Privacy and sexual health at Digital Citizen Summit

Hidden Pockets discussing Privacy with regard to sexual health at Digital Citizen Summit

We were present at Digital Citizen Summit organised by Digital Empowerment Foundation on 1st and 2nd November, 2018.

 

It was a great experience to discuss the role of privacy in our work on sexual and reproductive health and how do we work with other open source communities like Free Software Movement of Karnataka to build this further.

Do people living with HIV have a right to protect their health data?

“Consequently, as new cases brought new issues and problems before the Court, the content of the right to privacy has found elaboration in these diverse contexts. These would include telephone tapping (PUCL), prior restraints on publication of material on a death row convict (Rajagopal), inspection and search of confidential documents involving the banker – customer relationship (Canara Bank), disclosure of HIV status (Mr X v Hospital Z), food preferences and animal slaughter (HinsaVirodhakSangh), medical termination of pregnancy (SuchitaSrivastava), scientific tests in criminal investigation (Selvi), disclosure of bank accounts held overseas (Ram Jethmalani) and the right of transgenders (NALSA). Early cases dealt with police regulations authorising intrusions on liberty, such as surveillance. As Indian society has evolved, the assertion of the right to privacy has been considered by this Court in varying contexts replicating the choices and autonomy of the individual citizen.” – Supreme Court, Justice K.S. Puttuswamy and ANR. Vs. Union of India (2017)

The recent historic Supreme Court judgement that declared right to privacy as a fundamental right (guaranteed under Article 21 of the Indian Constitution) with reasonable restrictions,has looked at the intersection of privacy and medical jurisprudence in cases previously dealt with by the Supreme Court of India. Interestingly, this intersection has also included HIV and the right to privacy.

Existing challenges faced by HIV High-risk groups:

This judgement becomes especially more relevant for the members of high-risk groups living with HIV. National AIDS Control Organisation (NACO) classifies Female Sex Workers (FSW), Men who have sex with men (MSM), Transgenders (TG), Injecting Drug Users (IDU) and Truckers & Migrants as the high-risk groups most susceptible to HIV. It is worth noting that members from these groups are required to fill-out group specific application forms prescribed by NACO while testing for HIV. Though the National AIDS Control Programme is in Phase IV, these high-risks groups have been facing various degrees of challenges.

Apart from social prejudice, transgender community faces issues with valid identification document due to their gender identity. Often the gender and name on their official identification documents is different from the name and gender that they identity. Though the NALSA judgement 2014 gave them the right to their gender identity, procuring valid identification documents continues to be a challenge for the community. It is worth noting that Section 377 of the Indian Penal Code criminalizes the act of homosexual intercourse.This could apply to both MSM and transgenders. Due to the social stigma associated with their identity, it becomes significantly difficult for members of the transgender group, MSM and sex workers to reveal their identity in HIV testing centres, notes PawanDhall, Gender and Sexuality activist, Varta Trust and ex-Country Director, SAATHII. There is also the challenge of negligence from the hospital or testing centre staff with respect to revealing their identity or HIV status.

“No matter how much we say or NACO says why is that a lot of people ever want to go for a test on their own? It is because of their confidentiality being compromised. There have been so many examples of people saying that the problem begins once the counselor sends the person to the lab technician for the test. You will give your blood and go back home.If your test is positive on the day you come back you are almost at the mercy of the lab technician or the counselor. If their mind is not in the right place, they will talk about it out loud and people all around will come to know,” notes Dhall.

Aadhaar integration for HIV programme and the issues:

The government intends to establish integrated health information architecture to strengthen health surveillance, establish registries for diseases of public health importance by 2020.National Health Policy 2017 suggests exploring the use of Aadhaar for identification with heavy emphasis of privatization of healthcare in the country. Hence NACO’s website mentions initiating a project to link all PLHIV (People Living with HIV) to the Aadhaar card. It is not clear though if it has been mandatory.

