The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 61 to 75.
SCOSTA and UID Comparison not Valid, says Finance Committee
https://cis-india.org/internet-governance/blog/scosta-uid-comparison-invalid
<b>The Standing Committee on Finance Branch, Lok Sabha Secretariat has responded to the suggestions offered by CIS on the National Identification Authority of India, Bill 2010 and has requested it to mail its views by 14 October 2011.</b>
<p>On January 6, 2011, CIS had sent an <a href="https://cis-india.org/internet-governance/blog/blog/privacy/letter-to-finance-committee" class="external-link">open letter to the Parliamentary Finance Committee</a> demonstrating how the Aadhaar biometric standard is weaker than the SCOSTA standard. The text of the reply is reproduced below.</p>
<p>Sir,</p>
<p>This is in response to one of the views/suggestions offered by CIS on the National Identification Authority of India Bill, 2010.</p>
<h3>CIS View /Suggestion:</h3>
<div> </div>
<p>"Though the Aadhaar biometrics are useful for the de-duplication and identification of individuals, the Smart Card Operating System for Transport Application [(SCOSTA), developed by the National Informatics Centre in India)] standard is a more secure, structurally sound, and cost-effective approach to authentication of identity for India. Therefore, the Aadhaar biometric based authentication process should be replaced with a SCOSTA standard based authentication process."</p>
<p>In this regard, do you agree with the following view? If not, please justify.</p>
<p>"Comparison between SCOSTA and the UID project are not valid since SCOSTA is fundamentally a standard for smart card based authentication and does not work for the objectives of the unique id project.</p>
<p>The UID project follows a different approach and has multiple objectives — providing identity to residents of India, ensuring inclusion of poor and marginalized residents in order to enable access to benefits and services, eliminating the fakes, duplicates and ghost identities prevalent in other databases and provide a platform for authentication in a cost effective and accessible manner.</p>
<p>UIDAI is not issuing cards or smart cards. Cards can be issued by agencies that are providing services. UID authentication does not exclude smart cards — service providers can still choose to issue smart cards to their beneficiaries or customers if they want to."</p>
<p>You are requested to email your view by 14 October, 2011 positively.</p>
<p>Standing Committee on Finance Branch<br />Lok Sabha Secretariat</p>
<div> </div>
<div> </div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/scosta-uid-comparison-invalid'>https://cis-india.org/internet-governance/blog/scosta-uid-comparison-invalid</a>
</p>
No publisherelonnaiInternet Governance2011-11-22T16:37:43ZBlog EntryUnderstanding the Right to Information
https://cis-india.org/internet-governance/understanding-right-to-information
<b>Elonnai Hickok summarises the Right to Information Act, 2005, how it works, how to file an RTI request, the information that an individual can request under the Act, the possible responses and the challenges to the citizen and the government. She concludes by saying that there are many structural changes that both citizens and governmental officers can make to improve the system.</b>
<h2>Introduction</h2>
<p style="text-align: justify; ">The <a class="external-link" href="http://righttoinformation.gov.in/webactrti.htm">Right to Information Act, 2005</a> (RTI) was created in 2005 and marked an important time in Indian legislative history. The Right to Information enables citizens to hold the government accountable and ensure that it is a transparent body. Questions that can be asked by the citizen to the government range from anything that may concern to some meeting notes to why a teacher is not present in a public school, etc. In the current RTI system there are many challenges that are inhibiting the government’s efficient delivery of the RTI as a service to the people. This has changed the concept of how the citizens view the RTI, as the government feels harassed and the citizens feel as though their rights are being unjustly denied. Additionally, individuals have turned the RTI into a redressal mechanism rather than a way to ensure transparency and learn/understand how their government is functioning. The use of the RTI as a redressal mechanism has created a relationship of animosity between the government and citizens. The below note outlines the ecosystem of the RTI and notes specific challenges that both citizens and the government face.[<a href="#1">1</a>]</p>
<h2>The RTI Ecosystem</h2>
<h3>RTI work flow</h3>
<div>
<ul>
<li style="text-align: justify; ">An individual files an RTI with the central/ state public information officer (PIO) or a specific PIO. PIOs are often not trained, and rarely apply for the position, but are instead designated.</li>
<li style="text-align: justify; ">Within five days the information is to be forwarded to the correct PIO.</li>
<li style="text-align: justify; ">The PIO must open a file and dispose of the request within 30 days. </li>
<li style="text-align: justify; ">If the PIO fails to reply to the applicant by either approving or denying a request, the PIO is liable to pay a fine of Rs. 250 for each day of delay. </li>
<li style="text-align: justify; ">If information is electronically uploaded, it is stored in any format the officer chooses (jpeg, pdf, html, etc).</li>
<li style="text-align: justify; ">Except for land records and staff records, files are retained for a maximum of one year. </li>
<li style="text-align: justify; ">If the PIO does not dispose of the request, there is scope for an appeal within 30-45 days to the appellate authority.</li>
<li style="text-align: justify; ">There is scope for a second appeal to the information commissioner if the authority does not respond within 90 days or the answer is found to be unsatisfactory. </li>
<li style="text-align: justify; ">The final decision of the information commissioner is binding. </li>
</ul>
</div>
<h3><span class="Apple-style-span">Filing an RTI request</span></h3>
<div style="text-align: justify; ">Though there is no specific format an individual must follow when submitting an RTI, when filing a request, individuals must include:</div>
<div>
<ul>
<li style="text-align: justify; ">His /her name and address.</li>
<li style="text-align: justify; ">The name and address of the public information officer (PIO).</li>
<li style="text-align: justify; ">The particulars of information/documents required (limited to 150 words and one subject matter).</li>
<li style="text-align: justify; ">The time period of the information required.</li>
<li style="text-align: justify; ">Proof of payment.</li>
<li style="text-align: justify; ">Signature.</li>
<li style="text-align: justify; ">Proof if the individual is a BPL holder.[<a href="#2">2</a>] </li>
</ul>
</div>
<h3>Information that an individual can request under the RTI Act</h3>
<div>
<ul>
<li style="text-align: justify; ">Inspection of work, documents, and records</li>
<li style="text-align: justify; ">Taking notes, extracts or certified copies of documents or records.</li>
<li style="text-align: justify; ">Taking certified samples of material.</li>
<li style="text-align: justify; ">Obtaining of information in the form of diskettes, floppies, tapes, and video cassettes, or in any other electronic mode, or through printouts where such information is stored in a computer, or in any other device.</li>
<li style="text-align: justify; ">Obtaining the status of an RTI request or complaint.</li>
</ul>
</div>
<div style="text-align: justify; ">Note: If an individual is requesting third party information, the PIO must inform the third party and provide the individual the opportunity to state a reason for not disclosing the information.</div>
<div>
<h3>Accepted format of requested materials and records</h3>
<ul>
<li style="text-align: justify; ">Material requested can be in any format including: records, documents, memos, emails, opinions, advices, press releases, circulars, orders, logbooks, contracts, reports, papers, samples, models, and data material held in any electronic form.</li>
<li style="text-align: justify; ">Records requested can include: any document, manuscript and file, any microfilm, microfiche and facsimile copy of a document, and reproduction of image or images embodied in such microfilm (whether enlarged or not), and any other material produced by a computer or any other device.</li>
</ul>
</div>
<h3><span class="Apple-style-span">Possible Responses to an RTI request</span></h3>
<div>
<div><b>An information officer can respond to an RTI in the following ways</b>:</div>
<div>
<ul>
<li style="text-align: justify; ">Transfer request to appropriate PIO within five days and notify the applicant about the transfer.</li>
<li style="text-align: justify; ">Provide the requested information within 30 days.</li>
<li style="text-align: justify; ">Reject the request information within 30 days stating the reasons for rejection, the period within which an appeal against such rejection may be preferred, and the details of the appellate authority.</li>
<li style="text-align: justify; ">Not respond to the applicant. If no response is received within 30 days the officer is liable for a penalty of Rs. 250 per day.</li>
</ul>
</div>
<h3><span class="Apple-style-span">Appeal/Complaint Process</span></h3>
<div>
<ul>
<li style="text-align: justify; ">First appeal can be filed after 30 days or if the information given was unsatisfactory. The appeal must include: name and address of the appellant, name and address of the PIO involved, brief facts leading to appeal, relief sought, grounds for appeal, and copies of the application or documents involved, including copies of the reply, if received from the PIO.</li>
<li style="text-align: justify; ">Second appeal must contain: name and address of the applicant, and name and address of the PIO involved, particulars of the Order including the number if any against which the appeal is preferred, brief facts leading to the appeal, if appeal/complaint is preferred against deemed refusal then the particulars of the application, including number and date and name, address of the PIO to whom the application was originally made, relief sought, grounds for the relief, verification by the applicant, any other information which the commission may deem necessary for deciding during the appeal, self attested copies of the application or documents involved, copies of the documents relied upon by the appellant and referred to in the appeal, and an index of the documents referred to in the appeal.</li>
<li style="text-align: justify; ">A complaint must include: name and address of the complainant, name and address of the state PIO against whom the complaint is being made, facts leading to the complaint, particulars of the application [number, date, name and address of the PIO (three copies)], relief sought, grounds and proof for relief, verification of the complainant (three copies), index of documents referred to in the complaint, and any other necessary information.[<a href="#3">3</a>]</li>
</ul>
</div>
<h2>Challenges to the Citizen</h2>
<h3>Knowing the correct Public Information Officer</h3>
<p style="text-align: justify; ">Knowing which public information officer to mail in the RTI request is the first difficulty that an individual faces. As noted above in 2008 there were a total of 73,256 recorded public information commissioners in the State of Karnataka. New public information commissioners are created every day, because the RTI extends not only to any department of the government, but to any sub-contracted company, organization, school, or NGO that is receiving government funding and doing work on behalf of the government directly or indirectly. Lists of PIOs can be found on department bulletin boards and websites, but there is no clear method for an individual to know what information each PIO is the custodian over. Thus, they are left to determine on their own, and rely on the PIO to forward their application to the correct individual.</p>
</div>
<h3>Filing in the correct format</h3>
<div>
<p style="text-align: justify; ">Though it is stated in the law what language an RTI request will be accepted in, and what information should be included – individuals are often unaware of the guidelines and unaware of how to correctly fill out an RTI request. An incorrectly formatted request is one of the major reasons for rejection of a request by the PIO.</p>
</div>
<h3>Language</h3>
<div>
<p style="text-align: justify; ">In the State of Karnataka, RTIs can be filed only in two languages: Kannada and English. By law, RTI responses are given only in the language that the department works in on a daily basis, and in English. The information that is supplied through the request is given in its original language. For example, if you ask for a document that is originally in Marathi, the document will be photo copied and sent to you. No translation of documents takes place, because it is not the job function of the officer to translate documents.</p>
</div>
<h3>Appeals</h3>
<div>
<p style="text-align: justify; ">If an individual is denied information, or does not receive a reply within 30 days, they have the option of seeking an appeal through an appellate authority. In 2008 Karnataka had 5416 Appellate Authorities. Currently, because of the backlog in appeal cases and the slow functioning of the system, an individual might have to wait for upto one year for his/her appeal to be heard. Often at this point the information is no longer relevant or needed.</p>
</div>
<h3>Privacy</h3>
<div>
<p style="text-align: justify; ">In some cases individuals are denied a request for information based on the grounds that it would invade the privacy of the public officer. This is sometimes the case and sometimes not the case. Finding the right balance between the right to information and privacy is important, as protecting an individual’s privacy is crucial, but privacy should not be used as a reason for the government to be less transparent to the citizen and be used as a way to deny a citizen the information that they are entitled to.[<a href="#4">4</a>]</p>
</div>
<h2>Challenges in the RTI System for the Government</h2>
<ul>
<li style="text-align: justify; "><b>Too many RTI requests and no system to record duplicates</b>: As the figure shows above, in 2008, the Karnataka Government received 42208 RTI requests. Currently, it is not possible to know how many of these requests were duplicates since departments handling RTIs do not make it a practice to upload and organize filed RTI requests in a format easily accessible to citizens. Thus, there is no present system in place to track, upload, and store past RTI's in a meaningful way.</li>
<li style="text-align: justify; "><b>Additional overhead in recording, organizing, accessing, and storing data</b>: In the current system every time an RTI request is received by the government, they open a new file for that request. Though in some ways this system of storage simplifies the process of finding past RTIs, it adds an additional overhead cost as photocopies must be made, new files created, and correctly added to the organized system. Each state follows its own method of recording, organizing, accessing, and storing data – thus, currently it is not possible to easily access the information from another state or combine information from two separate states.</li>
<li style="text-align: justify; "><b>Lack of compliance with section 4(d) pro-active disclosure</b>: Under section 4 (d), the government is required to pro-actively disclose a pre-determined data to the public via websites and other useful modes. Currently there is very little compliance with section 4(d) from governmental departments. There are many factors that contribute to the low rate of compliance that exist including lack of resources and lack of proper enforcement. If governmental departments were to comply with section 4(d) then the load of RTI requests and the time each request must take to answer could be lightened considerably as the government could respond by pointing citizens to the already disclosed information. </li>
</ul>
<h2>Conclusion</h2>
<div style="text-align: justify; ">Though the Right to Information is an important right, the above entry looks at some of the weaknesses and challenges in the system. There are many structural changes that both citizens and governmental officers can make to improve the system such as pro-actively disclosing information, ensuring that an RTI is filed correctly, and creating a system for organizing previously asked questions. Alongside of these structural changes it is also critical that a positive culture of transparency and accountability is fostered throughout society, thus encouraging citizens to actively engage with the government and exercise their right to information.</div>
<div style="text-align: justify; "></div>
<hr />
<p><b>Notes</b></p>
<p>[<a href="#fr1" name="fn1">1</a>].I am grateful to N. Vikram Simha, RTI activist, for his insight and feedback into the RTI system.</p>
<p>[<a href="#fr2" name="fn2">2</a>].N. Vikram Simha, Right to Information Act of 2005: Guide for Citizens.</p>
<p>[<a href="#fr3" name="fn3">3</a>].N. Vikram Simha, Right to Information: Trend Ahead. Karanataka State Chartered Accountants Association, Bangalore</p>
<p>[<a href="#fr4" name="fn4">4</a>].N. Vikram Simha, RTI and Protection of Individual Privacy</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/understanding-right-to-information'>https://cis-india.org/internet-governance/understanding-right-to-information</a>
</p>
No publisherelonnaiInternet Governance2013-06-12T11:39:05ZBlog EntryRight to Privacy Bill 2010 — A Few Comments
https://cis-india.org/internet-governance/blog/privacy/privacy-bill-2010
<b>Earlier this year, in February 2011, Rajeev Chandrasekhar introduced the Right to Privacy Bill, 2010 in the Rajya Sabha. The Bill is meant to “provide protection to the privacy of persons including those who are in public life”. Though the Bill states that its objective is to protect individuals’ fundamental right to privacy, the focus of the Bill is on the protection against the use of electronic/digital recording devices in public spaces without consent and for the purpose of blackmail or commercial use.</b>
<h2>Specific Recommendations</h2>
<div>
<div> </div>
</div>
<p>The use of electronic recording devices in public is an important and expansive aspect of privacy, which is yet to be directly covered by Indian law. Though the Bill addresses the basic usage of electronic devices with built-in cameras, it frames the violation as a personal violation. In doing so, the Bill has taken a punitive approach, making it criminal to take photographs in situations outside of the laid-out regulations, rather than protective in nature, i.e., working to protect individuals from harassment and blackmail, and offer forms of redress to those damaged. </p>
