contextualizing such collection. In contrast 23(b) Scene of occurrence or scene of crime limits the collection of samples to a specific context.
This clause also raises the issue of consent and invasion of privacy of an individual. If “intimate body samples” are to be taken of individuals, then this would be an invasion of the person’s right to bodily privacy if such collection is done without the person’s consent (except in the specific instance when it is done in pursuance of section 53 of the Criminal Procedure Code).

Recommendation:

Sources for the collection of DNA samples should be contextualized to prevent broad, unaccounted for, or unregulated collection. Clause (a) and (c) should be deleted and replaced with contexts in which the collection DNA collection would be permitted.
The Bill should specify circumstances on which non-intimate samples can be collected and the process for the same.
The Bill should specify that intimate body samples can only be taken with informed consent except as per section 53 of the Criminal Procedure Code.
The Bill should require that any individual that has a sample taken (intimate and non-intimate) is provided with notice of their rights and the future uses of their DNA sample and profile.

Chapter V: DNA Data Bank

Clause 24:This clause addresses establishment of DNA Data Banks at the State and National Level. 24(5) establishes that the National DNA Data Bank will receive data from State DNA Data Banks and store the approved DNA Profiles as per regulations.

Comment:

As noted previously, ‘DNA Data’ is a new term that has not been defined in the Bill. It is thus unclear what data would be shared between State DNA data banks and the National DNA data bank - DNA samples? DNA profiles? associated records?
The process for sharing Data between the State and National Data Banks is not defined.

Recommendation:

The term ‘DNA Data’ should be defined to clarify what information will be shared between State and National DNA Data Banks.
The process for the National DNA Data Bank receiving DNA data from State DNA Data Banks and DNA laboratories needs to be defined in the Bill or by regulation. This includes specifying how frequently information will be shared etc.

Clause 25: This clause establishes standards for the maintenance of indices by DNA databanks. 25(1) states that every DNA Data Bank needs to maintain the prescribed indices for various categories of data including an index for a crime scene, suspects, offenders, missing persons, unknown deceased persons, volunteers, and other indices as may be specified by regulation. 25(2) states that in addition to the indices, the DNA Data Bank should contain information regarding each of the DNA profiles. It can either be the identity of the person from whose bodily substance the profile was derived in case of a suspect or an offender, or the case reference number of the investigation associated with such bodily substances in other cases. 25(3) states that the indices maintained shall include information regarding the data which is based on the DNA profiling and the relevant records.

Comment:

25(1): The creation of multiple indices cannot be justified and must be limited since collection of biological source material is an invasion of privacy that must be conducted only in strict conditions when the potential harm to individuals is outweighed by the public good. This balance may only be struck when dealing with the collection and profiling of samples from certain categories of offenders. The implications of collecting and profiling DNA samples from corpses, suspects, missing persons and others are vast. Specifically a 'volunteer' index could possibly be used for racial/community/religious profiling.
25(2): This clause requires the names of individuals to be connected to their profiles, and hence accessible to persons having access to the databank.
25(3) The clause states that only information related to DNA profiling and will be stored in an indice. Yet, it is unclear what such information might be. This could allow inconsistencies in data stored in an indice and could allow for unnecessary information to be stored on an indice.

Recommendation:

25(1) Ideally, DNA databanks should be created for dedicated purposes. This would mean that a databank for forensic purposes should contain only an offenders’ index and a crime scene index while a databank for missing persons would contain only a missing persons indice etc. If numerous indices are going to be contained in one databank, the Bill needs to recognize the sensitivity of each indice as well as the difference between each indice and lay down appropriate and strict conditions for collection of data for such indice, addition of data into the indice, as well as use, access, and retention of data within the indice.
25(2) DNA profiles, once developed, should be maintained with complete anonymity and retained separate from the names of their owners. This amendment becomes even more important if we consider the fact that an “offender” may be convicted by a lower court and have his profile included in the data bank, but may get acquitted later. However, till the time that such person is acquitted, his/her profile with the identifying information would still be in the data bank, which is an invasion of privacy.
25(3) What information will be stored in indices should be clearly defined in the Bill and should be tailored appropriately to each category of indice.

Clause 28: This clause addresses the comparison and communication of DNA profiles. 28(1) states that the DNA profile entered in the offenders or crime scene index shall be compared by the DNA Data Bank Manger against profiles contained in the DNA Data Bank and the DNA Data Bank Manager will communicate such information with any court, tribunal, law enforcement agency, or approved DNA laboratory which he may consider appropriate for the purpose of investigation. 28(2) allows for any information relating to a person's DNA profile contained in the suspect's index or offenders' index to be communicated to authorised persons.

Comment:

28(1) (a-c) allows for the DNA Bank Manager to communicate the following: 1.) if the DNA profile is not contained in the Data Bank and what information is not contained, 2.) if the DNA profile is contained in the data bank and what information is contained, and if in the opinion of the Manager, 3.) the DNA profile is similar to one stored in the Databank. These options of communication are problematic as they 1. allow for all associated information to be communicated – even if such information is not necessary, 2.) Allows for the DNA Databank Manager to communicate that a profile is 'similar' without defining what 'similar' would constitute.
28(1) only addresses the comparison of DNA profiles entered into the offenders index or the crime scene index against all other profiles entered into the DNA Data Bank.
28(1) gives the DNA Data Bank manager broad discretion in determining if information should be communicated and requires no accountability for such a decision.
28(2) only addresses information in the suspect's and offender's index and does not address information in any other index.