However, it appears that some states (Madhya Pradesh andRajasthan)have mandated this linkage even with the Supreme Court saying that it is not mandatory to link Aadhaar. Though Aadhaar integration was expected to solve the issue of duplication of enrolment at ART centres for HIV treatment, it on the other hand, seems to have aggravated the situation. Patients have been avoiding registration with Anti-Retiroviral Therapy (ART) centres for treatment in Madhya Pradesh since this integration, notes Hindustan Times. Speaking to the India Express, about a 37 year-old sex worker diagnosed with HIV in Mumbai, PoojaWalawalkar, project manager for NGO Aditi says, “She fears that her neighbours will come to know if after linking the Aadhaar card some health worker turns up at their door.” The report also states that several sex workers get treated under a different name to conceal their identity. It is worth noting that presently (NACO Annual Report 2016-17), FSW (6,03,236), MSM (2,06,007), IDU (1,21,840), TG (29,325), Migrant (29,25,882) and Trucker (9,29,675) are under the Targeted Intervention Programme of NACO that works on preventive interventions for high-risk groups. Aadhaar linkage also aims at reducing the ‘Lost to Follow-Up’ cases who have dropped out of the ART centres and discontinued their HIV treatment.

“Aadhaar will definitely help you have unique listing but how that in itself will help in making sure that the person comes back again and again to get the medicines, that I’m not quite convinced,” notes Dhall.

Apart from privacy, there is the risk of exclusion due to authentication failures and deactivation of Aadhaar without recourse for the Aadhaar holder. So there seems to be no guarantee with respect to reaching out all that the programme is intended for.

It is worth noting that when a crime related to personal data occurs, UIDAI is not under any legal obligation to inform the Aadhaar user. Under Section 47 (1) of the Aadhaar Act, only UIDAI has the exclusive power to make complaints in case of violation of privacy or data breach.

What will change with Right to Privacy judgement?

Even prior to mandating Aadhaar, people living with HIV have been facing social stigma when their HIV status has been revealed. What is the protection assured to them against harassment, once their Aadhaar biometrics and phone numbers are also entered into the system to access healthcare? While there may be legal protection by way of the HIV Act, Medical Code of Conduct, Supreme Court’s judgement declaring right to privacy as a fundamental right, will that 37 year-old sex worker understand her legal and fundamental right to privacy as a citizen? Will the knowledge of the right to privacy be sufficient to handle the social stigma?

Addressing this concern, in its right to privacy judgement, the Supreme Court states that “elements of privacy also arise in varying contexts from the other facets of freedom and dignity recognised and guaranteed by the fundamental rights contained in Part III;”

“In State Vs Kharak Singh, the Supreme Court says right to life does not mean a mere animal existence, which means a life of dignity. In the event of intentional or unintentional disclosure of my HIV status or any other status, which might strip me of my dignity in the eyes of the society , no amount of punishment to the persecutor or compensation to me can bring that dignity back to my life for the rest of my life. This is where the state, even before saying that it should punish and compensate must put into place the process such that the citizens of India are not stripped of their dignity,” says Kaushik Gupta, lawyer and social activist explaining the impact of any breach of privacy at a personal level of any individual.

However, the consequence of the right to privacy judgement with respect to the impending Aadhaar case in the Supreme Court of India is yet to be seen. The right to privacy judgement has however taken cognizance of informational privacy especially with respect to sensitive data. It says:

“Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well. We recommend to the Union Government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state. The legitimate aims of the state would include for instance protecting national security, preventing and investigating crime, encouraging innovation and the spread of knowledge, and preventing the dissipation of social welfare benefits. These are matters of policy to be considered by the Union government while designing a carefully structured regime for the protection of the data. Since the Union government has informed the Court that it has constituted a Committee chaired by Hon’ble Shri Justice B N Srikrishna, former Judge of this Court, for that purpose, the matter shall be dealt with appropriately by the Union government having due regard to what has been set out in this judgment.”

However, the onus now rests on the Committee chaired by Shri Justice B N Srikrishna and the Government of India to protect the interests of the citizens. The impending petition challenging the Government’s move to make Aadhaar mandatory for social welfare schemes in the Supreme Court will be a defining judgement for the rights of Indian citizens.

