Centre for Internet and Society

UID Meeting in Bangalore – A Report

praskrishna — 2011-01-04T08:14:52Z

On 23 November 2010 a public meeting was held for the UID in Bangalore. The speakers included B.K Chandrashekar, former Chairman of the Karnataka Legislature Council, Mr. Vidyashankar, Principal Secretary to Government of e-commerce, Sunil Abraham, Executive Director of Centre for Internet and Society, Jude D’Souza, Technology Specialist and Mathew Thomas, Retired Army Officer.

Mr. Chandrashekar opened the public talk by giving a summary of the UID scheme, and sharing his own personal apprehensions to the project. Voicing his concerns as to the scale and architecture of the project, the collection of biometrics from individuals, and the fact that other countries have abandoned similar projects – he raised many points that evoked thought from the audience.

In his presentation, Jude D’Souza explained how the technology (iris scanners and fingerprint readers) that is used in the UID project can be easily spoofed. Through demonstration he proved how fingerprints can be replicated and subsequently authenticated with the use of simply a wax model. He also raised the point that high resolution cameras are now able to capture an individual’s fingerprint and iris at that point the captured image can be transferred and duplicated, and subsequently used for authentication. The point emphasized by D’Souza was that the technology being used by the UID is not as fool proof as is being claimed, and yet nowhere in the Bill or project is this concern being addressed. Redress for possible transaction errors is not provided for in the Bill, and it is not clear if a problem does arise what steps an individual should take.

Sunil Abraham spoke on the legality of the UID project. Emphasizing the point that civil society does not oppose the project in itself, but that civil society is concerned with the weaknesses that exist in the proposed legislation. He noted problems such as an overly broad scope, privacy concerns, and lack of adequate forms of redress. Mr. Abraham also contrasted the UID project with the identity work that has been done in Estonia, and raised the question as to whether a centralized is entirely necessary as opposed to a decentralized system of identity.
Mathew Thomas, through the use of many examples drove home two main questions.

Why is a project that is based on biometrics with a centralized structure necessary?
Can the project realistically meet its proposed objectives of bringing benefits to the poor?

Using the UK’s failed centralized identity scheme, which is similar to the UID scheme, he made the argument that India has the opportunity to learn from the mistakes of others, and this opportunity should not be overlooked or passed by. Mr. Thomas also pointed out that a proper cost benefit analysis is lacking for the project, as well as proper test trials of the technology and scheme.

Mr. Vidyashankar presented on the progress of the UID in Karnataka and answered questions concerning the project. In particular he focused on explaining the collection of information for Know Your Resident (KYR), and Know Your Resident+ (KYR+). KYR information includes: an individual’s name, address, date of birth, gender, relation details, phone number (optional), email (optional), and financial information. KYR+ includes: Physically Handicapped, EPIC Card No, Pan No., Bank Details, LPG Gas Connection, Supply Card, MNREGA Job Card, RSBY Card No, Pension ID, National Population Register No, Property Tax, Electricity Consumer No., Water Connection No., and BPL Data. The purpose of collecting the extra data for KYR+ is to prevent the exploitations of subsidies. By having on record who is eligible for what benefit, the over collection of benefits will be stopped. Vidyashankar also addressed privacy concerns, assuring the audience that information is encrypted at the time of collection and secured for privacy measures.

The reaction from the audience was one of apprehension, and in some cases anger. Individuals questioned the achievability of the objectives of the project, and expressed concerns that their tax money was being wasted. The overall sentiment in the room was that the UID project and Bill will be passed through Parliament but that in the long run, it will not benefit the everyday Indian citizen.

In a later interview Mr. Vidyashankar kindly clarified different details of the project that were still unclear. For example, if an individual needs to update the information in their profile – like their address - they are able to by visiting the closest centre , authenticating themselves, and requesting that the information be changed. He also clarified that registrars and enrollers are monitored as they are registering and authenticating individuals. He also clarified that numbers issued today and in the pilot projects will be valid after the Bill is passed through parliament. At the close of the interview he again assured me that the UID project does account for individual’s privacy, and is able to adequately protect collected data on due to the use of level five encryption. Despite Mr. Vidyanshankar’s assurances, it does not seem logical that the UID project is privacy safe, if a Privacy Legislation is being created specifically to protect the data that the UID will be collecting. It is concerning that the UID project is being carried forward without adequate built in safeguards, and even more concerning that it will the Bill could be passed through parliament and become a living law without the much needed privacy safeguards in place.

Note: Recently a final draft of the UID Bill that will be submitted to the Lok Sabha was released to the public. Civil Society has responded with comments and concerns for the UID Bill, which can be found on the CIS website.

VIDEOS

For more details visit https://cis-india.org/internet-governance/blog/privacy/uid-meeting-november

UID & Privacy - A Call for Papers

elonnai — 2012-03-21T10:03:44Z

Privacy India is inviting individuals to author short papers focused on Unique Identity (UID) and Privacy. Selected candidates will have their papers published on the CIS website, and their transportation and accommodation provided for the “Privacy Matters” conference being held in Kolkata on 22 January 2010.

Topic

Privacy and the UID

Submission Deadline

By 15 January 2010 to admin@privacyindia.org

Word Length

3,000-5,000 words

Topic Summary

The Aadhaar scheme, or Unique Identity (UID) scheme is a plan to provide citizens identity cards that are tied to their unique biometric data – such as their fingerprints or retinal scans. Although the most frequently cited justification for this project is to ensure the secure delivery of relief to beneficiaries of government aid schemes, it is clear that the uses to which it will be put exceed this narrow mandate.

As India embarks on one of its most ambitious techno-administrative projects to date, there is surprisingly little clarity or introspection into the implications of having such a concentrated identity locked into a single card. In particular it appears that the grave threats to privacy the scheme poses have not received due attention. Although the final draft UID Bill circulated by the UIDAI in October 2010 contains some provisions that reference privacy, there seems to be a tacit assumption that privacy is an expendable or at least a less-desirable privilege that can be attended to fully once the scheme is in fully in place.

We invite individuals to author short inter-disciplinary papers that engage various topics on the theme of Privacy and the UID, including but not limited to the following:

Comparative studies on privacy and national identity card schemes in other countries

Privacy and the UID Bill

How will a project such as the UID change the relationship between the state, the individual, and the market?

Selected candidates will have their papers published on the CIS website, and their transportation and accommodation provided for the “Privacy Matters” conference being held in Kolkata on January 22nd 2010.

Who We Are

Privacy India was set up with the collaboration of the Centre for Internet and Society (CIS) and Society in Action Group (SAG), under the auspices of the international organization ‘Privacy International’. Privacy International is a non-profit group that provides assistance to civil society groups, governments, international and regional bodies, the media and the public in a number of countries (see www.privacyinternational.org). Privacy India's objective is to raise awareness, spark civil action and promoting democratic dialogue around privacy challenges and violations in India. In furtherance of this goal we aim to draft and promote an over-arching privacy legislation in India by drawing upon legal and academic resources and consultations with the public.

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers

The Privacy Rights of Whistleblowers

elonnai — 2012-03-22T05:47:16Z

The recent disclosures from Wikileaks have shown that the right to information, whistle-blowing, and privacy are interconnected. This note looks at the different ways in which the three are related, as well as looking at the benefits and drawbacks to Wikileaks in terms of privacy.

Introduction

In a recent interview, the Canadian Privacy Commissioner was quoted as saying “Information and the manipulation of information is the key to power. Those who can control the information can influence society enormously.” History and present-day society have both proven the truth in this statement. It is one among many reasons that the right to information is important to uphold. In India, and in other countries, there are statutes – in India, the Right To Information Act – that entitles the public to request and receive information that pertains to public bodies and their conduct, information that is publicly available because it is intrinsically related to the public interest. An entirely separate but equally critical way in which the public is kept informed is through whistle-blowing. Traditionally, whistle-blowing is any disclosure made in the name of public interest. Recent events such as the Ratan Tata case and the leaks of US diplomatic cables have brought to light the relationship between the public’s right to information, the rights of whistleblowers, and the rights of individuals to privacy. These recent cases have shown that the right to information, whistle-blowing, and the right to privacy are interconnected, because privacy can provide individuals with the means to sustain autonomy against potentially overwhelming forces of government and persons who might have mixed motivations. The right to information and whistle-blowing are means by which the government is held accountable to the public if they violate the law or the public trust. The Wikileaks case and the Ratan Tata case raise important questions about when those two interests need to give way to private interests. One of the key questions that Wikileaks raises is: if whistleblowing is supposed to be disclosure in the public interest -- i.e., to protect the public – should disclosure of personal information be permissible only if a person can demonstrate that he/she is trying to remedy or avoid actual wrongdoing rather than simply publishing information that is "interesting to the public?"

What is a Whistleblower and how does a Whistleblower Benefit from Wikileaks?

Whistleblowing is the modern counterpart to “informers” – people who reveal others’ wrongdoing. Much whistleblowing occurs by going "up the chain" in a person's own department or agency or company. If the person is reporting wrongdoing and the person ultimately goes to the authorities about illegal activity, the individual reporting the leak can sometimes get immunity for his or her own actions, can sometimes collect part of the penalties, and can under certain statutes in some countries even bring suit if the company retaliates against him -- for example, by firing him. In this way traditional whistleblowing places the responsibility for legal and ethical conduct on employees who are better situated to see wrongdoing than outsiders would be. In many countries, a person may present information of a whistleblowing nature to a judicial body. The judicial body then determines the validity of the information, the degree of public interest involved, and the proper form of redress to be taken. The judicial body offers legal protection to the whistleblower. Another method of whistleblowing is to leak information to the press. Once information is in the public domain – at least if there is freedom of press -- the information can no longer be covered up. Neither the right to free press, nor the right to protection as a whistleblower is universal. The current critique of the Indian Whistle Blowing Bill is that the right to protection will not be ensured. A Times of India article issued in September 2010 pointed out that the Whistle Blowing Act’s biggest weakness is that the Bill’s Central Vigilance Commission is designated to play both the role as competent authority to deal with complaints file by whistleblowers and as the tribunal to protect whistleblowers. Structuring the power to allow one body to fulfil both functions runs the risk of bias and could breed distrust that would cause people to avoid the system altogether. The article complained that the Bill has no teeth, and that even if the Commission believes that the whistleblowing is valid, it is able only to give advice rather than actually to prosecute individuals. The article recites extreme instances in which individuals have blown the whistle and paid for it with their lives. For example: in 2005 a manager of the Indian Oil Corporation was killed after exposing a scheme in adulterated petrol, and in 2010 an RTI activist was killed after exposing land scams in Mahrashtra. In these situations, Wikileaks is an interesting and powerful tool for individuals who either do not want to leak their information to a judicial body or are not protected if they do so in their own country. Leaking information to Wikileaks is in one sense analogous to leaking information to the press, but it is not precisely the same because it is not a news media outlet, but instead is a way for a person to post information on a mass media outlet. It should be noted, however, that informants who leak to Wikileaks are not afforded the same immunity that individuals who leak to authorities are granted. When an individual shares documents or information with Wikileaks, the site in turn acts as a platform to publish the information on the web and with the press. Being an independent entity that is neither tied down to a certain territory, government, or entity – Wikileaks has the pull of non-bias. But the strength of Wikileaks is also its weakness. When 250,000 diplomatic cables were posted, there was no one who understood the context of the content to monitor to ensure that everything was appropriate to post. As a result, the information was transmitted to an audience who normally would not be entitled to it. By doing so, the leaked information placed individual diplomats in precarious positions that could potentially put them in harm’s way and unnecessarily damage their reputations, as well as putting the reputation of the United States on the line.

Privacy and Whistleblowing

As a result the United States is looking to press charges against Julian Assange, founder of Wikileaks, for espionage. The way in which Wikileaks leaked information and the nature of the leak has brought privacy into the picture. When looking at the act of whistleblowing through the lens of privacy, there are obvious privacy concerns for the whistleblower, for the person or entity whose information has been leaked, and for possible third parties involved. Paul Chadwick, the Victorian Privacy Commissioner, pointed out that for the whistleblower the main privacy concerns include the individual’s identity, safety, and reputation. For the alleged wrongdoer the privacy concerns include: identity, safety, employment, and liberty (where sanctions may include imprisonment). For third parties, reputation and safety can both be jeopardized by disclosures by whistleblowers. The Wikileaks leaks squarely present the question whether intent should be brought into the analysis of privacy and whistleblowers. If a whistleblower is disclosing with the intent protect the public, the protections afforded to this person should weigh differently against the privacy interests of alleged wrongdoers and third parties than for someone who is simply defining the public interest as “interesting to the public,” or, worse, as seen in the false leak by Pakistan against India, is looking to leak information to disrupt public interest. Even though Wikileaks works to protect the anonymity of individuals who leak information, it is not bound by any law to protect the privacy of individuals involved in the leak. The concept behind Wikileaks is important. By interacting with government information, it has the ability to bring accountability and transparency to governments, but the only regulation over Wikileaks is internal (and thus inherently subjective). Wikileaks needs to change its structure to take into account leaks shared without the intent of protecting the public interest and even then needs to monitor to prevent leaks that could place individuals in precarious situations or damage reputations with no validating information.

Sources:

http://www.ctv.ca/generic/generated/static/business/article1833688.html

Chadwick, Paul. Whistleblowing, Transparency, and Privacy: Aspects of the relationship between Victoria’s Whistleblowers Protection Act and the Information Privacy Act.

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-wikilileaks-whistleblowers

An Open Letter to the Finance Committee: SCOSTA Standards

elonnai — 2013-12-20T03:58:09Z

The UID Bill has been placed to the Finance Committee for review and approval. Through a series of open letters to the Finance Committee, civil society is asking the committee to take into consideration and change certain aspects of the Bill and the project. The below note compares the SCOSTA standard with the Aadhaar biometric standard, and explains why we believe the SCOSTA standard should replace the Aadhaar biometric standard for the authentication process in the UID scheme.

Introduction

This note is intended to demonstrate how the Aadhaar biometric standard is weaker than the SCOSTA standard. Through a comparison of the SCOSTA standard-based smart card and the Aadhaar biometric-based identification number, it will show how the SCOSTA standard is a more secure, structurally sound, and cost effective approach to authentication of identity for India. Though we recognize that Aadhaar biometrics are useful for the de-duplication and identification of individuals, we believe that the SCOSTA standard is more appropriate for the authentication of individuals. Thus, we ask that the Aadhaar biometric based authentication process be replaced with a SCOSTA standard based authentication process.

A background of the two standards

The SCOSTA standard is used in smart cards and was developed by the National Informatics Centre in India. It is:

1. Compliant with the international standard ISO-7816 for smart cards.

2. Based on a public/private key and pin authentication factor

3. Authentication factor refers to an individuals keys, pass-phrases, and pin.

The biometric standard authenticates the identity of an individual based on his or her physical fingerprints and iris scans (in the case of the UID). The standard:

1. Verifies if the individual exists within a known population by comparing the biometric data to those of other individuals stored in a secured centralized database.

2. Based on a symmetric authentication factor

A comparison of the two standards

Standard	SCOSTA - MNIC smart card	Aadhaar Biometric - UID number
Architecture	Decentralized SCOSTA standards require a pair and key combination with a pin, and thus can be structured in a decentralized manner	Centralized Aadhaar biometric standards require symmetric authentication factors, and thus must be structured in a centralized manner
Standards for Technology	Open standard Creates security through transparency	Closed standard Creates security though obscurity
Points of failure	Multiple points of failure The SCOSTA standard has multiple points of failure, because of decentralized structure, thus if one data base is compromised all data is not lost.	Single point of failure The Aadhaar Biometric standard has one single point of failure, because of centralized structure, thus if the data base is compromised all data is lost
Impact on local industry	Encourages Open standards allow local industry to compete in manufacturing technology	Discourages Closed standards allow foreign players to monopolize the manufacturing of technology
Cost analysis	Cost effective Increased competition keeps prices low	Cost ineffective Decreased competition keeps prices high
Revocation	Revocable If the key pair and pin are stolen, a new set of passwords can be issued	Permanent If the biometrics of an individual are stolen, they cannot be re-issued
Possibility of fraudulent authentication	Lower A thief must steal your smart card and your secret pin to commit fraud	Higher A thief only needs to collect your fingerprints using a glass tumbler to commit fraud
Viability of Technology	Proven effective for large populations	Not proven effective for large populations

For more details visit https://cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee

Privacy Matters — Conference Report

praskrishna — 2011-01-27T10:22:55Z

A one-day conference on Privacy Matters was held on Sunday, 23 January 2011 at the National University of Juridical Sciences (NUJS) Law School in Kolkata. This was the first of a series of eleven conferences on ‘privacy’ that Privacy India is scheduled to host in different Indian cities from January to June this year. Members of Parliament, Sri Manoj Bhattacharya from the Revolutionary Socialist Party (RSP) and Sri Nilotpal Basu from the Communist Party of India (Marxist) CPI (M) spoke in the conference. Students, the civil society and lawyers also participated in it.

Introduction

The conference was held to discuss elements of the privacy legislation that has been proposed to the Parliament of India, and the UID Bill and project. The conference focused on the tensions between privacy and society that exist in India today, and acted as a space for opinion sharing and discussion. Privacy India which was formed under the auspices of Privacy International, a UK based organization that works to protect the right of privacy around the world, the Centre for Internet and Society (CIS), an NGO based in Bangalore, and Society in Action Group (SAG), an NGO based in Delhi joined hands to host this event.

Rajan Gandhi, founder of SAG opened the conference with an explanation of the mandate of Privacy India, the objective of which is of raising awareness, sparking civil action and promoting democratic dialogue around privacy challenges and violations in India. One of Privacy India's goals is to build consensus towards the promulgation of comprehensive privacy legislation in India through consultations with the public, legislators and the legal and academic community.

Keynote

The keynote speech was delivered by Dr. Sudhir Krishnaswamy professor of law and governance. Dr. Krishnaswamy began by outlining the present situation of privacy in India. The right to privacy has been read into Sections 19 and 21 of the Constitution of India through case law, which has defined privacy — among other things — as the right to personal autonomy, the right against unreasonable search and seizure, and as a fundamental right that is critical to the person, but does not supersede public or national interest. Dr. Krishnaswamy also raised many intriguing questions including: what does privacy mean to India — is it linked to a person’s dignity and their honour? Or is it purely concerned with misappropriation of information, and further is privacy in India an issue of the individual or an issue of the family and the community? He also described the philosophical groundings of privacy as being in the right to dignity, the right to autonomy, and the misappropriation of information.

Privacy Challenges

The conference was spread into three sessions. In the first session Prashant Iyengar, head researcher of the project at Privacy India, spoke about the challenges that India specifically is facing in shaping a privacy legislation including: the need to balance the right to information/transparency and privacy, the need to create a definition of privacy that does not exclude lower classes and is not a negative right, but instead a positive right, and the problem of ubiquitous surveillance that is happening in society today. Elonnai Hickok, policy analyst at Privacy India, spoke specifically on wire tapping, and the Nira Radia tapes. In her presentation she first outlined other countries definitions of privacy which include: the right to be left alone, the protection from unauthorized searches, and the right to control information about oneself through consent. Using the case study of Nira Radia and Ratan Tata she spoke about the rising concern of wire tapping in the country as being indicative of a social change and relationship of the state and government. Elonnai also raised questions concerning whether privacy should be made inversely proportional to public figures, and if public interest will always supersede the private right of individuals.

UID and Privacy

The second session of the conference focused on the UID Bill and privacy. Presentations from NUJS student Amba Kak and Sai Vinod raised concerns about the UID project and privacy. Their presentation also compared and contrasted identity schemes of other countries with the UID. A few similarities that they found amongst all scheme were: the collection of data, the processing of data, and the storing of data. Deva Prasad from the National Law School of Bangalore presented on constitutional elements of the UID scheme ranging from loopholes in the Bill to connections that can be made when the UID Bill is placed in the larger picture. Sri Manoj Bhattacharya (MP) from RSP voiced his concerns of the UID, and emphasized that by giving an individual a number which acts as their fundamental identity which they use to function in society, the government in fact is eroding an individual’s actual identity, and that is an invasion of privacy. Sri Nilotpal Basu (MP) from CPI (M) spoke out strongly against the UID, voicing that his greatest concern with the UID is that it will be a way for corporate bodies to target individuals as consumers, and that privacy legislation could be used as a way for corporate bodies to hide from the public eye.

