The Centre for Internet and Society
https://cis-india.org
A Comparison of Indian Legislation to Draft International Principles on Surveillance of Communications
https://cis-india.org/internet-governance/blog/comparison-of-indian-legislation-and-draft-principles-on-surveillance-of-communications
<b>This blog post is a comparison of the relevant Indian legislation allowing governmental access to communications and the Draft International Principles on Surveillance of Communications. The principles, first drafted in October 2012 and developed subsequently, seek to establish an international standard for surveillance of communications in the context of human rights. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">The Centre for Internet and Society is contributing feedback to the drafting of the principles. The principles are still in draft form and the most recent version along with the preamble to the principles can be accessed at: <a class="external-link" href="http://necessaryandproportionate.net/">http://necessaryandproportionate.net/</a></p>
<p>The Principles:</p>
<p style="text-align: justify; "><b>1. </b><b>Principle - Legality</b><b>:</b><i> Any limitation to the right to privacy must be prescribed by law. Neither the Executive nor the Judiciary may adopt or implement a measure that interferes with the right to privacy without a previous act by the Legislature that results from a comprehensive and participatory process. Given the rate of technological change, laws enabling limitations on the right to privacy should be subject to periodic review by means of a participatory legislative or regulatory process. </i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In India there are two predominant pieces of legislation, with subsequent Rules and Licenses, that allow for access to communications by law enforcement and the government. Though the basic power of interception of communications is prescribed by law, the Rules and Licenses build on these powers and create procedural requirements, and requirements for assistance.</p>
<li><b>The Indian Telegraph Act, 1885</b>
<ul>
<li style="text-align: justify; "><i>The Indian Telegraph Amendment Rules 2007: </i>These Rules are grounded in section 419A of the Indian Telegraph Act and establish procedures and safeguards for the interception of communications. </li>
<li style="text-align: justify; "><i>License Agreement for Provision of Unified Access Services After Migration from CMTS (UASL)</i>: This license is grounded in the Telegraph Act, and details what types of assistance service providers must provide to law enforcement and the government. </li>
<li style="text-align: justify; "><i>License Agreement for Provision of Internet Services</i>: This license is grounded in the Telegraph Act, and details what types of assistance service providers must provide to law enforcement and the government. </li>
</ul>
</li>
<li><b>The Information Technology Act, 2000</b>
<ul>
<li style="text-align: justify; "><i>Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules 2009:</i> These Rules were notified in 2009 and allow authorized governmental agencies to intercept, monitor, and decrypt information generated, transmitted, received, or stored in any computer resource. </li>
<li style="text-align: justify; "><i>Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules 2009:</i> These Rules were notified in 2009 and allow authorized agencies to monitor and collect traffic data or information that is generated, transmitted, received or stored in any computer resource.</li>
</ul>
</li>
<p><b>2. </b><b>Principle - Legitimate Purpose</b>:<i> Laws should only allow access to communications or communications metadata by authorized public authorities for investigative purposes and in pursuit of a legitimate purpose, consistent with a free and democratic society.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are no specific provisions requiring that access by law enforcement must be for a legitimate purpose and consistent with a free and democratic society. Instead, Indian legislation defines and lays out specific circumstances for which access would be allowed.</p>
<p style="text-align: justify; ">Below are the circumstances for which access is allowed by each Act, Rule, and License:</p>
<li><b>The TA Rules 2007</b>: Interception is allowed in the following circumstances:
<ul>
<li>On the occurrence of any public emergency</li>
<li>In the interest of the public safety</li>
<li>In the interests of the sovereignty and integrity of India</li>
<li>The security of the state</li>
<li>Friendly relations with foreign states</li>
<li>Public order</li>
<li>Preventing incitement to the commission of an offence</li>
</ul>
</li>
<li><b>ITA Interception and Monitoring Rules</b>: Interception, monitoring, and decryption of communications is allowed in the following circumstances:</li>
<ul>
<li>In the interest of the sovereignty or integrity of India</li>
<li>Defense of India</li>
<li>Security of the state</li>
<li>Friendly relations with foreign states</li>
<li>Public order </li>
<li>Preventing incitement to the commission of any cognizable offence relating to the above </li>
<li>For investigation of any offence </li>
</ul>
<li style="text-align: justify; "><b>ITA Monitoring of Traffic Data Rules:</b> Monitoring of traffic data and collection of information is allowed for the following purposes related to cyber security: </li>
<ul>
<li>Forecasting of imminent cyber incidents </li>
<li>Monitoring network application with traffic data or information on computer resources </li>
<li>Identification and determination of viruses or computer contaminant </li>
<li>Tracking cyber security breaches or cyber security incidents </li>
<li>Tracking computer resource breaching cyber security or spreading viruses or computer contaminants </li>
<li style="text-align: justify; ">Identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security. </li>
<li style="text-align: justify; ">Undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resource.</li>
<li style="text-align: justify; ">Accessing stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force.</li>
<li>Any other matter relating to cyber security. </li>
</ul>
<li><b>UASL License</b>: Assistance must be provided to the government for the following reasons and times: </li>
<ul>
<li>Reasons defined in the Telegraph Act. <b>(Section 41.20 (xix))</b></li>
<li>National Security. <b>(Section 41.20 (xvii))</b></li>
<li style="text-align: justify; ">To counteract espionage, subversive act, sabotage, or any other unlawful activity. <b>(Section 41.1)</b></li>
<li style="text-align: justify; ">Trace nuisance, obnoxious or malicious calls, messages or communications transported through his/her equipment. <b>(Section 40.4)</b></li>
<li>In the interests of security. <b>(Section 41.7)</b></li>
<li>For security reasons. <b>(Section 41.20 (iii))</b></li>
</ul>
<li><b>ISP License: </b>Assistance must be provided to the government for the following reasons and times:</li>
<ul>
<li>To counteract espionage, subversive act, sabotage, or any other unlawful activity. <b>(Section 34.1)</b></li>
<li>In the interests of security. <b>(Section 34.4)</b></li>
<li>For security reasons. <b>(Section 34.28 (iii))</b></li>
<li>Reasons defined in the Telegraph Act. <b>(Section 35.2)</b></li>
</ul>
<p style="text-align: justify; "><b>3. </b><b>Principle - Necessity</b>: <i>Laws allowing access to communications or communications metadata by authorized public authorities should limit such access to that which is strictly and demonstrably necessary, in the sense that an overwhelmingly positive justification exists, and justifiable in a democratic society in order for the authority to pursue its legitimate purposes, and which the authority would otherwise be unable to pursue. The onus of establishing this justification, in judicial as well as in legislative processes, is on the government.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> Relevant Indian legislation does not contain provisions mandating that access to communications must be demonstrably necessary, and does not give details of the criteria that authorizing authorities should use to determine if a request is valid or not. Relevant Indian legislation does require that all directions contain reasons for the direction. Additionally, excluding the ITA <i>Procedure and safeguard for Monitoring and Collecting Traffic Data or Information Rules</i>, relevant Indian legislation requires that all other means for acquiring the information must be taken into consideration before a direction for access can be granted.</p>
<p>Below are summaries of the relevant provisions:</p>
<ul>
<li style="text-align: justify; "><b>TA Rules 2007</b>: Any order for interception issued by the competent authority must contain reasons for the direction <b>(Section 2).</b> While issuing orders for direction, all other means for acquiring the information must be taken into consideration, and directions can only be issued if it is not possible to acquire the information by any other reasonable means <b>(Section 3).</b></li>
<li style="text-align: justify; "><b>ITA Interception and Monitoring Rules: </b>Any direction issued by the competent authority must contain reasons for such direction <b>(Section 7). </b>The competent authority must consider the possibility of acquiring the necessary information by other means and the direction can be issued only when it is not possible to acquire the information by any other reasonable means <b>(Section 8).</b></li>
<li style="text-align: justify; "><b>ITA Traffic Monitoring Rules:</b> Any direction issued by the competent authority must contain reasons for the direction <b>(Section 3(3)).</b></li>
<li style="text-align: justify; "><b>UASL &amp; ISP License: </b>As laid out in the Telegraph Act and subsequent Rules.</li>
</ul>
<p><b>4. </b><b><i>Principle - Adequacy</i></b><i>:</i> <i>Public authorities should restrain themselves from adopting or implementing any measure of intrusion allowing access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose that justified establishing that measure. </i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are provisions that require directions for access to be specific, but there are no provisions that specifically prohibit government agencies from collecting and accessing information that is not appropriate for fulfillment of the stated purpose of the direction.</p>
<p style="text-align: justify; "><b>5. </b><b>Principle - Competent Authority</b>: <i>Authorities capable of making determinations relating to communications or communications metadata must be competent and must act with independence and have adequate resources in exercising the functions assigned to them.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation it is required that directions for access be authorized by "competent authorities". The most common authority for authorizing orders for access is the Secretary to the Government of India in the Ministry of Home Affairs, but authorization can also come from other officials depending on the circumstance. The fact that authorization for access to communications content is not from a judge has been a contested topic, as in many countries a judicial order is the minimum requirement for access to communication content. It is unclear from the legislation if adequate resources are assigned to the competent authorities.</p>
<p>Below are summaries of relevant provisions:</p>
<li style="text-align: justify; "><b>The TA Rules 2007</b>: Under the Telegraph Act the authorizing authorities are:
<ul>
<li>The Secretary to the Government of India in the Ministry of Home Affairs at the Central Level</li>
<li>The Secretary to the State Government in charge of the Home Department in the case of the State Government. </li>
<li>In unavoidable circumstances an order for interception may only be made by an officer not below the rank of a Joint Secretary to the Government of India who has been authorized by the Union Home Secretary or the State Secretary.</li>
<li>In remote areas or for operational reasons where obtaining prior directions for interception is not feasible, the head or the second senior most officer of the authorized security agency at the Central level and the officers authorized in this behalf and not below the rank of Inspector General of Police. <b>(Section 1(2))</b>. </li>
</ul>
</li>
<li><b>ITA Interception and Monitoring Rules: </b>Under the ITA Rules related to the interception, monitoring, and decryption of communications, the competent authorities for authorizing directions are:
<ul>
<li>The Secretary in the Ministry of Home Affairs in case of the Central Government.</li>
<li>The Secretary in charge of the Home Department, in case of a State Government or Union Territory. </li>
<li>In unavoidable circumstances any officer not below the rank of the Joint Secretary to the Government of India who has been authorized by the competent authority. </li>
<li>In remote areas or for operational reasons where obtaining prior directions is not feasible, the head or the second senior most officer of the security and law enforcement agency at the Central level or the officer authorized and not below the rank of the Inspector General of Police or an officer of equivalent rank at the State or Union territory level. <b>(Section 3)</b>.</li>
</ul>
</li>
<li><b>ITA Monitoring and Collecting Traffic Data Rules:</b> Under the ITA Rules related to the monitoring and collecting of traffic data, the competent authorities who can issue and authorize directions are:
<ul>
<li>The Secretary to the Government of India in the Department of Information Technology under the Ministry of Communications and Information Technology. <b>(Section 2(d))</b>.</li>
<li>An employee of an intermediary may complete the following if it is in relation to the services that he is providing including: accessing stored information from computer resource for the purpose of implementing information security practices in the computer resource, determining any security breaches, computer contaminant or computer virus, undertaking forensic of the concerned computer resource as a part of investigation or internal audit. Accessing or analyzing information from a computer resource for the purpose of tracing a computer resource or any person who has contravened or is suspected of having contravened or being likely to contravene any provisions of the Act that is likely to have an adverse impact on the services provided by the intermediary. <b>(Section 9 (2))</b>. </li>
</ul>
</li>
<li style="text-align: justify; "><b>UASL &amp; ISP License: </b>As laid out in the Telegraph Act and subsequent Rules.</li>
<p style="text-align: justify; "><b>6. </b><b>Principle - Proportionality</b>:<i> Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis. Competent authorities must ensure that all formal requirements are fulfilled and must determine the validity of each specific attempt to access or receive communications or communications metadata, and that each attempt is proportionate in relation to the specific purposes of the case at hand. Communications and communications metadata are inherently sensitive and their acquisition should be regarded as highly intrusive. As such, requests should <b>at a minimum</b> establish a) that there is a very high degree of probability that a serious crime has been or will be committed; b) and that evidence of such a crime would be found by accessing the communications or communications metadata sought; c) other less invasive investigative techniques have been exhausted; and d) that a plan to ensure that the information collected will be only that information reasonably related to the crime and that any excess information collected will be promptly destroyed or returned. Neither the scope of information types, the number or type of persons whose information is sought, the amount of data sought, the retention of that data held by the authorities, nor the level of secrecy afforded to the request should go beyond what is demonstrably necessary to achieve a specific investigation. </i></p>
<p style="text-align: justify; "><b>Indian Legislation</b>: In relevant Indian legislation there are no comprehensive provisions that ensure proportionality of the surveillance of communications but there are provisions that contribute to ensuring proportionality. These include provisions requiring: time frames for how long law enforcement can retain accessed and collected material, directions to be issued only after there are no other means for acquiring the information, requests to contain reasons for the order, the duration for which an order can remain in force to be limited, and requests to be for a specified purpose based on a particular set of premises. All of these provisions are found in the Telegraph Rules issued in 2007 and the ITA <i>Procedures and Safeguards for Interception, Monitoring, and Decryption of Information Rules</i>. None of these requirements are found in the UASL or ISP licenses, and many are missing from the ITA <i>Safeguards for Monitoring and Collecting Traffic Data or Information Rules</i>.</p>
<p style="text-align: justify; ">Though the above are steps toward ensuring proportionality, Indian legislation does not provide details of how the proportionality of requests would be measured as recommended by the principle. For example, it is not required that requests for access demonstrate that evidence of the crime would be found by accessing the communications or communications metadata sought, and that information only related directly to the crime will be collected. Furthermore, Indian legislation does not place restrictions on the amount of data sought, nor the level of secrecy afforded to the request.</p>
<p>Below is a summary of the relevant provisions:</p>
<li><b>TA Rules 2007: </b>
<ul>
<li style="text-align: justify; ">Service providers shall destroy records pertaining to directions for interception of message within two months of discontinuing the interception. <b>(Section 19)</b>.</li>
<li style="text-align: justify; ">Directions for interception should be issued only when it is not possible to acquire the information by any other reasonable means. <b>(Section 3)</b>.</li>
<li style="text-align: justify; ">The interception must be of a message or class of message from and to one particular person that is specified or described in the order or one particular set of premises specified or described in the order. <b>(Section 4)</b>. </li>
<li style="text-align: justify; ">The direction for interception will remain in force for a period of 60 days, or 180 days if the directions are renewed. <b>(Section 6)</b>.</li>
</ul>
</li>
<li><b>ITA Interception and Monitoring Rules:</b>
<ul>
<li style="text-align: justify; ">Any direction issued by the competent authority must contain reasons for such direction. <b>(Section 7)</b>.</li>
<li style="text-align: justify; ">The competent authority must consider all other possibilities of acquiring the information by other means, and the direction can only be issued when it is not possible to acquire the information by any other reasonable means. <b>(Section 8)</b>.</li>
<li style="text-align: justify; ">The direction of interception, monitoring, or decryption of any information generated, transmitted, received, or stored in any computer resource etc., as may be specified or described in the direction. <b>(Section 9)</b>. </li>
<li style="text-align: justify; ">The directions for interception, monitoring, or decryption will remain in force for a period of 60 days, or 180 days if the directions are renewed. <b>(Section 10)</b>.</li>
</ul>
</li>
<li><b>ITA Traffic and Monitoring Rules</b>:
<ul>
<li style="text-align: justify; ">Any direction issued by the competent authority must contain reasons for such direction. <b>(Section 3(3))</b>.</li>
<li style="text-align: justify; ">Every record including electronic records pertaining to such directions for monitoring or collection of traffic data shall be destroyed after the expiry of nine months by the designated officer. Except when the information is needed for an ongoing investigation, the person in charge of a computer resource shall destroy records within a period of six months of discontinuing the monitoring. <b>(Section 8)</b>.</li>
</ul>
</li>
<p style="text-align: justify; "><b>7. </b><b>Principle - Due process</b>:<i> Due process requires that governments must respect and guarantee an individual’s human rights, that any interference with such rights must be authorized in law, and that the lawful procedure that governs how the government can interfere with those rights is properly enumerated and available to the general public.(9) While criminal investigations and other considerations of public security and safety may warrant limited access to information by public authorities, the granting of such access must be subject to guarantees of procedural fairness. Every request for access should be subject to prior authorization by a competent authority, except when there is imminent risk of danger to human life.(10)</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In the relevant Indian legislation the only guarantee for due process is that every request for access must be subject to prior authorization by a competent authority.</p>
<li><b>TA Rules 2007:</b>
<ul>
<li style="text-align: justify; ">All orders for interception must be issued by the Secretary to the Government of India in the Ministry of Home Affairs. </li>
</ul>
</li>
<li><b>ITA Interception and Monitoring Rules</b>:
<ul>
<li style="text-align: justify; ">All orders for interception must be issued by the Secretary to the Government of India in the Ministry of Home Affairs. </li>
</ul>
</li>
<li><b>ITA Monitoring of Traffic Rules:</b>
<ul>
<li style="text-align: justify; ">The Secretary to the Government of India in the Department of Information Technology under the Ministry of Communications and Information Technology is the competent authority for authorizing orders.</li>
</ul>
</li>
<p style="text-align: justify; "><b>8. </b><b>Principle - User notification</b>:<i> Notwithstanding the notification and transparency requirements that governments should bear, service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request. In specific cases where the public authority wishes to delay the notification of the affected user or in an emergency situation where sufficient time may not be reasonable, the authority should be obliged to demonstrate that such notification would jeopardize the course of investigation to the competent judicial authority reviewing the request. In such cases, it is the responsibility of the public authority to notify the individual affected and the service provider as soon as the risk is lifted or after the conclusion of the investigation, whichever is sooner.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are no provisions that require the government or service providers to notify the user that a public authority has requested his or her communication data.</p>
<p style="text-align: justify; "><b>9. </b><b>Principle - Transparency about use of government surveillance</b>: <i>The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public. The government and service providers should provide the maximum possible transparency about the access by public authorities without imperiling ongoing investigations and with enough information so that individuals have sufficient knowledge to fully comprehend the scope and nature of the law, and when relevant, challenge it. Service providers must also publish the procedure they apply to deal with data requests from public authorities.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are no requirements that access capabilities of the government and the process for access must be transparent to the public. Nor are service providers required to publish the procedure applied to handle data requests from public authorities.</p>
<p style="text-align: justify; "><b>10. </b><b><i>Principle - Oversight</i></b><i>:</i> <i>An independent oversight mechanism should be established to ensure transparency of lawful access requests. This mechanism should have the authority to access information about public authorities' actions, including, where appropriate, access to secret or classified information, to assess whether public authorities are making legitimate use of their lawful capabilities, and to publish regular reports and data relevant to lawful access. This is in addition to any oversight already provided through another branch of government such as parliament or a judicial authority. This mechanism must provide – at minimum – aggregate information on the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. (11)</i><b> </b></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are requirements for a review committee to be established. The review committee must meet on a bi-monthly basis and review directions to ensure that they are in accordance with the prescribed law. Currently, it is unclear from the legislation if the review committees have the authority to access information about public authorities’ actions, and currently the review committee does not publish aggregate information about the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. These standards are recommended by the principle.</p>
<p>The relevant provisions are summarized below:</p>
<li><b>TA Rules 2007</b>:
<ul>
<li style="text-align: justify; ">A review committee will be constituted by a state government that consists of a chief secretary, secretary of law, secretary to the state government. The review committee shall meet at least once in two months. If the committee finds that directions are not in accordance with the mandated provisions, then the committee can order the destruction of the directions. <b>(Section 17)</b>. Any order issued by the competent authority must contain reasons for such directions and a copy be forwarded to the concerned review committee within a period of seven working days. <b>(Section 2)</b>.</li>
</ul>
</li>
<li><b>ITA Interception and Monitoring Rules: </b>
<ul>
<li style="text-align: justify; ">Any direction issued by the competent authority must be forwarded to the review committee within a period of seven working days from issuing. The review committee is the same as constituted under rule 419A of the Indian Telegraph Rules, 1951. The review committee must meet bi-monthly and determine whether directions are in accordance with the ITA Act. If the review committee finds that the directions are not in accordance with the Act, it may issue an order for the destruction of the copies of accessed information and set aside the directions. <b>(Section 22)</b>. </li>
</ul>
</li>
<li><b>ITA Traffic Monitoring Rules: </b>
<ul>
<li style="text-align: justify; ">Any direction issued by the competent authority must be forwarded to the review committee within a period of seven working days from issuing. The review committee is the same as constituted under rule 419A of the Indian Telegraph Rules, 1951. The review committee must meet bi-monthly and determine whether directions are in accordance with the ITA Act. If the review committee finds that the directions are not in accordance with the Act, it may issue an order for the destruction of the copies of accessed information and set aside the directions. <b>(Section 7)</b>.</li>
</ul>
</li>
<p style="text-align: justify; "><b>11. </b><b>Principles - Integrity of communications and systems</b>: <i>It is the responsibility of service providers to transmit and store communications and communications metadata securely and to a degree that is minimally necessary for operation. It is essential that new communications technologies incorporate security and privacy in the design phases. In order, in part, to ensure the integrity of the service providers’ systems, and in recognition of the fact that compromising security for government purposes almost always compromises security more generally, governments shall not compel service providers to build surveillance or monitoring capability into their systems. Nor shall governments require that these systems be designed to collect or retain particular information purely for law enforcement or surveillance purposes. Moreover, a priori data retention or collection should never be required of service providers and orders for communications and communications metadata preservation must be decided on a case-by-case basis. Finally, present capabilities should be subject to audit by an independent public oversight body.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In relevant Indian legislation there are a number of security measures that must be put in place but these are predominantly actions that must be taken by service providers, and do not pertain to intelligence agencies. Furthermore, many provisions found in the ITA<i> Procedure and Safeguards for Interception, Monitoring, and Decryption of Information Rules</i>, and the ISP and UASL licenses include requirements for service providers to provide monitoring facilities and technical assistance, require information to be retained specifically for law enforcement purposes, and require service providers to comply with a-priori data retention mandates. In the ISP and UASL licenses, service providers are audited and inspected to ensure compliance with requirements listed in the license, but it is unclear from the legislation if the access capabilities of government or governmental agencies are audited by an independent public oversight body. This standard is recommended by the principle.</p>
<p>Relevant provisions are summarized below:</p>
<li style="text-align: justify; "><b>TA Rules 2007</b>: The service provider must put in place internal checks to ensure that unauthorized interception of messages does not take place. <b>(Section 14)</b> Service providers are also responsible for actions of their employees. In the case of unauthorized interception or a breach in security, service providers can be held liable for up to three years in prison, fines, and revocation of the service provider's licenses depending on the nature and scale of the violation. <b>(Section 20, 20A, 21, 23).</b></li>
<li style="text-align: justify; "><b> ITA Interception and Monitoring Rules: </b>The intermediary or person in charge of the computer resources must put in place adequate and effective internal checks to ensure that unauthorized interception of communications does not take place and extreme secrecy is maintained and utmost care and precaution taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that it is handled only by the designated officers of the intermediary. <b>(Section 20)</b>. </li>
<li style="text-align: justify; "><b> ITA Traffic Monitoring Rules</b>: The intermediary or person in charge of the computer resources must put in place adequate and effective internal checks to ensure that unauthorized interception of communications does not take place and extreme secrecy is maintained and utmost care and precaution taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that it is handled only by the designated officers of the intermediary. <b>(Section 5&6)</b>.</li>
<li style="text-align: justify; "><b>UASL License:</b> The intermediary or service provider is responsible for ensuring the protection of privacy of communication and to ensure that unauthorized interception of messages does not take place. <b>(Section 39.1, Section 39.2, Section 41.4)</b>.</li>
<li style="text-align: justify; "><b>ISP License:</b> The ISP has the responsibility of ensuring that unauthorized interception of messages does not take place. <b>(Section 32.1)</b> The ISP must take all necessary steps to safeguard the privacy and confidentiality of any information about a third party and its business and will do its best endeavor to ensure that no information, except what is necessary, is divulged, and no employee of the ISP seeks information other than is necessary for the purpose of providing service to the third party. <b>(Section 32.2)</b> The ISP must also take necessary steps to ensure that any person acting on its behalf observes confidentiality of customer information. <b>(Section 32.3)</b>.</li>
<p>Provisions requiring the provision of facilities, assistance, and retention:</p>
<li><b>ITA Interception and Monitoring Rules: </b>
<ul>
<li style="text-align: justify; ">The intermediary must provide all facilities, co-operation for interception, monitoring, and decryption of information mentioned in the direction <b>(Section 13(2))</b>.</li>
<li style="text-align: justify; ">If a decryption direction or copy is handed to the decryption key holder to whom the decryption direction is addressed by the nodal officer, the decryption key holder must disclose the decryption key or provide the decryption assistance. <b>(Section 17)</b>. </li>
</ul>
</li>
<li><b>ITA Monitoring of Traffic Rules: </b>
<ul>
<li style="text-align: justify; ">The intermediary must extend all facilities, co-operation and assistance in installation, removal and testing of equipment and also enable online access to the computer resource for monitoring and collecting traffic data or information. <b>(Section 4(7))</b>.</li>
</ul>
</li>
<li><b>UASL License: </b>
<ul>
<li style="text-align: justify; ">The service provider cannot employ bulk encryption equipment in its network, and any encryption equipment connected to the licensee’s network for specific requirements must have prior evaluation and approval of the licensor. <b>(Section 39.1)</b>. </li>
<li style="text-align: justify; ">The service provider must provide all tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through the equipment and network to authorized officers of the government for purposes of national security. <b>(Section 40.4)</b>.</li>
<li style="text-align: justify; ">Suitable monitoring equipment as may be prescribed for each type of system used will be provided by the service provider for monitoring as and when required by the licensor. <b>(Section 41.7)</b>.</li>
<li style="text-align: justify; ">The designated person of the Central/State Government as conveyed to the Licensor from time to time in addition to the licensor or its nominee shall have the right to monitor the telecommunication traffic in every MSC/Exchange/MGC/MG. The service provider must make arrangements for the monitoring of simultaneous calls by Government security agencies. In case the security agencies intend to locate the equipment at the service provider’s premises for facilitating monitoring, the service provider should extend all support in this regard including space and entry of the authorized security personnel. The interface requirements as well as features and facilities as defined by the licensor should be implemented by the service provider for both data and speech. Presently, the service provider should ensure suitable redundancy in the complete chain of monitoring equipment for trouble free operations of monitoring of at least 210 simultaneous calls for seven security agencies. <b>(Section 41.10)</b>.</li>
<li style="text-align: justify; ">The service provider must also make the following records available: called/calling party mobile/PSTN numbers, Time/date and duration of interception, location of target subscribers, telephone numbers if any call-forwarding feature has been invoked by the target subscriber, data records for even failed attempts, and call data record of roaming subscribers. <b>(Section 41.10)</b>.</li>
<li style="text-align: justify; ">The service provider shall provide the facility to carry out surveillance of Mobile Terminal activity within a specified area. <b>(Section 41.11)</b>.</li>
<li style="text-align: justify; ">The complete list of subscribers must be made available by the service provider on their website to authorized intelligence agencies. This list must be updated on a regular basis. Hard copies of the list must also be made available to security agencies when requested. <b>(Section 41.14)</b>. The database of subscribers must also be made available to the licensor or its representatives. <b>(Section 41.16)</b>.</li>
<li style="text-align: justify; ">The service provider must maintain all commercial records with regard to the communications exchanged on the network. All records must be archived for at least one year. <b>(Section 41.17)</b>.</li>
<li style="text-align: justify; ">Calling Line Identification must be provided and the network should also support Malicious Call Identification.<b> (Section 41.18)</b>.</li>
<li style="text-align: justify; ">Information about bulk connections must be forwarded to the VTM Cell of DoT, DDG (Security) DoT, and any other officer authorized by the Licensor from time to time as well as Security Agencies on a monthly basis <b>(Section 41.19)</b>.</li>
<li style="text-align: justify; ">Subscribers having CLIR should be listed in a password protected website with their complete address and details so that authorized Government agencies can view or download for detection and investigation of misuse. <b>(Section 41.19(iv))</b>.</li>
<li style="text-align: justify; ">The service provider must provide traceable identities of their subscribers. If the subscriber is roaming from another foreign company, the Indian Company must try to obtain traceable identities from the foreign company as part of its roaming agreement. <b>(41.20 (ix))</b>.</li>
<li style="text-align: justify; ">On request by the licensor or any other agency authorized by the licensor, the licensee must be able to provide the geographical location (BTS location) of any subscriber at any point of time. <b>(41.20 (x))</b></li>
<li style="text-align: justify; ">Suitable technical devices should be made available at the Indian end to designated security agency/licensor in which a mirror image of the remote access information is available on line for monitoring purposes. <b>(41.20 (xiv))</b>. </li>
