Centre for Internet and Society

My Experiment with Scam Baiting

sahana — 2012-03-13T10:43:28Z

Today, as I am sure many of you have experienced, Internet scams are widespread and very deceptive. As part of my research into privacy and the Internet, I decided to follow a scam and attempt to fully understand how Internet scams work, and what privacy implications they have for Internet users. Though there are many different types of scams that take place over the Internet —identity scams, housing scams, banking scams— just to name a few. I decided to look in depth at the lottery scam.

Day 1: July 4, 2011

On July 4, I received a spam mail from Shell BP Manchester England (lamarc65@cs.com). The e-mail informed me that my e-mail address had won a sum of $550,000 which was held on July 3, 2011 in England. In order to claim my prize the e-mail instructed me to confirm the receipt of the mail by submitting a few of my personal details to one Dr. Mohammed Al Maliki. This is an extract from the letter asking for my information:

Information Requested:

Your full Name:
Contact address:
Your Telephone:
Your Age:
Your occupation:
Your country of origin:

Congratulations.
Yours Sincerely,
Mrs Roseline Lott
Shell Prize announcer, England.

Deciding to reply to the email and see what happened, I responded to Dr. Mohammed Al Maliki (dr.mohamedmalik@gmail.com) with the information that the e-mail had asked, only I substituted my real information with the following fake information:

Shaiza Sarkar
B-196, CR Park, New Delhi - 110019
09916000603
23 yrs old
India

To my surprise he replied to my mail the same day at 4:59pm. In this mail he informed me that he had sent my details to Lloyds Bank who would be responsible for the payment of my prize. He asked me to inform him after I receive a mail from the bank. The e-mail contained a phone number for me to call. I tried to call the number mentioned in the mail but there was no reply.

Again to my surprise, I received a mail from Lloyds Bank at 6:58 p.m. the same day with a list of documents and details that I was supposed to send them to claim the prize money. Lloyds Bank had also attached a deposit certificate to ‘prove’ that Shell Petroleum Development Company had deposited the prize money in the bank. Below is an extraction of the e-mail I received from Lloyds Bank.

"FROM THE DESK OF DR. MOHAMED MALIK
REGIONAL CLAIMS AGENT,
SHELL PETROLEUM INTERNATIONAL LOTTERY PROGRAM.
Regional Office:
St James Court, Great Park Road,
Almondsbury Park, Bradley Stoke,
Bristol BS32 4QJ, England
Contact: +447035974608
“LLOYDS BANK PLC
ADMINISTRATIVE HEADQUARTERS.
LONDON, ENGLAND, UNITED KINGDOM.
REF...FILENOS2345/LTB
ATTENTION: SARKAR SHAIZA
*REGARDING YOUR PRIZE FROM SHELL PETROLEUM DEVELOPMENT COMPANY*
PLEASE SEND US THE DOCUMENTS BELOW;
1. A CERTIFICATE OF AWARD FROM SHELL PETROLEUM CONTACT DR MOHAMED MALIK
2. A SCANNED COPY OF EITHER YOUR DRIVERS LICENSE OR YOUR INTERNATIONAL PASSPORT OR WORK I.D CARD.
3. A SWORN AFFIDAVIT OF CLAIM FROM THE CROWN COURT HERE IN LONDON,YOU ARE REQUIRED TO CONTACT [DR MOHAMED MALIK]YOUR AGENT FOR ALL THIS.
SIR PAUL WISCONFIELD.
HEAD OF OPERATIONS.
LLOYDS TSB BANK PLC

Day 2: July 5, 2011

The next day I informed Dr. Mohammed Al Maliki of the above letter from the bank, as instructed to at 8:58 p.m. At 9:45 p.m., Dr. Mohammed Al Maliki emailed me back with the certificate of award from Shell Petroleum Development Company with my fake name printed on it.

Though the first two documents that Lloyds Bank required me to obtain were standard enough, the turning point in this entire scam was the third document that Lloyds Bank asked me to acquire. The third document asked me to present a sworn affidavit of claim from the Crown Court in London. Following the instructions given by the bank, I again emailed Dr. Mohammed Al Maliki. He replied with instructions for me to contact Barrister Wilson Burrows (ESQ) of Wilson and Co. Law Chambers for this document. I tried to search for Wilson and Co. Chambers on the Internet and found that no company with such a name exists.

This is the certificate of award provided to me by Dr. Mohammed Al Maliki:

Day 3: July 6, 2011

At 1:47 p.m. I mailed Wilson and Co. Law Chambers informing them about the sworn affidavit that I required in order to claim the lottery prize. The same day at 8:25 p.m. the Law Chambers sent me the following mail with an application form, and asked me to transfer 520 pounds through a Western Union Money Transfer to the Chamber’s Accountant Mr. Preston Doyle. I checked the address provided in the mail to see if it existed. The Google map showed that the given pin code “L14JJ”- London - was a pin code for Liverpool, Merseyside UK, which is not London , and not where Wilson and Co. Law Chambers claimed to be based. Additionally, the Law Chambers attached a form for the affidavit in this mail.

Below is an extract from the email I received from Wilson and Co. Law Chambers:
“The Principal Attorney
Wilson and co Chambers
#18 Harms Road Manchester
L14JJ - London.
Supreme Solicitors, Principal Attorneys and Property Managers
Kind Attention: Client,
As stated in the attached form, the completed form should be returned with the Court Oath Fee. For further processing, see below fees;
Court Oath Fee: 250 Pounds
Attorney Fee: 270 Pounds
------------------------------------------
Total Fee: 520 Pounds
-----------------------------------------
To send this money, go to any WESTERN UNION MONEY TRANSFER OFFICE nearest to you and make the payment to the Chamber's Accountant - Mr. Preston Doyle with the following details -
Receiver's Name: Mr. Preston Doyle
Receiver's Location: London, United Kingdom.
Receiver's Address: #18 Harms Road Manchester, L14JJ – London
Amount: £ 520.00 (Five Hundred and Twenty Pounds)
Regards,
Mrs.Wilson Burrows(ESQ)
(Registrar)
Mrs. Ivon Samuel (KBE) (Secretary)”

Day 4: July 7, 2011

After receiving the e-mail asking for a money transfer, I was curious and wished to probe more. Thus, I wrote to Wilson and Co Law Chambers and explained that a Western Union Transfer was not available in my village. The same day at 6:48 p.m. the Law Chambers sent me a mail saying that the Honourable Chamber recognizes only Western Union Transfer as the safest mode for transactions. I did not reply to this mail, as I knew I would not be able to go any further with my investigation. Though I was disappointed because this was the end to my investigation into lottery scams, and I still had questions that I wanted answered, the last e-mail the Law Chambers sent me was very interesting. In the last email sent to me by the Law Chambers requested (in a very pushy tone) that I should not tell anyone about my prize money, and that it was in fact in my best interest not to tell anyone.

Below is the extract of this mail:

“So do not discuss your winning with anybody until your prize has been transferred to you. It is for your own good. And it is at that time alone that you can be used for advert purposes by our company. So the success of this transfer lies sorely in your hands. These are the exact words from the Director this morning.”

Regards,

Mrs.Wilson Burrows (ESQ)

(Registrar)

His Lordship, Justice Ivon Samuel (KBE) (Secretary)

Day 5: July 8, 2011

Originally I wrote to the Law Chambers telling them I did not have access to a Western Union for the purpose of seeing if they use other mediums to receive money. Surprisingly, at 1:47 p.m. Wilson and Co. Law Chambers emailed me. The e-mail said that they would grant me the privilege of using a direct deposit of the 250 pounds into their correspondents account in India. In the mail they asked me to confirm that I would use this method of payment, and that once confirmed, that they would furnish me with their correspondent’s account details. Interested, I confirmed. After my e-mail confirmation at 9:47 p.m. they emailed me the details of their correspondent in India.

Below are the details of the account that I was supposed to transfer the money into:

This is the account details you will deposit the money into:
Account Name: L. MOHAN SINGH
Bank name: HDFC BANK
Branch: DELHI
Account number: 0609190004391
Ifsc Code : HDFC0000609
Pan Card: DDMPS9075M

Day 6: July 11, 2011

I did not deposit the money (obviously) and I did not e-mail the bank or the Law Chambers, I did receive a mail from Wilson and Co. Law Chambers informing me that their reputable organization would not tolerate my laxity. Unfortunately, because I could not pay the fee to their correspondent and obtain the affidavit, I was unable to follow the scam any further. Despite this dead end I was curious to know if they would provide me with the phone number of their Indian correspondent. Thus, I wrote them a mail to humbly apologise for the delay. I further asked them to provide me with the correspondent’s phone number claiming that the bank was rejecting his profile due to security protocols.

Day 7: July 12, 2011

The Law Chambers responded, informing me that they did not wish to give the correspondents number. In their e-mail they made it quite clear that for online banking all that is needed is the IFSC code. Therefore, I had to stop here.

This is the extract of the mail they sent me when I asked for the phone number:

The Principal Attorney
Wilson and co Chambers
#18 Harms Road Manchester
L14JJ - London.
Supreme Solicitors, Principal Attorneys and Property Managers

Kind Attention: Client,
This Honorable Chambers is in receipt of your mail. It is very important for you to know that laxity will not be accepted anymore. For the online transfer of this payment, you do not need any phone number, all you need is the IFSC Code already supplied to you. Once more, the IFSC Code is HDFC0000609. That is all you need to make an online transfer.

While I stopped following the scam at this point, many people might have continued with the process without any knowledge of it being a scam. Thus, one should be very sceptical about individuals or organizations who ask for personal and banking information.

Conclusions

In my experiment with scam baiting, I realized that:

They introduced me to various parties to make this entire scheme look professional. I initially assumed that I would have to carry out the process with the Shell Petroleum Development Company alone.
In the beginning of the experiment I initially thought the scam was about taking my account number and hacking into it. During my experiment I realized that the scam was not designed to make money by emptying my bank account, but instead was designed to profit off of the various admission fees such as the Sworn Affidavit.
Due to the speed by which they were able to respond to my emails, I realized that they had pre-prepared fake documents – ready to send to anyone who emailed them regarding claiming the offered lottery prize.
Throughout all of our e-mail exchanges I noticed that the individuals behind the scam only used a G-mail account. Curious, I checked their IP address – hoping to find out more information and possibly track their location – but found that Google does not reveal senders IP address information (which is in fact a very good thing in terms of privacy protection!)

For a detailed understanding of different types of scams visit here.

For more details visit https://cis-india.org/internet-governance/blog/privacy/scam-baiting

The Walls Have Ears

praskrishna — 2011-07-06T06:26:25Z

The proposed Privacy Bill seems skewed towards the state rather than the citizen, writes Saikat Datta. This news was published in the Outlook magazine, issue, July 11, 2011.

Sometimes the best of intentions can camouflage the worst of motives. On the face of it, the government’s bid to bring in a privacy bill is a welcome move, a long-overdue measure. But after an initial approach paper prepared by lawyers and bureaucrats in November last year, the government went into a secretive huddle. Now a leaked April 19, 2011, version of the bill raises several disturbing questions.

"The idea behind it was to protect privacy but not short-circuit the current systems to combat terror."

K.M. Chandrashekhar, Ex-cabinet secretary

While recognising the need for privacy, the government has also slipped in several clauses that could severely restrict the freedom of the press if enacted in its current form. Worse, it could actually make journalists liable for prosecution as well as imprisonment up to five years. And if that was not bad enough, it does little or nothing to prevent the government from invading a citizen’s privacy. In fact, it will legitimise all forms of intrusion by the state and collection of a wide variety of data from individuals.

TV news channels could be the most affected by this. Sting operations could become a very risky thing in the future, with section four of the proposed bill saying that any form of filming/recording can be deemed as surveillance and anyone doing so without proper authorisation would be liable for prosecution. So if someone was to secretly catch on camera MPs accepting cash for posing questions in Parliament, or record a bureaucrat demanding bribes, chances are he/she will be doing time in jail.

While the proposed draft draws a distinction between data and personal information, it still leaves little room for journalists. For instance, if a reporter were to use "personal information" of an individual for an article without his/her written consent, it will amount to a civil offence and immediately attract a penalty of up to Rs. 1 lakh. If the journalists were to repeat the "offence" by publishing another story using the same material, the penalty goes up to Rs. 5 lakh. So, is the UPA government, under the scanner for a plethora of scams, trying to muzzle the media? It certainly seems so.

"The bill, in its current form, brings an element of pre-censorship that violates our right to speech. It’s disturbing."

Now when it comes to the government’s right to invade a citizen’s privacy, the proposed legislation offers little immunity. It will uphold all existing laws of phone-tapping, interception of communications, collection of statistics and personal data with impunity. "The proposed bill doesn’t change any system or structure of surveillance that are in place today," says Usha Ramanathan, a law researcher who has worked extensively on privacy issues. "Look at the Collection of Statistics Act passed by Parliament last year. You can be penalised for not sharing the information that the government seeks from you. This is very disturbing."

Usha Ramanathan, Law Researcher

Ramanathan’s discomfiture has its reasons. "In the past three years, the government has become far more intrusive than it ever was. All this is asserting the sovereignty of the state over the citizen when the Constitution says that the citizen is supreme. This bill, in its current form, also brings in an element of pre-censorship that violates our fundamental right to speech as well as several judgements of the Supreme Court that ruled against pre-censorship."

On the other hand, former cabinet secretary K.M. Chandrashekhar, a prime mover behind the bill during his tenure, feels that the security needs of the state warrant "lawful" intrusion by it. “The idea was to protect privacy but not short-circuit the current surveillance systems in place for combating terrorism."

"While we accept the primacy of public interest, we must be very, very careful about what is public interest."
Satyananda Mishra, CIC

As far as protecting privacy is concerned, of course all is not bad with the proposed bill. Prashant Iyengar, a researcher with the Centre for Internet and Society (CIS), a Bangalore-based NGO that has played a leading role in shaping the public discourse on this issue, is hopeful. "For the first time, this bill creates a strong liability for the government. This means that the government can be held liable and penalised for the violation of privacy. It also establishes a routine civil liability against the government for all its lapses in protecting the privacy of citizens... which is very good.” But Prashant also feels that the bill has a long way to go before it resolves some inherent contradictions. “The proposed Act must recognise the concept of public interest while it protects privacy. That is an element missing from the current discourse."

Satyananda Mishra, the chief information commissioner and a former secretary, DoPT, has a nuanced view of the proposed bill. He feels public interest must outweigh privacy in every case. "But while we accept the primacy of public interest, we must be very, very careful about what is public interest," he says.

Mishra, in many ways the country’s biggest trustee of transparency in public life today, suggests a few key modifications in the conditions in the proposed legislature. "We need to understand that after the enactment of the RTI Act, it has become incumbent upon us to have some form of inherent disclosure in all our public dealings. This will also safeguard our privacy from the government."

The relationship between citizen and government, says Mishra, is guided by a social contract. "People elect governments and trust them with their lives and liberty in the promise that the government will exercise its powers for their welfare. But there could be instances where the government breaks that promise. It could legitimately tap someone’s phone through legal means, but with malicious intent."

To prevent this, Mishra suggests a modification to the proposed Privacy Act. "Let there be disclosure of all such events, after a reasonable period of time, of any effort by the government to invade the privacy of citizens. For instance, if it needs to tap the phones of a person, then it must be disclosed after a period of time. After all, phones can be tapped legally only to protect the interests of the state. So it should either lead to a criminal prosecution or a disclosure after a reasonable amount of time has elapsed. That is the only way we will be able to curb the intrusive powers of the state and protect the privacy of citizens." Prashant of CIS agrees with Mishra’s suggestion. "In the United States, all wire-tapping laws have a clause for disclosure. This way, a citizen will know if his privacy has been violated lawfully or not."

Now if a reporter were to use "personal info" without consent, it will mean a civil offence, a penalty of Rs. 1 lakh.

While the government will take its time to introduce the bill in Parliament, it needs to be more transparent in its deliberations. Right now two ministries are working simultaneously on the same bill. While the ministry of law and justice under Veerappa Moily is busy shaping its draft, the ministry of personnel, training and public grievances under the prime minister is busy formulating its own version. While they work on it, what both ministries must recognise is that nothing is private about public policy.

Click here to see the story originally published by Outlook

For more details visit https://cis-india.org/news/walls-have-ears

Aadhaar’s moment of truth

praskrishna — 2011-07-05T07:16:58Z

It’s time for the unique identity project to answer tough questions it has dodged so far, writes MA Arun in the Deccan Herald.

On June 25, 2009, Prime Minister Manmohan Singh generated one of the biggest feel-good headlines of UPA2. He appointed former Infosys CEO Nandan Nilekani as Chairperson of Unique Identification Authority of India (UIDAI), which had been set up to assign a unique number to every resident of the country.

UIDAI – billed as the world’s largest e-governance project – presented a numbing technical challenge. Fingerprint and iris samples of one billion plus Indian residents had to be collected along with details of name, gender, birth date and address. A unique identity had to be assigned to each resident in return and then authenticate it online whenever called for.

Nilekani using his stature in the IT industry assembled a smart team of engineers, who could take the challenge head on. He also started tirelessly crisscrossing the country promoting the project and tying up with different government agencies and PSUs.

He addressed countless gatherings conveying a simple message: Indian growth has bypassed the poor and giving them legal identity was the first step in acknowledging their existence and making government services accessible.

In the last two years, there has been a little change in his script and in the response of the audience, which has by and large remained breathless and adulatory. There have been a few jarring notes. Once in a while he is accosted by individuals and organisations, who say the project takes away their privacy.

Most memorably, on January 7, 2011, Nilekani faced an uncharacteristically unruly audience at IISc, Bangalore, which demanded strong protection to privacy. People who attended the meeting found Nilekani evasive as protesting students waved placards outside the venue, urging him to go back.

But for the media, this reporter included, the dissenting opinion from possibly fringe protesters, sounded exaggerated, making too much of a small issue, debating an academic issue of little practical value.

Perhaps reflecting the larger prevailing sentiments on Aadhaar, Sujeet Pillai of Feecounter, says with the rise of social networking, privacy has already eroded. "We put more information on Facebook and Twitter than we share with Aadhaar. The benefits of the project outweigh the cost," he adds.

Many say it is only the middleclass which worries about privacy, while the poor would be more concerned about the benefits. Trying to address privacy concerns, Aadhaar officials have maintained they collect just basic details, enrollment is voluntary and information is encrypted. Your approval is required to authenticate your identity and while revealing who you are, the system just gives a yes or no response, they say.

Over the last year Aadhaar has picked up steam and observers, who expected the bureaucracy to resist, given its anti-corruption overtone, are mildly surprised. Various government departments are embracing it in competition. Several central ministries, state governments, PSUs have begun to tie their programmes to the Aadhaar number.

Aadhaar officials say they are on course to enroll 600 million by 2014 and by October this year they expect to start enrolling one million numbers a day. The pilot projects at Mysore, Tumkur and Hyderabad have already enrolled 85 per cent of the population and the project is ramping up to other districts and states.

Early last month the Cabinet Committee on Security in a seemingly unrelated move gave partial approval for a Home ministry project, National Intelligence Grid (Natgrid). The development alarmed the privacy advocates to again raise a cry over Aadhaar. Among other things, Natgrid, being run by an ex-army man, Capt Raghu Raman, reportedly seeks to integrate 21 databases - railways, airlines, stock exchanges, income tax, bank account details, credit card transactions, visa and immigration records, telecom service providers and chemical vendors.

Most of us reading this article appear in many these databases, which today are islands of information controlled by different government agencies. They cover different segments of the population and may overlap to some extent. Stitching together these disparate databases together would require a mammoth exercise to uniquely identify all Indian residents. That is precisely what Aadhaar, the missing link, is doing, say critics.

"If Aadhaar ever succeeds in assigning a unique number to all residents, it will take a maximum of two years to create a common Natgrid database. Using a terminal in his office, a cop would be able to watch whatever you do - travelling, talking, buying - in real time. The surveillance technology is pretty straightforward," says noted security expert and IIT Mumbai alumni, Dr Samir Kelekar of Teknotrends.

The system is being designed to catch terrorists and criminals, say Natgrid supporters. "But why subject the entire population to potentially the same level of surveillance," asks Sunil Abraham of Centre for Internet and Society.

Noted jurist Usha Ramanathan says since 2008 several measures such as the Collection of Statistics Act, The Information Technology Act, Aadhaar, National Grid have come about to collect information about people. “After 9/11 in the guise of homeland security USA expanded police powers. Something similar is happening in India after 26/11,” she says.

The claims of Aadhaar benefiting the poor is untested as there has been no feasibility study, she adds. "This is a security project masquerading as an anti-poverty project," says Abraham.

Aadhaar has eluded a debate so far on these issues, say critics. Ramanathan says she made three attempts in November 2009, July 2010 and February 2011 to engage Nilekani, Aadhaar Director General R S Sharma and few other project officials on the issue.

Dubious demands

A New Delhi-based Aadhaar government official, speaking on the condition of anonymity, said there was no discussion within the project on the potential risks it posed. "The main focus is in making a paradigm shift in governance and reaching out to the poor to ensure that the Rs 3,26,000 crore being spent on subsidy is not pilfered," he said.

But he went on to acknowledge that Aadhaar was like 'nuclear energy', which could be used to either make bombs or generate electricity. “It is for the media and civil society to apply pressure for the right safeguards," he said.

While the engineers and bureaucrats are steamrolling the project, the laws of the land and the promised safeguards are yet to catch up with it.

Indian judiciary has also given a free hand to the law enforcement authorities to conduct surveillance. According to the latest Google Transparency Report, Indian government officials made 67 requests to remove contentious items from various Google services between July to December 2010. Only 6 requests were backed by court orders and rest were demands made by police and other executive agencies.

Why is Nilekani who has emerged as the face of Aadhaar silent about the security dimension of the project, ask critics. After all, the Infosys credo is to ‘disclose when in doubt’, they point out. "Nilekani and team are good people without any evil intention. They have never lived in villages and believe that technology can solve any problem," says Abraham.

Ramanathan differs. "In 2009, I would have said he was unaware of the possible risks of Aadhaar. I will not attribute that innocence to him anymore. People in power tend to be blinded by it," she says.

"Their response has varied from ‘nobody else is asking these questions’, ‘have not come prepared to address these issues today’ and ‘we will get back to you’," she says.

Critics also accuse Aadhaar officials of presenting a misleading picture. Enrollment started as a voluntary exercise, but is now being made mandatory to get LPG cylinders. "They were supposed to collect only basic details, but Aadhaar enrollment forms now ask for email ids and phone numbers," Ramanathan said.

This news appeared in the Deccan Herald on 5 July 2011. The original post can be read here.

For more details visit https://cis-india.org/news/aadhaar-truth

Sorry Wrong Number

praskrishna — 2011-07-08T04:11:02Z

The government’s ambitious project to give a unique identification number to every Indian citizen is running woefully behind schedule. T.V. Jayan investigates the problems that beset the project. The news was published in the Telegraph on 3 July 2011.

It was supposed to be a smooth, if mammoth, operation — one where a 12-digit unique identification (UID) or aadhaar number would be provided to every Indian citizen within a specified time frame. Yet less than a year after Prime Minister Manmohan Singh and United Progressive Alliance chairperson Sonia Gandhi launched it with much fanfare in Maharashtra’s Nandurbar district, the ambitious project seems mired in problems.

In Nandurbar itself, the pace of implementation has been agonisingly slow. As against the enrolment target of 2.6 lakh people by June end, only 1.17 lakh people have been enrolled so far.

And Nandurbar is just one case in point. In most districts and states, the Unique Identification Authority of India (UIDAI), the body that is overseeing the project, is struggling to meet its target. Only three states have crossed the one million mark in providing aadhaar numbers to their citizens. Andhra Pradesh leads the pack with nearly 3.5 million UIDs, followed by Karnataka (1.82 million) and Maharashtra (1.6 million). The total enrolment, according to the UIDAI website, stands at 9.5 million as on June 27. The plan, though, is to provide aadhaar numbers to 600 million people by 2014 — a target that will surely remain way out of reach if the UIDAI continues with its current pace of work.

Forget the debate on whether or not the UID project will compromise a citizen’s right to privacy. Right now, the big issue facing it is that it’s beset with a host of operational problems. “There are issues at all levels — conceptual, technology, logistics and at the implementation stages. Unless we resolve them fast, there could be inordinate delays. The project could even be derailed,” says a senior manager at one of the biggest enrolment agencies empanelled with the UIDAI, on condition of anonymity.

The UID programme works something like this. The UIDAI has appointed a large number of registrars, which are either state or central government departments, or public sector banks and insurance companies. The registrars, in turn, have enlisted the services of private firms to enrol people and collect demographic and biometric data such as their finger prints, iris scans and so on. So far 209 firms have been enlisted as enrolment agencies (EAs). While most of them are information technology firms, stock broking companies, financial service companies and even printing presses have been commissioned to obtain the UID enrolment data.

Once the EAs collect the information, the data packets are sent to the respective registrar to be vetted and thence to the UIDAI’s Central Identities Data Repository (CIDR) in Bangalore. The CIDR checks the data packets for authenticity and makes sure that there has been no duplication of data — in case an individual has been enrolled more than once. When all the processes are cleared, a UID number is generated against the person’s name, which is delivered to him or her by post.

Incidentally, the government is yet to announce the cost of the entire project, although UIDAI director general Ram Sewak Sharma reveals that the cost of generating each aadhaar number would be about Rs 150.

What is also slowing down the project is the process of “de-duplication” of data. UIDAI technology head Srikanth Nadhamuni admits that the biometric service providers who help the CIDR check duplication in biometric records now take a couple of minutes to process a single data packet. As a result, right now the UIDAI can issue fewer than 50,000 aadhaar numbers a day. And yet, it plans to generate one million numbers daily by October this year. To achieve this target the UIDAI should be processing 11 data packets per second during a 24-hour cycle.

UIDAI director general Sharma feels that these are niggling problems that will soon be resolved. “Kindly understand that the world has not seen this scale of de-duplication thus far,” he exclaims. “The IT systems, both hardware and software, are continuously being tuned to scale up to these numbers.”

UIDAI’s chief technology architect Prashant Varma is also optimistic. “These things need not be done sequentially. If we have enough computing power it can be carried out in a parallel manner,” he says, adding that more hardware is on its way to streamline the de-duplication process.

But others hold out a much bleaker view. “The de-duplication algorithm will get slower and slower as the size of the database grows. The authority has also not been transparent about the de-duplication process,” says Sunil Abraham, executive director of the Centre for Internet and Society (CIS), Bangalore.

Enrolment agencies too say that the problem is far more serious than what the UIDAI admits. “Currently, they are processing data packets that we had sent in April,” says the state head of an EA working with the commissioner of civil supplies in Andhra Pradesh.

Again, the fact that the UIDAI is taking an inordinately long time to generate the aadhaar numbers — about three to four months from the time of data collection, in place of a month as originally planned — is creating its own complications. Thanks to the time lag, a citizen who is unsure of his UID status may go to another enrolment agency associated with yet another registrar. So his data is collected again and sent to the CIDR for registration once more. This leads to duplication of data and hence, further increases the de-duplication workload.

What’s more, it also hits the margins of enrolment agencies as the UIDAI pays only once for someone’s data. So any EA that unwittingly collects the personal data of a citizen the second time will not be paid for its pains.

In fact, the EAs are beginning to realise that the work is barely financially viable for them. Having procured the enrolment job through competitive bidding, they are now finding out that the rates are abysmally low. “If one EA quotes a low price, others are asked to match it if they want to work with the same registrar,” says an executive with an EA, who does not wish to reveal his or his agency’s name.

“For instance, a Noida-based firm, which bagged the tender for 200 enrolment stations to be set up in Hyderabad from the commissioner of civil supplies in Andhra Pradesh, had quoted a figure of Rs 23 per enrolment. We all knew this was a ridiculously low amount as an ideal per capita enrolment cost should be between Rs 30 and 35. But others working in the Hyderabad area had no choice but to quote a figure very close to it,” he says.

Then again, because enrolment agencies are paid only after their enrollees have received the UID numbers, and because these numbers are taking months to be generated, the EAs are not getting paid on time. “We are already working on tiny margins. So if the cash flow is tight, we find it difficult to pay salaries to people who work on the ground,” says an enrolment agency official.

Admittedly, while the profitability of an EA need not be the UIDAI’s concern, it certainly needs to check if enrolment is being affected because the EAs are cutting corners to stay within their budgets.

The EAs are also witnessing high attrition rates among enrolment operators. These operators, who have to clear a certification exam before they can enrol people, work for three or four months and leave if some other agency offers them more money, reveals Sudhanva Kimmane of Comat Technologies, a Bangalore-based EA. Since getting a new operator certified takes about 20 to 25 days, the deadline goes for a toss.

Sometimes, the unreasonable demands of state governments also lead to delays. Karnataka, for instance, has asked registrars working in the state to gather information on as many as 19 counts. “Filling out so many additional fields reduces the number of enrolments that an operator can complete in a day and thus makes our targets go awry,” says an EA working in Karnataka.

Experts feel that one of the biggest flaws of the UID project is that it was launched all across the country without trial runs in small areas. “Whether in the private sector or the public sector, if a new project is being undertaken, it is usually tested in a small area before being launched on a large scale,” says an IT expert who has been involved with launching e-governance programmes in Kerala. “This way you suss out the feasibility of the project. Also, it helps to resolve all possible problems that may be encountered during the full roll-out. Why didn’t they first test the UID programme in a district, and then in a state before taking it pan India,” he asks.

With so many problems bedevilling the project, many people are sceptical of its success. Asks R. Ramakumar, associate professor at the Tata Institute of Social Sciences, Mumbai, “Will the benefits accruing from the project justify the huge expenses involved?” He points out that a similar project in the UK — that aimed to create a National Identity Register — was scrapped by the government in December. The London School of Economics, which analysed the proposal, found that the cost could end up being 10 times more than what was envisaged. “If the technologies involved are so infallible, why did a few developed countries which tried to use them drop them eventually,” he asks.