Conclusion

In the concluding session the floor was opened up to the public for questions and opinion sharing. Many participants shared what they believed needed to be included in privacy legislation, and what issues a privacy legislation needs to address. A few of these include: privacy rights and the media, privacy and the right to information, the privacy rights of minorities, and the privacy rights of the government. Also types of regulatory models for privacy were discussed. For instance, should privacy in India be represented and protected through a data protection law, or should privacy be seen as a fundamental right to privacy? Should privacy be represented through a broad framework, or through sector specific statutes? What should the redressal and enforcement mechanisms look like?

As seen from the presentations and the comments at the conference one thing which is clear is that privacy is an issue that concerns every person in India. Over the next six months Privacy India will be conducting ten more conferences in different Indian cities to engage the public in dialogues of privacy and raise awareness around the issues of privacy. The next workshop will be held on 5 February 2011 in Bangalore.

Download the conference summary here

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-nujsconference-summary

Privacy By Design — Conference Report

praskrishna — 2011-08-22T12:03:30Z

How do we imagine privacy? How is privacy being built into technological systems? On April 16th,The Center for Internet and Society hosted Privacy by Design, an Open Space meant to answer these questions and more around the topic of privacy. Below is a summary of the conversations and dialogs from the event.

Introduction

On April 16th, The Center for Internet and Society hosted Privacy by Design, an Open Space meant to foster discussions around questions related to how privacy is being designed into technological systems. The day opened with two basic questions: How do we imagine privacy? And how are individuals building technology systems incorporating privacy into the system? Throughout the day the conversations took many twist and turns, but at the end of the day three basic points about privacy had come out of the many discussions: 1. Privacy cannot be limited to one definition; it is constantly changing based on person and on context 2. To a person - privacy is a function of abuse and violation 3. The increased generation of data that was made possible by web 2.0 has lead to a rise in privacy issues and is significantly changing many traditional concepts, spaces, and relationships – such as what constitutes a public space, and the relationship between a state and its citizens.

Database architecture and privacy

The morning discussion focused on databases and privacy, and began with questions like: How can a database be built to protect privacy? When a database is built, what role does privacy play in the migration of data? Is privacy protected in databases simply by limiting access to certain parts of data sets? Though many of these were left unanswered, the conversation highlighted the fact that th databases are coded to segregate /regulate users and information in order to protect the system. Thus, databases are architected to incorporate privacy in such a way that protects the viability of only the system and not the individual. In our research we have seen many cases of this. Individual’s privacy has been violated because of malfunctioning or poorly constructed databases. For example, currently Indian governmental databases often have incorrect information, individuals do not have the ability to access and change their information, and if an individual’s information is compromised the government is not held accountable, and there is no course of action that an individual can take towards redress.

Security vs. Privacy

Embedded in this understanding of how privacy is built into technological systems is the question of what security is, and when systems are built, whether privacy and security are considered to be essentially the same. Thus far in our research we have distinguished between privacy and security, saying that, security and privacy have an interesting relationship, because they go hand in hand, and yet at the same time have a different focus, because of this differing focus data security and privacy are not the same. Data breaches that contain personal information of any sort that can be matched, tracked or otherwise co-related to a person or persons will result in a privacy breach too. Though data security is critical for protecting privacy, because data security and privacy have different focuses, the principles that each follows are also different and sometimes conflicting. For example, data security focuses on data retention, logging, etc, while privacy focuses on consent, restricted access to data, limited data retention, and anonymity. If security measures are carried out without privacy interests in mind, privacy violations can easily result. Therefore we have thought that data security should influence and support a privacy regime, but not drive it.

security and privacy have an interesting relationship, because they go hand in hand, and yet at the same time have a different focus, because of this differing focus data security and privacy are not the same. Data breaches that contain personal information of any sort that can be matched, tracked or otherwise co-related to a person or persons will result in a privacy breach too. Though data security is critical for protecting privacy, because data security and privacy have different focuses, the principles that each follows are also different and sometimes conflicting. For example, data security focuses on data retention, logging, etc, while privacy focuses on consent, restricted access to data, limited data retention, and anonymity. If security measures are carried out without privacy interests in mind, privacy violations can easily result. Therefore we have thought that data security should influence and support a privacy regime, but not drive it.

The right to be forgotten and regulation of data

The possibility of creating systems with "off switches" also came out of this thread of conversation. For instance, can a database be structured to show only necessary information to third parties based on the context. In this scenario a card would be created that has all of an individual’s information on it, but only the pertinent information will be shown based on the different situations - if, for example, a teenager goes to a bar, the card will only show a third party that he is over 18. This idea is already taking shape in many Western countries, and is similar to the idea of a federated identity system. A question to ask though is if such a system could work for India, or be even more appropriate for India than a system like the UID. The purpose of federated systems of identity is to take context into consideration, and enable users to keep contexts separate, and link information about an individual only takes place when consent is given by the user. In response to the idea of an identity system that allows only certain information to be seen by third parties based on the situation, it was brought out that privacy is not protected simply by the separation of data into public or private categories, because all data have the potential to be misused. The immediate response to this concern was that if all data have the potential to be mis-used – than the use of data should be carefully regulated. The regulation of data though is also a double edged sword. On one hand regulating the use of data can stop a company from misusing information, but on the other hand it can keep a country from having full and equal access to the internet. A question that came out of this discussion on regulation was about the right to be forgotten. Does an individual have the right to regulate all information about themselves that is in the public sphere? Can they ask for their photos or videos to be taken down from the internet? In India this question has yet to be answered by the law, and it is a question that our research is looking into.

The purpose of federated systems of identity is to take context into consideration, and enable users to keep contexts separate, and link information about an individual only takes place when consent is given by the user. In response to the idea of an identity system that allows only certain information to be seen by third parties based on the situation, it was brought out that privacy is not protected simply by the separation of data into public or private categories, because all data have the potential to be misused. The immediate response to this concern was that if all data have the potential to be mis-used – than the use of data should be carefully regulated. The regulation of data though is also a double edged sword. On one hand regulating the use of data can stop a company from misusing information, but on the other hand it can keep a country from having full and equal access to the internet. A question that came out of this discussion on regulation was about the right to be forgotten. Does an individual have the right to regulate all information about themselves that is in the public sphere? Can they ask for their photos or videos to be taken down from the internet? In India this question has yet to be answered by the law, and it is a question that our research is looking into.

Data types and privacy

Emerging from the conversation on database structure, a conversation on types of data in databases was started. The question was raised as to whether or not databases can actually handle certain types of data. The example given was caste-related data. Information about a person’s caste is constantly changing as people lie about their caste, change their caste, and become married and take on another caste. Furthermore, some people do not want to live with their caste and want to shed off their caste. Therefore, can a database accurately represent such a dynamic data set? Is it dangerous to put such a politically volatile concept as caste into a database where it will confine a person to one definition once entered? Another side to this question though is that perhaps it is in fact necessary to try and place a person in one caste, as there benefits enshrined by law based on a person’s caste, and an individual who has the ability to change his/her caste at their whim therefore defeats and takes advantage of governmental benefits. The point was also raised that by placing information like caste and identity into a database, governments have the ability to divide the country into subsets of identities that they decide to generate. Caste is not the only data that faces these complications and issues. For instance religion and race raise similar question. How can you define and represent a person’s relationship with God in a database? How to you represent a child of multiracial parents on a database?

Changes in the relationship between the state and the citizen

It was also brought out that the representation of citizens’ identities on a database changes the relationship between a state and its citizenry. States no longer see citizens as individuals, but instead as data samples. The UID is an example of an e-governance program that if enacted, could further such a change in the relationship between the state and the citizen, as the whole of India will suddenly and ubiquitously be recognized by the Government (and other entities/organizations) according to their aadhaar number. The relationship between the state and the citizen is not the only social change that databases bring about. Databases also change the concept of public space. As web 2.0 has facilitated the generation of large amounts of data, public space has become a space where one enters and interacts as a dataset. For example face book and twitter allow individuals to create datasets of them and interact with other people through their datasets. Beyond social networking online banking and online shopping also push people to form datasets about themselves and interact with services that were traditionally done in person as individuals, as datasets.

Questions of ownership

The above thread of conversation led to the next question of whether or not individuals control technology or whether technology controls individuals. The example of Facebook was used to illustrate this question. Even though Facebook has a privacy policy, once a person engages with Facebook he or she accepts Facebook’s definition of privacy – which is two tiered. On one level Facebook defines user privacy in terms of restriction - allowing the user to limit who can see their profiles. On another level Facebook’s privacy policy allows the company to share and sell personal information. In these ways companies are constructing databases so that instead of the company being the custodian of information – an entity that provides a structure to protect and hold information - the companies are now the owners of information- selling and using individuals information for profit. In India, this is a problem. Companies, once they collect data, treat it as their own - selling and sharing data with third parties, or using it in ways that were not agreed to by the customer. The question of ownership was a critical question for the group. In the discussions it was important to individuals that they had control and ownership over their information. Individuals felt that information that could be traced back to them or their identity belonged to them, and that in order to protect privacy consent should be secured before any information is used. For instance, data mining by websites without notice was seen as a violation of privacy. The collection of data in public places for marketing purposes without a person’s consent or awareness was similarly seen as a privacy violation. It was also brought out from this conversation that the digitization of information has caused a commercialization of information, and that has led to a sense of ownership and need for privacy over information. For example, before, if someone were to take one’s name and mis-use it, that person was charged with defamation – not for violation of privacy – but if someone misuses information that is in a database or online, that person is now charged for a violation of privacy. This shift in thinking is another example of how web 2.0 has increased privacy violations.

Perceptions and expectations of privacy

The day ended with a conversation about the perceptions and expectations of privacy. Privacy as it relates to an individual is almost wholly dependent on expectation, which changes from person to person, from community to community, and from culture to culture. Just as the expectation of privacy varies between individuals, so does the degree of violation. Thus, it is important to recognize the changing nature of privacy, because it explains why it is difficult for the legal system to address all the nuances of privacy with one broad legislation. This point has been crucial in our research thus far as we are consulting with the public, analyzing legislation, and following news items to see if privacy legislation is wanted and needed in India, and if it is - how it should be shaped.

From the conversation on perceptions of privacy and privacy violations it was also brought out that the concept of privacy is on one hand related to the notion of ownership, and on the other hand it is related to the violation. From the experiences shared by individuals, their privacy never became a concern until it was violated, or they learned about someone else’s privacy being violated. This led to the observation that not only is it difficult for the law to address privacy violations because the violation is based on perception, but also because the effect when one’s privacy is violated is often an emotional one.

Conclusion

The conversations held throughout the day showed the dynamic and personal nature of privacy, and how when databases are constructed, and how our lives made digital this personal aspect is easily lost. When we think about the conversations held throughout the day in relation to our initial questions: what are the different ways of imagining privacy, and how is privacy being built into technological systems, besides the three basic themes of privacy highlighted in the beginning of this blog - there emerged to more themes. One theme portrayed an imagination of privacy that is more personal, and that address the emotional component and the perception component to privacy. Another theme portrayed an imagination of privacy that is technologically more controlled, that allows for more personal regulation, more precise segregation of information in a database, and restricted access by third parties. This imagination of privacy can be and is being met by new and developing technologies. Increasingly in many countries technology is being structured with privacy built into the system. The larger question that this open space has raised, and not completely answered is if privacy legislation can adequately protect an individual’s privacy, and if it cannot, can technology can fill the gaps that privacy legislation leaves open.

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy_privacybydesign

Bloggers' Rights Subordinated to Rights of Expression: Cyber Law Expert

elonnai — 2012-03-21T09:35:06Z

Vijayashankar, an eminent cyber law expert answers Elonnai Hickok’s questions on bloggers' rights, freedom of expression and privacy in this e-mail interview conducted on May 19, 2011.

A set of rules relating to regulation of the Internet (mentioned in section 79 of the ITAA, 2008) was released in April 2011. In light of the rules framed under the IT Act, and as part of our research on privacy and Internet users, we have been looking into questions surrounding bloggers’ rights, freedom of expression, and privacy.

The new rules require among other things that intermediaries take down any content that could be considered disparaging. In practice, these rules will act to limit the ability of individuals to express their opinions on the Internet — especially for the bloggers. Though these requirements seem to only impact the freedom of expression of bloggers, a blogger’s privacy rights, especially in relation to the protection of their identity, are also pulled into question. Other issues surrounding bloggers’ rights and privacy include: if bloggers are identified as journalists, then whether they should be afforded the same protections and privileges, e.g., should bloggers have the right to free political speech and should intermediaries have freedom from liability for hosting speech or others’ comments? Are bloggers allowed to publish material that is under copyright on their website?

On May 19, 2011, through e-mail, I had the opportunity to interview Vijayashankar, an expert in cyber law, on issues regarding the rights of bloggers freedom of expression, and privacy. Vijayashankar has authored multiple books on cyber law, taught in many universities, and is an active leader of the Netizen movement in India. Below is a summary of the questions I posed to Vijayashankar and his responses.

I began the interview by trying to understand bloggers’ rights and how they are defined. Often the term 'bloggers' rights is used casually, but it is important to understand the different roles that a blogger plays in order to understand what his/her rights are, how they could be violated, and how they could be protected. Vijayashankar explained that a blog is comprised of two parties: a blogger and an intermediary – which is the application host. Bloggers have many different roles: authors, editors, or publishers of content, and thus, a blogger’s rights should be defined within these contexts. As authors, bloggers write their own article/blog or adds comments to others’ blogs. As such, they should have the freedom to express their thoughts and opinions and determine a level of privacy with which to maintain them, without regulation or censorship from a third party. Though the freedom of expression and privacy should be basic rights for blog authors, bloggers must also be held accountable and responsible for the content that they choose to make public by posting on accessible web pages.

The need for a blogger to be held responsible and accountable is similar to the limitation on speech that informs defamation law, and it means that a blogger cannot be entirely anonymous – at least not once a blog is public and is challenged. Thus, accountability must limit the right to be entirely private and anonymous. Though a blogger should be held accountable, the international implications give rise to thorny issues of jurisdiction and accountability under unforeseen laws: all of which raises the question whether, instead of local jurisdictions seeking to enforce their laws against potentially out-of-the-jurisdiction bloggers, an international third party should be entrusted with the responsibility of holding bloggers accountable and responsible – whether that takes the form of an organization like the WTO or WIPO or looks more like specially trained international arbitrators.

This challenge arises because bloggers live in different jurisdictions where different rules apply, but their opinions cross multiple borders and boundaries. This raises questions such as: Which jurisdictional law should the blogger be accountable to? Should a blogger be held responsible for actions that are considered violations in a jurisdiction in which a blog is read, even if those actions are not violations in the jurisdiction in which it is written? And if a blogger is to be held responsible, who should hold him responsible – the country where the action is considered a violation or his own country – and where does a private party have a cause of action? According to Vijayashankar, blogger’s rights’ are always subordinated to the rights of expression guaranteed to the blogger in his country where he is a citizen.

Furthermore, the rights of a blogger have to be seen in the context of who has the "cause of action" against blog writing, i.e., which party involved has the right to complain. If an individual is a victim of a blog, and that individual is a citizen of another country and is guaranteed certain rights, the blogger's rights cannot override the rights of the victim in his own country. Hence, the victim has the right to invoke law enforcement in his country, and the law enforcement agencies do have a right to seek information from the blogger. If, however, a citizen brings a private civil action against a blogger, the discovery limitations are much more severe across boundaries, and the blogger’s national policy on responding to discovery from other countries will determine the extent to which information from the blogger will be made available. To the extent that the impact of a blogger’s expression reaches across boundaries, his actions should be considered similar to a situation where a citizen of one country does certain things which affect the rights enjoyed by a citizen of another country. It does not seem right that a blogger can say something offensive in one jurisdiction and be held liable, but a different blogger can say the same thing from another jurisdiction and be protected. On the one hand, since the Internet as a medium broadcasts across geographical boundaries, it is the responsibility of the individual countries to erect their "cyber boundaries" if they do not want the broadcast to reach their citizens. On the other, individuals should be able to invoke international laws to seek consistent application of standards about what is actionable and what information is discoverable in support of an action. This suggests that an international tribunal might be the best solution.

Other questions to think about when exploring the idea of a trusted third party holding online bloggers accountable include: who would form the third party, what legal authority/power would they have, would this group also be in charge of reviewing a country’s "cyber boundaries" in addition to holding online bloggers accountable? and how would it avoid being influenced by any one government or by other stakeholders?

Next I asked him for examples of common privacy violations that happen to online users. A few he said included identity theft in the form of phishing, which leads to financial frauds, and is one of the most dangerous consequences of privacy breach. Other examples included manipulation of online profiles in social networking sites to cause annoyance, defamation, and coercion; cyber squatting with content which can be misleading; posting of obscene pictures with or without morphing of victim’s photographs to other obscene photographs/pictures; and SPAM – particularly through mobile phones – are all serious forms of privacy violations.

My third question focused on privacy violations and bloggers. How could a blogger’s rights be compromised, especially with a focus on privacy? For bloggers, is privacy important simply to protect their identity and content, or are there other implications for privacy and bloggers? In our research we have looked into ways in which practices such as data retention by ISPs, government/law enforcements’ access to web content including private conversations, and poorly established user control over privacy settings on websites can violate online users’ privacy. According to Vijayashankar, a blogger is mainly concerned about privacy in the context of protecting his identity. It is important for bloggers to protect their identity because the content they create could be considered controversial or illegal in different regions. Thus, it is critical for bloggers to have the right to blog anonymously. An exception to this right is that if the blog is so offensive then the law enforcement agency can take action. In some countries individuals also can sue bloggers. To help protect bloggers from unreasonable and ungrounded searches, Vijayashankar suggested that a mechanism be created by which international and domestic law enforcement agencies can request 'sensitive' information. This mechanism would work to filter and evaluate requests for information without bias, and according to a country’s law own domestic law.

I then asked him what legal protections he felt bloggers needed. He said that he believes that it is important that bloggers and online users’ right to anonymity, protection of identity and freedom of expression (political and non-political) are protected from excessive regulations. An interesting point that he raised was about the protection of bloggers from international requests for information. According to –him — bloggers can be protected only to the extent to which their rights are protected in their own country. If a request for information comes to a law enforcement agency of a country of which the blogger is a citizen, information may need to be released unless an “asylum” has been granted.

An example of the situation Vijayashankar is referring to is that if a blogger in India writes content that is found to be controversial by the U.S Government; the U.S Government then has a right to request and access that information, unless the Indian Government provides protection over the citizen and the information and refuses to release it. Though right to information requests tend to be governmental, this rule changes if it is a citizen requesting information. Very rarely can a citizen of one country request information about a blogger from another country and gain access. The question of international discovery over Internet material is one that has many angles that need to be taken into consideration – a few being: what the content on the blog contained; was the content against an individual or a government; who is requesting the information — a citizen or the government, and whom are they requesting the information from? For example, in the US Supreme Court case, Calder vs. Jones 465 U.S. 783 (1984), information about a woman, Shirley Jones, was published in another state, but the court ruled that the wrongful action was directed to her where she was.

A large part of the debate over bloggers’ rights is centered on governments’ need to monitor online activity. Developments such as the new rules to the IT Act, the Indian Government’s request for blackberry’s encryption keys, and the news about the government wiretapping citizens’ phones show that the Government of India is demanding access to see and regulate content created by online users in India. When asked about bloggers’ rights and government access to content, Vijayashankar stressed that there has to be a mechanism to check the requests from government agencies, and any such mechanism should have popular representation. He went on to explain that presently an order for the blocking of a blog or for private information is made by a government agency or a court. Unfortunately, government agencies may be responsive to certain interests. Likewise, decisions of conventional courts can be inconsistent. Therefore, it is important that a mechanism that reflects the common person’s input is put in place. This could either be a stand-alone private body, such as Netizen Protection Agency, acting as one more layer of protection, or the government body itself could build in adequate public representation. Courts would need to recognize such bodies and seek their opinion as an input to any dispute. This is an innovative option, but one that is a radical departure from the view of a court as an impartial tribunal that is supposed to weigh every matter independently on its merits.