“Revenge pornography is not recognised by Indian law,” says Dr. Debarati Halder

While the Supreme Court of India takes its time to decide if privacy should be a fundamental right conferred upon Indian citizens, it may be useful to understand the different cyber crimes that lurk in the digital world, a space that isn’t always defined by clear boundaries. In the first part of our three part interview with Dr. Debarati Halder, she discusses about personal data leaks on social media, what goes into resolving these issues and more. In the second part of this interview, Halder speaks about the most reported cyber crimes, cyber crimes that aren’t recognised by Indian laws, legal recourse for crimes like revenge pornography or cyber stalking, policy changes, among others.

Most reported cyber crimes:

Which is the most reported type of cyber crime at the moment?

There are 3 types of online offences that are reported. One is crime against individual. This can be economic or interpersonal crime. When we talk about economic crimes, it could be phishing, bank fraud, notary scam, and others. Interpersonal crime could be stalking, creation of fake profile, online pornography or obscenity or hacking of personal digital data. Then there’s crime against the government, which is cyber terrorism as recognised by law. As per the Information Technology Act, such terrorist activities done through information technology or computer technology are punishable. Offences against government could be hacking websites or breaching the privacy of government data. Then there can also be offences against corporate bodies.

Which are the offenses that are not recognised by law?

Cyber bullying, cyber trolling and revenge pornography don’t have any focused law. What is the focused law that you are going to use for morphing or creation of fake profile? We recognize cyber obscenity but there is nothing about what can be revenge pornography or cyber bullying. We had 66A. We scrapped it because it was vague. It could have been amended. Then the Act would have also been an answer for some of the crimes like bullying or trolling. Without any laws for these crimes, women will have to go through different kinds of secondary victimization.

Challenges faced by women seeking legal recourse

What are the challenges faced by women seeking any recourse for any online crime or offenses against them?

Firstly, it is a social taboo. When a woman faces any kind of online harassment or crime, before going to the police station, she is usually told that the media could target her or her family if she went to the police. It becomes a social taboo to go to the police station to complain about any cyber crime. This is number one. Number two is victim blaming. Even if a woman has enough courage to go to the police station and report the crime, then there could be some officers (or head constables in the absence of the inspector or sub-inspector) who will not understand the nature of the crime. For example, if it is stalking, Indian Penal Code recognizes stalking or cyber stalking as an offence now. Traditionally trained police officers may not be able to understand it especially those who may be senior in age or experience. In that case, they blame the victim saying ‘Why did you do that. Because of you, this has happened.’ There can also be threats from intimate partners. For example, the woman gets afraid to go to the police if she is targeted by her ex-boyfriend, ex-husband or colleague with some fake profile or revenge pornography. If she goes to the police, the harasser then comes up with another kind of crime. It is this escalation of victimization that makes her avoid going to the police station again. When it is from an intimate partner, it becomes blackmailing. In case of offences that are not recognized by the law, nothing happens after the police take the FIR. And finally there’s also the liability of the website. They may not cooperate with the police. The police may not know how to deal with the website to get the data. These are the things that generally come up as challenges.

Legal recourse

What is the legal recourse available to victims from social media platforms on which such personal data is leaked?

There is Section 43A of the Information Technology Act which penalizes such kind of data breach and the responsible person or the body corporate. This means the specific functionary, institute or company who is responsible for maintaining the data. In that case, the victim can definitely ask for recourse. It is definitely compensatory jurisprudence. They can ask for compensation and there is also minimum punishment.

Can the same be applied if any data leak happens due to Aadhar as well?

Absolutely. It depends on the corroborative evidences that the victim shows from a particular website from where the information has been leaked. For instance, if a certain person’s privacy has been breached, he or she has to inform the police. Then the investigation will show if there was a lack of confidentiality with this particular company or its website. Accordingly, they can definitely be prosecuted.

The Aadhaar Act has no provision for people themselves to file a complaint. Will Section 43A be applicable then with Aadhaar?