Recommendation:

Rather than allowing for broad searches across the entire database, the Bill should be clear about which profiles can be compared against which indices. Such distinctions must take into consideration if a profile was taken on consent and what was consented to.
Ideally, the response from the DNA Databank Manager should be limited to a 'yes' or 'no' response and only further information should be revealed on receipt of a court order.
The Bill should define what constitutes 'similar'
A process for determining if information should be communicated should be established in the Bill and followed by the DNA Data Bank Manager. The Manager should also be held accountable through oversight mechanisms for such decisions. This is particularly important, as a DNA laboratory would be a private body.
Information stored in any index should be disclosed to only authorized parties.

Clause 29: This clause provides for comparison and sharing of DNA profiles with foreign Government, organisations, institutions or agencies. 29(1) allows the DNA Bank Manager to run a comparison of the received profile against all indices in the databank and communicate specified responses through the Central Bureau of Investigation.

Comment: This clause allows for international disclosures of DNA profiles of Indians through a procedure that is to be established by the Board (see clause 13(q))

Recommendation: The disclosure of DNA profiles of Indians with international entities should be done via the MLAT process as it is the typical process followed when sharing information with international entities for law enforcement purposes.

Clause 30: This clause provides for the permanent retention of information pertaining to a convict in the offenders’ index and the expunging of such information in case of a court order establishing acquittal of a person, or the conviction being set aside.

Comment: This clause addresses only the retention and expunging of records of a convict stored in the offenders index upon the receipt of a court order or the conviction being set aside. This implies that records in all other indices - including volunteers - can be retained permanently. This clause also does not address situations where an individuals DNA profile is added to the databank, but the case never goes to court.

Recommendation: The Bill should establish retention standards and deletion standards for each indice that it creates. Furthermore, the Bill should require the immediate destruction of DNA samples once a DNA profile for identification purposes has been created. An exception to this should be the destruction of samples stored in the crime scene index.

Chapter VI: Confidentiality of and Access to DNA Profiles, Samples, and Records

Clause 33: This provision lays down the cases and the persons to which information pertaining to DNA profiles, samples and records stored in the DNA Data Bank shall be made available. Specifically, 33(e) permits disclosure for the creation and maintenance of a population statistics Data Bank.

Comment:

This clause addresses disclosure of information in the DNA Data Bank, but does not directly address the use of DNA samples or DNA profiles. This allows for the possibility of re-use of samples and profiles.
There is no limitation on the information that can be disclosed. The clause allows for any information stored in the Data Bank to be disclosed for a number of circumstances/to a variety of people.
There is no authorization process for the disclosure of such information. Of the circumstances listed – an authorization process is mentioned only for the disclosure of information in the case of investigations relating to civil disputes or other civil matters with the concurrence of the court. This implies that there is no procedure for authorizing the disclosure of information for identification purposes in criminal cases, in judicial proceedings, for facilitating prosecution and adjudication of criminal cases, for the purpose of taking defence by an accused in a criminal case, and for the creation and maintenance of a population statistics Data Bank.

Recommendation:

The Bill should establish an authorization process for the disclosure of information stored in a data bank. This process must limit the disclosure of information to what is necessary and proportionate for achieving the requested purpose.
Clause 33(e) should be deleted as the non-consensual disclosure of DNA profiles for the study of population genetics is specifically illegal. The use of the database for statistical purposes should be limited to purposes pertaining to understanding effectiveness of the databank.
Clause 33(f) should be deleted as it is not necessary for DNA profiles to be stored in a database to be useful for civil purposes. Instead samples for civil purposes are only needed as per the relevant case and specified persons.
Clause 33(g) should be deleted as it allows for the scope of cases in which DNA can be disclosed to by expanded as prescribed.

Clause 34: This clause allows for access to information for operation maintenance and training.
Comment: This clause would allow individuals in training access to data stored on the database for training purposes. This places the security of the databank and the data stored in the databank at risk.
Recommendation: Training of individuals should be conducted via simulation only.

Clause 35: This clause allows for access to information in the DNA Data Bank for the purpose of a one time keyboard search. A one time keyboard search allows for information from a DNA sample to be compared with information in the index without the information from the DNA sample being included in the index. The clause allows for an authorized individual to carry out such a search on information obtained from an DNA sample lawfully collected for the purpose of criminal investigation, except if the DNA sample was submitted for elimination purposes.
Comment: The purpose of this clause is unclear as is the scope. The clause allows for the sample to be compared against 'the index' without specifying which index. The clause also allows for 'information obtained from a DNA sample' rather than a profile. Thus, the clause appears to allow for any information derived from a DNA sample collected for a criminal investigation to be compared against all data within the databank – without recording such information. Such a comparison is vast in scope and open to abuse.
Recommendation: To ensure that this provision is not used for conducting searches outside of the scope of the original purpose, only DNA profiles, rather than 'information derived from a sample' should be allowed to be compared, only the indices relevant to the sample should be compared, and the search should be authorized and justified.
Clause 36 : This clause addresses the restriction of access to information in the crime scene index if the individual is a victim of a specified offense or if the person has been eliminated as a suspect of an investigation.