Clearly, there are too many uncomfortable questions facing the UIDAI right now. It remains to be seen if it is merely experiencing teething troubles or if India’s zillion-rupee aadhaar number scheme will tie itself into knots even before it gets to the halfway mark.

GLITCHES GALORE

Slipping targets: Only three states have crossed the one million mark in providing aadhaar numbers to their citizens. Total enrolment stands at 9.5 million as on June 27. The goal is to provide aadhaar numbers to 600 million people by 2014.

Slow data crunching: Processing each data packet now takes a couple of minutes. To achieve the target of generating one million UID numbers daily by October this year, the UIDAI should be processing 11 data packets a second during a 24-hour cycle.

Devil is in duplication: Since the UIDAI is taking about three to four months to generate an aadhaar number, a citizen who is unsure of his UID status may go to another enrolment agency. So his data are collected again and sent to the CIDR for registration once more. This increases the de-duplication workload and slows down the entire process even more.

High attrition rates: Enrolment operators, who have to clear a certification exam before they can enrol people, work for three or four months and leave if some other agency offers them more money. Since getting a new operator certified takes about 20 to 25 days, the enrolment agency’s target goes for a toss.

Click here to read the original in the Telegraph

For more details visit https://cis-india.org/news/sorry-wrong-number

Privacy and Security Can Co-exist

sunil — 2012-03-21T09:05:57Z

The blanket surveillance the Centre seeks is not going to make India more secure, writes Sunil Abraham in this article published in Mail Today on June 21, 2011.

TODAY, the national discourse around the “ right to privacy” posits privacy as antithetical to security.

Nothing can be farther from the truth. Privacy is a necessary but not sufficient condition for security. A bank safe is safe only because the keys are held by a trusted few. No one else can access these keys or has the ability to duplicate them. The 2008 amendment of the IT Act and their associated rules notified April 2011 propose to eliminate whatever little privacy Indian netizens have had so far. Already as per the Internet Service Provider ( ISP) licence, citizens using encryption above 40- bit were expected to deposit the complete decryption key with the Ministry of Communications and Information Technology. This is as intelligent as citizens of a neighbourhood making duplicates of the keys to their homes and handing them over at the local police station.

Surveillance

Surveillance in any society is like salt in cooking — essential in small quantities but completely counter- productive even slightly in excess. Blanket surveillance makes privacy extinct, it compromises anonymity, essential ingredients for democratic governance, free media, arts and culture, and, most importantly, commerce and enterprise. The Telegraph Act only allowed for blanket surveillance as the rarest of the rare exception. The IT Act, on the other hand, mandates multitiered blanket surveillance of all lawabiding citizens and enterprises.

When your mother visits the local cybercafe to conduct an e- commerce transaction, at the very minimum there are two levels of blanket surveillance. According to the cyber- cafe rules, all her transaction logs will be captured and stored by the operator for a period of one year. This gentleman would also have access to her ID document and photograph. The ISPs would also store her logs for two years to be in compliance with the ISP licence ( even though none of them publish a data- retention policy). Some e- commerce website, to avoid liability, will under the Intermediary Due Diligence rules also retain logs.

Data retention at the cyber- cafe, by the ISP and also by the application service provider does not necessarily make Indian cyberspace more secure. On the contrary, redundant storage of sensitive personal information only opens up multiple points of failure and leaks — in the age of Nira Radia and Amar Singh no sensible bank would accept such intrusion into their core business processes.

Surveillance capabilities are not a necessary feature of information systems.

They have to be engineered into these systems. Once these features exist they could potentially serve both the legally authorised official and undesirable elements.

Terrorists, cyber- warriors and criminals will all find systems with surveillance capabilities easier to compromise.

In other words, surveillance compromises security at the level of system design. There were no Internet or phone lines in the Bin Laden compound — he was depending on a store and forward arrangement based on USB drives. Do we really think that registration of all USB drives, monitoring of their usage and the provision of back doors to these USBs via a master key would have led the investigators to him earlier?

Myth

Increase in security levels is not directly proportional to an increase in levels of surveillance gear. This is only a myth perpetuated by vendors of surveillance software and hardware via the business press. You wouldn't ask the vendors of Xray machines how many you should purchase for an airport, would you? An airport airport with 2,000 X- ray machines is not more secure than one with 20. But in the age of UID and NATGRID, this myth has been the best route for reaching salestargets using tax- payers’ money.

Surveillance must be intelligent, informed by evidence and guided by a scientific method. Has the ban on public WiFi and the current ID requirements at cyber- cafes led to the arrest of terrorists or criminals in India? Where is the evidence that more resource hungry blanket surveillance is going to provide a return on the investment? Unnecessary surveillance is counter- productive and distracts the security agenda with irrelevance.

Finally, there is the question of perception management. Perceptions of security do not only depend on reality but on personal and popular sentiment. There are two possible configurations for information systems — one, where the fundamental organising principle is trust and second, where the principle is suspicion.

Systems based on suspicion usually give rise to criminal and corrupt behaviour.

Perception

If the state were to repeatedly accuse its law- abiding citizens of being terrorists and criminals it might end up provoking them into living up to these unfortunate expectations. If citizens realise that every moment of their digital lives is being monitored by multiple private and government bodies, they will begin to use anonymisation and encryption technology round the clock even when it is not really necessary. Ordinary citizens will be forced to visit the darker and nastier corners of the Internet just to download encryption tools and other privacy enabling software. Like prohibition this will only result in further insecurity and break- down of the rule of law.

The writer is executive director of the Bangalore- based Centre for Internet and Society.

Read the original published in Mail Today here

For more details visit https://cis-india.org/internet-governance/blog/privacy-and-security

Copyright Enforcement and Privacy in India

Prashant Iyengar — 2012-12-14T10:27:12Z

Copyright can function contradictorily, as both the vehicle for the preservation of privacy as well as its abuse, writes Prashant Iyengar. The research examines the various ways in which privacy has been implicated in the shifting terrain of copyright enforcement in India and concludes by examining the notion of the private that emerges from a tapestry view of the relevant sections of Copyright Act.

Introduction

Copyright can function contradictorily, as both the vehicle for the preservation of privacy as well as its abuse. This paper examines the various ways in which privacy has been implicated in the shifting terrain of copyright enforcement in India. Chiefly, there are three kinds of situations that we will be discussing here: The first is straightforward and deals with the physical privacy intrusion caused by the execution of search and seizure orders during the investigation of infringement. The second situation involves the violation of privacy through the misappropriation of confidential information. The last situation involves the wrongful appropriation of a person’s persona or their ‘publicity’ – the photographs of celebrities, for instance – for private gain. Instances of each of these situations, and the manner in which the courts have negotiated the privacy claims that have arisen are described in the sections that follow. In addition, Copyright law, dealing as it does mainly with offences of the nature of unauthorised publicity/publication putatively inscribes certain spaces and activities as either public or private. The concluding section of this paper examines the notion of the private that emerges from a tapestry view of various sections of the Copyright Act.

Copyright Enforcement

Context setting

Over the past several decades there has been an increasing awareness globally – and within India – of the importance of 'knowledge societies' which, in contrast to earlier industrial or agrarian societies, leverage 'information' as the key raw material and output of a range of productive activity. As one UNESCO Report puts it "Knowledge is today recognized as the object of huge economic, political and cultural stakes"[1].

In this new paradigm, investment in Information and Communications Technology (ICT), the enactment of strong Intellectual Property laws, and their strict enforcement are prescribed as imperative in facilitating the transition away from the older economic modes. The promise of the knowledge society is particularly alluring for developing countries, like India, where it is viewed as a vehicle for achieving what Ravi Sundaram has termed 'temporally-accelerative' development[2], through which we would be able to transcend our "historical disabilities", and achieve parity with the incumbent masters of the world. [3]

In their eagerness to provide the best supportive conditions to usher in this coveted knowledge society, nations have been tightening their Intellectual Property regimes – including copyright law. This has entailed a two fold expansion, firstly, in the scope of copyright to include, for instance, ‘technological protection measures’ within their ambit and secondly, in the powers of investigation, search and seizure put at the disposal enforcement agencies. In addition, as we shall see, courts in India have enthusiastically bought into this vision of a knowledge economy, and this has fuelled their eagerness to craft innovative – if legally unsound – orders which put tremendously intrusive powers in the hands of copyright owners. Taken together, these developments have taken their toll on the privacy of individuals which this section will explore in further detail. We begin with a brief description of the statutory mechanism for copyright enforcement – both civil and criminal - under the Copyright Act. We then move on to the way courts have crafted new orders that magnify the powers of copyright owners to the detriment of the privacy of individuals.

Civil and Criminal Enforcement under the Copyright Act

The Copyright Act provides for both civil and criminal remedies for infringement. Section 55 provides for civil remedies and declares that, upon infringement, "the owner of the copyright shall be entitled to all such remedies by way of injunction, damages, accounts and otherwise as are or may be conferred by law for the infringement of a right." Civil suits are instituted at the appropriate district court having jurisdiction – including where the plaintiff resides.

Similarly, Chapter XIII (Sections 63-70) provides a range of criminal penalties for infringing copyrights which are typically punishable with terms of imprisonment that “may extend up to three years” along with a fine. These offences would be taken cognizance of and tried at the court of the Metropolitan Magistrate or Judicial Magistrate of the First class [Sec 70], in the same manner as all cognizable offences[4] in India i.e., by following the procedures under the Code of Criminal Procedure, 1973. Section 64 of the Copyright Act dealing with police powers was amended in 1984 to give plenary powers to police officers, of the rank of a sub-inspector and above, to seize without warrant all infringing copies of works “if he is satisfied” that an offence of infringement under section 63, “has been, is being, or is likely to be, committed”. Prior to amendment, this power could only be exercised by a police officer when the matter had already been taken cognizance of by a Magistrate. Prima facie, this is a very sweeping power since its exercise is unsupervised by the judiciary and only depends on the “satisfaction” of a police officer. To put matters in perspective, under the Income Tax Act, dealing with the far more sensitive issue of tax evasion, a search and seizure can only be conducted based on information already in the possession of the investigating authority.[5]

In Girish Gandhi & Ors. v Union of India[6], a case before the Rajasthan High Court, the petitioner, who ran a video cassette rental business, challenged the constitutional validity of the wide powers granted to police officers under this section. Citing various instances of violations of privacy that the abuse of the section could occasion, the petitioner contended:

"The provisions of section 64 itself gives arbitrary and naked powers without any guidelines to the police officer to seize any material from the shop and thus, drag the video owners to the litigation. He has given instances in the petition that police officer usually demands for video cassettes to be given to them free of charge for viewing it at their homes and in case, on any reason either the video cassette is not available or it is not given free of charge, there is likelihood that police officer shall misuse his powers and try to seize the material for prosecution under the various provisions of the Act."

Although the High Court dismissed the petition on the grounds that it did not disclose any actual injury to the petitioner, it upheld the constitutionality of the section by reading the word "satisfaction" to mean that the "police officer will not act until and unless he has got some type of information on which information he is satisfied and his satisfaction shall be objective."

[Section 64] is also not arbitrary for the reason that guidelines and safeguards are provided under Sections 51, 52 and 52A and Section 64(2) of the Copyright Act, coupled with the fact that it is expected of the police officer that he would not act arbitrarily and his satisfaction shall always based on some material or knowledge and he shall only proceed for action under Section 64 in a bona fide manner and not for making a roving inquiry. (emphasis added)

Despite the pious hopes expressed in this decision, they do not appear to have influenced the actual behaviour of police officers. In May 2011, the Delhi High Court struck down a notification issued by the Commissioner of Police which had instructed all subordinate functionaries of the police to "attend to and provide assistance" whenever any complaint "in respect of violation of the provisions of Copyright Act, 1957" was received from three companies: Super Cassettes Industries Limited, Phonographic Performance Ltd and Indian Performance Right Society Ltd. This virtually amounted to the commandeering of the criminal enforcement system by a few private owners for their own private interests. In their suit, the petitioner — Event and Entertainment Management Association — had contended that the police machinery "cannot be made to act at the behest of certain privileged copyright owners". Striking the notification down, as unconstitutional, Justice Muralidhar of the Delhi High Court held:

"To the extent the impugned circular privileges the complaints from SCIL over other complaints from owners of copyright it is unsustainable in law for the simple reason that there has to be equal protection of the law in terms of Article 14 of the Constitution. The police are not expected to act differently depending on who the complainant is. All complaints under the Act require the same seriousness of response and the promptitude with which the police will take action, Likewise, the caution that the Police is required to exercise by making a preliminary inquiry and satisfying itself that prima facie there is an infringement of copyright will be no different as regards the complaints or information received under the Act[7]."

The Judge also issued some welcome remarks on the manner in which complaints under Section 64 were to be handled:

In order that the power to seize in terms of Section 64 of the Act is not exercised in an arbitrary and whimsical manner, it has to be hedged in with certain implied safeguards that constitute a check on such power. Consequently, prior to exercising the power of seizure under Section 64(1) of the Act the Police officer concerned has to necessarily be prima facie satisfied that there is an infringement of copyright in the manner complained of. In other words, merely on the receipt of the information or a complaint from the owner of a copyright about the infringement of the copyrighted work, the Police is not expected to straightway effect seizure. Section 52 of the Act enables the person against whom such complaint is made to show that one or more of the circumstances outlined in that provision exists and that therefore there is no infringement. During the preliminary inquiry by the Police, if such a defence is taken by the person against whom the complaint is made it will be incumbent on the Police to prima facie be satisfied that such defence is untenable before proceeding further with the seizure.(emphasis added)[8]

This decision significantly tempers the severity of possible searches and seizures conducted by the police under Copyright Law. It advances the cause of privacy by reining in the power of the state to arbitrarily intrude on citizens.

Parallel to the attempt at ‘hedging in’ of police powers in criminal enforcement by this High court, there has been a move to expand powers of investigative bodies in civil suits. The next sub-section looks at two innovations by courts – Anton Piller Orders and John Doe orders – which are mechanisms unwarranted by civil procedural law, but crafted by high courts specifically to deal with copyright investigation.

'Anton Piller' orders and 'John Doe' Orders

In addition to the extensive police powers under the Copyright Act mentioned above, plaintiffs have other, equally intrusive powers at their disposal. In the past decade it has become common for copyright owners and owners-associations to employ civil procedure to emulate the same kind of invasiveness. This is done via the mechanism of so-called ‘Anton Piller’ orders - orders obtained unilaterally ‘ex-parte’ (in the absence of the defendant) from civil courts which permit court-appointed officers, accompanied by representatives of the plaintiffs themselves, to search premises and seize evidence without prior warning to the defendant. Frequently, courts have also issued ‘John Doe’ orders[9] –orders to search and seize against unnamed/unknown defendants - which virtually translates into untrammelled powers in the hands of the plaintiffs, aided by court-appointed local commissioners, to raid any premises they set their eyes on.

Although the authority of the courts under Indian law to grant these orders is suspect[10], they have virtually been regularized in practice over the past decade through routine issual by the High Courts, especially the Delhi High Court. This has led to a widespread phenomenon of powerful copyright owning groups such as the Business Software Alliance and the Indian Performing Right Society Limited managing to successfully assume for themselves almost plenary powers of search and seizure as they go about knocking on the doors of small businesses and demanding to be allowed to audit their software. An anonymous post on the popular Indian Intellectual Property Weblog ‘Spicy IP’ graphically conveys the invasiveness inherent in the execution of these orders:

Ghost Post on IP (Software) Raids: Court Sponsored Extortion?[11]

Picture this:

You are working in your office one day, when all of a sudden, a group of people arrive unannounced brandishing a court order. The order allows them to walk into your office and conduct an audit of all your office computers to collect evidence of the use of unlicensed software in your office.

This group consists of a court-appointed commissioner, lawyers representing the plaintiff, and technical persons who will carry out the actual software audit.

Knowing that to disobey the order will amount to a contempt of court, you allow the group to carry out the audit.

The audit lasts several hours and continues well into the night. Needless to say, it is physically and emotionally draining on you as your work has come to a stand-still. Everyone around you knows there is some court proceeding going on. You have already lost face with your employees, and possibly even clients who have visited your office during the audit.

As you have several dozen computers purchased over a period of time, and the audit is conducted unannounced, you may not have the time to gather documentation and invoices demonstrating the purchase of licensed software.

While the court order allows you to back up your valuable client and business data, the plaintiff’s lawyers don’t allow you to do so, stating that documents/ data found on machines that contain any unlicensed software may not be backed up.

All computers found with copies of what the plaintiff’s lawyers are calling unlicensed software are seized and sealed. You do not have the time, presence of mind or legal representation to argue that such copies may be backup copies allowed under the law, or that therefore several, or all of the seized machines are not liable to be seized, or that such copies are actually allowed under the software license.

Even more importantly, your licensed servers are seized because they are found to contain back-up copies of software, allowed under the law, but deemed infringing by the plaintiff’s lawyers.

At the end of the audit, you are informed that your computers contain copies of unlicensed software to varying degrees. You are made to sign a report prepared by the commissioner, along with sheets that represent the software audit of each computer in your office.

Most of your computers and servers are seized and sealed. You are told that you cannot touch them till the court allows you to. You are not even allowed to separate the hard drives of those machines that contain the alleged unlicensed software, for the purpose of seizure, so as to enable you to continue using the rest of the machine, even though the court order clearly states that only storage media containing the unlicensed software is to be seized.

In a 2008 case, Autodesk Inc vs. AVT Shankardass[12], the Delhi High Court – which happens to be the most enthusiastic issuer of Anton Piller orders[13] –issued guidelines on the considerations which judges should weigh before granting such orders in software piracy cases. Worryingly, the guidelines stipulate that "The test of reasonable and credible information regarding the existence of pirated software or incriminating evidence should not be subjected to strict proof". Instead the court prescribes that "It has to be tested on the touchstone of pragmatism and the natural and normal course of conduct and practice in trade."

The Court also included a few guidelines meant to safeguard the defendant. These include the possibility of requiring the plaintiff to deposit costs in the court "so that in case pirated software or incriminating evidence is not found then the defendant can be suitably compensated for the obtrusion in his work or privacy." Although on the face of it, these guidelines threatened to open up the floodgates for the granting of Anton Pillar orders, in fact, these fears seem not to have been realized. The privacy-invasive ambitions of IP owners have been subverted by a combination of the security requirements stipulated in the Autodesk guidelines above, the judiciary’s own inefficiency/inconsistency and a greater assertiveness and defiance on the part of defendants. The following passage from the 2011 Special 301 India Country Report on Copyright Protection and Enforcement[14], prepared by the IIPA, records the industry’s frustrations in obtaining Anton Pillar orders from the courts over the past year:

Unfortunately, in 2010, such enforcement efforts have become much less effective due to judges imposing conditions on such orders.

With periodic changes to the roster of judges on the Original Side Jurisdiction of the Delhi High Court (which is done as a matter of routine and procedure where the roster changes every 6 months), BSA reports: 1) the imposition of security costs on Plaintiffs; 2) the grant of local commission orders without orders to seize and seal computer systems containing pirated/unlicensed software; 3) granting the right to Defendants to obtain back up copies of their proprietary data while at the same time ensuring that the evidence of infringement is preserved in electronic form; 4) assigning a low number of technical experts for large inspections, making carrying out orders more time-consuming and raising court commissioners’ fees; and 5) ineffective implementation and lack of deterrence from contempt proceedings against defendants who disrupt or defy Anton Pillar orders.[15]

Notwithstanding this temporary setback, Anton Piller orders and John Doe orders remain powerful weapons in the arsenal of large copyright owners who continue to use it in ways that are extremely intrusive. These orders exemplify an instance of how courts rarely reflect on the privacy implications of the orders that they themselves issue –similar action undertaken by the executive would have most likely invited the court’s consideration on whether they violate privacy.

In the next section we move on to private ‘technological’ measures of enforcing copyright which are likely to receive statutory sanction.

Technological Measures

In the light of the industry’s perception of a weakening of its enforcement options due to the judiciary’s waning enthusiasm, it remains to be seen what new manoeuvres they would make to strengthen enforcement. One foreseeable arena of conflict would be the new measures proposed to be included in the Copyright Act that criminalise the circumvention of ‘technological protection measures’ (TPMs) built into software by manufacturers. The proposed new Section 65A criminalises the circumvention of “an effective technological measure applied for the purpose of protecting any of the rights conferred by this Act," "with the intention of infringing such rights”. This is punishable with imprisonment up to two years and a fine. However the section also creates a vast list of exceptions including research, testing, national security etc which make it a comparatively soft tool in the hands of prosecutors. Among the list of exceptions is a clause that enables the circumvention of TPMs in order to facilitate purposes that are 'not expressly prohibited' – including, conceivably, to exercise fair dealing rights under Section 52. Although this is a welcome provision, it requires, as a condition of its exercise, that the person ‘facilitating the circumvention’ maintain a record of the persons for whose benefit this has been done. This has led to apprehensions of violations of privacy especially from disability rights groups, who would potentially be the biggest users of this section as it would enable them to make electronic content more widely accessible. However, the lawful exercise of this right would mean that each instance of use of electronic content – say an e-book – by a disabled person would be recorded, which could deter them from accessing content. It would also clearly amount to a violation of their privacy compared to other analog users who are not required to similarly maintain logs each time they share books, for instance.

On the whole, despite the effect these measures have of diminishing absolute control over our electronic resources, the fact that the IIPA - which has been one the most rapid ‘defenders’ of IP - has consistently complained about their inadequacy in its Special 301 Reports[16] gives us some cause for optimism that the privacy invasions it could occasion would not be too severe.

Meanwhile, in a first of its kind, in 2005 the High Court of Andhra Pradesh permitted the prosecution, under the Copyright Act, of persons accused of having circumvented technological protection measures in mobile devices.

In Syed Asifuddin and Ors. v The State of Andhra Pradesh [17] the accused had altered the software on the mobile handsets provided by one service provider (Reliance), so that the same handset could be used to access the network of a rival provider (Tata Indicom). The Court observed that "if a person alters computer programme of another person or another computer company, the same would be infringement of the copyright." The matter was then relegated to the trial court to receive evidence on whether in fact such alteration had occurred.

This ruling, if correct, effectively negates the need for any amendment to the law since circumvention of technological measures typically involves an unauthorized alteration of copyrighted code. Of course it would always be open to the defendant to assert his fair dealing rights in defence, but that issue was not deliberated upon by the High Court in this instance.

Portents

With the terrain of copyright infringement increasingly shifting from ‘street piracy’ to online piracy, it remains to be seen how innovations in copyright enforcement impact privacy. Three events are particularly interesting in this context.

In August 2007, a techie from Bangalore was arrested on charges of having posted incendiary images of a popular folk hero on a website. He had been traced based on the IP Address details provided by a leading ISP. It later turned out that the IP address information was incorrect. By the time the error was noticed, he had already been held in jail illegally for a period of 50 days.[19] Shocking as this incident is, it offers a portent of the gravity of the possible privacy abuses that we are likely to witness in the years to come as copyright owners begin to hunt down infringers on the Internet.
In 2006, the Delhi High Court the pioneer among the Indian Judiciary in issuing John Doe orders added another feather to its cap by permitting the filing of a suit against an IP address. In a case of defamation by email from an unknown sender, a company was able to successfully file a suit against the IP address and obtain an order against the ISP to track down the user who was later impleaded as a party to the suit. This case and the growing number of John Doe orders issued, indicates that the judiciary in India has been quite willing to partner with litigants in their fishing expeditions. While it cannot be gainsaid that this has aided the legitimate interests of litigants, this has come at the price of a callous disregard for the interests of consumer privacy in India, which, as the incident described above highlights, could easily descend into a full blown human rights violation.
With the arrest in November 2010 of a four-member gang from Hyderabad for uploading media content – including popular film titles - on Bittorrent, the popular online file sharing tool, the industry has signalled its capacity and willingness to take the battle over copyright to the Internet.[20] New rules notified under the Information Technology Act make it mandatory for 'intermediaries' (ISPs) to co-operate in locating and removing ‘infringing content’ that is stored or transmitted by them.[21] This will facilitate untrammelled access to users by copyright industries.

Although it is too early to predict the future for the Internet that these developments will result in, they are definitely a source of apprehension from the perspective of privacy.

Copyright and Confidential Information

Although the protection of 'confidential information' and 'copyright' occupy distinct realms in the law[22], they converge occasionally, and copyright has been used as an instrument by people and organisations to protect their confidential information. In fact it has become quite routine for written pleadings by plaintiffs in cases to assert the omnibus infringement of their ‘copyrights, confidential information, trade secrets, trademarks designs etc’ without specifying which of the claims is urged. For instance in Mr. M. Sivasamy v M/S. Vestergaard Frandsen[23] a case before the Delhi High Court, the plaintiffs claimed that. "Defendants are violating the trade secrets, confidential information and copyrights of the plaintiffs.”; Similarly in Dietrich Engineering Consultant v Schist India & Ors , before the Bombay High Court, the plaintiffs contended"..the suit is filed to prevent unauthorized and illegal use of the plaintiffs confidential information and infringement of the 1st plaintiffs Copyright".[24]

In one of the earliest cases of this kind, Zee Telefilms Ltd. v Sundial Communications Pvt. Ltd, the Bombay High Court delivered a ruling in favour of the plaintiffs on both grounds of copyright infringement and confidential information. Here the employees of the plaintiffs – a company engaged in the business of producing television serials - had developed the concept for a program which they had registered with the Film Writers Association. Subsequently, they made a confidential pitch of the concept to the representatives of the defendants, a well known TV channel. Although initially the defendants appeared reluctant to take the concept forward, they proceeded later on, without the authorization of the plaintiffs, to produce a TV serial that closely mirrored the ideas contained in the show conceived by the plaintiff. In an action seeking to restrain the defendants from proceeding with their production, the High Court agreed with the plaintiff’s claims both on the count of copyright infringement and confidentiality. Curiously, the determination of both issues turned on the similarities between the plaintiff’s and defendant’s concepts – which is traditionally a determination relevant only to copyright cases. On the issue of confidentiality, the court held "Keeping in view numerous striking similarities in two works and in the light of the material produced on record, it is impossible to accept that the similarities in two works were mere coincidence...the plaintiffs' business prospect and their goodwill would seriously suffer if the confidential information of this kind was allowed to be used against them in competition with them by the defendants."

Although a clear line is demarcated between the claims of confidentiality and copyright in this case, this distinction is less sharp in other cases of the same nature.

In a more recent case Diljeet Titus, Advocate v Mr. Alfred A. Adebare & Ors[25] four associates of the plaintiff’s law firm quit together to start their own practice. While leaving they took documents they had drafted including agreements, due diligence reports and a list of clients along with them. The plaintiff filed a suit for injunction, asserting both that this material was confidential and that he owned the copyrights over them. The Delhi High Court agreed and issued an injunction restraining the defendants from “utilizing the material of the plaintiff forming subject matter of the suit and from disseminating or otherwise exploiting the same including the data for their own benefit.” What is interesting in this case is the conflation of confidentiality and copyright – both in the allegations of the plaintiff and the rebuttals of the defendant who sought to resist claims of confidentialty on grounds that they had themselves authored the papers in question.

Curiously, where copyright and confidentiality claims coincide, it would appear that the parameters of determining copyright infringement end up determining the issue of confidentiality as well.

In the next section we move on to the last copyright/privacy issue that we had flagged in the introduction – the invocation of copyright in aid of the ‘right to publicity’ of individuals which can be read as a kind of privacy claim.

Copyright and Publicity

Do we have a copyright over our identities – our names, our appearances, our life histories, our reputation and our bodies - so that we have an actionable interest in preventing their deployment in public without our express authorization?

This question has arisen in a limited set of cases in India that raise interesting questions. As with the confidentiality cases discussed above, the lines separating ‘defamation’ actions from ‘copyright’ claims is not brightly drawn in these cases. Neither is the line linking copyright to the protection of privacy clearly evident. All one can say with confidence is that copyright and privacy are two words tossed into the plaints by the plaintiffs while asserting their claims.

In one of the most high-profile cases of its kind, Phoolan Devi v Shekhar Kapoor[26] the Delhi High Court was faced with the question of whether ‘public figures’ are entitled to any degree of control over the representation of their lives. Here the petitioner, Phoolan Devi, a reformed bandit, had 'licensed'[27] the production of a biopic on her life to the defendant, a film director of note, who was to consult the plaintiff’s own writings and those of her authorised biographer in making the film. However, the defendant – the director of the biopic – had exceeded this mandate and also depicted incidents that emerged from various newspaper accounts – including a graphic gang rape scene where the plaintiff was the victim, and a massacre which she had allegedly orchestrated. Although generally well-known, neither of these incidents were either admitted to by the plaintiff herself or mentioned in the plaintiff’s own writings and those of her biographer. Even worse, the film had not been shown to her even several months after it had been released to national and international audiences.[28] In Arundhati Roy’s moving words the producers of the film “[R]e-invent her life. Her loves. Her rapes. They implicate her in the murder of twenty-two men that she denies having committed. Then they try to slither out of showing her the film!”[29]

One of the contentions that the petitioner’s advocate had advanced was that the defendant had no right “to mutilate or distort the facts as based upon prison diaries” and that any such distortion would fall afoul of her right under Sec 57 of the Indian Copyright Act. This section confers certain ‘special rights’ on the author including the right to claim authorship and to restrain any distortion/mutilation or modification of the work that would be prejudicial to his/her honour or reputation.[30]

These rights survive any assignment of the copyright made by the author i.e. they can e asserted by the author above any contract entered into by her with third parties such as the producer in this case. The Court framed the question it was faced with in these terms:

[T]he question before me is whether such person like the plaintiff has no right to defend when someone enlarges the terrible facts, enters the realm of her private life, depicts in graphic details rape, sexual intercourse, exhibits nudity, portrays the living person which brings shame, humiliation and memories of events which haunts and will go on haunting the plaintiff, more so the person is still living. Whether the plaintiff has no right and her life can become an excuse for film makers and audience to participate in an exercise of legitimate violence with putting all inhibitions aside.