<p>The Bill fails to address scenarios such as Google street view, satellite photographs, news channels, and live feeds at events and conferences. In these situations live data is being transmitted and posted on the Web for public to view by the media. When looking at the dilemma of photographs being taken in public by the media, the privacy interests are different to those that are based on control of personal information alone. They are substantive, as opposed to informational, and engage directly with individual dignity, autonomy, and the freedom of expression. For example, the interest in freedom of expression encompasses both those of the photographers and journalists producing material for his/her journal. Can a journalist print a photograph taken in a public space — of a public figure, which the public figure did not consent to, and which that person considers defamatory? </p>
<p>Interestingly, Europe has strong laws regulating the taking of photographs in public spaces, but these rules are covered by the Protection from Harassment Act, 1997 (UK), which speaks specifically to the media’s behaviour towards public figures — or they fall under a tort of misuse. In the US taking photographs only becomes an issue in the use of the photograph. Essentially anyone can be photographed without consent except when they have secluded themselves in places where they have a reasonable expectation of privacy such as dressing rooms, restrooms, medical facilities, or inside a private residence. This legal standard applies regardless of the age, sex, or other attributes of the individual. Once a photograph is taken, and if that photograph is used for commercial gain without consent or publicizes an otherwise private person inappropriately, then that person can be held liable under the tort of misappropriation. </p>
<h2>Specific Comments to the Bill</h2>
<h3>Misguiding Title</h3>
<p>The title of the Bill is, the Personal Data Protection Bill, 2006," but the scope of the Bill is focused on regulating the use of electronic recording devices, and it does not include many aspects of privacy. So we recommend that the title of the Bill be modified to "The Electronic Recording Devices Bill, 2010".</p>
<h3><span class="Apple-style-span">Inappropriate Blanket Use of Privacy </span></h3>
<p>The introduction to the Bill states that its purpose is "for the protection of the right to privacy of persons including those who are in public life so as to protect them from being blackmailed or harassed or their image and reputation being tarnished in order to spoil their public life and for the prevention of misuse of digital technology for such purposes and for matters connected therewith and incidental thereto." </p>
<p><strong>Comment</strong>: Notwithstanding the fact that violations of privacy extend beyond blackmail, harassment, and defamation, and that digital technologies are not the only vehicles for privacy violations, it is important to qualify that privacy is not a blanket right, and that for public persons, the privacy that they are afforded is determined by balancing their interest against the public interest. </p>
<h3>Narrow Definition of Public Figures </h3>
<p>Section 2 (b) of the Bill states: "persons in public life" includes the representatives of the people in Parliament, state legislatures, local self government bodies, and office bearers of recognized political parties</p>
<p><strong>Comment</strong>: Persons in public life include persons beyond the political sphere, specifically those in higher positions that influence the behaviour, lifestyles, and culture of the general population. Thus, we recommend that this definition be extended to include actors, actresses, athletes, artists, and musicians, CEOs, and authors.</p>
<h3>Insufficient Limits to the Right to Privacy</h3>
<p>Section 3 (1) states: “Notwithstanding anything contained in any other law for the time being in force every person, including persons in public life, shall have the right to privacy which shall be exclusive, unhindered and there shall be no unwarranted infringement thereof by any other person, agency, media or anyone: </p>
<p>Provided that sub-section (1) of section 3 shall not apply in cases of corruption, and misuse of official positions by persons in public life.</p>
<p><strong>Comment</strong>: We recommend that the right to privacy, as any right, need not be identified as exclusive or unhindered. The right to privacy must be determined on a case by case basis relative to the public interest, and, while cases of corruption and misuse of official position by persons in public life certainly qualify, they do not encompass the wider variety of situations in which an individual’s right to privacy should be limited. For instance, if a public figure speaks out on an issue in a way that contradicts an earlier position that was captured on video, shouldn’t that be allowed to be made public? If a public figure is photographed in a morally questionable position, shouldn’t that be allowed to be made public? Indeed, even for private individuals, privacy is a matter of context. In airports and other sensitive public places it is commonly accepted that an individual’s right to privacy can be limited. If an individual has a disease such as HIV, under what circumstances should some or all of the greater public should be informed and their right to privacy may be limited? </p>
<h3>Limited Scope of Technology </h3>
<p>Section 4 of the Bill states: "No person shall use a cellular phone with an inbuilt camera, if it does not produce a sound of at least 65 decibels and flash a light when used to take a picture of any object or person, as the case may be. </p>
<p><strong>Comment</strong>: We recommend that this clause clarifies if only cellular phones, and not cameras, computers, or other devices with built-in cameras are required to produce the sound of at least 65 decibels.</p>
<h2>Overly Complicated Clauses </h2>
<p>Section 5 of the Bill states: Notwithstanding anything contained in any other law for the time being in force, no person shall make digital recording or take photographs or make videography in any manner whatsoever of: </p>
<div>
<p>Section 5(a): any part or whole of a human body which is unclothed or partially clothed without the consent of the person concerned. </p>
<p>Section 5 (b): any part or whole of a human body at any public place without the consent of the person concerned and</p>
<p>Section 5 (c): the personal and intimate relationship of any couple in a home, hotel, resort, or any place within the four walls by hidden digital or other cameras and such other instruments, or any place within the four walls by hidden digital cameras and such other instruments…with the intent of blackmail or of making commercial gains from it or otherwise. </p>
<p><strong>Comment</strong>: Section 5 currently lists certain circumstances in which photographs are not allowed to be taken of individuals in public without consent if they are to be used for the purpose of commercial gain or blackmail. Blackmail or commercial gains are not the only ways in which digital recordings of people can be misused. Certainly, taking such pictures to post for purposes of hurting one’s reputation or causing humiliation is as reprehensible as taking pictures for commercial gain, so the provision is too narrow. It may also be overboard, because a person may be captured in an artistic or political photograph but have, for example, bare arms or legs. That would be a picture of a part of a human body at a public place. We recommend that the list of offences include misappropriation and false light, and that the manner of the picture-taking not be limited to clauses (a) to (c) above.</p>
<p>Section 5 is the first instance in which the use of digital recordings for commercial gain has been mentioned as a violation in the Bill. We recommend that commercial gain as a violation should be added to the introduction of the Bill.</p>
</div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-bill-2010'>https://cis-india.org/internet-governance/blog/privacy/privacy-bill-2010</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2012-03-22T06:26:14ZBlog EntryBloggers' Rights Subordinated to Rights of Expression: Cyber Law Expert
https://cis-india.org/internet-governance/blog/privacy/bloggers-rights-and-privacy
<b>Vijayashankar, an eminent cyber law expert answers Elonnai Hickok’s questions on bloggers' rights, freedom of expression and privacy in this e-mail interview conducted on May 19, 2011.</b>
<p>A set of <a class="external-link" href="http://www.mit.gov.in/sites/upload_files/dit/files/RNUS_CyberLaw_15411.pdf">rules</a> relating to regulation of the Internet (mentioned in section 79 of the ITAA, 2008) was released in April 2011. In light of the rules framed under the IT Act, and as part of our research on privacy and Internet users, we have been looking into questions surrounding bloggers’ rights, freedom of expression, and privacy.</p>
<p>The new rules require among other things that intermediaries take down any content that could be considered disparaging. In practice, these rules will act to limit the ability of individuals to express their opinions on the Internet — especially for the bloggers. Though these requirements seem to only impact the freedom of expression of bloggers, a blogger’s privacy rights, especially in relation to the protection of their identity, are also pulled into question. Other issues surrounding bloggers’ rights and privacy include: if bloggers are identified as journalists, then whether they should be afforded the same protections and privileges, e.g., should bloggers have the right to free political speech and should intermediaries have freedom from liability for hosting speech or others’ comments? Are bloggers allowed to publish material that is under copyright on their website?</p>
<p>On May 19, 2011, through e-mail, I had the opportunity to interview <a class="external-link" href="http://www.naavi.org/naavi_profile.html">Vijayashankar</a>, an expert in cyber law, on issues regarding the rights of bloggers freedom of expression, and privacy. Vijayashankar has authored multiple books on cyber law, taught in many universities, and is an active leader of the Netizen movement in India. Below is a summary of the questions I posed to Vijayashankar and his responses. </p>
<p>I began the interview by trying to understand bloggers’ rights and how they are defined. Often the term 'bloggers' rights is used casually, but it is important to understand the different roles that a blogger plays in order to understand what his/her rights are, how they could be violated, and how they could be protected. Vijayashankar explained that a blog is comprised of two parties: a blogger and an intermediary – which is the application host. Bloggers have many different roles: authors, editors, or publishers of content, and thus, a blogger’s rights should be defined within these contexts. As authors, bloggers write their own article/blog or adds comments to others’ blogs. As such, they should have the freedom to express their thoughts and opinions and determine a level of privacy with which to maintain them, without regulation or censorship from a third party. Though the freedom of expression and privacy should be basic rights for blog authors, bloggers must also be held accountable and responsible for the content that they choose to make public by posting on accessible web pages. </p>
<p>The need for a blogger to be held responsible and accountable is similar to the limitation on speech that informs defamation law, and it means that a blogger cannot be entirely anonymous – at least not once a blog is public and is challenged. Thus, accountability must limit the right to be entirely private and anonymous. Though a blogger should be held accountable, the international implications give rise to thorny issues of jurisdiction and accountability under unforeseen laws: all of which raises the question whether, instead of local jurisdictions seeking to enforce their laws against potentially out-of-the-jurisdiction bloggers, an international third party should be entrusted with the responsibility of holding bloggers accountable and responsible – whether that takes the form of an organization like the WTO or WIPO or looks more like specially trained international arbitrators.</p>
<p>This challenge arises because bloggers live in different jurisdictions where different rules apply, but their opinions cross multiple borders and boundaries. This raises questions such as: Which jurisdictional law should the blogger be accountable to? Should a blogger be held responsible for actions that are considered violations in a jurisdiction in which a blog is read, even if those actions are not violations in the jurisdiction in which it is written? And if a blogger is to be held responsible, who should hold him responsible – the country where the action is considered a violation or his own country – and where does a private party have a cause of action? According to Vijayashankar, blogger’s rights’ are always subordinated to the rights of expression guaranteed to the blogger in his country where he is a citizen. </p>
<p>Furthermore, the rights of a blogger have to be seen in the context of who has the "cause of action" against blog writing, i.e., which party involved has the right to complain. If an individual is a victim of a blog, and that individual is a citizen of another country and is guaranteed certain rights, the blogger's rights cannot override the rights of the victim in his own country. Hence, the victim has the right to invoke law enforcement in his country, and the law enforcement agencies do have a right to seek information from the blogger. If, however, a citizen brings a private civil action against a blogger, the discovery limitations are much more severe across boundaries, and the blogger’s national policy on responding to discovery from other countries will determine the extent to which information from the blogger will be made available. To the extent that the impact of a blogger’s expression reaches across boundaries, his actions should be considered similar to a situation where a citizen of one country does certain things which affect the rights enjoyed by a citizen of another country. It does not seem right that a blogger can say something offensive in one jurisdiction and be held liable, but a different blogger can say the same thing from another jurisdiction and be protected. On the one hand, since the Internet as a medium broadcasts across geographical boundaries, it is the responsibility of the individual countries to erect their "cyber boundaries" if they do not want the broadcast to reach their citizens. On the other, individuals should be able to invoke international laws to seek consistent application of standards about what is actionable and what information is discoverable in support of an action. This suggests that an international tribunal might be the best solution.</p>
<p>Other questions to think about when exploring the idea of a trusted third party holding online bloggers accountable include: who would form the third party, what legal authority/power would they have, would this group also be in charge of reviewing a country’s "cyber boundaries" in addition to holding online bloggers accountable? and how would it avoid being influenced by any one government or by other stakeholders?</p>
<p>Next I asked him for examples of common privacy violations that happen to online users. A few he said included identity theft in the form of phishing, which leads to financial frauds, and is one of the most dangerous consequences of privacy breach. Other examples included manipulation of online profiles in social networking sites to cause annoyance, defamation, and coercion; cyber squatting with content which can be misleading; posting of obscene pictures with or without morphing of victim’s photographs to other obscene photographs/pictures; and SPAM – particularly through mobile phones – are all serious forms of privacy violations.</p>
<p>My third question focused on privacy violations and bloggers. How could a blogger’s rights be compromised, especially with a focus on privacy? For bloggers, is privacy important simply to protect their identity and content, or are there other implications for privacy and bloggers? In our research we have looked into ways in which practices such as data retention by ISPs, government/law enforcements’ access to web content including private conversations, and poorly established user control over privacy settings on websites can violate online users’ privacy. According to Vijayashankar, a blogger is mainly concerned about privacy in the context of protecting his identity. It is important for bloggers to protect their identity because the content they create could be considered controversial or illegal in different regions. Thus, it is critical for bloggers to have the right to blog anonymously. An exception to this right is that if the blog is so offensive then the law enforcement agency can take action. In some countries individuals also can sue bloggers. To help protect bloggers from unreasonable and ungrounded searches, Vijayashankar suggested that a mechanism be created by which international and domestic law enforcement agencies can request 'sensitive' information. This mechanism would work to filter and evaluate requests for information without bias, and according to a country’s law own domestic law.</p>
<p>I then asked him what legal protections he felt bloggers needed. He said that he believes that it is important that bloggers and online users’ right to anonymity, protection of identity and freedom of expression (political and non-political) are protected from excessive regulations. An interesting point that he raised was about the protection of bloggers from international requests for information. According to –him — bloggers can be protected only to the extent to which their rights are protected in their own country. If a request for information comes to a law enforcement agency of a country of which the blogger is a citizen, information may need to be released unless an “asylum” has been granted.</p>
<p>An example of the situation Vijayashankar is referring to is that if a blogger in India writes content that is found to be controversial by the U.S Government; the U.S Government then has a right to request and access that information, unless the Indian Government provides protection over the citizen and the information and refuses to release it. Though right to information requests tend to be governmental, this rule changes if it is a citizen requesting information. Very rarely can a citizen of one country request information about a blogger from another country and gain access. The question of international discovery over Internet material is one that has many angles that need to be taken into consideration – a few being: what the content on the blog contained; was the content against an individual or a government; who is requesting the information — a citizen or the government, and whom are they requesting the information from? For example, in the US Supreme Court case, <a class="external-link" href="http://caselaw.lp.findlaw.com/scripts/getcase.pl?navby=search&court=US&case=/us/465/783.html"><em>Calder vs. Jones</em></a> 465 U.S. 783 (1984), information about a woman, Shirley Jones, was published in another state, but the court ruled that the wrongful action was directed to her where she was.</p>