Lastly, I asked if a privacy legislation could address the issue at hand i.e., could a privacy legislation work to protect bloggers’ rights by providing them identity protection and protection of their content and in general what should be included in a comprehensive privacy legislation? Though India already addresses bloggers’ rights through the Information Technology Act, it could be possible that privacy legislation could establish a third party group to work to protect bloggers’ rights and hold both governments and bloggers’ accountable. When asked what should be included in a comprehensive privacy legislation, Vijayashankar suggested that it should recognize that privacy rights of individuals are part of the larger interests of the society, and a comprehensive legislation should work to take all the stakeholders into consideration.

For more details visit https://cis-india.org/internet-governance/blog/privacy/bloggers-rights-and-privacy

A Street View of Private and the Public

Prashant Iyengar — 2012-03-21T09:34:23Z

Prashant Iyengar on how in the eyes of the law, the internet giant is like the homeless in India. This article was published by Tehelka on June 4, 2011.

Since last Thursday, Internet-search giant Google has been busy collecting images of roads in Bengaluru in order to launch its popular StreetView service for the city. It is a feature that allows users of Google Maps to virtually navigate and explore cities through a 360-degree, street-level imagery. To achieve this, Google drives vehicles with cameras mounted on them through each street and neighbourhood in a city, systematically capturing everything in their path, including buildings, roads, traffic, animals and human subjects.

Intrinsically, the idea is exciting for its ability to enable distant users to sample street life in cities and neighbourhoods that they may have never physically visited. Or, even for the exhilaration it permits of viewing familiar spaces virtually.

However, this technology has also raised interesting privacy concerns in countries where it has previously been launched. In April 2008, shortly after the service was first launched in the US, Google was sued by a couple who objected to the pictures of their home being publicly displayed. This suit was settled out-of-court two years later. Google had, meanwhile, made changes to their service, permitting users to "opt out" of the service, rendering similar suits unnecessary. Google has faced similar concerns in other jurisdictions, including Europe and Japan, and has successfully fended them off by adapting its service by voluntarily blurring faces of all individuals captured during the process and vesting more agency in the hands of users to take down information that offends them.

Putting aside the privacy debate over StreetView in other jurisdictions momentarily, I want to raise two questions about India and the Indian law in the context of StreetView: first, does Indian privacy law – that evanescent sub-topic of tort and constitutional law – contain anything useful or even informative which we can bring to bear on this discussion? And, do the specificities of the Indian street life merit a different approach to the privacy question?

On the first question, the legal right to privacy in India has been, for the most part, a child of the higher judiciary. However, despite a fairly substantial volume of case law that has accumulated by now that references "privacy", one cannot suppress a sense that the concept lacks, even today, a definitive articulation. The individual’s privacy in India today is an uneven concept – stronger in some situations and non-existent in others. It is a contingent, rather tame concept of a general right to privacy that we have, from which it is not possible to mount a confident attack against Google.

Given this state of indeterminacy about one’s right to privacy, a case for the extension of this right in public spaces seems even more far-fetched. Indeed, in specific cases, courts have dealt damaging blows to the emergence of such a concept. For instance, in a tort case from colonial times, it was held that a window overlooking a public street would not infringe the privacy of the neighbours across the street. Likewise, in a case involving sex workers, the Supreme Court held that they were not entitled to move freely in a public place due to the very subversive nature of the professions they practiced in private – signalling that the private seeps into the public only as a limiting or negative concept.

Against this context Google’s extension of its opt-out privacy principles to India is commendable, because they are not warranted by the current state of law in the country. Indeed, it may even result in a "wagging the dog" of privacy jurisprudence in India by seeding the notion of a limited "right to public anonymity", which is currently indeterminate in the Indian law. That individuals have no “legitimate expectation of privacy in a public place” is axiomatic in most other common-law jurisdictions and is one of the hidden legal ballasts that supports Google’s StreetView service. However, there has not yet been an occasion for the Supreme Court to pronounce on this question. It is very likely that the court will defer to international precedent on the matter. However, until this eventuality, the legal position on the question must be regarded as unsettled.

Turning briefly to the second question regarding the specificities of the Indian situation, India is home to one of the largest populations of urban homeless persons. To them the street, generally, and pavements and bridges, more specifically, are "home" regardless of their tenuous legal title to these claims. To casually dismiss their claims is to crudely conflate privacy with property, which is insensitive to the tragedies of urban life in India. In his insightful essay on filth and the public sphere, Sudipta Kaviraj makes the fascinating point that "for the poor, homeless and other destitute people" of India, "public means not-private spaces, from which they could not be excluded by somebody’s right to property.

It comprises assets which are owned by some general institution like the government or city municipality which does not exercise fierce vigilance over its properties as individual owners do, and which allows through default, indifference and a strangely lazy generosity, its owned things to be despoiled by those with out other means. Public space is a matter not of collective pride but of desperate uses that can range from free riding to vandalizing.

I would add here that this notion of public space is shared not just by the homeless but Google as well, which has taken advantage of the lazy generosity of the Bengaluru traffic police to appropriate images of the city for its purposes. Like the homeless, Google is willing to cede to competing private interests, if they are asserted strongly enough. (This makes Google StreetView, despite its origins in Mountain View in California, characteristically Indian!) In the past, Google has required users to submit documentary proof of their titles before their claims to opt out are honoured. In the context of the homeless particularly, honouring privacy in India may require a different approach. Fortunately for Google, the homeless are not likely to fiercely assert this right.

To conclude, I will like to clarify that I write to praise Google not to bury him, since Google is an honourable man. Over the past several decades, technology – from wire tapping to DNA tests to paternity tests – has been the site and discursive nucleus that has facilitated an efflorosence of privacy jurisprudence in the country. Two decades ago we did not have Facebook, Google, unsolicited calls and spam, and, correspondingly, neither did we have a sharp notion of our privacy. One awaits with optimism the kinds of changes in privacy jurisprudence that might emerge from StreetView.

Prashant Iyengar is a lawyer and consultant on privacy issues with the Centre for Internet and Society, Bengaluru.

He can be contacted at prashantiyengar@gmail.com.

Read the original published in Tehelka here

For more details visit https://cis-india.org/internet-governance/blog/privacy/street-view-of-private-and-public

Privacy Matters, Guwahati — Event Report

praskrishna — 2011-08-26T10:31:08Z

On June 23, a public seminar on “Privacy Matters” was held at the Don Bosco Institute in Karhulli, Guwahati. It was organised by IDRC, Society in Action Group, IDEA Chirang, an NGO initiative working with grassroots initiatives in Assam, Privacy India and CIS and was attended by RTI activists and grass roots NGO representatives from across the North Eastern region: Manipur, Arunachal Pradesh, Tripura, Nagaland, Assam and Sikkim. The event focused on the challenges and concerns of privacy in India.

Unfortunately many of the scheduled invitees had to drop out owing to developments on the Lokpal issue at the Centre, and simultaneously Guwahati was witnessing unrest following an agitation over land rights that left three persons dead.

Welcoming the participants, Prashant Iyengar, lead researcher for Privacy India, gave an introduction to the objectives of Privacy India, and briefed the gathering about the thematic “Privacy Matters” consultations previously held across the country in Kolkata, Bangalore and Ahmedabad. Mr. Iyengar also gave a background to issues that India is facing in concern with privacy, explaining the many contexts that privacy can be found in, and raising questions such as: Why is privacy important? How can it be maintained with the way technology is encroaching upon our lives? And how can we make privacy laws functional?

"Privacy objectives are to raise awareness, spark civil action and promote democratic dialogue around privacy challenges and violations in India. One of Privacy India’s goals is to build consensus towards the promulgation of a comprehensive privacy legislation in India through consultation with the public, legislators and the legal and academic community."

Prashant Iyengar, Privacy India.

Event Sessions

The structure of the event was one of open discussion, with presentations made by those who wanted to share. Throughout the day, the conversation fell into three main topics including: privacy and the RTI, privacy and the UID, and privacy and surveillance in the context of North East India.

Privacy and the RTI

Prashant Iyengar opened the discussion on privacy and the RTI by highlighting the tension between the need for transparency of the State, and the need to protect the privacy of public figures. For many participants privacy and transparency was a new concept that they had just started thinking about. Participant Rakesh (HRLN, Manipur) spoke on the shortcomings that he saw in the RTI Act noting that though the RTI brings some transparency to society, many citizens still do not understand the extent of their Right to Information as it is protected under the Act. Furthermore, the RTI Act is still not applied equally across the country, and the transparency that the RTI tries to achieve is still in very nascent stages. Lowang, a participant from Aru nachal Pradesh, shared the importance of drawing a line between privacy and transparency when it comes to information related to education and health. Anjuman Azra Begum, a research scholar working on indigenous people rights, noted the irony of the RTI as it is meant to bring transparency to the state, yet all ministers and MLA’s take an oath of secrecy, not transparency. Anjuman also spoke on the fact that the RTI often fails to protect the privacy of sensitive issues, such as sexual balance. She echoed Rakesh’s comment on the inaccessibility of the RTI, sharing that for a common person to exercise his/her rights is a very daunting task. Anthony Debbarmun, a human rights activist from Tripura noted that he felt that the North Eastern states are by and large seen as resource (land) by the centre and has shown no concern for citizens and their well-being. Government is seen as a dictator in this region, hence the question — Transparency for whom?, Privacy for Whom? The distinction between the transparency brought about by the RTI and individual privacy was also made. It was pointed out that the RTI is concerned with transparency of the State, but individual privacy is separate from this concept.

Personal Experiences Shared

Anjuman Azra Begum shared her sister’s experience with the RTI. Her sister had applied for a job in 2008. Their family filed an RTI for details of the procedure, but was denied details by the RTI officer, who said that furnishing details would violate the privacy of other candidates. This example raises questions about when it is appropriate for RTI officers to withhold information in the name of privacy, and what mechanisms can be put in place to ensure that the RTI does not use privacy as a way to deny information. Lowang also shared his experience with the RTI. He had filed an RTI asking for answer sheets because he doubted the appointment of police personnel. He was told that the cost in total would be Rs.2000, when in reality each sheet costs Rs.2 — the misconstruing of facts was another example of how RTI officials restrict access information indirectly. From these examples the concern about RTI officials using privacy as an excuse to deny information was brought to the surface. To highlight the problems with the current implementation of the RTI and the lack of basic knowledge of how to use the RTI Mhao Lotha from the DICE Foundation shared a personal experience of his friend who had filed an RTI against the fishery department, and the RTI official simply shouted at her. L. Rima told a similar story as Mhao Lotha. In her experience the RTI is good in theory, but in practice it has become a commercial platform, where officers pay money to applicants for RTI cases to be taken off.

From the discussion and the shared experiences it was clear that the RTI, although a strong law on paper, still faces many challenges in implementation that a privacy law could also face, and that the fact that if more privacy is brought into the RTI, it will become yet another way for the State to avoid disclosing information.

Questions to Consider

Can a privacy law be made to be functional in the same way that the RTI is functional?
In terms of the RTI who should have more privacy? Who should be more transparent? Can NGOs be held accountable under the RTI?
What mechanism should be established to enforce the balance between privacy and transparency?

Privacy and Security/Law Enforcement in the North East of India

Another important discussion held during the conference was the practices of law enforcement in the North East, security, and privacy. Because the North East is in a state of armed conflict several laws such as the Armed Forces Special Powers Act, Sedition Act and provisions in the IPC give immunity to security forces. This has led to gross violation of citizens’ privacy by law enforcement agencies — as the acts give large amounts

of power to law enforcement agencies with little or no accountability, and the acts are often misused. Furthermore, the security laws that exist in the North East explicitly prohibit access to individual personal information. For example, in the Assam Police Manual, which is followed by police in the North East — no papers can be given out to the public except to the investigation officer — this includes personal information such as medical records and post-mortem reports. Anjuman shared an example of how this rule violates individual privacy. In her example, a victim was not allowed access her own medical report, but her medical records were being circulated among police, doctors, and media. This example highlights how privacy and the right to information can go hand in hand as it was the victim’s right to access her own medical file, and at the same time getting access to her own medical file is an act of personal privacy protection.

Personal Experiences Shared

Participants shared how individual privacy is often violated by the army, as it is allowed to enter and search any space without warrant, if there is any type of “suspicion”. They also shared how phone tapping and random monitoring is a common practice by both the army and civil police. For example, one day the police recorded a conversation by Director of the Police, Wireless who was giving a lecture on how to lead an effective agitation. The transcript was handed to the high court and the director punished. Other examples include policemen frisking women in public, newspapers publishing police frisking women in public, and law enforcement agencies compelling pregnant women to give birth in open in front of people. The discussion surrounding privacy and security/law enforcement highlighted an important way in which privacy is violated in the North East. The unregulated action of law enforcement acts as a very real and dangerous way in which individual privacy is violated on a daily basis.

Questions to Consider

Can privacy legislation regulate the acts of law enforcement agencies?
Will privacy legislation be implemented differently in the North East because of the armed conflict?
Will a privacy law supersede other laws such as the AFSPA?

Privacy and the UID

During the conference the discussion also briefly focused on the UID and privacy. It was shared that there had yet to be UID consultations in the North East of India. The only information individuals had about the UID was that it was going to allow individuals to access BPL benefits more easily.

Questions around the UID included: why is the UID needed for citizens living within their own country? How will the UID impact and help families who send their children to gather rations from the ration shops? What is the connection between the UID and the expected privacy law? What is the connection between the UID and intelligence agencies? What would UID mean to people living in border areas?

Conclusion

Privacy as a Fundamental Right

In the closing discussion Prashant Iyengar shared different examples of privacy in Indian case law, and the various ways in which the Supreme Court has defined privacy as a right that is implicit in the right to life. The participants discussed what privacy means to them, and what they thought a right to privacy should entail. Among the points raised, it was brought up that privacy should be a right that is legally protected for sovereign individuals. The law should also include parameters and limitations in order to protect an individual’s autonomy. Furthermore, privacy should be understood and linked to the concept of human rights and individual rights. From the closing session, and the above sessions many themes and questions pertaining to privacy came out that will need to be addressed when considering the way forward for a privacy legislation including:

Property rights and privacy
Privacy rights of minorities
Privacy and the UID
Privacy and law enforcement agencies
Privacy as a fundamental right
The interplay of privacy law and traditional law

Download the Event Report here [PDF, 178 kb]

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-guwahati-report

An Overview of DNA Labs in India

shilpa — 2016-02-02T13:11:31Z

DNA fingerprinting has become the most precise and technologically advanced method for identifying crimes such as murder, kidnapping, robbery and rape. Police and judicial authorities and in some cases even private parties retain this in their records, writes Shilpa in this blog post.

At present, India does not have a national law that empowers the government to collect and store DNA profiles of convicts but if the Parliament of India passes the DNA Profiling Bill,[1] 2007, India will soon join countries such as the US and UK in creating a national DNA database.[2] Government, CBI and organizations connected with the investigation process argue that data retention is necessary to combat terrorism and crime. According to Google Transparency Report [3] for the first half of 2010, India had 1,430 data requests, which made it one of the top nations in generating government inquiries for information.

In this blog I am citing my interviews with DNA labs, Issues regarding lab samples and data, and DNA Profiling Bill 2007 on lab practices. I am thankful to Anthony Jackson and Dr. Helen Wallace, Executive Director from Gene watch UK who helped me with the questionnaire for survey interview.

Interviews with DNA labs

I interviewed few government as well as private labs to find out how DNA practices are being carried out. This was to highlight ways in which DNA testing raises privacy concerns.

In public labs, DNA testing is used for the forensic purposes only. These labs are funded by the government whereas private labs deal with legal as well as private purposes. DNA Labs India (DLI), Truth Labs and Bio-Axis DNA Research Centre (P) Limited are some leading private firms involved in DNA testing.

Dr. Madhusudan Reddy Nandineni, who is the Scientist and In-charge of the Centre for DNA Fingerprinting and Diagnostics (CDFD) talked about the working of DNA practise and services provided by their laboratory. “CDFD located in Hyderabad is an autonomous institution supported by the Department of Biotechnology and Ministry of Science. CDFD provides services for DNA testing for establishment of parentage, identification of mutilated remains, establishment of biological relationships for immigration, organ transplantation, property inheritance cases, identification of missing children and child swapping in hospitals, identification of rapists in rape cases, and murderers in murder cases. CDFD assists police personnel, forensic scientists, lawyers and the judiciary”, says Dr. Madhusudan Nandineni over a telephonic interview.

The ND Tiwari Case (Published in the Deccan Herald, 24 July 2011)
Eighty-five-year-old leader ND Tiwari was asked to undergo a DNA test in the paternity suit filed by Rohit Shekhar who claims to be his biological son. The high court asked the Centre for DNA Fingerprinting and Diagontics (CDFD) at Hyderabad to conduct a DNA test on Tiwari.[4] Also refusing to grant any relief to Tiwari, the court said that considering the age of the leader, it is necessary to have a DNA test so that the Rohit Shekhar is not left without any remedy if something happens to Tiwari. The court said that it is the right of a child to know his or her biological father.[5]

Dr. BK Mahapatra, Assistant Director, Biology & DNA Finger printing Unit at Central Forensic Science Laboratory, Delhi says “CFSL undertakes cases referred by CBI, Delhi police, judiciary, vigilance department of ministries, public undertakings and state/central government departments. We don’t contract with private laboratory to do a DNA testing. We accept all type of DNA cases submissions like criminal, known, unknown, etc. CFSL saves DNA samples for re-testing, however, for this we do have a privacy policy followed by National Accreditation Board for Testing and Calibration Laboratories (NABL). It is an autonomous body under the aegis of the Department of Science and Technology, Government of India and is registered under the Societies Act”, he clarified.

In a telephonic interview with Ravi Kiran Reddy, DNA expert, DLI a, tells us about the services provided and security supervise by the laboratory. “DLI provides services for paternity testing, forensic testing, prenatal testing, and genetic testing. DLI contracted with a private laboratory to do DNA testing. We accept all DNA cases like suicide attempts, cases from Indian Army, etc. DLI saves DNA samples for re-testing for six months and if necessary for life time and a database is also maintained. He further said that to protect and secure database, bar coding is being prepared and therefore, no identity is revealed.

Some of the labs refused to participate in the research exercise like the truth labs. Truth Labs is a private lab that provides legal services directly, without a court or police order.[6] Another private laboratory which provides DNA testing is Bio-Axis DNA Research Centre. It also provide various DNA Identification services for private purposes, legal purposes, peace of mind, confidential purposes, immigration purposes, crime investigation and human identification purposes.[7]

Issues Regarding Lab Samples and Data

Readers may have heard of rapists being caught because of a match between a suspect's DNA and sperm left behind in a victim. Or, as often the case, an innocent person may be released because the DNA of that person does not match that found in a crime scene.[8]

Possibility of Framing Innocents: Kshitij Urs, an Action Aid said, “There can be some problems if one were to rely too much on DNA databases in the criminal justice system as DNA evidence can be planted in a crime scene intentionally”, in an event organised by CIS.
Insecurity of Centralised Storage: With DNA tests, a patient's medical file will contain information they would prefer to be confidential. But the whole idea of general DNA testing will only be effective if the data is stored in a single electronic database, which makes the confidentiality problem extremely pressing. For example, the results of DNA testing might reveal that a person who is legally a child's father isn't really his biological father.[9]
Other Privacy Concerns: DNA contains information that raises a much broader privacy and other civil liberties concerns. It can tell investigators about ourselves, our family members, diseases we may have inherited our physical attributes and broad ancestry. Genetic information can be used in all sorts of discriminatory ways.[10]

What can be done?
There should be a DNA retention policy to protect an individual. It will identify personal data which has to be maintained and contain guidelines for how long certain documents should be kept and how they should be destroyed.[11] In the situation of DNA collection and testing privacy cannot be protected simply through consent from an individual. Instead the law must permit specific thresholds to be established in order to cover the privacy needs of different situations. DNA profiling Bill 2007 will regulate the use of DNA profiles which is pending in the Parliament.

DNA Profiling Bill 2007 on Lab Practices

According to the DNA Profiling Bill there are certain rules for the DNA laboratories which are followed by these labs.