Ultimately, the High Court sided with the petitioner and issued an injunction restraining the defendant from exhibiting his film.[31] This decision was based more on a consideration of constitutional right to privacy principles than an evaluation of the plaintiff’s case under Copyright law. However, it does provide an interesting factual matrix for the exploration of the way in which protection of copyright and privacy might overlap.

In a contrasting case before the Bombay High Court, Manisha Koirala v Shashilal Nair & Ors [32] an injunction was sought against the release of a film in which the petitioner, a noted actress, was depicted in the nude through the device of a ‘body double’. Here the plot was entirely fictional and the plaintiff, a noted actress, had agreed to perform in the film with ‘substituted shots’ during the scenes in the story that involved nudity. Subsequently, she appears to have reconsidered this decision and objected to the very inclusion of these scenes in its final version. In her petition before the court, she alleged defamation and malicious injurious falsehood, arguing that the exhibition of the film would result in a violation her right to privacy "as the objectionable shots, attempt to expose the body of a female which is suggested to be that of the plaintiff". She contended that “the right to portray her on screen can only be exercised in a manner, which is subject to the fundamental principle that such portrayal can only be with her unconditional consent." "The present rendition" of her part in the film, she alleged was “an invasion of privacy as it is embarrassing and will cause irreparable damage to her reputation which remains untarnished thereby causing irreparable loss and injury”. Although Copyright is not invoked in this case by the petitioner, there is an audible echo of some of the reputational anxieties that had animated Phoolan Devi’s case mentioned above. The difference, however, is that in this case the petitioner’s claim was not grounded in a quest for control over her biography, but over the image of her body. Unlike the previous case, here the Court was unsympathetic to the petitioner’s claims. The court treated her previous ‘consents’ as determinative of all issues and dismissed her case holding:

"The Court ...cannot be a moral guardian in this context. ..It is.. clear to my mind that once having agreed to act in the film it will be too late for the plaintiff .. to hold that a case of defamation has been made out.. To maintain a case of malicious falsehood it must be held out that the statement was false. In the instant case what is sought to be contended is that the scenes involving the film artist would result in an action of malicious injurious falsehood or malicious falsehood by associating the plaintiff's with the scenes which she had not enacted.. The plaintiff was prima facie aware as earlier held and that the scenes formed part of the story board have been enacted by a double and consequently it cannot be said that in the present case the plaintiff has been able to establish a case of malicious falsehood."[33]

One of the facts that was relevant in the court’s decision was that the defendant, as the ‘holder of the copyright in the film’, had incurred vast expenditure in publicising its release. Here, in a reversal of the Phoolan Devi case, copyright is held up as a shield against a competing privacy claim. The issue of the extent of overlap between copyright and privacy however remains unsettled in law. In April 2007, the Madras High Court granted a temporary injunction against the publishers of an unauthorised biography of former Tamil Nadu Chief Minister Jayalalitha. In her petition she alleged that the biography “had been written without any verification of facts. Such a publication would spoil her image and damage her status in politics and public life.” Her petition contended that “No one has a right to publish anything concerning personal private matters without consent, whether truthful or otherwise, whether laudatory or critical.[34]

Although it does not reference Copyright law, this case is another illustration of the enduring relevance of the question of whether we are entitled to the exclusive authorship of our private life-stories.

The Private under the Copyright Act

In its various sections, the Copyright Act inscribes certain spaces and actions as either public or private. Specified activities are labelled public even though they are conducted within the domestic confines of one’s home. Similarly, activities that infringe copyright are nevertheless immunised from prosecution due to the fact that they are conducted for a ‘private’ purpose. In this concluding section of this paper, we try to piece together a narrative of privacy and the private domain that emerges from a combined reading of various sections and decisions under the Copyright Act.

We begin, here, by collating the Copyright Act’s various articulations of the ‘public’ and ‘private’. By treating them as intertwining, mutually constitutive terms, we proceed to analyse these various articulations in the Copyright Act with a view to seeing what account of the private realm may emerge.

Public/Publish

One of the key rights that most owners of copyrights enjoy is the exclusive right to "publish" or "communicate their work to the public".

The Act defines "publication" to mean “making a work available to the public by issue of copies or by communicating the work to the public”. Significantly, in case of dispute, if the issue of copies or communication to the public is “of an insignificant nature” it is deemed not to constitute a publication [Section 6]. This signals that the notions of publicity and publication under the Copyright Act are in some senses moored to the magnitude of the receiving public. The ‘private’ then is constituted, reciprocally, as the ‘insignificant public’.

Under the Indian Copyright Act, "communication to the public" occurs when a person makes any work “available for being seen or heard or otherwise enjoyed by the public directly or by any means of display or diffusion other than by issuing copies of such work”. Such communication occurs “regardless of whether any member of the public actually sees, hears or otherwise enjoys the work so made available.”[Section 2(ff)][35]

Private

The word ‘private’ is expressly referenced in four provisions of the Copyright Act.

Section 39 declares that “the making of any sound recording or visual recording for the private use of the person making such recording, or solely for purposes of bona fide teaching or research” would not violate the broadcast reproduction right or performer's right;
Section 51 which stipulates when copyrights are infringed declares that the “imports into India, any infringing copies of the work” would constitute an infringement except if it is only a single copy of any work that is imported “for the private and domestic use of the importer”.
Section 52(1) of the Copyright Act lists certain acts as not infringing of copyright. These include:

(a) a fair dealing with a literary, dramatic, musical or artistic work, not being a computer programme, for the purposes of private use, including research. A proposed amendment to this section seeks to extend this protection to all ‘personal’ uses in addition to ‘private uses including research[36]. ‘Personal use’ has been interpreted in non-copyright contexts to include the family members of the person living with him.[37] The definition of ‘person’ under the General Clauses Act includes a “company or association or body of individuals, whether incorporated or not”. Although the case law on the point is scant[38], it would be interesting to see if ‘personal use’ can be read to include the use by companies internally, thereby casting a shroud of privacy on corporations for the purpose of copyright.
(p) the reproduction, for the purpose of research or private study or with a view to publication, of an unpublished literary, dramatic or musical work kept in a library, museum or other institution to which the public has access.

In addition to the provisions listed above, Section 52 the Act also shields certain spaces and occasions as immune from the charge of copyright infringement (although they are not specially designated as ‘private’). These include educational institutions[39], non-profit clubs, societies[40], religious institutions[41] and religious ceremonies including marriages.[42]

Perhaps the most elaborate calibration of the boundaries between the 'private' and 'public' under the Indian Ccopyright Act by the judiciary occurs in the case Garware Plastics and Polyester vs Telelink & Ors[43]., decided by the Bombay High Court in 1989. The case called for the determination of whether films transmitted via neighbourhood cable networks and viewed in the privacy of customers’ homes would constitute an unauthorised ‘communication to the public’ under the Copyright Act. Here the defendants had purchased video tapes of popular films and begun transmitting them over cable networks owned by them. For this they charged a monthly maintenance fee from their customers. Under the Copyright Act then in force, ‘communication to the public’ was defined simply as "communication to the public in whatever manner, including communication through satellite.” After an extensive review of English law on the subject, the court ruled that this did constitute an unauthorised communication to the public:

"Whether a communication is to the public or whether it is a private communication depends essentially on the persons receiving the communication. If they can be characterized as the public or a protein of the public , the communication is to the public…From the authorities the principal criteria which emerge for determining the issue are(1) the character of audience and whether it can be described as a private or domestic audience consisting of family members or members of the household, (2) whether the audience in relation to the owner of the copyright can be so considered…Applying the test of the character of the audience watching these video films , can this audience be called a Section of the public or is this audience a private or domestic audience of the defendants ? In the present case it cannot be said that the audience which watches video films shown by the defendants consists of family members and guests of the defendants. The video film may be watched by a large Section of the public in the privacy of their homes. But this does not make it a private communication so as to take it our of the definition of "broadcast" under the Copyright Act, 1957.

It is true that the network operates through the connection of a cable to all these various apartments or houses. But this cannot in any way affect the character of the audience. The viewers are not members of one family or their guests. They do not have even the homogeneity of club members of one family or their guests. They do not have even the homogeneity of a club membership.[44] (emphasis added)

A central feature emerging from this case that distinguishes public form private in Copyright law is homogeneity or affiliation: that space is marked ‘private’ where a pre-affiliated group – united either by kinship or association in pursuit of a common goal – comes together in pursuit of a non-commercial common interest. Conversely, ‘Public’ is where the unaffiliated congregate. On the face, this accords with the spirit of the various fair dealing rights under the Copyright Act which carve out immunised spaces for institutions that correspond to these definitions – educational institutions, religious institutions and ceremonies, amateur clubs etc are immune from infringement actions because, one could say, their activities are ‘private’.

In 1994 the Copyright Act was amended to fortify this conclusion by expanding the definition of ‘communication to the public’ to include ‘communication through satellite or cable or any other means of simultaneous communication to more than one household or place of residence including residential rooms of any hotel or hostel shall be deemed to be communication to the public;” (Sec 2(ff), Explanation)

Conclusion

I would like to conclude this paper with some reflections on the assertion I made in the introduction about copyright law being both an instrument for the protection and violation of privacy. From the discussion in the previous sections, it follows:

Firstly, that 'property' – as embodied by copyright law – is, at best, an unreliable guarantor of privacy. It works when bussed along with dignity claims– for instance the Phoolan Devi case where the petitioner’s suffering underlay her property claim– but fails when asserted as ‘property’ per se (as in Manisha Koirala’s case[45]). One does not (under the Indian Copyright Act, at least) have a reliable ‘property’ interest in one’s life story, bodily representation, name etc. This stands in contrast with other regimes such as the US where several states have enacted ‘Right to publicity’ statutes or have recognised publicity rights through common law processes.[46]

These rights can be read to offer people a 'property' means for protecting their privacy (by preventing unauthorised publicity) in those jurisdictions. Analogous claims are unavailable in India.

Secondly, that ‘property’ operates frequently as a license for the violation of privacy with impunity. This emerges most clearly from the cases of copyright investigation that we examined in Section 1.2 above. Pecuniary copyright interests appear to completely overwhelm any regard for competing privacy concerns.

Thirdly, that, notwithstanding the preceding two points, the copyright act does protect privacy in limited ways. Chiefly these are a) By conferring limited copyright on 'unpublished works', it enables authors to restrict their publication except on terms acceptable to them. b) The Act grants a very wide “Performer’s right” to performers and no sound or visal recording may be made of them without their express consent. No such recording can broadcast or communicated to the public without their consent. This gives a very powerful weapon of control in the hands of performers to restrict the extent to which representations of them are publicised. C) As mentioned above in the penultimate section of this paper, various fair dealing exceptions carve out spaces of privacy where infringing acts are granted immunity – for instance private uses, uses in educational institutions and libraries, etc.

Lastly, with the arena of copyright infringement shifting gradually to the internet, it is foreseeable that the IT Act will be employed with greater frequency in the coming years to do the work of copyright enforcement. The legal regime already supports this change through provisions in the IT Act which preserve all existing rights available under the Copyright Act [Section 81 (proviso) of the IT Act] and put new powers of take-down [see Intermediary Guidelines] in the hands of Copyright Owners. Thus on the one hand, copyright owners would be able to lawfully hack into potential infringers’ computers while enjoying immunity under the IT Act. On the other hand, ‘intermediaries’ would be legally bound to co-operate in copyright enforcement including, conceivably, handing over a number of personal details of those accused of copyright infringement. In other jurisdictions, such as the EU, such ‘co-operation’ is heavily policed by judicial oversight where personally identifiable information is involved[47]. Contrastingly, in India, with its diminished concerns for privacy and limited awareness of how IP address data can seriously imperil privacy, there is a very real threat that these provision will license the wholesale violation of online privacy.

Notes

[1]Anon, 2005. Towards Knowledge Societies, Paris: UNESCO. Available at: http://unesdoc.unesco.org/images/0014/001418/141843e.pdf [Accessed April 20, 2011].

[2]Sundaram says "Temporal acceleration was a significant part of the imaginary of developmentalism - this was inherent in the logic of 'catching up' with the core areas of the world economy by privileging a certain strategy of growth that actively delegitimized local and 'traditional' practices."

[3]This aspiration underlies several of the policy documents prepared in India in the last decade – Illustratively, the report submitted by the National Task Force on Information Technology (NTFIT) in 1998 captures this sentiment well: “For India, the rise of Information Technology is an opportunity to overcome historical disabilities and once again become the master of one's own national destiny. IT is a tool that will enable India to achieve the goal of becoming a strong, prosperous and self-confident nation. In doing so, IT promises to compress the time it would otherwise take for India to advance rapidly in the march of development and occupy a position of honor and pride in the comity of nations” Tiwari, Ghanshyam et al. Government of India. Central Advisory Board of Education, Ministry of Human Resource Development .Report of the Central Advisory Board of Education Committee On Universalisation of Secondary Education. New Delhi: 2005

[4]There is some ambiguity on whether offences under the Copyright Act punishable with imprisonment “which may extend to three years” are 'cognizable' or not. The Code of Criminal Procedure 1973 classifies all offences which prescribe a penalty of three years and above as cognizable and non bailable [First Schedule]. Offences which are punishable with imprisonment of less than three years are classified as ‘non-cognizable’ and ‘bailable’. In the absence of a definitive ruling from the Supreme Court on this issue, different High Courts have offered conflicting interpretations. See Singh, S. & Aprajita, 2008. Insight into the nature of offence of Copyright Infringement. Journal of Intellectual Property Rights, 13(6), pp.583-589. Available at: http://nopr.niscair.res.in/bitstream/123456789/2433/1/JIPR%2013%286%29%20583-589.pdf [Accessed May 12, 2011]. See also Agarwal, D.K., 2010. Arrest under the customs act ? Bailable or non-bailable offence. Translation Interpreting Services. Available at: http://translation-tech.com/blog/213/arrest-under-the-customs-act-bailable-or-non-bailable-offence/ [Accessed May 12, 2011]. The determination of this issue would have wide ranging implications since the police have a wider assortment of powers with respect to interrogation, arrest, search and seizure in the course of investigating cognizable offences than they have with respect to non-cognizable offences.

[5]"Where Director of Inspection or Commissioner in consequence of information in his possession, has reason to believe that any person having in possession of any money, etc.." has not disclosed it for purposes of Income Tax.

[6]AIR 1997 Raj 78 < http://indiankanoon.org/doc/661363/>

[7]Event and Entertainment Management Association v. Union of India (Delhi HC) Order dated 2nd May 2011 <http://courtnic.nic.in/dhcorder/dhcqrydisp_o.asp?pn=84697&yr=2011>. Harkauli, S., 2011. HC nullifies police circular on copyright issue. The Pioneer. Available at: http://www.dailypioneer.com/336974/HC-nullifies-police-circular-on-copyright-issue.html [Accessed May 9, 2011].

[8]Ibid

[9]As recently as April 2011, the Delhi high court restrained “cable operators nationwide from telecasting matches of the Indian Premier League (IPL) without authorization from MSM Satellite (Singapore) Pte Ltd, which owns the broadcasting rights. See Bailay, R., 2011. Cable operators can’t telecast IPL without authorization, says HC. Livemint. Available at: http://www.livemint.com/articles/2011/04/27212449/Cable-operators-can8217t-te.html?atype=tp [Accessed May 13, 2011]. For an early history of John Doe orders in India, see Krishnamurthy, N. & Anand, P., 2003. India Trade marks in a state of change. Managing Intellectual Property. Available at: http://www.managingip.com/Article/1321770/India-Trade-marks-in-a-state-of-change.html [Accessed May 13, 2011].

[10]These orders are granted by the Court supposedly under Section 75 read with Order 26 of the Code of Civil Procedure which empowers the court to appoint “Local Commissioners” to record evidence in special cases. I have stated my opinions elsewhere on why I believe these powers may not be invoked for the purpose of effecting routine searches and seizures in the manner as is currently being practiced by the higher judiciary – especially the Delhi High Court. See Iyengar, P., 2009. BSA’s response on Spicy IP – in perspective. Original Fakes. Available at: http://originalfakes.wordpress.com/2009/04/04/bsas-response-on-spicy-ip-in-perspective/ [Accessed May 10, 2011].

[11]Anon, 2009. Ghost Post on IP (Software) Raids: Court Sponsored Extortion? SPICY IP. Available at: http://spicyipindia.blogspot.com/2009/03/ghost-post-on-ip-software-raids-court.html [Accessed May 10, 2011].

[12]Autodesk Inc Vs. AVT Shankardass, Available at: http://delhicourts.nic.in/Jul08/Autodesk%20Inc%20Vs.%20AVT%20Shankardass.pdf [Accessed May 10, 2011].

[13]The 2011 Special 301 Country Report on India prepared by the IIPA specifically cites the Delhi High Court in this context, statng “The industry enjoys a very high success rate with respect to the grant of such orders at the Delhi High Court”. According to this report, the Business Software Alliance was able to obtain 34 such orders in 2009.

[14]Anon, 2011. Special 301 Report on Copyright Protection and Enforcement: 2011 India Country Report, International Intellectual Property Alliance. Available at: http://www.iipa.com/rbc/2011/2011SPEC301INDIA.pdf [Accessed May 9, 2011].

[15]Ibid at. Pp 41-42.

[16]The 2010 Special 301 Country Report lists the following defects of the proposed Section 65A: “(a) does not cover access controls and is limited only to TPMs protecting the exercise of exclusive rights; (b) covers only the “act” of circumvention and does not also cover manufacturing, trafficking in, or distributing circumvention devices or services; (c) does not define an “effective technological measure”; (d) contains an exception which would appear to permit circumvention for any purpose that would not amount to infringement under the act (thereby almost completely eviscerating any protection); (e) creates other overbroad exceptions; and (f) provides for only criminal and not civil remedies."

[17]Syed Asifuddin And Ors. v The State Of Andhra Pradesh, 2005 CriLJ 4314 (Andhra Pradesh HC ).

[18]Ibid.

[19]Holla, A., 2009. Wronged, techie gets justice 2 yrs after being jailed. Mumbai Mirror. Available at: http://www.mumbaimirror.com/index.aspx?page=article&sectid=2&contentid=200906252009062503144578681037483 [Accessed March 23, 2011]. See also Nanjappa, V., 2008. “I have lost everything.” Rediff.com News. Available at: http://www.rediff.com/news/2008/jan/21inter.htm [Accessed March 23, 2011].

[20]Pahwa, N., 2010. Hyderabad Police Arrests Torrent Uploaders - MediaNama. MediaNama. Available at: http://www.medianama.com/2010/11/223-hyderabad-police-arrests-torrent-uploaders/ [Accessed May 12, 2011].

[21]GSR 314(E) Dated 11 April 2011: Information Technology (Intermediaries guidelines) Rules, 2011 http://www.mit.gov.in/sites/upload_files/dit/files/GSR314E_10511(1).pdf [Accessed May 12, 2011].

[22]See Zee Telefilms Ltd. v Sundial Communications Pvt. Ltd., 2003 (5) BomCR 404 (Bombay High Court 2003).

[23]Mr. M. Sivasamy v M/S. Vestergaard Frandsen (Delhi High court 2009).< http://indiankanoon.org/doc/916718/>

[24]Dietrich Engineering Consultant v Schist India & Ors (Bombay High Court, 2009) < http://indiankanoon.org/doc/1634545/>

[25]Mr. Diljeet Titus, Advocate vs Mr. Alfred A. Adebare And Ors, 130 DLT 330 (Delhi High Court 2006).

[26]Phoolan Devi v Shekhar Kapoor And Ors. (1994). DLT (Vol. 57 (1995), p. 154). Retrieved from http://indiankanoon.org/doc/793946/

[27]The conditions under which this license were obtained speak eloquently to the ills of the current copyright system. According to Phoolan Devi’s lawyer, the noted advocate Indira Jaisingh, the contract was signed by Phoolan Devi while she was behind prison bars. She did not speak or understand Hindi or English and only spoke in a local dialect. The copyright contract was written entirely in English and gave her a paltry sum or Rs. 2 lakh – which was a pittance considering the budget and projected returns from the film. Jaisingh, I., 2001. Supreme Court lawyer Indira Jaisingh pays tribute to Phoolan Devi. Available at: http://www.rediff.com/news/2001/jul/26spec.htm [Accessed June 10, 2011]. Arundhati Roy’s two superb critiques of the film and its director movingly capture why this is not a simple case of copyright assignment. See Roy, A., 1994. The Great Indian Rape Trick - I. Sawnet. Available at: http://www.sawnet.org/books/writing/roy_bq1.html [Accessed June 10, 2011].; Roy, A., 1994. The Great Indian Rape Trick - II. Sawnet. Available at: http://www.sawnet.org/books/writing/roy_bq2.html [Accessed June 10, 2011].

[28]Ibid, Roy, A., 1994. The Great Indian Rape Trick - I.

[29]Ibid, Roy, A., 1994. The Great Indian Rape Trick - II

[30]Section 57 of the Act reads “Author’s Special Rights: ‘Independently of the author's copyright and even after the assignment either wholly or partially of the said copyright, the author of a work shall have the right-

(a) to claim authorship of the work; and
(b) to restrain or claim damages in respect of any distortion, mutilation, modification or other act in relation to the said work which is done before the expiration of the term of copyright if such distortion, mutilation, modification or other act would be prejudicial to his honour or reputation:”

[31]The case was later settled out of court with Phoolan Devi being able to secure a substantially higher compensation. Ultimately, the case was not about the depiction of rape generally, but primarily about Phoolan Devi’s sovereign right to decide the terms on which her own life would be represented.

[32]Manisha Koirala v Shashilal Nair & Ors. (2002). BomCR (Vol. 2003 (2), p. 136). Retrieved from http://indiankanoon.org/doc/1913646/

[33]Ibid

[34]Anon, 2011. High Court Grants Injunction Till June 7 Against Publishing Book on Jayalalithaa. The Hindu, p.01. Available at: http://www.hindu.com/2011/04/27/stories/2011042762360100.htm [Accessed May 12, 2011].

[35]For a more dispersed account on the concept of the ‘public’ under Indian law, See Iyengar, P, ‘Where the private and the public collide’, iCommons Lab Report, September- October 2007, pp. 7-8, Icommons.org, < http://archive.icommons.org/articles/what-is-public> last visited May 2011

[36]Copyright (Amendment) Bill 2010 http://prsindia.org/uploads/media/Copyright%20Act/Copyright%20Bill%202010.pdf

[37]See Sivasubramania Iyer v. S.H. Krishnaswamy AIR 1981 Ker 57 , a case under Kerala Buildings (Lease & Rent Control) Act 1965.

[38]Goods purchased for the private use of a corporation would be goods purchased for the ”personal use” of the corporation. 158 IC 703.

[39]52(1)(g), (h) and (i)

[40]52(1)(k) and (l)

[41]52(1)(l)

[42]52(1)(za)

[43]AIR 1989 Bom 331, 1989 (2) BomCR 433, (1989) 91 BOMLR 139 <http://indiankanoon.org/doc/858705/>

[44]Ibid.

[45]At first glance this distinction may seem facile since even Manisha Koirala invoked ‘reputational harm’ as a prop to buttress her property claim. However, I believe this case was complicated by the fact that the court had to consider whether the display of someone else’s body could have implicated Manisha Koirala’s privacy/dignity. Koirala was, in effect, arguing that she had absolute ‘proprietorial’ control over all representations of her body – a property argument which the court was unwilling to concede.

[46]See Footnote 90 and accompanying text in Samuelson, P., 2000. Privacy as Intellectual Property? SSRN eLibrary; Stanford Law Review. Available at: http://ssrn.com/paper=239412 [Accessed on June 14, 2011].

[47]Lebatard, F.-R., Copyright Enforcement and the Protection of Privacy in France. Translegal. Available at: http://www.translegal.com/feature-articles/copyright-enforcement-and-the-protection-of-privacy-in-france [Accessed June 14, 2011].

For more details visit https://cis-india.org/internet-governance/blog/privacy/copyright-enforcement

The New Right to Privacy Bill 2011 — A Blind Man's View of the Elephunt

Prashant Iyengar — 2012-02-29T05:45:41Z

Over the past few days various newspapers have reported the imminent introduction in Parliament, during the upcoming Monsoon session, of a Right to Privacy Bill. Since the text of this bill has not yet been made accessible to the public, this post attempts to grope its way – through guesswork – towards a picture of what the Bill might look like from a combined reading of all the newspaper accounts, writes Prashant Iyengar in this blog post which was posted on the Privacy India website on June 8, 2011.

I am relying entirely on the following three newspaper accounts in the Times of India, the Hindu and the Deccan Chronicle.

A Constitutional/Fundamental Right?

The Times of India piece which broke the story seems to have misunderstood/misquoted Law Minister Veerappa Moily. The article is titled “Right to privacy may become fundamental right” which connotes a constitutional amendment. However this is inconsistent with the later portions of the same article as well as subsequent newspaper accounts in DC and the Hindu. So its safe to assume that this will not be a fundamental right to privacy, but a statutory right to privacy – like what the Right to Information Act grants us.

Preamble

I’m extrapolating here from the Hindu article:

"To provide for such a right [of privacy] to citizens of India AND to regulate collection, maintenance, use and dissemination of their personal information."

So it’s an omnibus Privacy and Data Protection Law that’s being passed. How nice. This addresses some of the misgivings that we had last year against the "Approach Paper on Privacy" released by the Department of Personnel and Training.

Definition of ‘Right to Privacy’

The Hindu article appears to quote directly from the Bill.

Every individual shall have a right to his privacy — confidentiality of communication made to, or, by him — including his personal correspondence, telephone conversations, telegraph messages, postal, electronic mail and other modes of communication; confidentiality of his private or his family life; protection of his honour and good name; protection from search, detention or exposure of lawful communication between and among individuals; privacy from surveillance; confidentiality of his banking and financial transactions, medical and legal information and protection of data relating to individual.

This is a wonderfully expansive definition of the right to privacy which spans diverse areas including privacy of communications, reputational privacy, bodily/physical privacy, confidentiality, privacy of records and data protection. I’m especially pleased that this section does not limit this right to privacy only to claims against the state (as in the Right to Information Act).

The Deccan Chronicle article contains a slightly different definition of 'right to privacy' under the Bill. Here the right to privacy includes "confidentiality of communication, family life, bank and health records, protection of honour and good name and protection from use of photographs, fingerprints, DNA samples and other samples taken at police stations and other places."

This wording is slightly more granular, but less broad. I’m wondering if it is a part of the same section, or a different one entirely.

Interception

What is most interesting is the attempt made in this Bill at harmonization of interception rules across all modes of "communication". (Currently there are different rules/procedures that followed depending on the mode of communication used – Indian Post Act, Telegraph Act, IT Act.)

Here are some of the sweeping changes sought to be introduced:

The bill prohibits interception of communications except in certain cases with approval of Secretary-level officer – not below the rank of home secretary at the Central level and home secretaries in state governments
Mandatory destruction of intercepted material by the service provider within two months of discontinuance of interception.
Constitution of a Central Communication Interception Review Committee (CCIRC) to examine and review all interception orders passed (under all Acts?).
CCIRC empowered to order destruction of material intercepted under the Telgraph Act.
"unauthorised interception" (by whom?) punishable with a maximum of five years’ imprisonment, or a fine of Rs 1 lakh, or both, for each such interception. This makes it a cognizable, non-bailable offense.
Disclosure of legally intercepted communication by “government officials, employees of service providers and other persons” will be punishable with imprisonment up to three years. (It is unclear whether this will be a cognizable offence or not)

Data Protection

The Bill adds muscle to the newly introduced Data Protection Rules under the IT Act, by creating an overarching statutory regime for Data Protection.

Thus, the bill forbids "any person having a place of business in India but has data using equipment located in India" from collecting or processing, using or disclosing "any data relating to individual to any person without consent of such individual". I assume that there will be exceptions to this section. The wording of this section seems to preclude its application to the government (unless you can interpret the ‘government’ to mean ‘a person having a place of business in India’. I have no views on the likelihood of that argument.

The bill evidently authorizes the establishment of an oversight body called “Data Protection Authority of India” that will investigate complaints about alleged violations of data protection. The following appear to be the functions of this body

to monitor development in data processing and computer technology;
to examine law and to evaluate its effect on data protection
to give recommendations and to receive representations from members of the public on any matter generally affecting data protection.
to investigate any data security breach and issue orders to safeguard the security interests of affected individuals whose personal data has or is likely to have been compromised by such breach.

Video Surveillance

The bill includes a very interesting prohibition on "closed circuit television or other electronic or by any other mode", except in certain cases as per the specified procedure.

No further details are provided about the exceptions or the procedure and one expects the devil to be in the details.

Bodily Privacy

The bill prohibits "surveillance by following a person".

This innocuously worded provision has the potential to effect sweeping changes in the criminal administration of this country (if it is even applicable to the state police machinery) . Currently, Police Acts in the various states contain no provisions that enable a person to challenge the surveillance imposed on them. This new section could provide a powerful new shield to the victims of police harassment.

Impersonation and Financial Fraud

In a section apparently dealing with identity theft, the Bill criminalises inter alia "posing as another person when apprehended for a crime" and "using another’s identity to obtain credit, goods and services".

I think the first (at least) is unnecessary since it is already covered by the crime of Impersonation under the IPC.

Residual

A curious provision appears to be a fine imposed on “any persons who obtain any record of information concerning an individual from any officer of the government or agency under false pretext”. Such a person shall be punishable with a fine of up to Rs. 5 lakh.(unclear whether there is a term of imprisonment in addition).

It will be interesting to see how this section conflicts with the Right to Information under which no 'pretext' need be given to the public authority.

I also think it is ill-conceived to penalise the person obtaining the record of information – the government body in custody of the information should be made more responsible in scrutinizing the 'pretext' before handing over such information.

