Centre for Internet and Society

UID & Privacy - A Call for Papers

elonnai — 2012-03-21T10:03:44Z

Privacy India is inviting individuals to author short papers focused on Unique Identity (UID) and Privacy. Selected candidates will have their papers published on the CIS website, and their transportation and accommodation provided for the “Privacy Matters” conference being held in Kolkata on 22 January 2010.

Topic

Privacy and the UID

Submission Deadline

By 15 January 2010 to admin@privacyindia.org

Word Length

3,000-5,000 words

Topic Summary

The Aadhaar scheme, or Unique Identity (UID) scheme is a plan to provide citizens identity cards that are tied to their unique biometric data – such as their fingerprints or retinal scans. Although the most frequently cited justification for this project is to ensure the secure delivery of relief to beneficiaries of government aid schemes, it is clear that the uses to which it will be put exceed this narrow mandate.

As India embarks on one of its most ambitious techno-administrative projects to date, there is surprisingly little clarity or introspection into the implications of having such a concentrated identity locked into a single card. In particular it appears that the grave threats to privacy the scheme poses have not received due attention. Although the final draft UID Bill circulated by the UIDAI in October 2010 contains some provisions that reference privacy, there seems to be a tacit assumption that privacy is an expendable or at least a less-desirable privilege that can be attended to fully once the scheme is in fully in place.

We invite individuals to author short inter-disciplinary papers that engage various topics on the theme of Privacy and the UID, including but not limited to the following:

Comparative studies on privacy and national identity card schemes in other countries

Privacy and the UID Bill

How will a project such as the UID change the relationship between the state, the individual, and the market?

Selected candidates will have their papers published on the CIS website, and their transportation and accommodation provided for the “Privacy Matters” conference being held in Kolkata on January 22nd 2010.

Who We Are

Privacy India was set up with the collaboration of the Centre for Internet and Society (CIS) and Society in Action Group (SAG), under the auspices of the international organization ‘Privacy International’. Privacy International is a non-profit group that provides assistance to civil society groups, governments, international and regional bodies, the media and the public in a number of countries (see www.privacyinternational.org). Privacy India's objective is to raise awareness, spark civil action and promoting democratic dialogue around privacy challenges and violations in India. In furtherance of this goal we aim to draft and promote an over-arching privacy legislation in India by drawing upon legal and academic resources and consultations with the public.

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers

The Privacy Rights of Whistleblowers

elonnai — 2012-03-22T05:47:16Z

The recent disclosures from Wikileaks have shown that the right to information, whistle-blowing, and privacy are interconnected. This note looks at the different ways in which the three are related, as well as looking at the benefits and drawbacks to Wikileaks in terms of privacy.

Introduction

In a recent interview, the Canadian Privacy Commissioner was quoted as saying “Information and the manipulation of information is the key to power. Those who can control the information can influence society enormously.” History and present-day society have both proven the truth in this statement. It is one among many reasons that the right to information is important to uphold. In India, and in other countries, there are statutes – in India, the Right To Information Act – that entitles the public to request and receive information that pertains to public bodies and their conduct, information that is publicly available because it is intrinsically related to the public interest. An entirely separate but equally critical way in which the public is kept informed is through whistle-blowing. Traditionally, whistle-blowing is any disclosure made in the name of public interest. Recent events such as the Ratan Tata case and the leaks of US diplomatic cables have brought to light the relationship between the public’s right to information, the rights of whistleblowers, and the rights of individuals to privacy. These recent cases have shown that the right to information, whistle-blowing, and the right to privacy are interconnected, because privacy can provide individuals with the means to sustain autonomy against potentially overwhelming forces of government and persons who might have mixed motivations. The right to information and whistle-blowing are means by which the government is held accountable to the public if they violate the law or the public trust. The Wikileaks case and the Ratan Tata case raise important questions about when those two interests need to give way to private interests. One of the key questions that Wikileaks raises is: if whistleblowing is supposed to be disclosure in the public interest -- i.e., to protect the public – should disclosure of personal information be permissible only if a person can demonstrate that he/she is trying to remedy or avoid actual wrongdoing rather than simply publishing information that is "interesting to the public?"

What is a Whistleblower and how does a Whistleblower Benefit from Wikileaks?

Whistleblowing is the modern counterpart to “informers” – people who reveal others’ wrongdoing. Much whistleblowing occurs by going "up the chain" in a person's own department or agency or company. If the person is reporting wrongdoing and the person ultimately goes to the authorities about illegal activity, the individual reporting the leak can sometimes get immunity for his or her own actions, can sometimes collect part of the penalties, and can under certain statutes in some countries even bring suit if the company retaliates against him -- for example, by firing him. In this way traditional whistleblowing places the responsibility for legal and ethical conduct on employees who are better situated to see wrongdoing than outsiders would be. In many countries, a person may present information of a whistleblowing nature to a judicial body. The judicial body then determines the validity of the information, the degree of public interest involved, and the proper form of redress to be taken. The judicial body offers legal protection to the whistleblower. Another method of whistleblowing is to leak information to the press. Once information is in the public domain – at least if there is freedom of press -- the information can no longer be covered up. Neither the right to free press, nor the right to protection as a whistleblower is universal. The current critique of the Indian Whistle Blowing Bill is that the right to protection will not be ensured. A Times of India article issued in September 2010 pointed out that the Whistle Blowing Act’s biggest weakness is that the Bill’s Central Vigilance Commission is designated to play both the role as competent authority to deal with complaints file by whistleblowers and as the tribunal to protect whistleblowers. Structuring the power to allow one body to fulfil both functions runs the risk of bias and could breed distrust that would cause people to avoid the system altogether. The article complained that the Bill has no teeth, and that even if the Commission believes that the whistleblowing is valid, it is able only to give advice rather than actually to prosecute individuals. The article recites extreme instances in which individuals have blown the whistle and paid for it with their lives. For example: in 2005 a manager of the Indian Oil Corporation was killed after exposing a scheme in adulterated petrol, and in 2010 an RTI activist was killed after exposing land scams in Mahrashtra. In these situations, Wikileaks is an interesting and powerful tool for individuals who either do not want to leak their information to a judicial body or are not protected if they do so in their own country. Leaking information to Wikileaks is in one sense analogous to leaking information to the press, but it is not precisely the same because it is not a news media outlet, but instead is a way for a person to post information on a mass media outlet. It should be noted, however, that informants who leak to Wikileaks are not afforded the same immunity that individuals who leak to authorities are granted. When an individual shares documents or information with Wikileaks, the site in turn acts as a platform to publish the information on the web and with the press. Being an independent entity that is neither tied down to a certain territory, government, or entity – Wikileaks has the pull of non-bias. But the strength of Wikileaks is also its weakness. When 250,000 diplomatic cables were posted, there was no one who understood the context of the content to monitor to ensure that everything was appropriate to post. As a result, the information was transmitted to an audience who normally would not be entitled to it. By doing so, the leaked information placed individual diplomats in precarious positions that could potentially put them in harm’s way and unnecessarily damage their reputations, as well as putting the reputation of the United States on the line.

Privacy and Whistleblowing

As a result the United States is looking to press charges against Julian Assange, founder of Wikileaks, for espionage. The way in which Wikileaks leaked information and the nature of the leak has brought privacy into the picture. When looking at the act of whistleblowing through the lens of privacy, there are obvious privacy concerns for the whistleblower, for the person or entity whose information has been leaked, and for possible third parties involved. Paul Chadwick, the Victorian Privacy Commissioner, pointed out that for the whistleblower the main privacy concerns include the individual’s identity, safety, and reputation. For the alleged wrongdoer the privacy concerns include: identity, safety, employment, and liberty (where sanctions may include imprisonment). For third parties, reputation and safety can both be jeopardized by disclosures by whistleblowers. The Wikileaks leaks squarely present the question whether intent should be brought into the analysis of privacy and whistleblowers. If a whistleblower is disclosing with the intent protect the public, the protections afforded to this person should weigh differently against the privacy interests of alleged wrongdoers and third parties than for someone who is simply defining the public interest as “interesting to the public,” or, worse, as seen in the false leak by Pakistan against India, is looking to leak information to disrupt public interest. Even though Wikileaks works to protect the anonymity of individuals who leak information, it is not bound by any law to protect the privacy of individuals involved in the leak. The concept behind Wikileaks is important. By interacting with government information, it has the ability to bring accountability and transparency to governments, but the only regulation over Wikileaks is internal (and thus inherently subjective). Wikileaks needs to change its structure to take into account leaks shared without the intent of protecting the public interest and even then needs to monitor to prevent leaks that could place individuals in precarious situations or damage reputations with no validating information.

Sources:

http://www.ctv.ca/generic/generated/static/business/article1833688.html

Chadwick, Paul. Whistleblowing, Transparency, and Privacy: Aspects of the relationship between Victoria’s Whistleblowers Protection Act and the Information Privacy Act.

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-wikilileaks-whistleblowers

An Open Letter to the Finance Committee: SCOSTA Standards

elonnai — 2013-12-20T03:58:09Z

The UID Bill has been placed to the Finance Committee for review and approval. Through a series of open letters to the Finance Committee, civil society is asking the committee to take into consideration and change certain aspects of the Bill and the project. The below note compares the SCOSTA standard with the Aadhaar biometric standard, and explains why we believe the SCOSTA standard should replace the Aadhaar biometric standard for the authentication process in the UID scheme.

Introduction

This note is intended to demonstrate how the Aadhaar biometric standard is weaker than the SCOSTA standard. Through a comparison of the SCOSTA standard-based smart card and the Aadhaar biometric-based identification number, it will show how the SCOSTA standard is a more secure, structurally sound, and cost effective approach to authentication of identity for India. Though we recognize that Aadhaar biometrics are useful for the de-duplication and identification of individuals, we believe that the SCOSTA standard is more appropriate for the authentication of individuals. Thus, we ask that the Aadhaar biometric based authentication process be replaced with a SCOSTA standard based authentication process.

A background of the two standards

The SCOSTA standard is used in smart cards and was developed by the National Informatics Centre in India. It is:

1. Compliant with the international standard ISO-7816 for smart cards.

2. Based on a public/private key and pin authentication factor

3. Authentication factor refers to an individuals keys, pass-phrases, and pin.

The biometric standard authenticates the identity of an individual based on his or her physical fingerprints and iris scans (in the case of the UID). The standard:

1. Verifies if the individual exists within a known population by comparing the biometric data to those of other individuals stored in a secured centralized database.

2. Based on a symmetric authentication factor

A comparison of the two standards

Standard	SCOSTA - MNIC smart card	Aadhaar Biometric - UID number
Architecture	Decentralized SCOSTA standards require a pair and key combination with a pin, and thus can be structured in a decentralized manner	Centralized Aadhaar biometric standards require symmetric authentication factors, and thus must be structured in a centralized manner
Standards for Technology	Open standard Creates security through transparency	Closed standard Creates security though obscurity
Points of failure	Multiple points of failure The SCOSTA standard has multiple points of failure, because of decentralized structure, thus if one data base is compromised all data is not lost.	Single point of failure The Aadhaar Biometric standard has one single point of failure, because of centralized structure, thus if the data base is compromised all data is lost
Impact on local industry	Encourages Open standards allow local industry to compete in manufacturing technology	Discourages Closed standards allow foreign players to monopolize the manufacturing of technology
Cost analysis	Cost effective Increased competition keeps prices low	Cost ineffective Decreased competition keeps prices high
Revocation	Revocable If the key pair and pin are stolen, a new set of passwords can be issued	Permanent If the biometrics of an individual are stolen, they cannot be re-issued
Possibility of fraudulent authentication	Lower A thief must steal your smart card and your secret pin to commit fraud	Higher A thief only needs to collect your fingerprints using a glass tumbler to commit fraud
Viability of Technology	Proven effective for large populations	Not proven effective for large populations

For more details visit https://cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee

Bloggers' Rights Subordinated to Rights of Expression: Cyber Law Expert

elonnai — 2012-03-21T09:35:06Z

Vijayashankar, an eminent cyber law expert answers Elonnai Hickok’s questions on bloggers' rights, freedom of expression and privacy in this e-mail interview conducted on May 19, 2011.

A set of rules relating to regulation of the Internet (mentioned in section 79 of the ITAA, 2008) was released in April 2011. In light of the rules framed under the IT Act, and as part of our research on privacy and Internet users, we have been looking into questions surrounding bloggers’ rights, freedom of expression, and privacy.

The new rules require among other things that intermediaries take down any content that could be considered disparaging. In practice, these rules will act to limit the ability of individuals to express their opinions on the Internet — especially for the bloggers. Though these requirements seem to only impact the freedom of expression of bloggers, a blogger’s privacy rights, especially in relation to the protection of their identity, are also pulled into question. Other issues surrounding bloggers’ rights and privacy include: if bloggers are identified as journalists, then whether they should be afforded the same protections and privileges, e.g., should bloggers have the right to free political speech and should intermediaries have freedom from liability for hosting speech or others’ comments? Are bloggers allowed to publish material that is under copyright on their website?

On May 19, 2011, through e-mail, I had the opportunity to interview Vijayashankar, an expert in cyber law, on issues regarding the rights of bloggers freedom of expression, and privacy. Vijayashankar has authored multiple books on cyber law, taught in many universities, and is an active leader of the Netizen movement in India. Below is a summary of the questions I posed to Vijayashankar and his responses.

I began the interview by trying to understand bloggers’ rights and how they are defined. Often the term 'bloggers' rights is used casually, but it is important to understand the different roles that a blogger plays in order to understand what his/her rights are, how they could be violated, and how they could be protected. Vijayashankar explained that a blog is comprised of two parties: a blogger and an intermediary – which is the application host. Bloggers have many different roles: authors, editors, or publishers of content, and thus, a blogger’s rights should be defined within these contexts. As authors, bloggers write their own article/blog or adds comments to others’ blogs. As such, they should have the freedom to express their thoughts and opinions and determine a level of privacy with which to maintain them, without regulation or censorship from a third party. Though the freedom of expression and privacy should be basic rights for blog authors, bloggers must also be held accountable and responsible for the content that they choose to make public by posting on accessible web pages.