<li>A complete audit trail of the remote access activities pertaining to the network operated in India should be maintained for a period of six months and provided on request to the licensor. <b>(Section 41.20 (xv))</b>.</li>
<li>For monitoring traffic, the service provider should provide access of their network and other facilities as well as to books of accounts to the security agencies. <b>(Section 41.20 (xx))</b>.</li>
</ul>
</li>
<li><b>ISP License:</b>
<ul>
<li style="text-align: justify; ">The ISP must ensure that Bulk Encryption is not deployed by ISPs. Individuals/groups/organizations can use encryption up to 40 bit key length without obtaining permission from the licensor. If encryption equipment exceeding this limit is deployed, individuals/groups/organizations must obtain prior written permission from the licensor and deposit the decryption key. <b>(Section 2.2(vii))</b>. </li>
<li style="text-align: justify; ">The ISP must furnish to the licensor/TRAI on demand documents, accounts, estimates, returns, reports, or other information. <b>(Section 9.1)</b>.</li>
<li style="text-align: justify; ">The ISP will provide tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through his equipment and network when such information is necessary for investigations or detection of crimes and in the interest of national security. <b>(Section 33.4)</b>.</li>
<li style="text-align: justify; ">The ISP will provide the necessary facilities for continuous monitoring of the system, as required by the licensor or its authorized representatives. <b>(Section 30.1)</b>.</li>
<li style="text-align: justify; ">The ISP shall provide necessary facilities depending upon the specific situation at the relevant time to the Government to counteract espionage, subversive acts, sabotage or any other unlawful activity. <b>(Section 34.1)</b>.</li>
<li style="text-align: justify; ">In the interests of security, suitable monitoring equipment as may be prescribed for each type of system used will be provided by the licensee. <b>(Section 34.4)</b>.</li>
<li style="text-align: justify; ">The designated person of the Central/State Government or its nominee will have the right to monitor the telecommunication traffic. The ISP will make arrangements for monitoring simultaneous calls by Government security agencies. <b>(Section 34.6)</b>.</li>
<li style="text-align: justify; ">The ISP must install infrastructure in the service area with respect to: Internet telephony services offered by the ISP for processing, routing, directing, managing, authenticating the internet telephony calls including the generation of Call Details Record (CDR), called IP address, called numbers, date, duration, time and charges of internet telephony calls. <b>(Section 34.7)</b>.</li>
<li style="text-align: justify; ">ISPs must maintain a log of all users connected and the service that they are using (mail, telnet, http etc.). The ISPs must log every outward login or telnet through their computers. These logs as well as copies of all the packets originating from the Customer Premises Equipment of the ISP must be made available in real time to the Telecom Authority. <b>(Section 34.8)</b>.</li>
<li style="text-align: justify; ">The ISP should provide the facility to carry out surveillance of Mobile Terminal activity within a specified area. <b>(Section 34.9)</b>.</li>
<li style="text-align: justify; ">The complete list of subscribers must be made available by the ISP on their website so that intelligence agencies can obtain the subscriber list at any time. <b>(Section 34.12)</b>.</li>
<li style="text-align: justify; ">The list of Internet leased line customers and sub-customers must be placed on a password protected website with the following information: Name of customer, IP address allotted, bandwidth provided, address of installation, date of installation, contact person with phone number and email. This information should be accessible to authorized Government agencies. <b>(Section 34.13)</b>. </li>
<li style="text-align: justify; ">High UDP traffic values must be monitored, cases where upstream UDP traffic is similar to downstream UDP traffic must be checked, and such customers must be monitored monthly with physical verification and personal identity. <b>(Section 34.15)</b>.</li>
<li style="text-align: justify; ">The licensor will have access to the database relating to the subscribers of the ISP. The ISP must make available at any instant the details of the subscribers using the service. <b>(Section 34.22)</b>. </li>
<li style="text-align: justify; ">The ISP must maintain all commercial records with regard to the communications exchanged on the network for at least one year; the records will be destroyed unless directed otherwise. <b>(Section 34.23)</b>.</li>
<li style="text-align: justify; ">Every international gateway with a route/switch having a capacity of 2Mbps must be equipped with a monitoring Centre at the cost of the ISP. The cost of meeting the requirements of the security agencies, the cost of maintenance of the monitoring equipment and infrastructure must be borne by the ISP. <b>(Section 34.27 (a(i))</b>.</li>
<li style="text-align: justify; ">Office space of 10 by 10 feet with adequate power supply and air-conditioning must be provided by the ISP free of cost. <b>(Section 34.27 (a(ii))</b> One local exclusive telephone must be made available by the ISP at the monitoring centre at the cost of the ISP. <b>(Section 34.27 (a(iii))</b>.</li>
<li style="text-align: justify; ">Each route/switch of the ISP should be connected by the LAN operating at the same speed as the router/switch; the monitoring equipment will be connected to this network. <b>(Section 34.27 (a(v))</b>.</li>
<li style="text-align: justify; ">The ISP must provide traceable identity of their subscribers. In the case of roaming subscribers the ISP must try to obtain the traceable identity of roaming subscribers from the foreign company. <b>(Section 34.27 (ix))</b>.</li>
<li style="text-align: justify; ">On request of the licensor or any other authorized agency, the ISP must be able to provide the geographical location of any subscriber (BTS location of wireless subscriber) at a given point of time. <b>(Section 34.27 (x))</b>.</li>
<li style="text-align: justify; ">Suitable technical devices should be made available to designated security agencies in which a mirror image of the remote access information is available on line for monitoring purposes. <b>(Section 34.27 (xiv))</b>.</li>
<li style="text-align: justify; ">A complete audit trail of the remote access activities pertaining to the network operated in India should be maintained for a period of six months and provided on request. <b>(Section 34.27 (xv))</b>.</li>
<li style="text-align: justify; ">ISPs must provide access of their network and other facilities, as well as books to security agencies. <b>(Section 34.27 (xx))</b>.</li>
</ul>
</li>
<p style="text-align: justify; "><b>12. </b><b>Principle - Safeguards for international cooperation</b>:<i> In response to changes in the flows of information and the technologies and services that are now used to communicate, governments may have to work across borders to fight crime. Mutual legal assistance treaties (MLATs) should ensure that, where the laws of more than one state could apply to communications and communications metadata, the higher/highest of the available standards should be applied to the data. Mutual legal assistance processes and how they are used should also be clearly documented and open to the public. The processes should distinguish between when law enforcement agencies can collaborate for purposes of intelligence as opposed to sharing actual evidence. Moreover, governments cannot use international cooperation as a means to surveil people in ways that would be unlawful under their own laws. States must verify that the data collected or supplied, and the mode of analysis under MLAT, is in fact limited to what is permitted. In the absence of an MLAT, service providers should not respond to requests of the government of a particular country requesting information of users if the requests do not include the same safeguards as providers would require from domestic authorities, and the safeguards do not match these principles. </i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> India currently has signed 32 MLAT treaties with other countries, each with its own provisions and conditions relating to access to information. The provisions of the Information Technology Act 2000 apply to any contravention of the Act that is committed outside of India, thus the Rules related to interception, monitoring, decryption etc. would apply to any contravention of the Act outside of India. The provisions of the Indian Telegraph Act only apply to communications within India, but the licenses do specify when information held by service providers cannot be transferred across borders.</p>
<p>Below is a summary of the relevant provisions:</p>
<li style="text-align: justify; "><b>ITA 2000</b>: The Act will extend to the whole of India, and applies to any offence or contravention committed outside India by any person. <b>(Section 1(2))</b> </li>
<li style="text-align: justify; "><b>UASL License:</b> The service provider cannot transfer any accounting information relating to the subscriber or user information to any person or place outside of India (this does not restrict a statutorily required disclosure of financial nature). <b>(Section 41.20 (viii))</b></li>
<li style="text-align: justify; "><b>ISP License:</b> For security reasons, domestic traffic of such entities as identified by the licensor will not be hauled or routed to any place outside of India. <b>(Section 34.28 (iii)) </b>ISPs shall also not transfer accounting information relating to the subscriber or user information to any person or place outside of India (this does not restrict a statutorily required disclosure of financial nature). <b>(Section 34.28 (viii))</b></li>
<p style="text-align: justify; "><b>13. </b><b><i>Principle - Safeguards against illegitimate access</i></b><i>: To protect individuals against unwarranted attempts to access communications and communications metadata, governments should ensure that those authorities and organizations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress. Any information obtained in a manner that is inconsistent with these principles is inadmissible as evidence in any proceeding, as is any evidence derivative of such information. </i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> Though relevant Indian legislation does provide a penalty for unauthorized interception or access, the penalty applies only to service providers, and does not hold governmental agencies responsible. Currently there are no avenues of redress for the individual, and there are no protections or rewards for whistleblowers. Both of these safeguards are recommended by the principle.</p>
<p>The relevant provisions are summarized below:</p>
<li style="text-align: justify; "><b>TA Rules 2007:</b> The Telegraph Act: The service provider must put in place internal checks to ensure that unauthorized interception of messages does not take place. <b>(Section 14)</b> Service providers are also responsible for actions of their employees. In the case of unauthorized interception or a breach in security on the part of the service provider, service providers can be held liable, with a penalty of imprisonment from 1 to 3 years and/or a fine of Rs. 500 – 1000 depending on the exact violation. <b>(Section 20, 20A, 23, and 24 Indian Telegraph Act)</b>.</li>
<li style="text-align: justify; "><b> ITA Interception and Monitoring Rules:</b> The intermediary must be responsible for the actions of their employees and in the case of violation pertaining to the maintenance of secrecy and confidentiality of intercepted material or unauthorized interception, monitoring, or decrypting of information – the intermediary will be held liable under the relevant provisions of the laws in force. <b>(Section 21)</b>. </li>
<li style="text-align: justify; "><b> ITA Traffic Monitoring Rules:</b> The intermediary must be responsible for the actions of their employees and in the case of violation pertaining to the maintenance of secrecy and confidentiality of intercepted material or unauthorized interception, monitoring, or decrypting of information – the intermediary will be held liable under the relevant provisions of the laws in force. <b>(Section 6)</b>.</li>
<li><b>UASL License: </b>
<ul>
<li style="text-align: justify; ">In order to maintain privacy of voice and data, monitoring must be done in accordance with the 2007 Rules established under the Indian Telegraph Act, 1885. <b>(Section 41.20 (xix))</b>.</li>
<li style="text-align: justify; ">Any damage arising from the failure of the service provider to provide tracing assistance to the government for purposes of national security is payable by the service provider. <b>(Section 40.4)</b>.</li>
</ul>
</li>
<li><b>ISP License:</b>
<ul>
<li style="text-align: justify; ">In order to maintain the privacy of voice and data, monitoring can only be carried out after authorization by the Union Home Secretary or Home Secretaries of the State/Union Territories. <b>(Section 34.28 (xix))</b>.</li>
<li style="text-align: justify; ">The ISP indemnifies the licensor against all actions brought against the licensor for breach of privacy or unauthorized interruption of data transmitted by the subscribers. <b>(Section 8.4)</b>.</li>
<li style="text-align: justify; ">Any damages that occur from non-compliance on the part of the ISP must be paid by the ISP. <b>(Section 33.4)</b>.</li>
</ul>
</li>
<p style="text-align: justify; "><b>14. </b><b><i>Principle - Cost of surveillance</i></b><b><i>:</i></b><i> The financial cost of providing access to user data should be borne by the public authority undertaking the investigation. Financial constraints place an institutional check on the overuse of orders, but the payments should not exceed the service provider’s actual costs for reviewing and responding to orders, as such would provide a perverse financial incentive in opposition to user’s rights.</i></p>
<p style="text-align: justify; "><b>Indian Legislation:</b> In India, the ISP and the UASL licenses specifically state that the cost of providing facilities must be borne by the service provider. Though the ITA Interception and Monitoring Rules do require intermediaries to provide facilities, it is not clear from the Rules where the burden of the cost will fall. Currently, there are no requirements that the cost of access to user data should be borne by the public authority undertaking the investigation. This standard is recommended by the principle.</p>
<p>Below are summaries of relevant provisions:</p>
<li><b>UASL License</b>:
<ul>
<li style="text-align: justify; ">Any damage arising from the failure of the service provider to provide tracing assistance to the government for purposes of national security is payable by the service provider. <b>(Section 40.4)</b>.</li>
<li style="text-align: justify; ">Suitable monitoring equipment as may be prescribed for each type of system used will be provided by the service provider for monitoring as and when required by the licensor. <b>(Section 41.7)</b>.</li>
<li style="text-align: justify; ">The hardware and software required for the monitoring of calls must be engineered, provided/installed, and maintained by the service provider at the service provider's cost. However, the respective Government instrumentality must bear the cost of the user end hardware and leased line circuits from the MSC/Exchange/MGC/MG to the monitoring centers to be located as per their choice in their premises. <b>(Section 41.10)</b>.</li>
<li style="text-align: justify; ">The service provider must ensure that the necessary provision (hardware/software) is available in their equipment for doing the Lawful Interception and monitoring from a centralized location. <b>(Section 41.20 (xvi))</b>.</li>
</ul>
</li>
<li><b>ISP License:</b>
<ul>
<li style="text-align: justify; ">Any damages that occur from non-compliance on the part of the ISP must be paid by the ISP. <b>(Section 33.4)</b>.</li>
<li style="text-align: justify; ">The hardware at the ISP end and the software required for monitoring of calls must be engineered, provided/installed, and maintained by the ISP. <b>(Section 34.7)</b>. </li>
<li style="text-align: justify; ">Every international gateway with a route/switch having a capacity of 2Mbps must be equipped with a monitoring Centre at the cost of the ISP. The cost of meeting the requirements of the security agencies, the cost of maintenance of the monitoring equipment and infrastructure must be borne by the ISP. <b>(Section 34.27 (a(i))</b>.</li>
<li style="text-align: justify; ">Office space of 10 by 10 feet with adequate power supply and air-conditioning must be provided by the ISP free of cost. <b>(Section 34.27 (a(ii))</b> One local exclusive telephone must be made available by the ISP at the monitoring centre at the cost of the ISP. <b>(Section 34.27 (a(iii))</b>.</li>
</ul>
</li>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comparison-of-indian-legislation-and-draft-principles-on-surveillance-of-communications'>https://cis-india.org/internet-governance/blog/comparison-of-indian-legislation-and-draft-principles-on-surveillance-of-communications</a>
</p>
No publisher; elonnai; SAFEGUARDS, Internet Governance, Privacy; 2013-07-12T15:40:51Z; Blog Entry
Data Retention in India
https://cis-india.org/internet-governance/blog/data-retention-in-india
<b>As part of its privacy research, the Centre for Internet and Society has been researching data retention mandates from the Government of India and data retention practices by service providers. Globally, data retention has become a contested practice with regard to privacy, as many governments require service providers to retain more data for extensive time periods, for security purposes. Many argue that the scope of the retention is becoming disproportional to the purpose of investigating crimes. </b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<h3>The Debate around Data Retention</h3>
<p style="text-align: justify; ">According to the EU, data retention <i>“refers to the storage of traffic and location data resulting from electronic communications (not data on the content of the communications)”</i>.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">The debate around data retention has many sides, and walks a fine line of balancing necessity with proportionality. For example, some argue that the actual retention of data is not harmful, and at least some data retention is necessary to assist law enforcement in investigations. Following this argument, the abuse of information is not found in the retention of data, but instead is found in who accesses the data and how it is used. Others argue that any blanket or <i>a priori</i> data retention requirements are increasingly becoming disproportional and can lead to harm and misuse. When discussing data retention it is also important to take into consideration what type of data is being collected and by what standard access is being granted. Increasingly, governments are mandating that service providers retain communication metadata for law enforcement purposes. The type of authorization required to access retained communication metadata varies from context to context. However, it is often lower than what is required for law enforcement to access the contents of communications. The retention of metadata and the lower standards for access to it are controversial because metadata can encompass a wide variety of information, including IP address, transaction records, and location information — all of which can reveal a great deal about an individual.<a href="#fn2" name="fr2">[2]</a> Furthermore, the definition of metadata changes and evolves depending on the context and the type of information being generated by new technologies.</p>
<h3 style="text-align: justify; ">Data Retention vs. Data Preservation</h3>
<p style="text-align: justify; ">Countries have taken different stances on what national standards for data retention by service providers should be. For example, in 2006 the EU passed the Data Retention Directive, which requires European Internet Service Providers to retain telecom and Internet traffic data from customers' communications for at least six months and up to two years. The stored data can be accessed by authorized officials for law enforcement purposes.<a href="#fn3" name="fr3">[3]</a> Despite the fact that the Directive pertains to the whole of Europe, in 2010 the German Federal Constitutional Court annulled the law that harmonized German law with the Data Retention Directive.<a href="#fn4" name="fr4">[4]</a> Other European countries that have refused to adopt the Directive include the Czech Republic and Romania.<a href="#fn5" name="fr5">[5]</a> Instead of mandating the retention of data, Germany, along with the US, mandates the 'preservation' of data. The difference is that the preservation of data takes place through a specified request by law enforcement, with an identified data set. In some cases, like the US, after submitting a request for preservation, law enforcement must obtain a court order or subpoena for further access to the preserved information.<a href="#fn6" name="fr6">[6]</a></p>
<h3>Data Retention in India</h3>
<p style="text-align: justify; ">In India, the government has established a regime of data retention. Retention requirements for service providers are found in the ISP and UASL licenses, which are grounded in the Indian Telegraph Act, 1885.</p>
<h3>ISP License</h3>
<p style="text-align: justify; ">According to the ISP License,<a href="#fn7" name="fr7">[7]</a> there are eight categories of records that service providers are required to retain for security purposes that pertain to customer information or transactions. In some cases the license has identified how long records must be maintained, and in other cases the license only states that the records must be made available and provided. This language implies that records will be kept.</p>
<p>According to the ISP License, each ISP must maintain:</p>
<ul>
<li><b>Users and Services:</b> A log of all users connected and the service they are using, which must be available in real time to the Telecom Authority. (Section 34.12).</li>
<li><b>Outward Logins or Telnet:</b> A log of every outward login or telnet through an ISP's computer must be available in real time to the Telecom Authority. (Section 34.12).</li>
<li><b>Packets:</b> Copies of all packets originating from the Customer Premises Equipment of the ISP must be available in real time to the Telecom Authority. (Section 34.12).</li>
<li><b>Subscribers:</b> A complete list of subscribers must be made available on the ISP website with password controlled access, available to authorized Intelligence Agencies at any time. (Section 34.12).</li>
<li style="text-align: justify; "><b>Internet Leased Line Customers:</b> A complete list of Internet leased line customers and their sub-customers consisting of the following information: name of customer, IP address allotted, bandwidth provided, address of installation, date of installation/commissioning, and contact person with phone no./email. These must be made available on a password protected website (Section 34.14). The password and login ID must be provided to the DDG (Security), DoT HQ and concerned DDG(VTM) of DoT on a monthly basis. The information should also be accessible to authorized government agencies (Section 34.14).</li>
<li style="text-align: justify; "><b>Diagram Records and Reasons:</b> A record of complete network diagram of set-up at each of the internet leased line customer premises along with details of connectivity must be made available at the site of the service provider. All details of other communication links (PSTN, NLD, ILD, WLL, GSM, other ISP) plus reasons for taking the links by the customer must be recorded before the activation of the link. These records must be readily available for inspection at the respective premises of all internet leased line customers (Section 34.18).</li>
<li style="text-align: justify; "><b>Commercial Records:</b> All commercial records with regard to the communications exchanged on the network must be maintained for a year (Section 34.23).</li>
<li style="text-align: justify; "><b>Location:</b> The service provider should be able to provide the geographical location of any subscriber at a given point of time (Section 34.28(x)).</li>
<li style="text-align: justify; "><b>Remote Activities:</b> A complete audit trail of the remote access activities pertaining to the network operated in India. These must be retained for a period of six months, and must be provided on request to the licensor or any other agency authorized by the licensor (Section 34.28 (xv)).</li>
</ul>
<h3>UASL License</h3>
<p style="text-align: justify; ">According to the UASL License<a href="#fn8" name="fr8">[8]</a>, <span>there are twelve categories of records that ISPs are required to retain that pertain to customer information or transactions for security purposes. In some cases the license has identified how long records must be maintained, and in other cases the license only states that the information must be provided and made available when requested. This language implies that records will be kept. </span></p>
<p style="text-align: justify; "><span>According to the license, service providers must maintain and make available: </span></p>
<ul>
<li style="text-align: justify; "><span><span><span> </span></span></span><b><span><span>Numbers</span></span><span>: </span></b><span>Called/calling party mobile/PSTN numbers when required. Telephone numbers of any call-forwarding feature when required (Section 41.10).</span></li>
<li style="text-align: justify; "> <b><span><span>Interception records: </span></span></b><span>Time, date and duration of interception when required (Section 41.10).</span></li>
<li style="text-align: justify; ">
<p class="MsoListParagraph" style="text-align:justify; "><span><span><span> </span></span></span><b><span><span>Location:</span></span></b><span> Location of target subscribers. For the present, cell ID should be provided for location of the target subscriber when required (Section 41.10).</span><b><span><span> </span></span></b></p>
</li>
<li style="text-align: justify; ">
<p class="MsoListParagraph" style="text-align:justify; "><b><span><span>All call records:</span></span></b><span> All call data records handled by the system when required (Section 41.10). This includes:</span><b><span><span><br /></span></span></b></p>
<ol>
<li><b><span><span>Failed call records:</span></span></b><span> Call data records of failed call attempts when required. (Section 41.10).</span></li>
<li><b><span><span>Roaming subscriber records</span></span></b><span>: Call data records of roaming subscribers when required. (Section 41.10)</span></li>
</ol></li>
<li style="text-align: justify; "><b><span><span>Commercial records: </span></span></b><span>All commercial records with regards to the communications exchanged on the network must be retained for one year (Section 41.17).</span></li>
<li style="text-align: justify; "> <b><span><span>Outgoing call records: </span></span></b><span>A record of checks made on outgoing calls completed by customers who are making large outgoing calls day and night to various customers (Section 41.19(ii)).</span></li>
<li style="text-align: justify; "> <b><span><span>Calling line Identification:</span></span></b><span> A list of subscribers including address and details using calling line identification should be kept in a password protected website accessible to authorized government agencies (Section 41.19 (iv)).</span></li>
<li style="text-align: justify; ">
<p class="MsoListParagraph" style="text-align:justify; "><span><span><span> </span></span></span><b><span><span>Location:</span></span></b><span> The service provider must be able to provide the geographical location of any subscriber at any point of time (Section 41.20(x)).</span></p>
</li>
<li style="text-align: justify; "> <b><span><span>Remote access activities:</span></span></b><span><span> </span>Complete audit trail of the remote access activities pertaining to the network operated in India for a period of six months (Section<span> </span>41.20 (xv)).</span></li>
</ul>
<h3>RTI Request to <a href="https://cis-india.org/internet-governance/blog/bsnl-rti" class="internal-link">BSNL</a> and <a href="https://cis-india.org/internet-governance/blog/mtnl-rti-request.pdf" class="internal-link">MTNL</a><span> </span></h3>
<p style="text-align: justify; "><span>On September 10, 2012, the Centre for Internet and Society sent an RTI to MTNL and BSNL with the following questions related to their respective data retention practices: </span></p>
<ul type="disc">
<li class="MsoNormal"><span>Does MTNL/BSNL store the following information/data:</span></li>
<ul type="circle">
<li class="MsoNormal"><span>Text message detail (To and from cell numbers, timestamps)</span></li>
<li class="MsoNormal"><span>Text message content (The text and/or data content of the SMS or MMS)</span></li>
<li class="MsoNormal"><span>Call detail records (Inbound and outbound phone numbers, call duration)</span></li>
<li class="MsoNormal"><span>Bill copies for postpaid and recharge/top-up billing details for prepaid</span></li>
<li class="MsoNormal"><span>Location data (Based on cell tower, GPS, Wi-Fi hotspots or any combination thereof)</span></li>
</ul>
<li class="MsoNormal"><span>If it does store data then</span></li>
<ul type="circle">
<li class="MsoNormal"><span>For what period does MTNL/BSNL store: SMS and MMS messages, cellular and mobile data, customer data?</span></li>
<li class="MsoNormal"><span>What procedures for retention does MTNL/BSNL have for: SMS and MMS messages, cellular and mobile data, and customer data?</span></li>
<li class="MsoNormal"><span>What procedures for deletion of: SMS and MMS messages, cellular and mobile data, and customer data?</span></li>
<li class="MsoNormal"><span>What security procedures are in place for SMS and MMS messages, cellular and mobile data, and customer data?</span></li>
</ul>
</ul>
<h3>BSNL Response</h3>
<p>BSNL replied by stating that it stores at least three types of information including:</p>
<ol type="1">
<li style="text-align: justify; "><span><span> </span>IP session information - connection start end time, bytes in and out (three years offline)</span></li>
<li class="MsoNormal" style="text-align:justify; "><span>MAC address of the modem/router/device (three years offline)</span></li>
<li class="MsoNormal"><span>Bill copies for post paid and recharge/top up billing details for prepaid. Billing information of post paid Broadband are available in CDR system under ITPC, prepaid voucher details (last six months).</span></li>
</ol>
<h3>MTNL Response</h3>
<p>MTNL replied by stating that it stores at least the following types of information:</p>
<ol type="1">
<li class="MsoNormal" style="text-align:justify; "><span>Text message details (to and from cell number, timestamps) in the form of CDRs<span> </span>(one year)</span></li>
<li class="MsoNormal" style="text-align:justify; "><span>Call detail records including inbound and outbound phone numbers and call duration (one year)</span></li>
<li class="MsoNormal" style="text-align:justify; "><span>Bill copies from postpaid (one year) </span></li>
<li class="MsoNormal" style="text-align:justify; "><span>Recharge details for prepaid (three months) </span></li>
<li class="MsoNormal" style="text-align:justify; "><span>Location of the mobile number if it has used the MTNL GSM/3GCDMA network (one year)</span></li>
</ol>
<p class="MsoNormal" style="text-align:justify; "><span>It is interesting that BSNL stores information for longer than the time period required in both the ISP and the UASL licenses. The responses to the RTI showed that each service provider also stores different types of information. This may or may not be the actual case, as each question could have been interpreted differently by the responding officer.</span></p>
<h3><span><span>Conclusion </span></span></h3>
<p> <span>The responses to the RTI from BSNL and MTNL are a step towards understanding data retention practices in India, but there are still many aspects about data retention in India which are unclear including:</span></p>
<ul>
<li><span><span><span> </span></span></span><span>What constitutes a ‘commercial record’ which must be stored for one year by service providers?</span><span> </span></li>
<li><span>How much data is retained by service providers on an annual basis?</span><span> </span></li>
<li><span>What is the cost involved in retaining data? For the service provider? For the public?</span><span> </span></li>
<li><span>How frequently is retained information accessed by law enforcement? What percentage of the data is accessed by law enforcement?</span><span> </span></li>
<li><span>How many criminal and civil cases rely on retained data?</span><span> </span></li>
<li><span>What is the authorization process for access to retained records? Are these standards for access the same for all types of retained data?</span></li>
</ul>
<p class="MsoListParagraph" style="text-align:justify; "><span>Having answers to these questions would be useful for determining if the Indian data retention regime is proportional and effective. It would also be useful in determining if it would be meaningful to maintain a regime of data retention or switch over to a more targeted regime of data preservation. </span></p>
<p class="MsoListParagraph" style="text-align:justify; "><span>Though it can be simple to say that a regime of data preservation is the most optimal choice as it gives the individual the greatest amount of immediate privacy protection, <span> </span></span></p>
<p class="MsoListParagraph" style="text-align:justify; "><span>A regime of data preservation would mean that all records would be treated like an interception, where the police or security agencies would need to prove that a crime is going to take place or is in the process of taking place and then request the ISP to begin retaining specific records. This approach to solving crime would mean that the police would never use retained data or historical data as part of an investigation – to either solve a case or to take the case to the next level. Whether Indian law enforcement is at a point where it is able to concisely identify a threat and then begin an investigation is a hard call to make. It is also important to note that although preservation of data can reduce the risk to individual privacy, as it is not possible for law enforcement to track individuals based on their historical data and access large amounts of data about an individual, preservation does not mean that there is no possibility for abuse. Other factors such as:</span></p>
<ul>
<li><span>Any request for preservation and access to records must be legitimate and proportional</span></li>
<li><span>Accessed and preserved records must be used only for the purpose indicated</span></li>
<li><span>Accessed and preserved records can only be shared with authorized authorities</span></li>
<li><span>Any access to preserved records that do not pertain to an investigation must be deleted</span></li>
</ul>
<p class="MsoListParagraph" style="text-align:justify; "><span>These factors must be enforced through the application of penalties for abuse of the system. These factors can be applied not only to a data preservation regime but also to a data retention regime, and are focused on preventing the actual abuse of data after it is retained. That said, before an argument for either data retention or data preservation can be made for India, it is important to understand more about data retention practices in India, the use of retained data by Indian law enforcement, and the access controls in place. </span></p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31<sup>st</sup> 2012. Available at: <a class="external-link" href="http://bit.ly/14qXW6o">http://bit.ly/14qXW6o</a>. Last accessed: January 21<sup>st</sup> 2013.<br />[<a href="#fr2" name="fn2">2</a>]. Draft International Principles on Communications Surveillance and Human Rights: <a class="external-link" href="http://bit.ly/UpGA3D">http://bit.ly/UpGA3D</a><br />[<a href="#fr3" name="fn3">3</a>]. European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31<sup>st</sup> 2012. Available at: <a class="external-link" href="http://bit.ly/14qXW6o">http://bit.ly/14qXW6o</a><a href="http://europa.eu/rapid/press-release_IP-12-530_en.htm"></a>. Last accessed: January 21<sup>st</sup> 2013.<br />[<a href="#fr4" name="fn4">4</a>]. European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31<sup>st</sup> 2012. Available at: <a class="external-link" href="http://bit.ly/14qXW6o">http://bit.ly/14qXW6o</a>. Last accessed: January 21<sup>st</sup> 2013.<br />[<a href="#fr5" name="fn5">5</a>]. Tiffen, S. Sweden passes controversial data retention directive. DW. March 22 2012. Available at: <a class="external-link" href="http://bit.ly/WOfzaX">http://bit.ly/WOfzaX</a>. Last accessed: January 21<sup>st</sup> 2013.<br />[<a href="#fr6" name="fn6">6</a>]. Kristina, R. The European Union's Data Retention Directive and the United States's Data Preservation Laws: Finding the Better Model. 5 Shidler J.L. Com. & Tech. 13 (2009). Available at: <a class="external-link" href="http://bit.ly/VoQxQ9">http://bit.ly/VoQxQ9</a>. Last accessed: January 21<sup>st</sup> 2013.<br />[<a href="#fr7" name="fn7">7</a>]. Government of India. Ministry of Communications & IT Department of Telecommunications. 