<p>A large part of the debate over bloggers’ rights is centered on governments’ need to monitor online activity. Developments such as the new rules to the IT Act, the Indian Government’s request for blackberry’s encryption keys, and the news about the government wiretapping citizens’ phones show that the Government of India is demanding access to see and regulate content created by online users in India. When asked about bloggers’ rights and government access to content, Vijayashankar stressed that there has to be a mechanism to check the requests from government agencies, and any such mechanism should have popular representation. He went on to explain that presently an order for the blocking of a blog or for private information is made by a government agency or a court. Unfortunately, government agencies may be responsive to certain interests. Likewise, decisions of conventional courts can be inconsistent. Therefore, it is important that a mechanism that reflects the common person’s input is put in place. This could either be a stand-alone private body, such as Netizen Protection Agency, acting as one more layer of protection, or the government body itself could build in adequate public representation. Courts would need to recognize such bodies and seek their opinion as an input to any dispute. This is an innovative option, but one that is a radical departure from the view of a court as an impartial tribunal that is supposed to weigh every matter independently on its merits. </p>
<p>Lastly, I asked if a privacy legislation could address the issue at hand i.e., could a privacy legislation work to protect bloggers’ rights by providing them identity protection and protection of their content and in general what should be included in a comprehensive privacy legislation? Though India already addresses bloggers’ rights through the Information Technology Act, it could be possible that privacy legislation could establish a third party group to work to protect bloggers’ rights and hold both governments and bloggers’ accountable. When asked what should be included in a comprehensive privacy legislation, Vijayashankar suggested that it should recognize that privacy rights of individuals are part of the larger interests of the society, and a comprehensive legislation should work to take all the stakeholders into consideration. </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/bloggers-rights-and-privacy'>https://cis-india.org/internet-governance/blog/privacy/bloggers-rights-and-privacy</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2012-03-21T09:35:06ZBlog EntryThe DNA Profiling Bill 2007 and Privacy
https://cis-india.org/internet-governance/blog/privacy/dna-profiling-bill
<b>In 2007 a bill known as the Draft DNA Profiling Bill was piloted by the Centre for DNA Fingerprinting and Diagnostics, an autonomous organization funded by the Department of Biotechnology, Ministry of Science and Technology, Government of India. The below is a background to DNA collection/analysis in India, and a critique of the Bill a from a privacy perspective. </b>
<h3>Introduction</h3>
<p>In 2007 a bill known as the Draft DNA Profiling Bill was piloted by the Centre for DNA Fingerprinting and Diagnostics, an autonomous organization funded by the Department of Biotechnology, Ministry of Science and Technology, Government of India[1]. The Bill is pending in parliament. The DNA Profiling Bill looks to legalize the collection and analysis of DNA samples for forensic purposes. We believe that it is important that collection of DNA has associated legislation and regulation, because DNA is sensitive physical evidence that if used correctly can benefit the public good, but if misused can lead to serious privacy and human rights violations. Therefore it is important to create a balance between the constitutional rights of an individual and the public interest and bring accountability and transparency to the practice of DNA collection and testing.</p>
<p>In our research we consulted with GeneWatch UK to learn from their work and experience with DNA testing in the UK. This briefing is meant to give a background on the logistics of DNA testing, highlight ways in which DNA testing raises privacy concerns, and provide a critique of the DNA Profiling Bill.</p>
<h3>Background Facts about DNA and DNA testing:</h3>
<p><br /><strong>What is DNA:</strong> DNA is material that determines a persons hereditary traits such as hair color, eye color, body structure etc. Most DNA is located in the cell nucleus, and wrapped up in small structures called chromosomes. Every person inherits 50% of genetic material from their mother and 50% from their father. Genetic disorders are caused by mutations in a person's DNA, and comparing DNA within families can reveal paternity and non-paternity. DNA is found in every cell of our bodies, and each person has a unique strand of DNA [2]. Thus, DNA is seen as a useful form of identification with marginal room for error [3].</p>
<p><strong>What is a DNA profile/ DNA database, and how can it be used/misused:</strong></p>
<p>When DNA samples are taken from individuals they are analyzed in laboratories to produce a digitized representation of numbers known as a DNA profile. Once created, a DNA profile is stored on a DNA database (i.e. an electronic database) with other identifying information from the individual and information from the crime scene. A DNA profile is based on parts of a person's DNA, so it is not unique to an individual. The probability of an individual's DNA profile matching a stranger's by chance is very small, but not impossible. To collect a sample of DNA police normally use a mouth swab to scrape cells from inside the suspect's cheek. If the individual refuses, their DNA can be obtained by pulling some hairs out of their head (cut hair does not contain DNA, it is only in the roots), if the law allows DNA to be taken without consent. DNA samples are also collected from crime scenes, for example from a blood stain, and analyzed in the same way. DNA samples are sometimes stored indefinitely in the laboratory with a bar code number (or other information) that allows them to be linked back to the individual [3]. Stored DNA profiles from crime scenes can be helpful to exonerate an innocent person who is falsely accused of a crime if their DNA does not match a crime scene DNA profile that is thought to have come from the perpetrator. However, stored DNA profiles from individuals are not needed for exoneration because the individual's DNA can always be tested directly (it does not need to be stored on a database). Collecting DNA profiles from individuals can be useful during an investigation, to compare with a crime scene DNA profile and either exonerate an individual or confirm they are a suspect for the crime. Corroborating evidence is always needed because of the possibility of false matches (which can occur by chance or due to laboratory errors) and because there may be an innocent explanation for an individual's DNA being at a crime scene, or their DNA could have been planted there. Storing DNA profiles from individuals on a database is only useful to implicate those individuals in possible future crimes, not to exonerate innocent people, or to solve past crimes. An individual is implicated as a possible suspect for a crime if their stored DNA profile matches a new crime scene DNA profile that is loaded on to the database. For this reason, most countries only store DNA profiles from individuals who have committed serious crimes and may be at risk of re-offending in the future. Stored DNA profiles could in theory be used to track any individual on the database or to identify their relatives, so strict safeguards are needed to prevent misuse [4].</p>
<p><strong>DNA testing in India:</strong></p>
<p>At present, India does not have a national law that empowers the government to collect and store DNA profiles of convicts, but DNA collection and testing and is taking place in many states. For instance, in Pune the army is currently considering creating DNA profiles of troops who are involved in hazardous tasks inorder to help identify bodies mutilated beyond recognition [5]. In December of this year a judge in the Supreme Court ordered DNA testing on a congress spokesmen to determine if his child was really his child [6]. Also in December this year a news article announced the establishment of the first DNA profiling databank in Nehru Nagar [7]. Additionally DNA has been used to identify criminals , for instance in the Tandoor Murder DNA testing was used to reveal the identity of the culprit [8].</p>
<p>India hosts both private and public DNA labs. Public labs are sponsored by the Government, and use DNA purely for forensic purposes. For example The Centre for DNA Fingerprinting and Diagnostics (CDFD) located in Hyderabad is sponsored by the Department of Biotechnology and Ministry of Science. CDFD runs DNA testing for: establishment of parentage, identification of mutilated remains, establishment of biological relationships for immigration, organ transplantation, property inheritance cases, identification of missing children and child swapping in hospitals, identification of rapist in rape cases, identification in the case of murder.</p>
<p>Cases are only accepted by CDFD if they are referred by law enforcement agencies or by a court of law. Only an officer of the rank Inspector of Police or above may forward DNA cases to CDFD. Copies of DNA report are released to individuals if they are able to prove needed interest in the case through a notarized affidavit [9]. In 2010 CDFD received 100 cases from law enforcing agencies. Additionally, in 2010 CDFD was given rupees eighteen lakhs thirty nine thousand five hundred and forty five from the Government of India towards DNA fingerprinting services [10]. The Indian Government has also established National Facilities for Training in DNA Profiling in order to train individuals in DNA testing and expand the number of DNA examiners and laboratories available in the country [11]. <br /><br />Examples of private DNA labs include DNA labs India and Truth Labs. DNA labs India runs paternity testing, forensic testing, prenatal testing, and genetic testing [12]. Truth Labs is a private lab that provides legal services directly, without a court or police order [13]. </p>
<p><strong>The Complexity of privacy and DNA collection/ testing:</strong><br />As mentioned above, the personal and sensitive nature of DNA, the use of DNA raises many privacy concerns. The concerns fall into three basic areas: first, if a person has given consent to have his or her DNA used for a specific purpose, must the DNA be destroyed or can it be used for other purposes as well? Related to that, if a person must give consent for a specific purpose, what happens if the person is no longer able to give consent -- if, for example, the person has died? Finally, if the testing of one person's DNA yields information that is likely, or probable, or certain to impact another person, does that person have a right to know the information discovered? There are variations on these questions -- as for example does DNA is permitted to be taken without consent (to test for a crime, perhaps), does that lack of need for consent permit all uses of DNA that others want. Who decides? The complexity of these questions demonstrates that in the situation of DNA collection and testing privacy cannot be protected simply through consent from an individual. Instead the law must permit specific thresholds to be established in order to cover the privacy needs of different situations.</p>
<p><br /><strong>Can DNA evidence be considered self-incriminating evidence?</strong><br />According to the Supreme Court fingerprinting and other physical evidence is not covered by article 20(3). In the case of State of Bombay v. Kathi Kalu Oghad, the courts answered the question of whether or not the freedom against self-incrimination guaranteed under article 20(3) of the Constitution of India – which is meant to protect a person from torture from the police – can be extended to the collection of DNA? the courts answered this question by upholding that <br /> “To be a witness may be equivalent to ‘furnishing evidence’ in the sense of making oral or written statement, but not in the larger sense of the expression so as to include giving of thumb impression or impression of palm or foot or fingers or specimen writing or exposing a part of the body by an accused person for purposes of identification [14]”<br /><br /></p>
<h3>Critique of the DNA Profiling Bill 2007</h3>
<p><br /><strong>Does India already have sufficient legislation? </strong><br />The collection and use of biometrics for identification of criminals legally began in India during the 1920's with the approval of the Identification of Prisoners Bill 1920 [15]. The object of the Bill is to “provide legal authority for the taking of measurements of finger impression, foot-prints, and photographs of persons convicted or arrested…”[16] The Bill is still enforced in India, and in October 2010 was amended by the State Government of Tamil Nadu to include “blood samples” as a type of forensic evidence [17]. Other Indian legislation pertaining to forensic evidence is the CrPC and the Indian Evidence Act. In 2005 section 53A of the CrPC was amended to authorize investigating officers to collect DNA samples with the help of a registered medical practitioner, but the Indian Evidence Act fails to manage science and technology issues effectively [18]. The current state of statutes for DNA collection in India are not sufficient as the neglect to lay out precise procedures for collection, processing, storage, and dissemination of DNA samples. One question to consider though is if the Prisoners Identification Bill, CrPC, and Indian Evidence Act could be amended to incorporate DNA, and the needed safeguards, as a type of forensic evidence for all of India.<br /><br /><strong>Lack of requirement for additional evidence:</strong> The preamble of the DNA Profiling Bill states that “The Deoxyribose Nucleic Acid (DNA) analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead without any Doubt.” This statement is untrue as DNA test can be compromised under many circumstances including: techniques for declaring a match, the proficiency of examiners, laboratory control standards and statistical problems, and DNA samples can become degraded due to age or exposure to chemical or bacterial agents [19]. Because DNA is not foolproof individuals can be falsely implicated in a crime as a result of an incorrect DNA match. The Bill needs to put in place procedures for the court to recognize the fact that DNA is not 100% foolproof, present the statistics correctly, and require supporting evidence [20]. </p>
<p><br /><strong>Scope for DNA Collection:</strong> The stated object of the DNA Bill is to: “enhance protection of people and administration of justice, analysis of DNA found at the crime scene, establish identity of victim and offender”. The list of offenses and situations in which the collection and testing of DNA is permitted, found in the Schedule of the Bill, provides for the collection DNA from individuals who are not related to a crime scene, are not victims, and are not criminals. Furthermore, section 13(xxii) allows this list to be expanded by the DNA board. We believe these sections should be omitted from the scope of the Bill, so that it is limited to only identifying individuals who are victims and offenders, and that a statutory body besides the DNA board be given the authority to expand the list of proposed offences [21]. Furthermore, within the Bill there are many places where vague language permits the DNA testing of individuals who are not yet convicted of a crime, which will constitute an invasion of privacy unless the DNA is provided voluntarily to release a person suspected or accused of a crime [22]. Additionally as mentioned above it is critical that the Bill recognizes and allows for different thresholds of privacy when collecting, analyzing and sharing DNA profiles. </p>
<p><br /><strong>Clear definition of when collection of DNA samples can be taken:</strong> The schedule of the Bill only lists the offenses and situations for which the collection of DNA is permitted. We believe a provision must be added that clarify when exactly DNA can be collected e.g. whether the DNA can be collected on arrest or on charge, whether the DNA has to be relevant to the offence, or whether the police decide this for themselves, and what are the oversight mechanisms for these decisions [23].</p>
<p><strong>Privacy Principles:</strong> The Bill enables the DNA Profiling Board to recommend privacy protection statutes, regulations, and practices concerning: use and dissemination, accuracy, security, and confidentiality, and destruction of DNA information [24]. Privacy principles should not be left to recommendations by the board or to regulations of the Bill, but instead should be incorporated into the Bill itself to ensure that such practices are in place if the Bill is passed. Furthermore, the appropriate collection, access, and retention of DNA information should be specified in this Bill. </p>
<p><strong>Obligations for DNA laboratories:</strong> Section 19 of the Bill lays out the obligations of DNA laboratories [25]. We recommend that the implementation of a privacy policy should be mandatory under this section. </p>
<p><strong>Storage of DNA profiles and samples:</strong> Currently the Bill allows for the complete storage of DNA of: volunteers, suspects, victims, offenders, children (with parental consent), and convicted persons. DNA samples taken from individuals contain unlimited genetic information (including health-related information) and are not needed for identification purposes once the profiles have been obtained from them, thus we recommend that the bill requires that DNA samples be stored temporarily for quality assurance purposes (e.g. for up to six months) and then destroyed to prevent misuse. This is an important privacy protection, which also reduces the cost of storing samples. The only purpose of retaining DNA profiles on a criminal database is to help identify the individual if they reoffend. Thus we recommend that the criminal databases should be restricted to holding DNA profiles only from convicted persons, and the types of offence and time period for retention should be limited. Although DNA profiles may have alternative uses other than solving crimes (e.g. identifying missing persons) we recommend that the missing persons databases are kept separate from criminal databases. Furthermore, although collecting DNA from victims and volunteers may be useful during the investigation of a crime, DNA profiles obtained from victims and volunteers should be destroyed once an investigation is complete. </p>
<p><strong>Conflicting Clauses:</strong> Section 14 of the Bill provides that DNA laboratories can only undertake DNA procedures with the approval, in writing, from the DNA profiling Board. Section 15(2) contradicts this statement by permitting already existing DNA laboratories to function and use DNA already collected even before they receive approval from the DNA profiling Board. We suggest that Section 14 is clearly written so that DNA laboratories that have already been set up are unable to continue functioning until they have met the approval of the DNA Profiling Board, and Section 15(2) should thus be deleted. <strong><br /></strong></p>