Tailpiece

That’s all I can make out from the three articles referenced. Looks like it’s going to be a really interesting bill. I’m optimistic about it for the sincere attempt it appears to make to grapple with the protean nature of Privacy concerns we encounter. Veerappa Moily has claimed that this bill will be introduced in the monsoon session in July but has also cautioned that "it’s difficult to commit the timeframe". I think we should make haste slowly with this Bill and hope that the Law Ministry will have the wisdom to solicit public comment before introducing it in Parliament.

I’d greatly appreciate someone sending me a copy of the bill if you have access to it.

Read the article published on the Privacy India website here.

For more details visit https://cis-india.org/internet-governance/blog/privacy/new-right-to-privacy-bill

A Street View of Private and the Public

Prashant Iyengar — 2012-03-21T09:34:23Z

Prashant Iyengar on how in the eyes of the law, the internet giant is like the homeless in India. This article was published by Tehelka on June 4, 2011.

Since last Thursday, Internet-search giant Google has been busy collecting images of roads in Bengaluru in order to launch its popular StreetView service for the city. It is a feature that allows users of Google Maps to virtually navigate and explore cities through a 360-degree, street-level imagery. To achieve this, Google drives vehicles with cameras mounted on them through each street and neighbourhood in a city, systematically capturing everything in their path, including buildings, roads, traffic, animals and human subjects.

Intrinsically, the idea is exciting for its ability to enable distant users to sample street life in cities and neighbourhoods that they may have never physically visited. Or, even for the exhilaration it permits of viewing familiar spaces virtually.

However, this technology has also raised interesting privacy concerns in countries where it has previously been launched. In April 2008, shortly after the service was first launched in the US, Google was sued by a couple who objected to the pictures of their home being publicly displayed. This suit was settled out-of-court two years later. Google had, meanwhile, made changes to their service, permitting users to "opt out" of the service, rendering similar suits unnecessary. Google has faced similar concerns in other jurisdictions, including Europe and Japan, and has successfully fended them off by adapting its service by voluntarily blurring faces of all individuals captured during the process and vesting more agency in the hands of users to take down information that offends them.

Putting aside the privacy debate over StreetView in other jurisdictions momentarily, I want to raise two questions about India and the Indian law in the context of StreetView: first, does Indian privacy law – that evanescent sub-topic of tort and constitutional law – contain anything useful or even informative which we can bring to bear on this discussion? And, do the specificities of the Indian street life merit a different approach to the privacy question?

On the first question, the legal right to privacy in India has been, for the most part, a child of the higher judiciary. However, despite a fairly substantial volume of case law that has accumulated by now that references "privacy", one cannot suppress a sense that the concept lacks, even today, a definitive articulation. The individual’s privacy in India today is an uneven concept – stronger in some situations and non-existent in others. It is a contingent, rather tame concept of a general right to privacy that we have, from which it is not possible to mount a confident attack against Google.

Given this state of indeterminacy about one’s right to privacy, a case for the extension of this right in public spaces seems even more far-fetched. Indeed, in specific cases, courts have dealt damaging blows to the emergence of such a concept. For instance, in a tort case from colonial times, it was held that a window overlooking a public street would not infringe the privacy of the neighbours across the street. Likewise, in a case involving sex workers, the Supreme Court held that they were not entitled to move freely in a public place due to the very subversive nature of the professions they practiced in private – signalling that the private seeps into the public only as a limiting or negative concept.

Against this context Google’s extension of its opt-out privacy principles to India is commendable, because they are not warranted by the current state of law in the country. Indeed, it may even result in a "wagging the dog" of privacy jurisprudence in India by seeding the notion of a limited "right to public anonymity", which is currently indeterminate in the Indian law. That individuals have no “legitimate expectation of privacy in a public place” is axiomatic in most other common-law jurisdictions and is one of the hidden legal ballasts that supports Google’s StreetView service. However, there has not yet been an occasion for the Supreme Court to pronounce on this question. It is very likely that the court will defer to international precedent on the matter. However, until this eventuality, the legal position on the question must be regarded as unsettled.

Turning briefly to the second question regarding the specificities of the Indian situation, India is home to one of the largest populations of urban homeless persons. To them the street, generally, and pavements and bridges, more specifically, are "home" regardless of their tenuous legal title to these claims. To casually dismiss their claims is to crudely conflate privacy with property, which is insensitive to the tragedies of urban life in India. In his insightful essay on filth and the public sphere, Sudipta Kaviraj makes the fascinating point that "for the poor, homeless and other destitute people" of India, "public means not-private spaces, from which they could not be excluded by somebody’s right to property.

It comprises assets which are owned by some general institution like the government or city municipality which does not exercise fierce vigilance over its properties as individual owners do, and which allows through default, indifference and a strangely lazy generosity, its owned things to be despoiled by those with out other means. Public space is a matter not of collective pride but of desperate uses that can range from free riding to vandalizing.

I would add here that this notion of public space is shared not just by the homeless but Google as well, which has taken advantage of the lazy generosity of the Bengaluru traffic police to appropriate images of the city for its purposes. Like the homeless, Google is willing to cede to competing private interests, if they are asserted strongly enough. (This makes Google StreetView, despite its origins in Mountain View in California, characteristically Indian!) In the past, Google has required users to submit documentary proof of their titles before their claims to opt out are honoured. In the context of the homeless particularly, honouring privacy in India may require a different approach. Fortunately for Google, the homeless are not likely to fiercely assert this right.

To conclude, I will like to clarify that I write to praise Google not to bury him, since Google is an honourable man. Over the past several decades, technology – from wire tapping to DNA tests to paternity tests – has been the site and discursive nucleus that has facilitated an efflorosence of privacy jurisprudence in the country. Two decades ago we did not have Facebook, Google, unsolicited calls and spam, and, correspondingly, neither did we have a sharp notion of our privacy. One awaits with optimism the kinds of changes in privacy jurisprudence that might emerge from StreetView.

Prashant Iyengar is a lawyer and consultant on privacy issues with the Centre for Internet and Society, Bengaluru.

He can be contacted at prashantiyengar@gmail.com.

Read the original published in Tehelka here

For more details visit https://cis-india.org/internet-governance/blog/privacy/street-view-of-private-and-public

Bloggers' Rights Subordinated to Rights of Expression: Cyber Law Expert

elonnai — 2012-03-21T09:35:06Z

Vijayashankar, an eminent cyber law expert answers Elonnai Hickok’s questions on bloggers' rights, freedom of expression and privacy in this e-mail interview conducted on May 19, 2011.

A set of rules relating to regulation of the Internet (mentioned in section 79 of the ITAA, 2008) was released in April 2011. In light of the rules framed under the IT Act, and as part of our research on privacy and Internet users, we have been looking into questions surrounding bloggers’ rights, freedom of expression, and privacy.

The new rules require among other things that intermediaries take down any content that could be considered disparaging. In practice, these rules will act to limit the ability of individuals to express their opinions on the Internet — especially for the bloggers. Though these requirements seem to only impact the freedom of expression of bloggers, a blogger’s privacy rights, especially in relation to the protection of their identity, are also pulled into question. Other issues surrounding bloggers’ rights and privacy include: if bloggers are identified as journalists, then whether they should be afforded the same protections and privileges, e.g., should bloggers have the right to free political speech and should intermediaries have freedom from liability for hosting speech or others’ comments? Are bloggers allowed to publish material that is under copyright on their website?

On May 19, 2011, through e-mail, I had the opportunity to interview Vijayashankar, an expert in cyber law, on issues regarding the rights of bloggers freedom of expression, and privacy. Vijayashankar has authored multiple books on cyber law, taught in many universities, and is an active leader of the Netizen movement in India. Below is a summary of the questions I posed to Vijayashankar and his responses.

I began the interview by trying to understand bloggers’ rights and how they are defined. Often the term 'bloggers' rights is used casually, but it is important to understand the different roles that a blogger plays in order to understand what his/her rights are, how they could be violated, and how they could be protected. Vijayashankar explained that a blog is comprised of two parties: a blogger and an intermediary – which is the application host. Bloggers have many different roles: authors, editors, or publishers of content, and thus, a blogger’s rights should be defined within these contexts. As authors, bloggers write their own article/blog or adds comments to others’ blogs. As such, they should have the freedom to express their thoughts and opinions and determine a level of privacy with which to maintain them, without regulation or censorship from a third party. Though the freedom of expression and privacy should be basic rights for blog authors, bloggers must also be held accountable and responsible for the content that they choose to make public by posting on accessible web pages.

The need for a blogger to be held responsible and accountable is similar to the limitation on speech that informs defamation law, and it means that a blogger cannot be entirely anonymous – at least not once a blog is public and is challenged. Thus, accountability must limit the right to be entirely private and anonymous. Though a blogger should be held accountable, the international implications give rise to thorny issues of jurisdiction and accountability under unforeseen laws: all of which raises the question whether, instead of local jurisdictions seeking to enforce their laws against potentially out-of-the-jurisdiction bloggers, an international third party should be entrusted with the responsibility of holding bloggers accountable and responsible – whether that takes the form of an organization like the WTO or WIPO or looks more like specially trained international arbitrators.

This challenge arises because bloggers live in different jurisdictions where different rules apply, but their opinions cross multiple borders and boundaries. This raises questions such as: Which jurisdictional law should the blogger be accountable to? Should a blogger be held responsible for actions that are considered violations in a jurisdiction in which a blog is read, even if those actions are not violations in the jurisdiction in which it is written? And if a blogger is to be held responsible, who should hold him responsible – the country where the action is considered a violation or his own country – and where does a private party have a cause of action? According to Vijayashankar, blogger’s rights’ are always subordinated to the rights of expression guaranteed to the blogger in his country where he is a citizen.

Furthermore, the rights of a blogger have to be seen in the context of who has the "cause of action" against blog writing, i.e., which party involved has the right to complain. If an individual is a victim of a blog, and that individual is a citizen of another country and is guaranteed certain rights, the blogger's rights cannot override the rights of the victim in his own country. Hence, the victim has the right to invoke law enforcement in his country, and the law enforcement agencies do have a right to seek information from the blogger. If, however, a citizen brings a private civil action against a blogger, the discovery limitations are much more severe across boundaries, and the blogger’s national policy on responding to discovery from other countries will determine the extent to which information from the blogger will be made available. To the extent that the impact of a blogger’s expression reaches across boundaries, his actions should be considered similar to a situation where a citizen of one country does certain things which affect the rights enjoyed by a citizen of another country. It does not seem right that a blogger can say something offensive in one jurisdiction and be held liable, but a different blogger can say the same thing from another jurisdiction and be protected. On the one hand, since the Internet as a medium broadcasts across geographical boundaries, it is the responsibility of the individual countries to erect their "cyber boundaries" if they do not want the broadcast to reach their citizens. On the other, individuals should be able to invoke international laws to seek consistent application of standards about what is actionable and what information is discoverable in support of an action. This suggests that an international tribunal might be the best solution.

Other questions to think about when exploring the idea of a trusted third party holding online bloggers accountable include: who would form the third party, what legal authority/power would they have, would this group also be in charge of reviewing a country’s "cyber boundaries" in addition to holding online bloggers accountable? and how would it avoid being influenced by any one government or by other stakeholders?

Next I asked him for examples of common privacy violations that happen to online users. A few he said included identity theft in the form of phishing, which leads to financial frauds, and is one of the most dangerous consequences of privacy breach. Other examples included manipulation of online profiles in social networking sites to cause annoyance, defamation, and coercion; cyber squatting with content which can be misleading; posting of obscene pictures with or without morphing of victim’s photographs to other obscene photographs/pictures; and SPAM – particularly through mobile phones – are all serious forms of privacy violations.

My third question focused on privacy violations and bloggers. How could a blogger’s rights be compromised, especially with a focus on privacy? For bloggers, is privacy important simply to protect their identity and content, or are there other implications for privacy and bloggers? In our research we have looked into ways in which practices such as data retention by ISPs, government/law enforcements’ access to web content including private conversations, and poorly established user control over privacy settings on websites can violate online users’ privacy. According to Vijayashankar, a blogger is mainly concerned about privacy in the context of protecting his identity. It is important for bloggers to protect their identity because the content they create could be considered controversial or illegal in different regions. Thus, it is critical for bloggers to have the right to blog anonymously. An exception to this right is that if the blog is so offensive then the law enforcement agency can take action. In some countries individuals also can sue bloggers. To help protect bloggers from unreasonable and ungrounded searches, Vijayashankar suggested that a mechanism be created by which international and domestic law enforcement agencies can request 'sensitive' information. This mechanism would work to filter and evaluate requests for information without bias, and according to a country’s law own domestic law.

I then asked him what legal protections he felt bloggers needed. He said that he believes that it is important that bloggers and online users’ right to anonymity, protection of identity and freedom of expression (political and non-political) are protected from excessive regulations. An interesting point that he raised was about the protection of bloggers from international requests for information. According to –him — bloggers can be protected only to the extent to which their rights are protected in their own country. If a request for information comes to a law enforcement agency of a country of which the blogger is a citizen, information may need to be released unless an “asylum” has been granted.

An example of the situation Vijayashankar is referring to is that if a blogger in India writes content that is found to be controversial by the U.S Government; the U.S Government then has a right to request and access that information, unless the Indian Government provides protection over the citizen and the information and refuses to release it. Though right to information requests tend to be governmental, this rule changes if it is a citizen requesting information. Very rarely can a citizen of one country request information about a blogger from another country and gain access. The question of international discovery over Internet material is one that has many angles that need to be taken into consideration – a few being: what the content on the blog contained; was the content against an individual or a government; who is requesting the information — a citizen or the government, and whom are they requesting the information from? For example, in the US Supreme Court case, Calder vs. Jones 465 U.S. 783 (1984), information about a woman, Shirley Jones, was published in another state, but the court ruled that the wrongful action was directed to her where she was.

A large part of the debate over bloggers’ rights is centered on governments’ need to monitor online activity. Developments such as the new rules to the IT Act, the Indian Government’s request for blackberry’s encryption keys, and the news about the government wiretapping citizens’ phones show that the Government of India is demanding access to see and regulate content created by online users in India. When asked about bloggers’ rights and government access to content, Vijayashankar stressed that there has to be a mechanism to check the requests from government agencies, and any such mechanism should have popular representation. He went on to explain that presently an order for the blocking of a blog or for private information is made by a government agency or a court. Unfortunately, government agencies may be responsive to certain interests. Likewise, decisions of conventional courts can be inconsistent. Therefore, it is important that a mechanism that reflects the common person’s input is put in place. This could either be a stand-alone private body, such as Netizen Protection Agency, acting as one more layer of protection, or the government body itself could build in adequate public representation. Courts would need to recognize such bodies and seek their opinion as an input to any dispute. This is an innovative option, but one that is a radical departure from the view of a court as an impartial tribunal that is supposed to weigh every matter independently on its merits.

Lastly, I asked if a privacy legislation could address the issue at hand i.e., could a privacy legislation work to protect bloggers’ rights by providing them identity protection and protection of their content and in general what should be included in a comprehensive privacy legislation? Though India already addresses bloggers’ rights through the Information Technology Act, it could be possible that privacy legislation could establish a third party group to work to protect bloggers’ rights and hold both governments and bloggers’ accountable. When asked what should be included in a comprehensive privacy legislation, Vijayashankar suggested that it should recognize that privacy rights of individuals are part of the larger interests of the society, and a comprehensive legislation should work to take all the stakeholders into consideration.

For more details visit https://cis-india.org/internet-governance/blog/privacy/bloggers-rights-and-privacy

Limits to Privacy

Prashant Iyengar — 2012-12-14T10:28:55Z

In his research article, Prashant Iyengar examines the limits to privacy for individuals in light of the provisions of the Constitution of India, public interest, security of state and maintenance of law and order. The article attempts to build a catalogue of all these justifications and arrive at a classification of all such frequently used terms invoked in statutes and upheld by courts to deprive persons of their privacy.

Introduction

In 1965, the Supreme Court of India heard and decided State of UP v. Kaushaliya[1], a case which involved the question of whether women who are engaged in prostitution can be forcibly removed from their residences and places of occupation, or whether they were entitled, along with other citizens of India, to the fundamental right to move freely throughout the territory of India, and to reside and settle in any part of the territory of India [under Article 19(1)(d) and (e) of the Constitution of India]. In other words, did these women possess an absolute right of privacy over their decisions in respect to their occupation and place of residence? In its decision, the Supreme Court denied them this right holding that "the activities of a prostitute in a particular area... are so subversive of public morals and so destructive of public health that it is necessary in public interest to deport her from that place." In view of their 'subversiveness', the statutory restrictions imposed by the Suppression of Immoral Traffic Act on prostitutes, were upheld by the court as constitutionally-permissible “reasonable restrictions” on their movements.

The legal alibis that the State employs to justify its infringement of our privacy are numerous, and range from ‘public interest’ to 'security of the state' to the 'maintenance of law and order'. In this chapter we attempt to build a catalogue of these various justifications, without attempting to be exhaustive, with the objective of arriving at a rough taxonomy of such frequently invoked terms. In addition we also examine some the more important justifications such as 'public interest' and 'security of the state' that have been invoked in statutes and upheld by courts to deprive persons of their privacy.

The statutory venues of deprivation of privacy by the state being many – strictly, any statute that imposes any restriction on movement, or authorizes the search or examination of any residence or book, or the interception of communication may be read as a violation of a privacy right — tracking each of these down would not only be an impossible exercise, but also contribute little to the analytical exercise we are attempting here. Instead, in this chapter we only list provisions from a few statutes that are the familiar instruments by which the state impinges on our privacy. This is done with the limited object of arriving at a rough inventory of the common technologies which the state employs to impinge on our privacy.

Even if intrusions into our privacy are statutorily authorised, these statutes must withstand constitutional scrutiny. We therefore, begin this chapter with a discussion of the constitutional framework within which these statutes operate, and against which the severity of their incursions must be measured.

Constitutional Jurisprudence on Privacy

The 'right to privacy' has been canvassed by litigants before the higher judiciary in India by including it within the fold of two fundamental rights: the right to freedom under Article 19 and the right to life and personal liberty under Article 21.

It would be instructive to provide a brief background to each of these Articles before delving deeper into the privacy jurisprudence expounded by the courts under them.

Part III of the Constitution of India (Articles 12 through 35) is titled ‘fundamental rights’ and lists out several rights which are regarded as fundamental to all citizens of India (some apply all persons in India whether citizens or not). Article 13 forbids the State from making “any law which takes away or abridges the rights conferred by this Part”.

Thus, Article 19(1) (a) stipulates that "all citizens shall have the right to freedom of speech and expression". However this is qualified by Article 19(2) which states that this will not "affect the operation of any existing law, or prevent the State from making any law, in so far as such law imposes reasonable restrictions on the exercise of the right … in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence".

Thus, the freedom of expression guaranteed by Article 19(1) (a) is not absolute, but a qualified right that is susceptible, under the Constitutional scheme, to being curtailed under specified conditions.

The other important fundamental right from the perspective of privacy jurisprudence is Article 21 which reads "No person shall be deprived of his life or personal liberty except according to procedure established by law."

Where Article 19 contains a detailed list of conditions under which freedom of expression may be curtailed, by contrast Article 21 is thinly-worded and only requires a "procedure established by law" as a pre-condition for the deprivation of life and liberty. However, the Supreme Court has held in a celebrated case Maneka Gandhi vs. Union of India [2] that any procedure "which deals with the modalities of regulating, restricting or even rejection of a fundamental right falling within Article 21 has to be fair, not foolish, carefully designed to effectuate, not to subvert, the substantive right itself. Thus, understood, 'procedure' must rule out anything arbitrary, freakish or bizarre."

Four decisions by the Supreme Court have established the right to privacy in India as flowing from Articles 19 and 21.

The first was a seven-judge bench judgment in Kharak Singh vs The State of U.P.[3] The question for consideration before this court was whether 'surveillance' under Chapter XX of the U.P. Police Regulations constituted an infringement of any of the fundamental rights guaranteed by Part III of the Constitution. Regulation 236(b) which permitted surveillance by 'domiciliary visits at night' was held to be violative of Article 21.The word ‘life’ and the expression ‘personal liberty’ in Article 21 were elaborately considered by this court in Kharak Singh`s case. Although the majority found that the Constitution contained no explicit guarantee of a ‘right to privacy’, it read the right to personal liberty expansively to include a right to dignity. It held that "an unauthorised intrusion into a person's home and the disturbance caused to him thereby, is as it were the violation of a common law right of a man —an ultimate essential of ordered liberty, if not of the very concept of civilization."

In a minority judgment in this case, Justice Subba Rao held that "the right to personal liberty takes is not only a right to be free from restrictions placed on his movements, but also free from encroachments on his private life. It is true our Constitution does not expressly declare a right to privacy as a fundamental right but the said right is an essential ingredient of personal liberty. Every democratic country sanctifies domestic life; it is expected to give him rest, physical happiness, peace of mind and security. In the last resort, a person's house, where he lives with his family, is his 'castle' it is his rampart against encroachment on his personal liberty." This case, especially Justice Subba Rao’s observations, paved the way for later elaborations on the right to privacy using Article 21.

In 1972, the Supreme Court decided a case — one of the first of its kind — on wiretapping. In R. M. Malkani vs State of Maharashtra [4] the petitioner’s voice had been recorded in the course of a telephonic conversation where he was attempting blackmail. He asserted in his defence that his right to privacy under Article 21 had been violated. The Supreme Court declined his plea holding that “the telephonic conversation of an innocent citizen will be protected by courts against wrongful or high handed interference by tapping the conversation. The protection is not for the guilty citizen against the efforts of the police to vindicate the law and prevent corruption of public servants.”

The third case, Govind vs. State of Madhya Pradesh [5] , by a three-judge bench of the Supreme Court is regarded as being a setback to the right to privacy jurisprudence. Here, the court was evaluating the constitutional validity of Regulations 855 and 856 of the Madhya Pradesh Police Regulation which provided for police surveillance of habitual offenders including domiciliary visits and picketing. The Supreme Court desisted from striking down these invasive provisions holding that "It cannot be said that surveillance by domiciliary visit, would always be an unreasonable restriction upon the right of privacy. It is only persons who are suspected to be habitual criminals and those who are determined to lead criminal lives that are subjected to surveillance."

The court went on to make some observations on the right to privacy under the Constitution:

"Too broad a definition of privacy will raise serious questions about the propriety of judicial reliance on a right that is not explicit in the Constitution. The right to privacy will, therefore, necessarily, have to go through a process of case by case development. Hence, assuming that the right to personal liberty, the right to move freely throughout India and the freedom of speech create an independent fundamental right of privacy as an emanation from them it could not he absolute. It must be subject to restriction on the basis of compelling public interest. But the law infringing it must satisfy the compelling state interest test. It could not be that under these freedoms that the Constitution-makers intended to protect or protected mere personal sensitiveness."

The next case in the series was R. Rajagopal vs. State of Tamil Nadu [6] which involved a balancing of the right of privacy of citizens against the right of the press to criticize and comment on acts and conduct of public officials. The case related to the alleged autobiography of Auto Shankar who was convicted and sentenced to death for committing six murders. In the autobiography, he had commented on his contact and relations with various police officials. The right of privacy of citizens was dealt with by the Supreme Court in the following terms: -

The right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a "right to be let alone". A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, childbearing and education among other matters. None can publish anything concerning the above matters without his consent — whether truthful or otherwise and whether laudatory or critical. If he does so, he would be violating the right to privacy of the person concerned and would be liable in an action for damages. Position may, however, be different, if a person voluntarily thrusts himself into controversy or voluntarily invites or raises a controversy.
The rule aforesaid is subject to the exception, that any publication concerning the aforesaid aspects becomes unobjectionable if such publication is based upon public records including court records. This is for the reason that once a matter becomes a matter of public record, the right to privacy no longer subsists and it becomes a legitimate subject for comment by press and media among others. We are, however, of the opinion that in the interests of decency [Article 19(2)] an exception must be carved out to this rule, viz., a female who is the victim of a sexual assault, kidnap, abduction or a like offence should not further be subjected to the indignity of her name and the incident being publicised in press/media.

Elsewhere in the same decision, the court took a cautionary stance and held that "the right to privacy...will necessarily have to go through a process of case-by-case development."

The final case that makes up the 'privacy quintet' in India was the case of PUCL v. Union of India [7] in which the court was called upon to consider whether wiretapping was an unconstitutional infringement of a citizen’s right to privacy. The court held:

The right privacy — by itself — has not been identified under the Constitution. As a concept it may be too broad and moralistic to define it judicially. Whether right to privacy can be claimed or has been infringed in a given case would depend on the facts of the said case. But the right to hold a telephone conversation in the privacy of one’s home or office without interference can certainly be claimed as a ‘right to privacy’. Conversations on the telephone are often of an intimate and confidential character. Telephone conversation is a part of modern man's life. It is considered so important that more and more people are carrying mobile telephone instruments in their pockets. Telephone conversation is an important facet of a man's private life. Right to privacy would certainly include telephone-conversation in the privacy of one's home or office. Telephone-tapping would, thus, infract Article 21 of the Constitution of India unless it is permitted under the procedure established by law.

The court also read this right to privacy as simultaneously deriving from Article 19. "When a person is talking on telephone, he is exercising his right to freedom of speech and expression", the court observed, and therefore "telephone-tapping unless it comes within the grounds of restrictions under Article 19(2) would infract Article 19(1) (a) of the Constitution."

However, the court in this case made two observations which would have a lasting impact on privacy jurisprudence in India –firstly, it rejected the contention that 'prior judicial scrutiny' should be mandated before any wiretapping could take place and accepted the contention that administrative safeguards would be sufficient.

Thus, to conclude this section of this chapter, it may be observed that the right to privacy in India is, at its foundations a limited right rather than an absolute one. In the sections that follow, it will become apparent that this limited nature of the right provides a somewhat unstable assurance of privacy since it is frequently made to yield to all manners of competing interests which happen to have a more pronounced legal standing.

Vocabularies of Privacy Limitation

Article 12 of the Universal Declaration of Human Rights (1948) defines privacy in the following terms:

"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

Similarly, Article 17 of the International Covenant of Civil and Political Rights (to which India is a party) declares that:

"No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home and correspondence, nor to unlawful attacks on his honour and reputation."

In this section, we look briefly at sections in some statutes that authorize the deprivation of privacy. These statutes have been classified under three headings, following the aforementioned international covenants, each dealing with a) our communications, b) our homes and c) bodily privacy.

Privacy of Communications

Communications laws

All laws dealing with mediums of inter-personal communication — post, telegraph and telephony and email – contain similarly worded provisions permitting interception under specified conditions.

Thus, section 26 of the India Post Office Act 1898 confers powers of interception of postal articles for the 'public good'. According to this section, this power may be invoked "On the occurrence of any public emergency, or in the interest of the public safety or tranquillity". The section further clarifies that “a certificate from the State or Central Government” would be conclusive proof as to the existence of a public emergency or interest of public safety or tranquillity.

Similarly, section 5(2) of the Telegraph Act authorizes the interception of any message

on the occurrence of any public emergency, or in the interest of the public safety; and
if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence,

Thus, the events that trigger an action of interception are the occurrence of any ‘public emergency’ or in the interests of ‘public safety’.

Most recently, section 69 of the Information Technology Act 2008 contains a more expanded power of interception which may be exercised "when they [the authorised officers] are satisfied that it is necessary or expedient" to do so in the interest of:

sovereignty or integrity of India,
defence of India,
security of the State,
friendly relations with foreign States or
public order or
preventing incitement to the commission of any cognizable offence relating to above or
for investigation of any offence,

[More details of the occasions and the mandatory procedural safeguards before these powers may be exercised are contained in our briefing notes on Privacy and Telecommunications and Privacy and the IT Act]

From a plain reading of these sections, there appears to be a gradual loosening of standards from the Post Office Act to the latest Information Technology Act. The Post Office Act requires the existence of a ‘state of public emergency’ or a ‘threat to public safety and tranquillity’ as a precursor to the exercise of the power of interception. This requirement is continued in the Telegraph Act with the addition of a few more conditions, such as expediency in the interests of sovereignty, etc. Under the most recent IT Act, the requirement of a public emergency or a threat to public safety is dispensed with entirely – here, the government may intercept merely if it feels it ‘necessary or expedient’.

How much of a difference does it make?

In Hukam Chand Shyam Lal v. Union of India and ors [8] , the Supreme Court was required to interpret the meaning of ‘public emergency’. Here, the court was required to consider whether disconnection of a telephone could be ordered due to an ‘economic emergency’. The Government of Delhi had ordered the disconnection of the petitioner’s telephones due to their alleged involvement, through the use of telephones, in (then forbidden) forward trading in agricultural commodities. According to the government, this constituted an ‘economic emergency’ due to the escalating prices of food. Declining this contention, the Supreme Court held that:

a 'public emergency' within the contemplation of this section is one which raises problems concerning the interest of the public safety, the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or the prevention of incitement to the commission of an offence.

Economic emergency is not one of those matters expressly mentioned in the statute. Mere 'economic emergency'— as the high court calls it—may not necessarily amount to a 'public emergency' and justify action under this section unless it raises problems relating to the matters indicated in the section.

In addition the other qualifying term, 'public safety' was interpreted in an early case by the Supreme Court to mean "security of the public or their freedom from danger. In that sense, anything which tends to prevent dangers to public health may also be regarded as securing public safety. The meaning of the expression must, however, vary according to the context."[9]

Thus, the words ‘public emergency’ and 'public safety' does provide some legal buffer before the government may impinge on our privacy in the case of post and telecommunications. In a sense, they operate both as limits on our privacy as well as limits on the government’s ability to impinge on our privacy — since the government must demonstrate their existence to the satisfaction of the court, failing which their actions would be illegal.

However, as mentioned, even these requirements have been dispensed with in the case of electronic communications falling under the purview of the Information Technology Act where sweeping powers of interception have been provided extending from matters affecting the sovereignty of the nation, to the more mundane 'investigation of any offence'.