License Agreement for Provision of Internet Services.<br />[<a href="#fr8" name="fn8">8</a>]. Government of India. Ministry of Communications & IT Department of Telecommunications. License Agreement for Provision of Unified Access Services after Migration from CMTS. Amended December 3<sup>rd</sup> 2009.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/data-retention-in-india'>https://cis-india.org/internet-governance/blog/data-retention-in-india</a>
</p>
No publisher | elonnai | SAFEGUARDS | Internet Governance | Privacy | 2013-07-12T15:51:13Z | Blog Entry
Draft International Principles on Communications Surveillance and Human Rights
https://cis-india.org/internet-governance/blog/draft-intl-principles-on-communications-surveillance-and-human-rights
<b>These principles were developed by Privacy International and the Electronic Frontier Foundation and seek to define an international standard for the surveillance of communications. The Centre for Internet and Society has been contributing feedback to the principles. </b>
<hr />
<p>The principles are still in draft form. The most recent version can be accessed <a class="external-link" href="http://necessaryandproportionate.net">here</a>. <i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">Our goal is that these principles will provide civil society groups, industry, and governments with a framework against which we can evaluate whether current or proposed surveillance laws and practices are consistent with human rights. We are concerned that governments are failing to develop legal frameworks to adhere to international human rights and adequately protect communications privacy, particularly in light of innovations in surveillance laws and techniques.</p>
<p style="text-align: justify; ">These principles are the outcome of a consultation with experts from civil society groups and industry across the world. It began with a meeting in Brussels in October 2012 to address shared concerns relating to the global expansion of government access to communications. Since the Brussels meeting we have conducted further consultations with international experts in communications surveillance law, policy and technology.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">We are now launching a global consultation on these principles. Please send us comments and suggestions by January 3rd 2013, by emailing rights (at) eff (dot) org.</p>
<p style="text-align: justify; "><b>Preamble</b><br />Privacy is a fundamental human right, and is central to the maintenance of democratic societies. It is essential to human dignity and it reinforces other rights, such as freedom of expression and association, and is recognised under international human rights law.<a href="#fn2" name="fr2">[2]</a> Activities that infringe on the right to privacy, including the surveillance of personal communications by public authorities, can only be justified where they are necessary for a legitimate aim, strictly proportionate, and prescribed by law.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">Before public adoption of the Internet, well-established legal principles and logistical burdens inherent in monitoring communications generally limited access to personal communications by public authorities. In recent decades, those logistical barriers to mass surveillance have decreased significantly. The explosion of digital communications content and information about communications, or “communications metadata”, the falling cost of storing and mining large sets of data, and the commitment of personal content to third party service providers make surveillance possible at an unprecedented scale.<a href="#fn4" name="fr4">[4]</a></p>
<p style="text-align: justify; ">While it is universally accepted that access to communications content must only occur in exceptional situations, the frequency with which public authorities are seeking access to information about an individual’s communications or use of electronic devices is rising dramatically—without adequate scrutiny. <a href="#fn5" name="fr5">[5]</a> When accessed and analysed, communications metadata may create a profile of an individual's private life, including medical conditions, political and religious viewpoints, interactions and interests, disclosing even greater detail than would be discernible from the content of a communication alone. <a href="#fn6" name="fr6">[6]</a> Despite this, legislative and policy instruments often afford communications metadata a lower level of protection and do not place sufficient restrictions on how they can be subsequently used by agencies, including how they are data-mined, shared, and retained.</p>
<p style="text-align: justify; ">It is therefore necessary that governments, international organisations, civil society and private service providers articulate principles establishing the minimum necessary level of protection for digital communications and communications metadata (collectively "information") to match the goals articulated in international instruments on human rights— including a democratic society governed by the rule of law. The purpose of these principles is to:</p>
<ol>
<li style="text-align: justify; ">Provide guidance for legislative changes and advancements related to communications and communications metadata to ensure that pervasive use of modern communications technology does not result in an erosion of privacy.</li>
<li style="text-align: justify; ">Establish appropriate safeguards to regulate access by public authorities (government agencies, departments, intelligence services or law enforcement agencies) to communications and communications metadata about an individual’s use of an electronic service or communication media. </li>
</ol>
<p style="text-align: justify; ">We call on governments to establish stronger protections as required by their constitutions and human rights obligations, or as they recognize that technological changes or other factors require increased protection.</p>
<p style="text-align: justify; ">These principles focus primarily on rights to be asserted against state surveillance activities. We note that governments are required not only to respect human rights in their own conduct, but to protect and promote the human rights of individuals in general.<a href="#fn7" name="fr7">[7]</a> Companies are required to follow data protection rules and yet are also compelled to respond to lawful requests. Like other initiatives,<a href="#fn8" name="fr8">[8]</a> we hope to provide some clarity by providing the below principles on how state surveillance laws must protect human rights.</p>
<p><b>The Principles</b></p>
<p style="text-align: justify; "><b>Legality</b>: Any limitation to the right to privacy must be prescribed by law. Neither the Executive nor the Judiciary may adopt or implement a measure that interferes with the right to privacy without a previous act by the Legislature that results from a comprehensive and participatory process. Given the rate of technological change, laws enabling limitations on the right to privacy should be subject to periodic review by means of a participatory legislative or regulatory process.</p>
<p style="text-align: justify; "><b>Legitimate Purpose</b>: Laws should only allow access to communications or communications metadata by authorised public authorities for investigative purposes and in pursuit of a legitimate purpose, consistent with a free and democratic society.</p>
<p style="text-align: justify; "><b>Necessity</b>: Laws allowing access to communications or communications metadata by authorised public authorities should limit such access to that which is strictly and demonstrably necessary, in the sense that an overwhelmingly positive justification exists, and justifiable in a democratic society in order for the authority to pursue its legitimate purposes, and which the authority would otherwise be unable to pursue. The onus of establishing this justification, in judicial as well as in legislative processes, is on the government.</p>
<p style="text-align: justify; "><b>Adequacy</b>: Public authorities should restrain themselves from adopting or implementing any measure of intrusion allowing access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose that justified establishing that measure.</p>
<p style="text-align: justify; "><b>Competent Authority</b>: Authorities capable of making determinations relating to communications or communications metadata must be competent and must act with independence and have adequate resources in exercising the functions assigned to them.</p>
<p style="text-align: justify; "><b>Proportionality</b>: Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis. Competent authorities must ensure that all formal requirements are fulfilled and must determine the validity of each specific attempt to access or receive communications or communications metadata, and that each attempt is proportionate in relation to the specific purposes of the case at hand. Communications and communications metadata are inherently sensitive and their acquisition should be regarded as highly intrusive. As such, requests should <b>at a minimum</b> establish a) that there is a very high degree of probability that a serious crime has been or will be committed; b) and that evidence of such a crime would be found by accessing the communications or communications metadata sought; c) other less invasive investigative techniques have been exhausted; and d) that a plan to ensure that the information collected will be only that information reasonably related to the crime and that any excess information collected will be promptly destroyed or returned. Neither the scope of information types, the number or type of persons whose information is sought, the amount of data sought, the retention of that data held by the authorities, nor the level of secrecy afforded to the request should go beyond what is demonstrably necessary to achieve a specific investigation.</p>
<p style="text-align: justify; "><b>Due process</b>: Due process requires that governments must respect and guarantee an individual’s human rights, that any interference with such rights must be authorised in law, and that the lawful procedure that governs how the government can interfere with those rights is properly enumerated and available to the general public.<a href="#fn9" name="fr9">[9]</a> While criminal investigations and other considerations of public security and safety may warrant limited access to information by public authorities, the granting of such access must be subject to guarantees of procedural fairness. Every request for access should be subject to prior authorisation by a competent authority, except when there is imminent risk of danger to human life.<a href="#fn10" name="fr10">[10]</a></p>
<p style="text-align: justify; "><b>User notification</b>: Notwithstanding the notification and transparency requirements that governments should bear, service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request. In specific cases where the public authority wishes to delay the notification of the affected user or in an emergency situation where sufficient time may not be reasonable, the authority should be obliged to demonstrate that such notification would jeopardize the course of investigation to the competent judicial authority reviewing the request. In such cases, it is the responsibility of the public authority to notify the individual affected and the service provider as soon as the risk is lifted or after the conclusion of the investigation, whichever is sooner.</p>
<p style="text-align: justify; "><b>Transparency about use of government surveillance</b>: The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public. The government and service providers should provide the maximum possible transparency about the access by public authorities without imperiling ongoing investigations, and with enough information so that individuals have sufficient knowledge to fully comprehend the scope and nature of the law, and when relevant, challenge it. Service providers must also publish the procedure they apply to deal with data requests from public authorities.</p>
<p style="text-align: justify; "><b>Oversight</b>: An independent oversight mechanism should be established to ensure transparency of lawful access requests. This mechanism should have the authority to access information about public authorities' actions, including, where appropriate, access to secret or classified information, to assess whether public authorities are making legitimate use of their lawful capabilities, and to publish regular reports and data relevant to lawful access. This is in addition to any oversight already provided through another branch of government such as parliament or a judicial authority. This mechanism must provide – at a minimum – aggregate information on the number of requests, the number of requests that were rejected, and a specification of the number of requests per service provider and per type of crime. <a href="#fn11" name="fr11">[11]</a></p>
<p style="text-align: justify; "><b>Integrity of communications and systems</b>: It is the responsibility of service providers to transmit and store communications and communications metadata securely and to a degree that is minimally necessary for operation. It is essential that new communications technologies incorporate security and privacy in the design phases. In order, in part, to ensure the integrity of the service providers’ systems, and in recognition of the fact that compromising security for government purposes almost always compromises security more generally, governments shall not compel service providers to build surveillance or monitoring capability into their systems. Nor shall governments require that these systems be designed to collect or retain particular information purely for law enforcement or surveillance purposes. Moreover, <i>a priori</i> data retention or collection should never be required of service providers and orders for communications and communications metadata preservation must be decided on a case-by-case basis. Finally, present capabilities should be subject to audit by an independent public oversight body.</p>
<p style="text-align: justify; "><b>Safeguards for international cooperation</b>: In response to changes in the flows of information and the technologies and services that are now used to communicate, governments may have to work across borders to fight crime. Mutual legal assistance treaties (MLATs) should ensure that, where the laws of more than one state could apply to communications and communications metadata, the higher/highest of the available standards should be applied to the data. Mutual legal assistance processes and how they are used should also be clearly documented and open to the public. The processes should distinguish between when law enforcement agencies can collaborate for purposes of intelligence as opposed to sharing actual evidence. Moreover, governments cannot use international cooperation as a means to surveil people in ways that would be unlawful under their own laws. States must verify that the data collected or supplied, and the mode of analysis under MLAT, is in fact limited to what is permitted. In the absence of an MLAT, service providers should not respond to requests of the government of a particular country requesting information of users if the requests do not include the same safeguards as providers would require from domestic authorities, and the safeguards do not match these principles.</p>
<p style="text-align: justify; "><b>Safeguards against illegitimate access</b>: To protect individuals against unwarranted attempts to access communications and communications metadata, governments should ensure that those authorities and organisations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress. Any information obtained in a manner that is inconsistent with these principles is inadmissible as evidence in any proceeding, as is any evidence derivative of such information.</p>
<p style="text-align: justify; "><b>Cost of surveillance</b>: The financial cost of providing access to user data should be borne by the public authority undertaking the investigation. Financial constraints place an institutional check on the overuse of orders, but the payments should not exceed the service provider’s actual costs for reviewing and responding to orders, as such would provide a perverse financial incentive in opposition to user’s rights.</p>
<p><b>Signatories</b></p>
<p><b>Organisations</b></p>
<ul>
<li>Article 19 (International)</li>
<li>Bits of Freedom (Netherlands)</li>
<li>Center for Internet & Society India (CIS India)</li>
<li>Derechos Digitales (Chile)</li>
<li>Electronic Frontier Foundation (International)</li>
<li>Privacy International (International)</li>
<li>Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (Canada)</li>
<li>Statewatch (UK)</li>
</ul>
<p><b>Individuals</b></p>
<ul>
<li>Renata Avila, human rights lawyer (Guatemala)</li>
</ul>
<hr />
<p><b>Footnotes</b></p>
<ol>
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]For more information about the background to these principles and the process undertaken, see https://www.privacyinternational.org/blog/towards-international-principles-on-communications-surveillance<br />[<a href="#fr2" name="fn2">2</a>]Universal Declaration of Human Rights Article 12, United Nations Convention on Migrant Workers Article 14, UN Convention of the Protection of the Child Article 16, International Covenant on Civil and Political Rights, International Covenant on Civil and Political Rights Article 17; regional conventions including Article 10 of the African Charter on the Rights and Welfare of the Child, Article 11 of the American Convention on Human Rights, Article 4 of the African Union Principles on Freedom of Expression, Article 5 of the American Declaration of the Rights and Duties of Man, Article 21 of the Arab Charter on Human Rights, and Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms; Johannesburg Principles on National Security, Free Expression and Access to Information, Camden Principles on Freedom of Expression and Equality.<br />[<a href="#fr3" name="fn3">3</a>]Martin Scheinin, “Report of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism,” p11, available at <a href="http://www2.ohchr.org/english/issues/terrorism/rapporteur/docs/A_HRC_13_37_AEV.pdf">http://www2.ohchr.org/english/issues/terrorism/rapporteur/docs/A_HRC_13_37_AEV.pdf</a>. See also General Comments No. 
27, Adopted by The Human Rights Committee Under Article 40, Paragraph 4, Of The International Covenant On Civil And Political Rights, CCPR/C/21/Rev.1/Add.9, November 2, 1999, available at <a href="http://www.unhchr.ch/tbs/doc.nsf/0/6c76e1b8ee1710e380256824005a10a9?Opendocument">http://www.unhchr.ch/tbs/doc.nsf/0/6c76e1b8ee1710e380256824005a10a9?Opendocument</a>.<br />[<a href="#fr4" name="fn4">4</a>]Communications metadata may include information about our identities (subscriber information, device information), interests, including medical conditions, political and religious viewpoints (websites visited, books and other materials read, watched or listened to, searches conducted, resources used), interactions (origins and destinations of communications, people interacted with, friends, family, acquaintances), location (places and times, proximities to others); in sum, logs of nearly every action in modern life, our mental states, interests, intentions, and our innermost thoughts.<br />[<a href="#fr5" name="fn5">5</a>]For example, in the United Kingdom alone, there are now approximately 500,000 requests for communications metadata every year, currently under a self-authorising regime for law enforcement agencies, who are able to authorise their own requests for access to information held by service providers. Meanwhile, data provided by Google’s Transparency reports shows that requests for user data from the U.S. 
alone rose from 8888 in 2010 to 12,271 in 2011.<br />[<a href="#fr6" name="fn6">6</a>]See as examples, a review of Sandy Pentland’s work, ‘Reality Mining’, in MIT’s Technology Review, 2008, available at <a href="http://www2.technologyreview.com/article/409598/tr10-reality-mining/">http://www2.technologyreview.com/article/409598/tr10-reality-mining/</a> and also see Alberto Escudero-Pascual and Gus Hosein, ‘Questioning lawful access to traffic data’, Communications of the ACM, Volume 47 Issue 3, March 2004, pages 77 - 82.<br />[<a href="#fr7" name="fn7">7</a>]Report of the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue, May 16 2011, available at <a href="http://www2.ohchr.org/english/bodies/hrcouncil/docs/17session/a.hrc.17.27_en.pdf">http://www2.ohchr.org/english/bodies/hrcouncil/docs/17session/a.hrc.17.27_en.pdf</a><br />[<a href="#fr8" name="fn8">8</a>]The Global Network Initiative establishes standards to help the ICT sector protect the privacy and free expression of their users. See <a href="http://www.globalnetworkinitiative.org/">http://www.globalnetworkinitiative.org/</a><br />[<a href="#fr9" name="fn9">9</a>]As defined by international and regional conventions mentioned above.<br />[<a href="#fr10" name="fn10">10</a>]Where judicial review is waived in such emergency cases, a warrant must be retroactively sought within 24 hours.<br />[<a href="#fr11" name="fn11">11</a>]One example of such a report is the US Wiretap report, published by the US Court service. Unfortunately this applies only to interception of communications, and not to access to communications metadata. See <a href="http://www.uscourts.gov/Statistics/WiretapReports/WiretapReport2011.aspx">http://www.uscourts.gov/Statistics/WiretapReports/WiretapReport2011.aspx</a>. 
The UK Interception of Communications Commissioner publishes a report that includes some aggregate data but it does not provide sufficient data to scrutinise the types of requests, the extent of each access request, the purpose of the requests, and the scrutiny applied to them. See <a href="http://www.intelligencecommissioners.com/sections.asp?sectionID=2&type=top">http://www.intelligencecommissioners.com/sections.asp?sectionID=2&type=top</a>.</p>
</ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/draft-intl-principles-on-communications-surveillance-and-human-rights'>https://cis-india.org/internet-governance/blog/draft-intl-principles-on-communications-surveillance-and-human-rights</a>
</p>
No publisher; elonnai; SAFEGUARDS, Internet Governance, Privacy; 2013-07-12T15:55:45Z; Blog Entry
State Surveillance and Human Rights Camp: Summary
https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary
<b>On December 13 and 14, 2012, the Electronic Frontier Foundation organized the Surveillance and Human Rights Camp held in Rio de Janeiro, Brazil. The meeting examined trends in surveillance, reasons for state surveillance, surveillance tactics that governments are using, and safeguards that can be put in place to protect against unlawful or disproportionate surveillance.</b>
<hr />
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<p style="text-align: justify; ">The camp also examined different types of data, understanding tools that governments can use to access data, and looked at examples of surveillance measures in different contexts. The camp was divided into plenary sessions and individual participatory workshops, and brought together activists, researchers, and experts from all over the world. Experiences from multiple countries were shared, with an emphasis on the experience of surveillance in Latin America. Among other things, this blog summarizes my understanding of the discussions that took place.</p>
<p style="text-align: justify; ">The camp also served as a platform for collaboration on the <i>Draft International Principles on Communications Surveillance and Human Rights</i>. These principles seek to set an international standard for safeguards to the surveillance of communications that recognizes and upholds human rights, and provide guidance for legislative changes related to communications and communications metadata to ensure that the use of modern communications technology does not violate individual privacy. The principles were first drafted in October 2012 in Brussels, and are still in draft form. A global consultation is taking place to bring in feedback and perspective on the principles.</p>
<p>The draft principles were institutionalized for a number of reasons including:</p>
<ul>
<li style="text-align: justify; ">Currently there are no principles or international best standards specifically prescribing necessary and important safeguards to surveillance of communication data. </li>
<li style="text-align: justify; ">Practices around surveillance of communications by governments and the technology used by governments are rapidly changing, while legislation and safeguards protecting individual communications from illegal or disproportionate surveillance are staying the same, and thus rapidly becoming outdated. </li>
<li style="text-align: justify; ">New legislation that allows surveillance through access to communication data that is being proposed often attempts to give sweeping powers to law enforcement for access to data across multiple jurisdictions, and mandates extensive cooperation and assistance from the private sector including extensive data retention policies, back doors, and built in monitoring capabilities.</li>
<li style="text-align: justify; ">Surveillance of communications is often carried out with few safeguards in place including limited transparency to the public, and limited forms of appeal or redress for the individual. </li>
</ul>
<p style="text-align: justify; ">This has placed the individual in a vulnerable position as opaque surveillance of communications is carried out by governments across the world — the abuse of which is unclear. The principles try to address these challenges by establishing standards and safeguards which should be upheld and incorporated into legislation and practices allowing the surveillance of communications.</p>
<p>A summary of the draft principles is below. As the principles are still a working draft, the most up to date version of the principles can be accessed <a class="external-link" href="http://necessaryandproportionate.net/">here</a>.</p>
<h2 style="text-align: justify; ">Summary of the Draft International Principles on Communications Surveillance and Human Rights</h2>
<p style="text-align: justify; "><b>Legality</b>: Any surveillance of communications undertaken by the government must be codified by statute.</p>
<p style="text-align: justify; "><b>Legitimate Purpose</b>: Laws should only allow surveillance of communications for legitimate purposes.</p>
<p style="text-align: justify; "><b>Necessity</b>: Laws allowing surveillance of communications should limit such measures to what is demonstrably necessary.</p>
<p style="text-align: justify; "><b>Adequacy</b>: Surveillance of communications should only be undertaken to the extent that is adequate for fulfilling legitimate and necessary purposes.</p>
<p style="text-align: justify; "><b>Competent Authority</b>: Any authorization for surveillance of communications must be made by a competent and independent authority.</p>
<p style="text-align: justify; "><b>Proportionality</b>: All measures of surveillance of communications must be specific and proportionate to what is necessary to achieve a specific purpose.</p>
<p style="text-align: justify; "><b>Due process</b>: Governments undertaking surveillance of communications must respect and guarantee an individual’s human rights. Any interference with an individual's human rights must be authorized by a law in force.</p>
<p style="text-align: justify; "><b>User notification</b>: Governments undertaking surveillance of communications must allow service providers to notify individuals of any legal access that takes place related to their personal information.</p>
<p style="text-align: justify; "><b>Transparency about use of government surveillance</b>: The government's ability to surveil communications and the process for surveillance should be transparent to the public.</p>
<p style="text-align: justify; "><b>Oversight</b>: Governments must establish an independent oversight mechanism to ensure transparency and accountability of lawful surveillance measures carried out on communications.</p>
<p style="text-align: justify; "><b>Integrity of communications and systems</b>: In order to enable service providers to secure communications, governments cannot require service providers to build in surveillance or monitoring capabilities.</p>
<p style="text-align: justify; "><b>Safeguards for international cooperation</b>: When governments work with other governments across borders to fight crime, the higher/highest standard should apply.</p>
<p style="text-align: justify; "><b>Safeguards against illegitimate access</b>: Governments should provide sufficient penalties to dissuade against unwarranted surveillance of communications.</p>
<p><b>Cost of surveillance</b>: The financial cost of the surveillance on communications should be borne by the government undertaking the surveillance.</p>
<h3>Types of Data</h3>
<p style="text-align: justify; ">The conversations during the camp reviewed a number of practices related to surveillance of communications, and emphasized the importance of establishing the draft principles. Setting the background to various surveillance measures that can be carried out by the government, the different categories of communication data that can be easily accessed by governments and law enforcement were discussed. For example, law enforcement frequently accesses information such as IP address, account name and number, telephone number, transactional records, and location data. This data can be understood as 'non-content' data or communication data, and in many jurisdictions can easily be accessed by law enforcement/governments, as the requirements for accessing communication data are lower than the requirements for accessing the actual content of communications. For example, in the United States a court order is not needed to access communication data whereas a judicial order is needed to access the content of communications.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">Similarly, in the UK law enforcement can access communication data with authorization from a senior police officer.<a href="#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">It was discussed how it is concerning that communication data can be accessed easily, as it provides a plethora of facts about an individual. Given the sensitivity of communication data and the ability for personal information to be derived from it, the ease with which law enforcement accesses the data and the individual's unawareness of that access place the privacy of users at risk.</p>
<h3 style="text-align: justify; ">Ways of Accessing Data</h3>
<p style="text-align: justify; ">The ways in which governments and law enforcement access information, and the associated challenges, were discussed, both in terms of the legislation that allows for access and the technology that is used for access.</p>
<h3 style="text-align: justify; ">Access and Technology</h3>
<p style="text-align: justify; ">In this discussion it was pointed out that traditional forms of accessing data are no longer effective for governments, for a number of reasons. For example, in many cases communications and transactions, etc., that take place on the internet are encrypted. The ubiquitous use of encryption means more protection for the individual in everyday use of the internet, but serves as an obstacle to law enforcement and governments, as the content of a message is even more difficult to access. Thus, law enforcement and governments are using technologies like commercial surveillance software, targeted hacking, and malware to surveil individuals. The software is sold off the shelf at trade shows by commercial software companies to law enforcement and governments. Though the software has been developed to be a useful tool for governments, it was found that in some cases it has been abused by authoritarian regimes. For example in 2012, it was found that FinSpy, a computer espionage software made by the British company Gamma Group was being used to target political dissidents by the Government of Bahrain. FinSpy has the ability to capture computer screen shots, record Skype chats, turn on computer cameras and microphones, and log keystrokes.<a href="#fn3" name="fr3">[3]</a></p>
<p style="text-align: justify; ">In order to intercept communications or block access to sites, governments and ISPs also rely on the use of deep packet inspection (DPI).<a href="#fn4" name="fr4">[4]</a> Deep packet inspection is a tool traditionally used by internet service providers for effective management of the network. DPI allows ISPs to monitor and filter data flowing through the network by inspecting the header of a packet of data and the content of the packet.<a href="#fn5" name="fr5">[5]</a> With this information it is possible to read the actual content of packets, and identify the program or service being used.<a href="#fn6" name="fr6">[6]</a></p>
<p style="text-align: justify; ">DPI can be used for the detection of viruses, spam, unfair use of bandwidth, and copyright enforcement. At the same time, DPI can allow for the possibility of unauthorized data mining and real time interception to take place, and can be used to block internet traffic whether it is encrypted or not.<a href="#fn7" name="fr7">[7]</a></p>
<p style="text-align: justify; ">Governmental requirements for deep packet inspection can in some cases be found in legislation and policy. In other cases it is not clear if it is mandatory for ISPs to provide DPI capabilities, thus the use of DPI by governments is often an opaque area. Recently, the ITU has sought to define an international standard for deep packet inspection known as the "Y.2770" standard. The standard proposes a technical interoperable protocol for deep packet inspection systems, which would be applicable to "application identification, flow identification, and inspected traffic types".<a href="#fn8" name="fr8">[8]</a></p>
<h3 style="text-align: justify; ">Access and Legislation</h3>
<p style="text-align: justify; ">The discussions also examined similarities across legislation and policy which allows governments legal access to data. It was pointed out that legislation providing access to different types of data is increasingly becoming outdated, and is unable to distinguish between communications data and personal data. Thus, relevant legislation is often based on inaccurate and outdated assumptions about what information would be useful and what types of safeguards are necessary. For example, it was discussed how US surveillance law has traditionally established safeguards based on assumptions like: surveillance of data on a personal computer is more invasive than access to data stored in the cloud, real-time surveillance is more invasive than access to stored data, surveillance of newer communications is more invasive than surveillance of older communications, etc. These assumptions are no longer valid as information stored in the cloud, surveillance of older communications, and surveillance of stored data can be more invasive than access to newer communications, etc. It was also discussed that increasingly relevant legislation also contains provisions that have generic access standards, unclear authorization processes, and provide broad circumstances in which communication data and content can be accessed. The discussion also examined how governments are beginning to put in place mandatory and extensive data retention plans as tools of surveillance. These data retention mandates highlight the changing role of internet intermediaries including the fact that they are no longer independent from political pressure, and no longer have the ability to easily protect clients from unauthorized surveillance.</p>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. EFF. Mandatory Data Retention: United States. Available at: <a class="external-link" href="https://www.eff.org/issues/mandatory-data-retention/us">https://www.eff.org/issues/mandatory-data-retention/us</a><br />[<a href="#fr2" name="fn2">2</a>]. Espiner, T. Communications Data Bill: Need to Know. ZDNet. June 18th 2012. <a class="external-link" href="http://www.zdnet.com/communications-data-bill-need-to-know-3040155406/">http://www.zdnet.com/communications-data-bill-need-to-know-3040155406/</a><br />[<a href="#fr3" name="fn3">3</a>]. Perlroth, M. Software Meant to Fight Crime is Used to Spy on Dissidents. The New York Times. August 30th 2012. Available at: <a class="external-link" href="http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html?_r=0">http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html?_r=0</a><br />[<a href="#fr4" name="fn4">4</a>]. Wawro, A. What is Deep Packet Inspection?. PCWorld. February 1st 2012. Available at: <a class="external-link" href="http://www.pcworld.com/article/249137/what_is_deep_packet_inspection_.html">http://www.pcworld.com/article/249137/what_is_deep_packet_inspection_.html</a><br />[<a href="#fr5" name="fn5">5</a>]. Geere, D. How deep packet inspection works. Wired. April 27th 2012. Available at: <a class="external-link" href="http://www.wired.co.uk/news/archive/2012-04/27/how-deep-packet-inspection-works">http://www.wired.co.uk/news/archive/2012-04/27/how-deep-packet-inspection-works</a><br />[<a href="#fr6" name="fn6">6</a>]. Kassner. M. Deep Packet Inspection: What You Need to Know. Tech Republic. July 27th 2008. 