Comment:

This clause only addresses restriction of access to the crime scene index and does not address restriction of access to other indices.
This clause only restricts access to the indice for certain category of individual and for a specific status of a person. Oddly, the clause does not include authorization or rank as a means for determining or restricting access.

Recommendation:

This clause should be amended to lay down standards for restriction of access for all indices.
Access to all information in the databank should be restricted by default and permission should be based on authorization rather than category or status of individual.

Clause 38: This clause sets out a post-conviction right related to criminal procedure and evidence.

Comment: This clause would fundamentally alter the nature of India’s criminal justice system, which currently does not contain specific provisions for post-conviction testing rights.

Recommendation: This clause should be deleted and the issue of post conviction rights related to criminal procedure and evidence referenced to the appropriate legislation. Clause 38 is implicated by Article 20(2) of the Constitution of India and by section 300 of the CrPC. The principle of autrefois acquit that informs section 300 of the CrPC specifically deals with exceptions to the rule against double jeopardy that permit re-trials. [See, for instance, Sangeeta Mahendrabhai Patel (2012) 7 SCC 721.] The person must be duly accorded with a right to know rules may provide for- the authorized persons to whom information relating to a person’s DNA profile contained in the offenders’ index shall be communicated. Alternatively, this right could be limited only to accused persons who’s trial is still at the stage of production of evidence in the Trial Court. This suggestion is being made because unless the right as it currently stands, is limited in some manner, every convict with the means to engage a lawyer would ask for DNA analysis of the evidence in his/her case thereby flooding the system with useless requests risking a breakdown of the entire machinery.

Chapter VII: Finance, Accounts, and Audit

Clause 39: This clause allows the Central Government to make grants and loans to the DNA Board after due appropriation by Parliament.

Comment: This clause allows the Central Government to grant and loan money to the DNA Board, but does not require any proof or justification for the sum of money being given.

Recommendation: This clause should require a formal cost benefit analysis, and financial assessment prior to the giving of any grants or loans.

Chapter VIII: Offences and Penalties

Chapter IX: Miscellaneous

Clause 53: This clause allows protects the Central Government and the Members of the Board from suit, prosecution, or other legal proceedings for actions that they have taken in good faith.

Comment: Though it is important to take into consideration if an action has been taken in good faith, absolving the Government and Board from accountability for actions leaves little course of redress for the individual. This is particularly true as the Central Government and the Board are given broad powers under the Bill.

Recommended: If the Central Government and the Board will be protected for actions taken in good faith, their powers should be limited. Specifically, they should not have the ability to widen the scope of the Bill.

Clause 57: This clause states that the Central Government will have the powers to make Rules for a number of defined issues.

Comment: 57(d) allows for the regulations to be created regarding the use of population statistics Data Bank created and maintained for the purposes of identification research and protocol development or quality control.

Recommendation: 57(d) should be deleted as any use for the creation of a population statistics Data Bank created and maintained for the purposes of identification research and protocol development or quality control is beyond the scope of the Bill.

Clause 58: This clause empowers the Board to make regulations regarding a number of aspects related to the Bill.
Comment: There a number of functions that the Board can make regulations for that should be defined within the Bill itself to ensure that the scope of the Bill does not expand without Parliamentary oversight and approval.
Recommendation: 58(2)(g) should be deleted as it allows the Board to create regulations for other relevant uses of DNA techniques and technologies, 58(2)(u) should be deleted as it allows the Board to include new categories of indices to databanks, and 58(2) (aa) should be deleted as it allows the Board to decide which other indices a DNA profile may be compared with in the case of sharing of DNA profiles with foreign Governments, organizations, or institutions.

Clause 61: This clause states that no civil court will have jurisdiction to entertain any suit or proceeding in respect of any matter which the Board is empowered to determine and no injunction shall be granted.

Comment: This clause in practice will limit the recourse that individuals can take and will exclude the Board from the oversight of civil or criminal courts.

Recommendation: The power to collect, store and analyse human DNA samples has wide reaching consequences for people whose samples are being utilised for this purpose, specially if their samples are being labeled in specific indexes such as “index of offenders”, etc. The individual should therefore have a right to approach the court of law to safeguard his/her rights. Therefore this provision barring the jurisdiction of the courts should be deleted.

Schedule

Schedule A: The schedule refers to section 33(f) which allows for disclosure of information in relation to DNA profiles, DNA samples, and records in a DNA Data Bank to be communicated in cases of investigations relating to civil disputes or other civil matters or offenses or cases listed in the schedule with the concurrence of the court.