If you define the term body corporate in a very broad sense, it can be covered. But because the Aadhaar Act is saying this, the government does not want to take the liability on their part for any offence that has been caused. But I also understand that there has been a statement made by a minister concerned that the whole issue is so confidential that nobody can breach it. See there is a middle-man from whose website the information can be leaked. This can definitely happen but then again it depends upon the evidences and who was at the root of it, who was the person at fault, who has been negligent etc.

How long do cyber cells cases take to be resolved?

If it is an inter-personal crime and the victim is bringing all the evidences and he or she knows the person who has caused the crime, then that can be solved very quickly. Then there is something called police mediation where the person need not to go to the court but the case will be mediated within the police station and the harasser can be warned and can also be taken into custody. But in other cases, although the law says that there is a stipulated time within which the case should be resolved, it may take some time from the jurisdiction.

What are the policy level changes that have happened overtime with respect to cyber crime against women?

With respect to policy level changes, I would say that the Ministry has become more sensitive. Even the Ministry of Women and Child Development has its own Facebook page where they are accepting details regarding any such offences. They have assured that NGOs and the stakeholders can partner with them for some help. I have been a resource person for National Commission for Women. We have had several meetings regarding what should be done. If we are not able to help the victim as such, there is a network where we refer cases to the ministry so that the ministry tries to do something about it. These are some of the policy level changes happening but I’m still doubtful about the positive results.

What about the legal level changes that have happened over time with respect to managing cyber crime?

One very noticeable change happened in 2013 after the Nirbhaya rape case. Cyber stalking and voyeurism especially against women were recognised by the India Penal Code. Now we have a provision for punishing cyber stalkers including physical stalkers and also for voyeurism, especially privacy violation like clicking private pictures and distributing it without the consent of the particular person. I think these are wonderful things that have happened over time.

What should you do when your personal data leaks on social media, explains Dr. Debarati Halder

Be it photo number, location, photos, most often, we share our personal data on social media platforms without giving it a real thought. And there are times when this data gets shared on social media platforms without our permission. Our personal data goes into wrong hands and gets leaked out in the open as revenge pornography. People even get stalked or harassed on these platforms. What happens to privacy on these platforms? What goes into resolving these issues? What can be done when you face such a situation and what really happens? To understand the answers to these questions and more, Hidden Pockets had chat with Dr. Debarati Halder, Advocate and Honorary Managing Director, Centre for Cyber Victim Counselling. She is also the Founder -Secretary, South Asian Society of Criminology and Victimology. In the first part of this series, we have looked at understanding the response of social media platforms and police officers to cases related to online crime, victim blaming, pointers to be safe online, among others.

Things to watch out for as a victim

Hidden Pockets: What should anyone (especially women) facing any online crime like harassment, voyeurism, stalking etc do when they face such a situation?

Debarati Halder: The first thing that anyone especially women should not do is revert back with any kind of threatening statement. This will establish the crime. Say for example the person is being targeted for revenge pornography, instead of finding out who is the person who has committed the crime; the victim should take the evidence straight to the police office. Take the evidence and report the matter to the website concerned. In that way, the collection of the evidence or starting of the investigation can be done. Next thing is do not fall into traps. Things like talking to strangers, getting intimate with an online friend should be avoided. These things are still happening. Discussing personal data with unknown persons should be avoided.

Social media and its response to online crime

Hidden Pockets: Do you know of any cases when social media platforms refused to give information or block the offender completely?

Halder: Yes I know. We do also get cases where the offender may have been blocked. But this is not the answer to the problem. When you block one profile, that person can again come on Facebook and social media and create another profile. Blocking is not the total answer.

Hidden Pockets: How do you think such a situation should be handled?

Halder: Once the profile has been blocked, the victim has to take all the evidences that she has and go to the police with the link. It is with this link that the police find the IP address of the user. Essentially, they (victim) have to go to the police station and register a case. Otherwise the harassers will continue and so will the harassment by these offenders. The victim can also contact Facebook to remove the images.

Hidden Pockets: Do you know of cases when social media platforms refused to block the offenders completely? And what was the action taken in those cases? And what was the reason given by social media platforms?