Available at: <a class="external-link" href="http://www.techrepublic.com/blog/networking/deep-packet-inspection-what-you-need-to-know/609">http://www.techrepublic.com/blog/networking/deep-packet-inspection-what-you-need-to-know/609</a><br />[<a href="#fr7" name="fn7">7</a>]. Anonyproz. How to Bypass Deep Packet Inspection Devices or ISPs Blocking Open VPN Traffic. Available at: <a class="external-link" href="http://www.anonyproz.com/supportsuite/index.php?_m=knowledgebase&amp;_a=viewarticle&amp;kbarticleid=138">http://www.anonyproz.com/supportsuite/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=138</a><br />[<a href="#fr8" name="fn8">8</a>].Chirgwin. R. Revealed: ITU's deep packet snooping standard leaks online: Boring tech doc or Internet eating monster. The Register. December 6th 2012. Available at: <a class="external-link" href="http://www.theregister.co.uk/2012/12/06/dpi_standard_leaked/">http://www.theregister.co.uk/2012/12/06/dpi_standard_leaked/</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary'>https://cis-india.org/internet-governance/blog/state-surveillance-human-rights-camp-summary</a>
</p>
No publisher; elonnai; Internet Governance, SAFEGUARDS; 2013-07-12T16:02:51Z; Blog Entry
Internet-driven Developments — Structural Changes and Tipping Points
https://cis-india.org/internet-governance/blog/internet-driven-developments
<b>A symposium on Internet Driven Developments: Structural Changes and Tipping Points was held in Cambridge, Massachusetts at Harvard University from December 6 to 8, 2012. The symposium was sponsored by the Ford Foundation and the MacArthur Foundation and was hosted by the Berkman Center for Internet & Society. In this blog post, I summarize the discussions that took place over the two days and add my own personal reflections on the issues.
</b>
<p style="text-align: justify; ">The symposium served as an inaugural event for the <i>Global Network of Interdisciplinary Centers</i>, which currently includes as its members:</p>
<ul>
<li>The Berkman Center for Internet and Society at Harvard University</li>
<li>The Alexander von Humboldt Institute for Internet & Society</li>
<li>The Centre for Internet and Society, Bangalore </li>
<li>The Center for Technology & Society at the Fundacao Getulio Vargas Law School, Keio University</li>
<li>The MIT Media Lab and its Center for Civic Media</li>
<li>The NEXA Center for Internet & Society at Politecnico di Torino. </li>
</ul>
<p style="text-align: justify; ">Individuals and researchers from the Centers focused on understanding the effects of internet and society. The participants were brought together to explore the past, present, and future tipping points of the internet, to identify knowledge gaps, and to find areas of collaboration and future action between institutes and individuals. Specifically, the symposium set out to examine fundamental questions about the internet, identify structural changes that are occurring because of the internet, and the forces that are catalyzing these changes. Questions asked and discussed included:</p>
<ul>
<li>What forces are changing production and service models? </li>
<li>What forces are influencing entrepreneurship and innovation? and </li>
<li>What forces are changing political participation?</li>
</ul>
<h2 style="text-align: justify; ">Production and Service Models</h2>
<h3>Discussion</h3>
<p style="text-align: justify; ">When participants discussed the changes that are happening to production and service models, concepts such as big data, algorithms, peer based models of production, and intermediaries were identified as actors and tools that are driving change in production and service models in the context of the internet. For example, big data and algorithms are being used to alter the nature, scope, and reach of business by allowing for the personalization and customization of services. To this end, many organizations have incorporated customer participation into business models, and provide platforms for feedback and input. The personalization of services has placed greater emphasis on the voice of the customer, allowing customers to guide and influence business by voicing preferences, satisfaction levels, etc. In this way, consumers can determine what type of service they want, and can also make political statements through their choices and feedback. In the process, however, such platforms generate and depend on large amounts of data and thus raise concerns about privacy.</p>
<p style="text-align: justify; ">Knowledge gaps that were identified during the conversation included how to predict what would make a participatory platform and peer based model successful, and how these platforms can be effectively researched. When looking at big data, a knowledge gap that was identified included how to ensure that data are collected ethically and accurately, as well as the related question: once large data sets are collected, how can the data be analyzed and used in a meaningful way?</p>
<p style="text-align: justify; ">There was also discussion about the increasingly critical and powerful role that intermediaries serve within the scope of the internet as they act as the platform provider and regulator for internet content. Intermediaries both allow for content to be posted on the internet, and determine what information is accessed through the filtering of web searches. Increasingly, governments are seeking to regulate intermediaries and create strict rules of compliance with governmental mandates. At the same time governments are placing the responsibility and liability of regulating what content is posted on internet on intermediaries, essentially placing them in the role of an adjudicator. This is one example of how the relationship between the private sector, the government, and the individual is changing, because it is only recently that private intermediaries have been held responsible first to governments, and only secondarily to customers.</p>
<p style="text-align: justify; ">Knowledge gaps identified in the discussion on intermediaries included understanding and researching how intermediaries decide to filter content found through searches. On what basis is each filter done? Are there actors influencing this process? And what are the economics behind the process?</p>
<h3 style="text-align: justify; ">Personal Thoughts</h3>
<p style="text-align: justify; ">When reflecting on how the internet is changing and influencing the production of goods and services, I personally would add to the points discussed in the meeting the fact that the internet has also impacted the job economy. Reports show that jobs in the extraction and manufacturing sector are decreasing, as the internet has created a mandatory new tech oriented skill set that often outweighs the need for other skill sets. This change is far reaching as the job economy influences what skills students choose to learn, why and for what purposes individuals migrate across borders for employment, and in what industries governments invest money towards domestic development. In addition to changing the nature of skills in demand, the nature of the services themselves is changing. Though services are becoming more personalized and tailored to the individual, this personalization is automated, and replacing the ‘human touch’ that was once prized in business. Whether customers care if the service they are given is generated by an algorithm or delivered by an individual may depend on a person’s preference, but the European Union has seen this shift as being significant enough to address automated decision making in Article 15 of the EU directive, which provides individuals the right to not be subject to a decision which legally impacts him/her which is based only on automated processing of data. This directive encompasses decisions such as evaluation of a person’s performance at work, creditworthiness, reliability, conduct, etc.</p>
<p style="text-align: justify; ">The internet has also increased the cost of small mistakes made by businesses, as any mistake will now potentially impact millions of customers. The impact of any mistake makes risk management much more important and difficult, as businesses must seek to anticipate and mitigate any and all mistakes. The internet has also created a new level of dependency on the network, as businesses shift all of their services and functions over to the internet. Thus, if the network goes down, businesses will lose revenue and customers. This level of dependency on the network that exists today is different from past reliance on technology — in the sense that in the past there was not one single type of technology that would be essential for many businesses to run. The closest analogue was transportation: if trucks, trains, or ships were unavailable, multiple industries would be impacted. The difference is that those who relied on rail could shift temporarily to ships or trucks. Those relying on the network have no alternatives. Furthermore, past technologies were constantly evolving in the resources they depended on — from coal to gas, etc, but for the internet, it seems that the resource is not evolving, so much as expanding as increased bandwidth and connectivity are the solution to allowing technological evolution and innovation through the internet.</p>
<p style="text-align: justify; ">As discussed above, intermediaries are becoming key and powerful players, but they also seem to be increasingly placed between a rock and a hard place, as governments around the world are asking national and multinational intermediaries to filter content that violates national laws in one context, but not another context. Furthermore, intermediaries are increasingly being asked to comply with law enforcement requests for access to data that is often not within the jurisdiction of the requesting country. The difficult position intermediaries are placed in demonstrates how the architecture of the internet is borderless but the regulation and use of the internet is still tied to borders and jurisdiction.</p>
<h2 style="text-align: justify; ">Entrepreneurship and Innovation</h2>
<h3>Discussion</h3>
<p style="text-align: justify; ">When discussing entrepreneurship and innovation it was pointed out by participants that grey markets and market failures are important indicators for possibilities of new business models and forms of innovation. Because of that, it is important to study what has failed and why when identifying new possibilities and trends. The importance of policies and laws that allow for innovation and entrepreneurship was also highlighted.</p>
<h3 style="text-align: justify; ">Personal Thoughts</h3>
<p style="text-align: justify; ">When thinking about entrepreneurship and innovation on the internet and forces driving them, it seems clear that tethering, conglomerating, and organizing information from multiple sources is one direction that innovation is headed. Services are coming out that have the ability to search the internet based on individual preferences and provide more accurate data quickly. This removes the need for individuals to search the internet at length to find the information or products they want. Along the same lines, it seems that there is a greater trend towards personalization. Services are finding new and innovative ways to bring individuals customized products. Another trend is the digitization of all services — from moving libraries online, to bookstores online, to grocery stores online. Lastly, there is a constant demand for new applications to be developed. These can range from applications enabling communication through social networking, to applications that act as personal financial consultants, to applications that act as personal trainers. The ability for concepts, trends, etc to go viral on the internet has also added another dimension to entrepreneurship and innovation as any individual can potentially become successful by something going viral. The ability for something to go viral on the internet does not just impact entrepreneurship and innovation, but also impacts political participation and production and service models.</p>
<h2 style="text-align: justify; ">Political Participation</h2>
<p style="text-align: justify; ">Discussions also centered on how political participation is changing as the internet is being used as a new platform for participation. For example, it is now possible for individuals to leverage their voice and message to local and global communities. Furthermore, this message can be communicated on a seemingly personal scale. Individuals from one community are able to connect to communities from another location — both local and abroad, and to work together to catalyze change. Messages and communications can be spread easily to millions of people and can go viral. This ability has changed and created new public spheres, where anyone can contribute to a dialogue from anywhere. Empowerment is shifting as well, because the internet allows for new power structures to be created by any actor who knows how to leverage the network. These factors allow for more voices to be heard and for greater citizen participation. The role of the youth in political movements was also emphasized in the discussions. On the other hand governments have responded by more heavily regulating speech and content on the internet when dissenting voices and campaigns are seen as a threat. It was also brought out that though emerging forms of online political participation have been heralded by many for achievements such as facilitating democracy, transparency, and bringing a voice to the silenced — many have warned that analysis of these political forms of participation overlook individual contributions and time. Other critiques that were discussed included the fact that digital revolutions also exclude individuals who do not have access to the internet or to platforms/applications and overlook actions and movements that take place offline.</p>
<p style="text-align: justify; ">Knowledge gaps that were identified included understanding the basics of the change that is happening in political participation through the internet. For example, it is unclear who the actors are that determine the conditions and scope for these changes, and like participatory forms of business, what enables and mobilizes change. Furthermore, it is unclear who specifically benefits from these changes and how, and who participates in the changes — and in what capacity. Additionally, much of the change has been quantified in the dialogue of the ‘global’ — global voices, global movements — but that dialogue ignores the local.</p>
<h3 style="text-align: justify; ">Personal Thoughts</h3>
<p style="text-align: justify; ">In addition to the discussions on political participation, I believe the internet has created the possibility for ‘social governance’ to address situations in which there is no particular law against an action, but individuals come together and speak out against actions that they see on the internet that they believe should be stopped or changed. Depending on the extent individuals choose to enforce these decisions, this can be potentially dangerous as individuals are essentially rewriting laws and social norms without subjecting them to the crucible of consensus decision-making or review. In addition, forms of political participation are not changing just in terms of how the individual engages politically with states and governments, but also in the ways that politicians are engaging with citizens. For example, politicians are using Facebook and Twitter as means to communicate and gather feedback from supporters. Politicians are also using technology to reach more individuals with their messages — from experimenting with 3D holograms, to web casting, to using technology like CCTV cameras to prove transparency. The impact of this could be interesting, as technology is becoming a mediating tool that works in both directions between citizens and governments. Is this changing the traditional understandings of the State and the relationship between the State and the citizen?</p>
<h2>Conclusion and ways forward</h2>
<p style="text-align: justify; ">The discussions also pulled out dichotomies that apply to the internet and illustrate tensions arising from different forces. These dichotomies can be shaped by individuals and actors attempting to regulate the internet, as for example with new models of regulation vs. old models of regulation, private vs. public, local vs. global, owned vs. unowned, and zoned vs. unzoned. These dichotomies can be shaped by how the internet is used. For example, fair vs. unfair, just vs. unjust, represented vs. silenced, and uniform vs. diverse.</p>
<p style="text-align: justify; ">Common questions being asked and areas for potential research that came out of these discussions included information communication and media, how to address different and at times contradictory policies and levels of development in different countries, and what is the impact of big data on different sectors and industries like e-health and journalism? What is the importance of ICT in creating economic progress? How is the Internet changing the nature of democracy?</p>
<p style="text-align: justify; ">When discussing ways forward and areas for future collaboration it was brought out that exploring ways to leverage open data, ways to effectively use and build off of perspectives and experiences from other contexts and cultures, and ways to share resources across borders including funding, human presence, and expertise were important questions to answer. Common challenges that were identified by participants ranged from cyber security and the rise of state and non-state actors in cyber warfare, finding adequate funding to support research, sustaining international collaborations, ensuring that research is meaningful and can translate into useful resources for policy and law makers, and ensuring that projects are designed with a long-term objective and vision in mind.</p>
<p style="text-align: justify; ">The discussions, presentations, and contributions by participants during the two day symposium were interesting and important as they demonstrated just how multi-faceted the internet is, and how it is never one dimensional. How the internet is researched, how it is used, and how it is regulated will be constantly changing. Whether this change is a step forward, or a re-invention of what has already been done, is up to all who use the internet including the individual, the corporation, the researcher, the policy maker, and the government.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/internet-driven-developments'>https://cis-india.org/internet-governance/blog/internet-driven-developments</a>
</p>
No publisher | elonnai | Internet Governance, Privacy | 2012-12-28T15:34:51Z | Blog Entry
Q&A to the Report of the Group of Experts on Privacy
https://cis-india.org/internet-governance/blog/question-and-answer-to-report-of-group-of-experts-on-privacy
<b>In January 2012 Justice A.P. Shah formed a committee consisting of a group of experts to contribute to and create a report of recommendations for a privacy legislation in India. The committee met a total of seven times from January to September 2012. The Centre for Internet and Society (CIS) was a member of the committee creating the report. This blog post is CIS’s attempt to answer questions that have arisen from media coverage on the report, based on our understanding. </b>
<h2>Executive Summary</h2>
<p style="text-align: justify; ">The executive summary explains how the need for a horizontal privacy legislation that recognizes the right to privacy has come about in India in light of projects and practices such as the UID, NATGRID, and the changing nature of business and technology. The executive summary highlights the committee’s recommendations of what should be considered by legislatures while enacting a privacy legislation in India.</p>
<p><b>Q: What are the salient features of the committee’s recommendations? </b></p>
<p><b>A:</b> In its report the committee recommended that any privacy legislation passed should:</p>
<ul>
<li style="text-align: justify; "> Be technologically neutral and interoperable with international standards to ensure that the regulation can adapt to changing technology, and that business will be promoted. </li>
<li style="text-align: justify; ">Recognize the multiple dimensions of privacy including physical and informational privacy. </li>
<li style="text-align: justify; ">Apply to all data controllers both in the private sector and the public sector to ensure that businesses and governments are held accountable to protecting privacy. </li>
<li style="text-align: justify; ">Establish a set of privacy principles that can be applicable to different practices, policies, projects, departments, and businesses to create a uniform level of privacy protection across all sectors. </li>
<li style="text-align: justify; ">Create an enforcement regime of co-regulation, where industry has the choice of developing privacy principles and ensuring compliance at the sectoral level with regular oversight by the Privacy Commissioners. </li>
</ul>
<h2>Chapter 1: Constitutional Basis for Privacy</h2>
<p>This chapter summarizes a number of decisions from the Indian Judiciary that demonstrate how the right to privacy in India has been defined on a case to case basis and has been defined as either a fundamental right or a common law right.</p>
<p><b>Q: What are the contexts of the cases covered? </b></p>
<p><b>A:</b> This chapter covers cases that speak to the:</p>
<ul>
<li>Right to privacy in the context of surveillance by the State </li>
<li>Balancing the ‘right to privacy’ against the ‘right to free speech’ </li>
<li>The ‘right to privacy’ of HIV patients </li>
<li>Prior judicial sanctions for tapping telephones </li>
<li>The ‘search and seizure’ powers of revenue authorities </li>
</ul>
<h2>Chapter 2: International Privacy Principles</h2>
<p>This chapter summarizes recent developments in privacy laws, international privacy principles, and privacy principles developed by specific countries. This review aided the Committee in forming its recommendations for the report.</p>
<p><b>Q: Privacy principles from which countries were reviewed by the Committee?</b></p>
<p><b>A:</b> The Committee reviewed privacy principles from the following countries and international organizations.</p>
<ul>
<li>EU Regulations of January 2012 </li>
<li>US Consumer Privacy Bill of Rights </li>
<li>OECD Privacy Principles </li>
<li>APEC Privacy Framework </li>
<li>Australia </li>
<li>Canada </li>
</ul>
<h2>Chapter 3: National Privacy Principles, Rationales, and Emerging Issues</h2>
<p style="text-align: justify; ">This chapter lays out the nine national privacy principles and describes the rationale for each principle along with emerging issues around each principle.</p>
<p><b>Q: What could the principles apply to? </b></p>
<p style="text-align: justify; "><b>A:</b> The principles apply to the collection, processing, storage, retention, access, disclosure, destruction, sharing, transfer, and anonymization of sensitive personal information, personal identifiable information, and identifiable information by data controllers. The national privacy principles can also be applied to legislation, projects, practices, and policies to ensure that provisions and requirements are in compliance with the national privacy principles.</p>
<p><b>Q: Who could be brought under the scope of the principles?</b></p>
<p style="text-align: justify; "><b>A:</b> The principles are applicable to every data controller in the private sector and the public sector. For example organizations and government departments that determine the purposes and means of processing personal information will be brought under the scope of the principles and will be responsible for carrying out the processing of data in accordance with sectoral privacy standards or the national privacy principles.</p>
<p><b>Q: How could the National Privacy Principles impact individuals? </b></p>
<p style="text-align: justify; "><b>A:</b> The principles provide individuals with the right to:</p>
<ol>
<li style="text-align: justify; ">Receive notice before giving consent stating what personal information is being collected, the purposes for which personal information is being collected, the uses of collected personal information, whether or not personal information will be disclosed to third persons, security safeguards established by the data controller, processes available to data subjects to access and correct personal information, and contact details of privacy officers. </li>
<li>Opt in and out of providing personal information. </li>
<li>Withdraw given consent at any point of time. </li>
<li>Access and correct any personal information held by data controllers. </li>
<li>Issue a complaint with the respective ombudsman, privacy commissioner, or court. </li>
</ol>
<p><b>Q: Would the National Privacy Principles be binding for every data controller? </b></p>
<p><b>A:</b> Yes, but Self Regulating Organizations at the industry level have the option of developing principles for that specific sector. These principles must be approved by the privacy commissioner and be in compliance with the National Privacy Principles.</p>
<h2>Chapter 4: Analysis of Relevant Legislation, Bills, and Interests from a Privacy Perspective</h2>
<p style="text-align: justify; ">This chapter examines relevant legislation, bills, and interests from a privacy perspective. In doing so the chapter clarifies how the right to privacy should intersect with the right to information and the freedom of expression, and analyzes current and upcoming legislation to demonstrate what existing provisions in the legislation uphold the privacy principles, what existing provisions are in conflict with the principles, and what provisions are missing to ensure that the legislation is compliant to the extent possible with the principles.</p>
<p><b>Q: How does the report understand the relationship between the Right to Information and the Right to Privacy?</b></p>
<p style="text-align: justify; "><b>A:</b> When applied the Privacy Act should not circumscribe the Right to Information Act. Furthermore, RTI recipients should not be considered data controllers and thus should not be brought under the ambit of the privacy principles.</p>
<p><b>Q: How does the report understand the relationship between the freedom of expression and privacy? </b></p>
<p style="text-align: justify; "><b>A:</b> Questions about how to balance the right to privacy with the freedom of expression can arise in many circumstances including: the right to be forgotten and data portability, journalistic expression, state secrecy and whistle blowers, and national security. Most often, public interest is the test used to determine if the right to privacy should supersede the freedom of expression or vice versa.</p>
<h2>Chapter 5: The Regulatory Framework</h2>
<p style="text-align: justify; ">This chapter outlines the committee’s recommendations for a regulatory framework for the Privacy Act.</p>
<p><b>Q: Who are the main actors in the regulatory framework?</b></p>
<p style="text-align: justify; "><b>A:</b> The report recommends that a regulatory framework be comprised of one privacy commissioner at the central level and four commissioners at the regional level, self regulating organizations (SRO’s) at the industry level, data controllers and privacy officers at the organization level, and courts.</p>
<p><b>Q: What are the salient features of the regulatory framework? </b></p>
<p style="text-align: justify; "><b>A:</b> The salient features of the regulatory framework include: (1) a framework of co-regulation, (2) complaints, (3) exceptions to the Privacy Act, and (4) offenses under the Act.</p>
<p><b>Q: What are exceptions to the right to privacy? Are these blanket exceptions?</b></p>
<p style="text-align: justify; "><b>A:</b> National security; public order; disclosure of information in public interest; prevention, detection, investigation and prosecution of criminal offences; and protection of the individual or of the rights and freedoms of others are suggested exceptions to the right to privacy. The committee has qualified these exceptions with the statement that before an exception can be made for the following circumstances, the proportionality, legality, and necessity in a democratic state should be used to measure if the exception applies and the extent of the exception. Thus, they are not blanket exceptions to the right to privacy.</p>
<p style="text-align: justify; ">Historical and scientific research and journalistic purposes were also recommended as additional exceptions to the right to privacy that may be considered. These exceptions will not be subjected to the principles of proportionality, legality, and necessity in a democratic state.</p>
<p><b>Q: What are the powers and responsibilities of the privacy commissioners? </b></p>
<p><b>A:</b> The powers and responsibilities of the Privacy Commissioners are the following:</p>
<p><b>Responsibilities:</b></p>
<ol>
<li>Enforcement of the Act </li>
<li style="text-align: justify; ">Broadly oversee interception/access, audio & video recordings, the use of personal identifiers, and the use of bodily or genetic material. </li>
<li>Evaluate and approve privacy principles developed by SRO’s </li>
<li style="text-align: justify; ">Collaborate with stakeholders to ensure effective regulation, promote awareness of the Act, and sensitize citizens to privacy considerations </li>
</ol>
<p><b>Powers: </b></p>
<ol>
<li>Order privacy impact assessments on organisations </li>
<li>Investigate complaints suo motu or based off of complaints from data subjects (summon documents, call and examine witnesses, and take a case to court if necessary) </li>
<li>Fine non-compliant data controllers </li>
</ol>
<p><b>Q: How does Co-regulation work? </b></p>
<p style="text-align: justify; "><b>A:</b> The purpose of establishing a regulatory framework of co-regulation is to ensure that appropriate policies and principles are articulated and enforced for all sectors. If a sector wishes to develop its own privacy standards, the industry level self regulating organization will submit to the privacy commissioner a sub set of self regulatory norms. If these norms are approved by the privacy commissioner the SRO will be responsible for enforcing those norms, but the privacy commissioner will have the power to sanction member data controllers for violating the norms. If a sector does not have an SRO or does not wish to develop its own set of standards, the National Privacy Principles will be binding.</p>
<p><b>Q: What are data controllers? What are privacy officers? What are ombudsmen? </b></p>
<p style="text-align: justify; "><b>A:</b> A data controller is any entity that handles or processes data. Privacy officers receive and handle complaints at the organizational level and may be appointed as part of a SRO’s privacy requirements for a sector. Ombudsmen are appointed at the SRO level and are also responsible for receiving and handling complaints. The objective of having ombudsmen and privacy officers is to reduce the burden of handling complaints on the commissioner and the courts.</p>
<p><b>Q: When can an individual issue a complaint? Which body should individuals issue complaints to? </b></p>
<p style="text-align: justify; "><b>A:</b> An individual can issue a complaint at any point of time when they feel that their personal information has not been handled by a data controller according to the principles, or that a data controller is not in compliance with the Act. When applicable complaints are encouraged to be issued first to the organization. If the complaint is not resolved, the individual can take the complaint to the SRO or privacy commissioner. The individual also has the option of taking a complaint straight to the courts. When a complaint is received by the commissioner, the commissioner may fine the data controller if it is found to be non-compliant. Data controllers cannot appeal fines issued by the commissioner, but they can appeal the initial decision of non-compliance.</p>
<p><b>Q: Can an individual receive compensation for a violation of privacy? </b></p>