Privileged Communications

In addition to laying down procedural safeguards which restrict the conditions under which our communication may be intercepted, the law also safeguards our privacy in certain contexts by taking away the evidentiary value of certain communications.

Thus, for instance, under the Evidence Act, communications between spouses and communications with legal advisors are accorded a special privilege.

Section 122 of the Evidence Act forbids married couples from disclosing any communications made between them during marriage without the consent of the person who made it. This however, does not apply in suits “between married persons, or proceedings in which one married person is prosecuted for any crime committed against the other.”

This rule was applied in a case before the Kerala High Court, T.J. Ponnen vs M.C. Varghese [10] where a man sued his son-in-law for defamation based on statements about him written in a letter addressed to his daughter. The trial court held that the prosecution was invalid since it was based on privileged communications between the couple. This was upheld by the high court. The petitioner had attempted to argue that it was immaterial how he gained possession of the letter. The high court disagreed with this contention holding that this would defeat the purpose of section 122.

Similarly section 126 forbids “barristers, attorneys, pleaders or vakils” from disclosing, without their client’s express consent “any communication made to him in the course and for the purpose of his employment as such barrister, pleader, attorney or vakil... or to state the contents or condition of any document with which he has become acquainted in the course and for the purpose of his professional employment or to disclose any advice given by him to his client in the course and for the purpose of such employment.”

As with section 122, this privilege also comes with exceptions. Thus, the following kinds of communications are exempted from the privilege:

any communication made in furtherance of any illegal purpose,
any fact observed by any barrister, pleader, attorney or vakil, in the course of his employment as such showing that any crime or fraud has been committed since the commencement of his employment.

Section 127 extends the scope attorney-client privilege to include any interpreters, clerks and servants of the attorney or barrister. They are also not permitted to disclose the contents of any communication between the attorney and her client.

Section 129 enacts a reciprocal protection and provides that clients shall not be compelled to disclose to the court any "confidential communication which has taken place between him and his legal professional adviser."

Section 131 of the Evidence Act further cements the legal protection afforded to married couples, attorneys and their clients by providing that "No one shall be compelled to produce documents in his possession, which any other person would be entitled to refuse to produce if they were in his possession" unless that person consents to the production of such documents.

Note that these privileges do not limit the ability of the state to intercept communications – they merely negate the evidentiary value of any communications so intercepted.

Privacy of the Home: Search and Seizure Provisions

Under what circumstances may the State invade the privacy of our homes? What are the limits of these powers? Technically, any law that authorizes “search and seizure” can be said to authorize an invasion of our privacy. Many laws permit searches, for various grounds — ranging from the Income Tax Act which authorizes searches to recover undisclosed income, to the Narcotics Act which prescribes a procedure to search and sieze drugs, to the Excise Act and the Customs Act which do so in order to discover goods that are manufactured or imported in violation of those respective statutes. In this section we deal only with the general provisions for search and seizure under the Code of Criminal Procedure.

The Code of Criminal Procedure (CrPC) provides that a house or premises may be searched either under a search warrant issued by a court, or, in the absence of a court-issued-warrant, by a police officer in the course of investigation of offences.

Thus, a court may issue a search warrant where

it has reason to believe that a person to whom a summons has been, or might be, addressed, will not or would not produce the document or thing as required by such summons; or
where such document or thing is not known to the court to be in the possession of any person, or
where the court considers that the purposes of any inquiry, trial or other proceeding under this Code will be served by a general search or inspection,

Similarly, section 165 of the Code of Criminal Procedure permits for searches to be conducted by “police officers in charge of police station or a police officer making an investigation” without first obtaining a warrant. Such a search may be conducted if he has “reasonable grounds for believing that anything necessary for the purposes of an investigation into any offence which he is authorised to investigate may be found in any place within the limits of the police station of which he is in charge, or to which he is attached”, and if, in his opinion, such thing cannot “be otherwise obtained without undue delay”.

Such officer must record in writing the grounds of his belief and specify “so far as possible” the thing for which search is to be made.

In both cases, the Code of Criminal Procedure requires the search to conform to procedures including the presence of "two or more independent and respectable inhabitants of the locality”. The preparation, in their presence, of “a list of all things seized in the course of such search, and of the places in which they are respectively found", the delivery of this list to the occupant of the place being searched.

However, in reality, these requirements are observed more in the breach. Courts have consistently held that not following these provisions would not make evidence obtained inadmissible — it would make the search irregular, not unlawful. Thus, in State of Maharashtra v. Natwarlal Damodardas Soni [11], where a search was conducted under the Customs Act to recover smuggled gold, the Supreme Court held that

Assuming that the search was illegal it would not affect either the validity of the seizure and further investigation by the customs authorities or the validity of the trial which followed on the complaint of the Assistant Collector of Customs.

In a different case, Radhakrishan v. State of U.P. [12] which involved an illegal search in contravention of the Code of Criminal Procedure , the Supreme Court held that:

"So far as the alleged illegality of the search is concerned, it is sufficient to say that even assuming that the search was illegal the seizure of the Articles is not vitiated. It may be that where the provisions of ... Code of Criminal Procedure, are contravened the search could be resisted by the person whose premises are sought to be searched. It may also be that because of the illegality of the search the Court may be inclined to examine carefully the evidence regarding the seizure. But beyond these two consequences no further consequence ensues."

India inherits the common law notion that a man’s house is his castle. In the light of the cases discussed above, this claim certainly appears to be lofty. However, there is still hope. In a recent case, the Supreme Court struck down provisions of a legislation on grounds that it was too intrusive of citizens’ right to privacy. The case involved an evaluation of the Andhra Pradesh Stamp Act which authorized the collector to delegate “any person” to enter any premises in order to search for and impound any document that was found to be improperly stamped. Thus, for instance, banks could be compelled to cede all documents in their custody, including clients documents, for inspection on the mere chance that some of them may be improperly stamped. These banks were then compelled under law to pay the deficit stamp duty on the documents, even if they themselves were not party to the transactions recorded in the documents.

After an exhaustive analysis of privacy laws across the world, and in India, the Supreme Court held that in the absence of any safeguards as to probable or reasonable cause or reasonable basis, this provision was violative of the constitutionally guaranteed right to privacy, both of the house and of the person. [13]

The case marks a welcome redrawing of the boundaries of the right to privacy against state intrusion.

Privacy of the Body

To what extent do we have a right to privacy that protects what we may do with our own bodies and may be done to them? This section deals with this question in the context of four issues that have arisen before courts:

the ability of the state to order persons to undergo medical-examination,
to undergo a range of 'truth technologies' including narco analysis, brain mapping, etc.,
to submit to DNA testing and d) to abortion. In most cases, as we shall see, the right to privacy cedes ground to any available competing interest.

Court-ordered Medical Examinations

Can courts compel persons to undergo medical examinations against their will? In the case of Sharda v. Dharmpal[14], decided in 2003, the Supreme Court held that they could. Here a man filed for divorce on that grounds that his wife suffered from a mental illness. In order to establish his case, he requested the court to direct his wife to submit herself to a medical examination. The trial court and the high court both granted his application. On appeal to the Supreme Court, the woman contested the order on grounds firstly, that compelling a person to undergo a medical examination by an order of the court would be violative of her right to 'personal liberty' guaranteed under Article 21 of the Constitution of India. Secondly, in absence of a specific empowering provision, a court dealing with matrimonial cases cannot subject a party to undergo medical examination against his her volition. The court could merely draw an adverse inference.

The Supreme Court rejected these contentions holding that the right to privacy in India was not absolute. If the "respondent avoids such medical examination on the ground that it violates his/her right to privacy or for a matter right to personal liberty as enshrined under Article 21 of the Constitution of India, then it may in most of such cases become impossible to arrive at a conclusion. It may render the very grounds on which divorce is permissible nugatory."

The court upheld the rights of matrimonial courts to order a person to undergo medical test. Such an order, the court held, would not be in violation of the right to personal liberty under Article 21 of the Constitution of India. However, this power could only be exercised if the applicant had a strong prima facie case, and there was sufficient material before the court. Crucially, the court held that if, despite the order of the court, the respondent refused to submit herself to medical examination, the court would be entitled to draw an adverse inference against him.

Thus, oddly, one limitation on the right to privacy appears to be the statutory rights of others. One is entitled to the privacy of one’s body, to the extent that another person is not, thereby, deprived of a statutory right – as in this case, to divorce.

Reproductive Rights

Ahmedabad: A 13-year-old girl, who conceived after being repeatedly raped, has moved the Gujarat High Court and sought permission to medically terminate her pregnancy after a sessions court rejected her plea.

Express India(April 2010) [15]

To what extent do pregnant women enjoy a right to privacy over their bodies and their reproductive decisions? Are there circumstances when the State can intervene and either order or forbid an abortion?

According to the Medical Termination of Pregnancy Act, 1971 a pregnancy may be terminated before the twentieth week if:

the continuance of the pregnancy would involve a risk to the life of the pregnant woman or of grave injury to her physical or mental health; or
there is a substantial risk that if the child were born, it would suffer from such physical or mental abnormalities to be seriously handicapped.
where any pregnancy is alleged by the pregnant woman to have been caused by rape,
where any pregnancy occurs as a result of failure of any device or method used by any married woman or her husband for the purpose of limiting the number of children.

Consent for termination needs to be obtained from the guardian in cases of minors or women who are mentally ill. In all other cases, the woman herself must consent.

Beyond the period of 20 weeks, the pregnancy may only be terminated if there is immediate danger to the life of the woman.

In August 2009, the Supreme Court heard an expedited appeal that was filed on behalf of a destitute mentally retarded woman who had become pregnant consequent to having been raped at a government run shelter. The government had approached the high court seeking permission to terminate her pregnancy, which had been granted by that court despite the finding by an ‘expert body’ of medical practitioners that she was keen on continuing the pregnancy. On appeal the Supreme Court held, very curiously, that the woman was not ‘mentally ill’, but ‘mentally retarded’, and consequently her consent was imperative under the Act. [16] However, not content to stop there, the court made several puzzling and contradictory observations:

Firstly, the court took the opportunity to affirm, generally, women’s rights to make reproductive choices as a dimension of their `personal liberty' as guaranteed by Article 21 (Right to Life and Personal Liberty) of the Constitution of India. The court observed:

“It is important to recognise that reproductive choices can be exercised to procreate as well as to abstain from procreating. The crucial consideration is that a woman's right to privacy, dignity and bodily integrity should be respected. This means that there should be no restriction whatsoever on the exercise of reproductive choices such as a woman's right to refuse participation in sexual activity or alternatively the insistence on use of contraceptive methods. Furthermore, women are also free to choose birth-control methods such as undergoing sterilisation procedures. Taken to their logical conclusion, reproductive rights include a woman's entitlement to carry a pregnancy to its full term, to give birth and to subsequently raise children. (emphasis mine) [17]

However, the court went on to affirm, in language that curiously imitates Roe v Wade,[18] that there was “a `compelling state interest' in protecting the life of the prospective child.[19]

Secondly, the Supreme Court upheld the woman’s consent as determinative and in doing so, categorically rejected the high court approach. The court held that since she suffered from `mild mental retardation' this did not render her "incapable of making decisions for herself". Simultaneously, however, the Supreme Court proceeded gratuitously to apply the common law doctrine of `parens patriae' to resume jurisdiction over the woman in her “best interests”. According to a court-appointed expert committee, her mental age was “close to that of a nine-year old child” and she was capable of “learning through rote memorisation and imitation” and of performing “basic bodily functions”.[20] In this light, the court deemed in her ‘best interests’, as defined by an expert committee, to defer to her wishes.

The findings recorded by the expert body indicate that her mental age is close to that of a nine-year old child and that she is capable of learning through rote-memorisation and imitation. Even the preliminary medical opinion indicated that she had learnt to perform basic bodily functions and was capable of simple communications. In light of these findings, it is the `best interests' test alone which should govern the inquiry in the present case and not the `substituted judgment' test. [21]

If one disregards the liberalism of its outcome, there are various problems with this decision. Chiefly, the Supreme Court relied on the woman’s expressed consent to deny the legitimacy of the high court’s decision in favour of abortion. Inexplicably, however, in the same move, the Supreme Court reserved to itself the right to adjudicate the ‘best interests’ of the woman. Thus, in relation to abortion, mentally retarded women are more autonomous than minor girls (since their own consent is determinative, rather than their guardians) but they are still less autonomous than ‘normal’ women (since their decisions are subject to adjudication based on what the court thinks is in their best interests)!

DNA Tests in Civil Suits

Do we have a right to privacy over the interiors of our body – our blood, our tissue, our DNA? There is, by now, a strong line of cases decided by the Supreme Court in which our right to ‘bodily integrity’ has been held to not be absolute, and may be interfered with in order to settle many terrestrial issues. In most cases, this question has arisen in the context of the determination of paternity – either in divorce or maintenance proceedings. Central in the determination of these issues is section 112 of the Evidence Act which stipulates that birth of a child during the continuance of a valid marriage (or within 280 days of its dissolution) would be conclusive proof of legitimacy of that child, “unless it can be shown that the parties to the marriage had no access to each other at any time when he could have been begotten.”

As is evident, this section creates a strong legal presumption of legitimacy that leaves no room for a scientific rebuttal. Various litigants have, nevertheless, sought the courts’ indulgence in accepting medical evidence to displace this formidable legal presumption. These efforts have yielded a measure of success, and a steady line of precedents since the early 1990s now affirms the right of courts to direct medical evidence in cases they consider fit. In these cases, the court has frequently invoked privacy rights as an important consideration to be weighed before ordering a person to submit to any test.

In one of the earliest and most frequently invoked cases, Goutam Kundu vs State of West Bengal and Anr (1993) [22] the Supreme Court laid down guidelines governing the power of courts to order blood tests. The court held:

courts in India cannot order blood test as matter of course;

wherever applications are made for such prayers in order to have roving inquiry, the prayer for blood test cannot be entertained.

There must be a strong prima facie case in that the husband must establish non-access in order to dispel the presumption arising under section 112 of the Evidence Act.

The court must carefully examine as to what would be the consequence of ordering the blood test; whether it will have the effect of branding a child as a bastard and the mother as an unchaste woman.

No one can be compelled to give sample of blood for analysis.

On the particular facts of this case, the Supreme Court refused to order the respondent to submit to the test, since in its view, there was no prima facie case made out that cast doubts on the legal presumption of legitimacy.

These guidelines have been frequently invoked in subsequent cases. In a complex set of facts, in Ms. X vs Mr. Z and Anr (2001), [23] the Delhi High Court was called to consider whether a foetus had a ‘right to privacy’ – or whether the mother of the foetus could assert a right to privacy on it’s behalf. A woman had given birth to a still-born child and tissues from the foetus had been stored at the All India Institute of Medical Sciences. Her husband approached to obtain an order permitting a DNA test to be carried out to determine if he was the father. In her defence, the woman claimed that this would offend her right to privacy. The high court reaffirmed the guidelines laid down in the Gautam Kundu case (supra), and also upheld the petitioner’s right to privacy over her own body. However, the court took the stance that she did not have a right of privacy over the foetus once it had been discharged from her body:

"The petitioner indeed has a right of privacy but is being not an absolute right, therefore, when a foetus has been preserved in All India Institute of Medical Science, the petitioner, who has already discharged the same cannot claim that it affects her right of privacy.

However, if the petitioner was being compelled to subject herself to blood test or otherwise, she indeed could raise a defense that she cannot be compelled to be a witness against herself in a criminal case or compelled to give evidence against her own even in a civil case but the position herein is different. The petitioner is not being compelled to do any such act. Something that she herself has discharged, probably with her consent, is claimed to be subjected to DNA test. In that view of the matter, in the peculiar facts, it cannot be termed that the petitioner has any right of privacy."

The decision has wide-ranging implications since it virtually divests control and ownership over any material that has been discarded from the body – from nails to hair to tissue samples. In an interesting case in the US, Moore v. Regents of the University of California [24], the Supreme Court of California was faced with a suit to determine whether a man retained ownership over cells that had been removed from his body through a surgical procedure. In this case, cells from a patient’s spleen were used to conduct research which resulted in the patenting of a cell-line by the defendant. The patient sued for a share in the profits, but this was rejected by the court which held that he had no property rights to his discarded cells or any profits made from them. The court specifically rejected the argument that his spleen should be protected as property as an aspect of his privacy and dignity. The court held these interests were already protected by informed consent.

In a sense the Ms. X vs Mr. Z case arrives at identical conclusions without as much deliberation on its implications. It would be interesting to see how subsequent courts interpret and apply this precedent.

One of the most critical factors, consistently weighed by courts alongside the privacy rights implicated, is the ‘best interests’ of the child. Thus, in Bhabani Prasad Jena v. Convenor Secretary, Orissa State Commission for Women & Anr.[25], the Supreme Court quashed a high court-mandated DNA test to determine the paternity of an unborn child in a woman’s womb. In doing so, the SC observed:

“In a matter where paternity of a child is in issue before the court, the use of DNA is an extremely delicate and sensitive aspect. One view is that when modern science gives means of ascertaining the paternity of a child, there should not be any hesitation to use those means whenever the occasion requires. The other view is that the court must be reluctant in use of such scientific advances and tools which result in invasion of right to privacy of an individual and may not only be prejudicial to the rights of the parties but may have devastating effect on the child. Sometimes the result of such scientific test may bastardise an innocent child even though his mother and her spouse were living together during the time of conception. In our view, when there is apparent conflict between the right to privacy of a person not to submit himself forcibly to medical examination and duty of the court to reach the truth, the court must exercise its discretion only after balancing the interests of the parties and on due consideration whether, for a just decision in the matter, DNA is eminently needed. (emphasis added)

A strong trend, evident in this case, is the bussing of the interests of the child (in not being declared illegitimate), along with the privacy rights of the mother. The two create a composite interest opposed to that of the putative father, which the courts have been reluctant to interfere with except for the most compelling reasons. But what happens when then the interests of the child conflict with the privacy rights of either parent?

In a high profile case in 2010, Shri Rohit Shekhar vs Shri Narayan Dutt Tiwari[26], the Delhi High was called upon to determine whether a man had a right to subject the person he named as his biological father to a DNA test. Contrary to the trend in the preceding cases, it was the biological father who pleaded his right to privacy in this case. The court relied on international covenants to affirm the “right of the child to know of her (or his) biological antecedents” irrespective of her (or his) legitimacy. The court ruled:

There is of course the vital interest of child to not be branded illegitimate; yet the conclusiveness of the presumption created by the law in this regard must not act detriment to the interests of the child. If the interests of the child are best sub-served by establishing paternity of someone who is not the husband of her (or his) mother, the court should not shut that consideration altogether.

The protective cocoon of legitimacy, in such case, should not entomb the child’s aspiration to learn the truth of her or his paternity.

The court went on to draw a distinction between legitimacy and paternity that may both "be accorded recognition under Indian law without prejudice to each other. While legitimacy may be established by a legal presumption [under section 112 of the Evidence Act], paternity has to be established by science and other reliable evidence"[27] The court, however, reaffirmed that the same considerations would apply as was laid down in previous cases – i.e., the plaintiff would have to establish a prima facie case and weigh the competing interests of privacy and justice before it could order a DNA test. In this case, the petitioner was able to produce DNA evidence that excluded the possibility that his legal father was his biological father. In addition, photographic and testimonial evidence suggested that the respondent could be his biological father. On these grounds the Delhi High Court ordered the respondent to undergo a DNA test. This was upheld in an appeal to the Supreme Court.

So from the foregoing cases, it appears that it is the ‘best interests of the child’ that undergrids the right to privacy of either parent. When the two are in conflict it is the former that will, the case law suggests, invariably prevail.

Bodily Effects — Fingerprints, handwriting samples, photographs, Irises, narco-analysis, brain maps and DNA

The human body easily betrays itself. We are incessantly dropping residues of our existence wherever we go – from shedding hair and fingernails, to fingerprints and footprints, handwriting – which, through use of modern technology, can implicate our bodies, and identify us against our will. Not even our thoughts are immune as new technologies like brain mapping pretend to be able to harvest psychic clues from our physiology.

In this section we explore occasions when the state may compel us to 'perform' our existence for instance, by submitting to photography, providing finger impressions or handwriting samples, submit to narco-analysis and truth tests, and more recently to provide iris scan data or our DNA.

Section 73 of the Evidence Act stipulates that the court "may direct any person present in the court to write any words or figures for the purpose of enabling the court to compare the words or figures so written with any words or figures alleged to have been written by such person."

This section was interpreted by the Supreme Court in State of U.P. v. Ram Babu Misra [28] where it was held that there must be “some proceeding before the court in which...it might be necessary... to compare such writings”. This specifically excludes, say, a situation where the case is still under investigation and there is no present proceeding before the court. “The language of section 73 does not permit a court to give a direction to the accused to give specimen writings for anticipated necessity for comparison in a proceeding which may later be instituted in the court.”

The pre-independence Identification of Prisoners Act, 1920 provides for the mandatory taking, by police officers, of 'measurements' and photograph of persons arrested or convicted for any offence punishable with rigorous imprisonment for a term of one year of upwards or ordered to give security for his good behaviour under section 118 of the Code of Criminal Procedure. [29] The Act also empowers a magistrate to order a person to be measured or photographed if he is satisfied that it is required for the purposes of any investigation or proceeding under the Code of Criminal Procedure, 1898. [30]

The Act also provides for the destruction of all photographs and records of measurements on discharge or acquittal. [31]

In addition, the Code of Criminal Procedure was amended in 2005 to enable the collection of a host of medical details from accused persons upon their arrest. Section 53 of the Code of Criminal Procedure provides that upon arrest, an accused person may be subjected to a medical examination if there are “reasonable grounds for believing” that such examination will afford evidence as to the crime. The scope of this examination was expanded in 2005 to include “the examination of blood, blood-stains, semen, swabs in case of sexual offences, sputum and sweat, hair samples and finger nail clippings by the use of modern and scientific techniques including DNA profiling and such other tests which the registered medical practitioner thinks necessary in a particular case.”

In a case in 2004, the Orissa High Court affirmed the legality of ordering a DNA test in criminal cases to ascertain the involvement of persons accused. Refusal to co-operate would result in an adverse inference drawn against the accused.

After weighing the privacy concerns involved, the court laid down the following considerations as relevant before the DNA test could be ordered:

the extent to which the accused may have participated in the commission of the crime;
the gravity of the offence and the circumstances in which it is committed;
age, physical and mental health of the accused to the extent they are known;
whether there is less intrusive and practical way of collecting evidence tending to confirm or disprove the involvement of the accused in the crime;
the reasons, if any, for the accused for refusing consent [32]

Most recently the draft DNA Profiling Bill pending before the Parliament attempts to create an ambitious centralized DNA bank that would store DNA records of virtually anyone who comes within any proximity to the criminal justice system. Specifically, records are maintained of suspects, offenders, missing persons and “volunteers”. The schedule to the Bill contains an expansive list of both civil and criminal cases where DNA data will be collected including cases of abortion, paternity suits and organ transplant. Provisions exist in the bill that limit access to and use of information contained in the records, and provide for their deletion on acquittal. These are welcome minimal guarantors of privacy.

It is evident that the utility of this mass of information – fingerprints, handwriting samples and photographs, DNA data – in solving crimes is immense. Without saying a word, it is possible for a person to be convicted based on these various bodily affects – the human body constantly bears witness and self-incriminates itself. Both handwriting and finger impressions beg the question of whether these would offend the protection against self-incrimination contained in Article 20(3) of our Constitution which provides that “No person accused of any offence shall be compelled to be a witness against himself.” This argument was considered by the Supreme Court in the State of Bombay vs Kathi Kalu Oghad and Ors. [33] The petitioner contended that the obtaining of evidence through legislations such as the Identification of Prisoners Act amounted to compelling the person accused of an offence "to be a witness against himself" in contravention of Article 20(3) of the Constitution. The court held that “there was no infringement of Article 20(3) of the Constitution in compelling an accused person to give his specimen handwriting or signature, or impressions of his thumb, fingers, palm or foot to the investigating officer or under orders of a court for the purposes of comparison. ...Compulsion was not inherent in the receipt of information from an accused person in the custody of a police officer; it will be a question of fact in each case to be determined by the court on the evidence before it whether compulsion had been used in obtaining the information.” [34]

Over the past two decades, forensics has shifted from trying to track down a criminal by following the trail left by her bodily traces, to attempting to apply a host of invasive technologies upon suspects in an attempt to ‘exorcise’ truth and lies directly from their body. One statement by Dr M.S. Rao, Chief Forensic Scientist, Government of India captures this shift:

Forensic psychology plays a vital role in detecting terrorist cases. Narco-analysis and brainwave fingerprinting can reveal future plans of terrorists and can be deciphered to prevent terror activities⁄ Preventive forensics will play a key role in countering terror acts. Forensic potentials must be harnessed to detect and nullify their plans. Traditional methods have proved to be a failure to handle them. Forensic facilities should be brought to the doorstep of the common man⁄ Forensic activism is the solution for better crime management. [35]

Although there are several such 'technologies' which operate on principles ranging from changes in respiration, to mapping the electrical activity in different areas of the brain, what is common to them all, in Lawrence Liang’s words is that they “maintain that there is a connection between body and mind; that physiological changes are indicative of mental states and emotions; and that information about an individual’s subjectivity and identity can be derived from these physiological and physiological measures of deception” [36]

So, how legal are these technologies, in view of the constitutional protections against self-incrimination? In a case in 2004 the Bombay High Court upheld these technologies by applying the logic of the Kathi Kalu Oghad case discussed above. The court drew a distinction between ‘statements’ and ‘testimonies’ and held that what was prohibited under Article 20(3) were only ‘statements’ that were made under compulsion by an accused. In the court’s opinion, “the tests of Brain Mapping and Lie Detector in which the map of the brain is the result, or polygraph, then either cannot be said to be a statement”. At the most, the court held, “it can be called the information received or taken out from the witness.” [37]

This position was however overturned recently by the Supreme Court in Selvi v. State of Karnataka (2010)[38]. In contrast with the Bombay High Court, the Supreme Court expressly invoked the right of privacy to hold these technologies unconstitutional.

“Even though these are non- invasive techniques the concern is not so much with the manner in which they are conducted but the consequences for the individuals who undergo the same. The use of techniques such as 'Brain Fingerprinting' and 'FMRI-based Lie-Detection' raise numerous concerns such as those of protecting mental privacy and the harms that may arise from inferences made about the subject's truthfulness or familiarity with the facts of a crime.”

Further down, the court held that such techniques invaded the accused’s mental privacy which was an integral aspect of their personal liberty.

“There are several ways in which the involuntary administration of either of the impugned tests could be viewed as a restraint on 'personal liberty' ... the drug-induced revelations or the substantive inferences drawn from the measurement of the subject's physiological responses can be described as an intrusion into the subject's mental privacy”

Following a thorough-going examination of the issue, the Supreme Court directed that “no individual should be forcibly subjected to any of the techniques in question, whether in the context of investigation in criminal cases or otherwise. Doing so would amount to an unwarranted intrusion into personal liberty.” The court however, left open the option of voluntary submission to such techniques and endorsed the following guidelines framed by the National Human Rights Commission:

No Lie Detector Tests should be administered except on the basis of consent of the accused. An option should be given to the accused whether he wishes to avail such test.
If the accused volunteers for a Lie Detector Test, he should be given access to a lawyer and the physical, emotional and legal implication of such a test should be explained to him by the police and his lawyer.
The consent should be recorded before a judicial magistrate.
During the hearing before the magistrate, the person alleged to have agreed should be duly represented by a lawyer.
At the hearing, the person in question should also be told in clear terms that the statement that is made shall not be a `confessional' statement to the magistrate but will have the status of a statement made to the police.
The magistrate shall consider all factors relating to the detention including the length of detention and the nature of the interrogation.
The actual recording of the lie detector test shall be done by an independent agency (such as a hospital) and conducted in the presence of a lawyer. 250
A full medical and factual narration of the manner of the information received must be taken on record.

Although the right against self-incrimination and the inherent fallaciousness of the technologies were the main ground on which decision ultimately rested, this case is valuable for the court’s articulation of a right of ‘mental privacy’ grounded on the fundamental right to life and personal liberty. It remains to be seen whether this articulation will find resonance in other determinations in domains such as, say, communications.

Privacy of Records

Since at least the mid-nineteenth century, we have been living in what Nicholas Dirks has termed an 'ethnographic state' — engaged relentlessly and fetishistically in the production and accumulation of facts about us. From records of birth and death, to our academic records, most of our important transactions, our income tax filings, our food entitlements and our citizenship, most of us have assuredly been documented and lead a shadow existence somewhere on the files. Not only does the government keep records about us, but a host of private service providers including banks, hospitals, insurance and telecommunications companies maintain volumes of records about us. In this last section of this paper, we look at the privacy expectation of records both maintained by the government and the private sector.

Various statutes require records to be maintained of activities conducted under their authority and entire bureaucracies exist solely in service of these documents. Thus, for instance, the Registration Act requires various registers to be kept which record documents which have been registered under the Act. [39]; Once registered under this Act, all documents become public documents and State Rules typically contain provisions enabling the public to obtain copies of all documents for a fee. Similarly, a number of legislation – typically dealing with land records at the state level contain enabling provisions that allow the public to access them upon payment of a fee.

Where no provisions are provided within the statute itself that enable the public to obtain records, two recourses are still available.

Firstly, the Evidence Act enables courts to access records maintained by any government body. Secondly, private citizens may access records kept in public offices through the Right to Information Act. Each of these avenues is described in some details below:

Section 74 of the Evidence Act defines 'public documents' as including the following

Documents forming the acts, or records of the acts

Of the sovereign authority,
Of Official bodies and the Tribunals, and
Of public officers, legislative, judicial and executive, of any part of India or of the Commonwealth, or of a foreign country.

Public records kept in any state of private documents

It is clear from this definition that most records maintained by any government body are regarded as public documents. Section 76 mandates that every public officer "having custody of a public document, which any person has a right to inspect, shall give that person on demand a copy of it on payment of the legal fees therefor together with a certificate written at the foot of such copy that it is a true copy of such document or part thereof".