The need for a blogger to be held responsible and accountable is similar to the limitation on speech that informs defamation law, and it means that a blogger cannot be entirely anonymous – at least not once a blog is public and is challenged. Thus, accountability must limit the right to be entirely private and anonymous. Though a blogger should be held accountable, the international implications give rise to thorny issues of jurisdiction and accountability under unforeseen laws: all of which raises the question whether, instead of local jurisdictions seeking to enforce their laws against potentially out-of-the-jurisdiction bloggers, an international third party should be entrusted with the responsibility of holding bloggers accountable and responsible – whether that takes the form of an organization like the WTO or WIPO or looks more like specially trained international arbitrators.

This challenge arises because bloggers live in different jurisdictions where different rules apply, but their opinions cross multiple borders and boundaries. This raises questions such as: Which jurisdictional law should the blogger be accountable to? Should a blogger be held responsible for actions that are considered violations in a jurisdiction in which a blog is read, even if those actions are not violations in the jurisdiction in which it is written? And if a blogger is to be held responsible, who should hold him responsible – the country where the action is considered a violation or his own country – and where does a private party have a cause of action? According to Vijayashankar, blogger’s rights’ are always subordinated to the rights of expression guaranteed to the blogger in his country where he is a citizen.

Furthermore, the rights of a blogger have to be seen in the context of who has the "cause of action" against blog writing, i.e., which party involved has the right to complain. If an individual is a victim of a blog, and that individual is a citizen of another country and is guaranteed certain rights, the blogger's rights cannot override the rights of the victim in his own country. Hence, the victim has the right to invoke law enforcement in his country, and the law enforcement agencies do have a right to seek information from the blogger. If, however, a citizen brings a private civil action against a blogger, the discovery limitations are much more severe across boundaries, and the blogger’s national policy on responding to discovery from other countries will determine the extent to which information from the blogger will be made available. To the extent that the impact of a blogger’s expression reaches across boundaries, his actions should be considered similar to a situation where a citizen of one country does certain things which affect the rights enjoyed by a citizen of another country. It does not seem right that a blogger can say something offensive in one jurisdiction and be held liable, but a different blogger can say the same thing from another jurisdiction and be protected. On the one hand, since the Internet as a medium broadcasts across geographical boundaries, it is the responsibility of the individual countries to erect their "cyber boundaries" if they do not want the broadcast to reach their citizens. On the other, individuals should be able to invoke international laws to seek consistent application of standards about what is actionable and what information is discoverable in support of an action. This suggests that an international tribunal might be the best solution.

Other questions to think about when exploring the idea of a trusted third party holding online bloggers accountable include: who would form the third party, what legal authority/power would they have, would this group also be in charge of reviewing a country’s "cyber boundaries" in addition to holding online bloggers accountable? and how would it avoid being influenced by any one government or by other stakeholders?

Next I asked him for examples of common privacy violations that happen to online users. A few he said included identity theft in the form of phishing, which leads to financial frauds, and is one of the most dangerous consequences of privacy breach. Other examples included manipulation of online profiles in social networking sites to cause annoyance, defamation, and coercion; cyber squatting with content which can be misleading; posting of obscene pictures with or without morphing of victim’s photographs to other obscene photographs/pictures; and SPAM – particularly through mobile phones – are all serious forms of privacy violations.

My third question focused on privacy violations and bloggers. How could a blogger’s rights be compromised, especially with a focus on privacy? For bloggers, is privacy important simply to protect their identity and content, or are there other implications for privacy and bloggers? In our research we have looked into ways in which practices such as data retention by ISPs, government/law enforcements’ access to web content including private conversations, and poorly established user control over privacy settings on websites can violate online users’ privacy. According to Vijayashankar, a blogger is mainly concerned about privacy in the context of protecting his identity. It is important for bloggers to protect their identity because the content they create could be considered controversial or illegal in different regions. Thus, it is critical for bloggers to have the right to blog anonymously. An exception to this right is that if the blog is so offensive then the law enforcement agency can take action. In some countries individuals also can sue bloggers. To help protect bloggers from unreasonable and ungrounded searches, Vijayashankar suggested that a mechanism be created by which international and domestic law enforcement agencies can request 'sensitive' information. This mechanism would work to filter and evaluate requests for information without bias, and according to a country’s law own domestic law.

I then asked him what legal protections he felt bloggers needed. He said that he believes that it is important that bloggers and online users’ right to anonymity, protection of identity and freedom of expression (political and non-political) are protected from excessive regulations. An interesting point that he raised was about the protection of bloggers from international requests for information. According to –him — bloggers can be protected only to the extent to which their rights are protected in their own country. If a request for information comes to a law enforcement agency of a country of which the blogger is a citizen, information may need to be released unless an “asylum” has been granted.

An example of the situation Vijayashankar is referring to is that if a blogger in India writes content that is found to be controversial by the U.S Government; the U.S Government then has a right to request and access that information, unless the Indian Government provides protection over the citizen and the information and refuses to release it. Though right to information requests tend to be governmental, this rule changes if it is a citizen requesting information. Very rarely can a citizen of one country request information about a blogger from another country and gain access. The question of international discovery over Internet material is one that has many angles that need to be taken into consideration – a few being: what the content on the blog contained; was the content against an individual or a government; who is requesting the information — a citizen or the government, and whom are they requesting the information from? For example, in the US Supreme Court case, Calder vs. Jones 465 U.S. 783 (1984), information about a woman, Shirley Jones, was published in another state, but the court ruled that the wrongful action was directed to her where she was.

A large part of the debate over bloggers’ rights is centered on governments’ need to monitor online activity. Developments such as the new rules to the IT Act, the Indian Government’s request for blackberry’s encryption keys, and the news about the government wiretapping citizens’ phones show that the Government of India is demanding access to see and regulate content created by online users in India. When asked about bloggers’ rights and government access to content, Vijayashankar stressed that there has to be a mechanism to check the requests from government agencies, and any such mechanism should have popular representation. He went on to explain that presently an order for the blocking of a blog or for private information is made by a government agency or a court. Unfortunately, government agencies may be responsive to certain interests. Likewise, decisions of conventional courts can be inconsistent. Therefore, it is important that a mechanism that reflects the common person’s input is put in place. This could either be a stand-alone private body, such as Netizen Protection Agency, acting as one more layer of protection, or the government body itself could build in adequate public representation. Courts would need to recognize such bodies and seek their opinion as an input to any dispute. This is an innovative option, but one that is a radical departure from the view of a court as an impartial tribunal that is supposed to weigh every matter independently on its merits.

Lastly, I asked if a privacy legislation could address the issue at hand i.e., could a privacy legislation work to protect bloggers’ rights by providing them identity protection and protection of their content and in general what should be included in a comprehensive privacy legislation? Though India already addresses bloggers’ rights through the Information Technology Act, it could be possible that privacy legislation could establish a third party group to work to protect bloggers’ rights and hold both governments and bloggers’ accountable. When asked what should be included in a comprehensive privacy legislation, Vijayashankar suggested that it should recognize that privacy rights of individuals are part of the larger interests of the society, and a comprehensive legislation should work to take all the stakeholders into consideration.

For more details visit https://cis-india.org/internet-governance/blog/privacy/bloggers-rights-and-privacy

An Interview with Activist Shubha Chacko: Privacy and Sex Workers

elonnai — 2012-03-28T06:26:03Z

On February 20th I had the opportunity to speak with Shubha Chacko on privacy and sex workers. Ms. Chacko is an activist who works for Aneka, an NGO based in Bangalore, which fights for the human rights of sexual minorities. In my interview with Ms. Chacko I tried to understand how privacy impacts the lives of sex workers in India. The below is an account of our conversation.

Introduction

In our research we have been exploring where and how privacy is found in different areas of Indian society, law, and culture. As part of our research we have been holding public conferences across the country to raise awareness and gather opinions around privacy. One area that was discussed in the public conference in Bangalore was the privacy of sex workers. Shubha Chacko, who is from Aneka - an NGO located in Bangalore which fights for the human rights of sexual minorities, made a presentation that focused on the privacy challenges that sex workers in India face. In our interview Ms. Chacko pointed out many misconceptions that society holds about sex workers’ lives. She also detailed the challenges of stigma and discrimination that sex workers face, and described the precarious position that sex workers find themselves in as their work is constantly being pushed out of the public sphere by the law and society. I later interviewed Ms. Chacko to follow up on her presentation on privacy and sex workers. During the interview I had the opportunity to speak with both Ms. Chacko and a board member from the Karnataka Sex Workers Union. The following is meant to provide a perspective on how and in what ways society, law, media and tradition invades the privacy of sex workers. Though the piece is focused on the lives of sex workers, many of the issues raised are not limited to only sex workers, but characterize other marginalized communities as well.

When I began the interview with Ms. Chacko I was hoping to do a piece that looked at the different elements of a sex worker’s life, and identified the points at which their privacy was invaded – such as in contacting a client, going to the doctors, etc. After I began my interview only, I realized how privacy impacts sex workers is much more complicated than a life cycle analysis. Among other things, privacy issues for sex workers prompt questions challenging social definitions of public and private, having the right to an identity and a recognized profession, and having the autonomy to control decisions about oneself.

Basic Facts and Background Information:

Karnataka has been found to have 85,000 sex workers, and India has an estimated 2 million female sex workers [1]

Sex work is not against the law in India, but any commercialized aspect of the trade is prohibited – including running a brothel or soliciting a client.

Sex work is a multi-faceted profession with many positive and negative complexities that are rarely known to the public.

Understanding the Challenge of the Public and the Private

My interview with Ms. Chacko began with my seeking an understanding of the challenges that traditional notions of the public sphere and the private sphere pose for sex workers. Ms. Chacko explained that to understand how privacy impacts the life of a sex worker, it is important to first understand that sex workers by profession confront and question traditional conceptions of the public and the private. Sex and everything associated with it is seen as something that is to be kept only in the private sphere. The work of sex workers brings sex into the public sphere, and thus the workers are seen as being public women not entitled to privacy, because they stand on street corners and conduct their work in the public. This notion that sex workers are public women without a right to privacy shows through in the way they are treated by the media, the police, NGOs, and researchers. An example of this tension and society’s response can be seen in the recent elections. On April 6th, a Times of India news article reported that the election commission will be setting up “special booths” for sex workers to vote in because “while the sex workers had been waiting in queues to cast their votes, common people were not comfortable with that”[2]

What is the Challenge of the Public and the Private?

“It starts with a conception of issues around privacy vis-à-vis sex workers. The general perception is that sex workers are considered “public women”, because they are considered available to the public and because they sell sexual services on the streets (and are seen in contrast to the “good” woman who is confined to the private world of the home This then leads people to assume that then sex workers have are not entitled to privacy. Also sex workers are forced to reckon with issues of sex and sexuality, and if you talk about issues of sexuality - issues that are considered private are forced into the public domain, so sex workers by their presence force these issues into the public domain. So notions of privacy become complicated by this challenge of what is public and private, because the sex workers’ presence brings into the public domain what is private.”

How does this tension of the public and the private translate into privacy violations?

"Due to the stigma around sex work all rights of sex workers are seriously compromised; with impunity. Thus, privacy is a threshold issue.

The violation of privacy happens at various points, for example the way the media deals with them – publishing their photographs, outing them without their consent, talking about them without their consent. There are the police who are often engaged in so called “rescue and rehabilitation” work, but in the process of rescuing the sex workers, disregard the harmful impacts that compromising their right to privacy will do to them. The HIV prevention intervention programs that are in place now that target sex workers (along with other ‘high risk groups”) also erode their right to confidentiality. Besides intimate details of their lives being recorded, their address and other coordinates are noted. This information along with other sensitive information including their HIV status, is often accessible to a host of people and is a potential threat to their privacy and anonymity. Researchers and NGOs too often quiz sex workers about a range of intimate details about their lives with little sensitivity and expect them to be totally candid. These interviews also raise questions that relate to privacy."

Stigma, Discrimination, and Identity

Ms. Chacko also spoke about how the stigma and discrimination that sex workers face invades their privacy. Society views sex workers in one light – as immoral women. This stigma is attached to them permanently and is a source of violence and discrimination in the home, from the state, and from society. The sex workers’ right to anonymity and identity is also restricted because of the stigma attached to their work. Sex workers do not have the ability to control information about themselves, and they face challenges in obtaining official documents like a PAN card or a passport. This stigma and its consequences impedes sex workers from functioning comfortably in society and creates a difficult tension for sex workers to live with. Society denies the presence of sex workers, and police patrol parks and other public areas chasing away individuals whom they believe to be sex workers. The increased passivisation of public spaces – parks, (for example) and the over gentrification of the neighborhoods squeeze them out

In New York, one way that sex workers have overcome this constant and sometimes violent confrontation with society is through the use of mobile phones. Sex workers will contact clients only through mobile phones. This allows them to find their clients in private and anonymous ways, and it eliminates the need of a pimp or other type of ring leader. When I asked Ms. Chacko if sex workers are using this same technique in India, she recognized that they are, but said that it is not a yet widely practiced - especially among women in rural areas.

How Restricting is the Stigma?

“Huge - hardly ever does a person’s entire identity get conflated with her with occupation or livelihood option; the way it does with sex workers. … I mean, for example, if you go to a movie - people would not say; oh, look, there is a researcher come to see a movie - people would call you by name, but if a sex worker goes to a movie they always say: oh, look, there is a sex worker. There is only one side to her identity according to society. And everyone wants to know the same thing - How did they get into sex work. There is an excessive interest in this aspect alone (and generally they are seeking simple answers) - they never ask other questions about them as a person, only about them as a sex worker. Thus, real issues of violence and exploitation are never dealt with”.