<p style="text-align: justify; "><b>A:</b> Yes. Individuals who suffer damages caused by non-compliance with the principles or any obligation under the Act can receive compensation, but the compensation must be issued by the courts and cannot be issued by a privacy commissioner. Actors that can be held liable by individuals include data controllers, organization directors, agency directors, and heads of Governmental departments.</p>
<p><b>Q: What offences does the report recommend?</b></p>
<p><b>A:</b> The following constitute offences under the Act:</p>
<ul>
<li>Non-compliance with the privacy principles </li>
<li>Unlawful collection, processing, sharing/disclosure, access, and use of personal data </li>
<li>Obstruction of commissioner </li>
<li>Failure to comply with notification issued by commissioner
<ul>
<li> Processing data after receiving a notification </li>
<li> Failure to appear before commissioner </li>
<li>Failure to produce documents requested by commissioner </li>
<li> Sending report to commissioner with false or misleading information</li>
</ul>
</li>
</ul>
<h2>Chapter 6: The Multiple Dimensions of Privacy</h2>
<p style="text-align: justify; ">This chapter gives examples of practices that impact privacy in India which the national privacy principles could be applied to. These include interception/access, the use of electronic recording devices, the use of personal identifiers, and the use of bodily and genetic material. The current state of each practice in India is described, and the inconsistencies and gaps in the regimes are highlighted. Each section also provides recommendations of which privacy principles need to be addressed and strengthened in each practice, and how the privacy principles would be affected by each practice.<b> </b></p>
<p><b>Q: Does the report give specific recommendations as to how each practice should be amended to incorporate the National Privacy Principles?</b></p>
<p><b>A:</b> No. Each section explains the current state of the practice in India, gaps and inconsistencies with the current practice, and recommends broadly what principles need to be addressed and strengthened in the regime, and how the National Privacy Principles may be affected by the practice.</p>
<h3>Summary of Recommendations</h3>
<p>This chapter consolidates and clarifies all of the Committee’s recommendations for a Privacy Act in India.</p>
<p><b>Q: Are the recommendations in this chapter different from chapters above?</b></p>
<p style="text-align: justify; "><b>A:</b> No. The recommendations in this chapter reflect the recommendations made earlier. This chapter does clarify the recommended scope and objectives of the Privacy Act including:</p>
<ol>
<li style="text-align: justify; ">The Act should define and harmonize with existing laws in force. </li>
<li style="text-align: justify; ">The Act should extend the right of privacy to all individuals in India and all data processed by any company or equipment located in India, and all data that originated in India. </li>
<li style="text-align: justify; ">The Act should clarify that the publication of personal data for artistic and journalistic purposes in public interest, the use of personal information for household purposes, and the disclosure of information as required by the Right to Information Act should not constitute an infringement of privacy. </li>
<li style="text-align: justify; ">The Act should not require a ‘reasonable expectation’ of privacy to be present for the right to be evoked. </li>
<li style="text-align: justify; ">If any other legislation provides more extensive protections than those set out by the Privacy Act, then the more extensive protections should apply. </li>
</ol>
<hr />
<p><a href="https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy.pdf" class="internal-link">Report of the Group of Experts on Privacy</a> [PDF, 1270 Kb]</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/question-and-answer-to-report-of-group-of-experts-on-privacy'>https://cis-india.org/internet-governance/blog/question-and-answer-to-report-of-group-of-experts-on-privacy</a>
</p>
No publisher | elonnai | Internet Governance, Privacy | 2012-11-09T10:20:48Z | Blog Entry
Rethinking DNA Profiling in India
https://cis-india.org/internet-governance/blog/epw-web-exclusives-oct-27-2012-elonnai-hickok-rethinking-dna-profiling-india
<b>DNA profile databases can be useful tools in solving crime, but given that the DNA profile of a person can reveal very personal information about the individual, including medical history, family history and so on, a more comprehensive legislation regulating the collection, use, analysis and storage of DNA samples needs to be included in the draft Human DNA Profiling Bill.</b>
<hr />
<p style="text-align: justify; ">Elonnai Hickok's article was <a class="external-link" href="http://www.epw.in/web-exclusives/rethinking-dna-profiling-india.html">published in Economic & Political Weekly</a>, Vol - XLVII No. 43, October 27, 2012</p>
<hr />
<p style="text-align: justify; ">DNA evidence was first accepted by the courts in India in 1985,<a href="#fn1" name="fr1">[1]</a> and in 2005 the Criminal Code of Procedure was amended to allow for medical practitioners, after authorisation from a police officer who is not below the rank of sub-inspector, to examine a person arrested on the charge of committing an offence and with reasonable grounds that an examination of the individual will bring to light evidence regarding the offence. This can include</p>
<p class="callout" style="text-align: justify; ">"the examination of blood, blood stains, semen, swabs in case of sexual offences, sputum and sweat, hair samples, and finger nail clippings, by the use of modern and scientific techniques including DNA profiling and such other tests which the registered medical practitioner thinks necessary in a particular case."<a href="#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; ">Though this provision establishes that authorisation is needed for collection of DNA samples, defines who can collect samples, creates permitted circumstances for collection, and lists material that can be collected, among other things, it does not address how the collected DNA evidence should be handled, and what will happen to the evidence after it is collected and analysed. These gaps in the provision indicate the need for a more comprehensive legislation regulating the collection, use, analysis and storage of DNA samples, including for crime-related purposes in India.</p>
<p>The initiative to draft a Bill regulating the use of DNA samples for crime-related reasons began in 2003, when the Department of Biotechnology (DoB) established a committee known as the DNA Profiling Advisory Committee to make recommendations for the drafting of the DNA profiling Bill 2006, which eventually became the Human DNA Profiling Bill 2007.<a href="#fn3" name="fr3">[3]</a> The 2007 draft Bill was prepared by the DoB along with the Centre for DNA Fingerprinting and Diagnostics (CDFD).<a href="#fn4" name="fr4">[4]</a></p>
<p style="text-align: justify; ">The CDFD is an autonomous institution supported by the DoB. In addition to the CDFD, there are multiple Central Forensic Science Laboratories in India under the control of the Ministry of Home Affairs and the Central Bureau of Investigation,<a href="#fn5" name="fr5">[5]</a> along with a number of private labs<a href="#fn6" name="fr6">[6]</a> which analyse DNA samples for crime-related purposes.</p>
<p style="text-align: justify; ">In 2007, the draft Human DNA Profiling Bill was made public, but was never introduced in Parliament. In February 2012, a new version of the Bill was leaked. If passed, the Bill will establish state-level DNA databases which will feed into a national-level DNA database, and proposes to regulate the use of DNA for the purposes of</p>
<p class="callout" style="text-align: justify; ">"enhancing protection of people in the society and the administration of justice."<a href="#fn7" name="fr7">[7]</a></p>
<p style="text-align: justify; ">The Bill will also establish a DNA Profiling Board responsible for 24 functions, including specifying the list of instances for human DNA profiling and the sources of collection, enumerating guidelines for storage and destruction of biological samples, and laying down standards and procedures for establishment and functioning of DNA laboratories and DNA Data Banks.<a href="#fn8" name="fr8">[8]</a> The lack of harmonisation and clear policy indicates that there is a need in India for standardising the collection and use of DNA samples. Although DNA evidence can be useful for solving crimes, the current 2012 draft Bill is missing critical safeguards and technical standards essential to preventing the misuse of DNA and protecting individual rights.</p>
<p>Concerns that have been raised with regards to the Bill are both intrinsic, including problems with effectiveness of achieving the set objectives, and extrinsic, including concerns with the fundamental principles of the Bill. For example, the use of DNA material as evidence and the subsequent creation of a DNA database can be useful for solving crimes when the database contains DNA profiles<a href="#fn9" name="fr9">[9]</a> from DNA samples<a href="#fn10" name="fr10">[10]</a> only from crime scenes, and is restricted to DNA profiles from individuals who might be repeat offenders. If a wide range of DNA profiles are added to the database, the effectiveness of the database decreases, and the likelihood of a false match increases as the ability to correctly identify a criminal depends on the number of crime scene DNA profiles on the database, and the number of false matches that occur is proportional to the number of comparisons made (more comparisons = more false matches).<a href="#fn11" name="fr11">[11]</a> This inverse relationship between the effectiveness of the DNA database and the size of the database was found in the UK when it was proven that the expansion of the UK DNA database did not help to solve more crimes, despite millions of profiles being added to the database.<a href="#fn12" name="fr12">[12]</a></p>
<p style="text-align: justify; ">The current scope of the draft 2012 Bill is not limited to crimes for which samples can be taken and placed in the database. Instead the Bill creates indexes within every databank including: <i>crime scene indexes, suspects index, offender’s index, missing persons index, unknown deceased persons’ index, volunteers’ index, and such other DNA indices as may be specified by regulations made by the Board</i>.<a href="#fn13" name="fr13">[13]</a> How independent each of these indices is remains unclear. For example, the Bill does not specify whether, when a profile is searched for in the database, all indices are searched or only the relevant indices, and the Bill requires that when a DNA profile is added to the databank, it must be compared with all the existing profiles.<a href="#fn14" name="fr14">[14]</a> The Bill also lists a range of offences for which DNA profiling will be applicable and DNA samples collected and used for the identification of the perpetrator, including unnatural offences, individual identification, issues relating to assisted reproductive technologies, adultery, outraging the modesty of women etc.<a href="#fn15" name="fr15">[15]</a> Though the Bill is not incorrect in its list of offences where DNA profiling could be applicable, it is unclear if DNA profiles from all the listed offences will be stored on the database. If it is the case that the DNA profiles will be stored, it would make the scope of the database too broad.</p>
<p style="text-align: justify; ">Unlike other types of identifiers, such as fingerprints, DNA can reveal very personal information about an individual, including medical history, family history and location.<a href="#fn16" name="fr16">[16]</a> Thus, having a DNA database with a broad scope and adding more DNA profiles onto a database increases the potential for misuse of information stored on the database, because there is more opportunity for profiling, tracking of individuals, and access to private data. In its current form, the Bill protects against such misuse to a certain extent by limiting the information that will be stored with a DNA profile and in the indices,<a href="#fn17" name="fr17">[17]</a> but the Bill does not make it clear if the DNA profiles of individuals convicted for a crime will be stored and searched independently from other profiles. Additionally, though the Bill limits the use of DNA profiles and DNA samples to identification of perpetrators,<a href="#fn18" name="fr18">[18]</a> it allows for DNA profiles/DNA samples and related information to be shared for <i>creation and maintenance of a population statistics database that is to be used, as prescribed, for the purpose of identification research, protocol development, or quality control provided that it does not contain any personally identifiable information and does not violate ethical norms</i>.<a href="#fn19" name="fr19">[19]</a></p>
<p style="text-align: justify; ">An indication of the possibility of how a DNA database could be misused in India can be seen in the CDFD’s stated objectives, where it lists "to create DNA marker databases of different caste populations of India."<a href="#fn20" name="fr20">[20]</a> CDFD appears to be collecting this data by requiring caste and origin of state to be filled in on the identification form that is submitted with any DNA sample.<a href="#fn21" name="fr21">[21]</a> Though an argument could be made that this information could be used for research purposes, there appears to be no framework over the use of this information and this objective. Is the information stored along with the DNA sample? Is it used in criminal cases? Is it revealed during court cases or at other points of time?</p>
<p style="text-align: justify; ">Similarly, the Report of the Working Group for the Eleventh Five Year Plan lists the following as a possible use of DNA profiling technology:</p>
<p class="callout" style="text-align: justify; ">"Human population analysis with a view to elicit profiling of different caste populations of India to use them in forensic DNA fingerprinting and develop DNA databases."<a href="#fn22" name="fr22">[22]</a></p>
<p style="text-align: justify; ">This objective is based on the assumption that caste is an immutable genetic trait and seems to ignore the fact that individuals change their caste and that caste is not uniformly passed on in marriage. Furthermore, using caste for forensic purposes and to develop DNA databases could far too easily be abused and result in the profiling of individuals, and identification errors. For example, in 2011 the UK police, in an attempt to catch the night stalker Delroy Grant, used DNA to (incorrectly) predict that he originated from the Windward Islands. The police then used mass DNA screenings of black men. The police initially eliminated Delroy Grant as a suspect because another Delroy Grant was on the DNA database, and the real Delroy Grant was eventually caught when the police pursued more traditional forms of investigation.<a href="#fn23" name="fr23">[23]</a></p>
<p style="text-align: justify; ">Other uses for DNA databases and DNA samples in India have been envisioned over the years. For example, in 2010 the state of Tamil Nadu sought to amend the Prisoners Identification Act 1920 to allow for the establishment of a prisoners’ DNA database – which would require that any prisoner’s DNA be collected and stored.<a href="#fn24" name="fr24">[24]</a> In another example, the home page of BioAxis DNA Research Centre (P) Limited, a private DNA laboratory offering forensic services states,</p>
<p style="text-align: justify; ">"<i>In a country like India which is densely populated there is huge requirement for these type of databases which may help in stopping different types of fraud like Ration card fraud, Voter ID Card fraud, Driving license fraud etc. The database may help the Indian police to differentiate the criminals and non criminals</i>."<a href="#fn25" name="fr25">[25]</a> Not only is this statement incorrect in stating that a DNA database will differentiate between criminals and non-criminals, but DNA evidence is not useful in stopping ration card fraud etc. as it would require that DNA be extracted and authenticated for every instance of service. In 2012, the Department of Forensic Medicine and Toxicology at AFMC Pune proposed to establish a DNA data bank containing profiles of armed forces personnel.<a href="#fn26" name="fr26">[26]</a> And in Uttar Pradesh, the government ordered mandatory sampling for DNA fingerprinting of dead bodies.<a href="#fn27" name="fr27">[27]</a> These examples raise important questions about the scope of use, collection and storage of DNA profiles in databases that the Bill is silent on.</p>
<p style="text-align: justify; ">The assumption in the Bill that DNA evidence is infallible is another point of contention. The preamble of the Bill states that, <i>"DNA analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead with any doubt."</i><a href="#fn28" name="fr28">[28]</a></p>
<p style="text-align: justify; ">This statement ignores the possibility of false matches, cross-contamination, and laboratory error,<a href="#fn29" name="fr29">[29]</a> as DNA evidence is only as infallible as the humans collecting, analysing, and marshalling the evidence. These mistakes are not purely speculative, as cases that have relied on DNA as evidence in India demonstrate that the reliability of DNA evidence is questionable due to collection, analysis, and chain of custody errors. For example, in the Aarushi murder case the forensic expert who testified failed to remember which samples were collected at the scene of the crime;<a href="#fn30" name="fr30">[30]</a> in the French diplomat rape case, the DNA report came out with both negative and positive results;<a href="#fn31" name="fr31">[31]</a> and in the Abhishek rape case the DNA sample had to be reanalysed after initial analysis did not prove conclusive.<a href="#fn32" name="fr32">[32]</a> Yet the Bill does not mandate a set of best practices that could help in minimising these errors, such as defining what profiling system will be used nationally, and defining specific security measures that must be taken by DNA laboratories – all of which are currently left to be determined by the DNA board.<a href="#fn33" name="fr33">[33]</a></p>
<p style="text-align: justify; ">The assumption in the preamble that DNA can establish if a relationship exists between two individuals without a doubt is also misleading as it implies that the use of DNA samples and the creation of a database will increase the conviction rate, when in actuality the exact number of accurate convictions resulting purely from DNA evidence is unknown, as is the number of innocent people who are falsely accused of a crime based on DNA evidence in India. This misconception is reflected on the website of the Department of Biotechnology’s information page for CDFD where it states:</p>
<p class="callout" style="text-align: justify; ">"…The DNA fingerprinting service, given the fact that it has been shown to bring about dramatic increase in the conviction rate, will continue to be in much demand. With the crime burden on the society increasing, more and more requests for DNA fingerprinting are naturally anticipated. For example, starting from just a few cases of DNA fingerprinting per month, CDFD is now handling similar number of cases every day."<a href="#fn34" name="fr34">[34]</a></p>
<p style="text-align: justify; ">The claim that the DNA fingerprinting service has brought about a dramatic increase in the conviction rate is not supported by evidence in this article. In addition, according to the CDFD 2010-2011 annual report, the centre analysed DNA from 57 cases of deceased persons, 40 maternity/paternity cases, four rape and murder cases, eight sexual assault cases, and three kidney transplantation cases.<a href="#fn35" name="fr35">[35]</a> This is in comparison to the 2006 – 2007 annual report, which quoted 83 paternity/maternity dispute cases, 68 identification of deceased, 11 cases of sexual assault, eight cases of murder, and two cases of wildlife poaching.<a href="#fn36" name="fr36">[36]</a> From the numbers quoted in the CDFD annual report, it appears that paternity/maternity cases and identification of the deceased are the most frequent types of cases using DNA evidence.</p>
<p style="text-align: justify; ">Other concerns with the Bill include access controls to the database and rights of the individual. For example, the Bill does not require that a court order be issued for access to a DNA profile, and instead leaves it in the hands of the DNA bank manager to determine if communication of information relating to a match to a court, tribunal, law enforcement agency, or DNA laboratory is appropriate.<a href="#fn37" name="fr37">[37]</a></p>
<p style="text-align: justify; ">Additionally, the Data Bank Manager is empowered to grant access to any information on the database to any person or class of persons that he/she considers appropriate for the purposes of proper operation and maintenance or for training purposes.<a href="#fn38" name="fr38">[38]</a> The low standards for access that are found in the Bill are worrisome as the possibility for tampering of evidence and analysis is increased.</p>
<p style="text-align: justify; ">The Bill is also missing important provisions that would be necessary to protect the rights of the individual. For example, individuals are not permitted a private cause of action for the unlawful collection, use, or retention of DNA, and individuals do not have the right to access their own information stored on the database.<a href="#fn39" name="fr39">[39]</a> These are significant gaps in the proposed legislation as they restrict the rights of the individual.</p>
<p style="text-align: justify; ">In conclusion, India could benefit from having a legislation regulating, standardising, and harmonising the use, collection, analysis, and retention of DNA samples for crime-related purposes. The current 2012 draft of the Bill is a step in the right direction, and an improvement from the 2007 DNA Profiling Bill. The 2012 draft draws upon best practices from the US and Canada, but could also benefit from drawing upon best practices from countries like Scotland. Safeguards missing from the current draft that would strengthen the Bill include: limiting the scope of the DNA database to include only samples from a crime scene for serious crimes and not minor offenses, requiring the destruction of DNA samples once a DNA profile is created, clearly defining when a court order is needed to collect DNA samples, defining when consent is required and is not required from the individual for a DNA sample to be taken, and ensuring that the individual has a right of appeal.</p>
<hr />
<p>[<a href="#fr1" name="fn1">1</a>]. Law Commission of India. Review of the Indian Evidence Act 1872. Pg. 43 Available at:<span> <a href="http://lawcommissionofindia.nic.in/reports/185thReport-PartII.pdf">http://lawcommissionofindia.nic.in/reports/185thReport-PartII.pdf</a></span>. Last accessed: October 9th 2012.<br />[<a href="#fr2" name="fn2">2</a>]. Section 53. The Criminal Code of Procedure, 1973. Available at: <span><a href="http://www.vakilno1.com/bareacts/crpc/s53.htm">http://www.vakilno1.com/bareacts/crpc/s53.htm</a></span>. Last accessed October 9th 2012.<br />[<a href="#fr3" name="fn3">3</a>]. Department of Biotechnology. Ministry of Science & Technology GOI. Annual Report 2009 – 2010. pg. 189. Available at: <span><a href="http://dbtindia.nic.in/annualreports/DBT-An-Re-2009-10.pdf">http://dbtindia.nic.in/annualreports/DBT-An-Re-2009-10.pdf</a></span>. Last Accessed October 9th 2012.<br />[<a href="#fr4" name="fn4">4</a>]. Chhibber, M. Govt Crawling on DNA Profiling Bill, CBI urges it to hurry, cites China. The Indian Express. July 12 2010. Available at: <span><a href="http://www.indianexpress.com/news/govt-crawling-on-dna-profiling-bill-cbi-urges-it-to-hurry-cites-china/645247/0">http://www.indianexpress.com/news/govt-crawling-on-dna-profiling-bill-cbi-urges-it-to-hurry-cites-china/645247/0</a></span>. Last accessed: October 9th 2012.<br />[<a href="#fr5" name="fn5">5</a>]. Perspective Plan for Indian Forensics. Final report 2010. Table 64.1 -64.3 pg. 264-267. Available at: <span><a href="http://mha.nic.in/pdfs/IFS%282010%29-FinalRpt.pdf">http://mha.nic.in/pdfs/IFS%282010%29-FinalRpt.pdf</a></span>. Last accessed: October 9th 2012. And CBI Manual. Chapter 27. Available at: <span><a href="http://mha.nic.in/pdfs/IFS%282010%29-FinalRpt.pdf">http://mha.nic.in/pdfs/IFS%282010%29-FinalRpt.pdf</a></span>. Last accessed: October 9th 2012.<br />[<a href="#fr6" name="fn6">6</a>]. 
For example: International Forensic Sciences, DNA Labs India (DLI), Truth Labs and Bio-Axis DNA Research Centre (P) Limited.<br />[<a href="#fr7" name="fn7">7</a>]. Draft Human DNA Profiling Bill 2012. Introduction.<br />[<a href="#fr8" name="fn8">8</a>]. Id. section 12(a-z)<br />[<a href="#fr9" name="fn9">9</a>]. Id. Definition l. “DNA Profile” means results of analysis of a DNA sample with respect to human identification.<br />[<a href="#fr10" name="fn10">10</a>]. Id. Definition m. “DNA sample” means biological specimen of any nature that is utilized to conduct DNA analysis, collected in such manner as specified in Part II of the Schedule.<br />[<a href="#fr11" name="fn11">11</a>]. The UK DNA database and the European Court of Human Rights: Lessons India can learn from UK mistakes. PowerPoint Presentation. Dr. Helen Wallace, Genewatch UK. September 2012.<br />[<a href="#fr12" name="fn12">12</a>]. Hope, C. Crimes solved by DNA evidence fall despite millions being added to database. The Telegraph. November 12th 2008. Available at: <span><a href="http://www.telegraph.co.uk/news/uknews/law-and-order/3418649/Crimes-solved-by-DNA-evidence-fall-despite-millions-being-added-to-database.html">http://www.telegraph.co.uk/news/uknews/law-and-order/3418649/Crimes-solved-by-DNA-evidence-fall-despite-millions-being-added-to-database.html</a></span>. Last accessed: October 9th 2012<br />[<a href="#fr13" name="fn13">13</a>]. Draft Human DNA Profiling Bill 2012. Section 32 (4(a-g))<br />[<a href="#fr14" name="fn14">14</a>]. Id. Section 35<br />[<a href="#fr15" name="fn15">15</a>]. Id. Schedule: List of applicable instances of Human DNA Profiling and Sources of Collection of Samples for DNA Test.<br />[<a href="#fr16" name="fn16">16</a>]. Gruber J. Forensic DNA Databases. Council for Responsible Genetics. September 2012. Powerpoint presentation.<br />[<a href="#fr17" name="fn17">17</a>]. Draft Human DNA Profiling Bill 2012. Section 32 (5)-(6)(a)-(b)
. Indices will only contain DNA identification records and analysis prepared by the laboratory and approved by the DNA Board, while profiles in the offenders index will contain only the identity of the person, and other profiles will contain only the case reference number.<br />[<a href="#fr18" name="fn18">18</a>]. Id. Section 39<br />[<a href="#fr19" name="fn19">19</a>]. Id. Section 40(c)<br />[<a href="#fr20" name="fn20">20</a>]. CDFD. Annual Report 2010-2011. Pg19. Available at: <span><a href="http://www.cdfd.org.in/images/AR_2010_11.pdf">http://www.cdfd.org.in/images/AR_2010_11.pdf</a></span>. Last accessed: October 9th 2012.<br />[<a href="#fr21" name="fn21">21</a>]. Caste and origin of state is a field of information that is required to be completed when an ‘identification form’ is sent to the CDFD along with a DNA sample for analysis. Form available at: <a href="http://www.cdfd.org.in/servicespages/dnafingerprinting.html" title="http://www.cdfd.org.in/servicespages/dnafingerprinting.html">http://www.cdfd.org.in/servicespages/dnafingerprinting.html</a><br />[<a href="#fr22" name="fn22">22</a>]. Report of the Working Group for the Eleventh Five Year Plan (2007 – 2012). October 2006. Pg. 152. Section: R&D Relating Services. Available at: <span><a href="http://planningcommission.nic.in/aboutus/committee/wrkgrp11/wg11_subdbt.pdf">http://planningcommission.nic.in/aboutus/committee/wrkgrp11/wg11_subdbt.pdf</a></span>. Last accessed: October 9th 2012<br />[<a href="#fr23" name="fn23">23</a>]. Evans. M. Night Stalker: police blunders delayed arrest of Delroy Grant. March 24th 2011. The Telegraph. Available at: <span><a href="http://www.telegraph.co.uk/news/uknews/crime/8397585/Night-Stalker-police-blunders-delayed-arrest-of-Delroy-Grant.html">http://www.telegraph.co.uk/news/uknews/crime/8397585/Night-Stalker-police-blunders-delayed-arrest-of-Delroy-Grant.html</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr24" name="fn24">24</a>]. Narayan, P. 
A prisoner DNA database: Tamil Nadu shows the way. May 17th 2012. Available at: <span><a href="http://timesofindia.indiatimes.com/india/A-prisoner-DNA-database-Tamil-Nadu-shows-the-way/iplarticleshow/5938522.cms">http://timesofindia.indiatimes.com/india/A-prisoner-DNA-database-Tamil-Nadu-shows-the-way/iplarticleshow/5938522.cms</a></span>. Last accessed: October 9th 2012.<br />[<a href="#fr25" name="fn25">25</a>]. BioAxis DNA Research Centre (P) Limited. Website Available at: <span><a href="http://www.dnares.in/dna-databank-database-of-india.php">http://www.dnares.in/dna-databank-database-of-india.php</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr26" name="fn26">26</a>]. Times of India. AFMC to open DNA profiling centre today. February 2012. Available at:<span><a href="http://articles.timesofindia.indiatimes.com/2012-02-08/pune/31037108_1_dna-profile-dna-fingerprinting-data-bank">http://articles.timesofindia.indiatimes.com/2012-02-08/pune/31037108_1_dna-profile-dna-fingerprinting-data-bank</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr27" name="fn27">27</a>]. Siddiqui, P. UP makes DNA sampling mandatory with postmortem. Times of India. September 4th 2012. Available at:http://articles.timesofindia.indiatimes.com/2012-09-04/lucknow/33581061_1_dead-bodies-postmortem-house-postmortem-report. Last accessed: October 10th 2012.<br />[<a href="#fr28" name="fn28">28</a>]. Draft DNA Human Profiling Bill 2012. Introduction<br />[<a href="#fr29" name="fn29">29</a>]. Council for Responsible Genetics. Overview and Concerns Regarding the Indian Draft DNA Profiling Bill. September 2012. Pg. 2. Available at: <span><a href="https://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf/view">http://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf/view</a></span>. Last accessed: October 9th 2012.<br />[<a href="#fr30" name="fn30">30</a>]. DNA. Aarushi case: Expert forgets samples collected from murder spot. 
August 28th 2012. Available at: <span><a href="http://www.dnaindia.com/india/report_aarushi-case-expert-forgets-samples-collected-from-murder-spot_1733957">http://www.dnaindia.com/india/report_aarushi-case-expert-forgets-samples-collected-from-murder-spot_1733957</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr31" name="fn31">31</a>]. India Today. Daughter rape case: French diplomat’s DNA test is inconclusive. July 7th 2012. Available at: <span><a href="http://indiatoday.intoday.in/story/french-diplomat-father-rapes-daughter-dna-test-bangalore/1/204270.html">http://indiatoday.intoday.in/story/french-diplomat-father-rapes-daughter-dna-test-bangalore/1/204270.html</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr32" name="fn32">32</a>]. The Times of India. DNA tests indicate Abhishek raped woman. May 30th 2006. Available at: <span><a href="http://articles.timesofindia.indiatimes.com/2006-05-30/india/27826225_1_abhishek-kasliwal-dna-fingerprinting-dna-tests">http://articles.timesofindia.indiatimes.com/2006-05-30/india/27826225_1_abhishek-kasliwal-dna-fingerprinting-dna-tests</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr33" name="fn33">33</a>]. Draft Human DNA Profiling Bill 2012. Section 18-27.<br />[<a href="#fr34" name="fn34">34</a>]. Department of Biotechnology. DNA Fingerprinting & Diagnostics, Hyderabad. Available at: <span><a href="http://dbtindia.nic.in/uniquepage.asp?id_pk=124">http://dbtindia.nic.in/uniquepage.asp?id_pk=124</a></span>. Last accessed: October 10 2012.<br />[<a href="#fr35" name="fn35">35</a>]. CDFD Annual Report 2010 – 2011.Pg.19. Available at: <span><a href="http://www.cdfd.org.in/images/AR_2010_11.pdf">http://www.cdfd.org.in/images/AR_2010_11.pdf</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr36" name="fn36">36</a>]. CDFD Annual Report 2006-2007.Pg. 13. 