Since there is no legislative guidance within the Evidence Act to indicate who may be said to possess "a right to inspect", this has been interpreted to mean that where the right to inspect and take a copy is not expressly conferred by a statute (as in the Registration Act mentioned above), “the extent of such right depends on the interest which the applicant has in what he wants to copy, and what is reasonably necessary for the protection of such interest". So it isn’t any officious meddler who may access such records – only persons with genuine interests in the matter, either personal or pecuniary, may obtain copies through this route.

In addition to the Evidence Act, copies of documents may also be obtained under the Right to Information Act 2005 which confers on citizens the right to inspect and take copies of any information held by or under the control of any public authority. Information is defined widely to include "any material in any form, including records, documents, memos, e-mails, opinions, advices, press releases, circulars, orders, logbooks, contracts, reports, papers, samples, models, data material held in any electronic form and information relating to any private body which can be accessed by a public authority under any other law for the time being in force".

Section 8 (j) of the Act exempts "disclosure of personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual” unless the relevant authority “is satisfied that the larger public interest justifies the disclosure of such information".

In an interesting case Mr. Ansari Masud A.K vs Ministry of External Affairs (2008)[40] , the Central Information Commission has held that “details of a passport are readily made available by any individual in a number of instances, example to travel agents, at airline counters, and whenever proof of residence for telephone connections etc. is required. For this reason, disclosure of details of a passport cannot be considered as causing unwarranted invasion of the privacy of an individual and, therefore, is not exempted from disclosure under Section 8(1)(j) of the RTI Act.” This is despite the fact that nothing in the Passport Act itself authorizes disclosure of any documents under any circumstances.

However, the Right to Information Act isn’t as convenient a vehicle for privacy abuse as this case may suggest. The RTI adjudicatory apparatus has on several occasions upheld the denial of information on grounds of privacy violation – most famously in a case where an applicant sought information from the Census Department on the ‘religion and faith’ of Sonia Gandhi – the President of the largest party currently in power in India. Both the Central Information Commission – the apex body adjudicating RTI appeals as well as the Punjab and Haryana High Court upheld the denial of information as it would otherwise lead to an unwarranted incursion into her privacy.[41]

A similar concept of 'public interest' would seem to apply when private companies disclose personal information without a person’s consent. Without delving into the issue in too much detail, it would suffice here to mention one of the most important cases to have come up on the issue. In Mr. X vs Hospital Z[42] , a person sued a hospital for having disclosed his HIV status to his fiancé without his knowledge resulting in their wedding being called off. The Supreme Court held that the hospital was not guilty of a violation of privacy since the disclosure was made to protect the public interest. While affirming the duty of confidentiality owed to patients, the court ruled that the right to privacy was not absolute and was "subject to such action as may be lawfully taken for the prevention of crime or disorder or protection of health or morals or protection of rights and freedom of others."

Conclusion

Reflecting on the volume of case law that we have in India on privacy, one is struck at once, both by the elasticity of the concept of privacy — spanning, as it does, diverse fields from criminal law to paternity suits to wiretapping —as well as its fragility — the flag of privacy is constantly being raised only to be ultimately overridden on pretexts that range from security of state, to a competing private interest.

On the one hand, one marvels at the success of the concept, only a few decades old in Indian law, in insinuating itself into legal arguments across diverse contexts. On the other hand, one is dismayed by the fact that rarely does the concept seem to score a victory. There is an almost ritual quality to the way in which the “right to privacy” is invoked in these cases - always named as a relevant factor; it never seems to substantially influence the outcome of the case at hand.

The right to privacy in India was an Oops baby, born on the ventilator of a minority decision of the Supreme Court, and nourished in the decades that followed by sympathetic judges, who never failed to point out that this right was contingent — not absolute, not meant to be under the Constitution, but carved out anyway. Some five decades after its first invocation by the Supreme Court, one gets the feeling that the right to privacy, conceptually, hasn’t moved, and is still what it was then. We don’t, today, for the many times it has been invoked by courts, have a thicker, more robust concept of privacy than we started out with. So the question, that one is stuck with is, what work does this concept of privacy do?

One of the failings of the concept of privacy in India is that it doesn’t exist as a positive right, but is merely a resistive right against targeted intrusion. So for instance, the right to privacy would be useless as a concept to resist something like generalized street video surveillance – as long as a citizen is not singled out for a disadvantage, this right would be of no use. So this right to privacy is a negative right to not be interfered with. Under it one does not have the right to be as private as one wishes, but only no less than the next person. Still, even this limited concept could be useful, if it were applied more rigorously.

Unfortunately, as the case law indicates, the right to privacy cedes too quickly to competing interests. An incomplete rough catalog of these competing rights, drawn from the case law surveyed in this paper include:

public emergency and public safety (communications)
criminal investigation (search and seizure/communications)
competing private interests (divorce proceedings)
best interests of the child (paternity suits)
public interest (Right to Information)
competing fundamental rights (HIV status)

One may perhaps add judicial inactivity as one of the limiting factors on privacy. By holding that violations of procedure by investigating agencies would not vitiate trials, the judiciary has been complicit in perhaps some of the more damaging incursions into privacy. Once a person is implicated in any manner in the criminal justice system – either as a victim, a witness or an offender, investigating agencies are immediately invested with plenary powers. They can search his house without warrant. They can place him arrest. Subject him to ‘medical examinations’, take his fingerprints and DNA and hold it in a bank and there is nothing you can do. In this context, perhaps the strongest privacy safeguard can come from a reform in criminal procedure alone.

Notes

[1].The State of Uttar Pradesh V. Kaushaliya and Others AIR 1964 SC 416

[2].(1978) 2 SCR 621

[3]. 1 SCR 332

[4].AIR 1973 SC 157, 1973 SCR (2) 417

[5].(1975) 2 SCC 148

[6].(1994) 6 S.C.C. 632

[7].AIR 1997 SC 568

[8].AIR 1976 SC 789,1976 SCR (2)1060, (1976) 2 SCC 128

[9].Romesh Thappar vs The State Of Madras AIR 1950 SC 124 , 1950 SCR 594

[10].1966 AIR 1967 Ker 228, 1967 CriLJ 1511

[11].AIR 1980 SC 593 , 1980 SCR (2) 340

[12].[1963] Supp. 1 S.C.R. 408

[13].Distt. Registrar & Collector, Hyderabad v. Canara bank etc. AIR 2005 SC 186

[14].(2003) 4 SCC 493

[15].13-yr-old rape victim to HC: let me abort -, EXPRESS INDIA, April 21, 2010, http://tinyurl.com/13yrindian (last visited May 2, 2010).

[16].Suchita Srivastava v. Chandigarh Administration, (2009) 9 SCC 1. http://courtnic.nic.in/supremecourt/temp/dc%201798509p.txt (last visited May 2, 2010).

[17].Ibid

[18].410 U.S. 113 (1973)

[19].Article 21 does not limit the abridgement of the right to life by the state to only cases where the state has compelling state interest. The Article reads “No person shall be deprived of his life or personal librty except according to procedure established by law”

[20].Ibid

[21].Ibid

[22].AIR 1993 SC 2295, 1993 SCR (3) 917 <http://indiankanoon.org/doc/1259126/>

[23].AIR 2002 Delhi 217 <http://indiankanoon.org/doc/627683/>

[24].51 Cal. 3d 120; 271 Cal. Rptr. 146; 793 P.2d 479

[25].AIR 2010 SC 2851 <http://indiankanoon.org/doc/486945/>

[26].23 December, 2010 <http://indiankanoon.org/doc/504408/>

[27].Ibid

[28].AIR 1980 SC 791 , 1980 SCR (2)1067 , (1980) 2 SCC 343

[29].Sections 3 & 4 of the Identification of Prisoners Act, 1920

[30].Ibid, Section 5

[31].Section 7

[32].Thogorani Alias K. Damayanti vs State Of Orissa And Ors 2004 Cri L J 4003 (Ori) < http://indiankanoon.org/doc/860378/>

[33].AIR 1961 SC 1808 < http://indiankanoon.org/doc/1626264/>

[34].Ibid

[35].Keynote address given to the 93rd Indian Science Congress. See http://mindjustice.org/india2-06.htm, cited in Liang, L., 2007. And nothing but the truth, so help me science. In Sarai Reader 07 - Frontiers. Delhi: CSDS, Delhi, pp. 100-110. Available at: http://www.sarai.net/publications/readers/07-frontiers/100-110_lawrence.pdf [Accessed April 11, 2011].

[36].Ibid

[37].Ramchandra Ram Reddy v. State of Maharashtra [1 (2205) CCR 355 (DB)

[38].(2010) 7 SCC 263 http://indiankanoon.org/doc/338008/

[39].See Section 52 of the Registration Act 1908

[40].CIC/OK/A/2008/987/AD dated December 22, 2008 <http://indiankanoon.org/doc/1479476/>

[41].Anon, 2010. High Court dismisses appeal seeking information on Sonia Gandhi’s religion. NDTV Online. Available at: http://www.ndtv.com/article/india/high-court-dismisses-appeal-seeking-information-on-sonia-gandhi-s-religion-69356 [Accessed April 12, 2011].

[42].(2003) 1 SCC 500 40

Download file here [PDF, 312kb]

For more details visit https://cis-india.org/internet-governance/blog/privacy/limits-to-privacy

Privacy By Design — Conference Report

praskrishna — 2011-08-22T12:03:30Z

How do we imagine privacy? How is privacy being built into technological systems? On April 16th,The Center for Internet and Society hosted Privacy by Design, an Open Space meant to answer these questions and more around the topic of privacy. Below is a summary of the conversations and dialogs from the event.

Introduction

On April 16th, The Center for Internet and Society hosted Privacy by Design, an Open Space meant to foster discussions around questions related to how privacy is being designed into technological systems. The day opened with two basic questions: How do we imagine privacy? And how are individuals building technology systems incorporating privacy into the system? Throughout the day the conversations took many twist and turns, but at the end of the day three basic points about privacy had come out of the many discussions: 1. Privacy cannot be limited to one definition; it is constantly changing based on person and on context 2. To a person - privacy is a function of abuse and violation 3. The increased generation of data that was made possible by web 2.0 has lead to a rise in privacy issues and is significantly changing many traditional concepts, spaces, and relationships – such as what constitutes a public space, and the relationship between a state and its citizens.

Database architecture and privacy

The morning discussion focused on databases and privacy, and began with questions like: How can a database be built to protect privacy? When a database is built, what role does privacy play in the migration of data? Is privacy protected in databases simply by limiting access to certain parts of data sets? Though many of these were left unanswered, the conversation highlighted the fact that th databases are coded to segregate /regulate users and information in order to protect the system. Thus, databases are architected to incorporate privacy in such a way that protects the viability of only the system and not the individual. In our research we have seen many cases of this. Individual’s privacy has been violated because of malfunctioning or poorly constructed databases. For example, currently Indian governmental databases often have incorrect information, individuals do not have the ability to access and change their information, and if an individual’s information is compromised the government is not held accountable, and there is no course of action that an individual can take towards redress.

Security vs. Privacy

Embedded in this understanding of how privacy is built into technological systems is the question of what security is, and when systems are built, whether privacy and security are considered to be essentially the same. Thus far in our research we have distinguished between privacy and security, saying that, security and privacy have an interesting relationship, because they go hand in hand, and yet at the same time have a different focus, because of this differing focus data security and privacy are not the same. Data breaches that contain personal information of any sort that can be matched, tracked or otherwise co-related to a person or persons will result in a privacy breach too. Though data security is critical for protecting privacy, because data security and privacy have different focuses, the principles that each follows are also different and sometimes conflicting. For example, data security focuses on data retention, logging, etc, while privacy focuses on consent, restricted access to data, limited data retention, and anonymity. If security measures are carried out without privacy interests in mind, privacy violations can easily result. Therefore we have thought that data security should influence and support a privacy regime, but not drive it.

security and privacy have an interesting relationship, because they go hand in hand, and yet at the same time have a different focus, because of this differing focus data security and privacy are not the same. Data breaches that contain personal information of any sort that can be matched, tracked or otherwise co-related to a person or persons will result in a privacy breach too. Though data security is critical for protecting privacy, because data security and privacy have different focuses, the principles that each follows are also different and sometimes conflicting. For example, data security focuses on data retention, logging, etc, while privacy focuses on consent, restricted access to data, limited data retention, and anonymity. If security measures are carried out without privacy interests in mind, privacy violations can easily result. Therefore we have thought that data security should influence and support a privacy regime, but not drive it.

The right to be forgotten and regulation of data

The possibility of creating systems with "off switches" also came out of this thread of conversation. For instance, can a database be structured to show only necessary information to third parties based on the context. In this scenario a card would be created that has all of an individual’s information on it, but only the pertinent information will be shown based on the different situations - if, for example, a teenager goes to a bar, the card will only show a third party that he is over 18. This idea is already taking shape in many Western countries, and is similar to the idea of a federated identity system. A question to ask though is if such a system could work for India, or be even more appropriate for India than a system like the UID. The purpose of federated systems of identity is to take context into consideration, and enable users to keep contexts separate, and link information about an individual only takes place when consent is given by the user. In response to the idea of an identity system that allows only certain information to be seen by third parties based on the situation, it was brought out that privacy is not protected simply by the separation of data into public or private categories, because all data have the potential to be misused. The immediate response to this concern was that if all data have the potential to be mis-used – than the use of data should be carefully regulated. The regulation of data though is also a double edged sword. On one hand regulating the use of data can stop a company from misusing information, but on the other hand it can keep a country from having full and equal access to the internet. A question that came out of this discussion on regulation was about the right to be forgotten. Does an individual have the right to regulate all information about themselves that is in the public sphere? Can they ask for their photos or videos to be taken down from the internet? In India this question has yet to be answered by the law, and it is a question that our research is looking into.

The purpose of federated systems of identity is to take context into consideration, and enable users to keep contexts separate, and link information about an individual only takes place when consent is given by the user. In response to the idea of an identity system that allows only certain information to be seen by third parties based on the situation, it was brought out that privacy is not protected simply by the separation of data into public or private categories, because all data have the potential to be misused. The immediate response to this concern was that if all data have the potential to be mis-used – than the use of data should be carefully regulated. The regulation of data though is also a double edged sword. On one hand regulating the use of data can stop a company from misusing information, but on the other hand it can keep a country from having full and equal access to the internet. A question that came out of this discussion on regulation was about the right to be forgotten. Does an individual have the right to regulate all information about themselves that is in the public sphere? Can they ask for their photos or videos to be taken down from the internet? In India this question has yet to be answered by the law, and it is a question that our research is looking into.

Data types and privacy

Emerging from the conversation on database structure, a conversation on types of data in databases was started. The question was raised as to whether or not databases can actually handle certain types of data. The example given was caste-related data. Information about a person’s caste is constantly changing as people lie about their caste, change their caste, and become married and take on another caste. Furthermore, some people do not want to live with their caste and want to shed off their caste. Therefore, can a database accurately represent such a dynamic data set? Is it dangerous to put such a politically volatile concept as caste into a database where it will confine a person to one definition once entered? Another side to this question though is that perhaps it is in fact necessary to try and place a person in one caste, as there benefits enshrined by law based on a person’s caste, and an individual who has the ability to change his/her caste at their whim therefore defeats and takes advantage of governmental benefits. The point was also raised that by placing information like caste and identity into a database, governments have the ability to divide the country into subsets of identities that they decide to generate. Caste is not the only data that faces these complications and issues. For instance religion and race raise similar question. How can you define and represent a person’s relationship with God in a database? How to you represent a child of multiracial parents on a database?

Changes in the relationship between the state and the citizen

It was also brought out that the representation of citizens’ identities on a database changes the relationship between a state and its citizenry. States no longer see citizens as individuals, but instead as data samples. The UID is an example of an e-governance program that if enacted, could further such a change in the relationship between the state and the citizen, as the whole of India will suddenly and ubiquitously be recognized by the Government (and other entities/organizations) according to their aadhaar number. The relationship between the state and the citizen is not the only social change that databases bring about. Databases also change the concept of public space. As web 2.0 has facilitated the generation of large amounts of data, public space has become a space where one enters and interacts as a dataset. For example face book and twitter allow individuals to create datasets of them and interact with other people through their datasets. Beyond social networking online banking and online shopping also push people to form datasets about themselves and interact with services that were traditionally done in person as individuals, as datasets.

Questions of ownership

The above thread of conversation led to the next question of whether or not individuals control technology or whether technology controls individuals. The example of Facebook was used to illustrate this question. Even though Facebook has a privacy policy, once a person engages with Facebook he or she accepts Facebook’s definition of privacy – which is two tiered. On one level Facebook defines user privacy in terms of restriction - allowing the user to limit who can see their profiles. On another level Facebook’s privacy policy allows the company to share and sell personal information. In these ways companies are constructing databases so that instead of the company being the custodian of information – an entity that provides a structure to protect and hold information - the companies are now the owners of information- selling and using individuals information for profit. In India, this is a problem. Companies, once they collect data, treat it as their own - selling and sharing data with third parties, or using it in ways that were not agreed to by the customer. The question of ownership was a critical question for the group. In the discussions it was important to individuals that they had control and ownership over their information. Individuals felt that information that could be traced back to them or their identity belonged to them, and that in order to protect privacy consent should be secured before any information is used. For instance, data mining by websites without notice was seen as a violation of privacy. The collection of data in public places for marketing purposes without a person’s consent or awareness was similarly seen as a privacy violation. It was also brought out from this conversation that the digitization of information has caused a commercialization of information, and that has led to a sense of ownership and need for privacy over information. For example, before, if someone were to take one’s name and mis-use it, that person was charged with defamation – not for violation of privacy – but if someone misuses information that is in a database or online, that person is now charged for a violation of privacy. This shift in thinking is another example of how web 2.0 has increased privacy violations.

Perceptions and expectations of privacy

The day ended with a conversation about the perceptions and expectations of privacy. Privacy as it relates to an individual is almost wholly dependent on expectation, which changes from person to person, from community to community, and from culture to culture. Just as the expectation of privacy varies between individuals, so does the degree of violation. Thus, it is important to recognize the changing nature of privacy, because it explains why it is difficult for the legal system to address all the nuances of privacy with one broad legislation. This point has been crucial in our research thus far as we are consulting with the public, analyzing legislation, and following news items to see if privacy legislation is wanted and needed in India, and if it is - how it should be shaped.

From the conversation on perceptions of privacy and privacy violations it was also brought out that the concept of privacy is on one hand related to the notion of ownership, and on the other hand it is related to the violation. From the experiences shared by individuals, their privacy never became a concern until it was violated, or they learned about someone else’s privacy being violated. This led to the observation that not only is it difficult for the law to address privacy violations because the violation is based on perception, but also because the effect when one’s privacy is violated is often an emotional one.

Conclusion

The conversations held throughout the day showed the dynamic and personal nature of privacy, and how when databases are constructed, and how our lives made digital this personal aspect is easily lost. When we think about the conversations held throughout the day in relation to our initial questions: what are the different ways of imagining privacy, and how is privacy being built into technological systems, besides the three basic themes of privacy highlighted in the beginning of this blog - there emerged to more themes. One theme portrayed an imagination of privacy that is more personal, and that address the emotional component and the perception component to privacy. Another theme portrayed an imagination of privacy that is technologically more controlled, that allows for more personal regulation, more precise segregation of information in a database, and restricted access by third parties. This imagination of privacy can be and is being met by new and developing technologies. Increasingly in many countries technology is being structured with privacy built into the system. The larger question that this open space has raised, and not completely answered is if privacy legislation can adequately protect an individual’s privacy, and if it cannot, can technology can fill the gaps that privacy legislation leaves open.

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy_privacybydesign

The DNA Profiling Bill 2007 and Privacy

elonnai — 2012-03-21T09:40:56Z

In 2007 a bill known as the Draft DNA Profiling Bill was piloted by the Centre for DNA Fingerprinting and Diagnostics, an autonomous organization funded by the Department of Biotechnology, Ministry of Science and Technology, Government of India. The below is a background to DNA collection/analysis in India, and a critique of the Bill a from a privacy perspective.

Introduction

In 2007 a bill known as the Draft DNA Profiling Bill was piloted by the Centre for DNA Fingerprinting and Diagnostics, an autonomous organization funded by the Department of Biotechnology, Ministry of Science and Technology, Government of India[1]. The Bill is pending in parliament. The DNA Profiling Bill looks to legalize the collection and analysis of DNA samples for forensic purposes. We believe that it is important that collection of DNA has associated legislation and regulation, because DNA is sensitive physical evidence that if used correctly can benefit the public good, but if misused can lead to serious privacy and human rights violations. Therefore it is important to create a balance between the constitutional rights of an individual and the public interest and bring accountability and transparency to the practice of DNA collection and testing.

In our research we consulted with GeneWatch UK to learn from their work and experience with DNA testing in the UK. This briefing is meant to give a background on the logistics of DNA testing, highlight ways in which DNA testing raises privacy concerns, and provide a critique of the DNA Profiling Bill.

Background Facts about DNA and DNA testing:

What is DNA: DNA is material that determines a persons hereditary traits such as hair color, eye color, body structure etc. Most DNA is located in the cell nucleus, and wrapped up in small structures called chromosomes. Every person inherits 50% of genetic material from their mother and 50% from their father. Genetic disorders are caused by mutations in a person's DNA, and comparing DNA within families can reveal paternity and non-paternity. DNA is found in every cell of our bodies, and each person has a unique strand of DNA [2]. Thus, DNA is seen as a useful form of identification with marginal room for error [3].

What is a DNA profile/ DNA database, and how can it be used/misused:

When DNA samples are taken from individuals they are analyzed in laboratories to produce a digitized representation of numbers known as a DNA profile. Once created, a DNA profile is stored on a DNA database (i.e. an electronic database) with other identifying information from the individual and information from the crime scene. A DNA profile is based on parts of a person's DNA, so it is not unique to an individual. The probability of an individual's DNA profile matching a stranger's by chance is very small, but not impossible. To collect a sample of DNA police normally use a mouth swab to scrape cells from inside the suspect's cheek. If the individual refuses, their DNA can be obtained by pulling some hairs out of their head (cut hair does not contain DNA, it is only in the roots), if the law allows DNA to be taken without consent. DNA samples are also collected from crime scenes, for example from a blood stain, and analyzed in the same way. DNA samples are sometimes stored indefinitely in the laboratory with a bar code number (or other information) that allows them to be linked back to the individual [3]. Stored DNA profiles from crime scenes can be helpful to exonerate an innocent person who is falsely accused of a crime if their DNA does not match a crime scene DNA profile that is thought to have come from the perpetrator. However, stored DNA profiles from individuals are not needed for exoneration because the individual's DNA can always be tested directly (it does not need to be stored on a database). Collecting DNA profiles from individuals can be useful during an investigation, to compare with a crime scene DNA profile and either exonerate an individual or confirm they are a suspect for the crime. Corroborating evidence is always needed because of the possibility of false matches (which can occur by chance or due to laboratory errors) and because there may be an innocent explanation for an individual's DNA being at a crime scene, or their DNA could have been planted there. Storing DNA profiles from individuals on a database is only useful to implicate those individuals in possible future crimes, not to exonerate innocent people, or to solve past crimes. An individual is implicated as a possible suspect for a crime if their stored DNA profile matches a new crime scene DNA profile that is loaded on to the database. For this reason, most countries only store DNA profiles from individuals who have committed serious crimes and may be at risk of re-offending in the future. Stored DNA profiles could in theory be used to track any individual on the database or to identify their relatives, so strict safeguards are needed to prevent misuse [4].

DNA testing in India:

At present, India does not have a national law that empowers the government to collect and store DNA profiles of convicts, but DNA collection and testing and is taking place in many states. For instance, in Pune the army is currently considering creating DNA profiles of troops who are involved in hazardous tasks inorder to help identify bodies mutilated beyond recognition [5]. In December of this year a judge in the Supreme Court ordered DNA testing on a congress spokesmen to determine if his child was really his child [6]. Also in December this year a news article announced the establishment of the first DNA profiling databank in Nehru Nagar [7]. Additionally DNA has been used to identify criminals , for instance in the Tandoor Murder DNA testing was used to reveal the identity of the culprit [8].

India hosts both private and public DNA labs. Public labs are sponsored by the Government, and use DNA purely for forensic purposes. For example The Centre for DNA Fingerprinting and Diagnostics (CDFD) located in Hyderabad is sponsored by the Department of Biotechnology and Ministry of Science. CDFD runs DNA testing for: establishment of parentage, identification of mutilated remains, establishment of biological relationships for immigration, organ transplantation, property inheritance cases, identification of missing children and child swapping in hospitals, identification of rapist in rape cases, identification in the case of murder.

Cases are only accepted by CDFD if they are referred by law enforcement agencies or by a court of law. Only an officer of the rank Inspector of Police or above may forward DNA cases to CDFD. Copies of DNA report are released to individuals if they are able to prove needed interest in the case through a notarized affidavit [9]. In 2010 CDFD received 100 cases from law enforcing agencies. Additionally, in 2010 CDFD was given rupees eighteen lakhs thirty nine thousand five hundred and forty five from the Government of India towards DNA fingerprinting services [10]. The Indian Government has also established National Facilities for Training in DNA Profiling in order to train individuals in DNA testing and expand the number of DNA examiners and laboratories available in the country [11].

Examples of private DNA labs include DNA labs India and Truth Labs. DNA labs India runs paternity testing, forensic testing, prenatal testing, and genetic testing [12]. Truth Labs is a private lab that provides legal services directly, without a court or police order [13].

The Complexity of privacy and DNA collection/ testing:
As mentioned above, the personal and sensitive nature of DNA, the use of DNA raises many privacy concerns. The concerns fall into three basic areas: first, if a person has given consent to have his or her DNA used for a specific purpose, must the DNA be destroyed or can it be used for other purposes as well? Related to that, if a person must give consent for a specific purpose, what happens if the person is no longer able to give consent -- if, for example, the person has died? Finally, if the testing of one person's DNA yields information that is likely, or probable, or certain to impact another person, does that person have a right to know the information discovered? There are variations on these questions -- as for example does DNA is permitted to be taken without consent (to test for a crime, perhaps), does that lack of need for consent permit all uses of DNA that others want. Who decides? The complexity of these questions demonstrates that in the situation of DNA collection and testing privacy cannot be protected simply through consent from an individual. Instead the law must permit specific thresholds to be established in order to cover the privacy needs of different situations.

Can DNA evidence be considered self-incriminating evidence?
According to the Supreme Court fingerprinting and other physical evidence is not covered by article 20(3). In the case of State of Bombay v. Kathi Kalu Oghad, the courts answered the question of whether or not the freedom against self-incrimination guaranteed under article 20(3) of the Constitution of India – which is meant to protect a person from torture from the police – can be extended to the collection of DNA? the courts answered this question by upholding that
“To be a witness may be equivalent to ‘furnishing evidence’ in the sense of making oral or written statement, but not in the larger sense of the expression so as to include giving of thumb impression or impression of palm or foot or fingers or specimen writing or exposing a part of the body by an accused person for purposes of identification [14]”

Critique of the DNA Profiling Bill 2007

Does India already have sufficient legislation?
The collection and use of biometrics for identification of criminals legally began in India during the 1920's with the approval of the Identification of Prisoners Bill 1920 [15]. The object of the Bill is to “provide legal authority for the taking of measurements of finger impression, foot-prints, and photographs of persons convicted or arrested…”[16] The Bill is still enforced in India, and in October 2010 was amended by the State Government of Tamil Nadu to include “blood samples” as a type of forensic evidence [17]. Other Indian legislation pertaining to forensic evidence is the CrPC and the Indian Evidence Act. In 2005 section 53A of the CrPC was amended to authorize investigating officers to collect DNA samples with the help of a registered medical practitioner, but the Indian Evidence Act fails to manage science and technology issues effectively [18]. The current state of statutes for DNA collection in India are not sufficient as the neglect to lay out precise procedures for collection, processing, storage, and dissemination of DNA samples. One question to consider though is if the Prisoners Identification Bill, CrPC, and Indian Evidence Act could be amended to incorporate DNA, and the needed safeguards, as a type of forensic evidence for all of India.

Lack of requirement for additional evidence: The preamble of the DNA Profiling Bill states that “The Deoxyribose Nucleic Acid (DNA) analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead without any Doubt.” This statement is untrue as DNA test can be compromised under many circumstances including: techniques for declaring a match, the proficiency of examiners, laboratory control standards and statistical problems, and DNA samples can become degraded due to age or exposure to chemical or bacterial agents [19]. Because DNA is not foolproof individuals can be falsely implicated in a crime as a result of an incorrect DNA match. The Bill needs to put in place procedures for the court to recognize the fact that DNA is not 100% foolproof, present the statistics correctly, and require supporting evidence [20].

Scope for DNA Collection: The stated object of the DNA Bill is to: “enhance protection of people and administration of justice, analysis of DNA found at the crime scene, establish identity of victim and offender”. The list of offenses and situations in which the collection and testing of DNA is permitted, found in the Schedule of the Bill, provides for the collection DNA from individuals who are not related to a crime scene, are not victims, and are not criminals. Furthermore, section 13(xxii) allows this list to be expanded by the DNA board. We believe these sections should be omitted from the scope of the Bill, so that it is limited to only identifying individuals who are victims and offenders, and that a statutory body besides the DNA board be given the authority to expand the list of proposed offences [21]. Furthermore, within the Bill there are many places where vague language permits the DNA testing of individuals who are not yet convicted of a crime, which will constitute an invasion of privacy unless the DNA is provided voluntarily to release a person suspected or accused of a crime [22]. Additionally as mentioned above it is critical that the Bill recognizes and allows for different thresholds of privacy when collecting, analyzing and sharing DNA profiles.