Halder: Yes many times. Unfortunately no action was taken (in most cases). It is very common. Social media platforms ask you to come through the police as the channel. There is also the legal machinery channel that is you go through the court. Often the police may not know how exactly to contact the social media platform. Social media platforms have wonderful policy that says that they will not reveal the information of the account holder to anybody come what may. This is the reason you see so many new items that Facebook or Google do not reveal the information or the identity about the offenders even though the police have taken the cases to the court. This is the reason because of this policy.

The platforms say that they are taking action however they will not reveal the identity of the offender. This is because of their policy guidelines. Their policy is guided under the U.S laws. Our laws have got territorial nature, which means our laws especially the Information Technology Act can be effective for these websites even situated outside. Here comes the legal conflict. The websites may be situated outside the country but they may choose to abide by our laws. They have to then go to the U.S courts (to resolve this case). This is a long process. This is the reason for them to push back saying that they don’t reveal the identity (of the offender). Again in these cases, the victim cannot do anything. The matter needs to be taken to the court. With a good lawyer, something could happen. Then again, it is not so for all cases. In some case, social media platforms have given details of the person because the police officers could prove that it was a grave crime.

Sexting, revenge pornography and victim blaming

Hidden Pockets: What was done in the cases of revenge pornography at least in the cases that you handled personally?

Halder: In some cases, I was able to help them. On their (victim’s) behalf, I could successfully inform Facebook about the revenge pornography that was taking place. The offensive photos were removed. It is only a part of the recourse for the victim. We ask the victim to go to the police. With the existing available laws, victims can go to the police and ask for help. The offender should be punished. With this, I have got very little positive feedback because the victims undergo victim blaming, police apathy etc. One part of the case has been successful but the legal part has not always been successful. It is not that it was never successful but not always.

Hidden Pockets: With respect to revenge pornography and times changing, do you think it is important to start accepting legally and from the point of view of the police that sharing of images and videos have become a part of the culture when two people are in an intimate relationship?

Halder: This is called sexting. We know about texting and this is called sexting. This is happening, not only among teenagers but also among adults. This is happening. If you are going for it, then it may invite more trouble. Even if that person is completely trustworthy, that person’s device may be compromised or hacked so we then won’t know from where the picture might have leaked. So it should be avoided. Even though it has become a habit I would say even then it should be avoided I would say.

Hidden Pockets: Sure but what I’m trying to understand here is if the people handling these cases have understood that something called sexting is happening, especially with respect to victim blaming. Have they understood it?

Halder: No, majority of the police officers that I have seen who deal with these crimes especially revenge porn generated from sexting, they are not able to accept this as a common behaviour. When it is a question of victim blaming, the woman is generally asked why did you share such pictures. With this, the case is usually closed because they (the police) don’t know how to deal with the case. So yes, people who are dealing with these cases, I would say, are still not able to take sexting as a social habit.

Hidden Pockets: How do you think that can be changed? Do you think such a change has a role to play in how the system works?

Halder: Personally speaking even I’m against disseminating such photographs because it may invite danger. Now that it has become a social habit to a certain extent, we need to change our own mentality. We need to be broad-minded. One way is that when you are sharing such photographs, you need to also understand that you are inviting danger. The moment you are disseminating a picture, you should be broad enough to understand that there is a risk involved in it. With respect to the police officers who handle these cases, should avoid victim blaming and treat the victims as victims.Otherwise this will happen. This is similar to when a girl goes out and she is raped, instead of blaming her for her gender or her dress, the police should treat her as a victim. Similarly, in the online cases also this should be done.

 

Is anyone else reading your Tinder messages?

“How does privacy matter? Nobody is reading my messages and I am making the choice to put these messages out there on social media platform,” asks P, my friend  who seems to finally have cracked the Tinder Emojis.

Every  time I talk about privacy, people ask me what is there to hide? Every time I cover my camera on my laptop, people think I am being paranoid.

People don’t think there is anything called private data and if there is, it would simply be sensitive data that people would anyways not share. And worst I don’t think anyone realises that we don’t have a Privacy Law in India while Tinder India is busy making sansakri ads for its Indian audience and getting more users on a daily basis.