Comment: As 33(f) requires the concurrence of the court for disclosure of information, it is unclear what purpose the schedule serves. If the Schedule is meant to serve as a guide to the Court on appropriate instances for the disclosure of information stored in the DNA databank – the schedule is too general by listing entire Acts, while at the same time being too specific by naming specific Acts. Ideally, courts should use principles and the greater public interest to reach a decision as to whether or not disclosure of information in the DNA databank is appropriate. At a minimum these principles should include necessity (of the disclosure) and proportionality (of the type/amount of information disclosed).

Recommendation: As we recommended the deletion of clause 33(f) as it is not necessary to databank DNA profiles for civil purposes, the schedule should also be deleted.

Note: The schedule differs drastically from previous drafts and from discussions held in the Expert Committee and recommendations agreed upon. As per the Meeting Minutes of the Expert Committee meeting held on November 10th 2014 “The Committee recommended incorporation of the comments received from the members of the Expert Committee appropriately in the draft Bill...Point no. 1 suggested by Mr. Sunil Abraham in the Schedule of the draft Bill to define the cases in which DNA samples can be collected without consent by incorporating point no. 1 (I.e 'Any offence under the Indian Penal Code, 1860 if it is listed as a cognizable offence in Part I of the First Schedule of the code of Criminal Procedure, 1973)”

Download CIS submission here. See the cover letter here.

For more details visit https://cis-india.org/internet-governance/blog/cis-comments-and-recommendations-to-human-dna-profiling-bill-2015

CIS Comments and Recommendations on the Data Protection Bill, 2021

Pallavi Bedi and Shweta Mohandas — 2022-02-14T16:07:44Z

This document is a revised version of the comments we provided on the 2019 Bill on 20 February 2020, with updates based on the amendments in the 2021 Bill.

After nearly two years of deliberations and a few changes in its composition, the Joint Parliamentary Committee (JPC), on 17 December 2021, submitted its report on the Personal Data Protection Bill, 2019 (2019 Bill). The report also contains a new version of the law titled the Data Protection Bill, 2021 (2021 Bill). Although there were no major revisions from the previous version other than the inclusion of all data under the ambit of the bill, some provisions were amended.

This document is a revised version of the comments we provided on the 2019 Bill on 20 February 2020, with updates based on the amendments in the 2021 Bill. Through this document we aim to shed light on the issues that we highlighted in our previous comments that have not yet been addressed, along with additional comments on sections that have become more relevant since the pandemic began. In several instances our previous comments have either not been addressed or only partially been addressed; in such instances, we reiterate them.

These general comments should be read in conjunction with our previous recommendations for the reader to get a comprehensive overview of what has changed from the previous version and what has remained the same. This document can also be read while referencing the new Data Protection Bill 2021 and the JPC’s report to understand some of the significant provisions of the bill.

Read on to access the comments | Review and editing by Arindrajit Basu. Copy editing: The Clean Copy; Shared under Creative Commons Attribution 4.0 International license

For more details visit https://cis-india.org/internet-governance/blog/pallavi-bedi-and-shweta-mohandas-cis-comments-on-data-protection-bill

CIS and International Coalition Calls upon Governments to Protect Privacy

elonnai — 2013-09-25T07:21:09Z

The Centre for Internet and Society (CIS) along with the International Coalition has called upon governments across the globe to protect privacy.

On September 20 in Geneva, CIS joined a huge international coalition in calling upon countries across the globe, including India to assess whether national surveillance laws and activities are in line with their international human rights obligations.

The Centre for Internet and Society has endorsed a set of international principles against unchecked surveillance. The 13 Principles set out for the first time an evaluative framework for assessing surveillance practices in the context of international human rights obligations.

A group of civil society organizations officially presented the 13 Principles this past Friday in Geneva at a side event attended by Navi Pillay, the United Nations High Commissioner for Human Rights and the United Nations Special Rapporteur on Freedom of Expression and Opinion, Frank LaRue, during the 24th session of the Human Rights Council. The side event was hosted by the Permanent Missions of Austria, Germany, Liechtenstein, Norway, Switzerland and Hungary.

Elonnai Hickok, Programme Manager at the Centre for Internet and Society has noted that "the 13 Principles are an important first step towards informing governments, corporates, and individuals across jurisdictions, including India, about needed safeguards for surveillance practices and related policies to ensure that they are necessary and proportionate."

Navi Pillay, the United Nations High Commissioner for Human Rights, speaking at the Human Rights Council stated in her opening statement on September 9:

"Laws and policies must be adopted to address the potential for dramatic intrusion on individuals’ privacy which have been made possible by modern communications technology."

Navi Pillay, the United Nations High Commissioner for Human Rights, speaking at the event, said that:

"technological advancements have been powerful tools for democracy by giving access to all to participate in society, but increasing use of data mining by intelligence agencies blurs lines between legitimate surveillance and arbitrary mass surveillance."

Frank La Rue, the United Nations Special Rapporteur on Freedom of Expression and Opinion made clear the case for a direct relationship between state surveillance, privacy and freedom of expression in this latest report to the Human Rights Council:

"The right to privacy is often understood as an essential requirement for the realization of the right to freedom of expression. Undue interference with individuals’ privacy can both directly and indirectly limit the free development and exchange of ideas. … An infringement upon one right can be both the cause and consequence of an infringement upon the other."