HIV Initiatives, Medical Counseling , and Privacy

Medical consultations, especially those related to HIV/AIDS, in many ways violate the privacy of sex workers.

HIV Initiatives

HIV initiatives run by the Government are often invasive and function off of privacy-violating techniques. The government runs many HIV initiatives where sex workers are employed to be “peer educators.” A peer educator’s job is to spread awareness about HIV, distribute condoms, and bring sex workers for HIV testing. The privacy and anonymity of peer educators is compromised in the job title itself. Everyone in the community knows that to be a peer educator, one must also be a sex worker. Thus, if a person is a peer educator or with a peer educator, she is immediately outed and identified as a sex worker. Furthermore, HIV testing is compulsory for sex workers, though on paper it looks as though it is a choice. Because there are quotas that must be filled, sex workers often go through HIV testing without full consent.

How do Government HIV Initiatives Violate Privacy?

“The whole HIV intervention itself violates sex workers’ privacy. Both in the sense that people get jobs as peer educators and they have to carry condoms around and talk to other sex workers, and everyone thinks that if you are a peer educator then you are a sex worker, and there is no protection for these people even though it is sponsored by the state government.”

Line Listing

The HIV programs and testing centers also violate the privacy of sex workers. The clinics have a system known as line listing, which is meant to ensure that there are no duplications in data. In order to ensure this they collect identifying information from sex workers including address and phone number. The information is not protected and is easily accessible to whoever wishes to see it.

Line Listing and Privacy

“HIV programs have a process called line listing, which is to ensure that there is no duplication. So they take all your facts from you, and from that a sex workers address and such go out, and it’s put out with no safeguards.”

HIV Counselors and Doctors

HIV counselors also violate the privacy of sex workers. Though a patient’s HIV status is only supposed to be known to the counselor at the testing clinic and the lab technician, it often becomes the case that HIV results are widely shared. As per protocol, doctors and counselors must follow up with sex workers every three months if a sex worker is HIV negative. This is to ensure that they are still HIV negative, and to provide them treatment at the soonest if they do contract the disease. To carry out this follow-up work, counselors keep a list of patients whom they have seen. This list is supposed to be confidential, but other personnel in the hospital are assigned to do the follow-up phone calls, and thus the list is in fact easily accessible. If a person’s name disappears from the list, it is obvious that the person is now HIV positive, and that person’s privacy is violated and her status known.

How does HIV Counseling compromise Privacy?

“…only the counselor and the lab technician is supposed to know about it, but it turns out a whole number of people know about it, because of follow up. The counselor is supposed to follow up on the list with people every three months for further testing, but if you are positive then you do not need to follow up. Plus, these results are shared with everyone. Because of the stigma attached to HIV there is a need for privacy to be protected, so confidentiality is routinely violated.”

Media and Research

Media

Media was another area of contention that Ms.Chacko pointed out. Though the media plays an important role as being a channel for the voice of sex workers, it can also be intrusive on the sex worker by publishing stories without their consent, or reporting in ways that can be misconstrued. Through their coverage, the media can also deepen the stigma against sex workers and place them under an unwanted social spotlight. For example, a news article in The Hindu spoke about the World Cup bringing an “off day” for sex workers.

“With hoards of supporters glued to their television screens for the World Cup cricket final between India and Sri Lanka on Saturday, sex workers are anticipating a slow day, but they are not disappointed. It is a rare weekend for them with their children. The prospects of fewer clients coming in only buoyed the enthusiasm of the women in Sonagachi, the largest red-light area in the city…”[3]

The media is also often a part of raids by cover stories of brothels being uncovered, and in doing so expose the lives of sex workers, often printing sensitive information, including addresses, while portraying the sex workers as victims. The media, along with NGOs and the police will conduct raids that severely violate the privacy of sex workers. For example, in an Express India article a raid was described that took place in Pune with NGOs and the police in which sex workers were dragged out, beaten, and molested by the police against their will [4].

How does the media violate the privacy of sex workers?

“The media conducts raids, and so do NGOs in an attempt to rescue them. Once they are rescued and taken back with police escorts to their village, the whole village knows that she was in sex work, and then her privacy is violated because she was publicly returned. My problem is not about them being rescued, but they need to have consent from the person. If a person wants to do sex work – this decision needs to be respected. The media is difficult because you don’t want to ask for a ban, so we don’t ask for banning, but we do put pressure on the media to be more responsible in their reporting.”

Research/Films

Ms. Chacko also spoke about how research often violates the privacy of sex workers, in ways that range from the words that are used to describe sex workers to the one-sided victim story that is too often used to describe the lives of sex workers, to the methods researchers use to find their facts. Thus, perhaps without meaning to, research can de-legitimatize the work that sex workers do, and can work to increase the amount of violence or abuse that they are exposed to.

Research and Privacy

“Researchers who are writing a report on sex workers - land up in some village and end up violating their privacy as everyone in the village wants to know why the researchers came. The researchers also ask invasive questions. They want to know details about the sex workers’ lives: what kind of sex they have and with whom? What do they experience with their clients? What is their relationship with their partners? What is the status of their relationship.? They do not have a sense of whether the workers will want to talk about their lives or not…Some people make films and some make them in extremely exploitative ways. Films are also often incorrect and invasive of privacy in that way as well.”

The Role of a Privacy Legislation

In our research, we are looking at how a privacy legislation could help remedy the challenges to privacy that different people face in society; or ,if a privacy legislation cannot offer a solution, if there are other ways in which a legislation or society can offer solutions. When I asked Ms. Chacko if a privacy legislation or the right to privacy could improve the lives of sex workers, she was not certain if a privacy legislation would make a difference directly, and thought it might in fact overlook sex workers because currently they are seen in society as immoral women that are not to be afforded the right to privacy. In fact, it is the law and enforcers of the law itself that is invading their privacy. For example, in a study done by the World Health Organization it was found that in India 70 per cent of sex workers in a survey reported being beaten by the police, and more than 80 per cent had been arrested without evidence [5]. Thus, before a right to privacy can apply to sex workers, sex work itself must be decriminalized and recognized as a legitimate profession worthy of labor rights and other rights. Furthermore the debate around sex work needs to move away from the traditional dialogue of who is having sex and who is not to one that looks at what rights should be protected for every person. At that point perhaps a law which protects dignity and regulates the use of information could be useful. On another note, the UID (the Unique Identification Project) could be a potential benefit for sex workers as it would serve as identity that would give only a yes or no response at the time of a transaction.

Could a Privacy Legislation help?

“Some of the privacy is violated by the raids that happen by the police. So those raids are problematic. What kind of laws would help? One would be to decriminalize sex work itself and also work with society to gain understanding and perspective. Because now people think: they are immoral women ,so what privacy do they deserve? The sexual debate should not be about who is having sex and who is not, but about who has the power…”

The Current Law

In India, the Immoral Trafficking prevention Act ( ITPA) is the law that governs sex work. The ITPA does not make prostitution illegal, but instead tries to target the commercialized aspects of the trade such as brothel keeping, pimping, and soliciting. Though the law does not attack the sex workers as individuals, and its stated purpose is to prevent the trafficking of sex workers, the law has become a tool of harassment and abuse by law enforcement agencies. Sections 5A, 5B, 5C, which pertain to trafficking are the most troublesome, because the clauses do not distinguish between trafficking and sex work, but instead defines them as the same[6]. Thus, the new definitions of prostitution and trafficking leave room for reading all sex work as within the meaning of trafficking, and thus criminalizing sex work by defacto.[7] In addition, under the new Section 5C, clients visiting or found in a brothel will face imprisonment and/or fines [8]. Penalization of clients is a significant modification to the the ITPA, which formally targeted 'third parties' profiting from prostitution and not sex workers or clients themselves [9]. Sex workers have fought for a long time to overturn the ITPA. In June 2008, sex workers went on a hunger strike in the hopes of forcing the bill to be discarded [10]. In 2010 sex workers demonstrated against the amendment of the ITPA that would hold the clients of sex workers liable. Despite their protests and demands for their occupation to be treated equally, the Indian courts are slow to move forward and recognize sex work as a dignified profession. “A woman is compelled to indulge in prostitution not for pleasure but because of abject poverty,” the court said last month. “If such woman is granted opportunity to avail some technical or vocational training, she would be able to earn her livelihood by such vocational training and skill instead of selling her body.” The court has also promised to initiate a program in May for vocational training of sex workers [11]. Unfortunately, vocational training fails to address the actual issues and violations that sex workers face – a fact that was demonstrated by one sex worker’s saying: “If we can’t solicit clients without getting arrested, we will naturally rely on pimps to carry on our trade…What we need are practical measures that free us from exploitation created by the law itself.”

Solutions

One of the most impactful source of aid for sex workers currently is the sex workers union. I had the opportunity to speak with a member from the board of the Karnataka Sex Workers
union. She spoke about the challenges that sex workers face and how the Union provides assistance to the sex workers. The union helps them obtain benefits, helps with enrolling their children in schools, and answers questions that they would not be able to seek legal or other assistance on. The union is a confidential and safe space for sex workers to function in society. The person interviewed feels as though the information about herself that should be kept confidential is: her medical information, her clients, where she meets her clients, and information about her family. Ms. Chacko also spoke about the positives that an identity scheme like the UID could have on sex workers, because the transactions would be done through a yes/ no response, and no one will be denied a UID number. Most importantly, Ms. Chacko stressed that it is important to recognize sex work as a legitimate profession,and focus on the actual problems, rather than limiting the debate to stigmas around sex. The interview with Ms. Chacko demonstrated that protection of sex workers’ and sexual minorities’ privacy cannot be addressed simply by a law, but must be embodied by an ethos and a culture before that law is meaningful.

Bibliography

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy_privacyandsexworkers

Right to Privacy Bill 2010 — A Few Comments

elonnai — 2012-03-22T06:26:14Z

Earlier this year, in February 2011, Rajeev Chandrasekhar introduced the Right to Privacy Bill, 2010 in the Rajya Sabha. The Bill is meant to “provide protection to the privacy of persons including those who are in public life”. Though the Bill states that its objective is to protect individuals’ fundamental right to privacy, the focus of the Bill is on the protection against the use of electronic/digital recording devices in public spaces without consent and for the purpose of blackmail or commercial use.

Specific Recommendations

The use of electronic recording devices in public is an important and expansive aspect of privacy, which is yet to be directly covered by Indian law. Though the Bill addresses the basic usage of electronic devices with built-in cameras, it frames the violation as a personal violation. In doing so, the Bill has taken a punitive approach, making it criminal to take photographs in situations outside of the laid-out regulations, rather than protective in nature, i.e., working to protect individuals from harassment and blackmail, and offer forms of redress to those damaged.

The Bill fails to address scenarios such as Google street view, satellite photographs, news channels, and live feeds at events and conferences. In these situations live data is being transmitted and posted on the Web for public to view by the media. When looking at the dilemma of photographs being taken in public by the media, the privacy interests are different to those that are based on control of personal information alone. They are substantive, as opposed to informational, and engage directly with individual dignity, autonomy, and the freedom of expression. For example, the interest in freedom of expression encompasses both those of the photographers and journalists producing material for his/her journal. Can a journalist print a photograph taken in a public space — of a public figure, which the public figure did not consent to, and which that person considers defamatory?

Interestingly, Europe has strong laws regulating the taking of photographs in public spaces, but these rules are covered by the Protection from Harassment Act, 1997 (UK), which speaks specifically to the media’s behaviour towards public figures — or they fall under a tort of misuse. In the US taking photographs only becomes an issue in the use of the photograph. Essentially anyone can be photographed without consent except when they have secluded themselves in places where they have a reasonable expectation of privacy such as dressing rooms, restrooms, medical facilities, or inside a private residence. This legal standard applies regardless of the age, sex, or other attributes of the individual. Once a photograph is taken, and if that photograph is used for commercial gain without consent or publicizes an otherwise private person inappropriately, then that person can be held liable under the tort of misappropriation.

Specific Comments to the Bill

Misguiding Title

The title of the Bill is, the Personal Data Protection Bill, 2006," but the scope of the Bill is focused on regulating the use of electronic recording devices, and it does not include many aspects of privacy. So we recommend that the title of the Bill be modified to "The Electronic Recording Devices Bill, 2010".

Inappropriate Blanket Use of Privacy

The introduction to the Bill states that its purpose is "for the protection of the right to privacy of persons including those who are in public life so as to protect them from being blackmailed or harassed or their image and reputation being tarnished in order to spoil their public life and for the prevention of misuse of digital technology for such purposes and for matters connected therewith and incidental thereto."

Comment: Notwithstanding the fact that violations of privacy extend beyond blackmail, harassment, and defamation, and that digital technologies are not the only vehicles for privacy violations, it is important to qualify that privacy is not a blanket right, and that for public persons, the privacy that they are afforded is determined by balancing their interest against the public interest.

Narrow Definition of Public Figures

Section 2 (b) of the Bill states: "persons in public life" includes the representatives of the people in Parliament, state legislatures, local self government bodies, and office bearers of recognized political parties

Comment: Persons in public life include persons beyond the political sphere, specifically those in higher positions that influence the behaviour, lifestyles, and culture of the general population. Thus, we recommend that this definition be extended to include actors, actresses, athletes, artists, and musicians, CEOs, and authors.

Insufficient Limits to the Right to Privacy

Section 3 (1) states: “Notwithstanding anything contained in any other law for the time being in force every person, including persons in public life, shall have the right to privacy which shall be exclusive, unhindered and there shall be no unwarranted infringement thereof by any other person, agency, media or anyone:

Provided that sub-section (1) of section 3 shall not apply in cases of corruption, and misuse of official positions by persons in public life.