Clear definition of when collection of DNA samples can be taken: The schedule of the Bill only lists the offenses and situations for which the collection of DNA is permitted. We believe a provision must be added that clarify when exactly DNA can be collected e.g. whether the DNA can be collected on arrest or on charge, whether the DNA has to be relevant to the offence, or whether the police decide this for themselves, and what are the oversight mechanisms for these decisions [23].

Privacy Principles: The Bill enables the DNA Profiling Board to recommend privacy protection statutes, regulations, and practices concerning: use and dissemination, accuracy, security, and confidentiality, and destruction of DNA information [24]. Privacy principles should not be left to recommendations by the board or to regulations of the Bill, but instead should be incorporated into the Bill itself to ensure that such practices are in place if the Bill is passed. Furthermore, the appropriate collection, access, and retention of DNA information should be specified in this Bill.

Obligations for DNA laboratories: Section 19 of the Bill lays out the obligations of DNA laboratories [25]. We recommend that the implementation of a privacy policy should be mandatory under this section.

Storage of DNA profiles and samples: Currently the Bill allows for the complete storage of DNA of: volunteers, suspects, victims, offenders, children (with parental consent), and convicted persons. DNA samples taken from individuals contain unlimited genetic information (including health-related information) and are not needed for identification purposes once the profiles have been obtained from them, thus we recommend that the bill requires that DNA samples be stored temporarily for quality assurance purposes (e.g. for up to six months) and then destroyed to prevent misuse. This is an important privacy protection, which also reduces the cost of storing samples. The only purpose of retaining DNA profiles on a criminal database is to help identify the individual if they reoffend. Thus we recommend that the criminal databases should be restricted to holding DNA profiles only from convicted persons, and the types of offence and time period for retention should be limited. Although DNA profiles may have alternative uses other than solving crimes (e.g. identifying missing persons) we recommend that the missing persons databases are kept separate from criminal databases. Furthermore, although collecting DNA from victims and volunteers may be useful during the investigation of a crime, DNA profiles obtained from victims and volunteers should be destroyed once an investigation is complete.

Conflicting Clauses: Section 14 of the Bill provides that DNA laboratories can only undertake DNA procedures with the approval, in writing, from the DNA profiling Board. Section 15(2) contradicts this statement by permitting already existing DNA laboratories to function and use DNA already collected even before they receive approval from the DNA profiling Board. We suggest that Section 14 is clearly written so that DNA laboratories that have already been set up are unable to continue functioning until they have met the approval of the DNA Profiling Board, and Section 15(2) should thus be deleted.

Access: According to section 41 of the Bill, the Data Bank Manager is given sole discretion as to who may have access to the DNA database, including persons given access for training purposes [26]. Low standards such as these vest too much discretion in the Data Bank Manager. We recommend that access is strictly limited to trained personnel who have undergone proper security clearance. Furthermore, we recommend that the role of Data Bank Manager be analogous to a custodian for the databank. Thus, the manager would be accountable for the integrity and security of the data held in the DNA databank.

Offenses: Though the Bill provides for penalties such as unauthorized access, disclosure, destruction, alterations, and tampering [27], the Bill fails to provide punishment for the illegal collection of DNA samples. This should be made an offense under the Bill.

Redress: The Bill provides no redress mechanism to an individual whose DNA was illegally used or collected. Furthermore, section 49 (1) only permits the Central Government or DNA Profiling Board to bring complaints to the courts [28]. Thus, we recommend that individuals are enabled to bring charges against entities (such as DNA labs or police officials) for the misuse of their data.

Delegation of powers: The Bill allows the DNA Profiling Board to form committees of the members and delegate them the powers and functions of the board. This clause could allow outsourcing, and could allow a dilution of authority by which the DNA Profiling Board weighs approval or rejection of requests [29]. We recommend that the outsourcing of functions be limited to administration duties and jobs that do not directly relate to the core duties of the DNA Profiling Board.

Access by law enforcement agencies: The Bill currently allows for the DNA Profiling Board to grant law enforcement agencies access to DNA profiles [30]. We recommend that DNA profiles are only accessed by the Data Bank Manager. Law enforcement agencies should send requests for matches to the Data Bank Manager, and the Manger would provide the needed intelligence [31].

Public interest: The Bill allows for DNA laboratories to continue to operate, even if the laboratory has violated the specified procedures, if the DNA Profiling Board finds it in the public interest [32]. We believe that where there have been violations, a laboratory should be required to demonstrate remediation before being allowed to resume operations.

Contamination of DNA samples: Currently the Bill holds laboratories responsible for “minimizing the contamination of DNA.”[33] DNA Laboratories should be held fully and legally responsible for preserving the quality of DNA samples. If a DNA sample is contaminated, and the DNA lab does not follow due diligence to discard the contaminated sample and or collect a new sample, and subsequently the DNA used wrongly against an individual - an individual should have the ability to press charges against the institution.

Audits: The Bill provides for the auditing of DNA laboratories, but the DNA Profiling Board must also undergo annual audits [34].

Indices Held by DNA Banks: Under section 33 (4),(5)The Bill provides for the DNA data bank to set up indices that hold DNA identification records and DNA analysis from: crime scenes, suspects, offenders, missing persons, unknown deceased persons, volunteers and such other indexes as specified by regulations. We believe the DNA data bank should not hold indexes on suspects, missing persons, or volunteers without consent and the ability for the individual to withdraw their consent. Furthermore, the Bill requires the taking of a victim’s DNA, but it is not listed as an index. We recommend that this section be deleted, as the creation of a DNA index is simply another copy of a DNA profile, and it does not serve a particular purpose.

Communicating of DNA Profile with Foreign States: Section 35 permits, with the approval of the Central Government, the sharing of DNA profiles with Foreign States [35]. We recommend that communication and use of a DNA profile with Foreign States should be limited to comparison only.

Access to Data Banks for administration purposes: Section 39 of the Bill permits access to the databank for “administrative purposes”. We recommend that the Bill clarify what exactly constitutes “administrative purposes”, and clarify that the process/procedures that permit access to data banks for administration purposes will not require access to data stored in Data Banks [36].

Enforcement for the removal of innocents: Section 36(3) of the Bill requires that the DNA profile of individuals who are found innocent be removed from the database. This provision should have legal mechanisms to ensure enforcement of the provision e.g. reporting by the Board [37].

Ability to access one’s own DNA Profile: A provision should be added to the Bill that gives individuals the right to ask the police for any of their own details held on police databases, so an individual has the ability to know if their data is being held against the law [38].

Clear Definition of identity: Section 33(6)(i) maintains that the DNA Data Bank will contain in relation to each of the DNA profiles… the “identity of the person”. The Bill needs to define what is "identity" and how “identifying” information can be used. Furthermore, it is important to ensure that no other information (like an identity number) that would allow for function creep, is included in the DNA data base[39].

Transparency of the DNA board: Section 13 of the Bill describes the powers and functions the DNA Board. In this section the DNA board should be required to publish and submit minutes and annual reports including detailed information on how it has exercised all its functions to the public and to Parliament. The report should include: numbers of profiles added to the database; numbers removed on acquittal, numbers of matches and solved crimes; costs; numbers of quality assurance inspections, and breakdowns of these figures by state [40].

Restricted use of DNA database: Section 39 (1) of the Bill permits the DNA database to be used for identification purposes that are not related to solving a crime including the “ identification of victims of: accidents, disasters or missing persons or for such other purposes”. The DNA database should be restricted to the identification of a perpetrator of a specified criminal offence, and consent or a court order must be sought for any other use of the database for identification purposes.

Probability of error published: Because profiles found in the DNA data base are comprised of only parts of individuals DNA, the profiles are not unique to individuals. Thus, the number of false matches that are expected to occur by chance between crime scene DNA profiles and stored individual's profiles depends on how the profiling system used, how complete the crime scene DNA is before it is added to the database (many crime scene DNA stains are degraded and not complete), and how many comparisons are done (i.e. how big the database it is and how often it is searched). With a population the size of India, the number of these false matches could be very high. The DNA board needs to take this probability for error into consideration and publish researched statistics on how many false matches they expect to occur purely by chance, based on the numbers of profiles they expect to store under the proposed criteria for entry and removal of profiles [41].

Cost analysis: The DNA board should publish a cost benefit analysis for the implementation the Bill. This should include the cost of storing samples, collecting sample, and testing samples [42].

Bibliography

http://www.cdfd.org.in/
http://ghr.nlm.nih.gov/handbook/basics/dna
Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 pg.6, 22
Ibid email conversation with Dr. Wallace from Genewatch UK April 2nd 2002
http://articles.timesofindia.indiatimes.com/2011-01-02/india/28371869_1_dna-data-bank-blood-samples-bodies
http://www.merinews.com/article/justice-s-rabindra-bhatt-orders-dna-test-for-nd-tiwari/15838508.shtml
http://www.dnaindia.com/mumbai/report_nehru-nagar-first-region-in-country-to-have-dna-profiling-database_1477211
Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007. Pg.263
http://www.cdfd.org.in/servicespages/dnafingerprinting.html
ibidhttp://www.cdfd.org.in/image/AR_2009_10.pdf
http://planningcommission.nic.in/plans/planrel/fiveyr/11th/11_v1/11v1_ch8.pdf
http://www.dnalabsindia.com/
http://www.truthlabs.org/
AIR 1961 SC 1808
The Prisoners Identification Bill was most recently amended 1981
http://lawcommissionofindia.nic.in/51-100/report87.pdf
http://www.tn.gov.in/stationeryprinting/extraordinary/2010/305-Ex-IV-2.pdf
Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 pg. 259
Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 pg. 245
Email conversation with Dr. Wallace from Genewatch UK. April 2nd
Schedule of offenses 5) Miscarriage or therapeutic abortion, b. Unnatural offenses, 7) Other criminal offenses b. Prostitution 9) Mass disaster b) Civil (purpose of civil cases) c. Identification purpose 10) b) Civil:1) Paternity dispute 2) Marital dispute 3) Infidelity 4) Affiliation c) Personal Identification 1) Living 2) Dead 3) Tissue Remains d)
2 (xxvii) “offender” means a person who has been convicted of or is under trial charged with a specified offense.
2(1)(vii) “crime scene index” means an index of DNA profiles derived from
forensic material found: (a) at any place (whether within or outside India) where a specified offense was, or is reasonably suspected of having been, committed;
or (b) on or within the body of the victim, or a person reasonably
suspected of being a victim, of an offense (DNA Profiling Bill)
Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 Pg. 291
Section (1) (xv) –(xvi) of DNA Profiling Bill
Section 19 of DNA Profiling Bill
Section 41(i) (ii) of DNA Profiling Bill
Section 45, and section 46 of DNA Profiling Bill
Section 49 (1) of DNA Profiling Bill
Section 52 (2) The DNA Profiling Board may, by a general or special order in writing,
also form committees of the members and delegate to them the powers
and of the Board as may be specified by the regulations.
Section 13(x), Section(2) The DNA Profiling Board may, by a general or special order in writing,also form committees of the members and delegate to them the powers and functions of the Board as may be specified by the regulations.
Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 Pg. 300
Section 17 (2) of DNA Profiling Bill
Section 22 of DNA Profiling Bill
Section 28 of DNA Profiling Bill
Section 35 (1) of DNA Profiling Bill
Section 39 of DNA Profiling Bill
http://www.genewatch.org/sub-539478
http://www.genewatch.org/sub-539478
http://www.genewatch.org/article.shtml?als[cid]=492860&als[itemid]=567376
Email conversation with Dr. Wallace from Gene Watch UK April 2nd
Standard setting and quality regulation in forensic science. GeneWatch UK submission to the Home Office Consultation.
October 2006.
Standard setting and quality regulation in forensic science. GeneWatch UK submission to the Home Office Consultation.
October 2006.

For more details visit https://cis-india.org/internet-governance/blog/privacy/dna-profiling-bill

An Interview with Activist Shubha Chacko: Privacy and Sex Workers

elonnai — 2012-03-28T06:26:03Z

On February 20th I had the opportunity to speak with Shubha Chacko on privacy and sex workers. Ms. Chacko is an activist who works for Aneka, an NGO based in Bangalore, which fights for the human rights of sexual minorities. In my interview with Ms. Chacko I tried to understand how privacy impacts the lives of sex workers in India. The below is an account of our conversation.

Introduction

In our research we have been exploring where and how privacy is found in different areas of Indian society, law, and culture. As part of our research we have been holding public conferences across the country to raise awareness and gather opinions around privacy. One area that was discussed in the public conference in Bangalore was the privacy of sex workers. Shubha Chacko, who is from Aneka - an NGO located in Bangalore which fights for the human rights of sexual minorities, made a presentation that focused on the privacy challenges that sex workers in India face. In our interview Ms. Chacko pointed out many misconceptions that society holds about sex workers’ lives. She also detailed the challenges of stigma and discrimination that sex workers face, and described the precarious position that sex workers find themselves in as their work is constantly being pushed out of the public sphere by the law and society. I later interviewed Ms. Chacko to follow up on her presentation on privacy and sex workers. During the interview I had the opportunity to speak with both Ms. Chacko and a board member from the Karnataka Sex Workers Union. The following is meant to provide a perspective on how and in what ways society, law, media and tradition invades the privacy of sex workers. Though the piece is focused on the lives of sex workers, many of the issues raised are not limited to only sex workers, but characterize other marginalized communities as well.

When I began the interview with Ms. Chacko I was hoping to do a piece that looked at the different elements of a sex worker’s life, and identified the points at which their privacy was invaded – such as in contacting a client, going to the doctors, etc. After I began my interview only, I realized how privacy impacts sex workers is much more complicated than a life cycle analysis. Among other things, privacy issues for sex workers prompt questions challenging social definitions of public and private, having the right to an identity and a recognized profession, and having the autonomy to control decisions about oneself.

Basic Facts and Background Information:

Karnataka has been found to have 85,000 sex workers, and India has an estimated 2 million female sex workers [1]

Sex work is not against the law in India, but any commercialized aspect of the trade is prohibited – including running a brothel or soliciting a client.

Sex work is a multi-faceted profession with many positive and negative complexities that are rarely known to the public.

Understanding the Challenge of the Public and the Private

My interview with Ms. Chacko began with my seeking an understanding of the challenges that traditional notions of the public sphere and the private sphere pose for sex workers. Ms. Chacko explained that to understand how privacy impacts the life of a sex worker, it is important to first understand that sex workers by profession confront and question traditional conceptions of the public and the private. Sex and everything associated with it is seen as something that is to be kept only in the private sphere. The work of sex workers brings sex into the public sphere, and thus the workers are seen as being public women not entitled to privacy, because they stand on street corners and conduct their work in the public. This notion that sex workers are public women without a right to privacy shows through in the way they are treated by the media, the police, NGOs, and researchers. An example of this tension and society’s response can be seen in the recent elections. On April 6th, a Times of India news article reported that the election commission will be setting up “special booths” for sex workers to vote in because “while the sex workers had been waiting in queues to cast their votes, common people were not comfortable with that”[2]

What is the Challenge of the Public and the Private?

“It starts with a conception of issues around privacy vis-à-vis sex workers. The general perception is that sex workers are considered “public women”, because they are considered available to the public and because they sell sexual services on the streets (and are seen in contrast to the “good” woman who is confined to the private world of the home This then leads people to assume that then sex workers have are not entitled to privacy. Also sex workers are forced to reckon with issues of sex and sexuality, and if you talk about issues of sexuality - issues that are considered private are forced into the public domain, so sex workers by their presence force these issues into the public domain. So notions of privacy become complicated by this challenge of what is public and private, because the sex workers’ presence brings into the public domain what is private.”

How does this tension of the public and the private translate into privacy violations?

"Due to the stigma around sex work all rights of sex workers are seriously compromised; with impunity. Thus, privacy is a threshold issue.

The violation of privacy happens at various points, for example the way the media deals with them – publishing their photographs, outing them without their consent, talking about them without their consent. There are the police who are often engaged in so called “rescue and rehabilitation” work, but in the process of rescuing the sex workers, disregard the harmful impacts that compromising their right to privacy will do to them. The HIV prevention intervention programs that are in place now that target sex workers (along with other ‘high risk groups”) also erode their right to confidentiality. Besides intimate details of their lives being recorded, their address and other coordinates are noted. This information along with other sensitive information including their HIV status, is often accessible to a host of people and is a potential threat to their privacy and anonymity. Researchers and NGOs too often quiz sex workers about a range of intimate details about their lives with little sensitivity and expect them to be totally candid. These interviews also raise questions that relate to privacy."

Stigma, Discrimination, and Identity

Ms. Chacko also spoke about how the stigma and discrimination that sex workers face invades their privacy. Society views sex workers in one light – as immoral women. This stigma is attached to them permanently and is a source of violence and discrimination in the home, from the state, and from society. The sex workers’ right to anonymity and identity is also restricted because of the stigma attached to their work. Sex workers do not have the ability to control information about themselves, and they face challenges in obtaining official documents like a PAN card or a passport. This stigma and its consequences impedes sex workers from functioning comfortably in society and creates a difficult tension for sex workers to live with. Society denies the presence of sex workers, and police patrol parks and other public areas chasing away individuals whom they believe to be sex workers. The increased passivisation of public spaces – parks, (for example) and the over gentrification of the neighborhoods squeeze them out

In New York, one way that sex workers have overcome this constant and sometimes violent confrontation with society is through the use of mobile phones. Sex workers will contact clients only through mobile phones. This allows them to find their clients in private and anonymous ways, and it eliminates the need of a pimp or other type of ring leader. When I asked Ms. Chacko if sex workers are using this same technique in India, she recognized that they are, but said that it is not a yet widely practiced - especially among women in rural areas.

How Restricting is the Stigma?

“Huge - hardly ever does a person’s entire identity get conflated with her with occupation or livelihood option; the way it does with sex workers. … I mean, for example, if you go to a movie - people would not say; oh, look, there is a researcher come to see a movie - people would call you by name, but if a sex worker goes to a movie they always say: oh, look, there is a sex worker. There is only one side to her identity according to society. And everyone wants to know the same thing - How did they get into sex work. There is an excessive interest in this aspect alone (and generally they are seeking simple answers) - they never ask other questions about them as a person, only about them as a sex worker. Thus, real issues of violence and exploitation are never dealt with”.

HIV Initiatives, Medical Counseling , and Privacy

Medical consultations, especially those related to HIV/AIDS, in many ways violate the privacy of sex workers.

HIV Initiatives

HIV initiatives run by the Government are often invasive and function off of privacy-violating techniques. The government runs many HIV initiatives where sex workers are employed to be “peer educators.” A peer educator’s job is to spread awareness about HIV, distribute condoms, and bring sex workers for HIV testing. The privacy and anonymity of peer educators is compromised in the job title itself. Everyone in the community knows that to be a peer educator, one must also be a sex worker. Thus, if a person is a peer educator or with a peer educator, she is immediately outed and identified as a sex worker. Furthermore, HIV testing is compulsory for sex workers, though on paper it looks as though it is a choice. Because there are quotas that must be filled, sex workers often go through HIV testing without full consent.

How do Government HIV Initiatives Violate Privacy?

“The whole HIV intervention itself violates sex workers’ privacy. Both in the sense that people get jobs as peer educators and they have to carry condoms around and talk to other sex workers, and everyone thinks that if you are a peer educator then you are a sex worker, and there is no protection for these people even though it is sponsored by the state government.”

Line Listing

The HIV programs and testing centers also violate the privacy of sex workers. The clinics have a system known as line listing, which is meant to ensure that there are no duplications in data. In order to ensure this they collect identifying information from sex workers including address and phone number. The information is not protected and is easily accessible to whoever wishes to see it.

Line Listing and Privacy

“HIV programs have a process called line listing, which is to ensure that there is no duplication. So they take all your facts from you, and from that a sex workers address and such go out, and it’s put out with no safeguards.”

HIV Counselors and Doctors

HIV counselors also violate the privacy of sex workers. Though a patient’s HIV status is only supposed to be known to the counselor at the testing clinic and the lab technician, it often becomes the case that HIV results are widely shared. As per protocol, doctors and counselors must follow up with sex workers every three months if a sex worker is HIV negative. This is to ensure that they are still HIV negative, and to provide them treatment at the soonest if they do contract the disease. To carry out this follow-up work, counselors keep a list of patients whom they have seen. This list is supposed to be confidential, but other personnel in the hospital are assigned to do the follow-up phone calls, and thus the list is in fact easily accessible. If a person’s name disappears from the list, it is obvious that the person is now HIV positive, and that person’s privacy is violated and her status known.

How does HIV Counseling compromise Privacy?

“…only the counselor and the lab technician is supposed to know about it, but it turns out a whole number of people know about it, because of follow up. The counselor is supposed to follow up on the list with people every three months for further testing, but if you are positive then you do not need to follow up. Plus, these results are shared with everyone. Because of the stigma attached to HIV there is a need for privacy to be protected, so confidentiality is routinely violated.”

Media and Research

Media

Media was another area of contention that Ms.Chacko pointed out. Though the media plays an important role as being a channel for the voice of sex workers, it can also be intrusive on the sex worker by publishing stories without their consent, or reporting in ways that can be misconstrued. Through their coverage, the media can also deepen the stigma against sex workers and place them under an unwanted social spotlight. For example, a news article in The Hindu spoke about the World Cup bringing an “off day” for sex workers.

“With hoards of supporters glued to their television screens for the World Cup cricket final between India and Sri Lanka on Saturday, sex workers are anticipating a slow day, but they are not disappointed. It is a rare weekend for them with their children. The prospects of fewer clients coming in only buoyed the enthusiasm of the women in Sonagachi, the largest red-light area in the city…”[3]

The media is also often a part of raids by cover stories of brothels being uncovered, and in doing so expose the lives of sex workers, often printing sensitive information, including addresses, while portraying the sex workers as victims. The media, along with NGOs and the police will conduct raids that severely violate the privacy of sex workers. For example, in an Express India article a raid was described that took place in Pune with NGOs and the police in which sex workers were dragged out, beaten, and molested by the police against their will [4].

How does the media violate the privacy of sex workers?

“The media conducts raids, and so do NGOs in an attempt to rescue them. Once they are rescued and taken back with police escorts to their village, the whole village knows that she was in sex work, and then her privacy is violated because she was publicly returned. My problem is not about them being rescued, but they need to have consent from the person. If a person wants to do sex work – this decision needs to be respected. The media is difficult because you don’t want to ask for a ban, so we don’t ask for banning, but we do put pressure on the media to be more responsible in their reporting.”

Research/Films

Ms. Chacko also spoke about how research often violates the privacy of sex workers, in ways that range from the words that are used to describe sex workers to the one-sided victim story that is too often used to describe the lives of sex workers, to the methods researchers use to find their facts. Thus, perhaps without meaning to, research can de-legitimatize the work that sex workers do, and can work to increase the amount of violence or abuse that they are exposed to.

Research and Privacy

“Researchers who are writing a report on sex workers - land up in some village and end up violating their privacy as everyone in the village wants to know why the researchers came. The researchers also ask invasive questions. They want to know details about the sex workers’ lives: what kind of sex they have and with whom? What do they experience with their clients? What is their relationship with their partners? What is the status of their relationship.? They do not have a sense of whether the workers will want to talk about their lives or not…Some people make films and some make them in extremely exploitative ways. Films are also often incorrect and invasive of privacy in that way as well.”

The Role of a Privacy Legislation

In our research, we are looking at how a privacy legislation could help remedy the challenges to privacy that different people face in society; or ,if a privacy legislation cannot offer a solution, if there are other ways in which a legislation or society can offer solutions. When I asked Ms. Chacko if a privacy legislation or the right to privacy could improve the lives of sex workers, she was not certain if a privacy legislation would make a difference directly, and thought it might in fact overlook sex workers because currently they are seen in society as immoral women that are not to be afforded the right to privacy. In fact, it is the law and enforcers of the law itself that is invading their privacy. For example, in a study done by the World Health Organization it was found that in India 70 per cent of sex workers in a survey reported being beaten by the police, and more than 80 per cent had been arrested without evidence [5]. Thus, before a right to privacy can apply to sex workers, sex work itself must be decriminalized and recognized as a legitimate profession worthy of labor rights and other rights. Furthermore the debate around sex work needs to move away from the traditional dialogue of who is having sex and who is not to one that looks at what rights should be protected for every person. At that point perhaps a law which protects dignity and regulates the use of information could be useful. On another note, the UID (the Unique Identification Project) could be a potential benefit for sex workers as it would serve as identity that would give only a yes or no response at the time of a transaction.

Could a Privacy Legislation help?

“Some of the privacy is violated by the raids that happen by the police. So those raids are problematic. What kind of laws would help? One would be to decriminalize sex work itself and also work with society to gain understanding and perspective. Because now people think: they are immoral women ,so what privacy do they deserve? The sexual debate should not be about who is having sex and who is not, but about who has the power…”

The Current Law

In India, the Immoral Trafficking prevention Act ( ITPA) is the law that governs sex work. The ITPA does not make prostitution illegal, but instead tries to target the commercialized aspects of the trade such as brothel keeping, pimping, and soliciting. Though the law does not attack the sex workers as individuals, and its stated purpose is to prevent the trafficking of sex workers, the law has become a tool of harassment and abuse by law enforcement agencies. Sections 5A, 5B, 5C, which pertain to trafficking are the most troublesome, because the clauses do not distinguish between trafficking and sex work, but instead defines them as the same[6]. Thus, the new definitions of prostitution and trafficking leave room for reading all sex work as within the meaning of trafficking, and thus criminalizing sex work by defacto.[7] In addition, under the new Section 5C, clients visiting or found in a brothel will face imprisonment and/or fines [8]. Penalization of clients is a significant modification to the the ITPA, which formally targeted 'third parties' profiting from prostitution and not sex workers or clients themselves [9]. Sex workers have fought for a long time to overturn the ITPA. In June 2008, sex workers went on a hunger strike in the hopes of forcing the bill to be discarded [10]. In 2010 sex workers demonstrated against the amendment of the ITPA that would hold the clients of sex workers liable. Despite their protests and demands for their occupation to be treated equally, the Indian courts are slow to move forward and recognize sex work as a dignified profession. “A woman is compelled to indulge in prostitution not for pleasure but because of abject poverty,” the court said last month. “If such woman is granted opportunity to avail some technical or vocational training, she would be able to earn her livelihood by such vocational training and skill instead of selling her body.” The court has also promised to initiate a program in May for vocational training of sex workers [11]. Unfortunately, vocational training fails to address the actual issues and violations that sex workers face – a fact that was demonstrated by one sex worker’s saying: “If we can’t solicit clients without getting arrested, we will naturally rely on pimps to carry on our trade…What we need are practical measures that free us from exploitation created by the law itself.”

Solutions

One of the most impactful source of aid for sex workers currently is the sex workers union. I had the opportunity to speak with a member from the board of the Karnataka Sex Workers
union. She spoke about the challenges that sex workers face and how the Union provides assistance to the sex workers. The union helps them obtain benefits, helps with enrolling their children in schools, and answers questions that they would not be able to seek legal or other assistance on. The union is a confidential and safe space for sex workers to function in society. The person interviewed feels as though the information about herself that should be kept confidential is: her medical information, her clients, where she meets her clients, and information about her family. Ms. Chacko also spoke about the positives that an identity scheme like the UID could have on sex workers, because the transactions would be done through a yes/ no response, and no one will be denied a UID number. Most importantly, Ms. Chacko stressed that it is important to recognize sex work as a legitimate profession,and focus on the actual problems, rather than limiting the debate to stigmas around sex. The interview with Ms. Chacko demonstrated that protection of sex workers’ and sexual minorities’ privacy cannot be addressed simply by a law, but must be embodied by an ethos and a culture before that law is meaningful.

Bibliography

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy_privacyandsexworkers

Limits to Privacy

praskrishna — 2012-12-14T10:28:59Z

In this chapter we attempt to build a catalogue of these various justifications, without attempting to be exhaustive, with the objective of arriving at a rough taxonomy of such frequently invoked terms. In addition we also examine some the more important justifications such as “public interest” and “security of the state” that have been invoked in statutes and upheld by courts to deprive persons of their privacy.

For more details visit https://cis-india.org/internet-governance/publications/limits-privacy.pdf

Privacy and the Information Technology Act — Do we have the Safeguards for Electronic Privacy?

Prashant Iyengar — 2012-12-14T10:29:12Z

How do the provisions of the Information Technology Act measure up to the challenges of privacy infringement? Does it provide an adequate and useful safeguard for our electronic privacy? Prashant Iyengar gives a comprehensive analysis on whether and how the Act fulfils the challenges and needs through a series of FAQs while drawing upon real life examples.

What kinds of computer related activities impinge on privacy?

Although Information and Communications Technologies (ICTs) have greatly enhanced our capacities to collect, store, process and communicate information, it is ironically these very capacities of technology which make us vulnerable to intrusions of our privacy on a previously impossible scale. Firstly, data on our own personal computers can compromise us in unpleasant ways — with consequences ranging from personal embarrassment to financial loss. Secondly, transmission of data over the Internet and mobile networks is equally fraught with the risk of interception — both lawful and unlawful — which could compromise our privacy. Thirdly, in this age of cloud computing when much of "our" data — our emails, chat logs, personal profiles, bank statements, etc., reside on distant servers of the companies whose services we use, our privacy becomes only as strong as these companies’ internal electronic security systems. Fourthly, the privacy of children, women and minorities tend to be especially fragile in this digital age and they have become frequent targets of exploitation. Fifthly, Internet has spawned new kinds of annoyances from electronic voyeurism to spam or offensive email to ‘phishing’ — impersonating someone else’s identity for financial gain — each of which have the effect of impinging on one’s privacy.

Although there are a number of technological measures through which these risks can be reduced, it is equally important to have a robust legal regime in place which lays emphasis on the maintenance of privacy. This note looks at whether and how the Information Technology Act that we currently have in India measures up to these challenges of electronic privacy [1].

What provisions in the IT Act protect against violations of privacy?