Prohibition for undertaking DNA procedures: It states that DNA laboratories have to take prior permission from the DNA Profiling Board to undertake any DNA procedures.
Security and minimize contamination: There should be proper facility of security and minimize contamination of DNA samples.
Confidentiality, Access to DNA Profiles, Samples and Records: DNA Profiling Bill states that all DNA profiles, samples and records forwarded to the DNA laboratory or any authority of the lab has to be kept confidential.
Use of DNA profiles, samples and records: All DNA profiles, samples and records should be used only for facilitating identification of the perpetrator(s) of a specified offence and also to identify victims of accidents, disasters or missing persons or for such other purposes.
Authorised Access: It also says that information stored on the DNA database system may be accessed by the authorized persons for the purposes of forensic comparison permitted under this Act, administering the DNA database system, accessing any information contained in it by law enforcement officers or any other persons, as may be prescribed, in accordance with provisions of any law for the time being in force, inquest or inquiry.
Restrictions on use of information on DNA profiles, samples and data identification records: Laboratory cannot use the information for any purpose other than the purpose for which the communication or access is permitted.
Destruction, alterations, contamination, tampering with biological evidence: The Bill states that whoever knowingly or intentionally destroys alters, contaminates or tampers with biological evidence will be punishable with imprisonment for a term which may extend to five years, or with fine not exceeding twenty thousand rupees, or with both.[12]

Conclusion

Currently the Bill allows for the complete storage of DNA of criminals, suspects, victims, offenders and volunteers.
There are no standard practices for data retention across lab. Thereby there is an increased risk that data might fall in wrong hands and information may also be misused. Therefore, DNA databases should be restricted to be stored for not more than a limited time period. Such indefinite retention of the DNA profiles of innocent individuals is a disproportionate and unnecessary interference with an individual’s right to privacy.
DNA labs in India have numerous constraints and operating in different level. Therefore, India has to be having even more carefully designed laws.

List of Laboratories

Central Forensic Science Laboratory, Delhi
Dr. BK Mahapatra
Associate Biology Division
Ph: 9312523536, 24360095
Mail: ssofs_dfs@dfs.gov.in

Centre For Fingerprinting and Diagnostics (CDFD), Hyderabad
Dr. Madhusudan Nandineni
Scientist and In-charge
Ph: 24749331, 24749330
Mail: dsp@cdfd.org.in

DNA Labs India, Hyderabad
Ravi Kiran Reddy
Ph: 9395142800
Mail: info@dnalabsindia.org

Bio-Axis DNA Research Centre
Ph: 9246338983
Mail: drc@dnares.in

Truth Labs, Hyderabad
Ph: 9490690222, 04023390999
Mail: gandhi@truthlabs.org

Notes

[1]http://timesofindia.indiatimes.com/topic/DNA-Profiling-Bill

[2]http://www.gene-watch.org/blog/post/India-May-Soon-Have-a-National-DNA-Database.aspx

[3]Amy Miller, “Google’s new tool shows which countries are censoring the internet” http://www.law.com/jsp/cc/PubArticleCC.jsp?id=1202472346375

[4]Paternity case: No relief for N D Tiwari as Supreme Court allows DNA test http://www.indianexpress.com/news/paternity-case-no-relief-for-n-d-tiwari-as/762146/

[5]Paternity case: ND Tiwari to provide blood sample for DNA test http://www.deccanherald.com/content/165408/paternity-case-nd-tiwari-provide.html

[6]http://www.truthlabs.org/

[7]Bio-Axis Research Centre, http://www.dnatestinginindia.ewebsite.com

[8]Sujatha Byravan , A public, private database http://www.indiatogether.org/2009/sep/hrt-dnadb.htm

[9]Vibhor Verdhan, Data Retention Policies- An Emerging Requirement & Various Compliances http://www.legalserviceindia.com/article/l428-Data-Retention-Policies.html

[10]Andrei Kislyakov , DNA testing: pros & cons http://en.rian.ru/analysis/20090104/119294260.html

[11]Vibhor Verdhan, Data Retention Policies- An Emerging Requirement & Various Compliances

[12]DNA Profiling Bill http://dbtindia.nic.in/DNA_Bill.pdf

Click here for the Survey Questions

Deoxyribonucleic acid (DNA) is the main constituent of the chromosomes of all organisms, and is found in the form of a double helix within the nucleus of every somatic cell. Consequently, a small sample of human body cells can be decoded to reveal a pattern that is shared only by a genetically identical twin. The DNA of each individual does not change during his lifetime. This technique is commonly used in police investigations and is termed ‘DNA fingerprinting. For more see the Wikipedia definition of DNA.

For more details visit https://cis-india.org/internet-governance/blog/privacy/dna-overview

My Experiment with Scam Baiting

sahana — 2012-03-13T10:43:28Z

Today, as I am sure many of you have experienced, Internet scams are widespread and very deceptive. As part of my research into privacy and the Internet, I decided to follow a scam and attempt to fully understand how Internet scams work, and what privacy implications they have for Internet users. Though there are many different types of scams that take place over the Internet —identity scams, housing scams, banking scams— just to name a few. I decided to look in depth at the lottery scam.

Day 1: July 4, 2011

On July 4, I received a spam mail from Shell BP Manchester England (lamarc65@cs.com). The e-mail informed me that my e-mail address had won a sum of $550,000 which was held on July 3, 2011 in England. In order to claim my prize the e-mail instructed me to confirm the receipt of the mail by submitting a few of my personal details to one Dr. Mohammed Al Maliki. This is an extract from the letter asking for my information:

Information Requested:

Your full Name:
Contact address:
Your Telephone:
Your Age:
Your occupation:
Your country of origin:

Congratulations.
Yours Sincerely,
Mrs Roseline Lott
Shell Prize announcer, England.

Deciding to reply to the email and see what happened, I responded to Dr. Mohammed Al Maliki (dr.mohamedmalik@gmail.com) with the information that the e-mail had asked, only I substituted my real information with the following fake information:

Shaiza Sarkar
B-196, CR Park, New Delhi - 110019
09916000603
23 yrs old
India

To my surprise he replied to my mail the same day at 4:59pm. In this mail he informed me that he had sent my details to Lloyds Bank who would be responsible for the payment of my prize. He asked me to inform him after I receive a mail from the bank. The e-mail contained a phone number for me to call. I tried to call the number mentioned in the mail but there was no reply.

Again to my surprise, I received a mail from Lloyds Bank at 6:58 p.m. the same day with a list of documents and details that I was supposed to send them to claim the prize money. Lloyds Bank had also attached a deposit certificate to ‘prove’ that Shell Petroleum Development Company had deposited the prize money in the bank. Below is an extraction of the e-mail I received from Lloyds Bank.

"FROM THE DESK OF DR. MOHAMED MALIK
REGIONAL CLAIMS AGENT,
SHELL PETROLEUM INTERNATIONAL LOTTERY PROGRAM.
Regional Office:
St James Court, Great Park Road,
Almondsbury Park, Bradley Stoke,
Bristol BS32 4QJ, England
Contact: +447035974608
“LLOYDS BANK PLC
ADMINISTRATIVE HEADQUARTERS.
LONDON, ENGLAND, UNITED KINGDOM.
REF...FILENOS2345/LTB
ATTENTION: SARKAR SHAIZA
*REGARDING YOUR PRIZE FROM SHELL PETROLEUM DEVELOPMENT COMPANY*
PLEASE SEND US THE DOCUMENTS BELOW;
1. A CERTIFICATE OF AWARD FROM SHELL PETROLEUM CONTACT DR MOHAMED MALIK
2. A SCANNED COPY OF EITHER YOUR DRIVERS LICENSE OR YOUR INTERNATIONAL PASSPORT OR WORK I.D CARD.
3. A SWORN AFFIDAVIT OF CLAIM FROM THE CROWN COURT HERE IN LONDON,YOU ARE REQUIRED TO CONTACT [DR MOHAMED MALIK]YOUR AGENT FOR ALL THIS.
SIR PAUL WISCONFIELD.
HEAD OF OPERATIONS.
LLOYDS TSB BANK PLC

Day 2: July 5, 2011

The next day I informed Dr. Mohammed Al Maliki of the above letter from the bank, as instructed to at 8:58 p.m. At 9:45 p.m., Dr. Mohammed Al Maliki emailed me back with the certificate of award from Shell Petroleum Development Company with my fake name printed on it.

Though the first two documents that Lloyds Bank required me to obtain were standard enough, the turning point in this entire scam was the third document that Lloyds Bank asked me to acquire. The third document asked me to present a sworn affidavit of claim from the Crown Court in London. Following the instructions given by the bank, I again emailed Dr. Mohammed Al Maliki. He replied with instructions for me to contact Barrister Wilson Burrows (ESQ) of Wilson and Co. Law Chambers for this document. I tried to search for Wilson and Co. Chambers on the Internet and found that no company with such a name exists.

This is the certificate of award provided to me by Dr. Mohammed Al Maliki:

Day 3: July 6, 2011

At 1:47 p.m. I mailed Wilson and Co. Law Chambers informing them about the sworn affidavit that I required in order to claim the lottery prize. The same day at 8:25 p.m. the Law Chambers sent me the following mail with an application form, and asked me to transfer 520 pounds through a Western Union Money Transfer to the Chamber’s Accountant Mr. Preston Doyle. I checked the address provided in the mail to see if it existed. The Google map showed that the given pin code “L14JJ”- London - was a pin code for Liverpool, Merseyside UK, which is not London , and not where Wilson and Co. Law Chambers claimed to be based. Additionally, the Law Chambers attached a form for the affidavit in this mail.

Below is an extract from the email I received from Wilson and Co. Law Chambers:
“The Principal Attorney
Wilson and co Chambers
#18 Harms Road Manchester
L14JJ - London.
Supreme Solicitors, Principal Attorneys and Property Managers
Kind Attention: Client,
As stated in the attached form, the completed form should be returned with the Court Oath Fee. For further processing, see below fees;
Court Oath Fee: 250 Pounds
Attorney Fee: 270 Pounds
------------------------------------------
Total Fee: 520 Pounds
-----------------------------------------
To send this money, go to any WESTERN UNION MONEY TRANSFER OFFICE nearest to you and make the payment to the Chamber's Accountant - Mr. Preston Doyle with the following details -
Receiver's Name: Mr. Preston Doyle
Receiver's Location: London, United Kingdom.
Receiver's Address: #18 Harms Road Manchester, L14JJ – London
Amount: £ 520.00 (Five Hundred and Twenty Pounds)
Regards,
Mrs.Wilson Burrows(ESQ)
(Registrar)
Mrs. Ivon Samuel (KBE) (Secretary)”

Day 4: July 7, 2011

After receiving the e-mail asking for a money transfer, I was curious and wished to probe more. Thus, I wrote to Wilson and Co Law Chambers and explained that a Western Union Transfer was not available in my village. The same day at 6:48 p.m. the Law Chambers sent me a mail saying that the Honourable Chamber recognizes only Western Union Transfer as the safest mode for transactions. I did not reply to this mail, as I knew I would not be able to go any further with my investigation. Though I was disappointed because this was the end to my investigation into lottery scams, and I still had questions that I wanted answered, the last e-mail the Law Chambers sent me was very interesting. In the last email sent to me by the Law Chambers requested (in a very pushy tone) that I should not tell anyone about my prize money, and that it was in fact in my best interest not to tell anyone.

Below is the extract of this mail:

“So do not discuss your winning with anybody until your prize has been transferred to you. It is for your own good. And it is at that time alone that you can be used for advert purposes by our company. So the success of this transfer lies sorely in your hands. These are the exact words from the Director this morning.”

Regards,

Mrs.Wilson Burrows (ESQ)

(Registrar)

His Lordship, Justice Ivon Samuel (KBE) (Secretary)

Day 5: July 8, 2011

Originally I wrote to the Law Chambers telling them I did not have access to a Western Union for the purpose of seeing if they use other mediums to receive money. Surprisingly, at 1:47 p.m. Wilson and Co. Law Chambers emailed me. The e-mail said that they would grant me the privilege of using a direct deposit of the 250 pounds into their correspondents account in India. In the mail they asked me to confirm that I would use this method of payment, and that once confirmed, that they would furnish me with their correspondent’s account details. Interested, I confirmed. After my e-mail confirmation at 9:47 p.m. they emailed me the details of their correspondent in India.

Below are the details of the account that I was supposed to transfer the money into:

This is the account details you will deposit the money into:
Account Name: L. MOHAN SINGH
Bank name: HDFC BANK
Branch: DELHI
Account number: 0609190004391
Ifsc Code : HDFC0000609
Pan Card: DDMPS9075M

Day 6: July 11, 2011

I did not deposit the money (obviously) and I did not e-mail the bank or the Law Chambers, I did receive a mail from Wilson and Co. Law Chambers informing me that their reputable organization would not tolerate my laxity. Unfortunately, because I could not pay the fee to their correspondent and obtain the affidavit, I was unable to follow the scam any further. Despite this dead end I was curious to know if they would provide me with the phone number of their Indian correspondent. Thus, I wrote them a mail to humbly apologise for the delay. I further asked them to provide me with the correspondent’s phone number claiming that the bank was rejecting his profile due to security protocols.

Day 7: July 12, 2011

The Law Chambers responded, informing me that they did not wish to give the correspondents number. In their e-mail they made it quite clear that for online banking all that is needed is the IFSC code. Therefore, I had to stop here.

This is the extract of the mail they sent me when I asked for the phone number:

The Principal Attorney
Wilson and co Chambers
#18 Harms Road Manchester
L14JJ - London.
Supreme Solicitors, Principal Attorneys and Property Managers

Kind Attention: Client,
This Honorable Chambers is in receipt of your mail. It is very important for you to know that laxity will not be accepted anymore. For the online transfer of this payment, you do not need any phone number, all you need is the IFSC Code already supplied to you. Once more, the IFSC Code is HDFC0000609. That is all you need to make an online transfer.

While I stopped following the scam at this point, many people might have continued with the process without any knowledge of it being a scam. Thus, one should be very sceptical about individuals or organizations who ask for personal and banking information.

Conclusions

In my experiment with scam baiting, I realized that:

They introduced me to various parties to make this entire scheme look professional. I initially assumed that I would have to carry out the process with the Shell Petroleum Development Company alone.
In the beginning of the experiment I initially thought the scam was about taking my account number and hacking into it. During my experiment I realized that the scam was not designed to make money by emptying my bank account, but instead was designed to profit off of the various admission fees such as the Sworn Affidavit.
Due to the speed by which they were able to respond to my emails, I realized that they had pre-prepared fake documents – ready to send to anyone who emailed them regarding claiming the offered lottery prize.
Throughout all of our e-mail exchanges I noticed that the individuals behind the scam only used a G-mail account. Curious, I checked their IP address – hoping to find out more information and possibly track their location – but found that Google does not reveal senders IP address information (which is in fact a very good thing in terms of privacy protection!)

For a detailed understanding of different types of scams visit here.

For more details visit https://cis-india.org/internet-governance/blog/privacy/scam-baiting

UID: Nothing to Hide, Nothing to Fear?

shilpa — 2011-09-28T11:44:21Z

Isn’t it interesting that authorities ask you about your identity and you end up showing your proof of existence! Isn’t this breaching into one’s personal life? Why so much transparency only from the public side? Why can’t the government be equally transparent to the public?, asks Shilpa Narani.

Before I get into an argument, I would like to share with you that my research is based on a comparative study of articles published on UID in leading newspapers like the Times of India, the Indian Express, the Hindustan Times, and its supplement LiveMint, Business Standard, Asian Age, DNA India, Bangalore Mirror, Deccan Chronicle and Deccan Herald. My research shows that the government officials and the individuals working for the UIDAI, who are involved in proposing identity system, are in fact hide their own identity from the public.

Background

A pan-India project to “identify” each resident was formally inaugurated in 2009, with the establishment of the Unique Identification Authority of India (UIDAI) as an office attached to the Planning Commission.[1] The goal of the Unique ID project is to issue a unique identity number to every resident in the country. The Unique Identification number (UID) will be linked to every resident’s basic demographic and biometric details, and stored in the UIDAI central database.[2] Now a 12 digit number will henceforth decide whether you exist or not? It will decide whether you remain a known or an unknown person? With this blog I would like to highlight the irony in the UIDAI's attempt to establish if a person is known or is unknown with a 12 digit number.

An identity card virus seems to be spreading across India. Everyone is praising the UID and the social, economic, and political improvements it will bring. “The aim of the UID scheme is to bring transparency in the system,'' says Sonia Gandhi.[3] One has to wonder though — if the aim of the UID is to bring transparency, why it is that government and UIDAI officials are not transparent themselves?

Findings

According to my research, in 55 news articles taken from different newspapers mentioned above, there are 66 persons who shared their views on UID only on the condition of anonymity. Most of these individuals were public servants who themselves did not wish to be identified. For instance, one individual was from the department of information technology, who is working on the UID project and with the UIDAI itself.

Total Anonymous

As one can see from the graph above, the total number of anonymous people sharing their perspectives on the UID are more than the total number of identified people sharing their perspective on the UID. Below is a detailed review of UID articles from each newspaper:

Times of India: Out of 13 articles, Times of India quoted nine anonymous sources in which there were HRD officials, civic sources, sources from census operation department, collectorate sources, senior postal officials, UIDAI officials, and unclassified individuals. Times of India only quoted four identified sources.

Indian Express: Out of 10 articles, the Indian Express quoted twelve anonymous sources including sources from senior officials of the AADHAR office, senior Delhi government officials and some unclassified sources. Again only four identified sources were quoted.

LiveMint: Out of 7 articles, the Live Mint quoted 15 anonymous sources including sources from the Information Regulatory and Development Authority (IRDA), UIDAI, Bank of India, a senior SEBI official, sources from ministry, etc. Only 11 sources revealed their identity.

Hindustan Times: Out of 3 articles, there were 6 anonymous sources, and 5 sources that were identified. Anonymous sources were from UIDAI, finance ministry, and other government officials.

Deccan Herald: Out of 11 articles, there were 14 anonymous sources and only 6 were identified. Anonymous sources included UIDAI officials, banks, senior officials from government, and unclassified sources as well.

Asian Age: Out of 4 articles, there were 5 anonymous sources. Anonymous sources included government officials and some unclassified officials.

Power of Identity: Why is anonymity important?

UID has the potential to threaten an individual’s ability to be anonymous in society. Anonymity results when the personal identity or personally identifiable information of a person is not known. As demonstrated above, a certain amount of anonymity already exists in India today, but with the coming of the UID there is the potential that this will be changed.

Conclusion

As Sonia Gandhi herself said, the UID's aim is to bring transparency in the system. Though the government is eager to make the Indian public transparent in their everyday lives, clearly from the analysis above, individuals working for the government and UIDAI are not comfortable being transparent to the public. It is ironic that the individuals developing and working for this scheme are not willing to voice their opinion and be identified, but private individuals are. Though the UID scheme is being promoted as a way to make the people accountable and visible in the eyes of the government, from the very start of the project the UIDAI and government have kept themselves under a cloud of secrecy. The government’s non-transparent attitude towards this project and the unawareness of its use on the people makes the whole scheme shady and unnecessary.

Notes

[1]http://uidai.gov.in/UID_PDF/Front_Page_Articles/Documents/Strategy_Overveiw-001.pdf

[2]http://uidai.gov.in/UID_PDF/Working_Papers/UID_and_iris_paper_final.pdf

[3]http://articles.timesofindia.indiatimes.com/2010-09-30/india/28243557_1_uid-number-unique-id-numbers-tembhli

Download the UID Summary Grid here [Excel, 19kb]

For the summary of articles in newspapers, click here

For more details visit https://cis-india.org/internet-governance/blog/privacy/uid-nothing-to-hide-fear

An Interview with Activist Shubha Chacko: Privacy and Sex Workers

elonnai — 2012-03-28T06:26:03Z

On February 20th I had the opportunity to speak with Shubha Chacko on privacy and sex workers. Ms. Chacko is an activist who works for Aneka, an NGO based in Bangalore, which fights for the human rights of sexual minorities. In my interview with Ms. Chacko I tried to understand how privacy impacts the lives of sex workers in India. The below is an account of our conversation.