Available at: <span><a href="http://www.cdfd.org.in/images/AR_2006_07.pdf">http://www.cdfd.org.in/images/AR_2006_07.pdf</a></span>. Last accessed: October 10th 2012.<br />[<a href="#fr37" name="fn37">37</a>]. Draft Human DNA Profiling Bill 2012. Section 35<br />[<a href="#fr38" name="fn38">38</a>]. Id. Section 41.<br />[<a href="#fr39" name="fn39">39</a>].Council for Responsible Genetics. Overview and Concerns Regarding the Indian Draft DNA Profiling Bill. September 2012. Pg. 9 Available at: <span><a href="https://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf/view">http://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf/view</a></span>. Last accessed: October 9th 2012.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/epw-web-exclusives-oct-27-2012-elonnai-hickok-rethinking-dna-profiling-india'>https://cis-india.org/internet-governance/blog/epw-web-exclusives-oct-27-2012-elonnai-hickok-rethinking-dna-profiling-india</a>
</p>
No publisher | elonnai | Internet Governance, Privacy | 2012-10-29T08:00:01Z | Blog Entry
Privacy Perspectives on the 2012-2013 Goa Beach Shack Policy
https://cis-india.org/internet-governance/blog/privacy-perspectives-on-the-2012-2013-goa-beach-shack-policy
<b>CCTVs are increasingly being employed by private organizations and the government in India as a way to increase security and prevent or deter crime. When the government mandates the use of CCTVs for this purpose, it often does so by means of a blunt policy mandate, requiring the installation of CCTV systems, but without any further clarification as to who should oversee the use of the cameras, what bodies should have access to the records, how access should be granted or obtained, and how long the recordings should be retained. </b>
<p style="text-align: justify; ">The lack of clarity and specificity in these requirements, the fact that these technologies are used in public spaces to collect undefined categories and amounts of information, and the fact that the technology can cut through space, does not distinguish between private and public, and primarily captures information wherever it is directed, give rise to privacy concerns and raise fundamental questions about the ways in which technologies can be used to effectively increase security while still protecting the rights of individuals and the promotion of business.</p>
<p style="text-align: justify; ">An example of a blanket CCTV installation requirement from the government is seen in the 2012-2013 Goa Beach Shack Policy.<a href="#fn1" name="fr1">[1]</a> This blog will examine the shack policy from a privacy perspective, and how identification requirements are evolving. The blog will explore different principles by which surveillance technologies like CCTVs can be employed in order to promote effectiveness and protect the rights of individuals.</p>
<p style="text-align: justify; ">To help understand the current status of the Shack Policy and the extent of CCTV use in Goa, I spoke with a number of shack owners, cyber café owners, the Ministry of Tourism, and the Police of Goa. In this blog I do not use any direct quotes and write only from the perspective of my personal observations.</p>
<h2 style="text-align: justify; ">Current Status of the Shack Policy</h2>
<p style="text-align: justify; ">This year, for the 2012-2013 tourist season, the Department of Tourism of Goa is implementing the Beach Shack Policy for regulating the establishment and running of temporary shacks at beaches in Goa. The policy applies only to the licensing, construction, maintenance, and demolition of temporary shacks on beaches owned by the government. The policy lays out requirements that must be submitted by applicants for obtaining a license and requirements relating to the operation of the shacks including size, security, health and safety, and noise control. Shacks, huts, hotels, etc. built on private land do not come under the scope of the policy. The shacks can only be bars and restaurants that can run from November 1<sup>st</sup> through May 31<sup>st</sup>, after which they must be taken down until the next season. The licensing of these shacks is to enable local employment opportunities in Goa. This can be seen by the requirement in the policy that Shacks are to be granted to only one member of the family who is unemployed.<a href="#fn2" name="fr2">[2]</a> Currently, the Ministry of Tourism has almost completed the allotment of shack spaces on all beaches in Goa. The police will assist in the enforcement of the policy, but their exact role is in the process of being clarified. Before the 2012-2013 policy, shacks were regulated by annual beach shack policies, which are not available online, but can be accessed through an RTI request to the Department of Tourism. Resistance to the policy has been seen by some because of concerns that the shacks will take away business from local private owners, will block fishing boats, will cause trash and sewage problems, and create issues for free movement of people on the beach.</p>
<h2 style="text-align: justify; ">Inside the policy:</h2>
<h3>Application Requirements</h3>
<p style="text-align: justify; ">To apply for a license for a temporary shack, every application must be turned in by hand and must be accompanied by an original residence certificate issued by the Village Panchayat Municipality, an attested copy of the ration card, four copies of a recent colour passport photo with name written on the back, an attested copy of birth certificate/passport copy/PAN card and any other information that the applicant desires to furnish, and an affidavit. In addition, individuals must provide their name, address, telephone number, name of the shack, name of the beach stretch, nationality, experience, and any other information they wish to provide.<a href="#fn3" name="fr3">[3]</a> These requirements are not excessive and have been kept to what seems minimally necessary for providing a license, though the option for individuals to provide any additional information they wish could be used to convey either meaningful or extraneous information to the government.</p>
<h3 style="text-align: justify; ">Operational Requirements</h3>
<p style="text-align: justify; ">The policy has a number of operational requirements for shack owners as well. For example owners must clearly display a self identifying photograph on the shack<a href="#fn4" name="fr4">[4]</a> and they must agree to assist the Tourism Department and Police department in stopping any crime and violation of any law along the Beach.<a href="#fn5" name="fr5">[5]</a></p>
<p style="text-align: justify; ">The policy also requires that any person handling food must take a course conducted by IHMCT, GTDC, or Porvorim,<a href="#fn6" name="fr6">[6]</a> shacks must also be made out of eco friendly material as much as possible and the use of cement is banned,<a href="#fn7" name="fr7">[7]</a> and the proper disposal of trash and waste water will be the responsibility of the shack owner.<a href="#fn8" name="fr8">[8]</a> Furthermore, foreigners working in the shacks must have a work visa,<a href="#fn9" name="fr9">[9]</a> and loud music is not allowed to be played after 10:30 p.m.<a href="#fn10" name="fr10">[10]</a></p>
<p style="text-align: justify; ">As noted in the introduction, each shack must install a CCTV surveillance system that provides real-time footage with an internal looping system in a non-invasive form.<a href="#fn11" name="fr11">[11]</a> But I came to understand that the CCTV requirement will be slowly introduced and will not be implemented this year due to resistance from shack owners. When the requirement is implemented, hopefully different aspects around the use of CCTVs will be clarified including: the retention period for the recordings, access control to the recordings, the responsibilities of the shack owner, where the camera will be set up and where it needs to be directed to, etc.</p>
<p style="text-align: justify; ">Currently in Goa there are official requirements for CCTVs to be installed in Cyber Cafes under section 144 of the CrPC. This requirement only came into effect on October 1st 2012.<a href="#fn12" name="fr12">[12]</a> Some private hotels, huts, and restaurants run CCTV cameras for their own security purposes. When asked if CCTVs will also become mandatory for private areas, some said this will happen, while others said it would be difficult to implement.</p>
<h3 style="text-align: justify; ">Enforcement</h3>
<p style="text-align: justify; ">The policy uses a number of measures to ensure enforcement. For example, successful applicants must place a security deposit of 10,000 with the Director of Tourism. If any term of the policy is violated, the deposited amount will be given to the Government Treasury and the individual is required to pay another Rs. 10,000 to continue operating.<a href="#fn13" name="fr13">[13]</a> The placement of deck beds on the beach without authorization will also be treated as an offense under the Goa Tourist Places (protection and maintenance) Act 2001 and will be punished with imprisonment for a minimum of three months, which may extend to 3 years, and a fine which may extend to Rs. 5,000 or both. All offenses under the Act are cognizable and non-refundable.<a href="#fn14" name="fr14">[14]</a> If the shack is not dismantled at the end of the season, the individual will have their application rejected for the next three years.<a href="#fn15" name="fr15">[15]</a> Shack owners will also be penalized if they are caught discriminating against who can and cannot enter into the shack.<a href="#fn16" name="fr16">[16]</a></p>
<p style="text-align: justify; ">Interestingly, though CCTV cameras can be used to ‘catch’ a number of offenses, the offenses that are penalized under the Act do not seem to require the presence of a CCTV camera. Additionally, the policy is missing penalties for the tampering and misuse of these cameras and unauthorized access to recordings.</p>
<h2 style="text-align: justify; ">Other practices around security and identification in Goa</h2>
<p style="text-align: justify; ">In 2011 Goa also issued a new ‘C’ form that must be filled out by foreigners entering hotels.<a href="#fn17" name="fr17">[17]</a></p>
<p>The form requires twenty-six categories of information to be filled out including: permanent address, next destination to be proceeded to, contact number in hotel, purpose of visit, whether employed in India, and where the foreigner arrived from. According to hotel owners, three copies of these records are made. Two are submitted to the police and one is kept with the hotel. The records kept with the hotel are often kept for an undefined time period. In 2011 the police also enforced a new practice where every shack, hut, hotel etc. must have an all-night security guard to ensure security on the beach. It was noted that registration of migrant workers is now mandatory, and that non-registered or undocumented vendors are removed from working on the beaches.</p>
<h2 style="text-align: justify; ">Will the 2012 – 2013 Beach Shack Policy have new implications?</h2>
<p style="text-align: justify; ">In its current form, especially taking into consideration that the CCTV requirement will not be implemented immediately, the 2012 – 2013 shack policy does not seem alarming from a privacy perspective. On the general policy, though the penalties, such as the possibility of three months in prison for having too many beach chairs, seem to be over-reaching, there are a number of positive requirements in the policy such as the use of eco-friendly material, noise control, and strict procedures for disposing of trash and sewage.</p>
<p style="text-align: justify; ">The privacy perspective could change when CCTVs are implemented. The amount of data that would be generated and the ambiguity around the employment of the cameras could raise a number of privacy concerns. Yet the fact that this part of the policy will only be implemented later down the road seems indicative of both the shack owners’ discomfort in using the technology, and perhaps the government’s recognition that a certain level of ground work needs to be done before CCTVs are made mandatory for every shack in the state. Hopefully before the requirement is implemented, the ground work will be set up either at a national level – in the form of a national privacy legislation, or at the state level – in the form of appropriate safeguards and procedures built into the policy.</p>
<p style="text-align: justify; ">At the macro level, and when examined in the context of the growing use of CCTVs by private owners, the implementation of the UID and NPR requirements in Goa, and the introduction of the new ‘C’ form for foreigners, the CCTV requirement found in the Shack Policy seems to be part of a growing trend across the country where the government seems to seek to identify all individuals and their movements/actions for unclear and undefined purposes, and looks towards identification through the collection of personal information and use of technology as a means to solve security issues.</p>
<p style="text-align: justify; ">For example, Goa is not the only city to consider mandatory installation of CCTVs. In Delhi, the Department of Tourism issued a similar requirement in a 2012 amendment to the “existing Guidelines for Classification/Reclassification of Hotels”. According to the amendment, hotels applying for approval are required to provide documentation that security features including CCTV systems are in place.<a href="#fn18" name="fr18">[18]</a> Similarly, in 2011 the Delhi State Industrial and Infrastructure Development Corporation began implementing a plan to install CCTVs outside of government and private liquor shops, amounting to 550 shops in total. The goal was to use the CCTV cameras to catch individuals breaking the Excise Act on camera and use the recordings during trials. According to news coverage, the cameras are required to be capable of recording images 50 meters away and all data must be stored for a period of 30 days.<a href="#fn19" name="fr19">[19]</a></p>
<p style="text-align: justify; ">The ambiguity that exists around the legal use of many of these security systems and technologies, including CCTVs, was recently highlighted in the Report of the Group of Experts on Privacy headed by Justice A.P. Shah.<a href="#fn20" name="fr20">[20]</a> The report noted that the use of CCTV cameras and more broadly the use of electronic recording devices in India is an area that needs regulation and privacy safeguards. The report describes how the nine proposed national privacy principles of notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, and openness, could be applied and will be affected by the use of these technologies.<a href="#fn21" name="fr21">[21]</a></p>
<h2 style="text-align: justify; ">Conclusion</h2>
<p style="text-align: justify; ">In India and elsewhere, the police are faced on a daily basis with the challenge of preventing and responding to all types of crime, and from this perspective – any information, clue, or lead is helpful and necessary, and the potential usefulness of CCTVs in identifying criminals and to some extent deterring crime is clear. On the other hand, when CCTVs are employed without safeguards and regulations, this could result in infractions of privacy and rights or could simply move the crime away from the surveilled area to an unsurveilled area.</p>
<p style="text-align: justify; ">Finding a way to ensure that police have access to the information that they need and that crime is prevented, while at the same time ensuring that the rights of individuals are not compromised, and the private sector’s ability to easily do business is not limited by unrealistic security requirements, is an important discussion that governments, policy makers, and the public should be having. The answer hopefully is not found in a binary game of all or nothing, surveillance or no surveillance – but instead is found through mechanisms and principles that apply to both security and privacy such as transparency, oversight, proportionality, and necessity. For example, practices around what access the police legally have via surveillance systems, retention practices, cost of implementing surveillance, and amount of surveillance undertaken each year could be made transparent to the public to ensure that the public is informed and aware of the basic information around these systems. Furthermore, clear oversight over surveillance systems including distinction between the responsibilities and liabilities can ensure that unreasonable requirements are not placed. Lastly, any surveillance that is undertaken should be necessary and proportional to the crime or threat that it is being used to prevent or detect. These principles along with the defined National Privacy Principles could help measure what amount and what type of surveillance could be the most effective, and ensure that when surveillance is employed it is done in a way that also protects the rights of individuals and the private sector.</p>
<hr />
<p style="text-align: justify; "><b>Notes</b><br />[<a href="#fr1" name="fn1">1</a>].Ministry of Tourism. Goa Government. 2012-2013 Beach Shack Policy. Available at: <a class="external-link" href="http://bit.ly/Xk18NH">http://bit.ly/Xk18NH</a>. Last accessed: October 24th 2012.<br />[<a href="#fr2" name="fn2">2</a>]. Id. Section 2.<br />[<a href="#fr3" name="fn3">3</a>]. Id. Application Requirements 1-8. Pg 1&2.<br />[<a href="#fr4" name="fn4">4</a>]. Section 33.<br />[<a href="#fr5" name="fn5">5</a>].A part of the affidavit<br />[<a href="#fr6" name="fn6">6</a>].Id. Section 4.<br />[<a href="#fr7" name="fn7">7</a>]. Id. Section 17.<br />[<a href="#fr8" name="fn8">8</a>].Id. Section 28.<br />[<a href="#fr9" name="fn9">9</a>]. Id. Section 35.<br />[<a href="#fr10" name="fn10">10</a>].Id. Section 37.<br />[<a href="#fr11" name="fn11">11</a>]. Id. Section 38.<br />[<a href="#fr12" name="fn12">12</a>]. Order No. 38/10/2006. Under Section 144 of the Code of Criminal Procedure, 1973. Available at: <a class="external-link" href="http:// www.goaprintingpress.gov.in/downloads/1213/1213-28-SIII-OG.pdf">http:// www.goaprintingpress.gov.in/downloads/1213/1213-28-SIII-OG.pdf</a><br />[<a href="#fr13" name="fn13">13</a>]. Beach Shack Policy 2012 - 2013, Section 16.<br />[<a href="#fr14" name="fn14">14</a>]. Id. Section 18.<br />[<a href="#fr15" name="fn15">15</a>]. Id. Section 22.<br />[<a href="#fr16" name="fn16">16</a>]. Id. Section 32.<br />[<a href="#fr17" name="fn17">17</a>]. Arrival Report of Foreigner in Hotel.”Form C” . Available at: <a class="external-link" href="http://bit.ly/TbUO4S">http://bit.ly/TbUO4S</a><br />[<a href="#fr19" name="fn18">18</a>]. Government of India. Ministry of Tourism. Amendment in the existing Guidelines for Classification / Reclassification of Hotels. June 28<sup>th</sup> 2012. Available at: <a class="external-link" href="http://bit.ly/RXtgBg">http://bit.ly/RXtgBg</a>. Last Accessed: October 24th 2012.<br />[<a href="#fr19" name="fn19">19</a>]. 
Bajpaj, Ravi. CCTV shots to check drinking outside city liquor vends. The Indian Express reproduced on the website of dsidc. December 20<sup>th</sup> 2011. Available at: <a class="external-link" href="http://bit.ly/VHwCz">http://bit.ly/VHwCz</a>d. Last accessed: October 24th 2012.<br />[<a href="#fr20" name="fn20">20</a>]. GOI. Report of the Group of Experts on Privacy. October 2012. Available at: <a class="external-link" href="http://bit.ly/VqzKtr">http://bit.ly/VqzKtr</a>. <span> </span>Last accessed: October 24th 2012.<span> </span><br />[<a href="#fr21" name="fn21">21</a>]. Id. pg. 61-62.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy-perspectives-on-the-2012-2013-goa-beach-shack-policy'>https://cis-india.org/internet-governance/blog/privacy-perspectives-on-the-2012-2013-goa-beach-shack-policy</a>
</p>
No publisher, elonnai, Internet Governance, Privacy, 2012-10-25T10:23:50Z, Blog Entry
A Public Meeting on DNA Profiling Bill in Delhi
https://cis-india.org/internet-governance/blog/public-meeting-on-dna-profiling-bill
<b>On September 27, 2012, the Centre for Internet and Society hosted a public talk at the Indian International Centre focused on the draft DNA Profiling Bill. Presenting at the meeting were international experts Dr. Helen Wallace, director of GeneWatch UK and Jeremy Gruber, president and executive director of the Council for Responsible Genetics US, and Dr. Anupama Raina, senior scientist at AIIMS.</b>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The use of DNA samples for forensics purposes has been increasing as law enforcement in India is relying on DNA samples as a source of evidence to solve crimes. India currently does not have legislation specifically regulating the collection, use, and storage of DNA samples for forensics purposes. To address this gap, in 2007 a draft DNA Profiling Bill was created by the Centre for DNA Fingerprinting and Diagnostics. In February 2012 a new draft of the bill from the Department of Biotechnology was leaked. The draft Bill envisions creating state level DNA databases that will feed into a national level DNA database for the purposes of solving crime.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Opening the meeting was a presentation by Dr. Anupama that focused on how DNA analysis has been used in various cases in India. Dr. Anupama emphasized the important role that DNA plays and the usefulness of the technology, but also cautioned that the police are still perfecting the use of DNA samples for forensic purposes. She promoted the passing of the DNA profiling bill with the correct safeguards. Dr. Anupama also provided insight into the current procedure for DNA analysis in India, noting that consent is taken from individuals before taking DNA samples, and that ethical clearance is taken before DNA samples are taken and used for research purposes. She also noted that labs are working on improving quality assurance and emphasized the importance of chain of custody in ensuring that DNA samples are not contaminated.</p>
<p style="text-align: justify; ">Following Dr. Anupama, Jeremy Gruber spoke about the US experience with DNA databases and explained how DNA testing was initially introduced as a tool for establishing additional evidence for convicting violent felony offenders or freeing innocent individuals on a case to case basis. He explained how the technology of DNA sampling and its use in forensic cases can be both a useful tool when used justly and democratically, or can be harmful when used unjustly and undemocratically. He noted that there has been an increase in the routine use and retention of DNA by law enforcement today for purposes such as using DNA databases for familial searching purposes, and using DNA analysis to create profiles of individuals. Concerns that Jeremy Gruber raised with respect to the draft DNA Profiling Bill included the assumption in the preamble of the bill that DNA is an infallible piece of evidence, pointing out that when DNA is used for forensic purposes it is vulnerable to inaccuracies such as false matches, sample contamination, and analysis error. He also made the point that the definitions found in the bill are overly broad and work to expand the scope by defining a wide range of crimes for which individuals will be added to the DNA database. These broad definitions essentially turn the database into an all crimes database. Other concerns with the bill included that DNA laboratories are not clearly independent of the police, and that the bill allows for the additional collection of DNA from missing persons and victims.</p>
<p style="text-align: justify; ">In her presentation, Dr. Helen Wallace described the UK experience, where the first DNA database was established in 1995. In 2000 a major expansion of the UK DNA database took place, but was controversial for a number of reasons. In 2008 the European Court of Justice ruled that the regime of retaining DNA samples in the UK was unlawful and a breach of privacy. Now the UK law requires that only a barcode with identifying information be stored. Dr. Wallace also emphasized the fact that the number of convictions resulting from DNA detections has not increased as the UK DNA database has expanded, because the number of solved crimes is driven by the number of crime scene samples. Thus, samples on a database are only useful if they relate directly to the crime scene and a possible criminal. Therefore the more profiles that are added to the database that are related to petty crimes, civil cases, victims, volunteers etc. the less efficient and accurate the database becomes. Dr. Wallace recommended that a DNA database contain only careful crime scene evidence in order to ensure samples are matched accurately. Concerns with the DNA profiling Bill emphasized by Dr. Wallace included that consent is not provided for in the bill, and court orders are not required. Furthermore, the bill does contain a removal process, and it is unclear what DNA profiling system will be used.</p>
<p style="text-align: justify; ">Responding to the presentations made by the speakers, members of the audience raised concerns over the use of DNA sampling in India for reasons beyond forensic purposes, such as requiring surrogate mothers and the children to undergo DNA tests. Other members of the audience pointed out that the bill does not address the rights of suspects and prisoners. Additionally the question of the evidentiary weight of DNA samples in court was raised, along with the concern that the broad collection of DNA samples from individuals is just another example of the growing trend by the Indian government to collect and store information about its citizens.</p>
<ul>
<li><a href="https://cis-india.org/internet-governance/blog/uk-dna-database-and-european-court-of-human-rights.ppt" class="internal-link">Download Dr. Helen Wallace's presentation</a></li>
</ul>
<ul>
<li><a href="https://cis-india.org/internet-governance/blog/forensic-dna-databases.ppt" class="internal-link">Download Jeremy Gruber's presentation</a></li>
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/public-meeting-on-dna-profiling-bill'>https://cis-india.org/internet-governance/blog/public-meeting-on-dna-profiling-bill</a>
</p>
No publisher, elonnai, Internet Governance, Privacy, 2012-10-10T10:58:32Z, Blog Entry
An Interview with Dr. Ann Cavoukian, Information and Privacy Commissioner, Ontario, Canada
https://cis-india.org/internet-governance/interview-with-anne-cavoukian
<b>Elonnai Hickok interviewed Dr. Ann Cavoukian, Information and Privacy Commissioner, Ontario, Canada. The full interview is reproduced below.</b>
<ol><li><strong>When Canada weighed a broad privacy legislation against sectoral legislation, was the decision close? What were the most decisive factors?</strong><br /><br />Canada’s legislative privacy regime consists of both broad and sectoral privacy legislation.<br /><br />Broadly, the use of personal information in Canadian commercial activities is regulated by federal legislation under the <em><a class="external-link" href="http://www.priv.gc.ca/leg_c/leg_c_p_e.cfm">Personal Information Protection and Electronic Documents Act (PIPEDA)</a></em>, or by provincial legislation that is “substantially similar” to <em>PIPEDA</em>.<br /><br />Sectorally, a prime example is the protection of personal health information under Ontario's <em><a class="external-link" href="http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_04p03_e.htm">Personal Health Information Protection Act, 2004 (PHIPA)</a></em>.<br /><br />Regarding the decisive factors surrounding Parliament's passing of a broad private sector privacy statute, you may know that oversight of PIPEDA falls within the jurisdiction of the <a class="external-link" href="http://www.priv.gc.ca/leg_c/leg_c_p_e.cfm">Office of the Privacy Commissioner of Canada (OPC)</a>. Accordingly, you may wish to focus your contact with the OPC regarding your question. In addition, <a class="external-link" href="http://www.ic.gc.ca/ic_wp-pa.htm">Industry Canada</a> may have some helpful resources regarding the federal government’s decision to enact <em>PIPEDA</em>.<br /><br /></li><li><strong>Do you see the different perceptions and cultural understandings of privacy as something to be addressed through legislation? If not, do you think it should be addressed at all? How?
</strong><br /><br />In an era marked by the widespread use of new information technologies, globalization, and the international flow of personal information, the establishment of global privacy standards is required to effectively protect personal privacy. Fortunately, an international community of data protection commissioners is hard at work contributing to the establishment of a set of global privacy principles. At the annual International Data Protection Commissioners Conference in 2005, Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario, chaired a Working Group of Data Protection Commissioners that led to the <a class="external-link" href="http://www.ipc.on.ca/images/Resources/gps.pdf">Creation of a Global Privacy Standard</a>. Such a principled but flexible approach can also be seen, for example, in the landmark <a class="external-link" href="http://www.privacybydesign.ca/content/uploads/2010/11/pbd-resolution.pdf"><em>Privacy by Design</em> (PbD) resolution</a> adopted unanimously, in 2010, by the international Privacy Authorities and Regulators at the International Conference of Data Protection and Privacy Commissioners in Jerusalem.<a name="fr1" href="#fn1">[1]</a><br /><br />The resolution recognizes <em><a class="external-link" href="http://privacybydesign.ca/about/principles/">PbD</a></em> as an “essential component of fundamental privacy protection” – an International Standard, and urges its adoption in regulations and legislation around the world. Governments that employ this internationally recognized standard will be able to both protect privacy and address local and national priorities.<a name="fr2" href="#fn2">[2]<br /><br /></a></li><li><strong>How does the Canadian model implement self-regulation of privacy standards? 
How is that balanced against legal enforcement of privacy legislation?</strong><br /><br />In Canada, as elsewhere, private sector privacy regulation recognizes the dual purposes of protecting the individual's right to privacy, on the one hand, and recognizing the commercial need for access to personal information, on the other.<a name="fr3" href="#fn3">[3]</a><em><br /><br />PIPEDA</em> furthers these two purposes by tying a set of flexible, technology-neutral privacy principles to a statutory framework of rules governing the collection, use, and disclosure of personal information.<br /><br />In particular, Part I of PIPEDA provides the overarching statutory framework, while Schedule I, which was borrowed from the Canadian Standards Association’s Model Code for the Protection of Personal Information, provides flexible, technology-neutral privacy principles. To accomplish the dual purposes that animate PIPEDA and its Schedule, Canada’s Federal Court of Appeal has directed that the interpretation and application of this regulatory framework should be guided by "flexibility, common sense and pragmatism."<a name="fr4" href="#fn4">[4]</a><br /><br />Such an approach allows organizations to address their own goals and priorities within a privacy protective framework. Moreover, by incorporating the flexible principles of PbD, organizations can "go beyond mere legal compliance with notice, choice, access, security and enforcement requirements." Instead, they can be empowered to design their own responsive approaches to risk management and privacy-related innovation, within the context of the relevant regulatory framework. 
This approach allows organizations to develop doubly-enabling, positive-sum solutions that are win/win in nature and appropriate given the size and nature of the organization, the personal information it manages, and the range of risks, opportunities, and solutions available.<br /><br /></li><li><strong>Does Canada favor private forms of redress or agency/state enforcement to prevent and remedy privacy violations? In what circumstances is one more effective than the other?</strong><br /><br />Canadian privacy legislation includes both state enforcement and private forms of redress; neither is necessarily favoured.<br /><br />For example, under <em>PHIPA</em>, the Attorney General may impose fines of up to $50,000 for individuals and $250,000 for corporations who are found to be in breach of <em>PHIPA</em>. Further, our office has broad powers of investigation and can directly order a custodian to comply with its obligations. An individual affected by a Commissioner’s final <em>PHIPA </em>order may commence a proceeding in the Ontario Superior Court for damages for actual harm suffered.<br /><br />Another example is under <em>PIPEDA</em> where contravention can result in fines of up to $100,000 depending upon the type and severity of the matter. Further, the federal privacy Commissioner has powers to investigate and report findings with respect to privacy complaints. Following the release of the Commissioner’s report, a complainant may apply to the Federal Court to seek remedies that include damages and an order requiring an organization to correct its practices.<br /><br />Generally, fines and other penalties imposed on individuals and corporations by the government are effective in deterring certain actions and protecting the public from a variety of harmful practices. 
On the other hand, a private right of action may be effective when a particular individual is harmed by an individual or corporation and is seeking damages to compensate or redress that particular harm.<br /><br /></li><li><strong>What types of privacy violations are the most common? How have these been addressed?<br /></strong><br />The most common types of privacy violations are inadvertent disclosures or privacy breaches of personal information, including personal health information. In particular, these violations usually stem from the improper retention, transfer and disclosure of personal information.<br /><br />Privacy breaches are addressed in a variety of ways, depending on the type and amount of information disclosed. For example, under <em>PHIPA</em>, if health information is stolen, lost, or accessed by unauthorized persons, the health information custodian must notify the affected individual at the first reasonable opportunity and should take immediate steps to contain the breach. Further, the Commissioner may order the health information custodian to take corrective action such as requiring the custodian to implement a certain procedure when handling personal health information or conduct privacy training.<br /><br /></li><li><strong>What forms of privacy education has Canada pursued? What audiences have been targeted? Which efforts have been the most successful and why?</strong><br /><br />Canadian institutions and organizations have pursued a wide variety of privacy education initiatives including programs that award professional designations (e.g. 
<a class="external-link" href="https://www.privacyassociation.org/certification/">IAPP</a>, <a class="external-link" href="http://capapa.org/">CAPAPA</a>, <a class="external-link" href="http://www.ipsi.utoronto.ca/">University of Toronto Identity, Privacy and Security Initiative</a>, <a class="external-link" href="http://www.extension.ualberta.ca/study/government-studies/iapp/">University of Alberta Program</a>).<br /><br />Our Office has led a wide variety of educational initiatives to spread the word about privacy protection and freedom of information under our Ontario legislation. We have focused on a variety of audiences from the general public to individuals who deal with privacy and access to information issues as part of their daily professional role.<br /><br />Initiatives include frequent contact between our Information Officers and the public, and dozens of marketing materials geared to providing guidance (e.g. “<a class="external-link" href="http://www.ipc.on.ca/images/Resources/circle-care.pdf">Circle of Care: Sharing of Personal Health Information for Health-Care purposes</a>”, “<a class="external-link" href="http://www.ipc.on.ca/images/Resources/hprivbreach-e.pdf">What to do When Faced With a Privacy Breach: Guidelines for the Health Sector</a>”). Our Office has developed Educational Resource Guides (<a class="external-link" href="http://www.ipc.on.ca/english/Resources/Educational-Material/Educational-Material-Summary/?id=183">Grade 5</a>, <a class="external-link" href="http://www.ipc.on.ca/english/Resources/Educational-Material/Educational-Material-Summary/?id=184">Grade 10</a>, <a class="external-link" href="http://www.ipc.on.ca/english/Resources/Educational-Material/Educational-Material-Summary/?id=1110">Grades 11/12</a>), which have been added to the formal Ontario curriculum to help teachers educate about privacy protection. Commissioner Cavoukian participates in extensive presentations and speeches at numerous conferences and events. 
As well, representatives from our Office reach out into the community to educate about our offerings and role (hospitals, conference, community events etc.). In addition, to educate Ontarians about privacy protection, the IPC also allots significant resources to many marketing initiatives including a <a class="external-link" href="http://www.ipc.on.ca/english/Resources/Newsletters/Newsletters-Summary/?id=1100">quarterly e-newsletter</a>, video production, and social media outreach. Most recently, we circulated an <a class="external-link" href="http://www.ipc.on.ca/english/Resources/IPC-Corporate/IPC-Corporate-Summary/?id=482">online tool kit </a>(available via USB as well), to assist new Freedom of Information and Protection of Privacy Co-ordinators in the public sector. Most of our resources are available in English and French.<br /><br />Without a doubt, the IPC’s most successful educational effort thus far is in the area of PbD, now an international standard. This Ontario-made solution was created by Commissioner Cavoukian who has led the IPC in partnering with global stalwarts such as IBM, Intel, and Nokia to advance Privacy by Design, and to foster innovation in many fields, including <a class="external-link" href="http://www.privacybydesign.ca/content/uploads/2011/02/pbd-olg-facial-recog.pdf">biometrics</a>, the <a class="external-link" href="http://www.privacybydesign.ca/content/uploads/2011/02/pbd-ont-smartgrid-casestudy.pdf">Smart Grid</a> and even <a class="external-link" href="http://www.ipc.on.ca/images/Resources/AVAwhite6.pdf">Targeted Advertising</a>. <em>Privacy by Design</em> knows no boundaries and makes sense for everyone — especially businesses. 