Comment: We recommend that the right to privacy, as any right, need not be identified as exclusive or unhindered. The right to privacy must be determined on a case by case basis relative to the public interest, and, while cases of corruption and misuse of official position by persons in public life certainly qualify, they do not encompass the wider variety of situations in which an individual’s right to privacy should be limited. For instance, if a public figure speaks out on an issue in a way that contradicts an earlier position that was captured on video, shouldn’t that be allowed to be made public? If a public figure is photographed in a morally questionable position, shouldn’t that be allowed to be made public? Indeed, even for private individuals, privacy is a matter of context. In airports and other sensitive public places it is commonly accepted that an individual’s right to privacy can be limited. If an individual has a disease such as HIV, under what circumstances should some or all of the greater public should be informed and their right to privacy may be limited?

Limited Scope of Technology

Section 4 of the Bill states: "No person shall use a cellular phone with an inbuilt camera, if it does not produce a sound of at least 65 decibels and flash a light when used to take a picture of any object or person, as the case may be.

Comment: We recommend that this clause clarifies if only cellular phones, and not cameras, computers, or other devices with built-in cameras are required to produce the sound of at least 65 decibels.

Overly Complicated Clauses

Section 5 of the Bill states: Notwithstanding anything contained in any other law for the time being in force, no person shall make digital recording or take photographs or make videography in any manner whatsoever of:

Section 5(a): any part or whole of a human body which is unclothed or partially clothed without the consent of the person concerned.

Section 5 (b): any part or whole of a human body at any public place without the consent of the person concerned and

Section 5 (c): the personal and intimate relationship of any couple in a home, hotel, resort, or any place within the four walls by hidden digital or other cameras and such other instruments, or any place within the four walls by hidden digital cameras and such other instruments…with the intent of blackmail or of making commercial gains from it or otherwise.

Comment: Section 5 currently lists certain circumstances in which photographs are not allowed to be taken of individuals in public without consent if they are to be used for the purpose of commercial gain or blackmail. Blackmail or commercial gains are not the only ways in which digital recordings of people can be misused. Certainly, taking such pictures to post for purposes of hurting one’s reputation or causing humiliation is as reprehensible as taking pictures for commercial gain, so the provision is too narrow. It may also be overboard, because a person may be captured in an artistic or political photograph but have, for example, bare arms or legs. That would be a picture of a part of a human body at a public place. We recommend that the list of offences include misappropriation and false light, and that the manner of the picture-taking not be limited to clauses (a) to (c) above.

Section 5 is the first instance in which the use of digital recordings for commercial gain has been mentioned as a violation in the Bill. We recommend that commercial gain as a violation should be added to the introduction of the Bill.

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-bill-2010

A Stolen Perspective

elonnai — 2012-03-21T09:43:51Z

The note below is a perspective piece on biometrics. On March 11th I traveled down to the Philippines, and had a chance to experience the possible convenience of biometric based identification.

A Sequence of Events

On the evening of March 11th I found myself on a plane destined to the Philippines for a week long joint privacy and ICT development conference in Bohol. After a 14 hour journey I landed in Manila, and was welcomed by the hot tropical weather, so familiar to the Philippines. Hungry I quickly dropped my checked bag at the hotel, and taking my backpack, set out immediately to explore Filipino food culture. Over a dinner of rice and grilled chicken, the standard local cuisine every tourists nightmare came true for me. I was robbed. While eating a group of men made a commotion around me and snatched my bag. Much to my distress the thief was able to get away with not only money and my camera, but my entire wallet consisting of my passport, Indian visa, Canadian visa, health card, FRO paper, and debit cards. In a nutshell – the wallet had every document essential and of value to my life. Little does the thief know, but his one snatching act has made me reconsider many aspects of my life, including my position on biometric forms of identification.

For the past several months I have been researching biometric forms of identification in response to the UID scheme that is being proposed in India. My stance on biometrics in my research has always been neutral – trying to draw out both the pro’s and the con’s of using biometrics. Personally though, I had always swayed away from the idea of my biometric being the strongest form of identification. The possibility that my daily motions could be easily tracked through the constant use of my finger print for transactions never settled well with me. Potential convergence of databases, unreliable technology, the possibility of stolen fingerprints, no choice to use other forms of identification have all been concerns that swayed me to the less optimistic side of the debate. But after jumping over hurdle after hurdle that came along with trying to replace the lost paper documents, and sweating at night thinking of all the possible ways the thief could exploit my papers, I am more privy to the idea of biometrics as a strong form of identification.

The process of recovering my documents started off with a police report and the cancelling of my cards. The second task was not as easy as I had hoped, as I had not brought photocopies of my cards. Thus, it took me three hours to actually cancel my cards. Throughout the whole process I kept thinking that if my account was only accessible through my fingerprint – I would not have to worry about closing the accounts. Or if I could have identified, verified, and cancelled my account with the use of a cell phone equipped with a fingerprint reader, I would not have had the stress of rushing around trying to find adequate information to cancel my bank account.

The next step in the process started early Monday morning when I set out to the American Embassy. Luckily the hotel had taken a copy of my American passport (I did not have a photocopy of this either). With the copy of the passport, police report, and my social security number – the American embassy was able to pull up my information, and issue me an emergency passport that would be valid for three months. If I had not had a copy of my passport – the process of getting an emergency passport I can only imagine would have been even more challenging. As I sat for hours in the embassy my mind wandered to the thief and the known market for American passports. I could not help but think about how much more secure my passport would be if verification was based on my fingerprints accompanied by a passport, rather than just my passport and a picture. Speaking with the embassy officer confirmed my thoughts. He talked about how fake American passports are becoming harder and harder to use now that the biometric has been introduced. In this situation the biometric would be a form of convenience and security – a way of lowering the risks of my stolen passport from being misused and my identity from being taken advantage of.

On Tuesday morning I took on the challenge of the Indian embassy. I officially came to India 8 months ago on an employment visa. When I explained my situation to the embassy I hit my first road block of the day. By rule, all matters relating to employment visa’s must be handled by and at the place of issuance. Country databases do not talk between eachother – thus the Indian embassy in the Philippines could not contact the Indian embassy in the States or in India to verify my information. Therefore, for my employment visa to be replaced I would need to return to New York and speak with the embassy there. This was not an option. Speaking again with the officer, he finally suggested a tourist visa. Typically tourist visa’s are not issued on 3 months passports (my emergency passport was only three months), but the officer made an exception and agreed to issue a tourist visa. When I went to pay for my tourist visa I hit my second road block of the day. I was lucky and had kept one credit card in another bag, but as it turns out, the Indian embassy only accepted cash. The day was almost over and I needed to pay for my application for it to be processed. The officer had already made an additional exception, and had agreed to process my visa in three days (when my return flight to India was scheduled) rather than the typical six working days. Trying to think on my feet I sped to the nearest mall and tried to take money out of an ATM. No luck. I tried to get cash back on a grocery store purchase. No luck. I tried to western union myself money from my VISA. No luck. Finally I was able to get through to a friend of my boss who could loan me the cash, but not until the next morning. So, I rushed back to the embassy and begged with the officer to process my visa in two days rather than one. Thankfully he agreed. Riding the local metro back to my hotel I thought again about how convenient it would have been to have my credit accessible through my fingerprint, and not have to rely on a card.

Biometric is a convenience:

This experience, and the many hurdles that I needed to jump in order to replace my lost papers made me realize that one side of the biometric debate that is often glazed over with talk of security and privacy, is that of convenience. It would have been incredibly convenient if on my initial visit to the American Embassy they had been able to pull up my entire file, re-issue me my lost passport and visas, and accepted payment through credit accessed through my fingerprint and a pin. Though I am still aware of the risks associated with biometrics as a form of identity, this experience has shown me the positive side and convenience of having a biometric identification rather than paper forms of identification.

Perhaps there is a privacy happy medium:

This experience has shown me that the use of biometric technology has many benefits. I do not think it is too far a leap to say that biometrics can be convenient and privacy enhancing. For instance, based off of research done by the Canadian Government on biometrics, there are many pivotal areas of biometrics which determine whether they are used in a way that enhances privacy or used in a way which invades privacy such as:

Distinguish between authentication and identification:

Identification involves a comparison of one biometric against all collected biometrics in one central database. Authentication involves a comparison of a live biometric against a stored template. Thus , the central database should not be accessed for both authentication and identification processes . Placing a biometric on a smart card puts the control of access for authentication in the hands of the data subject [1].

Encryption

A biometric should be encrypted whenever it is used. A biometric should be encrypted to this degree that it is not possible to reconstruct the biometric data. After an encrypted version of the biometric is made, the original biometric should be deleted [2].

No unique identification

A fingerprint scan should not, and cannot be used alone to identify an individual [3].

Access control

Strict control on access regarding third parties should be enforced. To bolster this point, a warrant or court order should be required for access by external agencies.

Transactional information stored separately

Transactional information about a person should be stored separately from personal identifiers such as name or date of birth [4].

Procedural safeguards given legality

All procedural and technical safeguards that are established should be placed in a legislation to give them the force of the law.

Biometrics in India

Though there is no way to make a biometric perfectly safe, these standards, if enforced, I believe work to ensure that a biometric is as secure as possible. In India biometrics has become a controversial topic as the country is currently considering/has begun to implement the UID – an identity scheme based off of biometrics. Concerns with the project include the centralized storage of biometric information, the possibility of tracking individuals through the use of their biometric, and the unreliability of the technology. For example in an article found in Money Life, test results from the UID project showed the possibility of up to 15,000 false positives for every Indian resident [5]. Biometrics have been used in India even before the UID scheme. In 2009 schools proposed to use biometrics as a way of marking attendance for both the students and the teachers in order to decrease the dropout rate and insure that teachers are present in school [6] . Also in 2009 fishermen in the coastal village of Awas were issued the biometric based multi-purpose National Identity Card [7]. The MNIC scheme was later dropped. Clearly India is in a position where she must think about the convenience of biometrics weighed against the privacy risks, and determine how biometric use in India should be secured in order to find a balance between the two.

Bibliography

Office of the Privacy Commissioner of Canada. Data At Your Fingertips: Biometrics and the Challenges to Privacy. Pg.10
Cavoukian, Dr. Ann. Privacy and Biometrics. Information and Privacy Commissioner Ontario, Canada. Pg. 4
Office of the Privacy Commissioner of Canada. Data At Your Fingertips: Biometrics and the Challenges to Privacy. Pg.10
Office of the Privacy Commissioner of Canada. Data At Your Fingertips: Biometrics and the Challenges to Privacy. Pg.9
http://www.moneylife.in/article/how-uidai-goofed-up-pilot-test-results-to-press-forward-with-uid- scheme/14863.html
http://articles.timesofindia.indiatimes.com/2009-02-25/mumba
http://28038452_1_smart-cards-biometric-coastal-villages

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy_astolenperspective

Encryption Standards and Practices

elonnai — 2012-03-22T05:39:16Z

The below note looks at different types of encryption, varying practices of encryption in India, and the relationship between encryption, data security, and national security.

Introduction: Different Types of Encryption

When looking at the informational side of privacy, encryption is an important component to understand. Encryption in itself is a useful tool for protecting data that is highly personal in nature and is being stored, used in a transaction, or shared across multiple databases. The quality of encryption is judged by the ability to prevent an outside party from determining the original content of an encrypted message. There are many different types of encryption including:

Symmetric Key Encryption: Communicating parties share the same private key that is used to encrypt and decrypt the data. This form of encryption is the most basic, and is fast and effective, but there have been problems in the secure exchange of the unique keys between communicating parties over networks [1].

Asymmetric Key Encryption: This system relies on the use of two keys– one public, and one private. In this system only the user knows the private key. In order to ensure security in the system a mathematical algorithm that is easy to calculate in one direction, but nearly impossible to reverse calculate is often used. Use of a public and a private key asymmetric avoids the problem of secure exchange that is experienced by symmetric key encryption. The basis of the two keys should be so different, that it is possible to publicize one without the danger of being able to derive the original data. Decoding of data takes place in a two step process. The first step is to decrypt the symmetric key using the private key. The second step is to decode the data using the symmetric key and interpret the actual data[2].

One-way Hash Functions: One-way hash functions are mathematical algorithms that transform an input message into a message of fixed length. The key to the security of hash functions is that the inverse of the hash function must be impossible to prove[3].

Message Authentication Codes: MACs are data blocks appended to messages to protect the authentication and integrity of messages. MACs typically depend on the use of one-way hash functions[4].

Random Number Generators: An unpredictable sequence of numbers that is produced by a mathematical algorithm[5].

Encryption in India

Encryption in India is a hotly debated and very confusing subject. The government has issued one standard, but individuals and organizations follow completely different standards. According to a note issued by the Department of Telecommunications (“DOT”) in 2007, the use of bulk encryption is not permitted by Licensees, but nevertheless Licensees are still responsible for the privacy of consumers’ data (section 32.1). The same note pointed out that encryption up to 40 bit key length in the symmetric key algorithms is permitted, but any encryption higher than this may be used only with the written permission of the Licensor. Furthermore, if higher encryption is used, the decryption key must be split into two parts and deposited with the Licensor. The 40 bit key standard was previously established in 2002 in a note submitted by the DOT:“License Agreement for Provision of Internet Service (including Internet Telephony)’ issued by Department of Telecommunications”[6] Though a 40 bit standard has been established, there are many sectors that do not adhere to this rule. Below are a few sectoral examples:

A) Banking: ‘Report on Internet Banking’ by the Reserve Bank of India 22 June 2001:

"All transactions must be authenticated using a user ID and password. SSL/128 bit encryption must be used as the minimum level of security. As and when the regulatory framework is in place, all such transactions should be digitally certified by one of the licensed Certification Authorities.”[7]

B).Trade: The following advanced security products are advisable:

"Microprocessor based SMART cards, Dynamic Password (Secure ID Tokens), 64 bit/128 bit encryption"[8]

C).Trains: ‘Terms & Conditions’ for online Railway Booking 2010:

"Credit card details will travel on the Internet in a fully encrypted (128 bit, browser independent encryption) form. To ensure security, your card details are NOT stored in our Website.”[9]

The varying level of standards poses a serious obstacle to Indian business, as foreign countries do not trust that their data will be secure in India. Also, the differing standards will pose a compliance problem for Indian businesses attempting to launch their services on the cloud.