<p><strong>Access:</strong> According to section 41 of the Bill, the Data Bank Manager is given sole discretion as to who may have access to the DNA database, including persons given access for training purposes [26]. Low standards such as these vest too much discretion in the Data Bank Manager. We recommend that access is strictly limited to trained personnel who have undergone proper security clearance. Furthermore, we recommend that the role of Data Bank Manager be analogous to a custodian for the databank. Thus, the manager would be accountable for the integrity and security of the data held in the DNA databank.</p>
<p><strong>Offenses:</strong> Though the Bill provides for penalties such as unauthorized access, disclosure, destruction, alterations, and tampering [27], the Bill fails to provide punishment for the illegal collection of DNA samples. This should be made an offense under the Bill.</p>
<p><strong>Redress:</strong> The Bill provides no redress mechanism to an individual whose DNA was illegally used or collected. Furthermore, section 49 (1) only permits the Central Government or DNA Profiling Board to bring complaints to the courts [28]. Thus, we recommend that individuals are enabled to bring charges against entities (such as DNA labs or police officials) for the misuse of their data.</p>
<p><strong>Delegation of powers:</strong> The Bill allows the DNA Profiling Board to form committees of the members and delegate them the powers and functions of the board. This clause could allow outsourcing, and could allow a dilution of authority by which the DNA Profiling Board weighs approval or rejection of requests [29]. We recommend that the outsourcing of functions be limited to administration duties and jobs that do not directly relate to the core duties of the DNA Profiling Board. </p>
<p><strong>Access by law enforcement agencies:</strong> The Bill currently allows for the DNA Profiling Board to grant law enforcement agencies access to DNA profiles [30]. We recommend that DNA profiles are only accessed by the Data Bank Manager. Law enforcement agencies should send requests for matches to the Data Bank Manager, and the Manger would provide the needed intelligence [31].</p>
<p><strong>Public interest:</strong> The Bill allows for DNA laboratories to continue to operate, even if the laboratory has violated the specified procedures, if the DNA Profiling Board finds it in the public interest [32]. We believe that where there have been violations, a laboratory should be required to demonstrate remediation before being allowed to resume operations.</p>
<p><strong>Contamination of DNA samples:</strong> Currently the Bill holds laboratories responsible for “minimizing the contamination of DNA.”[33] DNA Laboratories should be held fully and legally responsible for preserving the quality of DNA samples. If a DNA sample is contaminated, and the DNA lab does not follow due diligence to discard the contaminated sample and or collect a new sample, and subsequently the DNA used wrongly against an individual - an individual should have the ability to press charges against the institution.</p>
<p><strong>Audits:</strong> The Bill provides for the auditing of DNA laboratories, but the DNA Profiling Board must also undergo annual audits [34].</p>
<p><strong>Indices Held by DNA Banks:</strong> Under section 33 (4),(5)The Bill provides for the DNA data bank to set up indices that hold DNA identification records and DNA analysis from: crime scenes, suspects, offenders, missing persons, unknown deceased persons, volunteers and such other indexes as specified by regulations. We believe the DNA data bank should not hold indexes on suspects, missing persons, or volunteers without consent and the ability for the individual to withdraw their consent. Furthermore, the Bill requires the taking of a victim’s DNA, but it is not listed as an index. We recommend that this section be deleted, as the creation of a DNA index is simply another copy of a DNA profile, and it does not serve a particular purpose.</p>
<p><strong>Communicating of DNA Profile with Foreign States: </strong>Section 35 permits, with the approval of the Central Government, the sharing of DNA profiles with Foreign States [35]. We recommend that communication and use of a DNA profile with Foreign States should be limited to comparison only. </p>
<p><strong>Access to Data Banks for administration purposes:</strong> Section 39 of the Bill permits access to the databank for “administrative purposes”. We recommend that the Bill clarify what exactly constitutes “administrative purposes”, and clarify that the process/procedures that permit access to data banks for administration purposes will not require access to data stored in Data Banks [36].</p>
<p><strong>Enforcement for the removal of innocents: </strong>Section 36(3) of the Bill requires that the DNA profile of individuals who are found innocent be removed from the database. This provision should have legal mechanisms to ensure enforcement of the provision e.g. reporting by the Board [37].</p>
<p><strong>Ability to access one’s own DNA Profile:</strong> A provision should be added to the Bill that gives individuals the right to ask the police for any of their own details held on police databases, so an individual has the ability to know if their data is being held against the law [38].</p>
<p><strong>Clear Definition of identity: </strong>Section 33(6)(i) maintains that the DNA Data Bank will contain in relation to each of the DNA profiles… the “identity of the person”. The Bill needs to define what is "identity" and how “identifying” information can be used. Furthermore, it is important to ensure that no other information (like an identity number) that would allow for function creep, is included in the DNA data base[39]. </p>
<p><strong>Transparency of the DNA board: </strong> Section 13 of the Bill describes the powers and functions the DNA Board. In this section the DNA board should be required to publish and submit minutes and annual reports including detailed information on how it has exercised all its functions to the public and to Parliament. The report should include: numbers of profiles added to the database; numbers removed on acquittal, numbers of matches and solved crimes; costs; numbers of quality assurance inspections, and breakdowns of these figures by state [40].</p>
<p><strong>Restricted use of DNA database:</strong> Section 39 (1) of the Bill permits the DNA database to be used for identification purposes that are not related to solving a crime including the “ identification of victims of: accidents, disasters or missing persons or for such other purposes”. The DNA database should be restricted to the identification of a perpetrator of a specified criminal offence, and consent or a court order must be sought for any other use of the database for identification purposes. </p>
<p><strong>Probability of error published:</strong> Because profiles found in the DNA data base are comprised of only parts of individuals DNA, the profiles are not unique to individuals. Thus, the number of false matches that are expected to occur by chance between crime scene DNA profiles and stored individual's profiles depends on how the profiling system used, how complete the crime scene DNA is before it is added to the database (many crime scene DNA stains are degraded and not complete), and how many comparisons are done (i.e. how big the database it is and how often it is searched). With a population the size of India, the number of these false matches could be very high. The DNA board needs to take this probability for error into consideration and publish researched statistics on how many false matches they expect to occur purely by chance, based on the numbers of profiles they expect to store under the proposed criteria for entry and removal of profiles [41].</p>
<p><strong>Cost analysis:</strong> The DNA board should publish a cost benefit analysis for the implementation the Bill. This should include the cost of storing samples, collecting sample, and testing samples [42].</p>
<h3>Bibliography<br /></h3>
<ol><li>http://www.cdfd.org.in/</li><li>http://ghr.nlm.nih.gov/handbook/basics/dna</li><li>Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 pg.6, 22</li><li>Ibid email conversation with Dr. Wallace from Genewatch UK April 2nd 2002</li><li>http://articles.timesofindia.indiatimes.com/2011-01-02/india/28371869_1_dna-data-bank-blood-samples-bodies</li><li> http://www.merinews.com/article/justice-s-rabindra-bhatt-orders-dna-test-for-nd-tiwari/15838508.shtml</li><li> http://www.dnaindia.com/mumbai/report_nehru-nagar-first-region-in-country-to-have-dna-profiling-database_1477211</li><li>Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007. Pg.263</li><li>http://www.cdfd.org.in/servicespages/dnafingerprinting.html<br /></li><li>ibidhttp://www.cdfd.org.in/image/AR_2009_10.pdf</li><li>http://planningcommission.nic.in/plans/planrel/fiveyr/11th/11_v1/11v1_ch8.pdf</li><li>http://www.dnalabsindia.com/</li><li>http://www.truthlabs.org/</li><li>AIR 1961 SC 1808</li><li> The Prisoners Identification Bill was most recently amended 1981</li><li>http://lawcommissionofindia.nic.in/51-100/report87.pdf</li><li> http://www.tn.gov.in/stationeryprinting/extraordinary/2010/305-Ex-IV-2.pdf</li><li>Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 pg. 259</li><li>Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 pg. 245 <br /></li><li>Email conversation with Dr. Wallace from Genewatch UK. April 2nd</li><li>Schedule of offenses 5) Miscarriage or therapeutic abortion, b. Unnatural offenses, 7) Other criminal offenses b. Prostitution 9) Mass disaster b) Civil (purpose of civil cases) c. Identification purpose 10) b) Civil:1) Paternity dispute 2) Marital dispute 3) Infidelity 4) Affiliation c) Personal Identification 1) Living 2) Dead 3) Tissue Remains d)</li><li> 2 (xxvii) “offender” means a person who has been convicted of or is under trial charged with a specified offense. <br />2(1)(vii) “crime scene index” means an index of DNA profiles derived from<br />forensic material found: (a) at any place (whether within or outside India) where a specified offense was, or is reasonably suspected of having been, committed;<br />or (b) on or within the body of the victim, or a person reasonably<br />suspected of being a victim, of an offense (DNA Profiling Bill)</li><li> Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 Pg. 291</li><li>Section (1) (xv) –(xvi) of DNA Profiling Bill</li><li>Section 19 of DNA Profiling Bill <br /></li><li>Section 41(i) (ii) of DNA Profiling Bill</li><li>Section 45, and section 46 of DNA Profiling Bill</li><li> Section 49 (1) of DNA Profiling Bill</li><li> Section 52 (2) The DNA Profiling Board may, by a general or special order in writing,<br />also form committees of the members and delegate to them the powers<br />and of the Board as may be specified by the regulations.</li><li>Section 13(x), Section(2) The DNA Profiling Board may, by a general or special order in writing,also form committees of the members and delegate to them the powers and functions of the Board as may be specified by the regulations.</li><li>Adhikary, Jyotirmoy. DNA Technology in Administration of Justice. Lexis Nexis. 2007 Pg. 300</li><li>Section 17 (2) of DNA Profiling Bill</li><li>Section 22 of DNA Profiling Bill</li><li>Section 28 of DNA Profiling Bill</li><li>Section 35 (1) of DNA Profiling Bill<br /></li><li>Section 39 of DNA Profiling Bill<br /></li><li>http://www.genewatch.org/sub-539478</li><li>http://www.genewatch.org/sub-539478</li><li>http://www.genewatch.org/article.shtml?als[cid]=492860&als[itemid]=567376</li><li>Email conversation with Dr. Wallace from Gene Watch UK April 2nd</li><li>Standard setting and quality regulation in forensic science. GeneWatch UK submission to the Home Office Consultation.<br />October 2006.</li><li>Standard setting and quality regulation in forensic science. GeneWatch UK submission to the Home Office Consultation.<br />October 2006.<br /><br /><br /><br /> <br /><br /><br /><br /><br /><br /><br /></li></ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/dna-profiling-bill'>https://cis-india.org/internet-governance/blog/privacy/dna-profiling-bill</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2012-03-21T09:40:56ZBlog Entry An Interview with Activist Shubha Chacko: Privacy and Sex Workers
https://cis-india.org/internet-governance/blog/privacy/privacy_privacyandsexworkers
<b>On February 20th I had the opportunity to speak with Shubha Chacko on privacy and sex workers. Ms. Chacko is an activist who works for Aneka, an NGO based in Bangalore, which fights for the human rights of sexual minorities. In my interview with Ms. Chacko I tried to understand how privacy impacts the lives of sex workers in India. The below is an account of our conversation. </b>
<h3>Introduction<br /></h3>
<p>In our research we have been exploring where and how privacy is found in different areas of Indian society, law, and culture. As part of our research we have been holding public conferences across the country to raise awareness and gather opinions around privacy. One area that was discussed in the public conference in Bangalore was the privacy of sex workers. Shubha Chacko, who is from Aneka - an NGO located in Bangalore which fights for the human rights of sexual minorities, made a presentation that focused on the privacy challenges that sex workers in India face. In our interview Ms. Chacko pointed out many misconceptions that society holds about sex workers’ lives. She also detailed the challenges of stigma and discrimination that sex workers face, and described the precarious position that sex workers find themselves in as their work is constantly being pushed out of the public sphere by the law and society. I later interviewed Ms. Chacko to follow up on her presentation on privacy and sex workers. During the interview I had the opportunity to speak with both Ms. Chacko and a board member from the Karnataka Sex Workers Union. The following is meant to provide a perspective on how and in what ways society, law, media and tradition invades the privacy of sex workers. Though the piece is focused on the lives of sex workers, many of the issues raised are not limited to only sex workers, but characterize other marginalized communities as well. </p>
<p>When I began the interview with Ms. Chacko I was hoping to do a piece that looked at the different elements of a sex worker’s life, and identified the points at which their privacy was invaded – such as in contacting a client, going to the doctors, etc. After I began my interview only, I realized how privacy impacts sex workers is much more complicated than a life cycle analysis. Among other things, privacy issues for sex workers prompt questions challenging social definitions of public and private, having the right to an identity and a recognized profession, and having the autonomy to control decisions about oneself.</p>
<h3>Basic Facts and Background Information:</h3>
<ul><li>Karnataka has been found to have 85,000 sex workers, and India has an estimated 2 million female sex workers [1] </li></ul>
<ul><li>Sex work is not against the law in India, but any commercialized aspect of the trade is prohibited – including running a brothel or soliciting a client. </li></ul>
<ul><li>Sex work is a multi-faceted profession with many positive and negative complexities that are rarely known to the public.</li></ul>
<h3>Understanding the Challenge of the Public and the Private</h3>
<p>My interview with Ms. Chacko began with my seeking an understanding of the challenges that traditional notions of the public sphere and the private sphere pose for sex workers. Ms. Chacko explained that to understand how privacy impacts the life of a sex worker, it is important to first understand that sex workers by profession confront and question traditional conceptions of the public and the private. Sex and everything associated with it is seen as something that is to be kept only in the private sphere. The work of sex workers brings sex into the public sphere, and thus the workers are seen as being public women not entitled to privacy, because they stand on street corners and conduct their work in the public. This notion that sex workers are public women without a right to privacy shows through in the way they are treated by the media, the police, NGOs, and researchers. An example of this tension and society’s response can be seen in the recent elections. On April 6th, a Times of India news article reported that the election commission will be setting up “special booths” for sex workers to vote in because “while the sex workers had been waiting in queues to cast their votes, common people were not comfortable with that”[2]</p>
<table class="plain">
<tbody>
<tr>
<td><strong>What is the Challenge of the Public and the Private? </strong><br />
<p>“It starts with a conception of issues around privacy vis-à-vis sex workers. The general perception is that sex workers are considered “public women”, because they are considered available to the public and because they sell sexual services on the streets (and are seen in contrast to the “good” woman who is confined to the private world of the home This then leads people to assume that then sex workers have are not entitled to privacy. Also sex workers are forced to reckon with issues of sex and sexuality, and if you talk about issues of sexuality - issues that are considered private are forced into the public domain, so sex workers by their presence force these issues into the public domain. So notions of privacy become complicated by this challenge of what is public and private, because the sex workers’ presence brings into the public domain what is private.”</p>
<br /><strong>How does this tension of the public and the private translate into privacy violations? </strong><br /><br />
<p>"Due to the stigma around sex work all rights of sex workers are seriously compromised; with impunity. Thus, privacy is a threshold issue.</p>
<p>The violation of privacy happens at various points, for example the way the media deals with them – publishing their photographs, outing them without their consent, talking about them without their consent. There are the police who are often engaged in so called “rescue and rehabilitation” work, but in the process of rescuing the sex workers, disregard the harmful impacts that compromising their right to privacy will do to them. The HIV prevention intervention programs that are in place now that target sex workers (along with other ‘high risk groups”) also erode their right to confidentiality. Besides intimate details of their lives being recorded, their address and other coordinates are noted. This information along with other sensitive information including their HIV status, is often accessible to a host of people and is a potential threat to their privacy and anonymity. Researchers and NGOs too often quiz sex workers about a range of intimate details about their lives with little sensitivity and expect them to be totally candid. These interviews also raise questions that relate to privacy."</p>
