Centre for Internet and Society

The Centre for Internet and Society - Bulletin - July '11

praskrishna — 2011-08-19T06:43:57Z

Greetings from the Centre for Internet and Society! In this issue we are pleased to present you the latest updates about our research, upcoming events, and news and media coverage. Subscribe to our newsletter and get monthly updates in your inbox and read it at your convenience. The newsletter issue of June 2011 can be accessed here! Click below to download previous issues.

Researchers@Work

RAW is a multidisciplinary research initiative. CIS believes that in order to understand the contemporary concerns in the field of Internet and society, it is necessary to produce local and contextual accounts of the interaction between the Internet and socio-cultural and geo-political structures. To build original research knowledge base, the RAW programme has been collaborating with different organisations and individuals to focus on its three year thematic of Histories of the Internets in India. Six monographs Rewiring Bodies, Archive and Access, Pornography and the Law, The Leap of Rhodes or, How India Dealt with the Last Mile Problem - An Inquiry into Technology and Governance, Transparency and Politics and Internet, Society and Space in Indian Cities are published online and will be launched later this year.

# New Blog Entry

CEPT to Set up Centre to Research Role of Internet in Social Development [Published in the Indian Express on June 18, 2011]

# Upcoming Event in CEPT, Ahmedabad

Locating Internets: Histories of the Internet(s) in India — Research Training and Curriculum Workshop: Call for Participation [Deadline for submission – 15 July 2011; Workshop from 19 to 22 August 2011]

* Digital Natives*

Digital Natives with a Cause? is a knowledge programme initiated by CIS and Hivos, Netherlands. It is a research inquiry that seeks to look at the changing landscape of social change and political participation and the role that young people play through digital and Internet technologies, in emerging information societies. Consolidating knowledge from Asia, Africa and Latin America, it builds a global network of knowledge partners who want to critically engage with the dominant discourse on youth, technology and social change, in order to look at the alternative practices and ideas in the Global South. It also aims at building new ecologies that amplify and augment the interventions and actions of the digitally young as they shape our futures.

# The Digital Natives Newsletter

The Digital Dinosaurs [Volume 5]

* Pathways*

HE Cell's initiative on social justice, in collaboration with CIS, has initiated the Pathways Project for Learning in Higher Education. It is supported by the Ford Foundation. Under this project, nine under-graduate colleges in different parts of India will be identified to provide special skills in livelihood, knowledge and technology to underprivileged students in those colleges.

# New Blog Entry

Pathways for Learning in Higher Education

Accessibility

Estimates of the percentage of the world's population that is disabled vary considerably. But what is certain is that if we count functional disability, then a large proportion of the world's population is disabled in one way or another. At CIS we work to ensure that the digital technologies, which empower disabled people and provide them with independence, are allowed to do so in practice and by the law. To this end, we support web accessibility guidelines, and change in copyright laws that currently disempower the persons with disabilities.

# New Blog Entries

Policy Spotlight: 21st Century Communications and Video Accessibility Act [Written by Deepti Bharthur; contains an e-mail interview with Jenifer Simpson, Senior Director for Government Affairs and head of the Telecommunications & Technology Policy Initiative at the American Association of People with Disabilities ]
ICT Accessibility in Sri Lanka [Written by Nirmita Narasimhan]

Intellectual Property

CIS believes that access to knowledge and culture is essential as it promotes creativity and innovation and bridges the gaps between the developed and developing world positively. Hence, the campaigns for an international treaty on copyright exceptions for print-impaired, advocating against PUPFIP Bill, calls for the WIPO Broadcast Treaty to be restricted to broadcast, questioning the demonization of 'pirates', and supporting endeavours that explore and question the current copyright regime.

# Statement

Statement of CIS, India, on the WIPO Broadcast Treaty at the 22nd SCCR

# New Blog Entry

Putting a Lid on Royalty Outflows — How the RBI can Help Reduce your IP Costs [Written by Sanjana Govil]

Openness

CIS believes that innovation and creativity should be fostered through openness and collaboration and is committed towards promotion of open standards, open access, and free/libre/open source software.

# Submission

Comments on the draft National Data Sharing and Accessibility Policy [submitted to the National Spatial Data Infrastructure]

# Comments

Comments on Draft National Policy on ICT in School Education

Internet Governance

Although there may not be one centralized authority that rules the Internet, the Internet does not just run by its own volition: for it to operate in a stable and reliable manner, there needs to be in place infrastructure, a functional domain name system, ways to curtail cyber crime across borders, etc. The Tunis Agenda of the second World Summit on the Information Society (WSIS), paragraph 34 defined Internet governance as "the development and application by governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet."

# New Articles

The Present — and Future — Dangers of India's Draconian New Internet Regulations [By Anja Kovacs in the Caravan on June 1, 2011]
Big Brother is Watching You [By Sunil Abraham in Deccan Herald on June 1, 2011]
The Digital is Political [By Nishant Shah in Down to Earth, Issue of June 15, 2011]
Do You Want to be Watched? [By Sunil Abraham in Pragati on June 8, 2011]
Snooping Can Lead to Data Abuse [By Sunil Abraham in Mail Today on June 9, 2011]
Privacy and Security Can Co-exist [By Sunil Abraham in Mail Today on June 21, 2011]

Columns in Indian Express
Nishant Shah, Director-Research is writing a series of columns on Internet and Society issues:

Say 'Password' in Hindi [By Nishant Shah in the Indian Express, May 15, 2011]

# Upcoming Event

Socio-financial Online Networks: Globalizing Micro-Credit through Micro-transactional Networked Platforms – A Public Lecture by Radhika Gajalla [at the Centre for Internet and Society, Bangalore, July 8, 2011]

CIS is doing a project, ‘Privacy in Asia’. It is funded by Privacy International (PI), UK and the International Development Research Centre, Canada and is being administered in collaboration with the Society and Action Group, Gurgaon. The two-year project commenced on 24 March 2010 and will be completed as agreed to by the stakeholders. It was set up with the objective of raising awareness, sparking civil action and promoting democratic dialogue around challenges and violations of privacy in India. In furtherance of these goals it aims to draft and promote over-arching privacy legislation in India by drawing upon legal and academic resources and consultations with the public.

# Featured Research

# New Articles

A Street View of Private and the Public [By Prashant Iyengar in Tehelka on June 4, 2011]
The new Right to Privacy Bill 2011 — A Blind Man's View of the Elephunt [By Prashant Iyengar in Privacy India website on June 8, 2011]

# New Blog Entry

Bloggers' Rights Subordinated to Rights of Expression: Cyber Law Expert

# Event Organised in Guwahati

Privacy matters [Donbosco Institute, Kharguli, Guwahati, June 23, 2011]
Privacy Matters - A Public Conference in Hyderabad [The English and Foreign Languages University (TBC), Hyderabad, June 18, 2011]

# Upcoming Events

Internet Surveillance Policy: “…the second time as farce?” – A Public Lecture by Caspar Bowden [TERI, Bangalore, June 27, 2011]
Privacy Matters - A Public Conference in Hyderabad [Osmania University Center for International Program, Hyderabad, July 9, 2011]

Telecom

The growth in telecommunications in India has been impressive. While the potential for growth and returns exist, a range of issues need to be addressed for this potential to be realized. One aspect is more extensive rural coverage and the second aspect is a countrywide access to broadband which is low at about eight million subscriptions. Both require effective and efficient use of networks and resources, including spectrum. It is imperative to resolve these issues in the common interest of users and service providers. CIS campaigns to facilitate this:

# Articles by Shyam Ponappa

Shyam Ponappa is a Distinguished Fellow at CIS. He writes regularly on Telecom issues in the Business Standard and these articles are mirrored on the CIS website as well.

NTP 2011 Objective: Broadband [published in the Business Standard on June 2, 2011]

* Miscellaneous *

# Technology, Transparency and Accountability: A Bar-Camp in Delhi [June 5, 2011, Delhi]

Communication Policy Advocacy, Technology, and Online Freedom of Expression: A Toolkit for Media Development [June 20 – July 1, 2011, Budapest, Hungary]

News & Media Coverage

Your cyber space is a hackers paradise [Mail Today, June 6, 2011]
Centaur website reveals guests' personal info [Times of India, June 20, 2011]
Mumbai Takes Note of Sexting, the Seamier Side of Texting [Times of India, June 19, 2011]
Look what the state just did to you [Mid Day, June 12, 2011]
Tough neighbourhood tests India's e-tolerance [Times of India, June 12, 2011]
India Weighing Looser Web Rules [Wall Street Journal, May 30, 2011]
Public data on the Web leaves much to be desired [Hindu, May 28, 2011]
What documents will you need, to get UID? [CitizenMatters.in, May 28, 2011]
Mobile education comes to villages [Mail Today, May 27, 2011]
Google now stalks your street [Hindu, May 27, 2011]
Women in love with Facebook [Deccan Herald, May 27, 2011]
Google Unveils Controversial Street View Mapping in B’lore [Economic Times, Mumbai, May 27, 2011]
NGOs say eG8 report must stress internet rights [TELECOMPAPER, May 26, 2011]

* Follow us Elsewhere*

Get short, timely messages from us on Twitter
Follow CIS on identi.ca
Join the CIS group on Facebook
Visit us at www.cis-india.org

CIS is grateful to Kusuma Trust which was founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin, for its core funding and support for most of its projects.

Internet Surveillance Policy: “…the second time as farce?” – A Public Lecture by Caspar Bowden

praskrishna — 2011-09-08T03:19:35Z

The Centre for Internet and Society, Bangalore, invites you to a public lecture by Caspar Bowden*, the Chief Privacy Adviser of Microsoft’s Worldwide Technology Office, on Internet Surveillance Policy: “…the second time as farce?

Abstract

In 2000, as Director of the independent think-tank, "Foundation for Information Policy Research", Caspar led a campaign to revise several aspects of a new comprehensive UK law governing electronic surveillance ("the RIP Act"). UK legislated in this area many years before most other countries, and the approach was widely criticized although some amendments were achieved. After a hiatus of a decade, many Commonwealth countries are now copying the RIP law (evidently unaware of the original controversies over its defects). Caspar will discuss the legal-technical intricacies of such legislation, the underlying policy dilemmas, the background context of the failed 1990s policy of “key escrow”, and the subsequent privacy catastrophe of blanket retention of the “traffic data” of all of the 500m citizens of the EU.

Caspar Bowden

Caspar Bowden is Microsoft's Worldwide Technology Officer for Privacy, providing advice on technology policy matters concerning privacy in over 40 countries, with particular focus on Europe and regions with horizontal privacy law. His goal is to ensure that users of Microsoft products and services are in control of their personal data and that fair information practices are respected. He is a specialist in data protection policy, privacy enhancing technology research, identity management and authentication.

Earlier he was the director of the Foundation for Information Policy Research and was also an expert adviser to the UK Parliament for the passage of three bills concerning privacy issues, and was co-organizer of the influential Scrambling for Safety public conferences on UK encryption and surveillance policy. His previous career over two decades ranged from investment banking (proprietary trading risk-management for option arbitrage), to software engineering (graphics engines and cryptography), including work for Goldman Sachs, Microsoft Consulting Services, Acorn, Research Machines, and IBM.

Who should attend?

This public talk aims to engage in a dialogue with anybody interested in questions of technology, surveillance, policy and the politics of Internet based governance. Students, research scholars, academics, practitioners, those in the business of technology development, design and study, are invited to attend the lecture that approaches the issue from different angles of technology, society and politics.

Entry: Free; Limited Seating

Registration recommended: prasad@cis-india.org

For additional info click here [PDF, 521 kb]

* Caspar is speaking in his private capacity and his remarks do not necessarily reflect any official Microsoft position

Videos

For more details visit https://cis-india.org/events/internet-surveillance-policy-lecture

Privacy and Security Can Co-exist

sunil — 2012-03-21T09:05:57Z

The blanket surveillance the Centre seeks is not going to make India more secure, writes Sunil Abraham in this article published in Mail Today on June 21, 2011.

TODAY, the national discourse around the “ right to privacy” posits privacy as antithetical to security.

Nothing can be farther from the truth. Privacy is a necessary but not sufficient condition for security. A bank safe is safe only because the keys are held by a trusted few. No one else can access these keys or has the ability to duplicate them. The 2008 amendment of the IT Act and their associated rules notified April 2011 propose to eliminate whatever little privacy Indian netizens have had so far. Already as per the Internet Service Provider ( ISP) licence, citizens using encryption above 40- bit were expected to deposit the complete decryption key with the Ministry of Communications and Information Technology. This is as intelligent as citizens of a neighbourhood making duplicates of the keys to their homes and handing them over at the local police station.

Surveillance

Surveillance in any society is like salt in cooking — essential in small quantities but completely counter- productive even slightly in excess. Blanket surveillance makes privacy extinct, it compromises anonymity, essential ingredients for democratic governance, free media, arts and culture, and, most importantly, commerce and enterprise. The Telegraph Act only allowed for blanket surveillance as the rarest of the rare exception. The IT Act, on the other hand, mandates multitiered blanket surveillance of all lawabiding citizens and enterprises.

When your mother visits the local cybercafe to conduct an e- commerce transaction, at the very minimum there are two levels of blanket surveillance. According to the cyber- cafe rules, all her transaction logs will be captured and stored by the operator for a period of one year. This gentleman would also have access to her ID document and photograph. The ISPs would also store her logs for two years to be in compliance with the ISP licence ( even though none of them publish a data- retention policy). Some e- commerce website, to avoid liability, will under the Intermediary Due Diligence rules also retain logs.

Data retention at the cyber- cafe, by the ISP and also by the application service provider does not necessarily make Indian cyberspace more secure. On the contrary, redundant storage of sensitive personal information only opens up multiple points of failure and leaks — in the age of Nira Radia and Amar Singh no sensible bank would accept such intrusion into their core business processes.

Surveillance capabilities are not a necessary feature of information systems.

They have to be engineered into these systems. Once these features exist they could potentially serve both the legally authorised official and undesirable elements.

Terrorists, cyber- warriors and criminals will all find systems with surveillance capabilities easier to compromise.

In other words, surveillance compromises security at the level of system design. There were no Internet or phone lines in the Bin Laden compound — he was depending on a store and forward arrangement based on USB drives. Do we really think that registration of all USB drives, monitoring of their usage and the provision of back doors to these USBs via a master key would have led the investigators to him earlier?

Myth

Increase in security levels is not directly proportional to an increase in levels of surveillance gear. This is only a myth perpetuated by vendors of surveillance software and hardware via the business press. You wouldn't ask the vendors of Xray machines how many you should purchase for an airport, would you? An airport airport with 2,000 X- ray machines is not more secure than one with 20. But in the age of UID and NATGRID, this myth has been the best route for reaching salestargets using tax- payers’ money.

Surveillance must be intelligent, informed by evidence and guided by a scientific method. Has the ban on public WiFi and the current ID requirements at cyber- cafes led to the arrest of terrorists or criminals in India? Where is the evidence that more resource hungry blanket surveillance is going to provide a return on the investment? Unnecessary surveillance is counter- productive and distracts the security agenda with irrelevance.