Data Security, Encryption, and Privacy:

To understand how encryption relates to privacy, it is important to begin by looking at data security vs. privacy. Security and privacy have an interesting relationship, because they go hand in hand, and yet at the same time they are opposed to each other. First, data security and privacy are not the same. Breaches in data security occur when information is accessed without authorization. There is no loss of privacy, however, until that information is misused. Though data security is critical for protecting privacy, the principles of data security call for practices that threaten privacy principles. For example, data security focuses on data retention, logging, etc, while privacy focuses on the consent, restricted access to data, limited data retention, and anonymity[10]. If security measures are carried out without privacy interests in mind, surveillance can easily result in severe privacy violations. Thus, data security should influence and support a privacy regime but not drive it. In this context, encryption and data security will create an expectation of privacy, rather than undermine or overshadow privacy. By the same token encryption cannot be seen as the cure for privacy challenges. Encryption cannot adequately protect data, but when supported by a strong privacy and security regime – it can be very effective. It is also a good measuring rod for determining how committed a company has been to protecting a person’s privacy and ensuring the security of his or her data. In light of the symbiotic yet complicated relationship that privacy and data security have with each other, it would make sense for legislation and domestic encryption standards to be merged and addressed together. This would ensure that a) the standard is not archaic (as the current 40 bit one is); b) would take into account the threat to privacy that surveillance can impose and would address decryption when addressing encryption; and c) would anticipate the collection and cataloging of data and ensure security of the data and person as well as national security.

National Security and Encryption

Encryption is a subject that causes governments a great deal of concern. For example in order to preserve foreign policy and in national security interests, the US maintains export controls on encryption items [10]. This means that a license is required to export or re-export identified items. Though the Indian government currently does not have an analogous system, it would be prudent to consider one. Though the government is aware of the connection between encryption and national security, it seems to be addressing it by setting a low standard for the public which enables it to monitor communications etc. easily. It is important to remember though that today we live in a digital age where there are no boundaries. One cannot encrypt data at 40 bits in India and think it is safe, because that encryption can be broken everywhere else in the world. Despite the fact that there are no boundaries in the digital age, users of the internet and communication technologies are subject to different and potentially inconsistent regulatory and self-regulatory data security frameworks and consequently different encryption standards. One way to overcome this problem could be to set in fact a global standard for encryption that would be maximal for the prevention of data leaks. For instance, there are existing algorithms that are royalty free and available to the global public such as the Advanced Encryption Standard algorithm, which is available worldwide. The public disclosure and analysis of the algorithm bolsters the likelihood that it is genuinely secure, and its widespread use will lead to the expedited discovery of vulnerabilities and accelerated efforts to resolve potential weaknesses. Another concern that standardized encryption levels would resolve is the problem of differing export standards and export controls. As seen by the example of the US, industrialized nations often restrict the export of encryption algorithms that are of such strength that they are considered “dual use” – in other words, algorithms that are strong enough to be used for military as well as commercial purposes. Some countries require that the keys be shared, while others take a hands-off approach. In India joining a global standard or creating a national standard of maximum strength would work to address the current issue of inconsistencies among the required encryption levels.

The Relationship between the Market, the Individual, the State, and Encryption

Moving away from the technical language it is useful to break down encryption from a social science point of view. Who are the actors involved – what is their relationship with each other, and how does encryption come into the picture. When one looks at encryption it is possible to conceive of many different scenarios, each with different players. In the first scenario there is an individual and another individual. They are sending information back and forth. The third individual could be an entity, a business, or just another individual. The first two individuals want to keep their information away from this third, unknown person or entity. For that reason, the first two encrypt their communications. Encryption is a tool that has the ability to re-draw the lines between the public and private sphere by giving individuals the ability to form a very private line of communication, and thus a very private relationship in a space that is very non-private - such as the internet. In another scenario between the individuals and the markets – the market wants information about an individual to enhance its effectiveness and profits. To create trust, the market promises that information given is encrypted. Thus, the market is attempting to initiate a trusting relationship with individuals. This relationship though, is forced and false, because individuals must compromise how much information they disclose for a product or service in return.

In the second scenario, there is an individual, another individual, and a Government. In this situation the two individuals again say that they want to have a private conversation in a public space, and so it is encrypted, but the Government – which is worried about national security decides that it wants to listen in on the conversation. This places a new dynamic on the relationship. No longer are the two individuals private. Not only can the government hear their conversation, but they have no choice over whether their conversation is heard or not. This is a relationship based off of the premises of distrust between the government and individuals. It presupposes, and is biased in assuming, that if you have done nothing wrong – you have nothing to hide.Using the same set of actors, perhaps a government requires the collection of information about its citizenry that is sensitive. To ensure the privacy of its people, the government encrypts the information, but the individual has essentially lost control over his/her information. He/she is forced to trust that the Government will not misuse the information given.

In the third scenario there is a market, an, individual, and the government. The market gathers information about an individual on transactional levels, but encrypts it – because in the wrong hands – this information could be misused. The government still wants access to the information and so they demand the information. What does the market say? Does it side with the individual or the Government? If governments sanction the market, they can make it bend to their will. Thus, the government is in a position to control the market and the individual, but to what ends and for what means. In all of these situations the understood role of the market, the government, and the individual has been shifted by the ability to encrypt information. The idea of using encryption as a means to keep information safe speaks to a new relationship that has formed between the government, the market, and the individual.

Bibliography:

Burke, Jerome. McDonald, John. Architectural Support for Fast Symmetric-Key Cryptography
Munro, Paul. Public Key Encrpytion. University of Pittsburgh. 2004
Merkle, Ralph. One Way Hash Functions and DES.
Department of Commerce. Federal information Processing Standards Publication. The Keyed - Hash Message Authentication Code. http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf
http://www.ruskwig.com/random_encryption.htm
http://www.indentvoice.com/other/ISPLicense.pdf
Report on Internet Banking’ by The Reserve Bank of India: 22 June 2001
Internet Trading guidelines issued by Securities & Exchange Board of India: 31 January 2000
Website of IRCTC (a public sector undertaking under the Ministry of Railways)
American Bar Assiociation: International Guide to Privacy.
Department of Commerce: Bureau of Industry and Security – Encryption Export Controls. June 25 2010

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy_encryption

Privacy Protection Bill, 2013 (With Amendments based on Public Feedback)

elonnai — 2013-07-12T10:50:22Z

In 2013 CIS drafted the Privacy Protection Bill as a citizens' version of a privacy legislation for India. Since April 2013, CIS has been holding Privacy Roundtables in collaboration with FICCI and DSCI, with the objective of gaining public feedback to the Privacy Protection Bill and other possible frameworks for privacy in India.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

As a part of this process, CIS has been amending the Privacy Protection Bill based on public feedback. Below is the text of the Bill as amended according to feedback gained from the New Delhi, Bangalore, and Chennai Roundtables.

Click to download the Privacy Protection Bill, 2013 with latest amendments (PDF, 196 Kb).

For more details visit https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback

Another Step towards Privacy Law

elonnai — 2018-01-18T01:50:59Z

A comparison between the 2012 experts’ report and the 2017 white paper on data protection.

The column was published in Governance Now in January 15, 2018 issue.


(Illustration: Ashish Asthana)

On July 31 the ministry of electronics and information technology (MeitY) constituted a committee of experts, headed by justice (retired) BN Srikrishna, to deliberate on a data protection framework for India. The committee is another step in India’s journey in formulating a national-level privacy legislation.

The formulation of a privacy law started as early as 2010 with an approach paper for a legislation on privacy towards envisioning a privacy framework for India. In 2011, a bill on right to privacy was drafted. In 2012 the planning commission constituted a group of experts, with justice (retired) AP Shah as its chief, which prepared a report recommending a privacy framework.

A month after the formation of the committee, in August, the sectoral regulator, Telecom Regulatory Authority of India (TRAI), released the consultation paper, ‘Privacy, Security and Ownership of the Data in the Telecom Sector’. In the same month, the supreme court in a landmark decision recognised privacy as a fundamental right.

In November 2017, the expert group released a ‘White Paper of the Committee of Experts on a Data Protection Framework for India’ to solicit public comments on the contours of a data protection law for India.

To understand the evolution of the thinking around a privacy framework for India, this article outlines and analyses common themes and differences between (a) the 2012 group of experts’ report, and the 2017 expert committee’s white paper.

The white paper seeks to gather inputs from the public on key issues towards the development of a data protection law for India. The paper places itself in the context of the NDA government’s Digital India initiative, the justice Shah committee report, and the judicial developments on the right to privacy in India. It is divided into three substantive parts: (1) scope and exemptions, (2) grounds of processing, obligation and entities, individual rights, and (3) regulation and enforcement. Each part is comprised of deep dives into key issues, international practices, preliminary views of the committee, and questions for public consultation.

Broadly, the 2012 report defined nine national-level privacy principles and recommended a co-regulatory framework that consisted of privacy commissioners, courts, self-regulating organisations, data controllers, and privacy officers at the organisational level. At the outset, the 2017 white paper is different from that report simply by the fact that it is a consultation paper soliciting views as compared to a report that recommends a broad privacy framework for India. In doing so, the white paper explores a broader set of issues than those discussed in the justice Shah report – ranging from the implications of emerging technologies on the relevance of traditional privacy principles, data localisation, child’s consent, individual participation rights, the right to be forgotten, cross-border flow of data, breach notification etc. Given that the white paper is a consultation paper, this article examines the provisional views shared in it with the recommendations of the 2012 report.

Key areas that the both the documents touch upon (though not necessarily agree on) include:

Applicability

The 2012 report of experts recommended a privacy legislation that extends the right to privacy to all persons in India, all data that is processed by a company or equipment located in India, and to data that originate in India.

Provisional views in the white paper reflect this position, but also offer that applicability could be in part determined by the legitimate interest of the state, carrying on a business or offering services or goods in India, and if, despite location, the entity is processing the personal data of Indian citizens. The provisional views also touch upon retrospective application of a data protection law and agree with the 2012 report by recommending that a law apply to privacy and public bodies. They also go a step further by recommending specific exemptions in application for well defined categories of public or private entities.

Exceptions

The experts’ report defined the following exceptions to the right to privacy: artistic and journalistic purposes, household purposes, historic and scientific research, and the Right to Information. Exceptions that must be weighed against the principles of proportionality, legality, and necessary in a democratic state included: national security, public order, disclosure in public interest, prevention, detection, investigation, and prosecution of criminal offences, and protection of the individual or of the rights and freedoms of others.

Provisional views in the 2017 white paper broadly mirror the exemptions defined in the experts’ report, but do not weigh exceptions related to national security and public interest etc. against the principles of proportionality, legality, and necessary in a democratic state and instead explored a review mechanism for these exceptions.

Consent

Provisional views in the white paper on consent note that aspects of consent should include that it is freely given, informed and specific and that standards for implied consent need to be evolved.

Though the 2012 experts’ report defined a principle for choice and consent, this principle did not define aspects of what would constitute valid consent, yet it did incorporate an opt-out mechanism.

Notice

Provisional views in the white paper hold that notice is important in enabling consent and explore a number of mechanisms that can be implemented to effect meaningful notice such as codes of practice for designing notice, multilayered notices, assessing notices in privacy impact assessments, assigning ‘data trust scores’ based on their data use policy, and having a ‘consent dashboard’ to help individuals manage their consent across entities.

These views build upon and complement the principle of notice defined in the 2012 report which defined components of a privacy policy as well as other forms of notice including data breach (also addressed in the white paper) and legal access to personal information.

Purpose limitation/minimisation

Provisional views in the white paper recognise the challenges that evolving technology is posing to the principle of purpose limitation and recommend that layered privacy policies and the standard of reasonableness can be used to contextualise this principle to actual purposes and uses.

Though the 2012 report defined a purpose limitation principle, the principle does not incorporate a standard of reasonableness or explore methods of implementation.

Data Retention and Quality

Provisional views in the white paper suggest that the principles of data retention and data quality can be guided by the terms “reasonably and necessary” to ensure that they are not overly burdensome on industry.

The 2012 report of experts briefly touched on data retention in the principle of purpose limitation –holding that practices should be in compliance with the national privacy principles.

Right to Access

Provisional views in the white paper recognise the importance of the right confirmation, access, and rectify personal information of the individual, but note that this is increasingly becoming harder to enforce with respect to data that is observed behavioral data and derived from habits. A suggested solution is to impose a fee on individuals for using these rights to deter frivolous requests.

Though the 2012 report defined a principle of access and correction it did not propose a fee for using this right and it included the caveat that if the access would affect the privacy rights of others, access may not be given by the data controller.

Enforcement Mechanisms

Provisional views in the 2017 white paper broadly agree with the appropriateness of the model of co-regulation and development of codes of practice as suggested in the 2012 report. Within the system envisioned in the 2012 report of experts, self-regulating organisations at the industry level will have the ability to develop industry specific norms and standards in compliance with the national privacy principles to be approved by the privacy commissioner.

Accountability

The provisional views of the white paper go beyond the principle of accountability defined in the 2012 report by suggesting that data controllers should not only be held accountable for implementation of defined data protection standards, but in defined circumstances, also for harm that is caused to an individual.

Additional Obligations and Data Controllers

Provisional views in the white paper suggest the following mechanisms as methods towards ensuring accountability of specific categories of data controllers: registration, data protection impact assessment, data audits, and data protection officers that are centres of accountability.

The 2012 experts’ report also envisioned impact assessments and investigations carried out by the privacy commissioner and the role of a data controller, but did not explore registration of these entities.

Authorities and Adjudication

The both documents are in agreement on the need for a privacy commissioner/data protection authority and envision similar functions such as conducting privacy impact assessments, audits, investigation, and levying of fines. The white paper differs from the 2012 experts’ report in its view that the appellate tribunals under the IT Act and bodies like the National Commission Disputes Redressal Commission could potentially be appropriate venues for adjudicating and resolving disputes.