Speaking at the event, the UN Special Rapporteur remarked that:

"previously surveillance was carried out on targeted basis but the Internet has changed the context by providing the possibility for carrying out mass surveillance. This is the danger."

Representatives of the Centre for Internet and Society, Privacy International, the Electronic Frontier Foundation,Access,Human Rights Watch,Reporters Without Borders, Association for Progressive Communications, and theCenter for Democracy and Technology all are taking part in the event.

Find out more about the Principles at https://NecessaryandProportionate.org

Contacts

NGOs currently in Geneva for the 24^th Human Rights Council:

Access
Fabiola Carrion: fabiola@accessnow.org

Association for Progressive Communication
Shawna Finnegan: shawna@apc.org

Center for Democracy and Technology
Matthew Shears: mshears@cdt.org

Electronic Frontier Foundation
Katitza Rodriguez: katitza@eff.org - @txitua

Human Rights Watch
Cynthia Wong: wongc@hrw.org

Privacy International
Carly Nyst: carly@privacy.org

Reporters Without Borders
Lucie Morillon: lucie.morillon@rsf.org
Hélène Sackstein: helsack@gmail.com

Signatories

Argentina
Ramiro Alvarez: rugarte@adc.org.ar
Asociación por los Derechos Civiles

Argentina
Beatriz Busaniche: bea@vialibre.org.ar
Fundación Via Libre

Colombia
Carolina Botero: carobotero@gmail.com
Fundación Karisma

Egypt
Ahmed Ezzat: ahmed.ezzat@afteegypt.org
Afteegypt

Honduras
Hedme Sierra-Castro: hedme.sc@gmail.com
ACI-Participa

India
Elonnai Hickok: elonnai@cis-india.org
Center for Internet and Society

Korea
Prof. Park: kyungsinpark@korea.ac.kr
Open Net Korea

Macedonia
Bardhyl Jashari: info@metamorphosis.org.mk
Metamorphosis Foundation for Internet and Society

Mauritania, Senegal, Tanzania
Abadacar Diop: jonction_jonction@yahoo.fr
Jonction

Portugal
Andreia Martins: andreia@coolpolitics.pt
ASSOCIAÇÃO COOLPOLITICS

Peru
Miguel Morachimo: morachimo@gmail.com
Hiperderecho

Russia
Andrei Soldatov: soldatov@agentura.ru
Agentura.ru

Serbia
Djordje Krivokapic: krivokapic@gmail.com
SHARE Foundation

Western Balkans
Valentina Pellizer: valentina.pellizzer@oneworldsee.org
Oneworldsee

Brasil
Marcelo Saldanha: instituto@bemestarbrasil.org.br
IBEBrasil

For more details visit https://cis-india.org/internet-governance/blog/cis-and-international-coalition-calls-upon-governments-to-protect-privacy

CII Conference on "ACT": Achieve Cyber Security Together"

kovey — 2013-07-26T08:17:40Z

The Confederation of Indian Industries (CII) organized a conference on facing cyber threats and challenges at Hotel Hilton in Chennai on July 13, 2013. Kovey Coles attended this conference and shares a summary of the event in this blog post.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

The conference hosted by CII in the Hotel Hilton, was well attended, and featured a range of industry experts, researches and developers, and members of the Indian armed forces.

Participants focused on the importance of Indian entities reaching new, adequate levels of cyber security. It was stated early in the event that India is one of the world's most targeted areas for cyber-attacks, and its number of domestic internet users is known to be rapidly increasing in an age which many view as a new era of international information warfare. Despite this, the speakers considered India to be too far behind other countries in its understanding of cyber security. In the opening remarks, CII Chairman Santhanam implored "We need hard core techies in this field… we are not producing them." Another speaker, Savitha Kesav Jagadeesan, a practicing lawyer in Chennai, asked if India would wait until the "9/11 of cyberspace" occurrence before we establish the same level of precautionary measures online as it exists now in transportation security.

With the presence of both the government’s executive forces and the private industries, the aura circulating the conference room was that of a collective Indian defense, a secure nation only achieved through both secure governmental and industrial aspects. Similar to the previous day’s DSCI cyber security conference, many speakers discussed security issues pertinent to the financial and banking industries, and other cyber crimes which had pecuniary goals. For people seeking to avoid the array of scams and frauds online, some talks shared some of the most basic advice, like safe password practices. "Passwords are like toothbrushes," said A.S. Murthy of the CDAC, "use them often, never share them with anyone, change them often." Other talks went into the intricacies of various hacking schemes, including tab-nabbing and Designated Denial of Service (DDoS) attacks, describing their tactics and how to moderate them.

In the end, the conference had certainly informed the attendees of the goals, and the challenges, that India will face in the coming months and years. The speakers (all of them) showed how the world of cyber security was quickly evolving, and demonstrated the imperative in government and industry entities evolving their own practices and defenses in stride. The ambitions of several presentations matched the well-publicized "5 lakh cyber professionals in 5 years" plan, placing a strong emphasis in the current and future training of young students in cyber security. Ultimately, I think, the conference helped convince that cyber security is neither a futile, nor completely infallible concept. As CISCO Vice President Col. K.P.M. Das said towards the end of the evening, the most ideal form of cyber security is truly "all about trust, the ability to recover, and transparency/visibility."