Finally, there is the question of perception management. Perceptions of security do not only depend on reality but on personal and popular sentiment. There are two possible configurations for information systems — one, where the fundamental organising principle is trust and second, where the principle is suspicion.

Systems based on suspicion usually give rise to criminal and corrupt behaviour.

Perception

If the state were to repeatedly accuse its law- abiding citizens of being terrorists and criminals it might end up provoking them into living up to these unfortunate expectations. If citizens realise that every moment of their digital lives is being monitored by multiple private and government bodies, they will begin to use anonymisation and encryption technology round the clock even when it is not really necessary. Ordinary citizens will be forced to visit the darker and nastier corners of the Internet just to download encryption tools and other privacy enabling software. Like prohibition this will only result in further insecurity and break- down of the rule of law.

The writer is executive director of the Bangalore- based Centre for Internet and Society.

Read the original published in Mail Today here

For more details visit https://cis-india.org/internet-governance/blog/privacy-and-security

Snooping Can Lead to Data Abuse

sunil — 2012-03-21T10:39:22Z

THE NATGRID, aiming to link databases of 21 departments and ministries for better counter- terror measures, adopts blunt policy approach, subjecting every citizen to the same level of blanket surveillance, instead of a targeted approach that intelligently focuses on geographic or demographic areas that are currently important.

All you manage to do with the current approach help software, hardware and biometric equipment vendors achieve their sales targets. It is quite unlikely that security agencies will learn anything insightful by putting everybody under the same degree of surveillance. There is no scientific evidence to show that we will be a safer nation if the government eavesdropped into all aspects of a citizen’s life. Targeted surveillance, on the other hand, is like good old- fashioned detective work. Put a particular section — of potential troublemakers — under surveillance and leave the others alone.

With round- the- clock, 100- per cent, 360- degree surveillance, all the data is scrutinised all the time. The more effective approach is to sample and collect data while maintaining data trails. If anything suspicious is noticed, the rest of the trail can be dug up. Blanket surveillance only leads to leaks and abuse and tremendous distraction. The surveillance infrastructure will be overburdened as 99 per cent of the records and files scanned will be of no interest terms of fighting terrorism, etc.

The 21 databases need to be opened only when there is anything suspicious in any of the extracted and scrutinised samples or subsets. If there is a suspicious pattern, it should lead to opening of subsets in all the databases. Obviously, there should be ways in which the databases can talk to each other — demand for a particular subset, and not for all the records to be available to agencies all the time.

The NATGRID has to be able to let investigators selectively go in and out of the necessary subsets data. No one should be able to have a 360 degree view of all activities of all Indians. AS OF now, the NATGRID design does not appear to have a safeguard for data abuse. And no matter what you see Hollywood movies, this configuration does not exist in Europe or the US. Two important forms of protections that should be available in democracies with robust privacy laws are missing in India. The first is breach notification.

If intelligence agencies and the police have looked up your files, you have a right to be informed. Secondly, you can request for a copy of the information that is maintained on you and request modifications if the data is inaccurate, so as to prevent harassment. Such checks and balances are necessary an intelligent and appropriate surveillance regime.

Merging all 21 databases for 1.2 billion people into a single system only provides a juicy target for any internal or external enemy. From the perspective national security, it is a foolish thing to do. Terrorist groups will be able to target a single failure point destroy over a billion lives. Since the current configuration of the NATGRID only undermines national security, one is forced conclude that national security is a false pretext.

This explains the deep scepticism among many the intelligence agencies involved. The real purpose of the project is to scare citizens in the age of Arab springs. The NATGRID is a disciplinary measure aimed at social engineering of citizens’ behaviour. Unfortunately, our media has been misled by the corporate cheerleaders of this humongous waste of money.

The writer is executive director at the Centre for Internet and Society in Bangalore.
( As told to Max Martin)

Follow on Mail Today

Download the original here

For more details visit https://cis-india.org/internet-governance/blog/snooping-to-data-abuse

The New Right to Privacy Bill 2011 — A Blind Man's View of the Elephunt

Prashant Iyengar — 2012-02-29T05:45:41Z

Over the past few days various newspapers have reported the imminent introduction in Parliament, during the upcoming Monsoon session, of a Right to Privacy Bill. Since the text of this bill has not yet been made accessible to the public, this post attempts to grope its way – through guesswork – towards a picture of what the Bill might look like from a combined reading of all the newspaper accounts, writes Prashant Iyengar in this blog post which was posted on the Privacy India website on June 8, 2011.

I am relying entirely on the following three newspaper accounts in the Times of India, the Hindu and the Deccan Chronicle.

A Constitutional/Fundamental Right?

The Times of India piece which broke the story seems to have misunderstood/misquoted Law Minister Veerappa Moily. The article is titled “Right to privacy may become fundamental right” which connotes a constitutional amendment. However this is inconsistent with the later portions of the same article as well as subsequent newspaper accounts in DC and the Hindu. So its safe to assume that this will not be a fundamental right to privacy, but a statutory right to privacy – like what the Right to Information Act grants us.

Preamble

I’m extrapolating here from the Hindu article:

"To provide for such a right [of privacy] to citizens of India AND to regulate collection, maintenance, use and dissemination of their personal information."

So it’s an omnibus Privacy and Data Protection Law that’s being passed. How nice. This addresses some of the misgivings that we had last year against the "Approach Paper on Privacy" released by the Department of Personnel and Training.

Definition of ‘Right to Privacy’

The Hindu article appears to quote directly from the Bill.

Every individual shall have a right to his privacy — confidentiality of communication made to, or, by him — including his personal correspondence, telephone conversations, telegraph messages, postal, electronic mail and other modes of communication; confidentiality of his private or his family life; protection of his honour and good name; protection from search, detention or exposure of lawful communication between and among individuals; privacy from surveillance; confidentiality of his banking and financial transactions, medical and legal information and protection of data relating to individual.

This is a wonderfully expansive definition of the right to privacy which spans diverse areas including privacy of communications, reputational privacy, bodily/physical privacy, confidentiality, privacy of records and data protection. I’m especially pleased that this section does not limit this right to privacy only to claims against the state (as in the Right to Information Act).

The Deccan Chronicle article contains a slightly different definition of 'right to privacy' under the Bill. Here the right to privacy includes "confidentiality of communication, family life, bank and health records, protection of honour and good name and protection from use of photographs, fingerprints, DNA samples and other samples taken at police stations and other places."

This wording is slightly more granular, but less broad. I’m wondering if it is a part of the same section, or a different one entirely.

Interception

What is most interesting is the attempt made in this Bill at harmonization of interception rules across all modes of "communication". (Currently there are different rules/procedures that followed depending on the mode of communication used – Indian Post Act, Telegraph Act, IT Act.)

Here are some of the sweeping changes sought to be introduced:

The bill prohibits interception of communications except in certain cases with approval of Secretary-level officer – not below the rank of home secretary at the Central level and home secretaries in state governments
Mandatory destruction of intercepted material by the service provider within two months of discontinuance of interception.
Constitution of a Central Communication Interception Review Committee (CCIRC) to examine and review all interception orders passed (under all Acts?).
CCIRC empowered to order destruction of material intercepted under the Telgraph Act.
"unauthorised interception" (by whom?) punishable with a maximum of five years’ imprisonment, or a fine of Rs 1 lakh, or both, for each such interception. This makes it a cognizable, non-bailable offense.
Disclosure of legally intercepted communication by “government officials, employees of service providers and other persons” will be punishable with imprisonment up to three years. (It is unclear whether this will be a cognizable offence or not)

Data Protection

The Bill adds muscle to the newly introduced Data Protection Rules under the IT Act, by creating an overarching statutory regime for Data Protection.

Thus, the bill forbids "any person having a place of business in India but has data using equipment located in India" from collecting or processing, using or disclosing "any data relating to individual to any person without consent of such individual". I assume that there will be exceptions to this section. The wording of this section seems to preclude its application to the government (unless you can interpret the ‘government’ to mean ‘a person having a place of business in India’. I have no views on the likelihood of that argument.

The bill evidently authorizes the establishment of an oversight body called “Data Protection Authority of India” that will investigate complaints about alleged violations of data protection. The following appear to be the functions of this body

to monitor development in data processing and computer technology;
to examine law and to evaluate its effect on data protection
to give recommendations and to receive representations from members of the public on any matter generally affecting data protection.
to investigate any data security breach and issue orders to safeguard the security interests of affected individuals whose personal data has or is likely to have been compromised by such breach.

Video Surveillance

The bill includes a very interesting prohibition on "closed circuit television or other electronic or by any other mode", except in certain cases as per the specified procedure.

No further details are provided about the exceptions or the procedure and one expects the devil to be in the details.

Bodily Privacy

The bill prohibits "surveillance by following a person".

This innocuously worded provision has the potential to effect sweeping changes in the criminal administration of this country (if it is even applicable to the state police machinery) . Currently, Police Acts in the various states contain no provisions that enable a person to challenge the surveillance imposed on them. This new section could provide a powerful new shield to the victims of police harassment.

Impersonation and Financial Fraud

In a section apparently dealing with identity theft, the Bill criminalises inter alia "posing as another person when apprehended for a crime" and "using another’s identity to obtain credit, goods and services".

I think the first (at least) is unnecessary since it is already covered by the crime of Impersonation under the IPC.

Residual

A curious provision appears to be a fine imposed on “any persons who obtain any record of information concerning an individual from any officer of the government or agency under false pretext”. Such a person shall be punishable with a fine of up to Rs. 5 lakh.(unclear whether there is a term of imprisonment in addition).

It will be interesting to see how this section conflicts with the Right to Information under which no 'pretext' need be given to the public authority.

I also think it is ill-conceived to penalise the person obtaining the record of information – the government body in custody of the information should be made more responsible in scrutinizing the 'pretext' before handing over such information.

Tailpiece

That’s all I can make out from the three articles referenced. Looks like it’s going to be a really interesting bill. I’m optimistic about it for the sincere attempt it appears to make to grapple with the protean nature of Privacy concerns we encounter. Veerappa Moily has claimed that this bill will be introduced in the monsoon session in July but has also cautioned that "it’s difficult to commit the timeframe". I think we should make haste slowly with this Bill and hope that the Law Ministry will have the wisdom to solicit public comment before introducing it in Parliament.

I’d greatly appreciate someone sending me a copy of the bill if you have access to it.

Read the article published on the Privacy India website here.

For more details visit https://cis-india.org/internet-governance/blog/privacy/new-right-to-privacy-bill

Do You Want to be Watched?

sunil — 2012-03-21T09:11:45Z

The new rules under the IT Act are an assault on our freedom, says Sunil Abraham in this article published in Pragati on June 8, 2011.

Privacy is a necessary but not sufficient condition for security. A bank safe is safe only because the keys are held by a trusted few. No one else can access these keys or has the ability to duplicate them. The 2008 Amendment of the Information Technology (IT) Act and their associated rules notified April 2011 proposes to eliminate whatever little privacy Indian netizens have had so far. Already as per the internet service provider (ISP) license, citizens using encryption above 40-bit were expected to deposit the complete decryption key with the Ministry of Communications and Information Technology. This is as intelligent as citizens of a neighbourhood making duplicates of the keys to their homes and handing them over at the local police station. With the IT Act’s latest rules things get from bad to worse. (For an analysis of the new rules under the IT Act, see the In Parliament section of this issue).

Now imagine my daughter visits the neighborhood cybercafe, the manager would now be entitled to scan her ID document and take a photograph of her using his own camera. He would also be authorised to capture her browser history including unencrypted credentials and authentication factors. He would then store this information for a period of one year and provide them to any government entity that sends him a letter. He could continue to hold on to the files as there would be no clear guidelines or penalties around deletion. The ISP that provides connectivity to the cybercafe would store a copy of my daughter’s Internet activities for two years. None of our ISPs publish or provide on request a copy of their data retention policies.

Now suppose my daughter used an online peer-production like Wikipedia or social-media platform like MySpace to commit an act of blasphemy by drawing fan-art for her favorite Swedish symphonic black metal band. A neo-Pentecostal Church sends a takedown notice to the website hosting the artwork. Unfortunately, this is a fringe Web 2.0 platform run by Indian entrepreneur who happens to be a friend of yours. When the notice arrived, our entrepreneur was in the middle of a three-week trek in the Himalayas. Even though he had disabled anonymous contributions and started comprehensive data retention of user activity on the site, unfortunately he was not able to delete the offending piece of content within 36 hours. If the honourable judge is convinced, both your friend and my daughter would be sitting in jail for a maximum of three years for the newly christened offence of blasphemous online speech.

You might dismiss my misgivings by saying “after all we are not China, Saudi Arabia or Myanmar”, and that no matter what the law says we are always weak on implementation. But that is completely missing the point. The IT Act appears to be based on the idea that the the Indian public can be bullied into self-censorship via systemic surveillance. Employ tough language in the law and occasionally make public examples of certain minor infringers. There have been news reports of young men being jailed for using expletives against Indian politicians or referring to a head of state as a “rubber stamp.” The message is clear—you are being watched so watch your tongue.

Surveillance capabilities are not a necessary feature of information systems. They have to be engineered into these systems. Once these features exists, they could potentially serve both the legally authorised official and other undesirable elements. Terrorists, cyber-warriors and criminals will all find systems with surveillance capabilities easier to compromise. In other words, surveillance compromises security at the level of system design. There were no internet connections or phone lines in the bin Laden compound—he was depending on store and forward arrangement based on USB drives. Do we really think that registration of all USB drives, monitoring of their usage and the provision of back doors to these USBs via master key would have lead the investigators to him earlier? Has the ban on public wi-fi and the current ID requirements at cyber-cafes led to the arrest of any terrorists or criminals in India? Where is the evidence that resource hungry blanket surveillance is providing return on investment? Intelligence work cannot be replaced with resource-hungry blanket surveillance. Unnecessary surveillance distracts the security with irrelevance.

Increase in security levels is not directly proportional to increase in levels of surveillance. A certain amount of surveillance is unavoidable and essential. But after the optimum amount of surveillance has been reached, additional surveillance only undermines security. The multiple levels of data retention at the cybercafe, by the ISP and also by the application service provider does not necessarily make Indian cyberspace more secure. On the contrary, redundant storage of personal sensitive information only acts as multiple points of failure and leaks—in the age of Niira Radia and Amar Singh one does not have be reminded of authorised and unauthorised surveillance and their associated leaks.

Finally, there is the question of perception management. Perceptions of security does not only depend on reality but on personal and popular sentiment. There are two possible configurations for information systems—one, where the fundamental organising principle is trust or second, where the principle is suspicion. Systems based on suspicion usually gives rise to criminal and corrupt behavior. If the state were to repeatedly accuse its law-abiding citizens of being terrorists and criminals, it might end up provoking them into living up to these unfortunate expectations. If citizens realise that every moment of their digital lives is being monitored by multiple private and government bodies—they will begin to use anonymisation and encryption technology round the clock even when it is not really necessary. Ordinary citizens will be forced to visit the darker and nastier corners of the internet just to download encryption tools and other privacy enabling software. Like the prohibition, this will only result in further insecurity and break-down in the rule of law.