Introduction

In our research we have been exploring where and how privacy is found in different areas of Indian society, law, and culture. As part of our research we have been holding public conferences across the country to raise awareness and gather opinions around privacy. One area that was discussed in the public conference in Bangalore was the privacy of sex workers. Shubha Chacko, who is from Aneka - an NGO located in Bangalore which fights for the human rights of sexual minorities, made a presentation that focused on the privacy challenges that sex workers in India face. In our interview Ms. Chacko pointed out many misconceptions that society holds about sex workers’ lives. She also detailed the challenges of stigma and discrimination that sex workers face, and described the precarious position that sex workers find themselves in as their work is constantly being pushed out of the public sphere by the law and society. I later interviewed Ms. Chacko to follow up on her presentation on privacy and sex workers. During the interview I had the opportunity to speak with both Ms. Chacko and a board member from the Karnataka Sex Workers Union. The following is meant to provide a perspective on how and in what ways society, law, media and tradition invades the privacy of sex workers. Though the piece is focused on the lives of sex workers, many of the issues raised are not limited to only sex workers, but characterize other marginalized communities as well.

When I began the interview with Ms. Chacko I was hoping to do a piece that looked at the different elements of a sex worker’s life, and identified the points at which their privacy was invaded – such as in contacting a client, going to the doctors, etc. After I began my interview only, I realized how privacy impacts sex workers is much more complicated than a life cycle analysis. Among other things, privacy issues for sex workers prompt questions challenging social definitions of public and private, having the right to an identity and a recognized profession, and having the autonomy to control decisions about oneself.

Basic Facts and Background Information:

Karnataka has been found to have 85,000 sex workers, and India has an estimated 2 million female sex workers [1]

Sex work is not against the law in India, but any commercialized aspect of the trade is prohibited – including running a brothel or soliciting a client.

Sex work is a multi-faceted profession with many positive and negative complexities that are rarely known to the public.

Understanding the Challenge of the Public and the Private

My interview with Ms. Chacko began with my seeking an understanding of the challenges that traditional notions of the public sphere and the private sphere pose for sex workers. Ms. Chacko explained that to understand how privacy impacts the life of a sex worker, it is important to first understand that sex workers by profession confront and question traditional conceptions of the public and the private. Sex and everything associated with it is seen as something that is to be kept only in the private sphere. The work of sex workers brings sex into the public sphere, and thus the workers are seen as being public women not entitled to privacy, because they stand on street corners and conduct their work in the public. This notion that sex workers are public women without a right to privacy shows through in the way they are treated by the media, the police, NGOs, and researchers. An example of this tension and society’s response can be seen in the recent elections. On April 6th, a Times of India news article reported that the election commission will be setting up “special booths” for sex workers to vote in because “while the sex workers had been waiting in queues to cast their votes, common people were not comfortable with that”[2]

What is the Challenge of the Public and the Private?

“It starts with a conception of issues around privacy vis-à-vis sex workers. The general perception is that sex workers are considered “public women”, because they are considered available to the public and because they sell sexual services on the streets (and are seen in contrast to the “good” woman who is confined to the private world of the home This then leads people to assume that then sex workers have are not entitled to privacy. Also sex workers are forced to reckon with issues of sex and sexuality, and if you talk about issues of sexuality - issues that are considered private are forced into the public domain, so sex workers by their presence force these issues into the public domain. So notions of privacy become complicated by this challenge of what is public and private, because the sex workers’ presence brings into the public domain what is private.”

How does this tension of the public and the private translate into privacy violations?

"Due to the stigma around sex work all rights of sex workers are seriously compromised; with impunity. Thus, privacy is a threshold issue.

The violation of privacy happens at various points, for example the way the media deals with them – publishing their photographs, outing them without their consent, talking about them without their consent. There are the police who are often engaged in so called “rescue and rehabilitation” work, but in the process of rescuing the sex workers, disregard the harmful impacts that compromising their right to privacy will do to them. The HIV prevention intervention programs that are in place now that target sex workers (along with other ‘high risk groups”) also erode their right to confidentiality. Besides intimate details of their lives being recorded, their address and other coordinates are noted. This information along with other sensitive information including their HIV status, is often accessible to a host of people and is a potential threat to their privacy and anonymity. Researchers and NGOs too often quiz sex workers about a range of intimate details about their lives with little sensitivity and expect them to be totally candid. These interviews also raise questions that relate to privacy."

Stigma, Discrimination, and Identity

Ms. Chacko also spoke about how the stigma and discrimination that sex workers face invades their privacy. Society views sex workers in one light – as immoral women. This stigma is attached to them permanently and is a source of violence and discrimination in the home, from the state, and from society. The sex workers’ right to anonymity and identity is also restricted because of the stigma attached to their work. Sex workers do not have the ability to control information about themselves, and they face challenges in obtaining official documents like a PAN card or a passport. This stigma and its consequences impedes sex workers from functioning comfortably in society and creates a difficult tension for sex workers to live with. Society denies the presence of sex workers, and police patrol parks and other public areas chasing away individuals whom they believe to be sex workers. The increased passivisation of public spaces – parks, (for example) and the over gentrification of the neighborhoods squeeze them out

In New York, one way that sex workers have overcome this constant and sometimes violent confrontation with society is through the use of mobile phones. Sex workers will contact clients only through mobile phones. This allows them to find their clients in private and anonymous ways, and it eliminates the need of a pimp or other type of ring leader. When I asked Ms. Chacko if sex workers are using this same technique in India, she recognized that they are, but said that it is not a yet widely practiced - especially among women in rural areas.

How Restricting is the Stigma?

“Huge - hardly ever does a person’s entire identity get conflated with her with occupation or livelihood option; the way it does with sex workers. … I mean, for example, if you go to a movie - people would not say; oh, look, there is a researcher come to see a movie - people would call you by name, but if a sex worker goes to a movie they always say: oh, look, there is a sex worker. There is only one side to her identity according to society. And everyone wants to know the same thing - How did they get into sex work. There is an excessive interest in this aspect alone (and generally they are seeking simple answers) - they never ask other questions about them as a person, only about them as a sex worker. Thus, real issues of violence and exploitation are never dealt with”.

HIV Initiatives, Medical Counseling , and Privacy

Medical consultations, especially those related to HIV/AIDS, in many ways violate the privacy of sex workers.

HIV Initiatives

HIV initiatives run by the Government are often invasive and function off of privacy-violating techniques. The government runs many HIV initiatives where sex workers are employed to be “peer educators.” A peer educator’s job is to spread awareness about HIV, distribute condoms, and bring sex workers for HIV testing. The privacy and anonymity of peer educators is compromised in the job title itself. Everyone in the community knows that to be a peer educator, one must also be a sex worker. Thus, if a person is a peer educator or with a peer educator, she is immediately outed and identified as a sex worker. Furthermore, HIV testing is compulsory for sex workers, though on paper it looks as though it is a choice. Because there are quotas that must be filled, sex workers often go through HIV testing without full consent.

How do Government HIV Initiatives Violate Privacy?

“The whole HIV intervention itself violates sex workers’ privacy. Both in the sense that people get jobs as peer educators and they have to carry condoms around and talk to other sex workers, and everyone thinks that if you are a peer educator then you are a sex worker, and there is no protection for these people even though it is sponsored by the state government.”

Line Listing

The HIV programs and testing centers also violate the privacy of sex workers. The clinics have a system known as line listing, which is meant to ensure that there are no duplications in data. In order to ensure this they collect identifying information from sex workers including address and phone number. The information is not protected and is easily accessible to whoever wishes to see it.

Line Listing and Privacy

“HIV programs have a process called line listing, which is to ensure that there is no duplication. So they take all your facts from you, and from that a sex workers address and such go out, and it’s put out with no safeguards.”

HIV Counselors and Doctors

HIV counselors also violate the privacy of sex workers. Though a patient’s HIV status is only supposed to be known to the counselor at the testing clinic and the lab technician, it often becomes the case that HIV results are widely shared. As per protocol, doctors and counselors must follow up with sex workers every three months if a sex worker is HIV negative. This is to ensure that they are still HIV negative, and to provide them treatment at the soonest if they do contract the disease. To carry out this follow-up work, counselors keep a list of patients whom they have seen. This list is supposed to be confidential, but other personnel in the hospital are assigned to do the follow-up phone calls, and thus the list is in fact easily accessible. If a person’s name disappears from the list, it is obvious that the person is now HIV positive, and that person’s privacy is violated and her status known.

How does HIV Counseling compromise Privacy?

“…only the counselor and the lab technician is supposed to know about it, but it turns out a whole number of people know about it, because of follow up. The counselor is supposed to follow up on the list with people every three months for further testing, but if you are positive then you do not need to follow up. Plus, these results are shared with everyone. Because of the stigma attached to HIV there is a need for privacy to be protected, so confidentiality is routinely violated.”

Media and Research

Media

Media was another area of contention that Ms.Chacko pointed out. Though the media plays an important role as being a channel for the voice of sex workers, it can also be intrusive on the sex worker by publishing stories without their consent, or reporting in ways that can be misconstrued. Through their coverage, the media can also deepen the stigma against sex workers and place them under an unwanted social spotlight. For example, a news article in The Hindu spoke about the World Cup bringing an “off day” for sex workers.

“With hoards of supporters glued to their television screens for the World Cup cricket final between India and Sri Lanka on Saturday, sex workers are anticipating a slow day, but they are not disappointed. It is a rare weekend for them with their children. The prospects of fewer clients coming in only buoyed the enthusiasm of the women in Sonagachi, the largest red-light area in the city…”[3]

The media is also often a part of raids by cover stories of brothels being uncovered, and in doing so expose the lives of sex workers, often printing sensitive information, including addresses, while portraying the sex workers as victims. The media, along with NGOs and the police will conduct raids that severely violate the privacy of sex workers. For example, in an Express India article a raid was described that took place in Pune with NGOs and the police in which sex workers were dragged out, beaten, and molested by the police against their will [4].

How does the media violate the privacy of sex workers?

“The media conducts raids, and so do NGOs in an attempt to rescue them. Once they are rescued and taken back with police escorts to their village, the whole village knows that she was in sex work, and then her privacy is violated because she was publicly returned. My problem is not about them being rescued, but they need to have consent from the person. If a person wants to do sex work – this decision needs to be respected. The media is difficult because you don’t want to ask for a ban, so we don’t ask for banning, but we do put pressure on the media to be more responsible in their reporting.”

Research/Films

Ms. Chacko also spoke about how research often violates the privacy of sex workers, in ways that range from the words that are used to describe sex workers to the one-sided victim story that is too often used to describe the lives of sex workers, to the methods researchers use to find their facts. Thus, perhaps without meaning to, research can de-legitimatize the work that sex workers do, and can work to increase the amount of violence or abuse that they are exposed to.

Research and Privacy

“Researchers who are writing a report on sex workers - land up in some village and end up violating their privacy as everyone in the village wants to know why the researchers came. The researchers also ask invasive questions. They want to know details about the sex workers’ lives: what kind of sex they have and with whom? What do they experience with their clients? What is their relationship with their partners? What is the status of their relationship.? They do not have a sense of whether the workers will want to talk about their lives or not…Some people make films and some make them in extremely exploitative ways. Films are also often incorrect and invasive of privacy in that way as well.”

The Role of a Privacy Legislation

In our research, we are looking at how a privacy legislation could help remedy the challenges to privacy that different people face in society; or ,if a privacy legislation cannot offer a solution, if there are other ways in which a legislation or society can offer solutions. When I asked Ms. Chacko if a privacy legislation or the right to privacy could improve the lives of sex workers, she was not certain if a privacy legislation would make a difference directly, and thought it might in fact overlook sex workers because currently they are seen in society as immoral women that are not to be afforded the right to privacy. In fact, it is the law and enforcers of the law itself that is invading their privacy. For example, in a study done by the World Health Organization it was found that in India 70 per cent of sex workers in a survey reported being beaten by the police, and more than 80 per cent had been arrested without evidence [5]. Thus, before a right to privacy can apply to sex workers, sex work itself must be decriminalized and recognized as a legitimate profession worthy of labor rights and other rights. Furthermore the debate around sex work needs to move away from the traditional dialogue of who is having sex and who is not to one that looks at what rights should be protected for every person. At that point perhaps a law which protects dignity and regulates the use of information could be useful. On another note, the UID (the Unique Identification Project) could be a potential benefit for sex workers as it would serve as identity that would give only a yes or no response at the time of a transaction.

Could a Privacy Legislation help?

“Some of the privacy is violated by the raids that happen by the police. So those raids are problematic. What kind of laws would help? One would be to decriminalize sex work itself and also work with society to gain understanding and perspective. Because now people think: they are immoral women ,so what privacy do they deserve? The sexual debate should not be about who is having sex and who is not, but about who has the power…”

The Current Law

In India, the Immoral Trafficking prevention Act ( ITPA) is the law that governs sex work. The ITPA does not make prostitution illegal, but instead tries to target the commercialized aspects of the trade such as brothel keeping, pimping, and soliciting. Though the law does not attack the sex workers as individuals, and its stated purpose is to prevent the trafficking of sex workers, the law has become a tool of harassment and abuse by law enforcement agencies. Sections 5A, 5B, 5C, which pertain to trafficking are the most troublesome, because the clauses do not distinguish between trafficking and sex work, but instead defines them as the same[6]. Thus, the new definitions of prostitution and trafficking leave room for reading all sex work as within the meaning of trafficking, and thus criminalizing sex work by defacto.[7] In addition, under the new Section 5C, clients visiting or found in a brothel will face imprisonment and/or fines [8]. Penalization of clients is a significant modification to the the ITPA, which formally targeted 'third parties' profiting from prostitution and not sex workers or clients themselves [9]. Sex workers have fought for a long time to overturn the ITPA. In June 2008, sex workers went on a hunger strike in the hopes of forcing the bill to be discarded [10]. In 2010 sex workers demonstrated against the amendment of the ITPA that would hold the clients of sex workers liable. Despite their protests and demands for their occupation to be treated equally, the Indian courts are slow to move forward and recognize sex work as a dignified profession. “A woman is compelled to indulge in prostitution not for pleasure but because of abject poverty,” the court said last month. “If such woman is granted opportunity to avail some technical or vocational training, she would be able to earn her livelihood by such vocational training and skill instead of selling her body.” The court has also promised to initiate a program in May for vocational training of sex workers [11]. Unfortunately, vocational training fails to address the actual issues and violations that sex workers face – a fact that was demonstrated by one sex worker’s saying: “If we can’t solicit clients without getting arrested, we will naturally rely on pimps to carry on our trade…What we need are practical measures that free us from exploitation created by the law itself.”

Solutions

One of the most impactful source of aid for sex workers currently is the sex workers union. I had the opportunity to speak with a member from the board of the Karnataka Sex Workers
union. She spoke about the challenges that sex workers face and how the Union provides assistance to the sex workers. The union helps them obtain benefits, helps with enrolling their children in schools, and answers questions that they would not be able to seek legal or other assistance on. The union is a confidential and safe space for sex workers to function in society. The person interviewed feels as though the information about herself that should be kept confidential is: her medical information, her clients, where she meets her clients, and information about her family. Ms. Chacko also spoke about the positives that an identity scheme like the UID could have on sex workers, because the transactions would be done through a yes/ no response, and no one will be denied a UID number. Most importantly, Ms. Chacko stressed that it is important to recognize sex work as a legitimate profession,and focus on the actual problems, rather than limiting the debate to stigmas around sex. The interview with Ms. Chacko demonstrated that protection of sex workers’ and sexual minorities’ privacy cannot be addressed simply by a law, but must be embodied by an ethos and a culture before that law is meaningful.

Bibliography

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy_privacyandsexworkers

Limits to Privacy

Prashant Iyengar — 2012-12-14T10:28:55Z

In his research article, Prashant Iyengar examines the limits to privacy for individuals in light of the provisions of the Constitution of India, public interest, security of state and maintenance of law and order. The article attempts to build a catalogue of all these justifications and arrive at a classification of all such frequently used terms invoked in statutes and upheld by courts to deprive persons of their privacy.

Introduction

In 1965, the Supreme Court of India heard and decided State of UP v. Kaushaliya[1], a case which involved the question of whether women who are engaged in prostitution can be forcibly removed from their residences and places of occupation, or whether they were entitled, along with other citizens of India, to the fundamental right to move freely throughout the territory of India, and to reside and settle in any part of the territory of India [under Article 19(1)(d) and (e) of the Constitution of India]. In other words, did these women possess an absolute right of privacy over their decisions in respect to their occupation and place of residence? In its decision, the Supreme Court denied them this right holding that "the activities of a prostitute in a particular area... are so subversive of public morals and so destructive of public health that it is necessary in public interest to deport her from that place." In view of their 'subversiveness', the statutory restrictions imposed by the Suppression of Immoral Traffic Act on prostitutes, were upheld by the court as constitutionally-permissible “reasonable restrictions” on their movements.

The legal alibis that the State employs to justify its infringement of our privacy are numerous, and range from ‘public interest’ to 'security of the state' to the 'maintenance of law and order'. In this chapter we attempt to build a catalogue of these various justifications, without attempting to be exhaustive, with the objective of arriving at a rough taxonomy of such frequently invoked terms. In addition we also examine some the more important justifications such as 'public interest' and 'security of the state' that have been invoked in statutes and upheld by courts to deprive persons of their privacy.

The statutory venues of deprivation of privacy by the state being many – strictly, any statute that imposes any restriction on movement, or authorizes the search or examination of any residence or book, or the interception of communication may be read as a violation of a privacy right — tracking each of these down would not only be an impossible exercise, but also contribute little to the analytical exercise we are attempting here. Instead, in this chapter we only list provisions from a few statutes that are the familiar instruments by which the state impinges on our privacy. This is done with the limited object of arriving at a rough inventory of the common technologies which the state employs to impinge on our privacy.

Even if intrusions into our privacy are statutorily authorised, these statutes must withstand constitutional scrutiny. We therefore, begin this chapter with a discussion of the constitutional framework within which these statutes operate, and against which the severity of their incursions must be measured.

Constitutional Jurisprudence on Privacy

The 'right to privacy' has been canvassed by litigants before the higher judiciary in India by including it within the fold of two fundamental rights: the right to freedom under Article 19 and the right to life and personal liberty under Article 21.

It would be instructive to provide a brief background to each of these Articles before delving deeper into the privacy jurisprudence expounded by the courts under them.

Part III of the Constitution of India (Articles 12 through 35) is titled ‘fundamental rights’ and lists out several rights which are regarded as fundamental to all citizens of India (some apply all persons in India whether citizens or not). Article 13 forbids the State from making “any law which takes away or abridges the rights conferred by this Part”.

Thus, Article 19(1) (a) stipulates that "all citizens shall have the right to freedom of speech and expression". However this is qualified by Article 19(2) which states that this will not "affect the operation of any existing law, or prevent the State from making any law, in so far as such law imposes reasonable restrictions on the exercise of the right … in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence".

Thus, the freedom of expression guaranteed by Article 19(1) (a) is not absolute, but a qualified right that is susceptible, under the Constitutional scheme, to being curtailed under specified conditions.

The other important fundamental right from the perspective of privacy jurisprudence is Article 21 which reads "No person shall be deprived of his life or personal liberty except according to procedure established by law."

Where Article 19 contains a detailed list of conditions under which freedom of expression may be curtailed, by contrast Article 21 is thinly-worded and only requires a "procedure established by law" as a pre-condition for the deprivation of life and liberty. However, the Supreme Court has held in a celebrated case Maneka Gandhi vs. Union of India [2] that any procedure "which deals with the modalities of regulating, restricting or even rejection of a fundamental right falling within Article 21 has to be fair, not foolish, carefully designed to effectuate, not to subvert, the substantive right itself. Thus, understood, 'procedure' must rule out anything arbitrary, freakish or bizarre."

Four decisions by the Supreme Court have established the right to privacy in India as flowing from Articles 19 and 21.

The first was a seven-judge bench judgment in Kharak Singh vs The State of U.P.[3] The question for consideration before this court was whether 'surveillance' under Chapter XX of the U.P. Police Regulations constituted an infringement of any of the fundamental rights guaranteed by Part III of the Constitution. Regulation 236(b) which permitted surveillance by 'domiciliary visits at night' was held to be violative of Article 21.The word ‘life’ and the expression ‘personal liberty’ in Article 21 were elaborately considered by this court in Kharak Singh`s case. Although the majority found that the Constitution contained no explicit guarantee of a ‘right to privacy’, it read the right to personal liberty expansively to include a right to dignity. It held that "an unauthorised intrusion into a person's home and the disturbance caused to him thereby, is as it were the violation of a common law right of a man —an ultimate essential of ordered liberty, if not of the very concept of civilization."