For more details visit https://cis-india.org/internet-governance/blog/cii-conference-on-act

Chinese state media says U.S. should take some blame for cyber attack

praskrishna — 2017-06-07T01:12:27Z

"WannaCry is far and away the most severe malware attack so far in 2017, and the spread of this troubling ransomware is far from over". Since the global attack was launched on Friday, several thousand more computers were discovered to be infected, particularly in Asia as the work day began on Monday. "We've seen that the slowdown of the infection rate over Friday night, after a temporary fix around it, has now been overcome by a second variation the criminals have released".

The article by Ellis Neal was published in the Villages Suntimes on May 21, 2017.

Microsoft called the incident a "wake-up" call for governments and customers to take security seriously, but in a letter to the Times Sir David Omand, GCHQ director from 1996 to 1997, pins the blame squarely on the technology firm for failing to maintain support for its ageing Windows XP platform. If they wanted their files decrypted, the program said all they had to do was pay $300 worth of Bitcoin to the specified address.

However, a cyber security expert working with the Centre for Internet and Society, Udbhav Tiwari working on vulnerabilities such as these, said as most ATMs in the country especially of the public-sector banks run on outdated operating systems, or are not updated regularly, they can be easily compromised.

When Microsoft sells its operating system software it does so through a licence agreement that states the company is not liable for any security breaches, thus shielding it from any legal complaints, points out Michael Scott, a professor at Southwestern Law School.

Microsoft has blamed the U.S. government for creating the software code that was used by hackers to launch the cyber-attacks. USA and European officials did not rule out North Korea as a possible suspect in the cyberattack.

In a blog post, Microsoft admonished governments around the world for keeping software vulnerabilities to themselves, instead of reporting them to the developers. EternalBlue and DoublePulsar, two tools the NSA used to infiltrate computer networks, were stolen from the agency and leaked online in April as part of a massive data dump by the Shadow Brokers hacker group. An investigation is on-going regarding how the codes got out.

The cyber experts have warned of a huge risk in near future as most institutions and individuals in Bangladesh use pirated software. We can not expect criminal hackers to be held accountable for their actions, but we should hold our government agencies accountable.

Since China and Russian Federation are two of the countries where a major share of computers are running pirated Windows, these are also the countries with the biggest rate of WannaCry infections, as stated by F-Secure.

Malware cases have been spreading in recent years as the malicious software trend has been gaining ground, with new forms of ransomware hitting the scene.

For more details visit https://cis-india.org/internet-governance/news/villages-suntimes-may-21-2017-ellis-neal-chinese-state-media-says-us-should-take-some-blame-for-cyber-attack

Chinese hackers baiting Indian govt, corporate employees: report

praskrishna — 2013-09-05T10:31:53Z

Hackers using fake subject headings to get users to open virus-laden email attachments.

This article by Moulishree Srivastava and Anirban Sen was published in Livemint on August 9, 2013. Sunil Abraham is quoted.

Using faked subject headings as diverse as Gujarat chief minister Narendra Modi and the Jallianwala Bagh Massacre, Chinese hackers have been baiting Indian government officials and corporate employees to open virus-laden emailed attachments and expose themselves to the risk of cyber attacks, a new report says.

The report on “advanced persistent cyber attacks” is based on an investigation conducted by security research firm Research Bundle in collaboration with CERT-ISAC. ISAC is a certification body for information technology (IT) security professionals that handles India’s National Security Database (NSD). CERT (Computer Emergency Response Team)-ISAC deals with mobile and electronic security.

“Some time back, there were a couple of high-profile cyber attacks that came to our notice when we were approached by corporates as well as government entities to look into them,” said Rajshekhar Murthy, director at CERT-ISAC, NSD, at the report’s release on Friday.

“First we thought it might be just these few incidents, but as we went deeper into it, it came to light that these threats were far more (widely) spread than we had initially perceived. During the course of our research, we got proof that the threats originated from China,” he said.

NSD, managed by ISAC and the government, is a programme that provides certification to IT professionals who have capability to protect critical infrastructure and the economy.

“Chinese hackers have been persistent in their attacks. According to our analysis, they have also made a separate wing for these operations,” Murthy said.

The report says, “It’s also a known fact the Indian government and other important sectors from India were heavily targeted during this campaign...focused on stealing confidential documents and sensitive information.”

The threat came in the form of emails with attached documents targeting government and corporate entities. “These documents exploited previously known vulnerabilities to drop ‘Travnet’ malware on to the systems,” said the report, prepared by 20 Internet security professionals over a period of six months.

“These emails showed that China has been gathering information about India and keeping up with current issues, and using those to entice people to open the attachments,” Murthy said.

Some of the attachments had names such as Army Cyber Security Policy 2013.doc, Jallianwala bagh massacre - a deeply shameful act.doc, Report - Asia Defense Spending Boom.doc, His Holiness the Dalai Lama’s visit to Switzerland day 3.doc, and BJP won’t dump Modi for Nitish NDA headed for split.doc.