Read the original here

For more details visit https://cis-india.org/internet-governance/blog/want-to-be-watched

Your cyber space is a hackers paradise

praskrishna — 2011-08-23T00:58:21Z

It Looks like hackers are having a ball targeting all kinds of websites — gaming, news, government, personal email and even those run by terror networks, writes Shayan Ghosh. The article was published in Mail Today on June 6, 2011.

After Sony PlayStation Network and Gmail breaches this week, the latest is an attack on Sony Pictures.

The hackers who broke into the Sony Pictures website have collected private information such as passwords and email identities.

"A group of criminal hackers known as LulzSec claimed to have breached some of our websites," CEO of Sony Pictures Entertainment Michael Lynton said.

LulzSec, involved in the hacking of several leading US media firms last month, however, has another story to tell. The group blamed Sony Pictures for carelessness.

"Every bit of data we took wasnt encrypted. Sony stored over 10 lakh passwords of its customers in plaintext, which means it is just a matter of taking it." "We broke into SonyPictures. com and compromised over 10 lakh users personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony data associated with their accounts.

Among other things, we also compromised all administration details of Sony Pictures ( including passwords) along with 75,000 music codes and 3.5 million coupons", the group said in a post on Pastebin. com . Google mail, too, was breached this week and the hackers gained access to email accounts of hundreds of people, including senior US government officials and journalists. Google confirmed that Gmail accounts were hacked." We recently uncovered a campaign to collect user passwords, likely through phishing,” the search, cloud and net tech giant said on its blog.

Asked about reports that Gmail accounts of some Indian diplomats based in China had been hacked, Google declined to comment, saying it had no data of any specific people whose accounts have been hacked.

But the company pointed fingers at China.

"This campaign, which appears to originate from Jinan in China, affected what seem to be the personal Gmail accounts of hundreds of users, including senior US government officials, Chinese political activists, officials in several Asian countries ( predominantly South Korea), military personnel and journalists, among others," a posting on the companys official blog said.

Indian experts, too, blame Chinese hackers. "China poses a serious threat to our national security as these hacking issues dont just seem to stop," Ahmedabadbased cybercrime consultant Sunny Vaghela said.

The hackers probably targeted Gmail because of the number of users they have, Vaghela added.

All regimes have now started implementing surveillance mechanisms on the Internet. This is a disturbing trend all over the world.

China has supremacy on it mainly because they are an early adopter of Internet surveillance and content filtering mechanisms,” a software consultant based in Bangalore, Anivar Aravind, said.

"Its become more about proving a point. Hackers want to tell people that I can hack into your system and show its vulnerability," Center for Internet and Society director of research in Bangalore Nishant Shah said.

But LulzSec has its own logic: "Our goal here is not to come across as master hackers… Why do you put such faith in a company that allows itself to become open to these simple attacks?"

Online Safety Measures

Secure your Email:

Change passwords often
Use the Gmail feature to check your “ last account activity”. It shows the IP address ( denoting a specific computer) used to access your email
Do not open unknown email attachments
Do not store sensitive and personal data in email accounts

Things to Avoid

Do not visit unknown sites; Use different passwords for different accounts
Do not divulge credit card numbers over emails or on social networks
Keep track of your credit/ debit card account
For online transactions use encrypted websites. Look for SSL certificate or padlock icon

Read the original published by Mail Today here

For more details visit https://cis-india.org/news/cyber-space-hackers-paradise

Big Brother is Watching You

sunil — 2012-03-21T09:32:28Z

The government is massively expanding its surveillance power over law-abiding citizens and businesses, says Sunil Abraham in this article published by the Deccan Herald on June 1, 2011.

Imagine: An HIV positive woman calls a help-line from an ISD/STD booth. The booth operator can get to know who she called, when and for how long. But he would not have any idea on who she is or where she lives.

Now, instead of a phone call, imagine that she uses a cyber café to seek help on a website for HIV positive people. The cyber-cafe operator would have a copy of her ID – remember that many ID documents have phone numbers and addresses. He may then take her photograph using his own camera. One can only hope that he will take only a mug-shot without using the zoom lens inappropriately. He would also use a software – to log her Internet activities and make a reasonable guess on her HIV status.

The average Facebook page may have 50 different URLs to display the various images, animations and videos that are linked to that page. Each of those URLs would be stored, regardless of whether she scrolls down to see any of them.

The cyber-cafe operator is obliged under the Cyber Cafe rules to store this information for a period of one year. But there are no clear guidelines on when and how he should dispose of these logs. An unethical operator could leak the logs to a marketeer, a spammer, a neighbourhood Romeo or the local moral police. A careless operator maybe vulnerable to digital or physical theft and before you know it, such logs could end up on the Internet.

Ever since 26/11, cyber-cafes in metros have been photocopying ID documents – but so far not a single terrorist attack has been foiled or a crime solved thanks to this highly intrusive measure. But despite the lack of evidence to prove the efficacy of the current levels of surveillance, the government has decided to expand them exponentially.

Imagine again: A media organisation such as Deccan Herald is investigating a public interest issue with the help of a whistle-blower or an anonymous informant. Deccan Herald reporters may think that by turning the encryption on when using Gmail or Hotmail they are protecting their source.

But the ISP serving Deccan Herald is obliged by the license terms to log all traffic be it broadband, dial-up or mobile users passing through it. Again, there are no clear guidelines on when to delete these logs and none of the Indian ISPs publicly publish a data retention policy. Besides retaining data, the ISPs have to install real-time surveillance equipment within their network infrastructure and make them available for government officials. If a government official wants to track who is talking to Deccan Herald reporters, he just has to ask.

With ISPs and online service providers – all the police have to do is send an information request under Section 92 of the Code of Criminal Procedure. In other words, they don't even have to bother about a court order. Between January 2010 to June 2010 Google received 1,430 information requests from India. Many other companies, for example, Microsoft, are not as transparent as Google about the state surveillance. So we will never know what they are subjected to.

If the whistle-blower was using Blackberry, all traffic would be transferred from the device to the RIM's Network Operation Centre situated outside India in an encrypted tunnel before it travels onto the Internet. This prevents the government from learning which mail server is being used from the logs and surveillance equipment at the ISP premises. And that is why the government has been engaged in a five-year long public fight with RIM over access to Blackberry traffic.

Now, thanks to the IT Act, the government can demand the service providers, including RIM, to hand over the decryption keys by accusing any individual of a variety of vague offenses -- for example engaging in communication that is ‘grossly harmful’ or ‘harms minors in any way’ – under the IT Act. Refusal to hand over the keys is punishable with a jail term of three years.

Finally, imagine that an Indian enterprise is developing trade-secrets or handling trade-secrets on behalf of their international partners. This enterprise is using a VPN or virtual private network for confidential digital communication. As per the ISP license all encryption above 40-bit is only permitted with written permission from DoT along with mandatory deposit of the decryption key.

In the age of wire-tap leaks, only a miniscule minority of international business partners would trust the government of India not to leak or misuse the keys that have been deposited with them. Most individuals, SMEs and large enterprises routinely use encryption higher than 40 bit strength. For example, Gmail uses128 bit and Skype uses 256 bit encryption. Many services use dynamic encryption, that is generate different keys for each session.

So far I have not heard of anyone who has actually secured permission or deposited the keys. In other words, the Indian enterprise has two choices – either break the law to protect business confidentiality or obey it and lose clients.

The IT Act (Amendment 2008) and its associated Rules, notified in April this year are a massive expansion of blanket surveillance on ordinary, law-abiding Indians. They represent a paradigm shift in surveillance and a significant dilution in privacy protections afforded to citizens under the Telegraph Act.

This has terrifying consequences for our plural society, free media and businesses. Department of Information Technology in particular Dr. Gulshan Rai's office has so far only brushed aside these concerns and denied receiving feedback from the industry and civil society. If our media continues to ignore this clamp down on our civil liberties, we will soon have to furnish ID documents before purchasing thumb drives. After all, Bin Laden was found using them in his Abbottabad home.

Read the original here

For more details visit https://cis-india.org/internet-governance/blog/big-brother-watching-you

Sunil Abraham, CIS : "Avec l’e-G8, Nicolas Sarkozy veut promouvoir de nouvelles restrictions à la liberté d’expression"

praskrishna — 2011-05-25T11:54:51Z

Le débat continue de faire rage en Inde au sujet d’une nouvelle législation posant des limites floues et, selon certains, potentiellement dangereuses, à la liberté d’expression sur Internet. Et alors que s’ouvre à Paris l’e-G8, sur fond de polémiques autour des intentions de son principal supporteur, le président de la République Française, Nicolas Sarkozy, Sunil Abraham, directeur exécutif de l’ONG Center for Internet & Societies, a accepté de partager son regard sur l’événement, depuis Bangalore. This news was published in LE MAG IT on May 24, 2011.

LeMagIT: L’Inde vient de se doter d’une nouvelle législation relative aux technologies de l’information et de la communication. Que dénoncez-vous dans cette législation ?

Sunil Abraham: Il y a trois principales préoccupations, pour la société civile. Tout d’abord, cette nouvelle législation va au-delà de son périmètre légitime et définit des limites vagues et inconstitutionnelles à la liberté d’expression sur Internet. Par exemple, un discours dénigrant, relevant du harcèlement, blasphématoire ou haineux n’a jamais été criminel ou considéré comme tel par la justice indienne. Mais du fait de cette nouvelle législation, cela peut être puni de 3 ans de prison. Ensuite, ces règles introduisent un biais contre la participation citoyenne à toute forme de publication en ligne, en particulier dans les médias sociaux ou la production de contenus collective. Ainsi, une fois qu’un ordre de retrait a été notifié, le contenu contestable visé doit être supprimé dans un délai de 36 heures. Ou c’est l’intermédiaire concerné qui est susceptible de voir engagée sa responsabilité. De grandes entreprises telles que Google seront en mesure de gérer de telles injections et d’engager des procédures en justice mais de simples individus seront écrasés par la censure privée sans application équitable de la loi. En outre, les individus ne seront pas notifiés de l’application d’une telle censure et aucune pénalité n’est prévue pour ceux qui abuseraient du système en émettant des ordres de retrait de contenu en masse de manière automatisée. Enfin, l’État a créé un système de surveillance à plusieurs niveaux impliquant cyber-cafés, FAI et fournisseurs de services en ligne. Les garde-fous sur les réquisitions judiciaires émises par les agences de renseignement ont été dilués. La rétention de logs redondante à plusieurs niveaux fournit en outre des cibles multiples avec des vulnérabilités multiples aux criminels à la fois au sein et en dehors de ces institutions. Les violations de la vie privée vont se multiplier et ne feront que distraire les agents du renseignement de leurs missions de fond pour lutter contre la criminalité et le terrorisme.

En clair, nous pensons que ces nouvelles règles vont réfréner la liberté d’expression sur Internet en Inde en stimulant l’auto-censure, la censure privée et la surveillance. Cela va nuire à l’exercice démocratique, à la liberté des médias, et à la transparence des institutions publiques, à la culture et à la créativité, à la recherche et au développement, et enfin - mais ce n’est pas rien - à l’entrepreneuriat.

LeMagIT: Dans un contexte de suspicion sur les objectifs du forum e-G8, et avec la perspective de la nouvelle législation indienne, quel regard portez-vous sur le sommet international qui s’ouvre ce mardi 24 mai en France ?

Sunil Abraham: Nicolas Sarkozy et les nations développées de l’Ouest ont complètement perdu leur légitimité morale dans le débat sur la liberté sur Internet. Leur duplicité et leur double-langage ont été mis en lumière - d’un côté, ils critiquent la Birmanie, l’Arabie Saoudite et la Chine mais, dans le même temps, à l’intérieur de leurs frontières, ces nations ont courbé l’échine pour satisfaire aux demandes des ayants-droits. Rétention de données, exigence de justification d’identité dans les cyber-cafés, riposte graduée, investigations transnationales, etc... sont en train de devenir la norme. Nicolas Sarkozy semble avoir oublié que l’accès au savoir est le prérequis de la liberté d’expression. Le partage de l’information est une composante essentielle des activités quotidiennes des citoyens du Net. Criminaliser ces actes afin de soutenir les modèles économiques moribonds des éditeurs de logiciels et des sociétés de production de médias ne fera que réduire Internet à une télévision interactive.

En tant que personne mariée à un ayant-droit en quête de rente, Nicolas Sarkozy n’a naturellement que peu de sympathie pour l’accès [libre] à la connaissance et peut ainsi se faire le champion vocal des régimes de riposte graduée. Il serait bien capable d’interdire à quelqu’un de lire sous un livre prétexte que cette personne aurait partagé les photocopies de ce livre avec trois de ses amis. Il n’y a aucune proportionnalité entre le préjudice et la punition.

Avec l’e-G8, Nicolas Sarkozy essaie de pousser d’autres restrictions à la liberté d’expression avec son concept “d’Internet civilisé” - les régimes répressifs du monde entier ont de quoi se réjouir. Leur régulation draconienne a été importée par le pays de “liberté, égalité, fraternité.” J’espère que le peuple français se joindra aux sociétés civiles du monde entier pour rejeter les propositions de Nicolas Sarkozy.

Sunil's original response in English

What is wrong with the latest IT Rules 2011 [Intermediary Due Diligence, Cyber Cafe and Reasonable Security Measures) under the IT Act [Amendment 2008]

There are 3 broad concerns that civil society has with the latest IT rules. One, they go beyond the the scope of the IT Act and place unconstitutional and vague limits on freedom of expression online. For example speech that is harmful, harassing, disparaging, blasphemous or hateful has never been criminal or defined by Indian courts. But thanks to the latest rules, they are punishable with 3 years of imprisonment. Two, the rules are biased against citizen participation in online publication especially in the form of social media and commons based peer production. Once a take down notice is received the objectionable content has to be deleted within 36 hour otherwise the intermediary looses immunity. Large corporations like Google will be able to manage due diligence and also fight court battles but individual users will becrushed by private censorship sans due process of law. This individuals will not be notified when such censorship occurs and there is no penalty for those who abuse the system by sending bulk machine generated take-downs. Three, the state has mandated a multi-tier blanket surveillance regime - by cyber-cafes, ISPs and application service providers. Safeguards for information requests by intelligence agencies have been diluted. Redundant multi-level retention of logs provides multiple targets with multiple vulnerabilities to criminals both inside and outside these institutions. Privacy violations will multiply only serving a big distraction from the real intelligence work required to stop criminals and terrorists.

In brief - we believe the latest rules have a chilling effect on online freedom of expression in India via self-censorship, private censorship and blanket surveillance. This will undermine - democratic governance, free media, transparency and accountability in public institutions, culture and creativity, research and development and last but not least entrepreneurship.

What is wrong with Sarkozy's agenda at the e-G8

Sarkozy and developed western nations have completely lost their higher moral ground on net freedom. Their duplicity and double-speak has been exposed - on the one hand they criticise Burma, Saudi Arabia and China. But simultaneously at home these nations have bent backwards to please rights-holders. Blanket data retention, real ID requirements at cyber-cafes, three strikes regime, cross-border searches, etc are becoming the norm. Sarkozy appears to have forgotten that access to knowledge is the precondition for freedom of expression. Sharing of information is an essential component of the everyday Internet use of ordinary netizens. Criminalising these acts in order to prop up extinct business models of media houses and software companies will only reduce the Internet to interactive television.