In a minority judgment in this case, Justice Subba Rao held that "the right to personal liberty takes is not only a right to be free from restrictions placed on his movements, but also free from encroachments on his private life. It is true our Constitution does not expressly declare a right to privacy as a fundamental right but the said right is an essential ingredient of personal liberty. Every democratic country sanctifies domestic life; it is expected to give him rest, physical happiness, peace of mind and security. In the last resort, a person's house, where he lives with his family, is his 'castle' it is his rampart against encroachment on his personal liberty." This case, especially Justice Subba Rao’s observations, paved the way for later elaborations on the right to privacy using Article 21.

In 1972, the Supreme Court decided a case — one of the first of its kind — on wiretapping. In R. M. Malkani vs State of Maharashtra [4] the petitioner’s voice had been recorded in the course of a telephonic conversation where he was attempting blackmail. He asserted in his defence that his right to privacy under Article 21 had been violated. The Supreme Court declined his plea holding that “the telephonic conversation of an innocent citizen will be protected by courts against wrongful or high handed interference by tapping the conversation. The protection is not for the guilty citizen against the efforts of the police to vindicate the law and prevent corruption of public servants.”

The third case, Govind vs. State of Madhya Pradesh [5] , by a three-judge bench of the Supreme Court is regarded as being a setback to the right to privacy jurisprudence. Here, the court was evaluating the constitutional validity of Regulations 855 and 856 of the Madhya Pradesh Police Regulation which provided for police surveillance of habitual offenders including domiciliary visits and picketing. The Supreme Court desisted from striking down these invasive provisions holding that "It cannot be said that surveillance by domiciliary visit, would always be an unreasonable restriction upon the right of privacy. It is only persons who are suspected to be habitual criminals and those who are determined to lead criminal lives that are subjected to surveillance."

The court went on to make some observations on the right to privacy under the Constitution:

"Too broad a definition of privacy will raise serious questions about the propriety of judicial reliance on a right that is not explicit in the Constitution. The right to privacy will, therefore, necessarily, have to go through a process of case by case development. Hence, assuming that the right to personal liberty, the right to move freely throughout India and the freedom of speech create an independent fundamental right of privacy as an emanation from them it could not he absolute. It must be subject to restriction on the basis of compelling public interest. But the law infringing it must satisfy the compelling state interest test. It could not be that under these freedoms that the Constitution-makers intended to protect or protected mere personal sensitiveness."

The next case in the series was R. Rajagopal vs. State of Tamil Nadu [6] which involved a balancing of the right of privacy of citizens against the right of the press to criticize and comment on acts and conduct of public officials. The case related to the alleged autobiography of Auto Shankar who was convicted and sentenced to death for committing six murders. In the autobiography, he had commented on his contact and relations with various police officials. The right of privacy of citizens was dealt with by the Supreme Court in the following terms: -

The right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a "right to be let alone". A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, childbearing and education among other matters. None can publish anything concerning the above matters without his consent — whether truthful or otherwise and whether laudatory or critical. If he does so, he would be violating the right to privacy of the person concerned and would be liable in an action for damages. Position may, however, be different, if a person voluntarily thrusts himself into controversy or voluntarily invites or raises a controversy.
The rule aforesaid is subject to the exception, that any publication concerning the aforesaid aspects becomes unobjectionable if such publication is based upon public records including court records. This is for the reason that once a matter becomes a matter of public record, the right to privacy no longer subsists and it becomes a legitimate subject for comment by press and media among others. We are, however, of the opinion that in the interests of decency [Article 19(2)] an exception must be carved out to this rule, viz., a female who is the victim of a sexual assault, kidnap, abduction or a like offence should not further be subjected to the indignity of her name and the incident being publicised in press/media.

Elsewhere in the same decision, the court took a cautionary stance and held that "the right to privacy...will necessarily have to go through a process of case-by-case development."

The final case that makes up the 'privacy quintet' in India was the case of PUCL v. Union of India [7] in which the court was called upon to consider whether wiretapping was an unconstitutional infringement of a citizen’s right to privacy. The court held:

The right privacy — by itself — has not been identified under the Constitution. As a concept it may be too broad and moralistic to define it judicially. Whether right to privacy can be claimed or has been infringed in a given case would depend on the facts of the said case. But the right to hold a telephone conversation in the privacy of one’s home or office without interference can certainly be claimed as a ‘right to privacy’. Conversations on the telephone are often of an intimate and confidential character. Telephone conversation is a part of modern man's life. It is considered so important that more and more people are carrying mobile telephone instruments in their pockets. Telephone conversation is an important facet of a man's private life. Right to privacy would certainly include telephone-conversation in the privacy of one's home or office. Telephone-tapping would, thus, infract Article 21 of the Constitution of India unless it is permitted under the procedure established by law.

The court also read this right to privacy as simultaneously deriving from Article 19. "When a person is talking on telephone, he is exercising his right to freedom of speech and expression", the court observed, and therefore "telephone-tapping unless it comes within the grounds of restrictions under Article 19(2) would infract Article 19(1) (a) of the Constitution."

However, the court in this case made two observations which would have a lasting impact on privacy jurisprudence in India –firstly, it rejected the contention that 'prior judicial scrutiny' should be mandated before any wiretapping could take place and accepted the contention that administrative safeguards would be sufficient.

Thus, to conclude this section of this chapter, it may be observed that the right to privacy in India is, at its foundations a limited right rather than an absolute one. In the sections that follow, it will become apparent that this limited nature of the right provides a somewhat unstable assurance of privacy since it is frequently made to yield to all manners of competing interests which happen to have a more pronounced legal standing.

Vocabularies of Privacy Limitation

Article 12 of the Universal Declaration of Human Rights (1948) defines privacy in the following terms:

"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

Similarly, Article 17 of the International Covenant of Civil and Political Rights (to which India is a party) declares that:

"No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home and correspondence, nor to unlawful attacks on his honour and reputation."

In this section, we look briefly at sections in some statutes that authorize the deprivation of privacy. These statutes have been classified under three headings, following the aforementioned international covenants, each dealing with a) our communications, b) our homes and c) bodily privacy.

Privacy of Communications

Communications laws

All laws dealing with mediums of inter-personal communication — post, telegraph and telephony and email – contain similarly worded provisions permitting interception under specified conditions.

Thus, section 26 of the India Post Office Act 1898 confers powers of interception of postal articles for the 'public good'. According to this section, this power may be invoked "On the occurrence of any public emergency, or in the interest of the public safety or tranquillity". The section further clarifies that “a certificate from the State or Central Government” would be conclusive proof as to the existence of a public emergency or interest of public safety or tranquillity.

Similarly, section 5(2) of the Telegraph Act authorizes the interception of any message

on the occurrence of any public emergency, or in the interest of the public safety; and
if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence,

Thus, the events that trigger an action of interception are the occurrence of any ‘public emergency’ or in the interests of ‘public safety’.

Most recently, section 69 of the Information Technology Act 2008 contains a more expanded power of interception which may be exercised "when they [the authorised officers] are satisfied that it is necessary or expedient" to do so in the interest of:

sovereignty or integrity of India,
defence of India,
security of the State,
friendly relations with foreign States or
public order or
preventing incitement to the commission of any cognizable offence relating to above or
for investigation of any offence,

[More details of the occasions and the mandatory procedural safeguards before these powers may be exercised are contained in our briefing notes on Privacy and Telecommunications and Privacy and the IT Act]

From a plain reading of these sections, there appears to be a gradual loosening of standards from the Post Office Act to the latest Information Technology Act. The Post Office Act requires the existence of a ‘state of public emergency’ or a ‘threat to public safety and tranquillity’ as a precursor to the exercise of the power of interception. This requirement is continued in the Telegraph Act with the addition of a few more conditions, such as expediency in the interests of sovereignty, etc. Under the most recent IT Act, the requirement of a public emergency or a threat to public safety is dispensed with entirely – here, the government may intercept merely if it feels it ‘necessary or expedient’.

How much of a difference does it make?

In Hukam Chand Shyam Lal v. Union of India and ors [8] , the Supreme Court was required to interpret the meaning of ‘public emergency’. Here, the court was required to consider whether disconnection of a telephone could be ordered due to an ‘economic emergency’. The Government of Delhi had ordered the disconnection of the petitioner’s telephones due to their alleged involvement, through the use of telephones, in (then forbidden) forward trading in agricultural commodities. According to the government, this constituted an ‘economic emergency’ due to the escalating prices of food. Declining this contention, the Supreme Court held that:

a 'public emergency' within the contemplation of this section is one which raises problems concerning the interest of the public safety, the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or the prevention of incitement to the commission of an offence.

Economic emergency is not one of those matters expressly mentioned in the statute. Mere 'economic emergency'— as the high court calls it—may not necessarily amount to a 'public emergency' and justify action under this section unless it raises problems relating to the matters indicated in the section.

In addition the other qualifying term, 'public safety' was interpreted in an early case by the Supreme Court to mean "security of the public or their freedom from danger. In that sense, anything which tends to prevent dangers to public health may also be regarded as securing public safety. The meaning of the expression must, however, vary according to the context."[9]

Thus, the words ‘public emergency’ and 'public safety' does provide some legal buffer before the government may impinge on our privacy in the case of post and telecommunications. In a sense, they operate both as limits on our privacy as well as limits on the government’s ability to impinge on our privacy — since the government must demonstrate their existence to the satisfaction of the court, failing which their actions would be illegal.

However, as mentioned, even these requirements have been dispensed with in the case of electronic communications falling under the purview of the Information Technology Act where sweeping powers of interception have been provided extending from matters affecting the sovereignty of the nation, to the more mundane 'investigation of any offence'.

Privileged Communications

In addition to laying down procedural safeguards which restrict the conditions under which our communication may be intercepted, the law also safeguards our privacy in certain contexts by taking away the evidentiary value of certain communications.

Thus, for instance, under the Evidence Act, communications between spouses and communications with legal advisors are accorded a special privilege.

Section 122 of the Evidence Act forbids married couples from disclosing any communications made between them during marriage without the consent of the person who made it. This however, does not apply in suits “between married persons, or proceedings in which one married person is prosecuted for any crime committed against the other.”

This rule was applied in a case before the Kerala High Court, T.J. Ponnen vs M.C. Varghese [10] where a man sued his son-in-law for defamation based on statements about him written in a letter addressed to his daughter. The trial court held that the prosecution was invalid since it was based on privileged communications between the couple. This was upheld by the high court. The petitioner had attempted to argue that it was immaterial how he gained possession of the letter. The high court disagreed with this contention holding that this would defeat the purpose of section 122.

Similarly section 126 forbids “barristers, attorneys, pleaders or vakils” from disclosing, without their client’s express consent “any communication made to him in the course and for the purpose of his employment as such barrister, pleader, attorney or vakil... or to state the contents or condition of any document with which he has become acquainted in the course and for the purpose of his professional employment or to disclose any advice given by him to his client in the course and for the purpose of such employment.”

As with section 122, this privilege also comes with exceptions. Thus, the following kinds of communications are exempted from the privilege:

any communication made in furtherance of any illegal purpose,
any fact observed by any barrister, pleader, attorney or vakil, in the course of his employment as such showing that any crime or fraud has been committed since the commencement of his employment.

Section 127 extends the scope attorney-client privilege to include any interpreters, clerks and servants of the attorney or barrister. They are also not permitted to disclose the contents of any communication between the attorney and her client.

Section 129 enacts a reciprocal protection and provides that clients shall not be compelled to disclose to the court any "confidential communication which has taken place between him and his legal professional adviser."

Section 131 of the Evidence Act further cements the legal protection afforded to married couples, attorneys and their clients by providing that "No one shall be compelled to produce documents in his possession, which any other person would be entitled to refuse to produce if they were in his possession" unless that person consents to the production of such documents.

Note that these privileges do not limit the ability of the state to intercept communications – they merely negate the evidentiary value of any communications so intercepted.

Privacy of the Home: Search and Seizure Provisions

Under what circumstances may the State invade the privacy of our homes? What are the limits of these powers? Technically, any law that authorizes “search and seizure” can be said to authorize an invasion of our privacy. Many laws permit searches, for various grounds — ranging from the Income Tax Act which authorizes searches to recover undisclosed income, to the Narcotics Act which prescribes a procedure to search and sieze drugs, to the Excise Act and the Customs Act which do so in order to discover goods that are manufactured or imported in violation of those respective statutes. In this section we deal only with the general provisions for search and seizure under the Code of Criminal Procedure.

The Code of Criminal Procedure (CrPC) provides that a house or premises may be searched either under a search warrant issued by a court, or, in the absence of a court-issued-warrant, by a police officer in the course of investigation of offences.

Thus, a court may issue a search warrant where

it has reason to believe that a person to whom a summons has been, or might be, addressed, will not or would not produce the document or thing as required by such summons; or
where such document or thing is not known to the court to be in the possession of any person, or
where the court considers that the purposes of any inquiry, trial or other proceeding under this Code will be served by a general search or inspection,

Similarly, section 165 of the Code of Criminal Procedure permits for searches to be conducted by “police officers in charge of police station or a police officer making an investigation” without first obtaining a warrant. Such a search may be conducted if he has “reasonable grounds for believing that anything necessary for the purposes of an investigation into any offence which he is authorised to investigate may be found in any place within the limits of the police station of which he is in charge, or to which he is attached”, and if, in his opinion, such thing cannot “be otherwise obtained without undue delay”.

Such officer must record in writing the grounds of his belief and specify “so far as possible” the thing for which search is to be made.

In both cases, the Code of Criminal Procedure requires the search to conform to procedures including the presence of "two or more independent and respectable inhabitants of the locality”. The preparation, in their presence, of “a list of all things seized in the course of such search, and of the places in which they are respectively found", the delivery of this list to the occupant of the place being searched.

However, in reality, these requirements are observed more in the breach. Courts have consistently held that not following these provisions would not make evidence obtained inadmissible — it would make the search irregular, not unlawful. Thus, in State of Maharashtra v. Natwarlal Damodardas Soni [11], where a search was conducted under the Customs Act to recover smuggled gold, the Supreme Court held that

Assuming that the search was illegal it would not affect either the validity of the seizure and further investigation by the customs authorities or the validity of the trial which followed on the complaint of the Assistant Collector of Customs.

In a different case, Radhakrishan v. State of U.P. [12] which involved an illegal search in contravention of the Code of Criminal Procedure , the Supreme Court held that:

"So far as the alleged illegality of the search is concerned, it is sufficient to say that even assuming that the search was illegal the seizure of the Articles is not vitiated. It may be that where the provisions of ... Code of Criminal Procedure, are contravened the search could be resisted by the person whose premises are sought to be searched. It may also be that because of the illegality of the search the Court may be inclined to examine carefully the evidence regarding the seizure. But beyond these two consequences no further consequence ensues."

India inherits the common law notion that a man’s house is his castle. In the light of the cases discussed above, this claim certainly appears to be lofty. However, there is still hope. In a recent case, the Supreme Court struck down provisions of a legislation on grounds that it was too intrusive of citizens’ right to privacy. The case involved an evaluation of the Andhra Pradesh Stamp Act which authorized the collector to delegate “any person” to enter any premises in order to search for and impound any document that was found to be improperly stamped. Thus, for instance, banks could be compelled to cede all documents in their custody, including clients documents, for inspection on the mere chance that some of them may be improperly stamped. These banks were then compelled under law to pay the deficit stamp duty on the documents, even if they themselves were not party to the transactions recorded in the documents.

After an exhaustive analysis of privacy laws across the world, and in India, the Supreme Court held that in the absence of any safeguards as to probable or reasonable cause or reasonable basis, this provision was violative of the constitutionally guaranteed right to privacy, both of the house and of the person. [13]

The case marks a welcome redrawing of the boundaries of the right to privacy against state intrusion.

Privacy of the Body

To what extent do we have a right to privacy that protects what we may do with our own bodies and may be done to them? This section deals with this question in the context of four issues that have arisen before courts:

the ability of the state to order persons to undergo medical-examination,
to undergo a range of 'truth technologies' including narco analysis, brain mapping, etc.,
to submit to DNA testing and d) to abortion. In most cases, as we shall see, the right to privacy cedes ground to any available competing interest.

Court-ordered Medical Examinations

Can courts compel persons to undergo medical examinations against their will? In the case of Sharda v. Dharmpal[14], decided in 2003, the Supreme Court held that they could. Here a man filed for divorce on that grounds that his wife suffered from a mental illness. In order to establish his case, he requested the court to direct his wife to submit herself to a medical examination. The trial court and the high court both granted his application. On appeal to the Supreme Court, the woman contested the order on grounds firstly, that compelling a person to undergo a medical examination by an order of the court would be violative of her right to 'personal liberty' guaranteed under Article 21 of the Constitution of India. Secondly, in absence of a specific empowering provision, a court dealing with matrimonial cases cannot subject a party to undergo medical examination against his her volition. The court could merely draw an adverse inference.

The Supreme Court rejected these contentions holding that the right to privacy in India was not absolute. If the "respondent avoids such medical examination on the ground that it violates his/her right to privacy or for a matter right to personal liberty as enshrined under Article 21 of the Constitution of India, then it may in most of such cases become impossible to arrive at a conclusion. It may render the very grounds on which divorce is permissible nugatory."

The court upheld the rights of matrimonial courts to order a person to undergo medical test. Such an order, the court held, would not be in violation of the right to personal liberty under Article 21 of the Constitution of India. However, this power could only be exercised if the applicant had a strong prima facie case, and there was sufficient material before the court. Crucially, the court held that if, despite the order of the court, the respondent refused to submit herself to medical examination, the court would be entitled to draw an adverse inference against him.

Thus, oddly, one limitation on the right to privacy appears to be the statutory rights of others. One is entitled to the privacy of one’s body, to the extent that another person is not, thereby, deprived of a statutory right – as in this case, to divorce.

Reproductive Rights

Ahmedabad: A 13-year-old girl, who conceived after being repeatedly raped, has moved the Gujarat High Court and sought permission to medically terminate her pregnancy after a sessions court rejected her plea.

Express India(April 2010) [15]

To what extent do pregnant women enjoy a right to privacy over their bodies and their reproductive decisions? Are there circumstances when the State can intervene and either order or forbid an abortion?

According to the Medical Termination of Pregnancy Act, 1971 a pregnancy may be terminated before the twentieth week if:

the continuance of the pregnancy would involve a risk to the life of the pregnant woman or of grave injury to her physical or mental health; or
there is a substantial risk that if the child were born, it would suffer from such physical or mental abnormalities to be seriously handicapped.
where any pregnancy is alleged by the pregnant woman to have been caused by rape,
where any pregnancy occurs as a result of failure of any device or method used by any married woman or her husband for the purpose of limiting the number of children.

Consent for termination needs to be obtained from the guardian in cases of minors or women who are mentally ill. In all other cases, the woman herself must consent.

Beyond the period of 20 weeks, the pregnancy may only be terminated if there is immediate danger to the life of the woman.

In August 2009, the Supreme Court heard an expedited appeal that was filed on behalf of a destitute mentally retarded woman who had become pregnant consequent to having been raped at a government run shelter. The government had approached the high court seeking permission to terminate her pregnancy, which had been granted by that court despite the finding by an ‘expert body’ of medical practitioners that she was keen on continuing the pregnancy. On appeal the Supreme Court held, very curiously, that the woman was not ‘mentally ill’, but ‘mentally retarded’, and consequently her consent was imperative under the Act. [16] However, not content to stop there, the court made several puzzling and contradictory observations:

Firstly, the court took the opportunity to affirm, generally, women’s rights to make reproductive choices as a dimension of their `personal liberty' as guaranteed by Article 21 (Right to Life and Personal Liberty) of the Constitution of India. The court observed:

“It is important to recognise that reproductive choices can be exercised to procreate as well as to abstain from procreating. The crucial consideration is that a woman's right to privacy, dignity and bodily integrity should be respected. This means that there should be no restriction whatsoever on the exercise of reproductive choices such as a woman's right to refuse participation in sexual activity or alternatively the insistence on use of contraceptive methods. Furthermore, women are also free to choose birth-control methods such as undergoing sterilisation procedures. Taken to their logical conclusion, reproductive rights include a woman's entitlement to carry a pregnancy to its full term, to give birth and to subsequently raise children. (emphasis mine) [17]

However, the court went on to affirm, in language that curiously imitates Roe v Wade,[18] that there was “a `compelling state interest' in protecting the life of the prospective child.[19]

Secondly, the Supreme Court upheld the woman’s consent as determinative and in doing so, categorically rejected the high court approach. The court held that since she suffered from `mild mental retardation' this did not render her "incapable of making decisions for herself". Simultaneously, however, the Supreme Court proceeded gratuitously to apply the common law doctrine of `parens patriae' to resume jurisdiction over the woman in her “best interests”. According to a court-appointed expert committee, her mental age was “close to that of a nine-year old child” and she was capable of “learning through rote memorisation and imitation” and of performing “basic bodily functions”.[20] In this light, the court deemed in her ‘best interests’, as defined by an expert committee, to defer to her wishes.