The malware Travnet was specifically designed to search for “doc, docx, xls, xlsx, txt, rtf and pdf” files on the hacked computer.

“This provides enough hints that this malware was designed to steal confidential information, unlike the usual botnet variants that focus primarily on providing remote access to the system,” the report said. “The malware initially collects system information, a list of files on the victim machine among others, then sends this data to the remote Command & Control server...”

According to industry estimates, losses due to cyber theft from reported attacks alone amount to $8-10 billion (Rs.48,800-61,000 crore). But experts say the figure could be much higher as many threats go unreported.

Worryingly, the security infrastructure of Indian government websites has reportedly failed to keep pace with cyber attackers, who are becoming more focused on stealing information.

“Many of the servers that host ‘gov.in’ sites are running outdated software versions, with poorly managed Web servers that do not follow even the most basic Web application security guidelines,” said the report. “Even important government sites, access to which can lead to much deeper intrusion, seem to be managed with little care. While defacements are usually carried out by hackers just for fun or fame, serious hackers can cause much more damage and remain unnoticed for a very long time...”

“Slowly but steadily, serious APT (advanced, persistent attacks) campaigns are on the rise,” the report added. “It’s very important for the nation to start upgrading its IT infrastructure to keep up with the latest security guidelines and practices.”

“Cyber security has become one of the crucial areas for us and we are focusing on putting capacity and capability in place to strengthen the cyber security infrastructure,” said Alok Vijayant, director of the National Technical Research Organisation. “We want to bring IT security professionals under one entity to enhance our existing capability instead of just focusing on putting in additional security infrastructure.”

“India has one of the largest talent pools of IT professionals, but our biggest concern remains the young talent in IT, as most professionals prefer to go abroad to work,” he added.

Additionally, the use of proprietary rather than open-source software increases the vulnerability of Indian entities, according to Sunil Abraham, executive director of Bangalore-based research organization Centre for Internet and Society. “There’s a lack of use of Linux and other kinds of free software at both the desktop level and also the front end... They’re using Microsoft both at the server end and on the client end. Most of these attacks take advantage of that operating system dependency. If one were to look at it at a macro level, we’re vulnerable across the board—vulnerable to the US, we’re vulnerable to attackers from Europe, Pakistan, etc.,” Abraham said.

For more details visit https://cis-india.org/news/livemint-august-9-2013-moulishree-srivastava-anirban-sen-chinese-hackers-baiting-indian-govt-corporate-employees

Checks and balances needed for mass surveillance of citizens, say experts

Admin — 2017-12-16T14:32:23Z

A number of measures are required to protect law-abiding citizens from mass surveillance and misuse of their personal data, according to top technology and legal experts.

The article by Peerzada Abrar was published in the Hindu on December 9, 2017

The measures include issuing of tokens by the Unique Identification Authority of India (UIDAI) instead of Aadhaar numbers and having an official in the judiciary give permission to vigilance.

The experts were participating in a panel discussion on ‘Navigating Big Data Challenges’ at Carnegie India’s Global Technology Summit here. They also said there was a need to implement ‘de-identification of data’ or preventing a person’s identity from being connected with information.

The moderator of the discussion was Justice B.N. Srikrishna, a former Supreme Court judge, who was also heading a government-appointed committee of experts to identify “key data protection issues” and recommend methods to address them. Justice Srikrishna told the panellists that Aadhaar or the unique identification number had empowered the people. But in situations where the State wants all the information about citizens from different service providers because of its suspicions related to terrorism or criminal activity, he asked, what is the method to create a balance?

“Surveillance is like salt in cooking which is essential in tiny quantities, but counterproductive even if slightly in excess,” responded Sunil Abraham, executive director of Bengaluru-based think tank, Centre for Internet and Society. He said there was a need to make a surveillance system which had privacy by design built into it.

Mr. Abraham said that his organisation had proposed to the UIDAI that it used ‘tokenisation,’ which meant that whenever there was a ‘know your customer’ requirement, the Aadhaar number was not accessed by organisations like telecom firms or the banks. Instead, when the citizens used various services via smart cards or pins, a token got generated, which was controlled by the UIDAI. Organisations like banks and telecom firms can store those token numbers in their database. He said this would make it harder for unauthorised parties to combine databases. But at the same time would enable law enforcement agencies to combine database using the appropriate authorizations and infrastructure.

“UIDAI is considering this, they call it the dummy Aadhaar numbers. We need technical as well as institutional checks and balances,” said Mr. Abraham.

Countries like the U.S also have processes like Foreign Intelligence Surveillance Court (FISA court) which entertains applications made by the U.S Government for approval of electronic surveillance, physical search, and certain other forms of investigative actions for foreign intelligence purposes.

“My concern is that in the current system, surveillance can be done by the State machinery. I don’t necessarily suggest FISA court.... but some kind of mechanism where (one can’t) be held at the mercy of incestuous State machinery,” said Rahul Matthan, a partner at law firm Trilegal. “But have some second person who is outside the influence of this system (and) who actually says ‘yes this is a terrorist which requires us to do mass surveillance,” he said.