Not only is it cheaper to build in privacy before a breach occurs, it is also a compelling way to win the trust of clients and build a successful brand.<br /><br /></li><li><strong>What [have] proven to be [the main] challenges or obstacles to protecting privacy in Canada?</strong><br /><br />The most common obstacle to protecting privacy is that key stakeholders hold on to misconceptions about privacy. <br />Misconception #1 – Privacy is dead or obsolete. <br />Misconception #2 – Privacy stops us from performing our job.<br />Misconception #3 – With the massive growth of online social media, you cannot have both widespread connectivity and privacy.<br /><br />Not only do these misconceptions contradict each other, they are both dead wrong!<br /><br />Privacy is alive and well and more relevant than ever. Consider, for example, that the same technologies that serve to threaten privacy may also be enlisted to support it. Properly understood, privacy is becoming increasingly critical to achieving success in the new economy. In this environment, PbD offers a principled, flexible, and technology-neutral vehicle for engaging with privacy issues, and for resolving them in ways that support multiple outcomes in a full functionality, positive-sum, win-win scenario.<br /><br />It does so by ensuring that privacy is built in right up front, directly into the design specifications and architecture of new systems and processes. <em><br /><br />PbD</em> seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. PbD avoids the pretense of false dichotomies or unnecessary trade-offs, such as privacy vs. security, demonstrating that it is possible to have both. For more on PbD, go to <a class="external-link" href="http://www.privacybydesign.ca/">www.privacybydesign.ca<br /><br /></a></li></ol>
<h3>Dr. Ann Cavoukian, Ph.D., Information and Privacy Commissioner, Ontario, Canada</h3>
<p>Dr. Ann Cavoukian is recognized as one of the leading privacy experts in the world. Noted for her seminal work on Privacy Enhancing Technologies (PETs) in 1995, her concept of Privacy by Design seeks to proactively embed privacy into the design specifications of information technology and accountable business practices, thereby achieving the strongest protection possible. In October, 2010, regulators from around the world gathered at the annual assembly of International Data Protection and Privacy Commissioners in Jerusalem, Israel, and unanimously passed a landmark Resolution recognizing <em>Privacy by Design</em> as an essential component of fundamental privacy protection. This was followed by the U.S. Federal Trade Commission’s inclusion of <em>Privacy by Design</em> as one of its three recommended practices for protecting online privacy – a major validation of its significance.</p>
<p>An avowed believer in the role that technology can play in the protection of privacy, Dr. Cavoukian’s leadership has seen her office develop a number of tools and procedures to ensure that privacy is strongly protected, not only in Canada, but around the world. She has been involved in numerous international committees focused on privacy, security, technology and business, and endeavours to focus on strengthening consumer confidence and trust in emerging technology applications.</p>
<p>Dr. Cavoukian serves as the Chair of the Identity, Privacy and Security Institute at the University of Toronto, Canada. She is also a member of several boards, including the European Biometrics Forum, Future of Privacy Forum, and RIM Council, and has been named a Distinguished Fellow of the Ponemon Institute. Dr. Cavoukian was honoured with the prestigious <em>Kristian Beckman Award</em> in 2011 for her pioneering work on <em>Privacy by Design</em> and privacy protection in modern international environments. In the same year, Dr. Cavoukian was also named by <em>Intelligent Utility</em> Magazine as one of the Top 11 Movers and Shakers for the Global Smart Grid industry, received the SC Canada Privacy Professional of the Year Award and was honoured by the University of Alberta Information Access and Protection of Privacy Program for her positive contribution to the field of privacy. Most recently in November 2011, Dr. Cavoukian was ranked by Women of Influence Inc. as one of the top 25 Women of Influence recognizing her contribution to the Canadian and global economy. This award follows her recognition in 2007 by the Women’s Executive Network as one of the Top 100 Most Powerful Women in Canada.</p>
<hr />
<p><strong>Notes</strong></p>
<p>[<a name="fn1" href="#fr1">1</a>]. Information and Privacy Commissioner/Ontario, Landmark Resolution passed to preserve the Future of Privacy, <a class="external-link" href="http://www.ipc.on.ca/images/Resources/2010-10-29-Resolution-e_1.pdf">http://www.ipc.on.ca/images/Resources/2010-10-29-Resolution-e_1.pdf</a><br />[<a name="fn2" href="#fr2">2</a>]. For a discussion of how governments might employ a PbD approach to privacy regulation, see Commissioner Cavoukian’s White Paper, Privacy by Design in Law, Policy, and Practice, available at:<br /><a class="external-link" href="http://www.ipc.on.ca/english/Resources/Discussion-Papers/Discussion-Papers-Summary/?id=1095">http://www.ipc.on.ca/english/Resources/Discussion-Papers/Discussion-Papers-Summary/?id=1095</a><br />[<a name="fn3" href="#fr3">3</a>]. See the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (Can.), <a class="external-link" href="http://www.canlii.org/en/ca/laws/stat/sc-2000-c-5/latest/sc-2000-c-5.html">http://www.canlii.org/en/ca/laws/stat/sc-2000-c-5/latest/sc-2000-c-5.html</a>.<br />[<a name="fn4" href="#fr4">4</a>]. <em>Englander v. Telus Communications Inc.</em>, 2004 FCA 387, Locus Para. 38-46.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/interview-with-anne-cavoukian'>https://cis-india.org/internet-governance/interview-with-anne-cavoukian</a>
</p>
No publisher | elonnai | Internet Governance, Privacy | 2011-12-03T01:26:04Z | Blog Entry
SCOSTA and UID Comparison not Valid, says Finance Committee
https://cis-india.org/internet-governance/blog/scosta-uid-comparison-invalid
<b>The Standing Committee on Finance Branch, Lok Sabha Secretariat has responded to the suggestions offered by CIS on the National Identification Authority of India, Bill 2010 and has requested it to mail its views by 14 October 2011.</b>
<p>On January 6, 2011, CIS had sent an <a href="https://cis-india.org/internet-governance/blog/blog/privacy/letter-to-finance-committee" class="external-link">open letter to the Parliamentary Finance Committee</a> demonstrating how the Aadhaar biometric standard is weaker than the SCOSTA standard. The text of the reply is reproduced below.</p>
<p>Sir,</p>
<p>This is in response to one of the views/suggestions offered by CIS on the National Identification Authority of India Bill, 2010.</p>
<h3>CIS View /Suggestion:</h3>
<p>"Though the Aadhaar biometrics are useful for the de-duplication and identification of individuals, the Smart Card Operating System for Transport Application [(SCOSTA), developed by the National Informatics Centre in India)] standard is a more secure, structurally sound, and cost-effective approach to authentication of identity for India. Therefore, the Aadhaar biometric based authentication process should be replaced with a SCOSTA standard based authentication process."</p>
<p>In this regard, do you agree with the following view? If not, please justify.</p>
<p>"Comparison between SCOSTA and the UID project are not valid since SCOSTA is fundamentally a standard for smart card based authentication and does not work for the objectives of the unique id project.</p>
<p>The UID project follows a different approach and has multiple objectives — providing identity to residents of India, ensuring inclusion of poor and marginalized residents in order to enable access to benefits and services, eliminating the fakes, duplicates and ghost identities prevalent in other databases and provide a platform for authentication in a cost effective and accessible manner.</p>
<p>UIDAI is not issuing cards or smart cards. Cards can be issued by agencies that are providing services. UID authentication does not exclude smart cards — service providers can still choose to issue smart cards to their beneficiaries or customers if they want to."</p>
<p>You are requested to email your view by 14 October, 2011 positively.</p>
<p>Standing Committee on Finance Branch<br />Lok Sabha Secretariat</p>
No publisher | elonnai | Internet Governance | 2011-11-22T16:37:43Z | Blog Entry
Understanding the Right to Information
https://cis-india.org/internet-governance/understanding-right-to-information
<b>Elonnai Hickok summarises the Right to Information Act, 2005, how it works, how to file an RTI request, the information that an individual can request under the Act, the possible responses and the challenges to the citizen and the government. She concludes by saying that there are many structural changes that both citizens and governmental officers can make to improve the system.</b>
<h2>Introduction</h2>
<p style="text-align: justify; ">The <a class="external-link" href="http://righttoinformation.gov.in/webactrti.htm">Right to Information Act, 2005</a> (RTI) was created in 2005 and marked an important time in Indian legislative history. The Right to Information enables citizens to hold the government accountable and ensure that it is a transparent body. Questions that a citizen can put to the government range from requests for meeting notes to why a teacher is not present in a public school. In the current RTI system there are many challenges that inhibit the government’s efficient delivery of the RTI as a service to the people. This has changed how citizens view the RTI, as the government feels harassed and citizens feel as though their rights are being unjustly denied. Additionally, individuals have turned the RTI into a redressal mechanism rather than a way to ensure transparency and to learn and understand how their government is functioning. The use of the RTI as a redressal mechanism has created a relationship of animosity between the government and citizens. The note below outlines the ecosystem of the RTI and notes specific challenges that both citizens and the government face.[<a href="#1">1</a>]</p>
<h2>The RTI Ecosystem</h2>
<h3>RTI work flow</h3>
<div>
<ul>
<li style="text-align: justify; ">An individual files an RTI with the central/ state public information officer (PIO) or a specific PIO. PIOs are often not trained, and rarely apply for the position, but are instead designated.</li>
<li style="text-align: justify; ">Within five days the information is to be forwarded to the correct PIO.</li>
<li style="text-align: justify; ">The PIO must open a file and dispose of the request within 30 days. </li>
<li style="text-align: justify; ">If the PIO fails to reply to the applicant by either approving or denying a request, the PIO is liable to pay a fine of Rs. 250 for each day of delay. </li>
<li style="text-align: justify; ">If information is electronically uploaded, it is stored in any format the officer chooses (jpeg, pdf, html, etc.).</li>
<li style="text-align: justify; ">Except for land records and staff records, files are retained for a maximum of one year. </li>
<li style="text-align: justify; ">If the PIO does not dispose of the request, there is scope for an appeal within 30-45 days to the appellate authority.</li>
<li style="text-align: justify; ">There is scope for a second appeal to the information commissioner if the authority does not respond within 90 days or the answer is found to be unsatisfactory. </li>
<li style="text-align: justify; ">The final decision of the information commissioner is binding. </li>
</ul>
</div>
<h3>Filing an RTI request</h3>
<div style="text-align: justify; ">Though there is no specific format an individual must follow when filing an RTI request, the request must include:</div>
<div>
<ul>
<li style="text-align: justify; ">His/her name and address.</li>
<li style="text-align: justify; ">The name and address of the public information officer (PIO).</li>
<li style="text-align: justify; ">The particulars of information/documents required (limited to 150 words and one subject matter).</li>
<li style="text-align: justify; ">The time period of the information required.</li>
<li style="text-align: justify; ">Proof of payment.</li>
<li style="text-align: justify; ">Signature.</li>
<li style="text-align: justify; ">Proof if the individual is a BPL holder.[<a href="#2">2</a>] </li>
</ul>
</div>
<h3>Information that an individual can request under the RTI Act</h3>
<div>
<ul>
<li style="text-align: justify; ">Inspection of work, documents, and records</li>
<li style="text-align: justify; ">Taking notes, extracts or certified copies of documents or records.</li>
<li style="text-align: justify; ">Taking certified samples of material.</li>
<li style="text-align: justify; ">Obtaining of information in the form of diskettes, floppies, tapes, and video cassettes, or in any other electronic mode, or through printouts where such information is stored in a computer, or in any other device.</li>
<li style="text-align: justify; ">Obtaining the status of an RTI request or complaint.</li>
</ul>
</div>
<div style="text-align: justify; ">Note: If an individual is requesting third party information, the PIO must inform the third party and provide the individual the opportunity to state a reason for not disclosing the information.</div>
<div>
<h3>Accepted format of requested materials and records</h3>
<ul>
<li style="text-align: justify; ">Material requested can be in any format including: records, documents, memos, emails, opinions, advices, press releases, circulars, orders, logbooks, contracts, reports, papers, samples, models, and data material held in any electronic form.</li>
<li style="text-align: justify; ">Records requested can include: any document, manuscript and file, any microfilm, microfiche and facsimile copy of a document, and reproduction of image or images embodied in such microfilm (whether enlarged or not), and any other material produced by a computer or any other device.</li>
</ul>
</div>
<h3>Possible Responses to an RTI request</h3>
<div>
<div><b>An information officer can respond to an RTI in the following ways</b>:</div>
<div>
<ul>
<li style="text-align: justify; ">Transfer request to appropriate PIO within five days and notify the applicant about the transfer.</li>
<li style="text-align: justify; ">Provide the requested information within 30 days.</li>
<li style="text-align: justify; ">Reject the request within 30 days, stating the reasons for rejection, the period within which an appeal against such rejection may be preferred, and the details of the appellate authority.</li>
<li style="text-align: justify; ">Not respond to the applicant. If no response is received within 30 days the officer is liable for a penalty of Rs. 250 per day.</li>
</ul>
</div>
<h3>Appeal/Complaint Process</h3>
<div>
<ul>
<li style="text-align: justify; ">First appeal can be filed after 30 days or if the information given was unsatisfactory. The appeal must include: name and address of the appellant, name and address of the PIO involved, brief facts leading to appeal, relief sought, grounds for appeal, and copies of the application or documents involved, including copies of the reply, if received from the PIO.</li>
<li style="text-align: justify; ">Second appeal must contain: name and address of the applicant, and name and address of the PIO involved, particulars of the Order including the number if any against which the appeal is preferred, brief facts leading to the appeal, if appeal/complaint is preferred against deemed refusal then the particulars of the application, including number and date and name, address of the PIO to whom the application was originally made, relief sought, grounds for the relief, verification by the applicant, any other information which the commission may deem necessary for deciding during the appeal, self attested copies of the application or documents involved, copies of the documents relied upon by the appellant and referred to in the appeal, and an index of the documents referred to in the appeal.</li>
<li style="text-align: justify; ">A complaint must include: name and address of the complainant, name and address of the state PIO against whom the complaint is being made, facts leading to the complaint, particulars of the application [number, date, name and address of the PIO (three copies)], relief sought, grounds and proof for relief, verification of the complainant (three copies), index of documents referred to in the complaint, and any other necessary information.[<a href="#3">3</a>]</li>
</ul>
</div>
<h2>Challenges to the Citizen</h2>
<h3>Knowing the correct Public Information Officer</h3>
<p style="text-align: justify; ">Knowing which public information officer to mail the RTI request to is the first difficulty that an individual faces. As noted above in 2008 there were a total of 73,256 recorded public information commissioners in the State of Karnataka. New public information commissioners are created every day, because the RTI extends not only to any department of the government, but to any sub-contracted company, organization, school, or NGO that is receiving government funding and doing work on behalf of the government directly or indirectly. Lists of PIOs can be found on department bulletin boards and websites, but there is no clear method for an individual to know what information each PIO is the custodian of. Thus, individuals are left to determine this on their own, and rely on the PIO to forward their application to the correct individual.</p>
</div>
<h3>Filing in the correct format</h3>
<div>
<p style="text-align: justify; ">Though it is stated in the law what language an RTI request will be accepted in, and what information should be included – individuals are often unaware of the guidelines and unaware of how to correctly fill out an RTI request. An incorrectly formatted request is one of the major reasons for rejection of a request by the PIO.</p>
</div>
<h3>Language</h3>
<div>
<p style="text-align: justify; ">In the State of Karnataka, RTIs can be filed only in two languages: Kannada and English. By law, RTI responses are given only in the language that the department works in on a daily basis, and in English. The information that is supplied through the request is given in its original language. For example, if you ask for a document that is originally in Marathi, the document will be photocopied and sent to you. No translation of documents takes place, because it is not the job function of the officer to translate documents.</p>
</div>
<h3>Appeals</h3>
<div>
<p style="text-align: justify; ">If an individual is denied information, or does not receive a reply within 30 days, they have the option of seeking an appeal through an appellate authority. In 2008 Karnataka had 5416 Appellate Authorities. Currently, because of the backlog in appeal cases and the slow functioning of the system, an individual might have to wait for up to one year for his/her appeal to be heard. Often at this point the information is no longer relevant or needed.</p>
</div>
<h3>Privacy</h3>
<div>
<p style="text-align: justify; ">In some cases individuals are denied a request for information based on the grounds that it would invade the privacy of the public officer. This is sometimes the case and sometimes not the case. Finding the right balance between the right to information and privacy is important, as protecting an individual’s privacy is crucial, but privacy should not be used as a reason for the government to be less transparent to the citizen and be used as a way to deny a citizen the information that they are entitled to.[<a href="#4">4</a>]</p>
</div>
<h2>Challenges in the RTI System for the Government</h2>
<ul>
<li style="text-align: justify; "><b>Too many RTI requests and no system to record duplicates</b>: As the figure shows above, in 2008, the Karnataka Government received 42208 RTI requests. Currently, it is not possible to know how many of these requests were duplicates since departments handling RTIs do not make it a practice to upload and organize filed RTI requests in a format easily accessible to citizens. Thus, there is no present system in place to track, upload, and store past RTIs in a meaningful way.</li>
<li style="text-align: justify; "><b>Additional overhead in recording, organizing, accessing, and storing data</b>: In the current system every time an RTI request is received by the government, they open a new file for that request. Though in some ways this system of storage simplifies the process of finding past RTIs, it adds an additional overhead cost as photocopies must be made, new files created, and correctly added to the organized system. Each state follows its own method of recording, organizing, accessing, and storing data – thus, currently it is not possible to easily access the information from another state or combine information from two separate states.</li>
<li style="text-align: justify; "><b>Lack of compliance with section 4(d) pro-active disclosure</b>: Under section 4(d), the government is required to pro-actively disclose pre-determined data to the public via websites and other useful modes. Currently there is very little compliance with section 4(d) from governmental departments. Many factors contribute to the low rate of compliance, including lack of resources and lack of proper enforcement. If governmental departments were to comply with section 4(d), then the load of RTI requests and the time each request takes to answer could be lightened considerably, as the government could respond by pointing citizens to the already disclosed information. </li>
</ul>
<h2>Conclusion</h2>
<div style="text-align: justify; ">Though the Right to Information is an important right, the above entry looks at some of the weaknesses and challenges in the system. There are many structural changes that both citizens and governmental officers can make to improve the system, such as pro-actively disclosing information, ensuring that an RTI is filed correctly, and creating a system for organizing previously asked questions. Alongside these structural changes it is also critical that a positive culture of transparency and accountability is fostered throughout society, thus encouraging citizens to actively engage with the government and exercise their right to information.</div>
<hr />
<p><b>Notes</b></p>
<p>[<a href="#fr1" name="fn1">1</a>]. I am grateful to N. Vikram Simha, RTI activist, for his insight and feedback into the RTI system.</p>
<p>[<a href="#fr2" name="fn2">2</a>]. N. Vikram Simha, Right to Information Act of 2005: Guide for Citizens.</p>
<p>[<a href="#fr3" name="fn3">3</a>]. N. Vikram Simha, Right to Information: Trend Ahead. Karnataka State Chartered Accountants Association, Bangalore.</p>
<p>[<a href="#fr4" name="fn4">4</a>]. N. Vikram Simha, RTI and Protection of Individual Privacy.</p>
No publisher | elonnai | Internet Governance | 2013-06-12T11:39:05Z | Blog Entry
Right to Privacy Bill 2010 — A Few Comments
https://cis-india.org/internet-governance/blog/privacy/privacy-bill-2010
<b>Earlier this year, in February 2011, Rajeev Chandrasekhar introduced the Right to Privacy Bill, 2010 in the Rajya Sabha. The Bill is meant to “provide protection to the privacy of persons including those who are in public life”. Though the Bill states that its objective is to protect individuals’ fundamental right to privacy, the focus of the Bill is on the protection against the use of electronic/digital recording devices in public spaces without consent and for the purpose of blackmail or commercial use.</b>
<h2>Specific Recommendations</h2>
<p>The use of electronic recording devices in public is an important and expansive aspect of privacy, which is yet to be directly covered by Indian law. Though the Bill addresses the basic usage of electronic devices with built-in cameras, it frames the violation as a personal violation. In doing so, the Bill has taken a punitive approach, making it criminal to take photographs in situations outside of the laid-out regulations, rather than protective in nature, i.e., working to protect individuals from harassment and blackmail, and offer forms of redress to those damaged. </p>
<p>The Bill fails to address scenarios such as Google street view, satellite photographs, news channels, and live feeds at events and conferences. In these situations live data is being transmitted and posted on the Web by the media for the public to view. When looking at the dilemma of photographs being taken in public by the media, the privacy interests are different to those that are based on control of personal information alone. They are substantive, as opposed to informational, and engage directly with individual dignity, autonomy, and the freedom of expression. For example, the interest in freedom of expression encompasses the interests of both photographers and journalists producing material for their journals. Can a journalist print a photograph taken in a public space — of a public figure, which the public figure did not consent to, and which that person considers defamatory? </p>
<p>Interestingly, Europe has strong laws regulating the taking of photographs in public spaces, but these rules are covered by the Protection from Harassment Act, 1997 (UK), which speaks specifically to the media’s behaviour towards public figures — or they fall under a tort of misuse. In the US taking photographs only becomes an issue in the use of the photograph. Essentially anyone can be photographed without consent except when they have secluded themselves in places where they have a reasonable expectation of privacy such as dressing rooms, restrooms, medical facilities, or inside a private residence. This legal standard applies regardless of the age, sex, or other attributes of the individual. Once a photograph is taken, and if that photograph is used for commercial gain without consent or publicizes an otherwise private person inappropriately, then that person can be held liable under the tort of misappropriation. </p>
<h2>Specific Comments to the Bill</h2>
<h3>Misguiding Title</h3>
<p>The title of the Bill is "the Personal Data Protection Bill, 2006," but the scope of the Bill is focused on regulating the use of electronic recording devices, and it does not include many aspects of privacy. So we recommend that the title of the Bill be modified to "The Electronic Recording Devices Bill, 2010".</p>
<h3>Inappropriate Blanket Use of Privacy</h3>
<p>The introduction to the Bill states that its purpose is "for the protection of the right to privacy of persons including those who are in public life so as to protect them from being blackmailed or harassed or their image and reputation being tarnished in order to spoil their public life and for the prevention of misuse of digital technology for such purposes and for matters connected therewith and incidental thereto." </p>
<p><strong>Comment</strong>: Notwithstanding the fact that violations of privacy extend beyond blackmail, harassment, and defamation, and that digital technologies are not the only vehicles for privacy violations, it is important to qualify that privacy is not a blanket right, and that for public persons, the privacy that they are afforded is determined by balancing their interest against the public interest. </p>
<h3>Narrow Definition of Public Figures </h3>
<p>Section 2 (b) of the Bill states: "persons in public life" includes the representatives of the people in Parliament, state legislatures, local self government bodies, and office bearers of recognized political parties</p>
<p><strong>Comment</strong>: Persons in public life include persons beyond the political sphere, specifically those in higher positions that influence the behaviour, lifestyles, and culture of the general population. Thus, we recommend that this definition be extended to include actors, actresses, athletes, artists, and musicians, CEOs, and authors.</p>
<h3>Insufficient Limits to the Right to Privacy</h3>
<p>Section 3 (1) states: “Notwithstanding anything contained in any other law for the time being in force every person, including persons in public life, shall have the right to privacy which shall be exclusive, unhindered and there shall be no unwarranted infringement thereof by any other person, agency, media or anyone: </p>
<p>Provided that sub-section (1) of section 3 shall not apply in cases of corruption, and misuse of official positions by persons in public life.</p>
<p><strong>Comment</strong>: We recommend that the right to privacy, as any right, need not be identified as exclusive or unhindered. The right to privacy must be determined on a case by case basis relative to the public interest, and, while cases of corruption and misuse of official position by persons in public life certainly qualify, they do not encompass the wider variety of situations in which an individual’s right to privacy should be limited. For instance, if a public figure speaks out on an issue in a way that contradicts an earlier position that was captured on video, shouldn’t that be allowed to be made public? If a public figure is photographed in a morally questionable position, shouldn’t that be allowed to be made public? Indeed, even for private individuals, privacy is a matter of context. In airports and other sensitive public places it is commonly accepted that an individual’s right to privacy can be limited. If an individual has a disease such as HIV, under what circumstances should some or all of the greater public be informed, and the individual’s right to privacy be limited? </p>
<h3>Limited Scope of Technology </h3>
<p>Section 4 of the Bill states: "No person shall use a cellular phone with an inbuilt camera, if it does not produce a sound of at least 65 decibels and flash a light when used to take a picture of any object or person, as the case may be."</p>
<p><strong>Comment</strong>: We recommend that this clause clarify whether only cellular phones, and not cameras, computers, or other devices with built-in cameras, are required to produce the sound of at least 65 decibels.</p>
<h3>Overly Complicated Clauses</h3>
<p>Section 5 of the Bill states: Notwithstanding anything contained in any other law for the time being in force, no person shall make digital recording or take photographs or make videography in any manner whatsoever of: </p>
<div>
<p>Section 5(a): any part or whole of a human body which is unclothed or partially clothed without the consent of the person concerned. </p>
<p>Section 5 (b): any part or whole of a human body at any public place without the consent of the person concerned and</p>
<p>Section 5 (c): the personal and intimate relationship of any couple in a home, hotel, resort, or any place within the four walls by hidden digital or other cameras and such other instruments, or any place within the four walls by hidden digital cameras and such other instruments…with the intent of blackmail or of making commercial gains from it or otherwise. </p>
<p><strong>Comment</strong>: Section 5 currently lists certain circumstances in which photographs are not allowed to be taken of individuals in public without consent if they are to be used for the purpose of commercial gain or blackmail. Blackmail or commercial gains are not the only ways in which digital recordings of people can be misused. Certainly, taking such pictures to post for purposes of hurting one’s reputation or causing humiliation is as reprehensible as taking pictures for commercial gain, so the provision is too narrow. It may also be overbroad, because a person may be captured in an artistic or political photograph but have, for example, bare arms or legs. That would be a picture of a part of a human body at a public place. We recommend that the list of offences include misappropriation and false light, and that the manner of the picture-taking not be limited to clauses (a) to (c) above.</p>
<p>Section 5 is the first instance in which the use of digital recordings for commercial gain has been mentioned as a violation in the Bill. We recommend that commercial gain as a violation should be added to the introduction of the Bill.</p>
</div>
No publisher | elonnai | Internet Governance, Privacy | 2012-03-22T06:26:14Z | Blog Entry
Bloggers' Rights Subordinated to Rights of Expression: Cyber Law Expert
https://cis-india.org/internet-governance/blog/privacy/bloggers-rights-and-privacy
<b>Vijayashankar, an eminent cyber law expert, answers Elonnai Hickok’s questions on bloggers' rights, freedom of expression and privacy in this e-mail interview conducted on May 19, 2011.</b>
<p>A set of <a class="external-link" href="http://www.mit.gov.in/sites/upload_files/dit/files/RNUS_CyberLaw_15411.pdf">rules</a> relating to regulation of the Internet (mentioned in section 79 of the ITAA, 2008) was released in April 2011. In light of the rules framed under the IT Act, and as part of our research on privacy and Internet users, we have been looking into questions surrounding bloggers’ rights, freedom of expression, and privacy.</p>
<p>The new rules require among other things that intermediaries take down any content that could be considered disparaging. In practice, these rules will act to limit the ability of individuals to express their opinions on the Internet — especially for the bloggers. Though these requirements seem to only impact the freedom of expression of bloggers, a blogger’s privacy rights, especially in relation to the protection of their identity, are also pulled into question. Other issues surrounding bloggers’ rights and privacy include: if bloggers are identified as journalists, then whether they should be afforded the same protections and privileges, e.g., should bloggers have the right to free political speech and should intermediaries have freedom from liability for hosting speech or others’ comments? Are bloggers allowed to publish material that is under copyright on their website?</p>
<p>On May 19, 2011, through e-mail, I had the opportunity to interview <a class="external-link" href="http://www.naavi.org/naavi_profile.html">Vijayashankar</a>, an expert in cyber law, on issues regarding the rights of bloggers, freedom of expression, and privacy. Vijayashankar has authored multiple books on cyber law, taught in many universities, and is an active leader of the Netizen movement in India. Below is a summary of the questions I posed to Vijayashankar and his responses. </p>
<p>I began the interview by trying to understand bloggers’ rights and how they are defined. Often the term 'bloggers' rights' is used casually, but it is important to understand the different roles that a blogger plays in order to understand what his/her rights are, how they could be violated, and how they could be protected. Vijayashankar explained that a blog is comprised of two parties: a blogger and an intermediary – which is the application host. Bloggers have many different roles: authors, editors, or publishers of content, and thus, a blogger’s rights should be defined within these contexts. As authors, bloggers write their own article/blog or add comments to others’ blogs. As such, they should have the freedom to express their thoughts and opinions and determine a level of privacy with which to maintain them, without regulation or censorship from a third party. Though the freedom of expression and privacy should be basic rights for blog authors, bloggers must also be held accountable and responsible for the content that they choose to make public by posting on accessible web pages. </p>
<p>The need for a blogger to be held responsible and accountable is similar to the limitation on speech that informs defamation law, and it means that a blogger cannot be entirely anonymous – at least not once a blog is public and is challenged. Thus, accountability must limit the right to be entirely private and anonymous. Though a blogger should be held accountable, the international implications give rise to thorny issues of jurisdiction and accountability under unforeseen laws: all of which raises the question whether, instead of local jurisdictions seeking to enforce their laws against potentially out-of-the-jurisdiction bloggers, an international third party should be entrusted with the responsibility of holding bloggers accountable and responsible – whether that takes the form of an organization like the WTO or WIPO or looks more like specially trained international arbitrators.</p>
<p>This challenge arises because bloggers live in different jurisdictions where different rules apply, but their opinions cross multiple borders and boundaries. This raises questions such as: Which jurisdictional law should the blogger be accountable to? Should a blogger be held responsible for actions that are considered violations in a jurisdiction in which a blog is read, even if those actions are not violations in the jurisdiction in which it is written? And if a blogger is to be held responsible, who should hold him responsible – the country where the action is considered a violation or his own country – and where does a private party have a cause of action? According to Vijayashankar, bloggers’ rights are always subordinated to the rights of expression guaranteed to the blogger in his country where he is a citizen. </p>