Read the original published by LeMagIT here

For more details visit https://cis-india.org/news/avec-i-e-g-8

Your Privacy is Public Property

praskrishna — 2011-05-18T02:28:11Z

Rules issued by a control-obsessed government have armed officials with widespread powers to pry into your private life. This article was published in Mail Today on Sunday, May 15, 2011.

The government has gifted itself the power to pry into your electronic personal details without a search warrant. With new IT Rules, it can lay claim to an array of your most sensitive and zealously guarded personal details — ranging from your ATM pin, your net banking password, your credit card details, to the status of your mental health, your DNA profile, and even your sexual orientation. “These rules are a complete invasion of privacy
with immense potentiality of misuse,” says Supreme Court advocate and cyber law expert Pawan Duggal. Drawing attention to the fact that such executive orders are often drafted by government officials who aren’t legally qualified, Duggal asks: "Our medical records and sexual orientation have no bearing on the verification of our identity or our cyber crime record. So why should the state want access to this data?" That is not all. Every key stroke you make at a cyber cafe will now be under the scanner — with cafe owners being asked to maintain logs of your online activities for a minimum of one year. The rules have also turned the heat on internet service providers and social-networking sites to remove objectionable content posted on them, leading to strong objections from Google.

Under provisions of the Indian Post Office Act, 1898, The Indian Telegraph Act, 1885, and the Information Technology Act, 2000, the state already has the power to snoop through the letters you post, the emails you send and the calls you make. But while such surveillance came with several checks and balances, cyber law experts and internet activists say that the government can now access private data with far more ease.

"Whenever any government agency needs to access information on individuals, detailed processes need to be followed so that the rights of the citizen are protected. You need a magistrate — who is not part of the government — to sign a search warrant. A home secretary with the centre or state has to sanction a phone tapping request," points out M.R. Madhavan, head of research, PRS Legislative Research.

These safeguards have not been included for access to electronic databases. "An investigating officer simply needs to give a request in writing, in contravention of all other norms," says Madhavan.

Your privacy is being violated at several levels with the new rules, says Sunil Abraham, executive director of Bangalore’s Centre for Internet and Society. "Cyber cafe owners across the country can now take photos of women coming to their cafes. They also have to show their identity proof. Many women fear they can be harassed on the basis of this information." Cyber cafe owners also have to maintain records on who you are mailing, the subject, how often you access a web page, the packets of data sent and received, etc. Be prepared for rampant leakage of personal information with this provision, warns Abraham.

"A boy who fancies you could easily bribe the cafe owner to get the list of websites you access. The owner will have all the information on you stored for a minimum of one year. No process of destroying the logs has been specified by the IT rules and regulations," says Abraham.

The trouble, says Venkatesh Nayak, the Programme Coordinator for Access to Information, Commonwealth Human Rights Initiative, is that everyone is suspect in the eyes of the government because of the perception that terrorists don’t function like organised crime syndicates.

Privacy concerns are taken far more seriously in the West. "In countries which have a data protection law, there are data protection tribunals and data protection commissioners. It is not that easy for governments to collect sensitive information on individuals and keep it away from them," says Nayak.

The government, meanwhile, denies any invasion of privacy with the rules. "The intent of the rules is to protect sensitive personal information. The rules do not give any undue powers to government agencies for free access of sensitive personal information," the department of Information Technology has said in a statement.

Cyber experts aren’t convinced, and believe that the days of greater surveillance lie ahead. "After 9/11, the US Homeland Security had started accessing databases of public libraries to find out what people were reading. The day may not be far for us," is Nayak’s dark projection.

Read the original published by Mail Today here

For more details visit https://cis-india.org/news/privacy-public-property

The Second IJLT-CIS Lecture Series at National Law School, Bangalore

praskrishna — 2011-05-13T11:03:04Z

The Indian Journal of Law and Technology and the Centre for Internet and Society, present the second IJLT- CIS Lecture Series, an event comprised of an intensive series of lectures by luminaries with expertise in law and technology to give students, professionals and anyone interested in a comprehensive idea about the theme, "Emerging Issues in Privacy law".

The focus will be on contemporary sub-issues of critical relevance such as:

The Unique Identification Project and Challenges to Privacy
Cloud Computing and Behavioural Tracking
The State and Privacy: Electronic Surveillance

Speakers

The following delegates would be speaking at the conference:

Usha Ramanathan
Malavika Jayaram
Vivek Durai
Prof. Sudhir Krishnaswamy

Profiles of the Speakers

Usha Ramanathan

Dr. Usha Ramanathan is an internationally recognized expert on law and poverty. She studied law at Madras University, the University of Nagpur and Delhi University. She is a frequent adviser to non-governmental organisations and international organizations. She is a member of Amnesty International's Advisory Panel on Economic, Social and Cultural Rights and has been called upon by the World Health Organisation as a expert on mental health on various occasions. Her research interests include human rights, displacement, torts and environment. She has published extensively in India and abroad.

Malavika Jayaram

Malavika Jaya has an experience of more than 15 years as a lawyer with a specialization in information technology and intellectual property. She is a partner in Jayaram & Jayaram, Bangalore managing a portfolio of work that has a strong focus on IT/IP and commercial work, especially with an international angle and is a fellow of the Centre for Internet and Society. She works with CIS in its efforts to explore, understand, and affect the shape and form of the Internet, and its relationship with the cultural and social milieu of our time.

More info on Malavika Jayaram can be found here

Vivek Durai

Vivek G Durai is co-founder and managing partner at Atman Law Partners. He represents Indian and overseas clients in connection with their India entry strategies, venture capital and private equity investments, infrastructure projects, technology contracts, procurement and supply agreements and real estate investments.

More info on Vivek Durai can be found here

Professor (Dr.) Sudhir Krishnaswamy

Prof. Sudhir Krishnaswamy graduated from National Law School Bangalore with a BA LLB (Hons) degree. He then went onto finish a BCL and DPhil in Law from the University of Oxford on a Rhodes Scholarship. He has taught at National Law School, Bangalore and Pembroke College, University of Oxford among other places. His research interests include constitutional law, administrative law, intellectual property law, legal profession and reform of the legal system.

More info on Prof. Krishnaswamy can be found here

Admission will not charged but in order to enable us to ensure adequate seating, do register without fail by the 18th of May by email at editorialboard@ijlt.in.

Updates regarding the conference will be posted here.

For more details visit https://cis-india.org/events/ijlt-cis-lecture-series

Limits to Privacy

Prashant Iyengar — 2012-12-14T10:28:55Z

In his research article, Prashant Iyengar examines the limits to privacy for individuals in light of the provisions of the Constitution of India, public interest, security of state and maintenance of law and order. The article attempts to build a catalogue of all these justifications and arrive at a classification of all such frequently used terms invoked in statutes and upheld by courts to deprive persons of their privacy.

Introduction

In 1965, the Supreme Court of India heard and decided State of UP v. Kaushaliya[1], a case which involved the question of whether women who are engaged in prostitution can be forcibly removed from their residences and places of occupation, or whether they were entitled, along with other citizens of India, to the fundamental right to move freely throughout the territory of India, and to reside and settle in any part of the territory of India [under Article 19(1)(d) and (e) of the Constitution of India]. In other words, did these women possess an absolute right of privacy over their decisions in respect to their occupation and place of residence? In its decision, the Supreme Court denied them this right holding that "the activities of a prostitute in a particular area... are so subversive of public morals and so destructive of public health that it is necessary in public interest to deport her from that place." In view of their 'subversiveness', the statutory restrictions imposed by the Suppression of Immoral Traffic Act on prostitutes, were upheld by the court as constitutionally-permissible “reasonable restrictions” on their movements.

The legal alibis that the State employs to justify its infringement of our privacy are numerous, and range from ‘public interest’ to 'security of the state' to the 'maintenance of law and order'. In this chapter we attempt to build a catalogue of these various justifications, without attempting to be exhaustive, with the objective of arriving at a rough taxonomy of such frequently invoked terms. In addition we also examine some the more important justifications such as 'public interest' and 'security of the state' that have been invoked in statutes and upheld by courts to deprive persons of their privacy.

The statutory venues of deprivation of privacy by the state being many – strictly, any statute that imposes any restriction on movement, or authorizes the search or examination of any residence or book, or the interception of communication may be read as a violation of a privacy right — tracking each of these down would not only be an impossible exercise, but also contribute little to the analytical exercise we are attempting here. Instead, in this chapter we only list provisions from a few statutes that are the familiar instruments by which the state impinges on our privacy. This is done with the limited object of arriving at a rough inventory of the common technologies which the state employs to impinge on our privacy.

Even if intrusions into our privacy are statutorily authorised, these statutes must withstand constitutional scrutiny. We therefore, begin this chapter with a discussion of the constitutional framework within which these statutes operate, and against which the severity of their incursions must be measured.

Constitutional Jurisprudence on Privacy

The 'right to privacy' has been canvassed by litigants before the higher judiciary in India by including it within the fold of two fundamental rights: the right to freedom under Article 19 and the right to life and personal liberty under Article 21.

It would be instructive to provide a brief background to each of these Articles before delving deeper into the privacy jurisprudence expounded by the courts under them.

Part III of the Constitution of India (Articles 12 through 35) is titled ‘fundamental rights’ and lists out several rights which are regarded as fundamental to all citizens of India (some apply all persons in India whether citizens or not). Article 13 forbids the State from making “any law which takes away or abridges the rights conferred by this Part”.

Thus, Article 19(1) (a) stipulates that "all citizens shall have the right to freedom of speech and expression". However this is qualified by Article 19(2) which states that this will not "affect the operation of any existing law, or prevent the State from making any law, in so far as such law imposes reasonable restrictions on the exercise of the right … in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence".

Thus, the freedom of expression guaranteed by Article 19(1) (a) is not absolute, but a qualified right that is susceptible, under the Constitutional scheme, to being curtailed under specified conditions.

The other important fundamental right from the perspective of privacy jurisprudence is Article 21 which reads "No person shall be deprived of his life or personal liberty except according to procedure established by law."

Where Article 19 contains a detailed list of conditions under which freedom of expression may be curtailed, by contrast Article 21 is thinly-worded and only requires a "procedure established by law" as a pre-condition for the deprivation of life and liberty. However, the Supreme Court has held in a celebrated case Maneka Gandhi vs. Union of India [2] that any procedure "which deals with the modalities of regulating, restricting or even rejection of a fundamental right falling within Article 21 has to be fair, not foolish, carefully designed to effectuate, not to subvert, the substantive right itself. Thus, understood, 'procedure' must rule out anything arbitrary, freakish or bizarre."

Four decisions by the Supreme Court have established the right to privacy in India as flowing from Articles 19 and 21.

The first was a seven-judge bench judgment in Kharak Singh vs The State of U.P.[3] The question for consideration before this court was whether 'surveillance' under Chapter XX of the U.P. Police Regulations constituted an infringement of any of the fundamental rights guaranteed by Part III of the Constitution. Regulation 236(b) which permitted surveillance by 'domiciliary visits at night' was held to be violative of Article 21.The word ‘life’ and the expression ‘personal liberty’ in Article 21 were elaborately considered by this court in Kharak Singh`s case. Although the majority found that the Constitution contained no explicit guarantee of a ‘right to privacy’, it read the right to personal liberty expansively to include a right to dignity. It held that "an unauthorised intrusion into a person's home and the disturbance caused to him thereby, is as it were the violation of a common law right of a man —an ultimate essential of ordered liberty, if not of the very concept of civilization."

In a minority judgment in this case, Justice Subba Rao held that "the right to personal liberty takes is not only a right to be free from restrictions placed on his movements, but also free from encroachments on his private life. It is true our Constitution does not expressly declare a right to privacy as a fundamental right but the said right is an essential ingredient of personal liberty. Every democratic country sanctifies domestic life; it is expected to give him rest, physical happiness, peace of mind and security. In the last resort, a person's house, where he lives with his family, is his 'castle' it is his rampart against encroachment on his personal liberty." This case, especially Justice Subba Rao’s observations, paved the way for later elaborations on the right to privacy using Article 21.

In 1972, the Supreme Court decided a case — one of the first of its kind — on wiretapping. In R. M. Malkani vs State of Maharashtra [4] the petitioner’s voice had been recorded in the course of a telephonic conversation where he was attempting blackmail. He asserted in his defence that his right to privacy under Article 21 had been violated. The Supreme Court declined his plea holding that “the telephonic conversation of an innocent citizen will be protected by courts against wrongful or high handed interference by tapping the conversation. The protection is not for the guilty citizen against the efforts of the police to vindicate the law and prevent corruption of public servants.”

The third case, Govind vs. State of Madhya Pradesh [5] , by a three-judge bench of the Supreme Court is regarded as being a setback to the right to privacy jurisprudence. Here, the court was evaluating the constitutional validity of Regulations 855 and 856 of the Madhya Pradesh Police Regulation which provided for police surveillance of habitual offenders including domiciliary visits and picketing. The Supreme Court desisted from striking down these invasive provisions holding that "It cannot be said that surveillance by domiciliary visit, would always be an unreasonable restriction upon the right of privacy. It is only persons who are suspected to be habitual criminals and those who are determined to lead criminal lives that are subjected to surveillance."

The court went on to make some observations on the right to privacy under the Constitution:

"Too broad a definition of privacy will raise serious questions about the propriety of judicial reliance on a right that is not explicit in the Constitution. The right to privacy will, therefore, necessarily, have to go through a process of case by case development. Hence, assuming that the right to personal liberty, the right to move freely throughout India and the freedom of speech create an independent fundamental right of privacy as an emanation from them it could not he absolute. It must be subject to restriction on the basis of compelling public interest. But the law infringing it must satisfy the compelling state interest test. It could not be that under these freedoms that the Constitution-makers intended to protect or protected mere personal sensitiveness."

The next case in the series was R. Rajagopal vs. State of Tamil Nadu [6] which involved a balancing of the right of privacy of citizens against the right of the press to criticize and comment on acts and conduct of public officials. The case related to the alleged autobiography of Auto Shankar who was convicted and sentenced to death for committing six murders. In the autobiography, he had commented on his contact and relations with various police officials. The right of privacy of citizens was dealt with by the Supreme Court in the following terms: -

The right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a "right to be let alone". A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, childbearing and education among other matters. None can publish anything concerning the above matters without his consent — whether truthful or otherwise and whether laudatory or critical. If he does so, he would be violating the right to privacy of the person concerned and would be liable in an action for damages. Position may, however, be different, if a person voluntarily thrusts himself into controversy or voluntarily invites or raises a controversy.
The rule aforesaid is subject to the exception, that any publication concerning the aforesaid aspects becomes unobjectionable if such publication is based upon public records including court records. This is for the reason that once a matter becomes a matter of public record, the right to privacy no longer subsists and it becomes a legitimate subject for comment by press and media among others. We are, however, of the opinion that in the interests of decency [Article 19(2)] an exception must be carved out to this rule, viz., a female who is the victim of a sexual assault, kidnap, abduction or a like offence should not further be subjected to the indignity of her name and the incident being publicised in press/media.