Artificial Intelligence

A large amount of information or Big data ranging from financial, health to political insights of people is being collected by different organisations and service providers which is sitting in different silos. All of this is likely going to be linked through Aadhaar. Mr. Srikrishna asked what if a situation arises where all of this data is aggregated and using artificial intelligence and machine learning, one is able to analyse it and profile individuals. He said “would that be not a terrifying scenario” where the State can act super-monitor for citizens. He asked how can citizens be guarded against it?

Mr.Srikrishna was referring to the ‘Social Credit System’ proposed by the Chinese government for creating a national reputation system to rate the trustworthiness of its citizens including their economic and social status. It works as a mass surveillance tool and uses big data analysis technology.

“It is a possibility. What stands in the way of it becoming a reality (in India) is a robust law,” said Mr.Matthan. “Technology is so powerful that it could equally be used for good as well as bad.”

For more details visit https://cis-india.org/internet-governance/news/the-hindu-peerzada-abrar-december-9-2017-checks-and-balances-needed-to-mass-surveillance-of-citizens-say-experts

Centre’s order on computer surveillance threatens right to privacy, experts say

Admin — 2018-12-25T00:50:48Z

The Constitutional validity of the notification allowing ten agencies to intercept information is uncertain.

The blog post by Abhishek Dey was published in Scroll.in on December 22, 2018.

A notification issued by the Union Ministry of Home Affairs on Thursday allowing ten agencies to intercept, monitor and decrypt any information generated from any computer poses a grave threat to the fundamental right to privacy, said lawyers and cyber security experts.

The notification led to a political storm on Friday and criticism from the Opposition forced Parliament to be adjourned. However, Union Finance Minister Arun Jaitley accused the Opposition of “making a mountain where a molehill does not exist”. The government on Friday issued a clarification stating that the directive does not confer any new powers on it and has the legal backing of the Information Technology Act.

Experts agreed that Thursday’s notification lists powers already available to the authorities in the Information Technology Act 2000. The legal provisions to allow interception were introduced in 2008 by the Congress-led United Progressive Alliance government. However, with the fresh directive, experts said that the Bharatiya Janata Party-led government seems to be trying to formalise surveillance through the interception of computer information, they said.

“It is true that such [interception] powers already existed,” said Pavan Duggal, a lawyer with expertise in cyber security. “But neither any such formal directives were issued which I know of, nor any agency were specifically notified to have those powers.”

Privacy test

The Information Technology Act 2000 was amended in 2008 to allow to the monitoring and interception of computer information, while the rules under which this would operate were promulgated in 2009. In 2017, the Supreme Court delivered a judgment establishing privacy as a fundamental right. The legal foundation of the computer interception directive could be still be challenged in court because it has not yet been considered in light of the privacy judgment, said Duggal. “It is now a matter of Constitutional validity,” he said

Thursday’s notification lists the agencies authorised to intercept, monitor and decrypt computer data: the Intelligence Bureau, Narcotics Control Bureau, Enforcement Directorate, Central Board of Direct Taxes, Directorate of Revenue Intelligence, Central Bureau of Investigation, National Investigation Agency, Cabinet Secretariat (RAW), Directorate of Signal Intelligence (for service areas of Jammu and Kashmir, North East and Assam) and the Commissioner of Police, Delhi. The Act provides a jail term of seven years for anyone who refuses to cooperate with these agencies.

On Friday, experts questioned whether a notification listing the 10 agencies had actually been issued earlier, as the Centre claimed.

“It is a fresh notification,” said Apar Gupta, a lawyer who specialises in technology and media issues. “With this, interception of computers has received formal acceptance in the public domain and it can have serious implications on privacy.”

Senior officials of the Delhi Police also said this appeared to be a fresh order. Asked if this meant that the agencies would not need to ask for authorisation in every case since a blanket order has been issued, the officials said that this still needs to be clarified.

Lacking proportionality

The order has raised questions about the validity of the cases of interception of computer information conducted by the state police and other security agencies between 2009 (the year the interception rules were promulgated) and 2018 (the year the notification has been issued), Pranesh Prakash, co-founder of the Centre for Internet and Society.

One possibility, he said, may be that they were all unlawful.

But if they were indeed conducted with legal backing, Prakash said, then permission for this would been sanctioned in the form of an order by a competent authority. This is what Rule 3 of the interception rules mandate. But if so, Rule 4, which deals with the government authorising agencies to conduct such interceptions, is redundant. “How can it not be when any state police or other agency is capable of acquiring an order for interception under Rule 3?” he said

Besides, Prakash said, the new directive does not pass the test of proportionality.

In 2007, the Central government introduced rules to amend the Indian Telegraph Act 1951 to allow for information to be intercepted, Prakash said. However, the rules say that the competent authority should resort to interception only after considering all alternative means to acquire information. Thursday’s directive, though, is silent about the circumstances in which interception will be permitted, he said.

For more details visit https://cis-india.org/internet-governance/news/scroll-abhishek-dey-december-22-2018-centres-order-on-computer-surveillance-threatens-right-to-privacy