<p>Furthermore, the rights of a blogger have to be seen in the context of who has the "cause of action" against blog writing, i.e., which party involved has the right to complain. If an individual is a victim of a blog, and that individual is a citizen of another country and is guaranteed certain rights, the blogger's rights cannot override the rights of the victim in his own country. Hence, the victim has the right to invoke law enforcement in his country, and the law enforcement agencies do have a right to seek information from the blogger. If, however, a citizen brings a private civil action against a blogger, the discovery limitations are much more severe across boundaries, and the blogger’s national policy on responding to discovery from other countries will determine the extent to which information from the blogger will be made available. To the extent that the impact of a blogger’s expression reaches across boundaries, his actions should be considered similar to a situation where a citizen of one country does certain things which affect the rights enjoyed by a citizen of another country. It does not seem right that a blogger can say something offensive in one jurisdiction and be held liable, but a different blogger can say the same thing from another jurisdiction and be protected. On the one hand, since the Internet as a medium broadcasts across geographical boundaries, it is the responsibility of the individual countries to erect their "cyber boundaries" if they do not want the broadcast to reach their citizens. On the other, individuals should be able to invoke international laws to seek consistent application of standards about what is actionable and what information is discoverable in support of an action. This suggests that an international tribunal might be the best solution.</p>
<p>Other questions to think about when exploring the idea of a trusted third party holding online bloggers accountable include: who would form the third party, what legal authority/power would they have, would this group also be in charge of reviewing a country’s "cyber boundaries" in addition to holding online bloggers accountable? and how would it avoid being influenced by any one government or by other stakeholders?</p>
<p>Next I asked him for examples of common privacy violations that happen to online users. A few he said included identity theft in the form of phishing, which leads to financial frauds, and is one of the most dangerous consequences of privacy breach. Other examples included manipulation of online profiles in social networking sites to cause annoyance, defamation, and coercion; cyber squatting with content which can be misleading; posting of obscene pictures with or without morphing of victim’s photographs to other obscene photographs/pictures; and SPAM – particularly through mobile phones – are all serious forms of privacy violations.</p>
<p>My third question focused on privacy violations and bloggers. How could a blogger’s rights be compromised, especially with a focus on privacy? For bloggers, is privacy important simply to protect their identity and content, or are there other implications for privacy and bloggers? In our research we have looked into ways in which practices such as data retention by ISPs, government/law enforcements’ access to web content including private conversations, and poorly established user control over privacy settings on websites can violate online users’ privacy. According to Vijayashankar, a blogger is mainly concerned about privacy in the context of protecting his identity. It is important for bloggers to protect their identity because the content they create could be considered controversial or illegal in different regions. Thus, it is critical for bloggers to have the right to blog anonymously. An exception to this right is that if the blog is so offensive then the law enforcement agency can take action. In some countries individuals also can sue bloggers. To help protect bloggers from unreasonable and ungrounded searches, Vijayashankar suggested that a mechanism be created by which international and domestic law enforcement agencies can request 'sensitive' information. This mechanism would work to filter and evaluate requests for information without bias, and according to a country’s own domestic law.</p>
<p>I then asked him what legal protections he felt bloggers needed. He said that he believes that it is important that bloggers and online users’ right to anonymity, protection of identity and freedom of expression (political and non-political) are protected from excessive regulations. An interesting point that he raised was about the protection of bloggers from international requests for information. According to him, bloggers can be protected only to the extent to which their rights are protected in their own country. If a request for information comes to a law enforcement agency of a country of which the blogger is a citizen, information may need to be released unless an “asylum” has been granted.</p>
<p>An example of the situation Vijayashankar is referring to is that if a blogger in India writes content that is found to be controversial by the U.S. Government, the U.S. Government then has a right to request and access that information, unless the Indian Government provides protection over the citizen and the information and refuses to release it. Though right to information requests tend to be governmental, this rule changes if it is a citizen requesting information. Very rarely can a citizen of one country request information about a blogger from another country and gain access. The question of international discovery over Internet material is one that has many angles that need to be taken into consideration – a few being: what the content on the blog contained; was the content against an individual or a government; who is requesting the information — a citizen or the government, and whom are they requesting the information from? For example, in the US Supreme Court case, <a class="external-link" href="http://caselaw.lp.findlaw.com/scripts/getcase.pl?navby=search&court=US&case=/us/465/783.html"><em>Calder vs. Jones</em></a> 465 U.S. 783 (1984), information about a woman, Shirley Jones, was published in another state, but the court ruled that the wrongful action was directed to her where she was.</p>
<p>A large part of the debate over bloggers’ rights is centered on governments’ need to monitor online activity. Developments such as the new rules to the IT Act, the Indian Government’s request for BlackBerry’s encryption keys, and the news about the government wiretapping citizens’ phones show that the Government of India is demanding access to see and regulate content created by online users in India. When asked about bloggers’ rights and government access to content, Vijayashankar stressed that there has to be a mechanism to check the requests from government agencies, and any such mechanism should have popular representation. He went on to explain that presently an order for the blocking of a blog or for private information is made by a government agency or a court. Unfortunately, government agencies may be responsive to certain interests. Likewise, decisions of conventional courts can be inconsistent. Therefore, it is important that a mechanism that reflects the common person’s input is put in place. This could either be a stand-alone private body, such as Netizen Protection Agency, acting as one more layer of protection, or the government body itself could build in adequate public representation. Courts would need to recognize such bodies and seek their opinion as an input to any dispute. This is an innovative option, but one that is a radical departure from the view of a court as an impartial tribunal that is supposed to weigh every matter independently on its merits. </p>
<p>Lastly, I asked if a privacy legislation could address the issue at hand, i.e., could a privacy legislation work to protect bloggers’ rights by providing them identity protection and protection of their content, and in general what should be included in a comprehensive privacy legislation? Though India already addresses bloggers’ rights through the Information Technology Act, it could be possible that privacy legislation could establish a third party group to work to protect bloggers’ rights and hold both governments and bloggers accountable. When asked what should be included in a comprehensive privacy legislation, Vijayashankar suggested that it should recognize that privacy rights of individuals are part of the larger interests of the society, and a comprehensive legislation should work to take all the stakeholders into consideration. </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/bloggers-rights-and-privacy'>https://cis-india.org/internet-governance/blog/privacy/bloggers-rights-and-privacy</a>
</p>
No publisher | elonnai | Internet Governance | Privacy | 2012-03-21T09:35:06Z | Blog Entry
The DNA Profiling Bill 2007 and Privacy
https://cis-india.org/internet-governance/blog/privacy/dna-profiling-bill
<b>In 2007 a bill known as the Draft DNA Profiling Bill was piloted by the Centre for DNA Fingerprinting and Diagnostics, an autonomous organization funded by the Department of Biotechnology, Ministry of Science and Technology, Government of India. The below is a background to DNA collection/analysis in India, and a critique of the Bill from a privacy perspective. </b>
<h3>Introduction</h3>
<p>In 2007 a bill known as the Draft DNA Profiling Bill was piloted by the Centre for DNA Fingerprinting and Diagnostics, an autonomous organization funded by the Department of Biotechnology, Ministry of Science and Technology, Government of India[1]. The Bill is pending in parliament. The DNA Profiling Bill looks to legalize the collection and analysis of DNA samples for forensic purposes. We believe that it is important that collection of DNA has associated legislation and regulation, because DNA is sensitive physical evidence that if used correctly can benefit the public good, but if misused can lead to serious privacy and human rights violations. Therefore it is important to create a balance between the constitutional rights of an individual and the public interest and bring accountability and transparency to the practice of DNA collection and testing.</p>
<p>In our research we consulted with GeneWatch UK to learn from their work and experience with DNA testing in the UK. This briefing is meant to give a background on the logistics of DNA testing, highlight ways in which DNA testing raises privacy concerns, and provide a critique of the DNA Profiling Bill.</p>
<h3>Background Facts about DNA and DNA testing:</h3>
<p><br /><strong>What is DNA:</strong> DNA is material that determines a person's hereditary traits such as hair color, eye color, body structure etc. Most DNA is located in the cell nucleus, and wrapped up in small structures called chromosomes. Every person inherits 50% of genetic material from their mother and 50% from their father. Genetic disorders are caused by mutations in a person's DNA, and comparing DNA within families can reveal paternity and non-paternity. DNA is found in every cell of our bodies, and each person has a unique strand of DNA [2]. Thus, DNA is seen as a useful form of identification with marginal room for error [3].</p>
<p><strong>What is a DNA profile/ DNA database, and how can it be used/misused:</strong></p>
<p>When DNA samples are taken from individuals they are analyzed in laboratories to produce a digitized representation of numbers known as a DNA profile. Once created, a DNA profile is stored on a DNA database (i.e. an electronic database) with other identifying information from the individual and information from the crime scene. A DNA profile is based on parts of a person's DNA, so it is not unique to an individual. The probability of an individual's DNA profile matching a stranger's by chance is very small, but not impossible. To collect a sample of DNA police normally use a mouth swab to scrape cells from inside the suspect's cheek. If the individual refuses, their DNA can be obtained by pulling some hairs out of their head (cut hair does not contain DNA, it is only in the roots), if the law allows DNA to be taken without consent. DNA samples are also collected from crime scenes, for example from a blood stain, and analyzed in the same way. DNA samples are sometimes stored indefinitely in the laboratory with a bar code number (or other information) that allows them to be linked back to the individual [3]. Stored DNA profiles from crime scenes can be helpful to exonerate an innocent person who is falsely accused of a crime if their DNA does not match a crime scene DNA profile that is thought to have come from the perpetrator. However, stored DNA profiles from individuals are not needed for exoneration because the individual's DNA can always be tested directly (it does not need to be stored on a database). Collecting DNA profiles from individuals can be useful during an investigation, to compare with a crime scene DNA profile and either exonerate an individual or confirm they are a suspect for the crime. 
Corroborating evidence is always needed because of the possibility of false matches (which can occur by chance or due to laboratory errors) and because there may be an innocent explanation for an individual's DNA being at a crime scene, or their DNA could have been planted there. Storing DNA profiles from individuals on a database is only useful to implicate those individuals in possible future crimes, not to exonerate innocent people, or to solve past crimes. An individual is implicated as a possible suspect for a crime if their stored DNA profile matches a new crime scene DNA profile that is loaded on to the database. For this reason, most countries only store DNA profiles from individuals who have committed serious crimes and may be at risk of re-offending in the future. Stored DNA profiles could in theory be used to track any individual on the database or to identify their relatives, so strict safeguards are needed to prevent misuse [4].</p>
<p><strong>DNA testing in India:</strong></p>
<p>At present, India does not have a national law that empowers the government to collect and store DNA profiles of convicts, but DNA collection and testing is taking place in many states. For instance, in Pune the army is currently considering creating DNA profiles of troops who are involved in hazardous tasks in order to help identify bodies mutilated beyond recognition [5]. In December of this year a judge in the Supreme Court ordered DNA testing on a Congress spokesman to determine if his child was really his child [6]. Also in December this year a news article announced the establishment of the first DNA profiling databank in Nehru Nagar [7]. Additionally, DNA has been used to identify criminals; for instance, in the Tandoor Murder, DNA testing was used to reveal the identity of the culprit [8].</p>
<p>India hosts both private and public DNA labs. Public labs are sponsored by the Government, and use DNA purely for forensic purposes. For example, the Centre for DNA Fingerprinting and Diagnostics (CDFD), located in Hyderabad, is sponsored by the Department of Biotechnology and Ministry of Science. CDFD runs DNA testing for: establishment of parentage, identification of mutilated remains, establishment of biological relationships for immigration, organ transplantation, property inheritance cases, identification of missing children and child swapping in hospitals, identification of rapist in rape cases, identification in the case of murder.</p>
<p>Cases are only accepted by CDFD if they are referred by law enforcement agencies or by a court of law. Only an officer of the rank Inspector of Police or above may forward DNA cases to CDFD. Copies of the DNA report are released to individuals if they are able to prove needed interest in the case through a notarized affidavit [9]. In 2010 CDFD received 100 cases from law enforcing agencies. Additionally, in 2010 CDFD was given rupees eighteen lakhs thirty nine thousand five hundred and forty five from the Government of India towards DNA fingerprinting services [10]. The Indian Government has also established National Facilities for Training in DNA Profiling in order to train individuals in DNA testing and expand the number of DNA examiners and laboratories available in the country [11]. <br /><br />Examples of private DNA labs include DNA labs India and Truth Labs. DNA labs India runs paternity testing, forensic testing, prenatal testing, and genetic testing [12]. Truth Labs is a private lab that provides legal services directly, without a court or police order [13]. </p>
<p><strong>The Complexity of privacy and DNA collection/ testing:</strong><br />As mentioned above, given the personal and sensitive nature of DNA, the use of DNA raises many privacy concerns. The concerns fall into three basic areas: first, if a person has given consent to have his or her DNA used for a specific purpose, must the DNA be destroyed or can it be used for other purposes as well? Related to that, if a person must give consent for a specific purpose, what happens if the person is no longer able to give consent -- if, for example, the person has died? Finally, if the testing of one person's DNA yields information that is likely, or probable, or certain to impact another person, does that person have a right to know the information discovered? There are variations on these questions -- for example, if DNA is permitted to be taken without consent (to test for a crime, perhaps), does that lack of need for consent permit all uses of DNA that others want? Who decides? The complexity of these questions demonstrates that in the situation of DNA collection and testing privacy cannot be protected simply through consent from an individual. Instead the law must permit specific thresholds to be established in order to cover the privacy needs of different situations.</p>
<p><br /><strong>Can DNA evidence be considered self-incriminating evidence?</strong><br />According to the Supreme Court, fingerprinting and other physical evidence is not covered by article 20(3). In the case of State of Bombay v. Kathi Kalu Oghad, the courts addressed the question of whether the freedom against self-incrimination guaranteed under article 20(3) of the Constitution of India – which is meant to protect a person from torture from the police – can be extended to the collection of DNA. The courts answered this question by upholding that <br /> “To be a witness may be equivalent to ‘furnishing evidence’ in the sense of making oral or written statement, but not in the larger sense of the expression so as to include giving of thumb impression or impression of palm or foot or fingers or specimen writing or exposing a part of the body by an accused person for purposes of identification” [14]<br /><br /></p>
<h3>Critique of the DNA Profiling Bill 2007</h3>
<p><br /><strong>Does India already have sufficient legislation? </strong><br />The collection and use of biometrics for identification of criminals legally began in India during the 1920's with the approval of the Identification of Prisoners Bill 1920 [15]. The object of the Bill is to “provide legal authority for the taking of measurements of finger impression, foot-prints, and photographs of persons convicted or arrested…”[16] The Bill is still enforced in India, and in October 2010 was amended by the State Government of Tamil Nadu to include “blood samples” as a type of forensic evidence [17]. Other Indian legislation pertaining to forensic evidence is the CrPC and the Indian Evidence Act. In 2005 section 53A of the CrPC was amended to authorize investigating officers to collect DNA samples with the help of a registered medical practitioner, but the Indian Evidence Act fails to manage science and technology issues effectively [18]. The current statutes for DNA collection in India are not sufficient, as they neglect to lay out precise procedures for collection, processing, storage, and dissemination of DNA samples. 
One question to consider though is if the Prisoners Identification Bill, CrPC, and Indian Evidence Act could be amended to incorporate DNA, and the needed safeguards, as a type of forensic evidence for all of India.<br /><br /><strong>Lack of requirement for additional evidence:</strong> The preamble of the DNA Profiling Bill states that “The Deoxyribose Nucleic Acid (DNA) analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead without any Doubt.” This statement is untrue, as DNA tests can be compromised under many circumstances including: techniques for declaring a match, the proficiency of examiners, laboratory control standards and statistical problems, and DNA samples can become degraded due to age or exposure to chemical or bacterial agents [19]. Because DNA is not foolproof, individuals can be falsely implicated in a crime as a result of an incorrect DNA match. The Bill needs to put in place procedures for the court to recognize the fact that DNA is not 100% foolproof, present the statistics correctly, and require supporting evidence [20]. </p>
<p><br /><strong>Scope for DNA Collection:</strong> The stated object of the DNA Bill is to: “enhance protection of people and administration of justice, analysis of DNA found at the crime scene, establish identity of victim and offender”. The list of offenses and situations in which the collection and testing of DNA is permitted, found in the Schedule of the Bill, provides for the collection of DNA from individuals who are not related to a crime scene, are not victims, and are not criminals. Furthermore, section 13(xxii) allows this list to be expanded by the DNA board. We believe these sections should be omitted from the scope of the Bill, so that it is limited to only identifying individuals who are victims and offenders, and that a statutory body besides the DNA board be given the authority to expand the list of proposed offences [21]. Furthermore, within the Bill there are many places where vague language permits the DNA testing of individuals who are not yet convicted of a crime, which will constitute an invasion of privacy unless the DNA is provided voluntarily to release a person suspected or accused of a crime [22]. Additionally, as mentioned above, it is critical that the Bill recognizes and allows for different thresholds of privacy when collecting, analyzing and sharing DNA profiles. </p>
<p><br /><strong>Clear definition of when collection of DNA samples can be taken:</strong> The schedule of the Bill only lists the offenses and situations for which the collection of DNA is permitted. We believe a provision must be added that clarifies when exactly DNA can be collected, e.g. whether the DNA can be collected on arrest or on charge, whether the DNA has to be relevant to the offence, or whether the police decide this for themselves, and what are the oversight mechanisms for these decisions [23].</p>
<p><strong>Privacy Principles:</strong> The Bill enables the DNA Profiling Board to recommend privacy protection statutes, regulations, and practices concerning: use and dissemination, accuracy, security, and confidentiality, and destruction of DNA information [24]. Privacy principles should not be left to recommendations by the board or to regulations of the Bill, but instead should be incorporated into the Bill itself to ensure that such practices are in place if the Bill is passed. Furthermore, the appropriate collection, access, and retention of DNA information should be specified in this Bill. </p>
<p><strong>Obligations for DNA laboratories:</strong> Section 19 of the Bill lays out the obligations of DNA laboratories [25]. We recommend that the implementation of a privacy policy should be mandatory under this section. </p>
<p><strong>Storage of DNA profiles and samples:</strong> Currently the Bill allows for the complete storage of DNA of: volunteers, suspects, victims, offenders, children (with parental consent), and convicted persons. DNA samples taken from individuals contain unlimited genetic information (including health-related information) and are not needed for identification purposes once the profiles have been obtained from them, thus we recommend that the bill requires that DNA samples be stored temporarily for quality assurance purposes (e.g. for up to six months) and then destroyed to prevent misuse. This is an important privacy protection, which also reduces the cost of storing samples. The only purpose of retaining DNA profiles on a criminal database is to help identify the individual if they reoffend. Thus we recommend that the criminal databases should be restricted to holding DNA profiles only from convicted persons, and the types of offence and time period for retention should be limited. Although DNA profiles may have alternative uses other than solving crimes (e.g. identifying missing persons) we recommend that the missing persons databases are kept separate from criminal databases. Furthermore, although collecting DNA from victims and volunteers may be useful during the investigation of a crime, DNA profiles obtained from victims and volunteers should be destroyed once an investigation is complete. </p>
<p><strong>Conflicting Clauses:</strong> Section 14 of the Bill provides that DNA laboratories can only undertake DNA procedures with the approval, in writing, from the DNA profiling Board. Section 15(2) contradicts this statement by permitting already existing DNA laboratories to function and use DNA already collected even before they receive approval from the DNA profiling Board. We suggest that Section 14 is clearly written so that DNA laboratories that have already been set up are unable to continue functioning until they have met the approval of the DNA Profiling Board, and Section 15(2) should thus be deleted. <strong><br /></strong></p>
<p><strong>Access:</strong> According to section 41 of the Bill, the Data Bank Manager is given sole discretion as to who may have access to the DNA database, including persons given access for training purposes [26]. Low standards such as these vest too much discretion in the Data Bank Manager. We recommend that access is strictly limited to trained personnel who have undergone proper security clearance. Furthermore, we recommend that the role of Data Bank Manager be analogous to a custodian for the databank. Thus, the manager would be accountable for the integrity and security of the data held in the DNA databank.</p>
<p><strong>Offenses:</strong> Though the Bill provides penalties for offenses such as unauthorized access, disclosure, destruction, alterations, and tampering [27], the Bill fails to provide punishment for the illegal collection of DNA samples. This should be made an offense under the Bill.</p>
<p><strong>Redress:</strong> The Bill provides no redress mechanism to an individual whose DNA was illegally used or collected. Furthermore, section 49 (1) only permits the Central Government or DNA Profiling Board to bring complaints to the courts [28]. Thus, we recommend that individuals are enabled to bring charges against entities (such as DNA labs or police officials) for the misuse of their data.</p>
<p><strong>Delegation of powers:</strong> The Bill allows the DNA Profiling Board to form committees of the members and delegate them the powers and functions of the board. This clause could allow outsourcing, and could allow a dilution of authority by which the DNA Profiling Board weighs approval or rejection of requests [29]. We recommend that the outsourcing of functions be limited to administration duties and jobs that do not directly relate to the core duties of the DNA Profiling Board. </p>
<p><strong>Access by law enforcement agencies:</strong> The Bill currently allows for the DNA Profiling Board to grant law enforcement agencies access to DNA profiles [30]. We recommend that DNA profiles are only accessed by the Data Bank Manager. Law enforcement agencies should send requests for matches to the Data Bank Manager, and the Manager would provide the needed intelligence [31].</p>
<p><strong>Public interest:</strong> The Bill allows for DNA laboratories to continue to operate, even if the laboratory has violated the specified procedures, if the DNA Profiling Board finds it in the public interest [32]. We believe that where there have been violations, a laboratory should be required to demonstrate remediation before being allowed to resume operations.</p>
<p><strong>Contamination of DNA samples:</strong> Currently the Bill holds laboratories responsible for “minimizing the contamination of DNA.”[33] DNA Laboratories should be held fully and legally responsible for preserving the quality of DNA samples. If a DNA sample is contaminated, the DNA lab does not follow due diligence to discard the contaminated sample and/or collect a new sample, and the DNA is subsequently used wrongly against an individual, that individual should have the ability to press charges against the institution.</p>
<p><strong>Audits:</strong> The Bill provides for the auditing of DNA laboratories, but the DNA Profiling Board must also undergo annual audits [34].</p>
<p><strong>Indices Held by DNA Banks:</strong> Under section 33 (4), (5), the Bill provides for the DNA data bank to set up indices that hold DNA identification records and DNA analysis from: crime scenes, suspects, offenders, missing persons, unknown deceased persons, volunteers and such other indexes as specified by regulations. We believe the DNA data bank should not hold indexes on suspects, missing persons, or volunteers without consent and the ability for the individual to withdraw their consent. Furthermore, the Bill requires the taking of a victim’s DNA, but it is not listed as an index. We recommend that this section be deleted, as the creation of a DNA index is simply another copy of a DNA profile, and it does not serve a particular purpose.</p>
<p><strong>Communicating of DNA Profile with Foreign States: </strong>Section 35 permits, with the approval of the Central Government, the sharing of DNA profiles with Foreign States [35]. We recommend that communication and use of a DNA profile with Foreign States should be limited to comparison only. </p>
<p><strong>Access to Data Banks for administration purposes:</strong> Section 39 of the Bill permits access to the databank for “administrative purposes”. We recommend that the Bill clarify what exactly constitutes “administrative purposes”, and clarify that the process/procedures that permit access to data banks for administration purposes will not require access to data stored in Data Banks [36].</p>
<p><strong>Enforcement for the removal of innocents: </strong>Section 36(3) of the Bill requires that the DNA profile of individuals who are found innocent be removed from the database. This provision should have legal mechanisms to ensure enforcement of the provision e.g. reporting by the Board [37].</p>
<p><strong>Ability to access one’s own DNA Profile:</strong> A provision should be added to the Bill that gives individuals the right to ask the police for any of their own details held on police databases, so an individual has the ability to know if their data is being held against the law [38].</p>
<p><strong>Clear Definition of identity: </strong>Section 33(6)(i) maintains that the DNA Data Bank will contain in relation to each of the DNA profiles… the “identity of the person”. The Bill needs to define what “identity” is and how “identifying” information can be used. Furthermore, it is important to ensure that no other information (like an identity number) that would allow for function creep is included in the DNA database [39].</p>
<p><strong>Transparency of the DNA board: </strong>Section 13 of the Bill describes the powers and functions of the DNA Board. In this section the DNA board should be required to publish and submit minutes and annual reports, including detailed information on how it has exercised all its functions, to the public and to Parliament. The report should include: numbers of profiles added to the database; numbers removed on acquittal; numbers of matches and solved crimes; costs; numbers of quality assurance inspections; and breakdowns of these figures by state [40].</p>
<p><strong>Restricted use of DNA database:</strong> Section 39 (1) of the Bill permits the DNA database to be used for identification purposes that are not related to solving a crime, including the “identification of victims of: accidents, disasters or missing persons or for such other purposes”. The DNA database should be restricted to the identification of a perpetrator of a specified criminal offence, and consent or a court order must be sought for any other use of the database for identification purposes.</p>
<p><strong>Probability of error published:</strong> Because profiles found in the DNA database comprise only parts of an individual's DNA, the profiles are not unique to individuals. Thus, the number of false matches that are expected to occur by chance between crime scene DNA profiles and stored individuals' profiles depends on the profiling system used, how complete the crime scene DNA is before it is added to the database (many crime scene DNA stains are degraded and not complete), and how many comparisons are done (i.e. how big the database is and how often it is searched). With a population the size of India, the number of these false matches could be very high. The DNA board needs to take this probability for error into consideration and publish researched statistics on how many false matches they expect to occur purely by chance, based on the numbers of profiles they expect to store under the proposed criteria for entry and removal of profiles [41].</p>
<p><strong>Cost analysis:</strong> The DNA board should publish a cost-benefit analysis for the implementation of the Bill. This should include the cost of storing samples, collecting samples, and testing samples [42].</p>
<h3>Bibliography</h3>
<ol>
<li>http://www.cdfd.org.in/</li>
<li>http://ghr.nlm.nih.gov/handbook/basics/dna</li>
<li>Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007. Pg. 6, 22</li>
<li>Ibid email conversation with Dr. Wallace from Genewatch UK April 2nd 2002</li>
<li>http://articles.timesofindia.indiatimes.com/2011-01-02/india/28371869_1_dna-data-bank-blood-samples-bodies</li>
<li>http://www.merinews.com/article/justice-s-rabindra-bhatt-orders-dna-test-for-nd-tiwari/15838508.shtml</li>
<li>http://www.dnaindia.com/mumbai/report_nehru-nagar-first-region-in-country-to-have-dna-profiling-database_1477211</li>
<li>Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007. Pg. 263</li>
<li>http://www.cdfd.org.in/servicespages/dnafingerprinting.html</li>
<li>Ibid. http://www.cdfd.org.in/image/AR_2009_10.pdf</li>
<li>http://planningcommission.nic.in/plans/planrel/fiveyr/11th/11_v1/11v1_ch8.pdf</li>
<li>http://www.dnalabsindia.com/</li>
<li>http://www.truthlabs.org/</li>
<li>AIR 1961 SC 1808</li>
<li>The Prisoners Identification Bill was most recently amended 1981</li>
<li>http://lawcommissionofindia.nic.in/51-100/report87.pdf</li>
<li>http://www.tn.gov.in/stationeryprinting/extraordinary/2010/305-Ex-IV-2.pdf</li>
<li>Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007. Pg. 259</li>
<li>Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007. Pg. 245</li>
<li>Email conversation with Dr. Wallace from Genewatch UK. April 2nd</li>
<li>Schedule of offenses 5) Miscarriage or therapeutic abortion, b. Unnatural offenses, 7) Other criminal offenses b. Prostitution 9) Mass disaster b) Civil (purpose of civil cases) c. Identification purpose 10) b) Civil:1) Paternity dispute 2) Marital dispute 3) Infidelity 4) Affiliation c) Personal Identification 1) Living 2) Dead 3) Tissue Remains d)</li>
<li>2 (xxvii) “offender” means a person who has been convicted of or is under trial charged with a specified offense. 2(1)(vii) “crime scene index” means an index of DNA profiles derived from forensic material found: (a) at any place (whether within or outside India) where a specified offense was, or is reasonably suspected of having been, committed; or (b) on or within the body of the victim, or a person reasonably suspected of being a victim, of an offense (DNA Profiling Bill)</li>
<li>Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007. Pg. 291</li>
<li>Section (1) (xv) –(xvi) of DNA Profiling Bill</li>
<li>Section 19 of DNA Profiling Bill</li>
<li>Section 41(i) (ii) of DNA Profiling Bill</li>
<li>Section 45, and section 46 of DNA Profiling Bill</li>
<li>Section 49 (1) of DNA Profiling Bill</li>
<li>Section 52 (2) The DNA Profiling Board may, by a general or special order in writing, also form committees of the members and delegate to them the powers and of the Board as may be specified by the regulations.</li>
<li>Section 13(x), Section(2) The DNA Profiling Board may, by a general or special order in writing, also form committees of the members and delegate to them the powers and functions of the Board as may be specified by the regulations.</li>
<li>Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007. Pg. 300</li>
<li>Section 17 (2) of DNA Profiling Bill</li>
<li>Section 22 of DNA Profiling Bill</li>
<li>Section 28 of DNA Profiling Bill</li>
<li>Section 35 (1) of DNA Profiling Bill</li>
<li>Section 39 of DNA Profiling Bill</li>
<li>http://www.genewatch.org/sub-539478</li>
<li>http://www.genewatch.org/sub-539478</li>
<li>http://www.genewatch.org/article.shtml?als[cid]=492860&als[itemid]=567376</li>
<li>Email conversation with Dr. Wallace from Gene Watch UK April 2nd</li>
<li>Standard setting and quality regulation in forensic science. GeneWatch UK submission to the Home Office Consultation. October 2006.</li>
<li>Standard setting and quality regulation in forensic science. GeneWatch UK submission to the Home Office Consultation. October 2006.</li>
</ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/dna-profiling-bill'>https://cis-india.org/internet-governance/blog/privacy/dna-profiling-bill</a>
</p>
No publisher | elonnai | Internet Governance | Privacy | 2012-03-21T09:40:56Z | Blog Entry