</td>
</tr>
</tbody>
</table>
<h3>Stigma, Discrimination, and Identity</h3>
<p>Ms. Chacko also spoke about how the stigma and discrimination that sex workers face invades their privacy. Society views sex workers in one light – as immoral women. This stigma is attached to them permanently and is a source of violence and discrimination in the home, from the state, and from society. The sex workers’ right to anonymity and identity is also restricted because of the stigma attached to their work. Sex workers do not have the ability to control information about themselves, and they face challenges in obtaining official documents like a PAN card or a passport. This stigma and its consequences impedes sex workers from functioning comfortably in society and creates a difficult tension for sex workers to live with. Society denies the presence of sex workers, and police patrol parks and other public areas chasing away individuals whom they believe to be sex workers. The increased passivisation of public spaces – parks, (for example) and the over gentrification of the neighborhoods squeeze them out</p>
<p>In New York, one way that sex workers have overcome this constant and sometimes violent confrontation with society is through the use of mobile phones. Sex workers will contact clients only through mobile phones. This allows them to find their clients in private and anonymous ways, and it eliminates the need of a pimp or other type of ring leader. When I asked Ms. Chacko if sex workers are using this same technique in India, she recognized that they are, but said that it is not a yet widely practiced - especially among women in rural areas.</p>
<table class="plain">
<tbody>
<tr>
<td><strong>How Restricting is the Stigma? </strong><br />
<p>“Huge - hardly ever does a person’s entire identity get conflated with her with occupation or livelihood option; the way it does with sex workers. … I mean, for example, if you go to a movie - people would not say; oh, look, there is a researcher come to see a movie - people would call you by name, but if a sex worker goes to a movie they always say: oh, look, there is a sex worker. There is only one side to her identity according to society. And everyone wants to know the same thing - How did they get into sex work. There is an excessive interest in this aspect alone (and generally they are seeking simple answers) - they never ask other questions about them as a person, only about them as a sex worker. Thus, real issues of violence and exploitation are never dealt with”.</p>
</td>
</tr>
</tbody>
</table>
<h3>HIV Initiatives, Medical Counseling , and Privacy</h3>
<p> Medical consultations, especially those related to HIV/AIDS, in many ways violate the privacy of sex workers.</p>
<p><strong>HIV Initiatives</strong></p>
<p>HIV initiatives run by the Government are often invasive and function off of privacy-violating techniques. The government runs many HIV initiatives where sex workers are employed to be “peer educators.” A peer educator’s job is to spread awareness about HIV, distribute condoms, and bring sex workers for HIV testing. The privacy and anonymity of peer educators is compromised in the job title itself. Everyone in the community knows that to be a peer educator, one must also be a sex worker. Thus, if a person is a peer educator or with a peer educator, she is immediately outed and identified as a sex worker. Furthermore, HIV testing is compulsory for sex workers, though on paper it looks as though it is a choice. Because there are quotas that must be filled, sex workers often go through HIV testing without full consent.</p>
<table class="plain">
<tbody>
<tr>
<td><strong>How do Government HIV Initiatives Violate Privacy?</strong> <br />
<p>“The whole HIV intervention itself violates sex workers’ privacy. Both in the sense that people get jobs as peer educators and they have to carry condoms around and talk to other sex workers, and everyone thinks that if you are a peer educator then you are a sex worker, and there is no protection for these people even though it is sponsored by the state government.”</p>
</td>
</tr>
</tbody>
</table>
<p><strong>Line Listing </strong></p>
<p>The HIV programs and testing centers also violate the privacy of sex workers. The clinics have a system known as line listing, which is meant to ensure that there are no duplications in data. In order to ensure this they collect identifying information from sex workers including address and phone number. The information is not protected and is easily accessible to whoever wishes to see it.</p>
<table class="plain">
<tbody>
<tr>
<td><strong>Line Listing and Privacy </strong><br />
<p>“HIV programs have a process called line listing, which is to ensure that there is no duplication. So they take all your facts from you, and from that a sex workers address and such go out, and it’s put out with no safeguards.”</p>
</td>
</tr>
</tbody>
</table>
<p><strong>HIV Counselors and Doctors</strong></p>
<p>HIV counselors also violate the privacy of sex workers. Though a patient’s HIV status is only supposed to be known to the counselor at the testing clinic and the lab technician, it often becomes the case that HIV results are widely shared. As per protocol, doctors and counselors must follow up with sex workers every three months if a sex worker is HIV negative. This is to ensure that they are still HIV negative, and to provide them treatment at the soonest if they do contract the disease. To carry out this follow-up work, counselors keep a list of patients whom they have seen. This list is supposed to be confidential, but other personnel in the hospital are assigned to do the follow-up phone calls, and thus the list is in fact easily accessible. If a person’s name disappears from the list, it is obvious that the person is now HIV positive, and that person’s privacy is violated and her status known.</p>
<table class="plain">
<tbody>
<tr>
<td><strong>How does HIV Counseling compromise Privacy? </strong><br />
<p>“…only the counselor and the lab technician is supposed to know about it, but it turns out a whole number of people know about it, because of follow up. The counselor is supposed to follow up on the list with people every three months for further testing, but if you are positive then you do not need to follow up. Plus, these results are shared with everyone. Because of the stigma attached to HIV there is a need for privacy to be protected, so confidentiality is routinely violated.”</p>
</td>
</tr>
</tbody>
</table>
<h3>Media and Research</h3>
<p><strong>Media </strong></p>
<p>Media was another area of contention that Ms.Chacko pointed out. Though the media plays an important role as being a channel for the voice of sex workers, it can also be intrusive on the sex worker by publishing stories without their consent, or reporting in ways that can be misconstrued. Through their coverage, the media can also deepen the stigma against sex workers and place them under an unwanted social spotlight. For example, a news article in The Hindu spoke about the World Cup bringing an “off day” for sex workers.</p>
<p><em>“With hoards of supporters glued to their television screens for the World Cup cricket final between India and Sri Lanka on Saturday, sex workers are anticipating a slow day, but they are not disappointed. It is a rare weekend for them with their children. The prospects of fewer clients coming in only buoyed the enthusiasm of the women in Sonagachi, the largest red-light area in the city…”[3]</em></p>
<p>The media is also often a part of raids by cover stories of brothels being uncovered, and in doing so expose the lives of sex workers, often printing sensitive information, including addresses, while portraying the sex workers as victims. The media, along with NGOs and the police will conduct raids that severely violate the privacy of sex workers. For example, in an Express India article a raid was described that took place in Pune with NGOs and the police in which sex workers were dragged out, beaten, and molested by the police against their will [4].</p>
<table class="plain">
<tbody>
<tr>
<td><strong>How does the media violate the privacy of sex workers? </strong><br />
<p>“The media conducts raids, and so do NGOs in an attempt to rescue them. Once they are rescued and taken back with police escorts to their village, the whole village knows that she was in sex work, and then her privacy is violated because she was publicly returned. My problem is not about them being rescued, but they need to have consent from the person. If a person wants to do sex work – this decision needs to be respected. The media is difficult because you don’t want to ask for a ban, so we don’t ask for banning, but we do put pressure on the media to be more responsible in their reporting.”</p>
</td>
</tr>
</tbody>
</table>
<p><strong>Research/Films </strong></p>
<p>Ms. Chacko also spoke about how research often violates the privacy of sex workers, in ways that range from the words that are used to describe sex workers to the one-sided victim story that is too often used to describe the lives of sex workers, to the methods researchers use to find their facts. Thus, perhaps without meaning to, research can de-legitimatize the work that sex workers do, and can work to increase the amount of violence or abuse that they are exposed to.</p>
<table class="plain">
<tbody>
<tr>
<td><strong>Research and Privacy </strong><br />
<p>“Researchers who are writing a report on sex workers - land up in some village and end up violating their privacy as everyone in the village wants to know why the researchers came. The researchers also ask invasive questions. They want to know details about the sex workers’ lives: what kind of sex they have and with whom? What do they experience with their clients? What is their relationship with their partners? What is the status of their relationship.? They do not have a sense of whether the workers will want to talk about their lives or not…Some people make films and some make them in extremely exploitative ways. Films are also often incorrect and invasive of privacy in that way as well.”</p>
</td>
</tr>
</tbody>
</table>
<h3>The Role of a Privacy Legislation</h3>
<p>In our research, we are looking at how a privacy legislation could help remedy the challenges to privacy that different people face in society; or ,if a privacy legislation cannot offer a solution, if there are other ways in which a legislation or society can offer solutions. When I asked Ms. Chacko if a privacy legislation or the right to privacy could improve the lives of sex workers, she was not certain if a privacy legislation would make a difference directly, and thought it might in fact overlook sex workers because currently they are seen in society as immoral women that are not to be afforded the right to privacy. In fact, it is the law and enforcers of the law itself that is invading their privacy. For example, in a study done by the World Health Organization it was found that in India 70 per cent of sex workers in a survey reported being beaten by the police, and more than 80 per cent had been arrested without evidence [5]. Thus, before a right to privacy can apply to sex workers, sex work itself must be decriminalized and recognized as a legitimate profession worthy of labor rights and other rights. Furthermore the debate around sex work needs to move away from the traditional dialogue of who is having sex and who is not to one that looks at what rights should be protected for every person. At that point perhaps a law which protects dignity and regulates the use of information could be useful. On another note, the UID (the Unique Identification Project) could be a potential benefit for sex workers as it would serve as identity that would give only a yes or no response at the time of a transaction. </p>
<table class="plain">
<tbody>
<tr>
<td><strong>Could a Privacy Legislation help? </strong><br />
<p>“Some of the privacy is violated by the raids that happen by the police. So those raids are problematic. What kind of laws would help? One would be to decriminalize sex work itself and also work with society to gain understanding and perspective. Because now people think: they are immoral women ,so what privacy do they deserve? The sexual debate should not be about who is having sex and who is not, but about who has the power…”</p>
</td>
</tr>
</tbody>
</table>
<h3>The Current Law</h3>
<p>In India, the Immoral Trafficking prevention Act ( ITPA) is the law that governs sex work. The ITPA does not make prostitution illegal, but instead tries to target the commercialized aspects of the trade such as brothel keeping, pimping, and soliciting. Though the law does not attack the sex workers as individuals, and its stated purpose is to prevent the trafficking of sex workers, the law has become a tool of harassment and abuse by law enforcement agencies. Sections 5A, 5B, 5C, which pertain to trafficking are the most troublesome, because the clauses do not distinguish between trafficking and sex work, but instead defines them as the same[6]. Thus, the new definitions of prostitution and trafficking leave room for reading all sex work as within the meaning of trafficking, and thus criminalizing sex work by defacto.[7] In addition, under the new Section 5C, clients visiting or found in a brothel will face imprisonment and/or fines [8]. Penalization of clients is a significant modification to the the ITPA, which formally targeted 'third parties' profiting from prostitution and not sex workers or clients themselves [9]. Sex workers have fought for a long time to overturn the ITPA. In June 2008, sex workers went on a hunger strike in the hopes of forcing the bill to be discarded [10]. In 2010 sex workers demonstrated against the amendment of the ITPA that would hold the clients of sex workers liable. Despite their protests and demands for their occupation to be treated equally, the Indian courts are slow to move forward and recognize sex work as a dignified profession. “A woman is compelled to indulge in prostitution not for pleasure but because of abject poverty,” the court said last month. “If such woman is granted opportunity to avail some technical or vocational training, she would be able to earn her livelihood by such vocational training and skill instead of selling her body.” The court has also promised to initiate a program in May for vocational training of sex workers [11]. Unfortunately, vocational training fails to address the actual issues and violations that sex workers face – a fact that was demonstrated by one sex worker’s saying: “If we can’t solicit clients without getting arrested, we will naturally rely on pimps to carry on our trade…What we need are practical measures that free us from exploitation created by the law itself.”</p>
<h3>Solutions</h3>
<p>One of the most impactful source of aid for sex workers currently is the sex workers union. I had the opportunity to speak with a member from the board of the Karnataka Sex Workers <br />union. She spoke about the challenges that sex workers face and how the Union provides assistance to the sex workers. The union helps them obtain benefits, helps with enrolling their children in schools, and answers questions that they would not be able to seek legal or other assistance on. The union is a confidential and safe space for sex workers to function in society. The person interviewed feels as though the information about herself that should be kept confidential is: her medical information, her clients, where she meets her clients, and information about her family. Ms. Chacko also spoke about the positives that an identity scheme like the UID could have on sex workers, because the transactions would be done through a yes/ no response, and no one will be denied a UID number. Most importantly, Ms. Chacko stressed that it is important to recognize sex work as a legitimate profession,and focus on the actual problems, rather than limiting the debate to stigmas around sex. The interview with Ms. Chacko demonstrated that protection of sex workers’ and sexual minorities’ privacy cannot be addressed simply by a law, but must be embodied by an ethos and a culture before that law is meaningful.</p>
<h3>Bibliography </h3>
<ol><li><a class="external-link" href="http://www.dnaindia.com/bangalore/report_karnataka-sex-workers-want-right-to-work_1517602">http://www.dnaindia.com/bangalore/report_karnataka-sex-workers-want-right-to-work_1517602</a></li><li><a class="external-link" href="http://timesofindia.indiatimes.com/home/specials/assembly-elections-2011/west-bengal/Special-booth-for-sex-workers/articleshow/7880039.cms">http://timesofindia.indiatimes.com/home/specials/assembly-elections-2011/west-bengal/Special-booth-for-sex-workers/articleshow/7880039.cms</a></li><li><a class="external-link" href="http://www.thehindu.com/news/article1594609.ece">http://www.thehindu.com/news/article1594609.ece</a></li><li><a class="external-link" href="http://www.expressindia.com/latest-news/sex-workers-allege-excesses-in-police-raid-to-submit-evidence-to-commissioner/739326/">http://www.expressindia.com/latest-news/sex-workers-allege-excesses-in-police-raid-to-submit-evidence-to-commissioner/739326/ </a></li><li><a class="external-link" href="http://www.who.int/gender/documents/sexworkers.pdfhttp://ncpcr.gov.in/Acts/Immoral_Traffic_Prevention_Act_%28ITPA%29_1956.pdf">http://www.who.int/gender/documents/sexworkers.pdfhttp://ncpcr.gov.in/Acts/Immoral_Traffic_Prevention_Act_%28ITPA%29_1956.pdf</a></li><li><a class="external-link" href="http://www.who.int/gender/documents/sexworkers.pdfhttp://ncpcr.gov.in/Acts/Immoral_Traffic_Prevention_Act_%28ITPA%29_1956.pdf">http://ncpcr.gov.i /Acts/Immoral_Traffic_Prevention_Act_%28ITPA%29_1956.pdf</a></li><li><a class="external-link" href="http://cflr.org/ITPA%20Amendment%20bill.htm">http://cflr.org/ITPA%20Amendment%20bill.htm</a></li><li><a class="external-link" href="http://www.prsindia.org/uploads/media/1167469313/1167469313_immoral_traffic_prevention_amendment_bill2006.pdf">http://www.prsindia.org/uploads/media/1167469313/1167469313_immoral_traffic_prevention_amendment_bill2006.pdf</a></li><li><a class="external-link" href="http://theindiapost.com/2008/07/21/itpa-amendment-has-a-provision-of-jail-term-and-penalties-for-the-clients-of-prostitutes-who-were-so-far-kept-out-of-the-ambit-of-prosecution/">http://theindiapost.com/2008/07/21/itpa-amendment-has-a-provision-of-jail-term-and-penalties-for-the-clients-of-prostitutes-who-were-so-far-kept-out-of-the-ambit-of-prosecution/</a></li><li><a class="external-link" href="http://www.expressindia.com/latest-news/Sex-workers-to-go-on-hungerstrike-over-ITPA/330250/">http://www.expressindia.com/latest-news/Sex-workers-to-go-on-hungerstrike-over-ITPA/330250/</a></li><li><a class="external-link" href="http://www.trust.org/trustlaw/blogs/the-word-on-women/rehabilitation-cuts-no-ice-with-indias-sex-workers">http://www.trust.org/trustlaw/blogs/the-word-on-women/rehabilitation-cuts-no-ice-with-indias-sex-workers</a></li></ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy_privacyandsexworkers'>https://cis-india.org/internet-governance/blog/privacy/privacy_privacyandsexworkers</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2012-03-28T06:26:03ZBlog EntryIs Data Protection Enough?