Sharing of personal details on social media platforms

We all have been sharing our information on most of the social media platforms. We happily share our locations, our private moments through images, our phone numbers, our email addresses, our travel plans There are so many platforms where  traces of our information gets saved up on different formats through chats, messages, sexting and in many other forms. Then there are spaces where we end up giving our information  because the design demands so. Additionally, now with introduction of Aadhaar we have all of our information linked to one common mobile number.

Have you received the message from your bank to link your account with Aadhaar number? Have you received the message from your network provider to link your account with Aadhaar number? Have you received the message from Shaadi.com to link your account with Aadhaar? What if Tinder also gets into this?

Personal data linked to Aadhaar

All our different sorts of information is getting connected to one Aadhaar number : be it our bank details, medical details and in near future, may be even our dating details? People argue that all of this information is safely secure and this central repository is for our protection. It will keep us safe, while some call it convenience because life becomes easier with one uniform identity connecting all. But for many of us, there is a clear fear of lack of protection for all this data that is getting collected in the name of better infrastructure.

This is where the idea of ‘sensitive data’ gets muddled up. For some, it might be the information that they use on Tinder and for others, it might be information related to bank or medical office. Does all our data have equal protection under law?  What is this ‘sensitive data’ that people think require to be private? What if some of our sexting gets hacked or leaked out? Will state authorities actually protect our right to send messages to strangers on a dating app? Do we really have a say with regard to protecting our messages from hacking, stealing of information and any other form of cyber crimes?

No privacy law in India, at least not yet

Since 2010, it has been recognised by both the government and the public that India needs privacy legislation, specifically one that addresses use of personal data. At present some of the data protection standards are found in the Information Technology Act, 2002 as part of IT Rules, 2011. What really happens when someone does share/steal your information?

The Privacy (Protection) Bill, 2013 (‘Bill’) does not provide any definition of ‘privacy’, but includes sexual preferences as part of it.This definition is different and more enhanced from the definition provided under The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.  There is an assumption that consent would be taken from the user before collecting any of the sensitive data. The bill does provide for punishment if there is any violation.  He/she shall be punishable with imprisonment and may also be liable to fine. But this a Bill, in pending, until then the user’s data has no protection?

Privacy Bill is not just meant for activists, it should be the right of every citizen irrespective of whether or not their information is shared on any online platform. Abortion data might be as sensitive as bank details. Consent should be the basis for any sharing of information and every information needs to be protected.

A lot of sensitive information gets exchanged on dating platforms, on platforms where we are having a regular conversation. We might be flirting, sharing or just be sexting. This is all information that we would like only the parties involved to read. But if it does get leaked out, whom do we actually hold responsible?

People ask me to be more responsible while sharing information, for millions of Tinder users, I think so it is time to actually seek some accountability from all these stakeholders. We want our privacy! We dont our details to be linked to some number for better infrastructure. We want legal protection.

On 19th July, 2017  a constitution bench will decide whether there is indeed a fundamental right to privacy in India.  Even if we dont care about privacy as an issue, for all the Tinder users, this might just become a serious issue.

How safe is Aadhaar to the transgender community? #mybodymyrights

The Supreme Court has upheld the government’s order to link Aadhaar to the PAN number of citizens thereby making it mandatory to file income tax returns. Prior to this verdict, the Government of India had mandated Aadhar for Direct Benefit Transfer for several schemes like Protection and Empowerment of Women-Comprehensive Scheme for combating Trafficking of Women and Children-Ujjawla-Facilities to beneficiaries, Family Planning Compensation scheme, among others. This includes several sexual and reproductive health services involving sensitive personal data.

Among the several programmes that have mandatory requirement of Aadhar are many services that cater to the transgender community including the PLHIV programme. The Supreme Court of India upheld the rights of transgender persons in the National Legal Services Authority Vs Union of India in 2014. It is worth noting that the rights of transgender persons was recognised only after this judgement.

How safe is Aadhaar for the transgender community?