Though the 2012 experts’ report recommended that complaints can be issued through an alternative dispute resolution mechanism, to central and regional level commissioners, or to the courts – for remedies– enforcement of penalties should involve district and high-level courts and the supreme court. The 2012 report specified that a distinct tribunal should not be created nor should existing tribunals be relied upon as there is the possibility that the institution will not have the capacity to rule on a broad right of privacy. Individuals that can be held liable by individuals include data controllers, organisation directors, agency directors, and heads of governmental departments.

Penalty and Remedy

The white paper goes much further in its thinking on penalties, remedies and compensation than the 2012 report of experts – discussing potential models for calculation of civil penalties including nature and extent of violation of the data protection obligation, nature of personal information involved, number of individuals affected, whether infringement was intentional or negligent, measures taken by the data controller to mitigate the damage, and previous track record of the data controller.

The white paper is a progressive and positive step towards formulating a data protection law for India that is effective and relevant nationally and internationally. It will be interesting to see the public response to it and the response of the committee to the inputs received from the consultation as well as how the final recommendations differ, build upon, and incorporate previous policy steps towards a comprehensive privacy framework for India.

For more details visit https://cis-india.org/internet-governance/blog/governance-now-elonnai-hickok-another-step-towards-privacy-law-data-protection

Privacy and Governmental Databases

elonnai — 2012-03-22T05:41:38Z

In our research we have found that most government databases are incrementally designed in response to developments and improvements that need to be incorporated from time to time. This method of architecting a system leads to a poorly designed database with many privacy risks such as: inaccurate data, incomplete data, inappropriate disclosure of data, inappropriate access to data, and inappropriate security over data. To address these privacy concerns it is important to analyze the problem that is being addressed from the perspective of potential and planned interoperability with other government databases. Below is a list of problems and recommendations concerning privacy, concerning government databases.

Government Databases and recommendations for privacy practices

Citizen-State relationships and privacy standards
Government databases foster different types of relationships between the state and its citizenry. For instance: User databases, service providing databases, and information providing databases. Each one these relationships requires a different level of privacy. Thus, it is important to identify the type of relationship that the database will foster in order to determine what type of privacy model to implement.
Specific privacy policy

Each government database should have a specific privacy policy that are tailored to the information that they hold. Each policy should cover the following areas:
- data collection
- digitization
- usage
- storage
- security
- disclosure
- retrieval
- access (inter departmental and public)
- anonymization, obfuscation and deletion.
Personal vs. personal sensitive and public vs. non-public data categories

Data in government databases requires varying degrees of privacy safeguards. The division of personal information vs. non personal information etc. creates distinct

categories for security levels over data and permissibility of public disclosure. Ex of personal information: Name, address, telephone number, religion. Ex of non-personal data: gender, age. This could work to avoid situations such as the census - where a person’s name, address, age, etc, were all printed for the public eye.
Standardization of Privacy Policies and Access Control

Government databases should all be designed upon interoperable standards so that the databases can "talk" to each other. The ability to coalesce databases strengthens the potential for use and reuse by different stakeholders. Furthermore, the interoperability of systems helps to avoid the creation of silos that hold multiple copies of the same data. To protect the privacy in interoperable systems - restricted and authorized access within departments and between departments is key. The Department of Information Technology has recently published a "Government Interoperability Framework" titled "Interoperability Framework for eGovernance" This policy document is the appropriate place to articulate interoperable privacy policies that could be adopted across eGovernance projects.
Record of breach notification

If data breach occurs in government database, the breach should be recorded and the appropriate individuals notified.
Anonymization/obfuscation and deletion policies

Once the purpose for which the data has been collected has been served it must be anonymized/obfuscated or deleted as appropriate. All data-sets cannot be deleted as bulk aggregate data is very useful to those interested in trend analysis. Anonymizing/obfuscating the personal details of a data set ensures that privacy is protected during such trend analysis.
Accountability for accuracy of data

Frequently data that is collected and entered into government databases is not accurate, because the departments are not collecting the data themselves. Thus, they feel no responsibility for its accuracy. If a mechanism is built into each database for identification of each data source this brings accountability for data accuracy.
Appropriate uses of government databases

Businesses should feel automatically entitled to aggregate and consolidate public information from government databases because it is technically possible to do so. Their uses of government database must be guided by policies that define "appropriate usage."
Access, updation and control of personal information

Citizens must be able to access and update their information. Furthermore, they should be able to define to a certain extent access control to their information - which would automatically make them eligible or ineligible for various government services.

Bibliography

Rezhui, Abdemounaam. Preserving Privacy in Web Services. Department of Computer Sciences, Virginia Tech.
Medjahed, Brahim. Infrastructure for E-Government Web Services. IEEE Internet Computing, Virgina Tech. January/Feburary 2003.

Mladen, Karen. A Report of Research on Privacy for Electronic Government. Privacy in Canada

joi.ito.com/privacyreport/Contents_Distilled/.../Canada_E_p252-314.pdf

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-govt-databases

Surveillance Technologies

elonnai — 2012-03-22T05:40:24Z

The following post briefly looks at different surveillance technologies, and the growing use of the them in India.

Surveillance...

New security technologies are constantly emerging that push the edge between privacy and a reasonable level of security. Society's tolerance level is constantly being tested by governments who use surveillance and monitoring technologies to protect the nation. Governments claim that they need absolute access to citizens life. They need to monitor phones, look through emails, peer into files – in-order to maintain security and protect against terrorism. Though as a side note, in an Economic Times article published on Nov. 4 2010 it was reported that government computers were being hacked into through viruses, and top secret documents were being stolen. The irony of the story is that the viruses were introduced to the computers through porn websites visited by officials.

...In a Car? On the Street? In an Airport?

Despite the fact that governmental monitoring might make the common man uncomfortable, the reality is that governments will always win the national security vs privacy fight. The story becomes more complicated when it moves from the government directly monitoring individuals, to security agencies monitoring individuals. For instance the use of full body scanners at airports, or trucks equipped with scatter x-ray machines used to control crime in neighborhoods - is a much more heated debate. There are other ways in which to check passengers for banned items, and other ways to keep crime off the streets without mandating that individuals submit themselves to invasive scans, or scanning unaware individuals.

...In the Movie Theater????..for Marketing Purposes????

Surveillance technology has now been taken even another step further. No longer is it being just used to prevent violent crimes or terrorist attacks. Today the movie industry is using controversial anti-piracy tools to protect the films they produce. For instance the security company Aralia Systems manufacturers products such as: CCTV cameras and anti-camcorder systems that shine infrared light beams on audiences as they watch a movie. The light beams reflect off camcorders and alerts the theater that there are camcorders present. Though this practice can be seen as invasive - individuals might be opposed to being probed by light beams throughout movies, the extent of potential privacy invasion does not stop there. Aralia Systems has partnered with Machine Vision Lab and has created a system that harvests audiences emotions and movements as they watch movies. The data can then be used by market researchers to better tailor their behavioral advertising schemes. Essentially movie theater monitoring has merged surveillance technologies with behavioral marketing technologies in a twisted invasion of movie watchers personal privacy.

Is this technology in India?

Though behavioral monitoring and piracy technologies such as ones produced by Aralia Systems are not yet used in Indian movie theaters – security measures against piracy are used. Movie theaters across India are equipped with metal detectors at the door, and security personel check your handbag or back pack for camcorders. According to a Indian Express article, the organization Allegiance Against Copyright Theft believes one of the reasons monitoring technology is not yet used in theaters is because there is no present Indian legislation that penalizes recording in halls. Once legislation is passed, they speculate there will be a push to use these technologies. Even though monitoring technology is not yet used in theaters, monitoring of consumers behavior is increasing. Recently in India the WPP owned research agency IMRB International has developed an online audience measurement system that uses tailored metering technology to track the sites that users visit. The Web Audience Measurement System has launched this technology in a sample size of 21,000 Indian households, covering 90,000 individuals. IMRB has said that the meters are capable of capturing usage data from multiple computers, and that they can then use the information to market to the individual. Does it seem ironic to anyone that companies now charge for a service – movie tickets, internet services, telephone services – and make an extra profit by data mining at the expense of a persons privacy?

Sources

http://economictimes.indiatimes.com/news/politics/nation/Govt-depts-asked-not-to-store-sensitive-info-on-Net-connected-computers/articleshow/6874631.cms
http://www.research-live.com/news/technology/imrb-unveils-web-measurement-service-for-indian-market/4003941.article
http://blogs.computerworld.com/17276/anti_piracy_tool_will_harvest_market_your_emotions?source=rss_blogs
http://www.indianexpress.com/news/antipiracy-unit-joins-hands-with-cinema-halls-to-curb-camcording/695439/2

For more details visit https://cis-india.org/internet-governance/blog/privacy/surveillance-technologies

A Dissent Note to the Expert Committee for DNA Profiling

elonnai — 2016-07-21T11:01:44Z

The Centre for Internet and Society has participated in the Expert Committee for DNA Profiling constituted by the Department of Biotechnology in 2012 for the purpose of deliberating on and finalizing the draft Human DNA Profiling Bill and appreciates this opportunity. CIS respectively dissents from the January 2015 draft of the Bill.

Click for DNA Bill Functions, DNA List of Offences, and CIS Note on DNA Bill. A modified version was published by Citizen Matters Bangalore on July 28.

Based on the final draft of the Human DNA Profiling Bill that was circulated on the 13th of January 2015 by the committee, the Centre for Internet and Society is issuing this note of dissent on the following grounds:

The Centre for Internet and Society has made a number of submissions to the committee regarding different aspects of the Bill including recommendations for the functions of the board, offences for which DNA can be collected, and a general note on the Bill. Though the Centre for Internet and Society recognizes that the present form of the Bill contains stronger language regarding human rights and privacy, we do not find these to be adequate and believe that the core concerns or recommendations submitted to the committee by CIS have not been incorporated into the Bill.

The Centre for Internet and Society has foundational objections to the collection of DNA profiles for non-forensic purposes. In the current form the DNA Bill provides for collection of DNA for the following non forensic purposes:

Section 31(4) provides for the maintenance of indices in the DNA Bank and includes a missing person’s index, an unknown deceased person’s index, a volunteers’ index, and such other DNA indices as may be specified by regulation.
Section 38 defines the permitted uses of DNA profiles and DNA samples including: identifying victims of accidents or disasters or missing persons or for purposes related to civil disputes and other civil matters and other offences or cases listed in Part I of the Schedule or for other purposes as may be specified by regulation.
Section 39 defines the permitted instances of when DNA profiles or DNA samples may be made available and include: for the creation and maintenance of a population statistics Data Bank that is to be used, as prescribed, for the purposes of identification research, protocol development or quality control provided that it does not contain any personally identifiable information and does not violate ethical norms.
Part I of the schedule lists laws, disputes, and offences for which DNA profiles and DNA samples can be used. These include, among others, the Motor Vehicles Act, 1988, parental disputes, issues relating to pedigree, issues relating to assisted reproductive technologies, issues relating to transplantation of human organs, issues relating to immigration and emigration, issues relating to establishment of individual identity, any other civil matter as may be specified by the regulations, medical negligence, unidentified human remains, identification of abandoned or disputed children.

While rejecting non-forensic use entirely, we have specific substantive and procedural objections to the provisions relating to forensic profiling in the present version of the Bill. These include:

Over delegation of powers to the board: The DNA Board currently has vast powers as delegated by Section 12 including:
“authorizing procedures for communication of DNA profiles for civil proceedings and for crime investigation by law enforcement and other agencies, establishing procedure for cooperation in criminal investigation between various investigation agencies within the country and with international agencies, specifying by regulations the list of applicable instances of human DNA profiling and the sources and manner of collection of samples in addition to the lists contained in the Schedule, undertaking any other activity which in the opinion of the Board advances the purposes of this Act.”

Section 65 gives the Board the power to make regulations for a number purposes including: “other purposes in addition to identification of victims of accidents, disasters or missing persons or for purposes related to civil disputes and other civil matters and other offences or cases lists in Part I of the Schedule for which records or samples may be used under section 38, other laws, if any, to be included under item (viii) of para B of Part I of the Schedule, other civil matters, if any, to be included under item (vii) of para C of Part I of the Schedule, and authorization of other persons, if any, for collection of non intimate body samples and for performance of non-intimate forensic procedures, under Part III of the Schedule.

Ideally these powers would lie with the legislative or judicial branch. Furthermore, the Bill establishes no mechanism for accountability or oversight over the functioning of the Board and section 68 specifically states that “no civil court shall have jurisdiction to entertain any suit or proceeding in respect to any matter which the Board is empowered by or under this Act to determine.”

The above represents only a few instances of the overly broad powers that have been given to the Board. Indeed, the Bill gives the Board the power to make regulations for 37 different aspects relating to the collection, storage, use, sharing, analysis, and deletion of DNA samples and DNA profiles. As a result, the Bill establishes a Board that controls the entire ecosystem of DNA collection, analysis, and use in India without strong external oversight or accountability.
Key terms undefined: Section 31 (5) states that the “indices maintained in every DNA Data Bank will include information of data based on DNA analysis prepared by a DNA laboratory duly approved by the Board under section 1 of the Act, and of records relating thereto, in accordance with the standards as may be specified by the regulations.”

The term’ DNA analysis’ is not defined in the Act, yet it is a critical term as any information based on such an analysis and associated records can be included in the DNA Database.
Low standards for sharing of information: Section 34 empowers the DNA Data Bank Manager to compare a received DNA profile with the profiles stored in the databank and for the purposes of any investigation or criminal prosecution, communicate the information regarding the received DNA profile to any court, tribunal, law enforcement agencies, or DNA laboratory which the DNA Data Bank Manager considers is concerned with it.