Elsewhere in the same decision, the court took a cautionary stance and held that "the right to privacy...will necessarily have to go through a process of case-by-case development."

The final case that makes up the 'privacy quintet' in India was the case of PUCL v. Union of India [7] in which the court was called upon to consider whether wiretapping was an unconstitutional infringement of a citizen’s right to privacy. The court held:

The right privacy — by itself — has not been identified under the Constitution. As a concept it may be too broad and moralistic to define it judicially. Whether right to privacy can be claimed or has been infringed in a given case would depend on the facts of the said case. But the right to hold a telephone conversation in the privacy of one’s home or office without interference can certainly be claimed as a ‘right to privacy’. Conversations on the telephone are often of an intimate and confidential character. Telephone conversation is a part of modern man's life. It is considered so important that more and more people are carrying mobile telephone instruments in their pockets. Telephone conversation is an important facet of a man's private life. Right to privacy would certainly include telephone-conversation in the privacy of one's home or office. Telephone-tapping would, thus, infract Article 21 of the Constitution of India unless it is permitted under the procedure established by law.

The court also read this right to privacy as simultaneously deriving from Article 19. "When a person is talking on telephone, he is exercising his right to freedom of speech and expression", the court observed, and therefore "telephone-tapping unless it comes within the grounds of restrictions under Article 19(2) would infract Article 19(1) (a) of the Constitution."

However, the court in this case made two observations which would have a lasting impact on privacy jurisprudence in India –firstly, it rejected the contention that 'prior judicial scrutiny' should be mandated before any wiretapping could take place and accepted the contention that administrative safeguards would be sufficient.

Thus, to conclude this section of this chapter, it may be observed that the right to privacy in India is, at its foundations a limited right rather than an absolute one. In the sections that follow, it will become apparent that this limited nature of the right provides a somewhat unstable assurance of privacy since it is frequently made to yield to all manners of competing interests which happen to have a more pronounced legal standing.

Vocabularies of Privacy Limitation

Article 12 of the Universal Declaration of Human Rights (1948) defines privacy in the following terms:

"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

Similarly, Article 17 of the International Covenant of Civil and Political Rights (to which India is a party) declares that:

"No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home and correspondence, nor to unlawful attacks on his honour and reputation."

In this section, we look briefly at sections in some statutes that authorize the deprivation of privacy. These statutes have been classified under three headings, following the aforementioned international covenants, each dealing with a) our communications, b) our homes and c) bodily privacy.

Privacy of Communications

Communications laws

All laws dealing with mediums of inter-personal communication — post, telegraph and telephony and email – contain similarly worded provisions permitting interception under specified conditions.

Thus, section 26 of the India Post Office Act 1898 confers powers of interception of postal articles for the 'public good'. According to this section, this power may be invoked "On the occurrence of any public emergency, or in the interest of the public safety or tranquillity". The section further clarifies that “a certificate from the State or Central Government” would be conclusive proof as to the existence of a public emergency or interest of public safety or tranquillity.

Similarly, section 5(2) of the Telegraph Act authorizes the interception of any message

on the occurrence of any public emergency, or in the interest of the public safety; and
if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence,

Thus, the events that trigger an action of interception are the occurrence of any ‘public emergency’ or in the interests of ‘public safety’.

Most recently, section 69 of the Information Technology Act 2008 contains a more expanded power of interception which may be exercised "when they [the authorised officers] are satisfied that it is necessary or expedient" to do so in the interest of:

sovereignty or integrity of India,
defence of India,
security of the State,
friendly relations with foreign States or
public order or
preventing incitement to the commission of any cognizable offence relating to above or
for investigation of any offence,

[More details of the occasions and the mandatory procedural safeguards before these powers may be exercised are contained in our briefing notes on Privacy and Telecommunications and Privacy and the IT Act]

From a plain reading of these sections, there appears to be a gradual loosening of standards from the Post Office Act to the latest Information Technology Act. The Post Office Act requires the existence of a ‘state of public emergency’ or a ‘threat to public safety and tranquillity’ as a precursor to the exercise of the power of interception. This requirement is continued in the Telegraph Act with the addition of a few more conditions, such as expediency in the interests of sovereignty, etc. Under the most recent IT Act, the requirement of a public emergency or a threat to public safety is dispensed with entirely – here, the government may intercept merely if it feels it ‘necessary or expedient’.

How much of a difference does it make?

In Hukam Chand Shyam Lal v. Union of India and ors [8] , the Supreme Court was required to interpret the meaning of ‘public emergency’. Here, the court was required to consider whether disconnection of a telephone could be ordered due to an ‘economic emergency’. The Government of Delhi had ordered the disconnection of the petitioner’s telephones due to their alleged involvement, through the use of telephones, in (then forbidden) forward trading in agricultural commodities. According to the government, this constituted an ‘economic emergency’ due to the escalating prices of food. Declining this contention, the Supreme Court held that:

a 'public emergency' within the contemplation of this section is one which raises problems concerning the interest of the public safety, the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or the prevention of incitement to the commission of an offence.

Economic emergency is not one of those matters expressly mentioned in the statute. Mere 'economic emergency'— as the high court calls it—may not necessarily amount to a 'public emergency' and justify action under this section unless it raises problems relating to the matters indicated in the section.

In addition the other qualifying term, 'public safety' was interpreted in an early case by the Supreme Court to mean "security of the public or their freedom from danger. In that sense, anything which tends to prevent dangers to public health may also be regarded as securing public safety. The meaning of the expression must, however, vary according to the context."[9]

Thus, the words ‘public emergency’ and 'public safety' does provide some legal buffer before the government may impinge on our privacy in the case of post and telecommunications. In a sense, they operate both as limits on our privacy as well as limits on the government’s ability to impinge on our privacy — since the government must demonstrate their existence to the satisfaction of the court, failing which their actions would be illegal.

However, as mentioned, even these requirements have been dispensed with in the case of electronic communications falling under the purview of the Information Technology Act where sweeping powers of interception have been provided extending from matters affecting the sovereignty of the nation, to the more mundane 'investigation of any offence'.

Privileged Communications

In addition to laying down procedural safeguards which restrict the conditions under which our communication may be intercepted, the law also safeguards our privacy in certain contexts by taking away the evidentiary value of certain communications.

Thus, for instance, under the Evidence Act, communications between spouses and communications with legal advisors are accorded a special privilege.

Section 122 of the Evidence Act forbids married couples from disclosing any communications made between them during marriage without the consent of the person who made it. This however, does not apply in suits “between married persons, or proceedings in which one married person is prosecuted for any crime committed against the other.”

This rule was applied in a case before the Kerala High Court, T.J. Ponnen vs M.C. Varghese [10] where a man sued his son-in-law for defamation based on statements about him written in a letter addressed to his daughter. The trial court held that the prosecution was invalid since it was based on privileged communications between the couple. This was upheld by the high court. The petitioner had attempted to argue that it was immaterial how he gained possession of the letter. The high court disagreed with this contention holding that this would defeat the purpose of section 122.

Similarly section 126 forbids “barristers, attorneys, pleaders or vakils” from disclosing, without their client’s express consent “any communication made to him in the course and for the purpose of his employment as such barrister, pleader, attorney or vakil... or to state the contents or condition of any document with which he has become acquainted in the course and for the purpose of his professional employment or to disclose any advice given by him to his client in the course and for the purpose of such employment.”

As with section 122, this privilege also comes with exceptions. Thus, the following kinds of communications are exempted from the privilege:

any communication made in furtherance of any illegal purpose,
any fact observed by any barrister, pleader, attorney or vakil, in the course of his employment as such showing that any crime or fraud has been committed since the commencement of his employment.

Section 127 extends the scope attorney-client privilege to include any interpreters, clerks and servants of the attorney or barrister. They are also not permitted to disclose the contents of any communication between the attorney and her client.

Section 129 enacts a reciprocal protection and provides that clients shall not be compelled to disclose to the court any "confidential communication which has taken place between him and his legal professional adviser."

Section 131 of the Evidence Act further cements the legal protection afforded to married couples, attorneys and their clients by providing that "No one shall be compelled to produce documents in his possession, which any other person would be entitled to refuse to produce if they were in his possession" unless that person consents to the production of such documents.

Note that these privileges do not limit the ability of the state to intercept communications – they merely negate the evidentiary value of any communications so intercepted.

Privacy of the Home: Search and Seizure Provisions

Under what circumstances may the State invade the privacy of our homes? What are the limits of these powers? Technically, any law that authorizes “search and seizure” can be said to authorize an invasion of our privacy. Many laws permit searches, for various grounds — ranging from the Income Tax Act which authorizes searches to recover undisclosed income, to the Narcotics Act which prescribes a procedure to search and sieze drugs, to the Excise Act and the Customs Act which do so in order to discover goods that are manufactured or imported in violation of those respective statutes. In this section we deal only with the general provisions for search and seizure under the Code of Criminal Procedure.

The Code of Criminal Procedure (CrPC) provides that a house or premises may be searched either under a search warrant issued by a court, or, in the absence of a court-issued-warrant, by a police officer in the course of investigation of offences.

Thus, a court may issue a search warrant where

it has reason to believe that a person to whom a summons has been, or might be, addressed, will not or would not produce the document or thing as required by such summons; or
where such document or thing is not known to the court to be in the possession of any person, or
where the court considers that the purposes of any inquiry, trial or other proceeding under this Code will be served by a general search or inspection,

Similarly, section 165 of the Code of Criminal Procedure permits for searches to be conducted by “police officers in charge of police station or a police officer making an investigation” without first obtaining a warrant. Such a search may be conducted if he has “reasonable grounds for believing that anything necessary for the purposes of an investigation into any offence which he is authorised to investigate may be found in any place within the limits of the police station of which he is in charge, or to which he is attached”, and if, in his opinion, such thing cannot “be otherwise obtained without undue delay”.

Such officer must record in writing the grounds of his belief and specify “so far as possible” the thing for which search is to be made.

In both cases, the Code of Criminal Procedure requires the search to conform to procedures including the presence of "two or more independent and respectable inhabitants of the locality”. The preparation, in their presence, of “a list of all things seized in the course of such search, and of the places in which they are respectively found", the delivery of this list to the occupant of the place being searched.

However, in reality, these requirements are observed more in the breach. Courts have consistently held that not following these provisions would not make evidence obtained inadmissible — it would make the search irregular, not unlawful. Thus, in State of Maharashtra v. Natwarlal Damodardas Soni [11], where a search was conducted under the Customs Act to recover smuggled gold, the Supreme Court held that

Assuming that the search was illegal it would not affect either the validity of the seizure and further investigation by the customs authorities or the validity of the trial which followed on the complaint of the Assistant Collector of Customs.

In a different case, Radhakrishan v. State of U.P. [12] which involved an illegal search in contravention of the Code of Criminal Procedure , the Supreme Court held that:

"So far as the alleged illegality of the search is concerned, it is sufficient to say that even assuming that the search was illegal the seizure of the Articles is not vitiated. It may be that where the provisions of ... Code of Criminal Procedure, are contravened the search could be resisted by the person whose premises are sought to be searched. It may also be that because of the illegality of the search the Court may be inclined to examine carefully the evidence regarding the seizure. But beyond these two consequences no further consequence ensues."

India inherits the common law notion that a man’s house is his castle. In the light of the cases discussed above, this claim certainly appears to be lofty. However, there is still hope. In a recent case, the Supreme Court struck down provisions of a legislation on grounds that it was too intrusive of citizens’ right to privacy. The case involved an evaluation of the Andhra Pradesh Stamp Act which authorized the collector to delegate “any person” to enter any premises in order to search for and impound any document that was found to be improperly stamped. Thus, for instance, banks could be compelled to cede all documents in their custody, including clients documents, for inspection on the mere chance that some of them may be improperly stamped. These banks were then compelled under law to pay the deficit stamp duty on the documents, even if they themselves were not party to the transactions recorded in the documents.

After an exhaustive analysis of privacy laws across the world, and in India, the Supreme Court held that in the absence of any safeguards as to probable or reasonable cause or reasonable basis, this provision was violative of the constitutionally guaranteed right to privacy, both of the house and of the person. [13]

The case marks a welcome redrawing of the boundaries of the right to privacy against state intrusion.

Privacy of the Body

To what extent do we have a right to privacy that protects what we may do with our own bodies and may be done to them? This section deals with this question in the context of four issues that have arisen before courts:

the ability of the state to order persons to undergo medical-examination,
to undergo a range of 'truth technologies' including narco analysis, brain mapping, etc.,
to submit to DNA testing and d) to abortion. In most cases, as we shall see, the right to privacy cedes ground to any available competing interest.

Court-ordered Medical Examinations

Can courts compel persons to undergo medical examinations against their will? In the case of Sharda v. Dharmpal[14], decided in 2003, the Supreme Court held that they could. Here a man filed for divorce on that grounds that his wife suffered from a mental illness. In order to establish his case, he requested the court to direct his wife to submit herself to a medical examination. The trial court and the high court both granted his application. On appeal to the Supreme Court, the woman contested the order on grounds firstly, that compelling a person to undergo a medical examination by an order of the court would be violative of her right to 'personal liberty' guaranteed under Article 21 of the Constitution of India. Secondly, in absence of a specific empowering provision, a court dealing with matrimonial cases cannot subject a party to undergo medical examination against his her volition. The court could merely draw an adverse inference.

The Supreme Court rejected these contentions holding that the right to privacy in India was not absolute. If the "respondent avoids such medical examination on the ground that it violates his/her right to privacy or for a matter right to personal liberty as enshrined under Article 21 of the Constitution of India, then it may in most of such cases become impossible to arrive at a conclusion. It may render the very grounds on which divorce is permissible nugatory."

The court upheld the rights of matrimonial courts to order a person to undergo medical test. Such an order, the court held, would not be in violation of the right to personal liberty under Article 21 of the Constitution of India. However, this power could only be exercised if the applicant had a strong prima facie case, and there was sufficient material before the court. Crucially, the court held that if, despite the order of the court, the respondent refused to submit herself to medical examination, the court would be entitled to draw an adverse inference against him.

Thus, oddly, one limitation on the right to privacy appears to be the statutory rights of others. One is entitled to the privacy of one’s body, to the extent that another person is not, thereby, deprived of a statutory right – as in this case, to divorce.

Reproductive Rights

Ahmedabad: A 13-year-old girl, who conceived after being repeatedly raped, has moved the Gujarat High Court and sought permission to medically terminate her pregnancy after a sessions court rejected her plea.

Express India(April 2010) [15]

To what extent do pregnant women enjoy a right to privacy over their bodies and their reproductive decisions? Are there circumstances when the State can intervene and either order or forbid an abortion?

According to the Medical Termination of Pregnancy Act, 1971 a pregnancy may be terminated before the twentieth week if:

the continuance of the pregnancy would involve a risk to the life of the pregnant woman or of grave injury to her physical or mental health; or
there is a substantial risk that if the child were born, it would suffer from such physical or mental abnormalities to be seriously handicapped.
where any pregnancy is alleged by the pregnant woman to have been caused by rape,
where any pregnancy occurs as a result of failure of any device or method used by any married woman or her husband for the purpose of limiting the number of children.