https://cis-india.org/internet-governance/blog/privacy/is-data-protection-enough
<b>The following note looks briefly at different sides of the privacy debate, and asks the question whether a Data Protection law is enough privacy protection for India.</b>
<p>In a recent article, Rahul Matthan explained how many threats to personal privacy come from a lack of data protection laws – particularly in the context of the UID – and he thus urges India to pass a law that is focused on data protection. He said, “We don’t question this lack of personal space. It is part of the compromise we make when we choose to live in India.” Though his argument has a surface appeal, there are also many cases emerging in the news today that suggest that India is concerned with a much broader scope of privacy than just data protection. In the DNA, a news article covered a recent court decision that concluded that watching pornography at home is not an obscenity and does not qualify as a public exhibition, even when there are visitors to the home. In that case, police arrested persons who hosted a party under section 292 (obscenity) of the Indian Penal Code for watching pornography and housing strippers. The judge ruled that the activities that were taking place were done in private and thus did not amount to an offense under section 292. This is an important decision about the protections of spatial privacy being afforded to individuals. The bungalow was considered a private space, and the computer a private possession. In other words, India does have a greater understanding of privacy and the need for its protection, and it extends beyond data protection. In another news item, the Hindu reported that 5,000 to 6,000 phones are tapped on average daily. The article speculated that this number could increase in response to the 2G scam and other scams that are coming out. The type of privacy violation that wiretapping poses is likewise not a question of data protection, but of how a nation guards against an unwanted invasion of personal space and when security takes precedence over privacy. Are Indian citizens willing to subject themselves to phone taps to try to eliminate – or at least minimize – the number of scams that are occurring? In yet another news item, it was reported that in the North, councils are attempting to ban the sale of cell phones to unmarried women to help prevent unsolicited affairs with members from different castes. This again raises questions not of data protection or informational privacy, but of personal privacy. How will phone companies know that a woman is married? Will parents suddenly begin regulating their daughters’ phones? Does an existing legislation afford protection to women in this situation? Though data protection is a component of privacy, it is only one component. There are many definitions of privacy, and privacy in itself is somewhat of a difficult word to define, but India should recognize that there are privacy protections and privacy debates that extend beyond data protection. It is too easy to characterize India as large and communal and overlook these important questions.</p>
<p>Returning to Rahul Matthan’s article, Matthan says, “The vast majority of our country that remains under-served by the government will gladly exchange personal privacy for better public service.” I was particularly intrigued by this statement, because it suggests that privacy is an expendable right, and that government service cannot improve without privacy compromises. The logical extension of this concept is that privacy is not a fundamental right but only a consumer issue, and that policymakers can always trade off privacy in exchange for better public benefits, for better security, and for cheaper products. A legal system needs to address the case at hand, but it needs to be mindful of the larger consequences as well. There is no doubt that the UID project demands a data protection law, but India is facing questions of privacy that extend beyond data protection, and the steps that are being taken to answer those questions need to be applauded and brought into the current debate. If we legislate away rights, we must do so by weighing the cost and finding it acceptable.</p>
<p><strong>Sources</strong></p>
<ul><li><a class="external-link" href="http://www.thehindu.com/news/national/article905944.ece">http://www.thehindu.com/news/national/article905944.ece</a></li></ul>
<ul><li><a class="external-link" href="http://is.gd/hJWD8 http://is.gd/hJWSX">http://is.gd/hJWD8 http://is.gd/hJWSX</a></li></ul>
<ul><li><a class="external-link" href="http://news.yahoo.com/s/afp//lifestyleindiatelecommarriage">http://news.yahoo.com/s/afp//lifestyleindiatelecommarriage</a></li></ul>
<ul><li>Matthan, Rahul. The Mint:Technology. Nov. 24 2010</li></ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/is-data-protection-enough'>https://cis-india.org/internet-governance/blog/privacy/is-data-protection-enough</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2012-03-22T05:28:51ZBlog EntrySurveillance Technologies
https://cis-india.org/internet-governance/blog/privacy/surveillance-technologies
<b>The following post briefly looks at different surveillance technologies, and the growing use of the them in India. </b>
<h3>Surveillance...</h3>
<p>New security technologies are constantly emerging that push the edge between privacy and a reasonable level of security. Society's tolerance level is constantly being tested by governments who use surveillance and monitoring technologies to protect the nation. Governments claim that they need absolute access to citizens life. They need to monitor phones, look through emails, peer into files – in-order to maintain security and protect against terrorism. Though as a side note, in an Economic Times article published on Nov. 4 2010 it was reported that government computers were being hacked into through viruses, and top secret documents were being stolen. The irony of the story is that the viruses were introduced to the computers through porn websites visited by officials.</p>
<h3>...In a Car? On the Street? In an Airport?</h3>
<p>Despite the fact that governmental monitoring might make the common man uncomfortable, the reality is that governments will always win the national security vs privacy fight. The story becomes more complicated when it moves from the government directly monitoring individuals, to security agencies monitoring individuals. For instance the use of full body scanners at airports, or trucks equipped with scatter x-ray machines used to control crime in neighborhoods - is a much more heated debate. There are other ways in which to check passengers for banned items, and other ways to keep crime off the streets without mandating that individuals submit themselves to invasive scans, or scanning unaware individuals.</p>
<h3>...In the Movie Theater????..for Marketing Purposes????</h3>
<p>Surveillance technology has now been taken even another step further. No longer is it being just used to prevent violent crimes or terrorist attacks. Today the movie industry is using controversial anti-piracy tools to protect the films they produce. For instance the security company Aralia Systems manufacturers products such as: CCTV cameras and anti-camcorder systems that shine infrared light beams on audiences as they watch a movie. The light beams reflect off camcorders and alerts the theater that there are camcorders present. Though this practice can be seen as invasive - individuals might be opposed to being probed by light beams throughout movies, the extent of potential privacy invasion does not stop there. Aralia Systems has partnered with Machine Vision Lab and has created a system that harvests audiences emotions and movements as they watch movies. The data can then be used by market researchers to better tailor their behavioral advertising schemes. Essentially movie theater monitoring has merged surveillance technologies with behavioral marketing technologies in a twisted invasion of movie watchers personal privacy.</p>
<h3>Is this technology in India?</h3>
<p>Though behavioral monitoring and piracy technologies such as ones produced by Aralia Systems are not yet used in Indian movie theaters – security measures against piracy are used. Movie theaters across India are equipped with metal detectors at the door, and security personel check your handbag or back pack for camcorders. According to a Indian Express article, the organization Allegiance Against Copyright Theft believes one of the reasons monitoring technology is not yet used in theaters is because there is no present Indian legislation that penalizes recording in halls. Once legislation is passed, they speculate there will be a push to use these technologies. Even though monitoring technology is not yet used in theaters, monitoring of consumers behavior is increasing. Recently in India the WPP owned research agency IMRB International has developed an online audience measurement system that uses tailored metering technology to track the sites that users visit. The Web Audience Measurement System has launched this technology in a sample size of 21,000 Indian households, covering 90,000 individuals. IMRB has said that the meters are capable of capturing usage data from multiple computers, and that they can then use the information to market to the individual. Does it seem ironic to anyone that companies now charge for a service – movie tickets, internet services, telephone services – and make an extra profit by data mining at the expense of a persons privacy?</p>
<h3>Sources</h3>
<ul><li>http://economictimes.indiatimes.com/news/politics/nation/Govt-depts-asked-not-to-store-sensitive-info-on-Net-connected-computers/articleshow/6874631.cms</li><li>http://www.research-live.com/news/technology/imrb-unveils-web-measurement-service-for-indian-market/4003941.article</li><li>http://blogs.computerworld.com/17276/anti_piracy_tool_will_harvest_market_your_emotions?source=rss_blogs</li><li> http://www.indianexpress.com/news/antipiracy-unit-joins-hands-with-cinema-halls-to-curb-camcording/695439/2</li></ul>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/surveillance-technologies'>https://cis-india.org/internet-governance/blog/privacy/surveillance-technologies</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2012-03-22T05:40:24ZBlog EntryEncryption Standards and Practices
https://cis-india.org/internet-governance/blog/privacy/privacy_encryption
<b>The below note looks at different types of encryption, varying practices of encryption in India, and the relationship between encryption, data security, and national security. </b>
<h3>Introduction: Different Types of Encryption <br /></h3>
<p>When looking at the informational side of privacy, encryption is an important component to understand. Encryption in itself is a useful tool for protecting data that is highly personal in nature and is being stored, used in a transaction, or shared across multiple databases. The quality of encryption is judged by the ability to prevent an outside party from determining the original content of an encrypted message. There are many different types of encryption including:</p>
<ul><li><em>Symmetric Key Encryption</em>: Communicating parties share the same private key that is used to encrypt and decrypt the data. This form of encryption is the most basic, and is fast and effective, but there have been problems in the secure exchange of the unique keys between communicating parties over networks [1]. </li></ul>
<ul><li><em>Asymmetric Key Encryption:</em> This system relies on the use of two keys– one public, and one private. In this system only the user knows the private key. In order to ensure security in the system a mathematical algorithm that is easy to calculate in one direction, but nearly impossible to reverse calculate is often used. Use of a public and a private key asymmetric avoids the problem of secure exchange that is experienced by symmetric key encryption. The basis of the two keys should be so different, that it is possible to publicize one without the danger of being able to derive the original data. Decoding of data takes place in a two step process. The first step is to decrypt the symmetric key using the private key. The second step is to decode the data using the symmetric key and interpret the actual data[2].</li></ul>
<ul><li><em>One-way Hash Functions:</em> One-way hash functions are mathematical algorithms that transform an input message into a message of fixed length. The key to the security of hash functions is that the inverse of the hash function must be impossible to prove[3]. </li></ul>
<ul><li><em>Message Authentication Codes</em>: MACs are data blocks appended to messages to protect the authentication and integrity of messages. MACs typically depend on the use of one-way hash functions[4].</li></ul>
<ul><li><em>Random Number Generators</em>: An unpredictable sequence of numbers that is produced by a mathematical algorithm[5]. </li></ul>
<h3>Encryption in India</h3>
<p>Encryption in India is a hotly debated and very confusing subject. The government has issued one standard, but individuals and organizations follow completely different standards. According to a note issued by the Department of Telecommunications (“DOT”) in 2007, the use of bulk encryption is not permitted by Licensees, but nevertheless Licensees are still responsible for the privacy of consumers’ data (section 32.1). The same note pointed out that encryption up to 40 bit key length in the symmetric key algorithms is permitted, but any encryption higher than this may be used only with the written permission of the Licensor. Furthermore, if higher encryption is used, the decryption key must be split into two parts and deposited with the Licensor. The 40 bit key standard was previously established in 2002 in a note submitted by the DOT:“License Agreement for Provision of Internet Service (including Internet Telephony)’ issued by Department of Telecommunications”[6] Though a 40 bit standard has been established, there are many sectors that do not adhere to this rule. Below are a few sectoral examples:</p>
<ul><li>A) Banking: ‘Report on Internet Banking’ by the Reserve Bank of India 22 June 2001:</li></ul>
"All transactions must be authenticated using a user ID and password. SSL/128 bit encryption must be used as the minimum level of security. As and when the regulatory framework is in place, all such transactions should be digitally certified by one of the licensed Certification Authorities.”[7]
<ul><li>B).Trade: The following advanced security products are advisable:</li></ul>
<p>"Microprocessor based SMART cards, Dynamic Password (Secure ID Tokens), 64 bit/128 bit encryption"[8]</p>
<ul><li>C).Trains: ‘Terms & Conditions’ for online Railway Booking 2010:<br /></li></ul>
<p>"Credit card details will travel on the Internet in a fully encrypted (128 bit, browser independent encryption) form. To ensure security, your card details are NOT stored in our Website.”[9]</p>
<p>The varying level of standards poses a serious obstacle to Indian business, as foreign countries do not trust that their data will be secure in India. Also, the differing standards will pose a compliance problem for Indian businesses attempting to launch their services on the cloud.</p>
<h3>Data Security, Encryption, and Privacy:</h3>
<p>To understand how encryption relates to privacy, it is important to begin by looking at data security vs. privacy. Security and privacy have an interesting relationship, because they go hand in hand, and yet at the same time they are opposed to each other. First, data security and privacy are not the same. Breaches in data security occur when information is accessed without authorization. There is no loss of privacy, however, until that information is misused. Though data security is critical for protecting privacy, the principles of data security call for practices that threaten privacy principles. For example, data security focuses on data retention, logging, etc, while privacy focuses on the consent, restricted access to data, limited data retention, and anonymity[10]. If security measures are carried out without privacy interests in mind, surveillance can easily result in severe privacy violations. Thus, data security should influence and support a privacy regime but not drive it. In this context, encryption and data security will create an expectation of privacy, rather than undermine or overshadow privacy. By the same token encryption cannot be seen as the cure for privacy challenges. Encryption cannot adequately protect data, but when supported by a strong privacy and security regime – it can be very effective. It is also a good measuring rod for determining how committed a company has been to protecting a person’s privacy and ensuring the security of his or her data. In light of the symbiotic yet complicated relationship that privacy and data security have with each other, it would make sense for legislation and domestic encryption standards to be merged and addressed together. This would ensure that a) the standard is not archaic (as the current 40 bit one is); b) would take into account the threat to privacy that surveillance can impose and would address decryption when addressing encryption; and c) would anticipate the collection and cataloging of data and ensure security of the data and person as well as national security.</p>
<h3>National Security and Encryption</h3>
<p>Encryption is a subject that causes governments a great deal of concern. For example in order to preserve foreign policy and in national security interests, the US maintains export controls on encryption items [10]. This means that a license is required to export or re-export identified items. Though the Indian government currently does not have an analogous system, it would be prudent to consider one. Though the government is aware of the connection between encryption and national security, it seems to be addressing it by setting a low standard for the public which enables it to monitor communications etc. easily. It is important to remember though that today we live in a digital age where there are no boundaries. One cannot encrypt data at 40 bits in India and think it is safe, because that encryption can be broken everywhere else in the world. Despite the fact that there are no boundaries in the digital age, users of the internet and communication technologies are subject to different and potentially inconsistent regulatory and self-regulatory data security frameworks and consequently different encryption standards. One way to overcome this problem could be to set in fact a global standard for encryption that would be maximal for the prevention of data leaks. For instance, there are existing algorithms that are royalty free and available to the global public such as the Advanced Encryption Standard algorithm, which is available worldwide. The public disclosure and analysis of the algorithm bolsters the likelihood that it is genuinely secure, and its widespread use will lead to the expedited discovery of vulnerabilities and accelerated efforts to resolve potential weaknesses. Another concern that standardized encryption levels would resolve is the problem of differing export standards and export controls. As seen by the example of the US, industrialized nations often restrict the export of encryption algorithms that are of such strength that they are considered “dual use” – in other words, algorithms that are strong enough to be used for military as well as commercial purposes. Some countries require that the keys be shared, while others take a hands-off approach. In India joining a global standard or creating a national standard of maximum strength would work to address the current issue of inconsistencies among the required encryption levels.</p>
<h3>The Relationship between the Market, the Individual, the State, and Encryption</h3>
<p>Moving away from the technical language it is useful to break down encryption from a social science point of view. Who are the actors involved – what is their relationship with each other, and how does encryption come into the picture. When one looks at encryption it is possible to conceive of many different scenarios, each with different players. In the first scenario there is an individual and another individual. They are sending information back and forth. The third individual could be an entity, a business, or just another individual. The first two individuals want to keep their information away from this third, unknown person or entity. For that reason, the first two encrypt their communications. Encryption is a tool that has the ability to re-draw the lines between the public and private sphere by giving individuals the ability to form a very private line of communication, and thus a very private relationship in a space that is very non-private - such as the internet. In another scenario between the individuals and the markets – the market wants information about an individual to enhance its effectiveness and profits. To create trust, the market promises that information given is encrypted. Thus, the market is attempting to initiate a trusting relationship with individuals. This relationship though, is forced and false, because individuals must compromise how much information they disclose for a product or service in return.</p>
<p>In the second scenario, there is an individual, another individual, and a Government. In this situation the two individuals again say that they want to have a private conversation in a public space, and so it is encrypted, but the Government – which is worried about national security decides that it wants to listen in on the conversation. This places a new dynamic on the relationship. No longer are the two individuals private. Not only can the government hear their conversation, but they have no choice over whether their conversation is heard or not. This is a relationship based off of the premises of distrust between the government and individuals. It presupposes, and is biased in assuming, that if you have done nothing wrong – you have nothing to hide.Using the same set of actors, perhaps a government requires the collection of information about its citizenry that is sensitive. To ensure the privacy of its people, the government encrypts the information, but the individual has essentially lost control over his/her information. He/she is forced to trust that the Government will not misuse the information given.</p>
<p>In the third scenario there is a market, an, individual, and the government. The market gathers information about an individual on transactional levels, but encrypts it – because in the wrong hands – this information could be misused. The government still wants access to the information and so they demand the information. What does the market say? Does it side with the individual or the Government? If governments sanction the market, they can make it bend to their will. Thus, the government is in a position to control the market and the individual, but to what ends and for what means. In all of these situations the understood role of the market, the government, and the individual has been shifted by the ability to encrypt information. The idea of using encryption as a means to keep information safe speaks to a new relationship that has formed between the government, the market, and the individual.</p>
<h3>Bibliography:</h3>
<ol><li> Burke, Jerome. McDonald, John. Architectural Support for Fast Symmetric-Key
Cryptography</li><li>Munro, Paul. Public Key Encrpytion. University of
Pittsburgh. 2004</li><li>Merkle, Ralph. One Way Hash Functions and DES. </li><li>Department of Commerce. Federal information Processing Standards Publication. The Keyed - Hash Message Authentication Code. http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf</li><li>http://www.ruskwig.com/random_encryption.htm </li><li>http://www.indentvoice.com/other/ISPLicense.pdf<br /></li><li>Report on Internet Banking’ by The Reserve Bank of India: 22 June 2001</li><li>
Internet
Trading guidelines issued by Securities & Exchange Board of India: 31
January 2000</li><li>Website of IRCTC (a
public sector undertaking under the Ministry of Railways)</li><li>American Bar Assiociation: International Guide to Privacy.<span class="MsoFootnoteReference"><span class="MsoFootnoteReference"></span></span></li><li><span class="MsoFootnoteReference"><span class="MsoFootnoteReference"></span></span> Department of Commerce: Bureau of Industry and Security –
Encryption Export Controls. June 25 2010
</li></ol>
<ol></ol>
<ol></ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy_encryption'>https://cis-india.org/internet-governance/blog/privacy/privacy_encryption</a>
</p>
No publisherelonnai2012-03-22T05:39:16ZBlog EntryA Stolen Perspective
https://cis-india.org/internet-governance/blog/privacy/privacy_astolenperspective
<b>The note below is a perspective piece on biometrics. On March 11th I traveled down to the Philippines, and had a chance to experience the possible convenience of biometric based identification.</b>
<h3>A Sequence of Events </h3>
<p>On the evening of March 11th I found myself on a plane destined to the Philippines for a week long joint privacy and ICT development conference in Bohol. After a 14 hour journey I landed in Manila, and was welcomed by the hot tropical weather, so familiar to the Philippines. Hungry I quickly dropped my checked bag at the hotel, and taking my backpack, set out immediately to explore Filipino food culture. Over a dinner of rice and grilled chicken, the standard local cuisine every tourists nightmare came true for me. I was robbed. While eating a group of men made a commotion around me and snatched my bag. Much to my distress the thief was able to get away with not only money and my camera, but my entire wallet consisting of my passport, Indian visa, Canadian visa, health card, FRO paper, and debit cards. In a nutshell – the wallet had every document essential and of value to my life. Little does the thief know, but his one snatching act has made me reconsider many aspects of my life, including my position on biometric forms of identification.</p>
<p>For the past several months I have been researching biometric forms of identification in response to the UID scheme that is being proposed in India. My stance on biometrics in my research has always been neutral – trying to draw out both the pro’s and the con’s of using biometrics. Personally though, I had always swayed away from the idea of my biometric being the strongest form of identification. The possibility that my daily motions could be easily tracked through the constant use of my finger print for transactions never settled well with me. Potential convergence of databases, unreliable technology, the possibility of stolen fingerprints, no choice to use other forms of identification have all been concerns that swayed me to the less optimistic side of the debate. But after jumping over hurdle after hurdle that came along with trying to replace the lost paper documents, and sweating at night thinking of all the possible ways the thief could exploit my papers, I am more privy to the idea of biometrics as a strong form of identification. </p>
<p>The process of recovering my documents started off with a police report and the cancelling of my cards. The second task was not as easy as I had hoped, as I had not brought photocopies of my cards. Thus, it took me three hours to actually cancel my cards. Throughout the whole process I kept thinking that if my account was only accessible through my fingerprint – I would not have to worry about closing the accounts. Or if I could have identified, verified, and cancelled my account with the use of a cell phone equipped with a fingerprint reader, I would not have had the stress of rushing around trying to find adequate information to cancel my bank account.</p>
<p>The next step in the process started early Monday morning when I set out to the American Embassy. Luckily the hotel had taken a copy of my American passport (I did not have a photocopy of this either). With the copy of the passport, police report, and my social security number – the American embassy was able to pull up my information, and issue me an emergency passport that would be valid for three months. If I had not had a copy of my passport – the process of getting an emergency passport I can only imagine would have been even more challenging. As I sat for hours in the embassy my mind wandered to the thief and the known market for American passports. I could not help but think about how much more secure my passport would be if verification was based on my fingerprints accompanied by a passport, rather than just my passport and a picture. Speaking with the embassy officer confirmed my thoughts. He talked about how fake American passports are becoming harder and harder to use now that the biometric has been introduced. In this situation the biometric would be a form of convenience and security – a way of lowering the risks of my stolen passport from being misused and my identity from being taken advantage of. </p>
<p></p>
<p style="text-align: justify;">On Tuesday morning I took on the
challenge of the Indian embassy. I officially came to India 8 months ago on an employment visa. When I
explained my situation to the embassy I hit my first road block of the day. By
rule, all matters relating to employment visa’s must be handled by and at the place
of issuance. Country databases do not talk between eachother – thus the Indian
embassy in the Philippines could not contact the Indian embassy in the States
or in India to verify my information. Therefore,
for my employment visa to be replaced I would need to return to New York and
speak with the embassy there. This was not an option. Speaking again with the
officer, he finally suggested a tourist visa. Typically tourist visa’s are not
issued on 3 months passports (my emergency passport was only three months), but
the officer made an exception and agreed to issue a tourist visa. When I went
to pay for my tourist visa I hit my second road block of the day. I was lucky
and had kept one credit card in another bag, but as it turns out, the Indian
embassy only accepted cash. The day was almost over and I needed to pay for my
application for it to be processed. The officer had already made an additional
exception, and had agreed to process my visa in three days (when my return
flight to India was scheduled) rather than the typical six working days. Trying
to think on my feet I sped to the nearest mall and tried to take money out of
an ATM. No luck. I tried to get cash back on a grocery store purchase. No luck.