The findings recorded by the expert body indicate that her mental age is close to that of a nine-year old child and that she is capable of learning through rote-memorisation and imitation. Even the preliminary medical opinion indicated that she had learnt to perform basic bodily functions and was capable of simple communications. In light of these findings, it is the `best interests' test alone which should govern the inquiry in the present case and not the `substituted judgment' test. [21]

If one disregards the liberalism of its outcome, there are various problems with this decision. Chiefly, the Supreme Court relied on the woman’s expressed consent to deny the legitimacy of the high court’s decision in favour of abortion. Inexplicably, however, in the same move, the Supreme Court reserved to itself the right to adjudicate the ‘best interests’ of the woman. Thus, in relation to abortion, mentally retarded women are more autonomous than minor girls (since their own consent is determinative, rather than their guardians) but they are still less autonomous than ‘normal’ women (since their decisions are subject to adjudication based on what the court thinks is in their best interests)!

DNA Tests in Civil Suits

Do we have a right to privacy over the interiors of our body – our blood, our tissue, our DNA? There is, by now, a strong line of cases decided by the Supreme Court in which our right to ‘bodily integrity’ has been held to not be absolute, and may be interfered with in order to settle many terrestrial issues. In most cases, this question has arisen in the context of the determination of paternity – either in divorce or maintenance proceedings. Central in the determination of these issues is section 112 of the Evidence Act which stipulates that birth of a child during the continuance of a valid marriage (or within 280 days of its dissolution) would be conclusive proof of legitimacy of that child, “unless it can be shown that the parties to the marriage had no access to each other at any time when he could have been begotten.”

As is evident, this section creates a strong legal presumption of legitimacy that leaves no room for a scientific rebuttal. Various litigants have, nevertheless, sought the courts’ indulgence in accepting medical evidence to displace this formidable legal presumption. These efforts have yielded a measure of success, and a steady line of precedents since the early 1990s now affirms the right of courts to direct medical evidence in cases they consider fit. In these cases, the court has frequently invoked privacy rights as an important consideration to be weighed before ordering a person to submit to any test.

In one of the earliest and most frequently invoked cases, Goutam Kundu vs State of West Bengal and Anr (1993) [22] the Supreme Court laid down guidelines governing the power of courts to order blood tests. The court held:

courts in India cannot order blood test as matter of course;

wherever applications are made for such prayers in order to have roving inquiry, the prayer for blood test cannot be entertained.

There must be a strong prima facie case in that the husband must establish non-access in order to dispel the presumption arising under section 112 of the Evidence Act.

The court must carefully examine as to what would be the consequence of ordering the blood test; whether it will have the effect of branding a child as a bastard and the mother as an unchaste woman.

No one can be compelled to give sample of blood for analysis.

On the particular facts of this case, the Supreme Court refused to order the respondent to submit to the test, since in its view, there was no prima facie case made out that cast doubts on the legal presumption of legitimacy.

These guidelines have been frequently invoked in subsequent cases. In a complex set of facts, in Ms. X vs Mr. Z and Anr (2001), [23] the Delhi High Court was called to consider whether a foetus had a ‘right to privacy’ – or whether the mother of the foetus could assert a right to privacy on it’s behalf. A woman had given birth to a still-born child and tissues from the foetus had been stored at the All India Institute of Medical Sciences. Her husband approached to obtain an order permitting a DNA test to be carried out to determine if he was the father. In her defence, the woman claimed that this would offend her right to privacy. The high court reaffirmed the guidelines laid down in the Gautam Kundu case (supra), and also upheld the petitioner’s right to privacy over her own body. However, the court took the stance that she did not have a right of privacy over the foetus once it had been discharged from her body:

"The petitioner indeed has a right of privacy but is being not an absolute right, therefore, when a foetus has been preserved in All India Institute of Medical Science, the petitioner, who has already discharged the same cannot claim that it affects her right of privacy.

However, if the petitioner was being compelled to subject herself to blood test or otherwise, she indeed could raise a defense that she cannot be compelled to be a witness against herself in a criminal case or compelled to give evidence against her own even in a civil case but the position herein is different. The petitioner is not being compelled to do any such act. Something that she herself has discharged, probably with her consent, is claimed to be subjected to DNA test. In that view of the matter, in the peculiar facts, it cannot be termed that the petitioner has any right of privacy."

The decision has wide-ranging implications since it virtually divests control and ownership over any material that has been discarded from the body – from nails to hair to tissue samples. In an interesting case in the US, Moore v. Regents of the University of California [24], the Supreme Court of California was faced with a suit to determine whether a man retained ownership over cells that had been removed from his body through a surgical procedure. In this case, cells from a patient’s spleen were used to conduct research which resulted in the patenting of a cell-line by the defendant. The patient sued for a share in the profits, but this was rejected by the court which held that he had no property rights to his discarded cells or any profits made from them. The court specifically rejected the argument that his spleen should be protected as property as an aspect of his privacy and dignity. The court held these interests were already protected by informed consent.

In a sense the Ms. X vs Mr. Z case arrives at identical conclusions without as much deliberation on its implications. It would be interesting to see how subsequent courts interpret and apply this precedent.

One of the most critical factors, consistently weighed by courts alongside the privacy rights implicated, is the ‘best interests’ of the child. Thus, in Bhabani Prasad Jena v. Convenor Secretary, Orissa State Commission for Women & Anr.[25], the Supreme Court quashed a high court-mandated DNA test to determine the paternity of an unborn child in a woman’s womb. In doing so, the SC observed:

“In a matter where paternity of a child is in issue before the court, the use of DNA is an extremely delicate and sensitive aspect. One view is that when modern science gives means of ascertaining the paternity of a child, there should not be any hesitation to use those means whenever the occasion requires. The other view is that the court must be reluctant in use of such scientific advances and tools which result in invasion of right to privacy of an individual and may not only be prejudicial to the rights of the parties but may have devastating effect on the child. Sometimes the result of such scientific test may bastardise an innocent child even though his mother and her spouse were living together during the time of conception. In our view, when there is apparent conflict between the right to privacy of a person not to submit himself forcibly to medical examination and duty of the court to reach the truth, the court must exercise its discretion only after balancing the interests of the parties and on due consideration whether, for a just decision in the matter, DNA is eminently needed. (emphasis added)

A strong trend, evident in this case, is the bussing of the interests of the child (in not being declared illegitimate), along with the privacy rights of the mother. The two create a composite interest opposed to that of the putative father, which the courts have been reluctant to interfere with except for the most compelling reasons. But what happens when then the interests of the child conflict with the privacy rights of either parent?

In a high profile case in 2010, Shri Rohit Shekhar vs Shri Narayan Dutt Tiwari[26], the Delhi High was called upon to determine whether a man had a right to subject the person he named as his biological father to a DNA test. Contrary to the trend in the preceding cases, it was the biological father who pleaded his right to privacy in this case. The court relied on international covenants to affirm the “right of the child to know of her (or his) biological antecedents” irrespective of her (or his) legitimacy. The court ruled:

There is of course the vital interest of child to not be branded illegitimate; yet the conclusiveness of the presumption created by the law in this regard must not act detriment to the interests of the child. If the interests of the child are best sub-served by establishing paternity of someone who is not the husband of her (or his) mother, the court should not shut that consideration altogether.

The protective cocoon of legitimacy, in such case, should not entomb the child’s aspiration to learn the truth of her or his paternity.

The court went on to draw a distinction between legitimacy and paternity that may both "be accorded recognition under Indian law without prejudice to each other. While legitimacy may be established by a legal presumption [under section 112 of the Evidence Act], paternity has to be established by science and other reliable evidence"[27] The court, however, reaffirmed that the same considerations would apply as was laid down in previous cases – i.e., the plaintiff would have to establish a prima facie case and weigh the competing interests of privacy and justice before it could order a DNA test. In this case, the petitioner was able to produce DNA evidence that excluded the possibility that his legal father was his biological father. In addition, photographic and testimonial evidence suggested that the respondent could be his biological father. On these grounds the Delhi High Court ordered the respondent to undergo a DNA test. This was upheld in an appeal to the Supreme Court.

So from the foregoing cases, it appears that it is the ‘best interests of the child’ that undergrids the right to privacy of either parent. When the two are in conflict it is the former that will, the case law suggests, invariably prevail.

Bodily Effects — Fingerprints, handwriting samples, photographs, Irises, narco-analysis, brain maps and DNA

The human body easily betrays itself. We are incessantly dropping residues of our existence wherever we go – from shedding hair and fingernails, to fingerprints and footprints, handwriting – which, through use of modern technology, can implicate our bodies, and identify us against our will. Not even our thoughts are immune as new technologies like brain mapping pretend to be able to harvest psychic clues from our physiology.

In this section we explore occasions when the state may compel us to 'perform' our existence for instance, by submitting to photography, providing finger impressions or handwriting samples, submit to narco-analysis and truth tests, and more recently to provide iris scan data or our DNA.

Section 73 of the Evidence Act stipulates that the court "may direct any person present in the court to write any words or figures for the purpose of enabling the court to compare the words or figures so written with any words or figures alleged to have been written by such person."

This section was interpreted by the Supreme Court in State of U.P. v. Ram Babu Misra [28] where it was held that there must be “some proceeding before the court in which...it might be necessary... to compare such writings”. This specifically excludes, say, a situation where the case is still under investigation and there is no present proceeding before the court. “The language of section 73 does not permit a court to give a direction to the accused to give specimen writings for anticipated necessity for comparison in a proceeding which may later be instituted in the court.”

The pre-independence Identification of Prisoners Act, 1920 provides for the mandatory taking, by police officers, of 'measurements' and photograph of persons arrested or convicted for any offence punishable with rigorous imprisonment for a term of one year of upwards or ordered to give security for his good behaviour under section 118 of the Code of Criminal Procedure. [29] The Act also empowers a magistrate to order a person to be measured or photographed if he is satisfied that it is required for the purposes of any investigation or proceeding under the Code of Criminal Procedure, 1898. [30]

The Act also provides for the destruction of all photographs and records of measurements on discharge or acquittal. [31]

In addition, the Code of Criminal Procedure was amended in 2005 to enable the collection of a host of medical details from accused persons upon their arrest. Section 53 of the Code of Criminal Procedure provides that upon arrest, an accused person may be subjected to a medical examination if there are “reasonable grounds for believing” that such examination will afford evidence as to the crime. The scope of this examination was expanded in 2005 to include “the examination of blood, blood-stains, semen, swabs in case of sexual offences, sputum and sweat, hair samples and finger nail clippings by the use of modern and scientific techniques including DNA profiling and such other tests which the registered medical practitioner thinks necessary in a particular case.”

In a case in 2004, the Orissa High Court affirmed the legality of ordering a DNA test in criminal cases to ascertain the involvement of persons accused. Refusal to co-operate would result in an adverse inference drawn against the accused.

After weighing the privacy concerns involved, the court laid down the following considerations as relevant before the DNA test could be ordered:

the extent to which the accused may have participated in the commission of the crime;
the gravity of the offence and the circumstances in which it is committed;
age, physical and mental health of the accused to the extent they are known;
whether there is less intrusive and practical way of collecting evidence tending to confirm or disprove the involvement of the accused in the crime;
the reasons, if any, for the accused for refusing consent [32]

Most recently the draft DNA Profiling Bill pending before the Parliament attempts to create an ambitious centralized DNA bank that would store DNA records of virtually anyone who comes within any proximity to the criminal justice system. Specifically, records are maintained of suspects, offenders, missing persons and “volunteers”. The schedule to the Bill contains an expansive list of both civil and criminal cases where DNA data will be collected including cases of abortion, paternity suits and organ transplant. Provisions exist in the bill that limit access to and use of information contained in the records, and provide for their deletion on acquittal. These are welcome minimal guarantors of privacy.

It is evident that the utility of this mass of information – fingerprints, handwriting samples and photographs, DNA data – in solving crimes is immense. Without saying a word, it is possible for a person to be convicted based on these various bodily affects – the human body constantly bears witness and self-incriminates itself. Both handwriting and finger impressions beg the question of whether these would offend the protection against self-incrimination contained in Article 20(3) of our Constitution which provides that “No person accused of any offence shall be compelled to be a witness against himself.” This argument was considered by the Supreme Court in the State of Bombay vs Kathi Kalu Oghad and Ors. [33] The petitioner contended that the obtaining of evidence through legislations such as the Identification of Prisoners Act amounted to compelling the person accused of an offence "to be a witness against himself" in contravention of Article 20(3) of the Constitution. The court held that “there was no infringement of Article 20(3) of the Constitution in compelling an accused person to give his specimen handwriting or signature, or impressions of his thumb, fingers, palm or foot to the investigating officer or under orders of a court for the purposes of comparison. ...Compulsion was not inherent in the receipt of information from an accused person in the custody of a police officer; it will be a question of fact in each case to be determined by the court on the evidence before it whether compulsion had been used in obtaining the information.” [34]

Over the past two decades, forensics has shifted from trying to track down a criminal by following the trail left by her bodily traces, to attempting to apply a host of invasive technologies upon suspects in an attempt to ‘exorcise’ truth and lies directly from their body. One statement by Dr M.S. Rao, Chief Forensic Scientist, Government of India captures this shift:

Forensic psychology plays a vital role in detecting terrorist cases. Narco-analysis and brainwave fingerprinting can reveal future plans of terrorists and can be deciphered to prevent terror activities⁄ Preventive forensics will play a key role in countering terror acts. Forensic potentials must be harnessed to detect and nullify their plans. Traditional methods have proved to be a failure to handle them. Forensic facilities should be brought to the doorstep of the common man⁄ Forensic activism is the solution for better crime management. [35]

Although there are several such 'technologies' which operate on principles ranging from changes in respiration, to mapping the electrical activity in different areas of the brain, what is common to them all, in Lawrence Liang’s words is that they “maintain that there is a connection between body and mind; that physiological changes are indicative of mental states and emotions; and that information about an individual’s subjectivity and identity can be derived from these physiological and physiological measures of deception” [36]

So, how legal are these technologies, in view of the constitutional protections against self-incrimination? In a case in 2004 the Bombay High Court upheld these technologies by applying the logic of the Kathi Kalu Oghad case discussed above. The court drew a distinction between ‘statements’ and ‘testimonies’ and held that what was prohibited under Article 20(3) were only ‘statements’ that were made under compulsion by an accused. In the court’s opinion, “the tests of Brain Mapping and Lie Detector in which the map of the brain is the result, or polygraph, then either cannot be said to be a statement”. At the most, the court held, “it can be called the information received or taken out from the witness.” [37]

This position was however overturned recently by the Supreme Court in Selvi v. State of Karnataka (2010)[38]. In contrast with the Bombay High Court, the Supreme Court expressly invoked the right of privacy to hold these technologies unconstitutional.

“Even though these are non- invasive techniques the concern is not so much with the manner in which they are conducted but the consequences for the individuals who undergo the same. The use of techniques such as 'Brain Fingerprinting' and 'FMRI-based Lie-Detection' raise numerous concerns such as those of protecting mental privacy and the harms that may arise from inferences made about the subject's truthfulness or familiarity with the facts of a crime.”

Further down, the court held that such techniques invaded the accused’s mental privacy which was an integral aspect of their personal liberty.

“There are several ways in which the involuntary administration of either of the impugned tests could be viewed as a restraint on 'personal liberty' ... the drug-induced revelations or the substantive inferences drawn from the measurement of the subject's physiological responses can be described as an intrusion into the subject's mental privacy”

Following a thorough-going examination of the issue, the Supreme Court directed that “no individual should be forcibly subjected to any of the techniques in question, whether in the context of investigation in criminal cases or otherwise. Doing so would amount to an unwarranted intrusion into personal liberty.” The court however, left open the option of voluntary submission to such techniques and endorsed the following guidelines framed by the National Human Rights Commission:

No Lie Detector Tests should be administered except on the basis of consent of the accused. An option should be given to the accused whether he wishes to avail such test.
If the accused volunteers for a Lie Detector Test, he should be given access to a lawyer and the physical, emotional and legal implication of such a test should be explained to him by the police and his lawyer.
The consent should be recorded before a judicial magistrate.
During the hearing before the magistrate, the person alleged to have agreed should be duly represented by a lawyer.
At the hearing, the person in question should also be told in clear terms that the statement that is made shall not be a `confessional' statement to the magistrate but will have the status of a statement made to the police.
The magistrate shall consider all factors relating to the detention including the length of detention and the nature of the interrogation.
The actual recording of the lie detector test shall be done by an independent agency (such as a hospital) and conducted in the presence of a lawyer. 250
A full medical and factual narration of the manner of the information received must be taken on record.

Although the right against self-incrimination and the inherent fallaciousness of the technologies were the main ground on which decision ultimately rested, this case is valuable for the court’s articulation of a right of ‘mental privacy’ grounded on the fundamental right to life and personal liberty. It remains to be seen whether this articulation will find resonance in other determinations in domains such as, say, communications.

Privacy of Records

Since at least the mid-nineteenth century, we have been living in what Nicholas Dirks has termed an 'ethnographic state' — engaged relentlessly and fetishistically in the production and accumulation of facts about us. From records of birth and death, to our academic records, most of our important transactions, our income tax filings, our food entitlements and our citizenship, most of us have assuredly been documented and lead a shadow existence somewhere on the files. Not only does the government keep records about us, but a host of private service providers including banks, hospitals, insurance and telecommunications companies maintain volumes of records about us. In this last section of this paper, we look at the privacy expectation of records both maintained by the government and the private sector.

Various statutes require records to be maintained of activities conducted under their authority and entire bureaucracies exist solely in service of these documents. Thus, for instance, the Registration Act requires various registers to be kept which record documents which have been registered under the Act. [39]; Once registered under this Act, all documents become public documents and State Rules typically contain provisions enabling the public to obtain copies of all documents for a fee. Similarly, a number of legislation – typically dealing with land records at the state level contain enabling provisions that allow the public to access them upon payment of a fee.

Where no provisions are provided within the statute itself that enable the public to obtain records, two recourses are still available.

Firstly, the Evidence Act enables courts to access records maintained by any government body. Secondly, private citizens may access records kept in public offices through the Right to Information Act. Each of these avenues is described in some details below:

Section 74 of the Evidence Act defines 'public documents' as including the following

Documents forming the acts, or records of the acts

Of the sovereign authority,
Of Official bodies and the Tribunals, and
Of public officers, legislative, judicial and executive, of any part of India or of the Commonwealth, or of a foreign country.

Public records kept in any state of private documents

It is clear from this definition that most records maintained by any government body are regarded as public documents. Section 76 mandates that every public officer "having custody of a public document, which any person has a right to inspect, shall give that person on demand a copy of it on payment of the legal fees therefor together with a certificate written at the foot of such copy that it is a true copy of such document or part thereof".

Since there is no legislative guidance within the Evidence Act to indicate who may be said to possess "a right to inspect", this has been interpreted to mean that where the right to inspect and take a copy is not expressly conferred by a statute (as in the Registration Act mentioned above), “the extent of such right depends on the interest which the applicant has in what he wants to copy, and what is reasonably necessary for the protection of such interest". So it isn’t any officious meddler who may access such records – only persons with genuine interests in the matter, either personal or pecuniary, may obtain copies through this route.