Consent for termination needs to be obtained from the guardian in cases of minors or women who are mentally ill. In all other cases, the woman herself must consent.

Beyond the period of 20 weeks, the pregnancy may only be terminated if there is immediate danger to the life of the woman.

In August 2009, the Supreme Court heard an expedited appeal that was filed on behalf of a destitute mentally retarded woman who had become pregnant consequent to having been raped at a government run shelter. The government had approached the high court seeking permission to terminate her pregnancy, which had been granted by that court despite the finding by an ‘expert body’ of medical practitioners that she was keen on continuing the pregnancy. On appeal the Supreme Court held, very curiously, that the woman was not ‘mentally ill’, but ‘mentally retarded’, and consequently her consent was imperative under the Act. [16] However, not content to stop there, the court made several puzzling and contradictory observations:

Firstly, the court took the opportunity to affirm, generally, women’s rights to make reproductive choices as a dimension of their `personal liberty' as guaranteed by Article 21 (Right to Life and Personal Liberty) of the Constitution of India. The court observed:

“It is important to recognise that reproductive choices can be exercised to procreate as well as to abstain from procreating. The crucial consideration is that a woman's right to privacy, dignity and bodily integrity should be respected. This means that there should be no restriction whatsoever on the exercise of reproductive choices such as a woman's right to refuse participation in sexual activity or alternatively the insistence on use of contraceptive methods. Furthermore, women are also free to choose birth-control methods such as undergoing sterilisation procedures. Taken to their logical conclusion, reproductive rights include a woman's entitlement to carry a pregnancy to its full term, to give birth and to subsequently raise children. (emphasis mine) [17]

However, the court went on to affirm, in language that curiously imitates Roe v Wade,[18] that there was “a `compelling state interest' in protecting the life of the prospective child.[19]

Secondly, the Supreme Court upheld the woman’s consent as determinative and in doing so, categorically rejected the high court approach. The court held that since she suffered from `mild mental retardation' this did not render her "incapable of making decisions for herself". Simultaneously, however, the Supreme Court proceeded gratuitously to apply the common law doctrine of `parens patriae' to resume jurisdiction over the woman in her “best interests”. According to a court-appointed expert committee, her mental age was “close to that of a nine-year old child” and she was capable of “learning through rote memorisation and imitation” and of performing “basic bodily functions”.[20] In this light, the court deemed in her ‘best interests’, as defined by an expert committee, to defer to her wishes.

The findings recorded by the expert body indicate that her mental age is close to that of a nine-year old child and that she is capable of learning through rote-memorisation and imitation. Even the preliminary medical opinion indicated that she had learnt to perform basic bodily functions and was capable of simple communications. In light of these findings, it is the `best interests' test alone which should govern the inquiry in the present case and not the `substituted judgment' test. [21]

If one disregards the liberalism of its outcome, there are various problems with this decision. Chiefly, the Supreme Court relied on the woman’s expressed consent to deny the legitimacy of the high court’s decision in favour of abortion. Inexplicably, however, in the same move, the Supreme Court reserved to itself the right to adjudicate the ‘best interests’ of the woman. Thus, in relation to abortion, mentally retarded women are more autonomous than minor girls (since their own consent is determinative, rather than their guardians) but they are still less autonomous than ‘normal’ women (since their decisions are subject to adjudication based on what the court thinks is in their best interests)!

DNA Tests in Civil Suits

Do we have a right to privacy over the interiors of our body – our blood, our tissue, our DNA? There is, by now, a strong line of cases decided by the Supreme Court in which our right to ‘bodily integrity’ has been held to not be absolute, and may be interfered with in order to settle many terrestrial issues. In most cases, this question has arisen in the context of the determination of paternity – either in divorce or maintenance proceedings. Central in the determination of these issues is section 112 of the Evidence Act which stipulates that birth of a child during the continuance of a valid marriage (or within 280 days of its dissolution) would be conclusive proof of legitimacy of that child, “unless it can be shown that the parties to the marriage had no access to each other at any time when he could have been begotten.”

As is evident, this section creates a strong legal presumption of legitimacy that leaves no room for a scientific rebuttal. Various litigants have, nevertheless, sought the courts’ indulgence in accepting medical evidence to displace this formidable legal presumption. These efforts have yielded a measure of success, and a steady line of precedents since the early 1990s now affirms the right of courts to direct medical evidence in cases they consider fit. In these cases, the court has frequently invoked privacy rights as an important consideration to be weighed before ordering a person to submit to any test.

In one of the earliest and most frequently invoked cases, Goutam Kundu vs State of West Bengal and Anr (1993) [22] the Supreme Court laid down guidelines governing the power of courts to order blood tests. The court held:

courts in India cannot order blood test as matter of course;

wherever applications are made for such prayers in order to have roving inquiry, the prayer for blood test cannot be entertained.

There must be a strong prima facie case in that the husband must establish non-access in order to dispel the presumption arising under section 112 of the Evidence Act.

The court must carefully examine as to what would be the consequence of ordering the blood test; whether it will have the effect of branding a child as a bastard and the mother as an unchaste woman.

No one can be compelled to give sample of blood for analysis.

On the particular facts of this case, the Supreme Court refused to order the respondent to submit to the test, since in its view, there was no prima facie case made out that cast doubts on the legal presumption of legitimacy.

These guidelines have been frequently invoked in subsequent cases. In a complex set of facts, in Ms. X vs Mr. Z and Anr (2001), [23] the Delhi High Court was called to consider whether a foetus had a ‘right to privacy’ – or whether the mother of the foetus could assert a right to privacy on it’s behalf. A woman had given birth to a still-born child and tissues from the foetus had been stored at the All India Institute of Medical Sciences. Her husband approached to obtain an order permitting a DNA test to be carried out to determine if he was the father. In her defence, the woman claimed that this would offend her right to privacy. The high court reaffirmed the guidelines laid down in the Gautam Kundu case (supra), and also upheld the petitioner’s right to privacy over her own body. However, the court took the stance that she did not have a right of privacy over the foetus once it had been discharged from her body:

"The petitioner indeed has a right of privacy but is being not an absolute right, therefore, when a foetus has been preserved in All India Institute of Medical Science, the petitioner, who has already discharged the same cannot claim that it affects her right of privacy.

However, if the petitioner was being compelled to subject herself to blood test or otherwise, she indeed could raise a defense that she cannot be compelled to be a witness against herself in a criminal case or compelled to give evidence against her own even in a civil case but the position herein is different. The petitioner is not being compelled to do any such act. Something that she herself has discharged, probably with her consent, is claimed to be subjected to DNA test. In that view of the matter, in the peculiar facts, it cannot be termed that the petitioner has any right of privacy."

The decision has wide-ranging implications since it virtually divests control and ownership over any material that has been discarded from the body – from nails to hair to tissue samples. In an interesting case in the US, Moore v. Regents of the University of California [24], the Supreme Court of California was faced with a suit to determine whether a man retained ownership over cells that had been removed from his body through a surgical procedure. In this case, cells from a patient’s spleen were used to conduct research which resulted in the patenting of a cell-line by the defendant. The patient sued for a share in the profits, but this was rejected by the court which held that he had no property rights to his discarded cells or any profits made from them. The court specifically rejected the argument that his spleen should be protected as property as an aspect of his privacy and dignity. The court held these interests were already protected by informed consent.

In a sense the Ms. X vs Mr. Z case arrives at identical conclusions without as much deliberation on its implications. It would be interesting to see how subsequent courts interpret and apply this precedent.

One of the most critical factors, consistently weighed by courts alongside the privacy rights implicated, is the ‘best interests’ of the child. Thus, in Bhabani Prasad Jena v. Convenor Secretary, Orissa State Commission for Women & Anr.[25], the Supreme Court quashed a high court-mandated DNA test to determine the paternity of an unborn child in a woman’s womb. In doing so, the SC observed:

“In a matter where paternity of a child is in issue before the court, the use of DNA is an extremely delicate and sensitive aspect. One view is that when modern science gives means of ascertaining the paternity of a child, there should not be any hesitation to use those means whenever the occasion requires. The other view is that the court must be reluctant in use of such scientific advances and tools which result in invasion of right to privacy of an individual and may not only be prejudicial to the rights of the parties but may have devastating effect on the child. Sometimes the result of such scientific test may bastardise an innocent child even though his mother and her spouse were living together during the time of conception. In our view, when there is apparent conflict between the right to privacy of a person not to submit himself forcibly to medical examination and duty of the court to reach the truth, the court must exercise its discretion only after balancing the interests of the parties and on due consideration whether, for a just decision in the matter, DNA is eminently needed. (emphasis added)

A strong trend, evident in this case, is the bussing of the interests of the child (in not being declared illegitimate), along with the privacy rights of the mother. The two create a composite interest opposed to that of the putative father, which the courts have been reluctant to interfere with except for the most compelling reasons. But what happens when then the interests of the child conflict with the privacy rights of either parent?

In a high profile case in 2010, Shri Rohit Shekhar vs Shri Narayan Dutt Tiwari[26], the Delhi High was called upon to determine whether a man had a right to subject the person he named as his biological father to a DNA test. Contrary to the trend in the preceding cases, it was the biological father who pleaded his right to privacy in this case. The court relied on international covenants to affirm the “right of the child to know of her (or his) biological antecedents” irrespective of her (or his) legitimacy. The court ruled:

There is of course the vital interest of child to not be branded illegitimate; yet the conclusiveness of the presumption created by the law in this regard must not act detriment to the interests of the child. If the interests of the child are best sub-served by establishing paternity of someone who is not the husband of her (or his) mother, the court should not shut that consideration altogether.

The protective cocoon of legitimacy, in such case, should not entomb the child’s aspiration to learn the truth of her or his paternity.

The court went on to draw a distinction between legitimacy and paternity that may both "be accorded recognition under Indian law without prejudice to each other. While legitimacy may be established by a legal presumption [under section 112 of the Evidence Act], paternity has to be established by science and other reliable evidence"[27] The court, however, reaffirmed that the same considerations would apply as was laid down in previous cases – i.e., the plaintiff would have to establish a prima facie case and weigh the competing interests of privacy and justice before it could order a DNA test. In this case, the petitioner was able to produce DNA evidence that excluded the possibility that his legal father was his biological father. In addition, photographic and testimonial evidence suggested that the respondent could be his biological father. On these grounds the Delhi High Court ordered the respondent to undergo a DNA test. This was upheld in an appeal to the Supreme Court.

So from the foregoing cases, it appears that it is the ‘best interests of the child’ that undergrids the right to privacy of either parent. When the two are in conflict it is the former that will, the case law suggests, invariably prevail.

Bodily Effects — Fingerprints, handwriting samples, photographs, Irises, narco-analysis, brain maps and DNA

The human body easily betrays itself. We are incessantly dropping residues of our existence wherever we go – from shedding hair and fingernails, to fingerprints and footprints, handwriting – which, through use of modern technology, can implicate our bodies, and identify us against our will. Not even our thoughts are immune as new technologies like brain mapping pretend to be able to harvest psychic clues from our physiology.

In this section we explore occasions when the state may compel us to 'perform' our existence for instance, by submitting to photography, providing finger impressions or handwriting samples, submit to narco-analysis and truth tests, and more recently to provide iris scan data or our DNA.

Section 73 of the Evidence Act stipulates that the court "may direct any person present in the court to write any words or figures for the purpose of enabling the court to compare the words or figures so written with any words or figures alleged to have been written by such person."

This section was interpreted by the Supreme Court in State of U.P. v. Ram Babu Misra [28] where it was held that there must be “some proceeding before the court in which...it might be necessary... to compare such writings”. This specifically excludes, say, a situation where the case is still under investigation and there is no present proceeding before the court. “The language of section 73 does not permit a court to give a direction to the accused to give specimen writings for anticipated necessity for comparison in a proceeding which may later be instituted in the court.”

The pre-independence Identification of Prisoners Act, 1920 provides for the mandatory taking, by police officers, of 'measurements' and photograph of persons arrested or convicted for any offence punishable with rigorous imprisonment for a term of one year of upwards or ordered to give security for his good behaviour under section 118 of the Code of Criminal Procedure. [29] The Act also empowers a magistrate to order a person to be measured or photographed if he is satisfied that it is required for the purposes of any investigation or proceeding under the Code of Criminal Procedure, 1898. [30]

The Act also provides for the destruction of all photographs and records of measurements on discharge or acquittal. [31]

In addition, the Code of Criminal Procedure was amended in 2005 to enable the collection of a host of medical details from accused persons upon their arrest. Section 53 of the Code of Criminal Procedure provides that upon arrest, an accused person may be subjected to a medical examination if there are “reasonable grounds for believing” that such examination will afford evidence as to the crime. The scope of this examination was expanded in 2005 to include “the examination of blood, blood-stains, semen, swabs in case of sexual offences, sputum and sweat, hair samples and finger nail clippings by the use of modern and scientific techniques including DNA profiling and such other tests which the registered medical practitioner thinks necessary in a particular case.”

In a case in 2004, the Orissa High Court affirmed the legality of ordering a DNA test in criminal cases to ascertain the involvement of persons accused. Refusal to co-operate would result in an adverse inference drawn against the accused.

After weighing the privacy concerns involved, the court laid down the following considerations as relevant before the DNA test could be ordered:

the extent to which the accused may have participated in the commission of the crime;
the gravity of the offence and the circumstances in which it is committed;
age, physical and mental health of the accused to the extent they are known;
whether there is less intrusive and practical way of collecting evidence tending to confirm or disprove the involvement of the accused in the crime;
the reasons, if any, for the accused for refusing consent [32]

Most recently the draft DNA Profiling Bill pending before the Parliament attempts to create an ambitious centralized DNA bank that would store DNA records of virtually anyone who comes within any proximity to the criminal justice system. Specifically, records are maintained of suspects, offenders, missing persons and “volunteers”. The schedule to the Bill contains an expansive list of both civil and criminal cases where DNA data will be collected including cases of abortion, paternity suits and organ transplant. Provisions exist in the bill that limit access to and use of information contained in the records, and provide for their deletion on acquittal. These are welcome minimal guarantors of privacy.