I tried to western union myself money from my VISA. No luck. Finally I was able
to get through to a friend of my boss who could loan me the cash, but not until
the next morning. So, I rushed back to the embassy and begged with the officer
to process my visa in two days rather than one. Thankfully he agreed. Riding the local metro back to my hotel I
thought again about how convenient it would have been to have my credit
accessible through my fingerprint, and not have to rely on a card.</p>
<h3 style="text-align: justify;">Biometric is a convenience: </h3>
<p>This experience, and the many hurdles that I needed to jump in order to replace my lost papers made me realize that one side of the biometric debate that is often glazed over with talk of security and privacy, is that of convenience. It would have been incredibly convenient if on my initial visit to the American Embassy they had been able to pull up my entire file, re-issue me my lost passport and visas, and accepted payment through credit accessed through my fingerprint and a pin. Though I am still aware of the risks associated with biometrics as a form of identity, this experience has shown me the positive side and convenience of having a biometric identification rather than paper forms of identification.</p>
<h3>Perhaps there is a privacy happy medium:</h3>
<p>This experience has shown me that the use of biometric technology has many benefits. I do not think it is too far a leap to say that biometrics can be convenient and privacy enhancing. For instance, based off of research done by the Canadian Government on biometrics, there are many pivotal areas of biometrics which determine whether they are used in a way that enhances privacy or used in a way which invades privacy such as:</p>
<ul><li><strong>Distinguish between authentication and identification:</strong></li></ul>
<p> Identification involves a comparison of one biometric against all collected biometrics in one central database. Authentication involves a comparison of a live biometric against a stored template. Thus , the central database should not be accessed for both authentication and identification processes . Placing a biometric on a smart card puts the control of access for authentication in the hands of the data subject [1].</p>
<ul><li><strong>Encryption </strong></li></ul>
<p>A biometric should be encrypted whenever it is used. A biometric should be encrypted to this degree that it is not possible to reconstruct the biometric data. After an encrypted version of the biometric is made, the original biometric should be deleted [2].</p>
<ul><li><strong>No unique identification</strong> </li></ul>
<p>A fingerprint scan should not, and cannot be used alone to identify an individual [3].</p>
<ul><li><strong>Access control</strong></li></ul>
<p>Strict control on access regarding third parties should be enforced. To bolster this point, a warrant or court order should be required for access by external agencies.</p>
<ul><li><strong>Transactional information stored separately</strong></li></ul>
<p>Transactional information about a person should be stored separately from personal identifiers such as name or date of birth [4].</p>
<ul><li><strong>Procedural safeguards given legality </strong></li></ul>
<p>All procedural and technical safeguards that are established should be placed in a legislation to give them the force of the law.</p>
<h3>Biometrics in India</h3>
<p>Though there is no way to make a biometric perfectly safe, these standards, if enforced, I believe work to ensure that a biometric is as secure as possible. In India biometrics has become a controversial topic as the country is currently considering/has begun to implement the UID – an identity scheme based off of biometrics. Concerns with the project include the centralized storage of biometric information, the possibility of tracking individuals through the use of their biometric, and the unreliability of the technology. For example in an article found in Money Life, test results from the UID project showed the possibility of up to 15,000 false positives for every Indian resident [5]. Biometrics have been used in India even before the UID scheme. In 2009 schools proposed to use biometrics as a way of marking attendance for both the students and the teachers in order to decrease the dropout rate and insure that teachers are present in school [6] . Also in 2009 fishermen in the coastal village of Awas were issued the biometric based multi-purpose National Identity Card [7]. The MNIC scheme was later dropped. Clearly India is in a position where she must think about the convenience of biometrics weighed against the privacy risks, and determine how biometric use in India should be secured in order to find a balance between the two. </p>
<h3>Bibliography</h3>
<ol><li>Office of the Privacy Commissioner of Canada. Data At Your Fingertips: Biometrics and the Challenges to Privacy. Pg.10</li><li> Cavoukian, Dr. Ann. Privacy and Biometrics. Information and Privacy Commissioner Ontario, Canada. Pg. 4 <br /></li><li>Office of the Privacy Commissioner of Canada. Data At Your Fingertips: Biometrics and the Challenges to Privacy. Pg.10</li><li>Office of the Privacy Commissioner of Canada. Data At Your Fingertips: Biometrics and the Challenges to Privacy. Pg.9</li><li>http://www.moneylife.in/article/how-uidai-goofed-up-pilot-test-results-to-press-forward-with-uid- scheme/14863.html</li><li>http://articles.timesofindia.indiatimes.com/2009-02-25/mumba</li><li>http://28038452_1_smart-cards-biometric-coastal-villages<br /></li></ol>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy_astolenperspective'>https://cis-india.org/internet-governance/blog/privacy/privacy_astolenperspective</a>
</p>
No publisherelonnai2012-03-21T09:43:51ZBlog EntryPrivacy and Governmental Databases
https://cis-india.org/internet-governance/blog/privacy/privacy-govt-databases
<b>In our research we have found that most government databases are incrementally designed in response to developments and improvements that need to be incorporated from time to time. This method of architecting a system leads to a poorly designed database with many privacy risks such as: inaccurate data, incomplete data, inappropriate disclosure of data, inappropriate access to data, and inappropriate security over data. To address these privacy concerns it is important to analyze the problem that is being addressed from the perspective of potential and planned interoperability with other government databases. Below is a list of problems and recommendations concerning privacy, concerning government databases. </b>
<h2>Government Databases and recommendations for privacy practices</h2>
<ol><li>
<p> <strong>Citizen-State relationships and privacy standards</strong><br />Government databases foster different types of relationships between the state and its citizenry. For instance: User databases, service providing databases, and information providing databases. Each one these relationships requires a different level of privacy. Thus, it is important to identify the type of relationship that the database will foster in order to determine what type of privacy model to implement.</p>
</li><li>
<p><strong>Specific privacy policy </strong></p>
<p>Each government database should have a specific privacy policy that are tailored to the information that they hold. Each policy should cover the following areas:</p>
<ul><li>data collection</li><li>digitization</li><li>usage</li><li>storage</li><li>security</li><li>disclosure</li><li>retrieval</li><li>access (inter departmental and public)</li><li>anonymization, obfuscation and deletion.</li></ul>
</li><li>
<p><strong>Personal vs. personal sensitive and public vs. non-public data categories </strong></p>
<p>Data in government databases requires varying degrees of privacy safeguards. The division of personal information vs. non personal information etc. creates distinct</p>
<p>categories for security levels over data and permissibility of public disclosure. Ex of personal information: Name, address, telephone number, religion. Ex of non-personal data: gender, age. This could work to avoid situations such as the census - where a person’s name, address, age, etc, were all printed for the public eye.</p>
</li><li>
<p><strong>Standardization of Privacy Policies and Access Control </strong></p>
<p>Government databases should all be designed upon interoperable standards so that the databases can "talk" to each other. The ability to coalesce databases strengthens the potential for use and reuse by different stakeholders. Furthermore, the interoperability of systems helps to avoid the creation of silos that hold multiple copies of the same data. To protect the privacy in interoperable systems - restricted and authorized access within departments and between departments is key. The Department of Information Technology has recently published a "Government Interoperability Framework" titled "Interoperability Framework for eGovernance" This policy document is the appropriate place to articulate interoperable privacy policies that could be adopted across eGovernance projects.</p>
</li><li>
<p><strong>Record of breach notification </strong></p>
<p>If data breach occurs in government database, the breach should be recorded and the appropriate individuals notified.</p>
</li><li>
<p><strong>Anonymization/obfuscation and deletion policies </strong></p>
<p>Once the purpose for which the data has been collected has been served it must be anonymized/obfuscated or deleted as appropriate. All data-sets cannot be deleted as bulk aggregate data is very useful to those interested in trend analysis. Anonymizing/obfuscating the personal details of a data set ensures that privacy is protected during such trend analysis.</p>
</li><li>
<p><strong>Accountability for accuracy of data </strong></p>
<p>Frequently data that is collected and entered into government databases is not accurate, because the departments are not collecting the data themselves. Thus, they feel no responsibility for its accuracy. If a mechanism is built into each database for identification of each data source this brings accountability for data accuracy.</p>
</li><li>
<p><strong>Appropriate uses of government databases </strong></p>
<p>Businesses should feel automatically entitled to aggregate and consolidate public information from government databases because it is technically possible to do so. Their uses of government database must be guided by policies that define "appropriate usage."</p>
</li><li>
<p><strong>Access, updation and control of personal information </strong></p>
<p>Citizens must be able to access and update their information. Furthermore, they should be able to define to a certain extent access control to their information - which would automatically make them eligible or ineligible for various government services.</p>
</li></ol>
<p><strong>Bibliography </strong></p>
<ul><li>
<p>Rezhui, Abdemounaam. Preserving Privacy in Web Services. Department of Computer Sciences, Virginia Tech.</p>
</li><li>
<p>Medjahed, Brahim. Infrastructure for E-Government Web Services. IEEE Internet Computing, Virgina Tech. January/Feburary 2003.</p>
</li></ul>
<ul><li>Mladen, Karen. A Report of Research on Privacy for Electronic Government. Privacy in Canada</li></ul>
<p> joi.ito.com/privacyreport/Contents_Distilled/.../Canada_E_p252-314.pdf</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-govt-databases'>https://cis-india.org/internet-governance/blog/privacy/privacy-govt-databases</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2012-03-22T05:41:38ZBlog EntryAn Open Letter to the Finance Committee: SCOSTA Standards
https://cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee
<b>The UID Bill has been placed to the Finance Committee for review and approval. Through a series of open letters to the Finance Committee, civil society is asking the committee to take into consideration and change certain aspects of the Bill and the project. The below note compares the SCOSTA standard with the Aadhaar biometric standard, and explains why we believe the SCOSTA standard should replace the Aadhaar biometric standard for the authentication process in the UID scheme.</b>
<h3>Introduction</h3>
<p>This note is intended to demonstrate how the Aadhaar biometric standard is weaker than the SCOSTA standard. Through a comparison of the SCOSTA standard-based smart card and the Aadhaar biometric-based identification number, it will show how the SCOSTA standard is a more secure, structurally sound, and cost effective approach to authentication of identity for India. Though we recognize that <span class="Apple-style-span">Aadhaar</span> biometrics are useful for the de-duplication and identification of individuals, we believe that the SCOSTA standard is more appropriate for the authentication of individuals. Thus, we ask that the Aadhaar biometric based authentication process be replaced with a SCOSTA standard based authentication process.</p>
<h3>A background of the two standards</h3>
<p>The SCOSTA standard is used in smart cards and was developed by the National Informatics Centre in India. It is:</p>
<p>1. Compliant with the international standard ISO-7816 for smart cards.</p>
<p>2. Based on a public/private key and pin authentication factor</p>
<p>3. Authentication factor refers to an individuals keys, pass-phrases, and pin.</p>
<p>The biometric standard authenticates the identity of an individual based on his or her physical fingerprints and iris scans (in the case of the UID). The standard:</p>
<p>1. Verifies if the individual exists within a known population by comparing the biometric data to those of other individuals stored in a secured centralized database.</p>
<p>2. Based on a symmetric authentication factor</p>
<h3>A comparison of the two standards</h3>
<table class="plain">
<tbody>
<tr>
<td><b>Standard </b><br /></td>
<td><b>SCOSTA - MNIC smart card</b><br /></td>
<td><b>Aadhaar Biometric - UID number </b><br /></td>
</tr>
<tr>
<td><b>Architecture </b><br /></td>
<td><b>Decentralized </b><br />SCOSTA standards require a pair and key combination with a pin, and thus can be structured in a decentralized manner <br /></td>
<td><b>Centralized</b><br />Aadhaar biometric standards require symmetric <br />authentication factors, and thus must be structured in a centralized manner <br /></td>
</tr>
<tr>
<td><b>Standards for Technology </b><br /></td>
<td><b>Open standard<br /></b>Creates security through transparency <br /></td>
<td><b>Closed standard </b><br />Creates security though obscurity <br /></td>
</tr>
<tr>
<td><b>Points of failure </b><br /></td>
<td><b>Multiple points of failure</b><br />The SCOSTA standard has multiple points of failure, because of decentralized structure, thus if one data base is compromised all data is not lost.<br /></td>
<td><b>Single point of failure </b><br />The Aadhaar Biometric standard has one single point of failure, because of centralized structure, thus if the data base is compromised all data is lost<br /></td>
</tr>
<tr>
<td><b>Impact on local industry </b><br /></td>
<td><b>Encourages</b><br />Open standards allow local industry to compete in manufacturing technology<br /></td>
<td><b>Discourages</b><br />Closed standards allow foreign players to monopolize the manufacturing of technology <br /></td>
</tr>
<tr>
<td><b>Cost analysis </b><br /></td>
<td><b>Cost effective </b><br />Increased competition keeps prices low <br /></td>
<td><b>Cost ineffective </b><br />Decreased competition keeps prices high<br /></td>
</tr>
<tr>
<td><b>Revocation</b></td>
<td><b>Revocable</b><br /> If the key pair and pin are stolen, a new set of passwords can be issued<br /></td>
<td><b>Permanent</b> <br />If the biometrics of an individual are stolen, they cannot be re-issued <br /></td>
</tr>
<tr>
<td><b>Possibility of fraudulent authentication </b><br /></td>
<td><b>Lower</b><br />A thief must steal your smart card and your secret pin to commit fraud <br /></td>
<td><b>Higher</b><br />A thief only needs to collect your fingerprints using a glass tumbler to commit fraud <br /></td>
</tr>
<tr>
<td><b>Viability of Technology</b></td>
<td><b>Proven effective for large populations </b><br /></td>
<td><b>Not proven effective for large populations</b><br /></td>
</tr>
</tbody>
</table>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee'>https://cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee</a>
</p>
No publisherelonnaiPrivacy2013-12-20T03:58:09ZBlog EntryDoes the UID Reflect India?