At the outset, it would be pertinent to note that the IT Act defines a ‘computer resource’; expansively as including a “computer, computer system, computer network, data, computer database or software” [2]. As is evident, this definition is wide enough to cover most intrusions which involve any electronic communication devices or networks — including mobile networks. Briefly, then IT Act provides for both civil liability and criminal penalty for a number of specifically proscribed activities involving use of a computer — many of which impinge on privacy directly or indirectly. These will be examined in detail in the following sub-sections.

Intrusions into computers and mobile devices

accessing

downloading/copying/extraction of data or extracts any data

introduction of computer contaminant[3];or computer virus[4]

causing damage either to the computer resource or data residing on it

disruption

denial of access

facilitating access by an unauthorized person

charging the services availed of by a person to the account of another person,

destruction or diminishing of value of information

stealing, concealing, destroying or altering source code with an intention

The Act provides for the civil remedy of “damages by way of compensation” for damages caused by any of these actions. In addition anyone who “dishonestly” and “fraudulently” does any of these specified acts is liable to be punished with imprisonment for a term of upto three years or with a fine which may extend to five lakh rupees, or with both[5].

Bangalore techie convicted for hacking govt site (2009, Deccan Herald)[6]

In November 2009, The Additional Chief Metropolitan Magistrate, Egmore, Chennai, sentenced N G Arun Kumar, a techie from Bangalore to undergo a rigorous imprisonment for one year with a fine of Rs 5,000 under section 420 IPC (cheating) and Section 66 of IT Act (hacking).

Investigations had revealed that Kumar was logging on to the BSNL broadband Internet connection as if he was the authorised genuine user and ‘made alteration in the computer database pertaining to broadband Internet user accounts’ of the subscribers.

The CBI had registered a cyber crime case against Kumar and carried out investigations on the basis of a complaint by the Press Information Bureau, Chennai, which detected the unauthorised use of broadband Internet.

The complaint also stated that the subscribers had incurred a loss of Rs 38,248 due to Kumar’s wrongful act. He used to ‘hack’ sites from Bangalore as also from Chennai and other cities, they said.

Children's privacy online

As computers and the Internet become ubiquitous children have increasingly become exposed to crimes such as pornography and stalking that make use of their private information. The newly inserted section 67B of the IT Act (2008) attempts to safeguard the privacy of children below 18 years by creating a new enhanced penalty for criminals who target children.

The section firstly penalizes anyone engaged in child pornography. Thus, any person who “publishes or transmits” any material which depicts children engaged in sexually explicit conduct, or anyone who creates, seeks, collects, stores, downloads, advertises or exchanges this material may be punished with imprisonment upto five years (seven years for repeat offenders) and with a fine of upto Rs. 10 lakh.

Secondly, this section punishes the online enticement of children into sexually explicitly acts, and the facilitation of child abuse, which are also punishable as above.

Viewed together, these provisions seek to carve out a limited domain of privacy for children from would-be sexual predators.

The section exempts from its ambit, material which is justified on the grounds of public good, including the interests of "science, literature, art, learning or other objects of general concern". Material which is kept or used for bona fide "heritage or religious purpose" is also exempt.

In addition, the newly released Draft Intermediary Due-Diligence Guidelines, 2011 [7]require ‘intermediaries’[8]to notify users not to store, update, transmit and store any information that is inter alia, “pedophilic” or “harms minors in any way”. An intermediary who obtains knowledge of such information is required to “act expeditiously to work with user or owner of such information to remove access to such information that is claimed to be infringing or to be the subject of infringing activity”. Further, the intermediary is required to inform the police about such information and preserve the records for 90 days.

Electronic Voyeurism

Although once regarded as only the stuff of spy cinema, the explosion in consumer electronics has lowered the costs and the size of cameras to such an extent that the threat of hidden cameras recording people’s intimate moments has become quite real. Responding to the growing trend of such electronic voyeurism, a new section 66E has been inserted into the IT Act which penalizes the capturing, publishing and transmission of images of the "private area" [9]of any person without their consent, "under circumstances violating the privacy" [10] of that person.

This offence is punishable with imprisonment of upto three years or with a fine of upto Rs. two lakh or both.

Phishing – or Identity Theft

The word 'phishing' is commonly used to describe the offence of electronically impersonating someone else for financial gain. This is frequently done either by using someone else’s login credentials to gain access to protected systems, or by the unauthorized application of someone else’s digital signature in the course of electronic contracts. Increasingly a new type of crime has emerged wherein sim cards of mobile phones have been ‘cloned’ enabling miscreants to make calls on others' accounts. This is also a form of identity theft.

Two sections of the amended IT Act penalize these crimes:

Section 66C makes it an offence to “fraudulently or dishonestly” make use of the electronic signature, password or other unique identification feature of any person. Similarly, section 66D makes it an offence to “cheat by personation” [11] by means of any ‘communication device’[12] or 'computer resource'.

Both offences are punishable with imprisonment of upto three years or with a fine of upto Rs. one lakh.

Mumbai Police Solves Phishing scam [13]

In 2005, a financial institute complained that they were receiving misleading emails ostensibly emanating from ICICI Bank’s email ID.

An investigation was carried out with the emails received by the customers of that financial institute and the accused were arrested. The place of offence, Vijaywada was searched for the evidence. One laptop and mobile phone used for committing the crime was seized.

The arrested accused had used open source code email application software for sending spam e-mails. He had downloaded the same software from the Internet and then used it as it is.

He used only VSNL to spam the e-mail to customers of the financial institute because VSNL email service provider does not have spam box to block the unsolicited emails.

After spamming e-mails to the institute customers he got the response from around 120 customers of which 80 are genuine and others are not correct because they do not have debit card details as required for e-banking."

The customers who received his e-mail felt that it originated from the bank. When they filled the confidential information and submitted it the said information was directed to the accused. This was possible because the dynamic link was given in the first page (home page) of the fake website. The dynamic link means when people click on the link provided in spam that time only the link will be activated. The dynamic link was coded by handling the Internet Explorer onclick () event and the information of the form will be submitted to the web server (where the fake website is hosted). Then server will send the data to the configured e-mail address and in this case the e-mail configured was to the e-mail of the accused. All the information after phishing (user name, password, transaction password, debit card number and PIN, mother’s maiden name) which he had received through the Wi-Fi Internet connectivity of Reliance.com was now available on his Acer laptop.

This crime was registered under section 66 of the IT Act, sections 419, 420, 465, 468 and 471 of the Indian Penal Code and sections 51, 63 and 65 of the Indian Copyright Act, 1957 which attract the punishment of three years imprisonment and fine upto Rs 2 lac which the accused never thought of.

Spam and Offensive Messages

Although the advent of e-mail has greatly enhanced our communications capacities, most e-mail networks today remain susceptible to attacks from spammers who bulk-email unsolicited promotional or even offensive messages to the nuisance of users. Among the more notorious of these scams is/was the so-called "section 409 scam" in which victims receive e-mails from alleged millionaires who induce them to disclose their credit information in return for a share in millions.

Section 66A of the IT Act attempts to address this situation by penalizing the sending of:

any message which is grossly offensive or has a menacing character
false information for the purpose of causing annoyance, inconvenience, danger, insult, criminal intimidation, enmity, hatred or ill-will
any electronic e-mail for the purpose of causing annoyance or inconvenience, or to deceive the addressee about the origin of such messages;

This offence is punishable with imprisonment upto three years and with a fine[14]

Hoax E-mails [15]

In 2009, a 15-year-old Bangalore teenager was arrested by the cyber crime investigation cell (CCIC) of the city crime branch for allegedly sending a hoax e-mail to a private news channel. In the e-mail, he claimed to have planted five bombs in Mumbai, challenging the police to find them before it was too late.

According to police officials, at around 1p.m. on May 25, the news channel received an e-mail that read: “I have planted five bombs in Mumbai; you have two hours to find it.” The police, who were alerted immediately, traced the Internet Protocol (IP) address to Vijay Nagar in Bangalore. The Internet service provider for the account was BSNL, said officials.

Minor Hoax Spells Major Trouble

Sixteen-year-old Rakesh Patel (name changed), a student from Ahmedabad, sent an e-mail to a private news channel on March 18, 2008, warning officials of a bomb on an Andheri-bound train. In the e-mail, he claimed to be a member of the Dawood Ibrahim gang. Three days later, the crime investigation cell (CCIC) of the city police arrested the boy under section 506 (ii) for criminal intimidation. He was charge-sheeted on November 28, 2008.
Status: Patel was given a warning by a juvenile court
A 14-year-old Colaba boy sent a hoax e-mail to a TV channel in Madhya Pradesh, three days after the July 26, 2008, Ahmedabad bomb blasts. He claimed that 29 bombs would go off in Jabalpur. He was picked up by officers of the anti-terrorism squad (ATS) who, with the help of the MP police, were able to trace the e-mail to a cyber café in Colaba.
Status: No FIR was registered. The Cuffe Parade police registered a non-cognizable (NC) complaint against him, and the boy was allowed to go home after the police gave him a “strict warning”.
Shariq Khan, 18, was arrested in Bhopal on July 26, 2006, for sending out three e-mails claiming to be a member of the terrorist organisation, which the police believed was behind the 7/11 train bombings. He was arrested by the Bhopal police. Later, the ATS brought the boy to Mumbai and also booked him for a five-year-old unsolved case where an unknown accused had sent e-mail warnings to the department of Atomic Energy (DAE) in 2001.
Status: The police filed a charge-sheet against Shariq who claimed that he had sent the e-mails for fun. Trial is pending in a juvenile court. Shariq is presently out on bail in Bhopal.
On February 26, 2006, a 17-yearold student from Jamnabai Narsee School called an Alitalia flight bound to Milan at 2 a.m. telling them there was a bomb on board. He wanted to stop his girlfriend from going abroad. She was one of the 12 students on their way to attend a mock United Nations session in Geneva.
Status: After being grilled by the police, he was arrested, but let out on bail.

Lawful Interception and monitoring of electronic communications under the IT Act

In addition to violations of privacy by criminal and the mischievous minded, electronic communications and storage are also a goldmine for governmental supervision and surveillance. This section provides a brief overview of the provisions in the IT Act which circumscribe the powers of the state to intercept electronic communications.

The newly amended IT Act completely rewrote its provisions in relation to lawful interception. The new section 69 dealing with “power to issue directions for interception or monitoring or decryption of any information through any computer resource” is much more elaborate than the one it replaced, In October 2009, the Central Government notified rules under section 69 which lay down procedures and safeguards for interception, monitoring and decryption of information (the “Interception Rules 2009”). This further thickens the legal regime in this context.

Unlawful Intercept

In August 2007, Lakshmana Kailash K., a techie from Bangalore was arrested on the suspicion of having posted insulting images of Chhatrapati Shivaji, a major historical figure in the state of Maharashtra, on the social-networking site Orkut. The police identified him based on IP address details obtained from Google and Airtel – Lakshmana’s ISP. He was brought to Pune and detained for 50 days before it was discovered that the IP address provided by Airtel was erroneous. The mistake was evidently due to the fact that while requesting information from Airtel, the police had not properly specified whether the suspect had posted the content at 1:15 p.m. or a.m.

Taking cognizance of his plight from newspaper accounts, the State Human Rights Commission subsequently ordered the company to pay Rs 2 lakh to Lakshmana as damages [16].

The incident highlights how minor privacy violations by ISPs and intermediaries could have impacts that gravely undermine other basic human rights [17].

In addition to section 69, the Government has been empowered under the newly inserted section 69B to "monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource".

"Traffic data" has been defined in the section to mean “any data identifying or purporting to identify any person, computer system or computer network or any location to or from which communication is or may be transmitted.” Rules have been issued by the Central Government under this section (the “Monitoring and Collecting Traffic Data Rules, 2009”) which are similar, although with important distinctions, to the rules issued under section 69.

Thus, there are two parallel interception and monitoring regimes in place under the Information Technology Act. In the paragraphs that follow, we provide an overview of the regime of surveillance under section 69 — since they are more targeted towards the individual, and consequently the threats to privacy are more severe — while highlighting important differences in the rules drafted under section 69.

Who may lawfully intercept?

Section 69 empowers the “Central Government or a state government or any of its officers specially authorised by the Central Government or the state government, as the case may be” to exercise powers of interception under this section.

Under the Interception Rules 2009, the secretary in the Ministry of Home Affairs has been designated as the "competent authority", with respect to the Central Government, to issue directions pertaining to interception, monitoring and decryption. Similarly, the respective state secretaries in charge of Home Departments of the various states and union territories are designated as "competent authorities" to issue directions with respect to the state government [18].

	Central Government	State/Union Territory
Ordinary Circumstances	Secretary in the Ministry of Home Affairs	Secretary in charge of Home Departments of State
Emergency	Head or second senior most officer of security and law enforcement	Authorized officer not below the rank of Inspectors General of Police

However, an exception is made in cases of emergency, either

in remote areas where obtaining prior directions from the competent authority is not feasible or

for ‘operational reasons’ where obtaining prior directions is not feasible.

In such cases it would be permissible to carry out interception after obtaining the orders of the Head or second senior most officer of security and law enforcement at the central level, and an authorized officer not below the rank of Inspector General of Police at the state or union territory level. The order must be communicated to the competent authority within three days of its issue, and approval must be obtained from the authority within seven working days, failing which the order would lapse.

Where a state/union territory wishes to intercept/monitor or decrypt information beyond its territory, the competent authority for that state must make a request to the competent authority of the Central Government to issue appropriate directions.

Under what circumstances a direction to intercept may be issued?

Purposes for which interception may be directed

Under section 69, the powers of interception may be exercised by the authorized officers “when they are satisfied that it is necessary or expedient” to do so in the interest of:

sovereignty or integrity of India,

defense of India,

security of the state,

friendly relations with foreign states or

public order or

preventing incitement to the commission of any cognizable offence relating to above or

for investigation of any offence.

Under section 69B, the competent authority may issue directions for monitoring for a range of “cyber security”[20] purposes including, inter alia, “identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security”.

Contents of direction

The reasons for ordering interception must be recorded in writing [21].

In the case of a direction under section 69, in arriving at its decision, the competent authority must consider alternate means of acquiring the information other than issuing a direction for interception [22]. The direction must relate to information sent or likely to be sent from one or more particular computer resources to another (or many) computer resources [23]. The direction must specify the name and designation of the officer to whom information obtained is to be disclosed, and also specify the uses for which the information is to be employed [24].

Duration of interception and periodic review

Once issued, an interception direction issued under section 69 remains in force for a period of 60 days (unless withdrawn earlier), and may be renewed for a total period not exceeding 180 days [25]. A direction issued under section 69B does not expire automatically through the lapse of time and theoretically would continue until withdrawn.

Within seven days of its issue, a copy of a direction issued under either section 69 or section 69B must be forwarded to the review committee constituted to oversee wiretapping under the Indian Telegraph Act [26]. Every two months, the review committee is required to meet and record its findings as to whether the direction was validly issued in light of section 69(3) [27]. If the review committee is of the opinion that it was not, it can set aside the direction and order destruction of all information collected [28].

What powers of interception do they have?

The competent authority may, in his written direction “direct any agency of the appropriate government to intercept monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource”[29].

Accordingly, the subscriber or intermediary or any person in charge of the computer resource is must, if required by the designated government agency, extend all facilities, equipment and technical assistance to:

provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or

intercept, monitor, or decrypt[30] the information, as the case may be; or

provide information stored in computer resource.

The intermediary must maintain records mentioning the intercepted information, the particulars of the person, e-mail account, computer resource, etc., that was intercepted, the particulars of the authority to whom the information was disclosed, number of copies of the information that were made, the date of their destruction, etc. [31]. This list of requisitions received must be forwarded to the government agency once every 15 days to ensure their authenticity [32].

In addition, a responsibility is cast on the intermediary to put in place adequate internal checks to ensure that unauthorized interception does not take place, and extreme secrecy of intercepted information is maintained [33].

How long can information collected during interception be retained?

Interception rules require all records, including electronic records pertaining to interception to be destroyed by the government agency “in every six months except in cases where such information is required or likely to be required for functional purposes”. In the case of the Monitoring and Collecting of Traffic Data Rules 2009, this period is nine months from the date of creation of record.

In addition, all records pertaining to directions for interception and monitoring are to be destroyed by the intermediary within a period of two months following discontinuance of interception or monitoring, unless they are required for any ongoing investigation or legal proceedings. In the case of Monitoring Rules, this period is six months from the date of discontinuance.

What penalties accrue to intermediaries and subscribers for resisting interception?

Section 69 stipulates a penalty of imprisonment upto a term of seven years and fine for any “subscriber or intermediary or any person who fails to assist the agency” empowered to intercept.

Data Protection under the IT Act

Data Retention Requirements of 'Intermediaries'

Section 67C of the amended IT Act mandates ‘intermediaries’[34] to maintain and preserve certain information under their control for durations which are to be specified by law.

Any intermediary who fails to retain such electronic records may be punished with imprisonment up to three years and a fine.

Liability for body-corporates under section 43A

The newly inserted section 43A makes a start at introducing a mandatory data protection regime in Indian law. The section obliges corporate bodies who ‘possess, deal or handle’ any ‘sensitive personal data’ to implement and maintain ‘reasonable’ security practices, failing which they would be liable to compensate those affected by any negligence attributable to this failure.

It is only the narrowly-defined ‘body corporates’ [35] engaged in ‘commercial or professional activities’ who are the targets of this section. Thus government agencies and non-profit organisations are entirely excluded from the ambit of this section [36].

“Sensitive personal data or information” is any information that the Central Government may designate as such, when it sees fit to.

The “reasonable security practices” which the section obliges body corporates to observe are restricted to such measures as may be specified either “in an agreement between the parties” or in any law in force or as prescribed by the Central Government.

By defining both “sensitive personal data” and “reasonable security practice” in terms that require executive elaboration, the section in effect pre-empts the courts from evolving an iterative, contextual definition of these terms.

Mphasis BPO Fraud: 2005 [37]

In December 2004, four call centre employees, working at an outsourcing facility operated by MphasiS in India, obtained PIN codes from four customers of MphasiS’ client, Citi Group. These employees were not authorized to obtain the PINs.

In association with others, the call centre employees opened new accounts at Indian banks using false identities. Within two months, they used the PINs and account information gleaned during their employment at MphasiS to transfer money from the bank accounts of CitiGroup customers to the new accounts at Indian banks.

By April 2005, the Indian police had tipped off to the scam by a U.S. bank, and quickly identified the individuals involved in the scam. Arrests were made when those individuals attempted to withdraw cash from the falsified accounts, $426,000 was stolen; the amount recovered was $230,000.

Draft Reasonable Security Practices Rules 2011 [38]

In February 2011, the Ministry of Information and Technology, published draft rules under section 43A in order to define “sensitive personal information” and to prescribe “reasonable security practices” that body corporates must observe in relation to the information they hold.

Sensitive Personal Information
Rule 3 of these Draft Rules designates the following types of information as ‘sensitive personal information’:

password;

user details as provided at the time of registration or thereafter;

information related to financial information such as Bank account / credit card / debit card / other payment instrument details of the users;

physiological and mental health condition;

medical records and history;(vi) Biometric information;

information received by body corporate for processing, stored or processed under lawful contract or otherwise;

call data records;

This however, does not apply to “any information that is freely available or accessible in public domain or accessible under the Right to Information Act, 2005”.

They and “any person” holding sensitive personal information are forbidden from “keeping that information for longer than is required for the purposes for which the information may lawfully be used”[40]

Mandatory Privacy Policies for body corporates

Rule 4 of the draft rules enjoins a body corporate or its representative who “collects, receives, possess, stores, deals or handles” data to provide a privacy policy “for handling of or dealing in user information including sensitive personal information”. This policy is to be made available for view by such “providers of information” [41]. The policy must provide details of:

Type of personal or sensitive information collected under sub-rule (ii) of rule 3;
Purpose, means and modes of usage of such information;
Disclosure of information as provided in rule 6 [42].

Prior Consent and Use Limitation during Data Collection

In addition to the restrictions on collecting sensitive personal information, body corporate must obtain prior consent from the “provider of information” regarding “purpose, means and modes of use of the information”. The body corporate is required to “take such steps as are, in the circumstances, reasonable”[43] to ensure that the individual from whom data is collected is aware of :

the fact that the information is being collected; and
the purpose for which the information is being collected; and
the intended recipients of the information; and
the name and address of :
the agency that is collecting the information; and
the agency that will hold the information.

During data collection, body corporates are required to give individuals the option to opt-in or opt-out from data collection [44]. They must also permit individuals to review and modify the information they provide "wherever necessary" [45]. Information collected is to be kept securely [46], used only for the stated purpose [47] and any grievances must be addressed by the body corporate “in a time bound manner” [48].

Unlike "sensitive personal information" there is no obligation to retain information only for as long as is it is required for the purpose collected.

Limitations on Disclosure of Information

The draft rules require a body corporate to obtain prior permission from the provider of such information obtained either “under lawful contract or otherwise” before information is disclosed [49]. The body corporate or any person on its behalf shall not publish the sensitive personal information [50]. Any third party receiving this information is prohibited from disclosing it further [51]. However, a proviso to this sub-rule mandates information to be provided to ‘government agencies’ for the purposes of “verification of identity, or for prevention, detection, investigation, prosecution, and punishment of offences”. In such cases, the government agency is required to send a written request to the body corporate possessing the sensitive information, stating clearly the purpose of seeking such information. The government agency is also required to “state that the information thus obtained will not be published or shared with any other person” [52].

Sub-rule (2) of rule 6 requires “any information” to be “disclosed to any third party by an order under the law for the time being in force.” This is to be done “without prejudice” to the obligations of the body corporate to obtain prior permission from the providers of information [53].

Reasonable Security Practices

Rule 7 of the draft rules stipulates that a body corporate shall be deemed to have complied with reasonable security practices if it has implemented security practices and standards which require:

a comprehensive documented information security program; and

information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected.

In case of an information security breach, such body corporate will be “required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security program and information security policies”.

The rule stipulates that by adopting the International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”, a body corporate will be deemed to have complied with reasonable security practices and procedures.

The rule also permits “industry associations or industry clusters” who are following standards other than IS/ISO/IEC 27001 but which nevertheless correspond to the requirements of sub-rule 7(1), to obtain approval for these codes from the government. Once this approval has been sought and obtained, the observance of these standards by a body corporate would deem them to have complied with the reasonable security practice requirements of section 43A.

Penalties and Remedies for breach of Data Protection

Civil Liability for Corporates

As mentioned above, any body corporates who fail to observe data protection norms may be liable to pay compensation if:

it is negligent in implementing and maintaining reasonable security practices, and thereby

causes wrongful loss or wrongful gain to any person;[54]

Claims for compensation are to be made to the adjudicating officer appointed under section 46 of the IT Act. Further, details of the powers and functions of this officer are given in succeeding sections of this note.

Criminal liability for disclosure of information obtained in the course of exercising powers under the IT Act

Section 72 of the Information Technology Act imposes a penalty on “any person” who, having secured access to any electronic record, correspondence, information, document or other material using powers conferred by the Act or rules, discloses such information without the consent of the person concerned. Such unauthorized disclosure is punishable “with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.”

Criminal Liability for unauthorized disclosure of information by any person of information obtained under contract

Section 72A of the IT Act imposes a penalty on any person [55] (including an intermediary) who

has obtained personal information while providing services under a lawful contract and

discloses the personal information without consent of the person,

with the intent to cause, or knowing it is likely to cause wrongful gain or wrongful loss [56]

Such unauthorised disclosure to a third person is punishable with imprisonment upto three years or with fine upto Rs five lakh, or both.

Whom to call? Adjudicatory Mechanism and Remedies under the IT Act

This section provides a brief outline of the mechanism installed by the IT Act to activate the various remedies and penalties prescribed in various sections of the Act. As a victim of online intrusion, how does one use the IT Act to seek redressal?

As mentioned above, the IT Act provides for both the civil remedy of damages in compensation (Chapter IX) as well as criminal penalties for offences such as imprisonment and fine (Chapter XI). In general, claiming a civil remedy does not bar one from seeking criminal prosecution and ideally both should be pursued together. For clarity, in the sections that follow, we will be discussing the two procedures separately.

Civil Damages and Compensation

Whom to approach?

Section 46 of the IT Act empowers the Central Government to appoint “adjudication officers” to adjudicate whether any person has committed any of the contraventions described in Chapter IX of the Act (See section 2.1 and 4.2 above) and to determine the quantum of compensation payable. Accordingly, the Central Government has designated the secretaries of the Department of Information Technology of each of the states or union territories as the “adjudicating officer” with respect to each of their territories [57].

However, a pecuniary limit has been placed on the powers of adjudicating officers, and they may only adjudicate cases where the quantum of compensation claimed does not exceed Rs. five crores. In cases where the compensation claimed exceeds this amount, jurisdiction would vest in the “competent court”, under the Code of Civil Procedure [58].

Section 61 of the Act bars ordinary civil courts from jurisdiction over matters which the adjudicating officers have been empowered to decide under this Act.

When must a complaint be filed?

The Limitation Act provides that a suit must be filed within three years from when the right to sue accrues [59].

What is the procedure?

Section 46 and the rules framed under that section provide elaborate guidelines on the procedure that is to be followed by the adjudicating officer. Thus, the adjudicating officer is required to give the accused person “a reasonable opportunity for making representation in the matter”. Thereafter, if , on an inquiry, “he is satisfied that the person has committed the contravention, he may impose such penalty or award such compensation as he thinks fit in accordance with the provisions of that section.”

In order to carry out their duties adjudicating officer have been invested with the powers of a civil court which are conferred on the cyber appellate tribunal [60]. Additionally, they have the power to punish for their contempt undert the Code of Criminal Procedure.

Rules framed under the section provide further details on the procedure that must be followed and provide for the issuance of a “show cause notice”, manner of holding enquiry, compounding of offences, etc. [61].

Section 47 provides that in adjudging the quantum of compensation, the adjudicating officer shall have due regard to the following factors, namely:—

the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default;

the amount of loss caused to any person as a result of the default;

the repetitive nature of the default.

Where must a complaint be filed and in what format?

The complaint must be made to the adjudicating officer of the state or union territory on the basis of location of computer system, computer network. The complaint must be made on a plain paper in the format provided in the Performa attached to the rules [62].

In case the offender or computer resource is located abroad, it would be deemed, for the purpose of prosecution to be located in India [63].

How long does the process take?

The Rules direct that the whole matter should be heard and decided “as far as possible” within a period of six months [64].

How much does it cost?

The Rules stipulates a variable fee payable by a bank draft calculated on the basis of damages claimed by way of compensation

a) Upto Rs. 10,000	10% ad valorem rounded off to nearest next hundred
b) From 10001 to Rs.50000	Rs. 1000 plus 5% of the amount exceeding Rs.10,000 rounded off to nearest next hundred
c) From Rs.50001 to Rs.100000	Rs. 3000/- plus 4% of the amount exceeding Rs. 50,000 rounded off to nearest next hundred
d) More than Rs. 100000	Rs.5000/- plus 2% of the amount exceeding Rs. 100,000 rounded off to nearest next hundred

Appeals to the Cyber Appellate Tribunal and the High Court

The Act provides for the constitution of a cyber appellate tribunal to hear appeals from cases decided by the adjudicating officer.

Within 25 days of the copy of the decision being made available by the adjudicating officer, the aggrieved party may file an appeal before the cyber appellate tribunal.

Section 57 provides that the appeal filed before the cyber appellate tribunal shall be dealt with by it as expeditiously as possible and endeavor shall be made by it to dispose of the appeal finally within six months from the date of receipt of the appeal. Section 62 gives the right of appeal to a high court to any person aggrieved by any decision or order of the cyber appellate tribunal on any question of fact or law arising out of such order. Such an appeal must be filed within 60 days from the date of communication of the decision or order of the cyber appellate tribunal.

Can contraventions be compounded (compromised) with the offender?

Except in the case of repeat offenders, contraventions may be compromised by the adjudicating officer or between the parties either before or after institution of the suit. Where any contravention has been compounded the IT Act provides that “no proceeding or further proceeding, as the case may be, shall be taken against the person guilty of such contravention in respect of the contravention so compounded”[65].

Criminal Penalties

The process described above applies to “contraventions” under Chapter IX of the Act. In addition to being liable to pay compensation, in the cases falling under section 43, such offenders may also be liable for criminal penalties such as imprisonment and fines [66]. This sub-section of this paper deals with the procedure to be followed with respect to the criminal offences set out under Chapter XI of the Act (for example, see sections 2.2 to 2.5 above).

Whom to approach? Who can take cognizance of offences and investigate them?

Section 78 of the IT Act empowers police officers of the rank of Inspectors and above to investigate offences under the IT Act.

Many states have set up dedicated cyber crime police stations to investigate offences under this Act [67]. Thus, for example, the State of Karnataka has set up a special cyber crime police station responsible for investigating all offences under the IT Act with respect to the entire territory of Karnataka [68].

When must a complaint be lodged?

Although there is no time limit prescribed by the IT Act or the Code of Criminal Procedure with respect to when an FIR must be filed, in general, courts tend to take an adverse view when a significant delay has occurred between the time of occurrence of an offence and it’s reporting to the nearest police station.

The Code of Criminal Procedure forbids courts from taking cognizance of cases after three years “if the offence is punishable with imprisonment for a term exceeding one year but not exceeding three years”. Where either the commission of the offence was not known to the person aggrieved, or where it is not known by whom the offence committed, this period is computed from the date on which respectively the offence or the identity of the offender comes to the knowledge of the person aggrieved [69].

What is the procedure?

No special procedure is prescribed for the trial of cyber offences and hence the general provisions of criminal procedure would apply with respect to investigation, charge sheet, trial, decision, sentencing and appeal.

Can offences be compounded?

Offences punishable with imprisonment of upto three years are compoundable by a competent court. However, repeat offenders cannot have their subsequent offences compounded. Additionally, offences which “affect the socio-economic conditions of the country” or those committed against a child under 18 years of age or against women cannot be compounded [70].