It is evident that the utility of this mass of information – fingerprints, handwriting samples and photographs, DNA data – in solving crimes is immense. Without saying a word, it is possible for a person to be convicted based on these various bodily affects – the human body constantly bears witness and self-incriminates itself. Both handwriting and finger impressions beg the question of whether these would offend the protection against self-incrimination contained in Article 20(3) of our Constitution which provides that “No person accused of any offence shall be compelled to be a witness against himself.” This argument was considered by the Supreme Court in the State of Bombay vs Kathi Kalu Oghad and Ors. [33] The petitioner contended that the obtaining of evidence through legislations such as the Identification of Prisoners Act amounted to compelling the person accused of an offence "to be a witness against himself" in contravention of Article 20(3) of the Constitution. The court held that “there was no infringement of Article 20(3) of the Constitution in compelling an accused person to give his specimen handwriting or signature, or impressions of his thumb, fingers, palm or foot to the investigating officer or under orders of a court for the purposes of comparison. ...Compulsion was not inherent in the receipt of information from an accused person in the custody of a police officer; it will be a question of fact in each case to be determined by the court on the evidence before it whether compulsion had been used in obtaining the information.” [34]

Over the past two decades, forensics has shifted from trying to track down a criminal by following the trail left by her bodily traces, to attempting to apply a host of invasive technologies upon suspects in an attempt to ‘exorcise’ truth and lies directly from their body. One statement by Dr M.S. Rao, Chief Forensic Scientist, Government of India captures this shift:

Forensic psychology plays a vital role in detecting terrorist cases. Narco-analysis and brainwave fingerprinting can reveal future plans of terrorists and can be deciphered to prevent terror activities⁄ Preventive forensics will play a key role in countering terror acts. Forensic potentials must be harnessed to detect and nullify their plans. Traditional methods have proved to be a failure to handle them. Forensic facilities should be brought to the doorstep of the common man⁄ Forensic activism is the solution for better crime management. [35]

Although there are several such 'technologies' which operate on principles ranging from changes in respiration, to mapping the electrical activity in different areas of the brain, what is common to them all, in Lawrence Liang’s words is that they “maintain that there is a connection between body and mind; that physiological changes are indicative of mental states and emotions; and that information about an individual’s subjectivity and identity can be derived from these physiological and physiological measures of deception” [36]

So, how legal are these technologies, in view of the constitutional protections against self-incrimination? In a case in 2004 the Bombay High Court upheld these technologies by applying the logic of the Kathi Kalu Oghad case discussed above. The court drew a distinction between ‘statements’ and ‘testimonies’ and held that what was prohibited under Article 20(3) were only ‘statements’ that were made under compulsion by an accused. In the court’s opinion, “the tests of Brain Mapping and Lie Detector in which the map of the brain is the result, or polygraph, then either cannot be said to be a statement”. At the most, the court held, “it can be called the information received or taken out from the witness.” [37]

This position was however overturned recently by the Supreme Court in Selvi v. State of Karnataka (2010)[38]. In contrast with the Bombay High Court, the Supreme Court expressly invoked the right of privacy to hold these technologies unconstitutional.

“Even though these are non- invasive techniques the concern is not so much with the manner in which they are conducted but the consequences for the individuals who undergo the same. The use of techniques such as 'Brain Fingerprinting' and 'FMRI-based Lie-Detection' raise numerous concerns such as those of protecting mental privacy and the harms that may arise from inferences made about the subject's truthfulness or familiarity with the facts of a crime.”

Further down, the court held that such techniques invaded the accused’s mental privacy which was an integral aspect of their personal liberty.

“There are several ways in which the involuntary administration of either of the impugned tests could be viewed as a restraint on 'personal liberty' ... the drug-induced revelations or the substantive inferences drawn from the measurement of the subject's physiological responses can be described as an intrusion into the subject's mental privacy”

Following a thorough-going examination of the issue, the Supreme Court directed that “no individual should be forcibly subjected to any of the techniques in question, whether in the context of investigation in criminal cases or otherwise. Doing so would amount to an unwarranted intrusion into personal liberty.” The court however, left open the option of voluntary submission to such techniques and endorsed the following guidelines framed by the National Human Rights Commission:

No Lie Detector Tests should be administered except on the basis of consent of the accused. An option should be given to the accused whether he wishes to avail such test.
If the accused volunteers for a Lie Detector Test, he should be given access to a lawyer and the physical, emotional and legal implication of such a test should be explained to him by the police and his lawyer.
The consent should be recorded before a judicial magistrate.
During the hearing before the magistrate, the person alleged to have agreed should be duly represented by a lawyer.
At the hearing, the person in question should also be told in clear terms that the statement that is made shall not be a `confessional' statement to the magistrate but will have the status of a statement made to the police.
The magistrate shall consider all factors relating to the detention including the length of detention and the nature of the interrogation.
The actual recording of the lie detector test shall be done by an independent agency (such as a hospital) and conducted in the presence of a lawyer. 250
A full medical and factual narration of the manner of the information received must be taken on record.

Although the right against self-incrimination and the inherent fallaciousness of the technologies were the main ground on which decision ultimately rested, this case is valuable for the court’s articulation of a right of ‘mental privacy’ grounded on the fundamental right to life and personal liberty. It remains to be seen whether this articulation will find resonance in other determinations in domains such as, say, communications.

Privacy of Records

Since at least the mid-nineteenth century, we have been living in what Nicholas Dirks has termed an 'ethnographic state' — engaged relentlessly and fetishistically in the production and accumulation of facts about us. From records of birth and death, to our academic records, most of our important transactions, our income tax filings, our food entitlements and our citizenship, most of us have assuredly been documented and lead a shadow existence somewhere on the files. Not only does the government keep records about us, but a host of private service providers including banks, hospitals, insurance and telecommunications companies maintain volumes of records about us. In this last section of this paper, we look at the privacy expectation of records both maintained by the government and the private sector.

Various statutes require records to be maintained of activities conducted under their authority and entire bureaucracies exist solely in service of these documents. Thus, for instance, the Registration Act requires various registers to be kept which record documents which have been registered under the Act. [39]; Once registered under this Act, all documents become public documents and State Rules typically contain provisions enabling the public to obtain copies of all documents for a fee. Similarly, a number of legislation – typically dealing with land records at the state level contain enabling provisions that allow the public to access them upon payment of a fee.

Where no provisions are provided within the statute itself that enable the public to obtain records, two recourses are still available.

Firstly, the Evidence Act enables courts to access records maintained by any government body. Secondly, private citizens may access records kept in public offices through the Right to Information Act. Each of these avenues is described in some details below:

Section 74 of the Evidence Act defines 'public documents' as including the following

Documents forming the acts, or records of the acts

Of the sovereign authority,
Of Official bodies and the Tribunals, and
Of public officers, legislative, judicial and executive, of any part of India or of the Commonwealth, or of a foreign country.

Public records kept in any state of private documents

It is clear from this definition that most records maintained by any government body are regarded as public documents. Section 76 mandates that every public officer "having custody of a public document, which any person has a right to inspect, shall give that person on demand a copy of it on payment of the legal fees therefor together with a certificate written at the foot of such copy that it is a true copy of such document or part thereof".

Since there is no legislative guidance within the Evidence Act to indicate who may be said to possess "a right to inspect", this has been interpreted to mean that where the right to inspect and take a copy is not expressly conferred by a statute (as in the Registration Act mentioned above), “the extent of such right depends on the interest which the applicant has in what he wants to copy, and what is reasonably necessary for the protection of such interest". So it isn’t any officious meddler who may access such records – only persons with genuine interests in the matter, either personal or pecuniary, may obtain copies through this route.

In addition to the Evidence Act, copies of documents may also be obtained under the Right to Information Act 2005 which confers on citizens the right to inspect and take copies of any information held by or under the control of any public authority. Information is defined widely to include "any material in any form, including records, documents, memos, e-mails, opinions, advices, press releases, circulars, orders, logbooks, contracts, reports, papers, samples, models, data material held in any electronic form and information relating to any private body which can be accessed by a public authority under any other law for the time being in force".

Section 8 (j) of the Act exempts "disclosure of personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual” unless the relevant authority “is satisfied that the larger public interest justifies the disclosure of such information".

In an interesting case Mr. Ansari Masud A.K vs Ministry of External Affairs (2008)[40] , the Central Information Commission has held that “details of a passport are readily made available by any individual in a number of instances, example to travel agents, at airline counters, and whenever proof of residence for telephone connections etc. is required. For this reason, disclosure of details of a passport cannot be considered as causing unwarranted invasion of the privacy of an individual and, therefore, is not exempted from disclosure under Section 8(1)(j) of the RTI Act.” This is despite the fact that nothing in the Passport Act itself authorizes disclosure of any documents under any circumstances.

However, the Right to Information Act isn’t as convenient a vehicle for privacy abuse as this case may suggest. The RTI adjudicatory apparatus has on several occasions upheld the denial of information on grounds of privacy violation – most famously in a case where an applicant sought information from the Census Department on the ‘religion and faith’ of Sonia Gandhi – the President of the largest party currently in power in India. Both the Central Information Commission – the apex body adjudicating RTI appeals as well as the Punjab and Haryana High Court upheld the denial of information as it would otherwise lead to an unwarranted incursion into her privacy.[41]

A similar concept of 'public interest' would seem to apply when private companies disclose personal information without a person’s consent. Without delving into the issue in too much detail, it would suffice here to mention one of the most important cases to have come up on the issue. In Mr. X vs Hospital Z[42] , a person sued a hospital for having disclosed his HIV status to his fiancé without his knowledge resulting in their wedding being called off. The Supreme Court held that the hospital was not guilty of a violation of privacy since the disclosure was made to protect the public interest. While affirming the duty of confidentiality owed to patients, the court ruled that the right to privacy was not absolute and was "subject to such action as may be lawfully taken for the prevention of crime or disorder or protection of health or morals or protection of rights and freedom of others."

Conclusion

Reflecting on the volume of case law that we have in India on privacy, one is struck at once, both by the elasticity of the concept of privacy — spanning, as it does, diverse fields from criminal law to paternity suits to wiretapping —as well as its fragility — the flag of privacy is constantly being raised only to be ultimately overridden on pretexts that range from security of state, to a competing private interest.

On the one hand, one marvels at the success of the concept, only a few decades old in Indian law, in insinuating itself into legal arguments across diverse contexts. On the other hand, one is dismayed by the fact that rarely does the concept seem to score a victory. There is an almost ritual quality to the way in which the “right to privacy” is invoked in these cases - always named as a relevant factor; it never seems to substantially influence the outcome of the case at hand.

The right to privacy in India was an Oops baby, born on the ventilator of a minority decision of the Supreme Court, and nourished in the decades that followed by sympathetic judges, who never failed to point out that this right was contingent — not absolute, not meant to be under the Constitution, but carved out anyway. Some five decades after its first invocation by the Supreme Court, one gets the feeling that the right to privacy, conceptually, hasn’t moved, and is still what it was then. We don’t, today, for the many times it has been invoked by courts, have a thicker, more robust concept of privacy than we started out with. So the question, that one is stuck with is, what work does this concept of privacy do?

One of the failings of the concept of privacy in India is that it doesn’t exist as a positive right, but is merely a resistive right against targeted intrusion. So for instance, the right to privacy would be useless as a concept to resist something like generalized street video surveillance – as long as a citizen is not singled out for a disadvantage, this right would be of no use. So this right to privacy is a negative right to not be interfered with. Under it one does not have the right to be as private as one wishes, but only no less than the next person. Still, even this limited concept could be useful, if it were applied more rigorously.

Unfortunately, as the case law indicates, the right to privacy cedes too quickly to competing interests. An incomplete rough catalog of these competing rights, drawn from the case law surveyed in this paper include:

public emergency and public safety (communications)
criminal investigation (search and seizure/communications)
competing private interests (divorce proceedings)
best interests of the child (paternity suits)
public interest (Right to Information)
competing fundamental rights (HIV status)

One may perhaps add judicial inactivity as one of the limiting factors on privacy. By holding that violations of procedure by investigating agencies would not vitiate trials, the judiciary has been complicit in perhaps some of the more damaging incursions into privacy. Once a person is implicated in any manner in the criminal justice system – either as a victim, a witness or an offender, investigating agencies are immediately invested with plenary powers. They can search his house without warrant. They can place him arrest. Subject him to ‘medical examinations’, take his fingerprints and DNA and hold it in a bank and there is nothing you can do. In this context, perhaps the strongest privacy safeguard can come from a reform in criminal procedure alone.

Notes

[1].The State of Uttar Pradesh V. Kaushaliya and Others AIR 1964 SC 416

[2].(1978) 2 SCR 621

[3]. 1 SCR 332

[4].AIR 1973 SC 157, 1973 SCR (2) 417

[5].(1975) 2 SCC 148

[6].(1994) 6 S.C.C. 632

[7].AIR 1997 SC 568

[8].AIR 1976 SC 789,1976 SCR (2)1060, (1976) 2 SCC 128

[9].Romesh Thappar vs The State Of Madras AIR 1950 SC 124 , 1950 SCR 594

[10].1966 AIR 1967 Ker 228, 1967 CriLJ 1511

[11].AIR 1980 SC 593 , 1980 SCR (2) 340

[12].[1963] Supp. 1 S.C.R. 408

[13].Distt. Registrar & Collector, Hyderabad v. Canara bank etc. AIR 2005 SC 186

[14].(2003) 4 SCC 493

[15].13-yr-old rape victim to HC: let me abort -, EXPRESS INDIA, April 21, 2010, http://tinyurl.com/13yrindian (last visited May 2, 2010).

[16].Suchita Srivastava v. Chandigarh Administration, (2009) 9 SCC 1. http://courtnic.nic.in/supremecourt/temp/dc%201798509p.txt (last visited May 2, 2010).

[17].Ibid

[18].410 U.S. 113 (1973)

[19].Article 21 does not limit the abridgement of the right to life by the state to only cases where the state has compelling state interest. The Article reads “No person shall be deprived of his life or personal librty except according to procedure established by law”

[20].Ibid

[21].Ibid

[22].AIR 1993 SC 2295, 1993 SCR (3) 917 <http://indiankanoon.org/doc/1259126/>

[23].AIR 2002 Delhi 217 <http://indiankanoon.org/doc/627683/>

[24].51 Cal. 3d 120; 271 Cal. Rptr. 146; 793 P.2d 479

[25].AIR 2010 SC 2851 <http://indiankanoon.org/doc/486945/>

[26].23 December, 2010 <http://indiankanoon.org/doc/504408/>

[27].Ibid

[28].AIR 1980 SC 791 , 1980 SCR (2)1067 , (1980) 2 SCC 343

[29].Sections 3 & 4 of the Identification of Prisoners Act, 1920

[30].Ibid, Section 5

[31].Section 7

[32].Thogorani Alias K. Damayanti vs State Of Orissa And Ors 2004 Cri L J 4003 (Ori) < http://indiankanoon.org/doc/860378/>

[33].AIR 1961 SC 1808 < http://indiankanoon.org/doc/1626264/>

[34].Ibid

[35].Keynote address given to the 93rd Indian Science Congress. See http://mindjustice.org/india2-06.htm, cited in Liang, L., 2007. And nothing but the truth, so help me science. In Sarai Reader 07 - Frontiers. Delhi: CSDS, Delhi, pp. 100-110. Available at: http://www.sarai.net/publications/readers/07-frontiers/100-110_lawrence.pdf [Accessed April 11, 2011].

[36].Ibid

[37].Ramchandra Ram Reddy v. State of Maharashtra [1 (2205) CCR 355 (DB)

[38].(2010) 7 SCC 263 http://indiankanoon.org/doc/338008/

[39].See Section 52 of the Registration Act 1908

[40].CIC/OK/A/2008/987/AD dated December 22, 2008 <http://indiankanoon.org/doc/1479476/>

[41].Anon, 2010. High Court dismisses appeal seeking information on Sonia Gandhi’s religion. NDTV Online. Available at: http://www.ndtv.com/article/india/high-court-dismisses-appeal-seeking-information-on-sonia-gandhi-s-religion-69356 [Accessed April 12, 2011].