The decision to share compared profiles and with whom should be made by an independent third party authority, rather than the DNA Bank Manager. Furthermore, this provision isvague and although the intention seems to be that the DNA profiles should be matched and the results communicated only in certain cases, the generic wording could take into its ambit every instance of receipt of a DNA profile. For eg. the regulations envisaged under section 31(4)(g) may prescribe for a DNA Data Bank for medical purposes, but section 34 as it is currently worded may include DNA profiles of patients to be compared and their information released to various agencies by the Data Bank Manager as an unintentional consequence.
Missing privacy safeguards: Though the Bill refers to security and privacy procedures that labs are to follow, these have been left to be developed and implemented by the DNA Board. Thus, except for bare minimum standards and penalties addressing the access, sharing, and use of data – the Bill contains no privacy safeguards.

In our interactions with the committee we have asked that the Bill be brought in line with the nine national privacy principles established by the Report of the Group of Experts on Privacy submitted to the Planning Commission in 2012. This has not been done.

For more details visit https://cis-india.org/internet-governance/blog/dna-dissent

Comparison of the Human DNA Profiling Bill 2012 with: CIS recommendations, Sub-Committee Recommendations, Expert Committee Recommendations, and the Human DNA Profiling Bill 2015

elonnai — 2015-08-10T03:20:59Z

This blog a comparison of 1. The Human DNA Profiling Bill 2012 vs. the Human DNA Profiling Bill 2015, 2. CIS's main recommendations vs. the 2015 Bill 3. The Sub-Committee Recommendations vs. the 2015 Bill 4. The Expert Committee Recommendations vs. the 2015 Bill.

In 2013 the Expert Committee to discuss the draft Human DNA Profiling Bill was constituted by the Department of Biotechnology. The Expert Committee had constituted a Sub-Committee to modify the draft Bill in the light of invited comments/inputs from the members of the Committee

These changes were then deliberated upon by the Expert Committee. The Record Notes and Meeting Minutes of the Expert Committee and Sub-Committee can be found here. The Centre for Internet and Society was a member of the Expert Committee and sat on the Sub-Committee. In addition to input in meetings, CIS submitted a number of recommendations to the Committee. The Committee has drafted a 2015 version of the Bill and the same is to be introduced to Parliament.

Below is a comparison of 1. The 2012 Bill vs. the 2015 Bill, 2. CIS's main recommendations vs. the 2015 Bill 3. The Sub-Committee Recommendations vs. the 2015 Bill 4. The Expert Committee Recommendations vs. the 2015 Bill.

Introduction

CIS Recommendation: Recognition that DNA evidence is not infallible.
Sub-Committee Recommendation: N/A
Expert Committee Recommendation: N/A
2015 Bill: No change from 2012 Bill
CIS Recommendation:

Chapter I : Preliminary

Inclusion of an 'Objects Clause' that makes clear that (i) the principles of notice, confidentiality, collection limitation, personal autonomy, purpose limitation and data minimization must be adhered to at all times; (ii) DNA profiles merely estimate the identity of persons, they do not conclusively establish unique identity; (iii) all individuals have a right to privacy that must be continuously weighed against efforts to collect and retain DNA; (iv) centralized databases are inherently dangerous because of the volume of information that is at risk; (v) forensic DNA profiling is intended to have probative value; therefore, if there is any doubt regarding a DNA profile, it should not be received in evidence by a court; (vi) once adduced, the evidence created by a DNA profile is only corroborative and must be treated on par with other biometric evidence such as fingerprint measurements.

Sub Committee Recommendation: The Bill will not regulate DNA research. The current draft will only regulate use of DNA for civil and criminal purposes.

Expert Committee Recommendation: The Bill will not regulate DNA research. The current draft will only regulate use of DNA for civil and criminal purposes.
2015 Bill: No Change from the 2012 Bill

Chapter II : Definitions

CIS Recommendation:

Removal of 2(1)(a) “analytical procedure”
Removal of 2(1)(b) “audit”
Removal of 2(1)(d) “calibration”
Re-drafting of 2(1)(h) “DNA Data Bank”
Re-naming of 2(1)(i) “DNA Data Bank Manager” to “National DNA Data Bank Manager”
Re-drafting of 2(1)(j) “DNA laboratory”
Re-drafting of 2(1)(l) “DNA Profile”
Re-drafting of 2(1)(o) “forensic material”
Removal of 2(1)(q) “intimate body sample”
Removal of 2(1)(v) “non-intimate body sample”
Removal of 2(1)(r) “intimate forensic procedure”
Removal of 2(1)(w) “non-intimate forensic procedure”
Removal of 2(1)(s) “known samples”
Re-drafting of 2(1)(y) “offender”
Removal of 2(1)(zb) “proficiency testing”
Re-drafting of 2(1)(zi) “suspect”

Sub-Committee Recommendation: N/A
Expert Committee Recommendation: N/A
2015 Bill: No change from the 2012 Bill.

Chapter III : DNA Profiling Board

CIS Recommendation:

The board should be made up of no more than five members. The Board must contain at least one ex-Judge or senior lawyer since the Board will perform the legal function of licensing and must obey the tenets of administrative law. To further multi-stakeholder interests, the Board should have an equal representation from civil society – both institutional (e.g NHRC and the State Human Rights Commissions) and non-institutional (well-regarded and experienced civil society persons). The Board should also have privacy advocates. CIS also recommended that the functions of the board be limited to: licensing, developing standards and norms, safeguarding privacy and other rights, ensuring public transparency, promoting information and debate and a few other limited functions necessary for a regulatory authority. CIS also recommended a 'duty to consult' with affected or impacted individuals, interested individuals, and the public at large.

Sub-Committee Recommendation:

Reduce the DNA Profiling Board (Section 4) from 16 members to 11 members and include civil society representation on the Board.
Include either clause 4(f) or (g) i.e. Chief Forensic Scientist, Directorate of Forensic Science, Ministry of Home Affairs, Government of India - ex-officio Member or Director of a Central Forensic Science Laboratory to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member;
Change clause 4(i) i.e., to replace Chairman, National Bioethics Committee of Department of Biotechnology, Government of India- ex-officio Member with Chairman, National Human Rights Commissions or his nominee.
Delete Members mentioned in clause 4(l) i.e. Two molecular biologists to be nominated by the Secretary, Department of Biotechnology, Ministry of Science and Technology, Government of India- Members;
DPB Members with potential conflict of interest in matters under consideration should recuse themselves in deliberations in respect of such matters (Section 7), and they should be liable to be removed from the Board in case they are found to have not disclosed the nature of such interest.
With regards to the establishment of the DNA Profiling Board (clause 3) the committee clarified that the DNA Board needs to be a body corporate
The functions of the Board should be redrafted with fewer functions, and these should be listed in descending order of priority to sharpen this function – namely regulate process, regulate the labs, regulate databanks.

Expert Committee Recommendation:

Accepted sub-committee recommendation to reduce the Board from 16 to 11 members and the detailed changes.
Accepted sub-committee recommendation to include civil society on the Board.
Accepted sub-committee recommendation to reduce the functions of the Board.

2015 Bill:

Addition in 2015 Bill of Section 4 (b) – “Chairman, National Human Rights Commission or his nominee – ex-officio Member” (2015 Bill) Note: This change represents incorporation of CIS's recommendation, sub-committee recommendation, and expert committee recommendation.
Changing of Section 4 (h) from: “Director of a State Forensic Science Laboratory to be nominated by Ministry of Home Affairs, Government of India- ex-officio Member” (2012 Bill) to “Director cum – Chief Forensic Scientist, Directorate of Forensic Science Services, Ministry of Home Affairs, Government of India -ex-officio Member”(2015 Bill) Note: This change represents partial incorporation of the sub-committee recommendation and expert committee recommendation.
Changing of Section 4 (j) from: “Director, National Accreditation Board for Testing and Calibration of Laboratories, New Delhi- ex-officio Member”; (2012 Bill) to “Director of a State Forensic Science Lab to be nominated by MHA ex-officio member” (2015 Bill)
Addition of section 11(4) and 11(5) “(4) The Board shall, in carrying out its functions and activities, consult with all persons and groups of persons whose rights and related interests may be affected or impacted by any DNA collection, storage, or profiling activity. (5) The Board shall, while considering any matter under its purview, co-opt or include any person, group of persons, or organisation, in its meetings and activities if it is satisfied that that person, group of persons, or organisation, has a substantial interest in the matter and that it is necessary in the public interest to allow such participation.” Note: This change represents partial incorporation of CIS's recommendation and Expert Committee recommendation.

Chapter IV : Approval of DNA Laboratories

CIS Recommendation: N/A
Sub-Committee Recommendation:

Add in section 16 1(d), the words “including audit reports”
Include in section 16(1)(c) that if labs do not file their audit report on an annual basis, the lab will lose approval. If the lab loses their approval - all the materials will be shifted to another lab and the data subject will be informed.

Expert Committee Recommendation: N/A
2015 Bill: No change from the 2012 Bill.

Chapter V : Standards, Quality Control and Quality Assurance

CIS Recommendation: N/A
Sub-Committee Recommendation:

Section 19(2) DNA laboratory to be headed by person possessing a doctorate in a subject germane to molecular biology.
Clauses 20 and 30 should be merged into Clause 20 to read as:

“(1). The staff of every DNA laboratory shall possess such qualifications and experience commensurate with the job requirements as may be specified by the regulations.

(2). Every DNA laboratory shall employ such qualified technical personnel as may be specified by the regulations and technical personnel shall undergo regular training in DNA related subjects in such institutions and at such intervals as may be specified by the regulations.

(3). Head of every DNA laboratory shall ensure that laboratory personnel keep abreast of developments within the field of DNA and maintain such records on the relevant qualifications, training, skills and experience of the technical personnel employed in the laboratory as may be specified by the regulations.

Accordingly, change the Title: “Qualification, Recruitment and Training of DNA lab personnel.”

Require DNA labs to have in place an evidence control system (Clause 22) Note: This existed in the DNA 2012 Bill
Amend Clause 23(1) to read as ““Every DNA laboratory shall possess and shall follow a validation process as may be specified by the regulations.”
Paraphrase Clause 27 as, “Every DNA laboratory shall have audits conducted annually in accordance with the standards as may be specified by the regulations.” It was agreed that the audits of the DNA Laboratory (clause 27) do not need to be external. Note: This existed in the DNA 2012 Bill.
Bring sections 28-31 on infrastructure and training brought into Chapter V and thus new title of the chapter reads as “Standards, Quality Control and Quality Assurance Obligations of DNA Laboratory and Infrastructure and Training”.

Expert Committee Recommendation: N/A
2015 Bill

Changing of Section 20 (2) from “(2) Head of every DNA laboratory shall ensure that laboratory personnel keep abreast of developments within the field of DNA and maintain such records on the relevant qualifications, training, skills and experience of the technical personnel employed in the laboratory as may be specified by the regulations made by the Board. (2012) to Every DNA laboratory shall employ such qualified technical personnel as may be specified by the regulations and technical personnel shall undergo regular training in DNA related subjects in such institutions and at such intervals as may be specified by the regulations; (2015)” and Addition in 2015 Bill of Section 20 (3) - “Head of every DNA laboratory shall ensure that laboratory personnel keep abreast of developments within the field of DNA profiling and maintain such records on the relevant qualifications, training, skills and experience of the technical personnel employed in the laboratory as may be specified by the regulations” (2015) Note: This is as per the Sub-Committee's recommendation.
Amending of Clause 23(1) to read as ““Every DNA laboratory shall possess and shall follow a validation process as may be specified by the regulations.” Note: This is as per the Sub-Committee's recommendation.
Changing of section 30 from:“Every DNA laboratory shall employ such qualified technical personnel as may be specified by the regulations made by the Board and technical personnel shall undergo regular training in DNA related subjects in such institutions and at such intervals as may be specified by the regulations made by the Board.” (2012) to “Every DNA laboratory shall have installed appropriate security system and system for safety of personnel as may be specified by the regulations.”

Sections 28-31 on infrastructure and training brought into Chapter V and thus new title of the chapter reads as “Standards, Quality Control and Quality Assurance Obligations of DNA Laboratory and Infrastructure and Training”. Note: This is as per the Sub-Committee's recommendation.
CIS Recommendation:

Chapter VI : DNA Data Bank

Removal of section 32(6) which requires the names of individuals to be connected to their profiles and recommended that DNA profiles once developed, should be anonymized and retained separate from the names of their owners.
Section 34(2) to be limited to containing only an offenders' index and a crime scene index
Removal of section 36 which allows for international dicslosures of DNA profiles of Indians.

Sub-Committee Recommendation:

Amend Clause 32(1) to reads as: “The Central Government shall, by notification, establish a National DNA Data Bank”.
Anonymize the volunteer's database.

Expert Committee Recommendation: N/A
2015 Bill: No change from 2012 Bill.

Chapter VII : Confidentiality of and access to DNA profiles, samples, and records

CIS Recommendation:

Re-drafting section 39 and 40 to specify that DNA can only be used for forensic purposes and specify the manner in which DNA profiles may be received in evidence.
Removal of section 40
Removal of section 43
Re-dreaft section 45 as it sets out a post-conviction right related to criminal procedure and evidence. This would fundamentally alter the nature of India’s criminal justice system, which currently does not contain specific provisions for post-conviction testing rights. However, courts may re-try cases in certain narrow cases when fresh evidence is brought forth that has a nexus to the evidence upon which the person was convicted and if it can be proved that the fresh evidence was not earlier adduced due to bias. Any other fresh evidence that may be uncovered cannot prompt a new trial. Clause 45 is implicated by Article 20(2) of the Constitution of India and by 6 section 300 of the CrPC. The principle of autrefois acquit that informs section 300 of the CrPC specifically deals with exceptions to the rule against double jeopardy that permit re-trials. [See, for instance, Sangeeta Mahendrabhai Patel (2012) 7 SCC 721.]