https://cis-india.org/internet-governance/blog/privacy/uid-reflects-india
<b>On December 17th the Campaign for No UID held a press conference and public meeting in Bangalore. Below is a summary and analysis of the events. </b>
<h3>Introduction</h3>
<p>Scientifically speaking, we are each unique. We have unique bodies and minds, and these give rise to unique understandings, interactions, and perceptions. Despite being unique, we can be put into different categories and classes, one of which is a culture. A culture is defined by its values, which are reflected in its legal system. Consequently legal systems are always changing – bills are constantly being amended, passed, and retracted in order to make the governing legal structure reflect the ethos of that society. Thus, when analyzing a piece of legislation it is important to ask if that bill is meaningful in a way that reflects the ideas, values, attitudes, and expectations that a society has. This is the question that Usha Ramanathan, Mathew Thomas, and others in the Campaign for No UID have been asking about the UID project, and urged the public to ask the same question in the press conference and public meeting held on the 17th of December. According to the Campaign for No UID, the project and Bill fail to reflect and meet the current needs that exist in India. The UID Bill, the proposed legislation for the project, authorizes the creation of a centralized database of unique identification numbers that are to be issued to every resident of India. The numbers will act as identity. Recently, the Bill was sent to the Parliamentary Standing Committee on Finance, and is scheduled to be enacted in early 2011. The UID project is attempting to create a technological solution to the identification problem in India. It is well-known that India faces challenges in identifying its citizens and residents. Individuals either have no identification – restricting their access to society and benefits -- or, in some cases, they have multiple identities, therefore taking advantage of society at the expense of others, or a person does not have any identification – therefore escaping civil duties. The confusing identity system that exists in India has many negative drawbacks including the facilitation of corruption, illegal immigration, and possible security threats. The UID project attempts to provide a system of identity that is based on individuals’ biometrics, and that places the whole of India on a grid through the issuance of 12 digit <em>Aadhaar</em> numbers. The Campaign for NO UID does not deny the need for an efficient identity system, is not against technology, and does not deny that the current identity system has problems. Instead, it believes that the project does not adequately address the issues at hand, while at the same time creating a real prospect of harmful ramifications. </p>
<h3>Benefits for the Poor</h3>
<p>Though the UID project only gives identity to an individual, it has been envisioned as a means of ensuring the delivery of benefits to the poor. According to the World Bank, within India 41% of the population lives below the poverty line, and targeting the need to ensure benefits for the poor is an appropriate vision. Furthermore, as reflected in the Right to Food Act, there is a cultural understanding and expectation that the State needs to work to bring benefits to the poor. The point that Ms. Ramanathan draws attention to, though, is that the goal of bringing benefits to the poor is just a vision. The project and the Bill are not structured in a way that guarantee benefits to the poor. Instead, by trying to include the perception of this benefit, the language of the Bill has become too broad. The wide-sweeping language allows room for abuse of how information that is collected will be used.</p>
<h3>Appropriate Methodology</h3>
<p>Ms. Ramanathan also questions the methodology of the UID project. The collection of biometrics is not an absolute insurer of identity, in the way that DNA would be. A person’s biometrics are in fact very public. They are left on anything one touches, and can easily be reproduced for use by others. Identity theft is thus easily accomplished if biometrics are the only safeguard. Realistically, the vast majority of India’s population would not know what to do or how to seek redress if identities were stolen – indeed, many would not even be aware of the fact that their identity had been stolen. Thus, the project establishes a hierarchy of vulnerability. Those who understand and have access to technology and the legal system are better able to protect their identity (or abuse another’s), and the rest of the population is at the mercy of the people who possess that knowledge and those connections.</p>
<h3>Legal Questions</h3>
<p>Ms. Ramanathan also brought up a few legal issues with the UID Bill. Most importantly she pointed out that the UID project is not legal, yet enrollment of individuals has been taking place. Not only is this action undemocratic, but it is presumptuous of the UIDAI to assume that their project will have legal validity. Another legal issue raised by Ms. Ramanathan was in concern with the compulsory nature of the <em>Aadhaar</em> number. Legally the UID Bill does not make the <em>Aadhaar</em> number compulsory. Instead, the project is structured in such a way that the UID number is socially compulsory. Ms. Ramanathan argues that this is unfair of the UIDAI. If the number were to be truly voluntary, the UID would need to include clauses that prohibit the denial of goods, services, entitlements and benefits for lack of a UID number. An individual would need to be able to access benefits with alternative forms of identification before the <em>Aadhaar</em> number would be truly voluntary.</p>
<h3>Does India Comprehend what the UID Could Bring?</h3>
<p>Another fear voiced by Mrs. Ramanathan in her presentation was the level of public comprehension. Even though the project will touch the lives of every human being who comes to India, the majority of the Indian population has not thought through why they support or do not support the project, and most do not comprehend the dangerous implications of the UID project. Connections are not being made and clearly publicized about how the project could be used in the future. For example, once everyone has a set of personal data that is uploaded on a centralized database, there is a new concern over that data. What is happening to it, who is using it, what is it being used for, who is seeing it, who is analyzing it, what happens if that data is lost? One of the serious implications of the project is its’ threat to anonymity. Anonymity results when the personal identity, or personally identifiable information of a person is not known. Anonymity already exists today in Indian society by default.. This will change, though, with the UID. One’s body will become a traceable marker that will be readily identifiable to law enforcement and other agencies. By issuing numbers to each person, that will be used for every transaction – it will be possible to create a map of the population and tag information about individuals in a way that changes the relationship between the state and the people. Though it is true India could benefit from a lesser degree of anonymity. For instance corruption might be easier to control. The Bill takes no steps, though, to ensure under what conditions anonymity will be preserved. Thus, the project has the potential to be widely misused for intensive surveillance and the policing of populations – not just for illegal activity but for disfavored or unpopular activity as well.</p>
<h3>Conclusion</h3>
<p>One way to avoid the misuse of data is through the adherence to privacy standards such as how data should be processed, transferred etc. India does not of yet have such a privacy law, and such principles are not reflected in the text of the Bill itself. The fact that the UID bill and project bring into focus principles that are not yet fully reflected in the social and legal framework of society can be problematic. On one hand this Bill can push India to adopt those principles, in which case a data protection and privacy bill must be enacted, and awareness must be raised. On the other hand, the Bill can simply overshadow the populace, allowing significant violations of privacy and anonymity to take place with no assurance of redress. As Ms. Ramanathan noted, even though the project is not reflective of Indian society, the way in which the project is being marketed is. The project has been tied to the image of Nandan Nilekani, and the message is clear: the project must be good. The Campaign for No UID is asking the public to look beyond the face of the project, and consider whether or not this is the India they imagine.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/uid-reflects-india'>https://cis-india.org/internet-governance/blog/privacy/uid-reflects-india</a>
</p>
No publisherelonnaiInternet Governance2012-03-22T05:45:32ZBlog EntryThe Privacy Rights of Whistleblowers
https://cis-india.org/internet-governance/blog/privacy/privacy-wikilileaks-whistleblowers
<b>The recent disclosures from Wikileaks have shown that the right to information, whistle-blowing, and privacy are interconnected. This note looks at the different ways in which the three are related, as well as looking at the benefits and drawbacks to Wikileaks in terms of privacy. </b>
<h3>Introduction<br /></h3>
<p>In a recent interview, the Canadian Privacy Commissioner was quoted as saying “Information and the manipulation of information is the key to power. Those who can control the information can influence society enormously.” History and present-day society have both proven the truth in this statement. It is one among many reasons that the right to information is important to uphold. In India, and in other countries, there are statutes – in India, the Right To Information Act – that entitles the public to request and receive information that pertains to public bodies and their conduct, information that is publicly available because it is intrinsically related to the public interest. An entirely separate but equally critical way in which the public is kept informed is through whistle-blowing. Traditionally, whistle-blowing is any disclosure made in the name of public interest. Recent events such as the Ratan Tata case and the leaks of US diplomatic cables have brought to light the relationship between the public’s right to information, the rights of whistleblowers, and the rights of individuals to privacy. These recent cases have shown that the right to information, whistle-blowing, and the right to privacy are interconnected, because privacy can provide individuals with the means to sustain autonomy against potentially overwhelming forces of government and persons who might have mixed motivations. The right to information and whistle-blowing are means by which the government is held accountable to the public if they violate the law or the public trust. The Wikileaks case and the Ratan Tata case raise important questions about when those two interests need to give way to private interests. One of the key questions that Wikileaks raises is: if whistleblowing is supposed to be disclosure in the public interest -- i.e., to protect the public – should disclosure of personal information be permissible only if a person can demonstrate that he/she is trying to remedy or avoid actual wrongdoing rather than simply publishing information that is "interesting to the public?"</p>
<h3>What is a Whistleblower and how does a Whistleblower Benefit from Wikileaks? <br /></h3>
<p>Whistleblowing is the modern counterpart to “informers” – people who reveal others’ wrongdoing. Much whistleblowing occurs by going "up the chain" in a person's own department or agency or company. If the person is reporting wrongdoing and the person ultimately goes to the authorities about illegal activity, the individual reporting the leak can sometimes get immunity for his or her own actions, can sometimes collect part of the penalties, and can under certain statutes in some countries even bring suit if the company retaliates against him -- for example, by firing him. In this way traditional whistleblowing places the responsibility for legal and ethical conduct on employees who are better situated to see wrongdoing than outsiders would be. In many countries, a person may present information of a whistleblowing nature to a judicial body. The judicial body then determines the validity of the information, the degree of public interest involved, and the proper form of redress to be taken. The judicial body offers legal protection to the whistleblower. Another method of whistleblowing is to leak information to the press. Once information is in the public domain – at least if there is freedom of press -- the information can no longer be covered up. Neither the right to free press, nor the right to protection as a whistleblower is universal. The current critique of the Indian Whistle Blowing Bill is that the right to protection will not be ensured. A Times of India article issued in September 2010 pointed out that the Whistle Blowing Act’s biggest weakness is that the Bill’s Central Vigilance Commission is designated to play both the role as competent authority to deal with complaints file by whistleblowers and as the tribunal to protect whistleblowers. Structuring the power to allow one body to fulfil both functions runs the risk of bias and could breed distrust that would cause people to avoid the system altogether. The article complained that the Bill has no teeth, and that even if the Commission believes that the whistleblowing is valid, it is able only to give advice rather than actually to prosecute individuals. The article recites extreme instances in which individuals have blown the whistle and paid for it with their lives. For example: in 2005 a manager of the Indian Oil Corporation was killed after exposing a scheme in adulterated petrol, and in 2010 an RTI activist was killed after exposing land scams in Mahrashtra. In these situations, Wikileaks is an interesting and powerful tool for individuals who either do not want to leak their information to a judicial body or are not protected if they do so in their own country. Leaking information to Wikileaks is in one sense analogous to leaking information to the press, but it is not precisely the same because it is not a news media outlet, but instead is a way for a person to post information on a mass media outlet. It should be noted, however, that informants who leak to Wikileaks are not afforded the same immunity that individuals who leak to authorities are granted. When an individual shares documents or information with Wikileaks, the site in turn acts as a platform to publish the information on the web and with the press. Being an independent entity that is neither tied down to a certain territory, government, or entity – Wikileaks has the pull of non-bias. But the strength of Wikileaks is also its weakness. When 250,000 diplomatic cables were posted, there was no one who understood the context of the content to monitor to ensure that everything was appropriate to post. As a result, the information was transmitted to an audience who normally would not be entitled to it. By doing so, the leaked information placed individual diplomats in precarious positions that could potentially put them in harm’s way and unnecessarily damage their reputations, as well as putting the reputation of the United States on the line.</p>
<h3>Privacy and Whistleblowing</h3>
<p>As a result the United States is looking to press charges against Julian Assange, founder of Wikileaks, for espionage. The way in which Wikileaks leaked information and the nature of the leak has brought privacy into the picture. When looking at the act of whistleblowing through the lens of privacy, there are obvious privacy concerns for the whistleblower, for the person or entity whose information has been leaked, and for possible third parties involved. Paul Chadwick, the Victorian Privacy Commissioner, pointed out that for the whistleblower the main privacy concerns include the individual’s identity, safety, and reputation. For the alleged wrongdoer the privacy concerns include: identity, safety, employment, and liberty (where sanctions may include imprisonment). For third parties, reputation and safety can both be jeopardized by disclosures by whistleblowers. The Wikileaks leaks squarely present the question whether intent should be brought into the analysis of privacy and whistleblowers. If a whistleblower is disclosing with the intent protect the public, the protections afforded to this person should weigh differently against the privacy interests of alleged wrongdoers and third parties than for someone who is simply defining the public interest as “interesting to the public,” or, worse, as seen in the false leak by Pakistan against India, is looking to leak information to disrupt public interest. Even though Wikileaks works to protect the anonymity of individuals who leak information, it is not bound by any law to protect the privacy of individuals involved in the leak. The concept behind Wikileaks is important. By interacting with government information, it has the ability to bring accountability and transparency to governments, but the only regulation over Wikileaks is internal (and thus inherently subjective). Wikileaks needs to change its structure to take into account leaks shared without the intent of protecting the public interest and even then needs to monitor to prevent leaks that could place individuals in precarious situations or damage reputations with no validating information.</p>
<hr />
<h3>Sources:</h3>
<ul><li> http://www.ctv.ca/generic/generated/static/business/article1833688.html</li></ul>
<ul><li> Chadwick, Paul. Whistleblowing, Transparency, and Privacy: Aspects of the relationship between Victoria’s Whistleblowers Protection Act and the Information Privacy Act. </li></ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-wikilileaks-whistleblowers'>https://cis-india.org/internet-governance/blog/privacy/privacy-wikilileaks-whistleblowers</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2012-03-22T05:47:16ZBlog Entry UID & Privacy - A Call for Papers
https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers
<b>Privacy India is inviting individuals to author short papers focused on Unique Identity (UID) and Privacy. Selected candidates will have their papers published on the CIS website, and their transportation and accommodation provided for the “Privacy Matters” conference being held in Kolkata on 22 January 2010. </b>
<h3>Topic<br /></h3>
<p>Privacy and the UID</p>
<h3>Submission Deadline</h3>
<p> By 15 January 2010 to admin@privacyindia.org</p>
<h3>Word Length</h3>
<p> 3,000-5,000 words</p>
<h3>Topic Summary</h3>
<p>The <em>Aadhaar</em> scheme, or Unique Identity (UID) scheme is a plan to provide citizens identity cards that are tied to their unique biometric data – such as their fingerprints or retinal scans. Although the most frequently cited justification for this project is to ensure the secure delivery of relief to beneficiaries of government aid schemes, it is clear that the uses to which it will be put exceed this narrow mandate. </p>
<p>As India embarks on one of its most ambitious techno-administrative projects to date, there is surprisingly little clarity or introspection into the implications of having such a concentrated identity locked into a single card. In particular it appears that the grave threats to privacy the scheme poses have not received due attention. Although the final draft UID Bill circulated by the UIDAI in October 2010 contains some provisions that reference privacy, there seems to be a tacit assumption that privacy is an expendable or at least a less-desirable privilege that can be attended to fully once the scheme is in fully in place.</p>
<p>We invite individuals to author short inter-disciplinary papers that engage various topics on the theme of Privacy and the UID, including but not limited to the following:</p>
<ul><li> Comparative studies on privacy and national identity card schemes in other countries</li></ul>
<ul><li> Privacy and the UID Bill </li></ul>
<ul><li> How will a project such as the UID change the relationship between the state, the individual, and the market? </li></ul>
<p>Selected candidates will have their papers published on the CIS website, and their transportation and accommodation provided for the “Privacy Matters” conference being held in Kolkata on January 22nd 2010.</p>
<h3>Who We Are</h3>
<p> Privacy India was set up with the collaboration of the Centre for Internet and Society (CIS) and Society in Action Group (SAG), under the auspices of the international organization ‘Privacy International’. Privacy International is a non-profit group that provides assistance to civil society groups, governments, international and regional bodies, the media and the public in a number of countries (see <a class="external-link" href="http://www.privacyinternational.org/">www.privacyinternational.org</a>). Privacy India's objective is to raise awareness, spark civil action and promoting democratic dialogue around privacy challenges and violations in India. In furtherance of this goal we aim to draft and promote an over-arching privacy legislation in India by drawing upon legal and academic resources and consultations with the public.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers'>https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers</a>
</p>
No publisherelonnaiInternet GovernancePrivacy2012-03-21T10:03:44ZBlog Entry