[42].(2003) 1 SCC 500 40

Download file here [PDF, 312kb]

For more details visit https://cis-india.org/internet-governance/blog/privacy/limits-to-privacy

April 2011 Bulletin

praskrishna — 2012-07-30T10:45:01Z

Greetings from the Centre for Internet and Society! In this issue we are pleased to present you the latest updates about our research, upcoming events, and news and media coverage:

Researchers@Work

Workshops organised in Bangalore

Shadow Search Project (SSP) [CIS, April 18, 2011]
Facebook Resistance [CIS, April 2, 2011]

Digital Natives with a Cause?

Columns on Digital Natives

A fortnightly column on ‘Digital Natives’ authored by Nishant Shah is featured in the Sunday Eye, the national edition of Indian Express, Delhi, from 19 September 2010 onwards. The following were published in the month of April:

Who the Hack? [Indian Express, April 24, 2011]
One for the avatar [Indian Express, April 3, 2011]

Digital Natives Newsletter

Links in the Chain is a bi-monthly publication which highlights the projects, ideas and news of the Digital Natives with a Cause? The first issue of volume IV is here:

links in the chain volume 4 Best Practices

New Blog Entry by Samuel Tettner

Samuel Tettner is a Digital Natives Coordinator in CIS. He has written the following blog entry:

Cyber Fears: What scares Digital Natives and those around them

Accessibility

Workshop organised in Hyderabad

Web Sites Accessibility Evaluation Methodologies: Conference Report

Openness

Submission

Comments on Draft National Policy on ICT in School Education

New Blog Entry

Towards Open and Equitable Access to Research and Knowledge for Development [PLoS, March 29, 2011]

Internet Governance

Although there may not be one centralized authority that rules the Internet, the Internet does not just run by its own volition: for it to operate in a stable and reliable manner, there needs to be in place infrastructure, a functional domain name system, ways to curtail cyber crime across borders, etc. The Tunis Agenda of the second World Summit on the Information Society (WSIS), paragraph 34 defined Internet governance as “the development and application by governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet.” Its latest endeavour has resulted into these:

Featured Research

Interview

An Interview with Activist Shubha Chacko: Privacy and Sex workers

Workshops organized in Ahmedabad and Bangalore

'Privacy Matters', Ahmedabad: Conference Report [Ahmedabad Management Association, Ahmedabad, March 26, 2011]
Privacy, By Design [CIS, April 16, 2011]

New Blog Entries

Telecom

Column

Shyam Ponappa is a Distinguished Fellow at CIS. He writes regularly on Telecom issues in the Business Standard and these articles are mirrored on the CIS website as well.

Learning from Fukushima [published in the Business Standard on April 7, 2011]

News & Media Coverage

The Gary Chapman International School on Digital Transformation[International School on Digital Transformation, July 17-22, 2011]
Iraqi delegation in Bangalore to study e-governance projects [Economic Times, April 20, 2011]
Dark waders [Time Out Bengaluru, Vol. 3, Issue 20, April 15 - 28, 2011]
Beyond Clicktivism [Outlook, April 18, 2011]
Gone in a flash [Times of India, April 16, 2011]
How Web 2.0 responded to Hazare [Hindu, April 11, 2011]
EU Commissioner Hedegaard to deliver keynote address at consumer world congress
Net cracker [Time Out Bengaluru Vol. 3 Issue 19, April 1 - 14, 2011]
On the Path to Global Open Access: A Few More Miles to Go [PLoS, March 2011, Volume 8, Issue 3]

Follow us elsewhere

Get short, timely messages from us on Twitter
Follow CIS on identi.ca
Join the CIS group on Facebook
Visit us at www.cis-india.org

CIS is grateful to Kusuma Trust which was founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin, for its core funding and support for most of its projects.

For more details visit https://cis-india.org/about/newsletters/april-2011-bulletin

We are anonymous, we are legion

sunil — 2012-03-21T09:38:56Z

Online anonymity is vital for creativity and entrepreneurship on the Web, writes Sunil Abraham. The article was published in the Hindu on April 18, 2011.

During his keynote at the International World Wide Web Conference recently, Sir Tim Berners-Lee argued for the preservation of online anonymity as a safeguard against oppression. This resonated with his audience in Hyderabad, given the recent uproar in the Indian blogosphere and twitterverse around the IT Act (Amendment 2008) and the recently published associated rules for intermediaries and cyber cafes.

Over time, there has been a dilution of standards for blanket surveillance. The Telegraph Act allowed for blanket surveillance of phone traffic only as the rarest of exceptions. The IT Act and the ISP licence on the other hand, authorise and require ISPs and cyber cafes to undertake blanket surveillance as the norm in the form of data retention. The transaction database of the UID (Unique Identification Number) project will log of all our interactions with the government, private sector and other citizens; all these are frightening developments for freedom of expression in general and anonymous speech in particular.

Anonymous speech is a necessary pre-condition for democratic and open governance, free media, protection of whistle-blowers and artistic freedom. On many controversial areas of policy formulation, it is usually anonymous officials from various ministries making statements to the press. Would mapping UIDs to IP address compromise the very business of government? A traditional newspaper may solicit anonymous tips regarding an ongoing investigative journalism campaign through their website.

Would data retention by ISPs expose their anonymous sources? Whistle-blowers usually use public Wi-Fi or cyber cafes because they don't want their communications traced back to residential or official IP addresses. Won't the ban on open public Wi-Fi networks and the mandatory requirement for ID documents at cyber cafes jeopardise their safety significantly? Throughout history, great art has been produced anonymously or under a nom de plume. Will the draft Intermediary Due Diligence Rules, which prohibits impersonation even if it is without any criminal intent, result in artists sanitising their art into banality?

Anonymous speech online is facilitated by three forms of sharing — shared standards, shared software and shared identities. Shared or open standards such as asymmetric encryption and digital signatures allow for anonymous, private and yet authenticated communications. Shared software or Free/Open Source Software reassures all parties involved that there is no spy-ware or back door built into tools and technologies built around these standards.

Shared identities, unlike shared software and standards, is a cultural hack and, therefore, almost impossible to protect against. V for Vendetta, the graphic novel by Alan Moore gives us an insight into how this is could be done. The hero, V, hides his identity behind a Guy Fawkes mask. Towards the end of the novel, he couriers thousands of similar masks to the homes of ordinary citizens.

In the final showdown between V and the oppressive regime, these citizens use these masks to form an anonymous mob that confuses the security forces into paralysis. Shared identities online therefore, is the perfect counterfoil to digital surveillance.

As Dr. Berners-Lee spoke in Hyderabad, the Internet Rights and Principles Dynamic Coalition of the Internet Governance Forum released a list of 10 principles for online governance at the meeting convened by the UN Special Rapporteur on Freedom of Expression in Stockholm.

The fifth principle includes “freedom from surveillance, the right to use encryption, and the right to online anonymity”. One hopes that Gulshan Rai of CERT-IN will heed the advice provided by his international peers and amend the IT Act rules before they have a chilling effect on online creativity and entrepreneurship.

Read the article originally published in the Hindu, here

For more details visit https://cis-india.org/internet-governance/blog/online-anonymity

You Have the Right to Remain Silent

anja — 2011-08-02T07:55:22Z

India has a long history of censorship that it justifies in the name of national security. But new laws governing the Internet are unreasonable and — given the multitude of online voices — poorly thought out, argues Anja Kovacs in this article published in the Sunday Guardian on 17 April 2011.

In March 2011, Indian media - both social and traditional - was ablaze with fears that a new set of rules, proposed to complement the IT (Amendment) Act 2008, would thwart the freedom of expression of India's bloggers: contrary to standard international practice, the Intermediary Due Dilligence Rules seemed intent on making bloggers responsible for comments made by readers on their site. Only a few weeks earlier, the threat of online censorship had manifested itself in a different form: although the block was implemented unevenly, mobile applications market space Mobango, bulk SMS provider Clickatell, hacking-related portal Zone-H.com and blogs hosted on Typepad were suddenly no longer accessible for most Indian netizens, without warning or explanation.

Censorship in India is nothing new. At the time of Independence, there was widespread fear among its lawmakers that unrestricted freedom of expression could become a barrier to the social reforms necessary to put the country on Nehru's path to development – particularly as the memory of Partition continued to be vivid. Although freedom of expression is guaranteed by the Constitution, it is therefore subject to a fairly extensive list of so-called "reasonable" restrictions: the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence. But while this long list might have made sense at the time of Partition, in the mature democracy that India has now become, its existence, and the numerous opportunities for censorship and surveillance that it has enabled or justified, seems out of place. Indeed, though all these restrictions in themselves are considered acceptable internationally, there are few other democratic states that include all of them in the basic laws of their land.

An appetite for censorship does not only exist among India's legislature and judiciary, however. Especially since the early nineties, instances of vigilante groups destroying art, preventing film screenings, or even attacking offending artists, writers and editors have become noteworthy for their regularity. But it is worth noting that even more progressive sections of society have not been averse to censorship: for example, section of the Indian feminist movement have voiced strong support for the Indecent Representation of Women Act that seeks to censor images of women which are derogatory, denigrating or likely to corrupt public morality.

What connects all these efforts? A belief that suppressing speech and opinions makes it possible to contain the conflicts that emanate from India's tremendous diversity, while simultaneously ensuring its homogenous moral as much as political development. But if the advent of satellite television already revealed the vulnerabilities of this strategy, the Internet has made clear that in the long term, it is simply untenable. It is not just that the authors of a speech act may not be residents of India; it is that everybody can now become an author, infinitely multiplying the number of expressions that are produced each year and that thus could come within the Law's ambit. In this context, even if it may still have a role, suppression clearly can no longer be the preferred or even dominant technology of choice to manage disagreements. What is urgently needed is the building of a much stronger culture of respectful disagreement and debate within and across the country's many social groups. If more and more people are now getting an opportunity to speak, what we need to make sure is that they end up having a conversation.

Yet the government of India so far has mostly continued on the beaten track, putting into place a range of legislations and policies to meticulously monitor and police the freedom of expression of netizens within its borders. Thus, for example, section 66F(1)(B) of the IT (Amendment) Act 2008 defines "cyberterrorism" so broadly as to include the unauthorised access to information on a computer with a belief that that information may be used to cause injury to...decency or morality. The suggested sentence may extend to imprisonment for life. The proposed Intermediary Due Dilligence Rules 2011 privatise the responsibility for censorship by making intermediaries responsible for all content that they host or store, putting unprecedented power over our acts of speech into the hands of private bodies. The proposed Cyber Cafe Rules 2011 order that children who do not possess a photo identity card need to be accompanied by an adult who does, constraining the Internet access of crores of young people among the less advantaged sections of society in particular. And while the US and other Western countries continue to debate the desireability of an Internet Kill Switch, the Indian government obtained this prerogative through section 69A of the IT (Amendment Act) 2008 years ago.

Such measures are given extra teeth by being paired with unprecedented systems of surveillance. For example, there are proposals on the table that make it obligatory for telecommunication carriers and manufacturers of telecommunications equipment to ensure their equipment and services have built-in surveillance capabilities. While at present, records are only kept if there is a specific requirement by intelligence or security agencies, the Intelligence Bureau has proposed that ISPs keep a record of all online activities of all customers for at least six months. The IB has also suggested putting into place a unique identification system for all Internet users, whereby they would be required to submit some form of online identification every time they go online.

Proponents of such legislation often point to the new threats to safety and security that the Internet poses to defend these measures, and it is indeed a core obligation of any state to ensure the safety of its citizens. But the hallmark of a democracy is that it carefully balances any measures to do so with the continued guarantee of its citizens' fundamental rights. Despite the enormous changes and challenges that the Internet brings for freedom of expression everywhere, such an exercise seems to sadly not yet have been systematically undertaken in India so far.

The recent blocking of websites with which we started this article reflects the urgent need to do so. In response to RTI applications by the Centre for Internet and Society and Medianama, the Department of Information Technology, which is authorised to order such blocks, admitted to blocking Zone-H, but not any of the other websites affected earlier this year. In an interview with The Hindu, the Department of Telecommunication too had denied ordering the blocking of access, despite the fact that some users trying to access Typepad had reported seeing the message "this site has been blocked as per request by Department of Telecom" on their screen. In the mean time, Clickatell and Mobango remain inaccessible for this author at the time of writing. That we continue to be in the dark as to why this is so in the world's largest democracy deserves to urgently become a rallying point.

For more details visit https://cis-india.org/internet-governance/blog/your-right-to-remain-silent

Centre for Internet and Society

The Centre for Internet and Society - Bulletin - July '11

*Researchers@Work*

* Digital Natives*

* Pathways*

*Accessibility*

*Intellectual Property*

*Openness*

*Internet Governance*

*Telecom*

* Miscellaneous *

*News & Media Coverage*

* Follow us Elsewhere*

*Archives*

Internet Surveillance Policy: “…the second time as farce?” – A Public Lecture by Caspar Bowden

Abstract

Caspar Bowden

Who should attend?

Videos

Privacy and Security Can Co-exist

Surveillance

Myth

Perception

Snooping Can Lead to Data Abuse

The New Right to Privacy Bill 2011 — A Blind Man's View of the Elephunt

A Constitutional/Fundamental Right?

Preamble

Definition of ‘Right to Privacy’

Interception

Data Protection

Video Surveillance

Bodily Privacy

Impersonation and Financial Fraud

Residual

Tailpiece

Do You Want to be Watched?

Your cyber space is a hackers paradise

Big Brother is Watching You

Sunil Abraham, CIS : "Avec l’e-G8, Nicolas Sarkozy veut promouvoir de nouvelles restrictions à la liberté d’expression"

Sunil's original response in English

What is wrong with the latest IT Rules 2011 [Intermediary Due Diligence, Cyber Cafe and Reasonable Security Measures) under the IT Act [Amendment 2008]

What is wrong with Sarkozy's agenda at the e-G8

Your Privacy is Public Property

The Second IJLT-CIS Lecture Series at National Law School, Bangalore

Speakers

Profiles of the Speakers

Usha Ramanathan

Malavika Jayaram

Vivek Durai

Professor (Dr.) Sudhir Krishnaswamy

Limits to Privacy

Introduction

Constitutional Jurisprudence on Privacy

Vocabularies of Privacy Limitation

Privacy of Communications

Privileged Communications

Privacy of the Home: Search and Seizure Provisions

Privacy of the Body

Court-ordered Medical Examinations

Reproductive Rights

DNA Tests in Civil Suits

Bodily Effects — Fingerprints, handwriting samples, photographs, Irises, narco-analysis, brain maps and DNA

Privacy of Records

Conclusion

Notes

April 2011 Bulletin

Researchers@Work

Workshops organised in Bangalore

Digital Natives with a Cause?

Columns on Digital Natives

Digital Natives Newsletter

New Blog Entry by Samuel Tettner

Accessibility

Workshop organised in Hyderabad

Openness

Submission

New Blog Entry

Internet Governance

Featured

New Blog Entries

Researchers@Work

Accessibility

Intellectual Property

Openness

Internet Governance

Telecom

News & Media Coverage

Archives