Sub-Committee Recommendation:

Amend Clause 40 (f) to read as “-------to the concerned parties to the said civil dispute or civil matter, with the concurrence of the court and to the concerned judicial officer or authority”.Incorporated, but is now located at section 39
Include in Chapter VIII additional Sections: Clause 42A: “A person whose DNA profile has been created shall be given a copy of the DNA profile upon request”. Clause 42B: A person whose DNA profile has been created and stored shall be given information as to who has accessed his DNA profile or DNA information.

Expert Committee: N/A
2015 Bill:

Addition of the phrase in section 39 “with the concurrence of the court”, thus the new clause reads as: “-------to the concerned parties to the said civil dispute or civil matter, with the concurrence of the court” and to the concerned judicial officer or authority”. Note: This as per the recommendations of the Sub-Committee.

Chapter VIII : Finance, Accounts, and Audit

CIS Recommendation: N/A
Sub-Committee Recommendation: N/A
Expert Committee Recommendation: N/A
2015 Bill: No change from the 2012 Bill

Chapter IX : Offences and Penalties

CIS Recommendation:

The law prohibits the delegation of “essential legislative functions” [In re Delhi Laws, 1951]. The creation of criminal offences must be conducted by a statute that is enacted by Parliament, and when offences are created via delegated legislation, such as Rules, the quantum of punishment must be pre-set by the parent statute.
Since the listing of offences for DNA profiling will directly affect the fundamental right of personal liberty, it is an undeniable fact that the identification of these offences should be subject to a democratic process of the legislature rather than be determined by the whims of the executive.

Sub-Committee Recommendation:

Ensure a minimal jail term for any offence under the Act from DNA Data Banks without authorization is a period of one month (chapter 10 (53)) Note: This already existed in the 2012 Bill.
Add to Section 56 the phrase “… or otherwise willfully neglects any other duty cast upon him under the provisions of this Act, shall be punishable …”.

Expert Committee: N/A
2015 Bill: No change from 2012 Bill
CIS Recommendation: N/A
Sub-Committee Recommendation: N/A
Expert Committee Recommendation: N/A
2015 Bill: No change from 2012 Bill

Chapter X : Miscellaneous

Schedule

CIS Recommendation

The creation of a list of offenses under which upon arrest under which DNA samples may lawfully be collected from the arrested person without his consent including:

Any offence under the Indian Penal Code, 1860 if it is listed as a cognizable offence in Part I of the First Schedule of the Code of Criminal Procedure, 1973; [Alternatively, all cognizable offences under the Indian Penal Code may be listed here]
Every offence punishable under the Immoral Traffic (Prevention) Act, 1956;
Any cognizable offence under the Indian Penal Code, 1860 that is committed by a registered medical practitioner and is not saved under section 3 of the Medical Termination of Pregnancy Act, 1971; [Note that the ITP Act does not itself create or list any offences, it only saves doctors from prosecution from IPC offences if certain conditions are met]
Every offence punishable under the Pre-conception and Pre-natal Diagnostic Techniques (Prohibition of Sex Selection) Act, 1994;
The offence listed under sub-section (1) of section 31 of the Protection of Women from Domestic Violence Act, 2005;
Every offence punishable under the Protection of Civil Rights Act, 1955;
Every offence punishable under the Scheduled Castes and the Scheduled Tribes (Prevention of Atrocities) Act, 1989.

Sub-Committee Recommendation: N/A
Expert Committee Recommendation: Incorporation of CIS's recommendation to the schedule regarding instances of when DNA samples can be collected without consent.
2015 Bill:

Addition in 2015 of “Part II: List of specified offences - Any offence under the Indian Penal Code, 1860 if it is listed as a cognizable offence in Part I of the First Schedule of the Code of Criminal Procedure, 1973” (2015). Note: This represents partial incorporation of CIS's recommendation.
Expansion of sources of samples for DNA profiling from - “(1) Scene of occurrence or crime (2) Tissue and skeleton remains (3) Clothing and other objects (4) Already preserved body fluids and other samples” (2012) to “1. Scene of occurrence, or scene of crime 2. Tissue and skeleton remains 3. Clothing and other objects 4. Already preserved body fluids and other samples 5. Medical Examination 6. Autopsy examination 7. Exhumation” (2015)” and Deletion of “Manner of collection of samples for DNA: (1) Medical Examination (2) Autopsy examination (3) Exhumation “ (2012)

For more details visit https://cis-india.org/internet-governance/blog/comparison-of-the-human-dna-profiling-bill-2012-with-cis-recommendations-sub-committee-recommendations-expert-committee-recommendations-and-the-human-dna-profiling-bill-2015

Big Data and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011

elonnai — 2015-08-11T07:01:12Z

Experts and regulators across jurisdictions are examining the impact of Big Data practices on traditional data protection standards and principles. This will be a useful and pertinent exercise for India to undertake as the government and the private and public sectors begin to incorporate and rely on the use of Big Data in decision making processes and organizational operations.This blog provides an initial evaluation of how Big Data could impact India's current data protection standards.

Experts and regulators across the globe are examining the impact of Big Data practices on traditional data protection standards and principles. This will be a useful and pertinent exercise for India to undertake as the government and the private and public sectors begin to incorporate and rely on the use of Big Data in decision making processes and organizational operations.

Below is an initial evaluation of how Big Data could impact India's current data protection standards.

India currently does not have comprehensive privacy legislation - but the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules 2011 formed under section 43A of the Information Technology Act 2000[1] define a data protection framework for the processing of digital data by Body Corporate. Big Data practices will impact a number of the provisions found in the Rules:

Scope of Rules: Currently the Rules apply to Body Corporate and digital data. As per the IT Act, Body Corporate is defined as "Any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities."

The present scope of the Rules excludes from its purview a number of actors that do or could have access to Big Data or use Big Data practices. The Rules would not apply to government bodies or individuals collecting and using Big Data. Yet, with technologies such as IoT and the rise of Smart Cities across India – a range of government, public, and private organizations and actors could have access to Big Data.

Definition of personal and sensitive personal data: Rule 2(i) defines personal information as "information that relates to a natural person which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person."

Rule 3 defines sensitive personal information as:

Password,
Financial information,
Physical/physiological/mental health condition,
Sexual orientation,
Medical records and history,
Biometric information

The present definition of personal data hinges on the factor of identification (data that is capable of identifying a person). Yet this definition does not encompass information that is associated to an already identified individual - such as habits, location, or activity.

The definition of personal data also addresses only the identification of 'such person' and does not address data that is related to a particular person but that also reveals identifying information about another person - either directly - or when combined with other data points.

By listing specific categories of sensitive personal information, the Rules do not account for additional types of sensitive personal information that might be generated or correlated through the use of Big Data analytics.

Importantly, the definitions of sensitive personal information or personal information do not address how personal or sensitive personal information - when anonymized or aggregated – should be treated.

Consent: Rule 5(1) requires that Body Corporate must, prior to collection, obtain consent in writing through letter or fax or email from the provider of sensitive personal data regarding the use of that data.

In a context where services are delivered with little or no human interaction, data is collected through sensors, data is collected on a real time and regular basis, and data is used and re-used for multiple and differing purposes - it is not practical, and often not possible, for consent to be obtained through writing, letter, fax, or email for each instance of data collection and for each use.

Notice of Collection: Rule 5(3) requires Body Corporate to provide the individual with a notice during collection of information that details the fact that information is being collected, the purpose for which the information is being collected, the intended recipients of the information, the name and address of the agency that is collecting the information and the agency that will retain the information. Furthermore body corporate should not retain information for longer than is required to meet lawful purposes.

Though this provision acts as an important element of transparency, in the context of Big Data, communicating the purpose for which data is collected, the intended recipients of the information, the name and address of the agency that is collecting the information and the agency that will retain the information could prove to be difficult to communicate as they are likely to encompass numerous agencies and change depending upon the analysis being done.

Access and correction: Rule 5(6) provides individuals with the ability to access sensitive personal information held by the body corporate and correct any inaccurate information.

This provision would be difficult to implement effectively in the context of Big Data as vast amounts of data are being generated and collected on an ongoing and real time basis and often without the knowledge of the individual.

Purpose Limitation: Rule 5(5) requires that body corporate should use information only of the purpose which it has been collected.

In the context of Big Data this provision would overlook the re-use of data that is inherent in such practices.

Security: Rule 8 states that any Body Corporate or person on its behalf will be understood to have complied with reasonable security practices and procedures if they have implemented such practices and have in place codes that address managerial, technical, operational and physical security control measures. These codes could follow the IS/ISO/IEC 27001 standard or another government approved and audited standard.

This provision importantly requires that data controllers collecting and processing data have in place strong security practices. In the context of Big Data – the security of devices that might be generating or collecting data and algorithms processing and analysing data is critical. Once generated, it might be challenging to ensure the data is being transferred to or being analysed by organisations that comply with such security practices as listed.

Data Breach : Rule 8 requires that if a data breach occurs, Body Corporate would have to be able to demonstrate that they have implemented their documented information security codes.

Though this provision holds a company accountable for the implementation of security practices, it does not address how a company should be held accountable for a large scale data breach as in the context of Big Data the scope and impact of a data breach is on a much larger scale.

Opt in and out and ability to withdraw consent : Rule 5(7) requires Body Corporate or any person on its behalf, prior to the collection of information - including sensitive personal information - must give the individual the option of not providing information and must give the individual the option of withdrawing consent. Such withdrawal must be sent in writing to the body corporate.

The feasibility of such a provision in the context of Big Data is unclear, especially in light of the fact that Big Data practices draw upon large amounts of data, generated often in real time, and from a variety of sources.

Disclosure of Information: Rule 6 maintains that disclosure of sensitive personal data can only take place with permission from the provider of such information or as agreed to through a lawful contract.

This provision addresses disclosure and does not take into account the “sharing” of information that is enabled through networked devices, as well as the increasing practice of companies to share anonymized or aggregated data.

Privacy Policy : Rule 4 requires that body corporate have in place a privacy policy on their website that provides clear and accessible statements of its practices and policies, type of personal or sensitive personal information that is being collected, purpose of the collection, usage of the information, disclosure of the information, and the reasonable security practices and procedures that have been put in place to secure the information.

In the context of Big Data where data from a variety of sources is being collected, used, and re-used it is important for policies to 'follow data' and appear in a contextualized manner. The current requirement of having Body Corporate post a single overarching privacy policy on its website could prove to be inadequate.

Remedy : Section 43A of the Act holds that if a body corporate is negligent in implementing and maintain reasonable security practices and procedures which results in wrongful loss or wrongful gain to any person, the body corporate can be held liable to pay compensation to the affected person.

This provision will provide limited remedy for an affected individual in the context of Big Data. Though important to help prevent data breaches resulting from negligent data practices, implementation of reasonable security practices and procedures cannot be the only hinging point for determining liability of a Body Corporate for violations and many of the harms possible through Big Data are not in the form of wrongful loss or wrongful gain to another person. Indeed many harms possible through Big Data are non-economic in nature – including physical invasion of privacy, and discriminatory practices that can arise from decisions based on Big Data analytics. Nor does the provision address the potential for future damage that can result from a 'Big Data data breach'.

The safeguards noted in the above section are not the only legal provisions that speak to privacy in India. There are over fifty sectoral legislation that have provisions addressing privacy - for example provisions addressing confidentiality of health and banking information. The government of India is also in the process of drafting a privacy legislation. In 2012 the Report of the Group of Experts on Privacy provided recommendations for a privacy framework in India. The Report envisioned a framework of co-regulation - with sector level self regulatory organization developing privacy codes (that are not lower than the defined national privacy principles) and that are enforced by a privacy commissioner.[2] Perhaps this method would be optimal for the regulation of Big Data- allowing for the needed flexibility and specificity in standards and device development. Though the Report notes that individuals can seek remedy from the court and the Privacy Commissioner can issue fines for a violation, the development of privacy legislation in India has yet to clearly integrate the importance of due process and remedy. With the onset of Big Data - this will become more important than ever.

Conclusion

The use and generation of Big Data in India is growing. Plans such as free wifi zones in cities[3], city wide CCTV networks with facial recognition capabilities[4], and the implementation of an identity/authentication platform for public and private services[5], are indicators towards a move of data generation that is networked and centralized, and where the line between public and private is blurred through the vast amount of data that is collected.

In such developments and innovations what is privacy and what role does privacy play? Is it the archaic inhibitor - limiting the sharing and use of data for new and innovative purposes? Will it be defined purely by legislative norms or through device/platform design as well? Is it a notion that makes consumers think twice about using a product or service or is it a practice that enables consumer and citizen uptake and trust and allows for the growth and adoption of these services?

How privacy will be regulated and how it will be perceived is still evolving across jurisdictions, technologies, and cultures - but it is clear that privacy is not being and cannot be overlooked. Governments across the world are reforming and considering current and future privacy regulation targeted towards life in a quantified society. As the Indian government begins to roll out initiatives that create a "Digital India" indeed a "quantified India", taking privacy into consideration could facilitate the uptake, expansion, and success of these practices and services. As the Indian government pursues the opportunities possible through Big Data it will be useful to review existing privacy protections and deliberate on if, and in what form, future protections for privacy and other rights will be needed.

[1]Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules 2011). Available at: http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf

[2]Group of Experts on Privacy. (2012). Report of the Group of Experts on Privacy. New Delhi: Planning Commission, Government of India. Retrieved May 20, 2015, from http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf

[3] NDTV. “Free Public Wi-Fi Facility in Delhi to Have Daily Data Limit. NDTV, May 25^th 2015, Available at: http://gadgets.ndtv.com/internet/news/free-public-wi-fi-facility-in-delhi-to-have-daily-data-limit-695857. Accessed: July 2^nd 2015.

[4]FindBiometrics Global Identity Management. “Surat Police Get NEC Facial Recognition CCTV System”. July 21^st 2015. Available at: http://findbiometrics.com/surat-police-nec-facial-recognition-27214/

[5]UIDAI Official Website. Available at: https://uidai.gov.in/

For more details visit https://cis-india.org/internet-governance/blog/big-data-and-information-technology-rules-2011