In addition to the Evidence Act, copies of documents may also be obtained under the Right to Information Act 2005 which confers on citizens the right to inspect and take copies of any information held by or under the control of any public authority. Information is defined widely to include "any material in any form, including records, documents, memos, e-mails, opinions, advices, press releases, circulars, orders, logbooks, contracts, reports, papers, samples, models, data material held in any electronic form and information relating to any private body which can be accessed by a public authority under any other law for the time being in force".

Section 8 (j) of the Act exempts "disclosure of personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual” unless the relevant authority “is satisfied that the larger public interest justifies the disclosure of such information".

In an interesting case Mr. Ansari Masud A.K vs Ministry of External Affairs (2008)[40] , the Central Information Commission has held that “details of a passport are readily made available by any individual in a number of instances, example to travel agents, at airline counters, and whenever proof of residence for telephone connections etc. is required. For this reason, disclosure of details of a passport cannot be considered as causing unwarranted invasion of the privacy of an individual and, therefore, is not exempted from disclosure under Section 8(1)(j) of the RTI Act.” This is despite the fact that nothing in the Passport Act itself authorizes disclosure of any documents under any circumstances.

However, the Right to Information Act isn’t as convenient a vehicle for privacy abuse as this case may suggest. The RTI adjudicatory apparatus has on several occasions upheld the denial of information on grounds of privacy violation – most famously in a case where an applicant sought information from the Census Department on the ‘religion and faith’ of Sonia Gandhi – the President of the largest party currently in power in India. Both the Central Information Commission – the apex body adjudicating RTI appeals as well as the Punjab and Haryana High Court upheld the denial of information as it would otherwise lead to an unwarranted incursion into her privacy.[41]

A similar concept of 'public interest' would seem to apply when private companies disclose personal information without a person’s consent. Without delving into the issue in too much detail, it would suffice here to mention one of the most important cases to have come up on the issue. In Mr. X vs Hospital Z[42] , a person sued a hospital for having disclosed his HIV status to his fiancé without his knowledge resulting in their wedding being called off. The Supreme Court held that the hospital was not guilty of a violation of privacy since the disclosure was made to protect the public interest. While affirming the duty of confidentiality owed to patients, the court ruled that the right to privacy was not absolute and was "subject to such action as may be lawfully taken for the prevention of crime or disorder or protection of health or morals or protection of rights and freedom of others."

Conclusion

Reflecting on the volume of case law that we have in India on privacy, one is struck at once, both by the elasticity of the concept of privacy — spanning, as it does, diverse fields from criminal law to paternity suits to wiretapping —as well as its fragility — the flag of privacy is constantly being raised only to be ultimately overridden on pretexts that range from security of state, to a competing private interest.

On the one hand, one marvels at the success of the concept, only a few decades old in Indian law, in insinuating itself into legal arguments across diverse contexts. On the other hand, one is dismayed by the fact that rarely does the concept seem to score a victory. There is an almost ritual quality to the way in which the “right to privacy” is invoked in these cases - always named as a relevant factor; it never seems to substantially influence the outcome of the case at hand.

The right to privacy in India was an Oops baby, born on the ventilator of a minority decision of the Supreme Court, and nourished in the decades that followed by sympathetic judges, who never failed to point out that this right was contingent — not absolute, not meant to be under the Constitution, but carved out anyway. Some five decades after its first invocation by the Supreme Court, one gets the feeling that the right to privacy, conceptually, hasn’t moved, and is still what it was then. We don’t, today, for the many times it has been invoked by courts, have a thicker, more robust concept of privacy than we started out with. So the question, that one is stuck with is, what work does this concept of privacy do?

One of the failings of the concept of privacy in India is that it doesn’t exist as a positive right, but is merely a resistive right against targeted intrusion. So for instance, the right to privacy would be useless as a concept to resist something like generalized street video surveillance – as long as a citizen is not singled out for a disadvantage, this right would be of no use. So this right to privacy is a negative right to not be interfered with. Under it one does not have the right to be as private as one wishes, but only no less than the next person. Still, even this limited concept could be useful, if it were applied more rigorously.

Unfortunately, as the case law indicates, the right to privacy cedes too quickly to competing interests. An incomplete rough catalog of these competing rights, drawn from the case law surveyed in this paper include:

public emergency and public safety (communications)
criminal investigation (search and seizure/communications)
competing private interests (divorce proceedings)
best interests of the child (paternity suits)
public interest (Right to Information)
competing fundamental rights (HIV status)

One may perhaps add judicial inactivity as one of the limiting factors on privacy. By holding that violations of procedure by investigating agencies would not vitiate trials, the judiciary has been complicit in perhaps some of the more damaging incursions into privacy. Once a person is implicated in any manner in the criminal justice system – either as a victim, a witness or an offender, investigating agencies are immediately invested with plenary powers. They can search his house without warrant. They can place him arrest. Subject him to ‘medical examinations’, take his fingerprints and DNA and hold it in a bank and there is nothing you can do. In this context, perhaps the strongest privacy safeguard can come from a reform in criminal procedure alone.

Notes

[1].The State of Uttar Pradesh V. Kaushaliya and Others AIR 1964 SC 416

[2].(1978) 2 SCR 621

[3]. 1 SCR 332

[4].AIR 1973 SC 157, 1973 SCR (2) 417

[5].(1975) 2 SCC 148

[6].(1994) 6 S.C.C. 632

[7].AIR 1997 SC 568

[8].AIR 1976 SC 789,1976 SCR (2)1060, (1976) 2 SCC 128

[9].Romesh Thappar vs The State Of Madras AIR 1950 SC 124 , 1950 SCR 594

[10].1966 AIR 1967 Ker 228, 1967 CriLJ 1511

[11].AIR 1980 SC 593 , 1980 SCR (2) 340

[12].[1963] Supp. 1 S.C.R. 408

[13].Distt. Registrar & Collector, Hyderabad v. Canara bank etc. AIR 2005 SC 186

[14].(2003) 4 SCC 493

[15].13-yr-old rape victim to HC: let me abort -, EXPRESS INDIA, April 21, 2010, http://tinyurl.com/13yrindian (last visited May 2, 2010).

[16].Suchita Srivastava v. Chandigarh Administration, (2009) 9 SCC 1. http://courtnic.nic.in/supremecourt/temp/dc%201798509p.txt (last visited May 2, 2010).

[17].Ibid

[18].410 U.S. 113 (1973)

[19].Article 21 does not limit the abridgement of the right to life by the state to only cases where the state has compelling state interest. The Article reads “No person shall be deprived of his life or personal librty except according to procedure established by law”

[20].Ibid

[21].Ibid

[22].AIR 1993 SC 2295, 1993 SCR (3) 917 <http://indiankanoon.org/doc/1259126/>

[23].AIR 2002 Delhi 217 <http://indiankanoon.org/doc/627683/>

[24].51 Cal. 3d 120; 271 Cal. Rptr. 146; 793 P.2d 479

[25].AIR 2010 SC 2851 <http://indiankanoon.org/doc/486945/>

[26].23 December, 2010 <http://indiankanoon.org/doc/504408/>

[27].Ibid

[28].AIR 1980 SC 791 , 1980 SCR (2)1067 , (1980) 2 SCC 343

[29].Sections 3 & 4 of the Identification of Prisoners Act, 1920

[30].Ibid, Section 5

[31].Section 7

[32].Thogorani Alias K. Damayanti vs State Of Orissa And Ors 2004 Cri L J 4003 (Ori) < http://indiankanoon.org/doc/860378/>

[33].AIR 1961 SC 1808 < http://indiankanoon.org/doc/1626264/>

[34].Ibid

[35].Keynote address given to the 93rd Indian Science Congress. See http://mindjustice.org/india2-06.htm, cited in Liang, L., 2007. And nothing but the truth, so help me science. In Sarai Reader 07 - Frontiers. Delhi: CSDS, Delhi, pp. 100-110. Available at: http://www.sarai.net/publications/readers/07-frontiers/100-110_lawrence.pdf [Accessed April 11, 2011].

[36].Ibid

[37].Ramchandra Ram Reddy v. State of Maharashtra [1 (2205) CCR 355 (DB)

[38].(2010) 7 SCC 263 http://indiankanoon.org/doc/338008/

[39].See Section 52 of the Registration Act 1908

[40].CIC/OK/A/2008/987/AD dated December 22, 2008 <http://indiankanoon.org/doc/1479476/>

[41].Anon, 2010. High Court dismisses appeal seeking information on Sonia Gandhi’s religion. NDTV Online. Available at: http://www.ndtv.com/article/india/high-court-dismisses-appeal-seeking-information-on-sonia-gandhi-s-religion-69356 [Accessed April 12, 2011].

[42].(2003) 1 SCC 500 40

Download file here [PDF, 312kb]

For more details visit https://cis-india.org/internet-governance/blog/privacy/limits-to-privacy

Video Surveillance and Its Impact on the Right to Privacy

Vaishnavi Chillakuru — 2011-09-29T05:35:56Z

The need for video surveillance has grown in this technologically driven era as a mode of law enforcement. Video Surveillance is very useful to governments and law enforcement to maintain social control, recognize and monitor threats, and prevent/investigate criminal activity. In this regard it is pertinent to highlight that not only are governments using this system, but residential communities in certain areas are also using this system to create a safer environment.

However, this move is fundamentally opposed by many civil rights and privacy groups across different jurisdictions and have expressed concern that by allowing continual increases in government surveillance of citizens that we will end up in a mass surveillance society, with extremely limited, or non-existent political and/or personal freedoms.

European Union

The Data Protection Directive [1]of 1995, a Directive was issued by the European Union (EU) to regulate the processing and free movement of personal data. In pursuance with this Directive, every country of the EU passed a legislation to govern the protection of personal data. In this regard, the United Kingdom (UK) enacted the Data Protection Act (DPA) in 1998 and the same was brought into force in the year 2001.

The DPA sets forth eight, Data Protection Principles (DPP)[2] to protect personal data in the public sphere. Although video surveillance has not been explicitly referred to in the legislation, the definition given by the DPA is broad enough to encompass it. The application of these principles to video surveillance has been made explicit through the publication of the CCTV Code of Practice (CoP) by the information commissioner. The CoP does not apply to surveillance cameras used for household purposes. Images captured for recreational purposes with a camera, video recorder, etc., are also exempt. The main features of the CoP have been summarized below:

It is important to ascertain who has the responsibility for the control of the images i.e., deciding what is to be recorded, how the images should be used and to whom they may be disclosed. The body which makes these decisions is called the data controller and is responsible for the compliance with the DPA. The body has to notify the information commissioner as to who the data controller is.
An impact assessment should be done to evaluate the scheme’s impact on the privacy rights of the public. While conducting such an assessment, the data controller should take into account what benefits can be gained, whether better solutions exist, and what effect it may have on individuals. The results of the assessment should be used to determine whether video surveillance is justified and if so, how it should be operated.
The camera equipment should be chosen so as to fulfill the purposes for which the surveillance is being carried out. They should have the necessary technical specification so that the images are of appropriate quality. The camera should be positioned in such a way that only those areas which are intended to be the subject of surveillance are covered.
Viewing of live feed must be restricted to authorized personnel only. The data controller should try and protect the images from public view. Disclosure of recorded images should also be controlled and limited to the purpose for which the surveillance was set up. All other requests for viewing images should be considered carefully and balanced against the privacy rights of other individuals who may be affected by the disclosure of the images.
The DPA does not prescribe any minimum or maximum period of retention. It should be ascertained keeping in mind the purpose for which the surveillance system was set up. However, the images should not be kept for longer than is strictly necessary.
There should be prominently placed signs to let people know that they are in an area which is under video surveillance. This can be supplemented by an audio announcement in places where public announcements are already being used, such as in stations. Systems in public spaces and shopping centres should have signs giving the name and contact details of the company, organisation or authority responsible.
Staff operating the system needs to be aware of the rights of the individual under the DPA.

Canada

Canada has two federal laws which deal with privacy — the Privacy Act, 1985 and the Personal Information Protection and Electronic Documents Act, 2000 (PIPEDA). The former protects privacy rights by limiting the collection, use and disclosure of personal information by the federal government departments and agencies whereas the latter deals with the collection, use and disclosure of personal information by private sector organizations. In addition to these two legislations, every province or territory has their own privacy legislations.

A privacy commissioner is appointed to receive and investigate complaints filed by Canadian citizens pertaining to allegations of violation of the Acts. They also conduct research into privacy issues and promote awareness. The privacy commissioner reports directly to the House of Commons and the Senate. Every province or territory may also have its own commissioner or ombudsman authorized to investigate complaints. The Office of the Privacy Commissioner of Canada (OPC) published two sets of guidelines in order to define and circumscribe the use of video surveillance and ensure that the impact on privacy is minimized.

The first set of guidelines is meant to guide the regulation of video surveillance (by law enforcement agencies) in public spaces i.e., in places where there is free and unrestricted access to everyone. These guidelines were drawn up after extensive discussions between the OPC and the Royal Canadian Mount Police (RCMP). However, these guidelines are to be considered merely as an aid and notwithstanding anything stated in the guidelines, the RCMP has the right to carry out its functions as it deems fit. Some of the important pointers are[3]

Video surveillance should only be used to address a "real and pressing problem" which is of sufficient in magnitude so as to warrant the overriding of the privacy rights of citizens. Hence, there should be "real and verifiable" instances of crime or concern for public safety.
Video surveillance should be conducted only as a last resort i.e., in circumstances where there in no other less privacy-intrusive alternative.
A "privacy impact assessment" should be conducted beforehand to assess the degree of interference that will result due to the video surveillance.
Relevant stakeholders (for example, members of the communities that will be affected by the surveillance systems) should be considered before arriving at a decision.
Video surveillance must comply with all applicable laws including over arching laws such as the Canadian Charter of Rights and Freedoms.
The video surveillance should be conducted in such a way that impact on the privacy rights of citizens is minimized. For example, limited use of video surveillance (e.g., for limited periods of day, public festivals, peak periods) should be preferred to be always on surveillance if it will achieve substantially the same result.
The public should be informed that they are under surveillance. Clear signs should be put up mentioning the perimeter of the surveillance areas, the person responsible for surveillance and his contact details in case of any queries.
Security of the equipment and images should be assured.
People whose images are recorded should be able to request access to their recorded personal information.

The second set of guidelines is with respect to video surveillance in private sector organizations. These guidelines apply to overt video surveillance of the public by private sector organizations in publicly accessible areas. They do not apply to covert video surveillance nor do they apply to the surveillance of employees.

"Determine whether a less privacy-invasive alternative to video surveillance would meet your needs.
Establish the business reason for conducting video surveillance and use video surveillance only for that reason.
Develop a policy on the use of video surveillance.
Limit the use and viewing range of cameras as much as possible.
Inform the public that video surveillance is taking place.
Store any recorded images in a secure location, with limited access, and destroy them when they are no longer required for business purposes.
Be ready to answer questions from the public. Individuals have the right to know who is watching them and why, what information is being captured, and what is being done with recorded images.
Give individuals access to information about themselves. This includes video images.
Educate camera operators on the obligation to protect the privacy of individuals.
Periodically evaluate the need for video surveillance."

United States of America

Statutory laws governing the regulation of video surveillance in America are scarce. While there are some state laws which regulate aspects of public video surveillance, there are virtually no federal laws which directly deal with it. However, video surveillance implicates certain constitutional doctrines — especially the first and the fourth amendments. Although it cannot be denied that the liberties enshrined by these amendments can be severely affected by continuous surveillance, so far, the American courts and jurisprudence on the subject have been very permissive.

Another important directive is the "Fair Information Practices" (FIP) originating from the recommendations written by the United States Government which provide certain rights to individuals with respect to the use and dissemination of personal information. Although these guidelines do not have the force of law, they can prove to be a valuable guide for the treatment of any government-held record containing personally identifiable information. The rights of individuals listed by the FIP, in their most basic form, have been given below:[4]

"Notice and awareness of the purpose of data collection, and how such information is used;
Consent to the collection of personal information, and choice concerning how it is used;
Access to and participation in the process of data collection and use, including the right to correct errors;
Integrity and security adequate to protect the information against loss or misuse; and
Redress and accountability for injury resulting from loss or misuse of personal information."

Also, the American Bar Association, in 1999, published standards for technologically-assisted physical surveillance, including video surveillance. Some of the key points of these guidelines are given below:

While regulating the use of video surveillance for law enforcement purposes, certain factors should be kept in mind. For example, the nature of the law enforcement objective or objectives sought to be achieved, the extent to which the surveillance will achieve the law enforcement objectives, the nature and extent of the crime involved, etc.
The extent to which the surveillance invades privacy should be assessed. While conducting such an assessment, care should be taken to enhance the privacy of the location under surveillance by taking into consideration the nature of the place, activity, condition, or location.
Alternate measures should be preferred over video surveillance in order to maintain a balance between the right to privacy and the need for surveillance.
Notice of the surveillance should be given when appropriate.
The scope of the surveillance should be limited to its authorized objectives and be terminated when those objectives are achieved.

Australia

Neither the Australian Federal Constitution nor the Constitutions of the six states and two territories contain any express provisions relating to privacy. However, there are several state and federal privacy laws governing specific sectors and aspects. The primary federal statute is the Privacy Act of 1988 (PA). This statute was enacted in a bid to give effect to Australia's commitment to the International Covenant on Civil and Political Rights and the Organization for Economic Cooperation and Development (OECD). There are four key areas of application of the Act out of which only two are relevant in the context of video surveillance. The first is the eleven Information Privacy Principles (IPPs), based on the OECD Guidelines. These principles are applicable to federal government agencies. The second is the National Privacy Principles (NPP) which regulates private sector organizations. However, private organizations can set forth their own "code of practice" and get it approved by the privacy commissioner as long as it does not go against the broad framework laid down by the NPPs.

Apart from the PA, each state or territory may have its own laws or practices regarding video surveillance. For instance, covert video surveillance in New South Wales is governed by the Workplace Video Surveillance Act, 1998. The Government of New South Wales also published a report on CCTV in public places. Similarly, Victoria is governed by the Surveillance Devices Act, 1999 and Western Australia by the Surveillance Devices Act, 1998. However, South Australia, Tasmania, Northern Territory and Australian Capital Region have no legislation dealing with the use of video surveillance.

Japan

The Constitution of Japan does not contain any express provisions guaranteeing the right to privacy. Till 2003, even statutory law in the field of data protection was non-existent and the government followed a policy of self regulation. It was only in 2003 that the Japanese Parliament enacted the Protection of Personal Information Act. The law underlying privacy in Japan[6] protects only personal information that is obtained and held by administrative agencies, private agencies. It seeks to set forth penal provisions in order to curb leakage of personal information by the government. The subsequent amendments to this Act have widened its scope to cover data that is paper based as well as computerized. Therefore, it can be said that the instant legislation is broad enough to encompass video surveillance data as well.

In this regard it is set forth that there exists no consolidated law to govern video-surveillance systems. Nevertheless, Japan uses video surveillance systems in order to assist the law enforcement agencies. The National Police Agency uses a video surveillance system called the "N system"[7] in order to record license plate numbers of vehicles on roads, highways, etc. This facilitates effective and efficacious law enforcement in Japan. Furthermore, Tokyo police have been operating surveillance cameras on utility poles and buildings to monitor pedestrians in the several densely populated districts of the city.[8] However, this mechanism has been challenged severely by litigants and many privacy groups in the court of law.

Conclusion

We have now moved into an age where security seems to be the primary issue for most countries and their citizens. Video surveillance is increasingly being used to assuage the fears of the citizens and bring perpetrators to justice. In such a scenario, the issue of privacy rights of individuals seems to have taken a backseat. While some countries such as Canada and Britain have attempted to strike a balance between the need for surveillance and the privacy rights of the people, other countries such as the United States of America and Japan do not seem to have made much progress in terms of creating video surveillance norms or regulations to protect the privacy rights of citizens.

Considering the pressing need for video surveillance to address national security issues, India surprisingly has no laws on the same. In this regard, India needs to draw from the experience of the United Kingdom and Canada. The first step is to enact laws permitting video surveillance.

These laws should be tightly worded and strictly connoted, considering the encroachment on civil liberties. Further, in order to balance security with privacy, the next step is to create an office for the information commissioner. It should be created and powers should be conferred to ensure that the privacy related disputes are handled efficiently and expeditiously. Furthermore, the misuse of the powers conferred upon surveillance authorities should be deterred by giving further powers to the commissioner to impose pecuniary liability.