As noted earlier by Sheetal Shyam, Secretary of Sexual Minority Forum Kerala, most transgender persons don’t work in the mainstream. Due to lack of formal education, most of the transgender women are forced to pursue sex work and/begging. It is worth noting that Anti-vagrancy Act makes begging illegal and the Immortal Trafficking Act makes prostitution illegal in India. Considering that the profession of practiced by most transgenders is illegal, how safe is it for transgenders community?

In spite of the NALSA judgement and the Transgender Bill 2016, transgender persons face different forms of harassment. Earlier in November 2016, Tara, a transgender outreach worker was found burnt outside a police station in Chennai under suspicious circumstances. Also in March 2017, Government of India mandated the linking of Aadhaar number to personal mobile numbers. With this, a unique mobile number would be linked to each unique Aadhaar number identifying each citizen by an Aadhaar number and mobile number. In the light of incidents of violence against transgender persons and the mandate to link mobile numbers to Aadhaar number, how safe is the transgender community? A community of people, many of whom are involved in sex work, be tracked with their mobile numbers? How safe are they with a proof of identification that tracks them with their biometrics? Will it leave them vulnerable to targeted attacks in the future? As an OBC community as identified by NALSA judgement, transgender persons are eligible for all reservations and benefits available to OBC communities. However, it is not clear how safe they are from being identified and targeted owing to the suspicion that there may be about their profession.

Does their privacy matter?

While the reasoning for centralization of all this data has been to provide better services to the citizens, there is no way to guarantee the safety of this data. The government has previously denied several allegations on the safety of Aadhar data. However in March 2017, in a letter released by the Ministry of Electronics and Information Technology, the government admitted to instances where personal information “including Aadhaar number and demographic information and other sensitive personal data such as bank account details etc. collected by various Ministries/Departments has been reportedly published online and available through each online search,” as reported by New Indian Express. It is worth noting that there is no privacy law in the country at this point in time. With the cases of violence and discrimination against the transgender community in different spaces as mentioned here, here and here and the lack of sufficient security around Aadhaar data, what protects the transgender community from more discrimination with targeted offenses being committed against them? There may be legislation that protects them now, one that wasn’t there before but how accessible is this legal recourse to all transgender individuals? The National Health Policy 2016 also has provisions that specifically address transgender persons. What is the protection assured to them against harassment, once their Aadhaar biometrics and phone numbers are entered into the system to access healthcare? Along with Aadhaar, personal data like mobile number and biometrics will be linked with no legal recourse for data breach. When a crime related to personal data occurs, UIDAI is not under any legal obligation to inform the Aadhaar user. Under Section 47 (1) of the the Aadhaar Act, only UIDAI has the exclusive power to make complaints in case of violation of privacy or data breach.

Incidentally, Mukul Rohatgi, the Attorney General of India had recently said in the Supreme Court – “There is no absolute right over the body. If such a right existed then committing suicide would have been permitted and people would have been allowed to do whatever they wanted with their bodies. The right not to have bodily intrusion is not absolute, and the life of a person can also be taken away by following a due procedure of law.”

Aadhaar: the panacea or problem for identification

Among the other directives listed in the NALSA judgement, was the right to identify oneself as a transgender. With that directive, different government departments and agencies were expected to include third gender in any application form or document issued. It is worth noting that application for an Indian passport allowed the applicants to opt E for Eunuch in the application even in 2005. It was one of the first ‘identification’ documents issued by the Government of India that had the provision for transgenders. However, passport requires applicants to submit other ID and address proofs for application of passport including address and ID proof. One of the major issues that the transgender community has been facing is with respect to procuring identification document in a gender of their choice.

Aadhar was looked at as an easy way to procure proof of identification for groups of people who had no proof of identification when it was introduced. Though Aadhar was supposed to be easy to get, it still requires the applicant to submit proof of address, among other documents. There are two main challenges that they face. Firstly, identification proofs required to apply to get an Aadhaar card, may be in the name or gender assigned to them at birth, one that they don’t presently identify with or use. Secondly, anyone familiar with the issues faced by the transgender community in India would know that finding a place of residence is never easy for the members of the community. Due to the stigma faced, they often accept to living in places that are too cramped and unhygienic. More often than not, the house owners don’t sign a rental or lease agreement with them to evade taxes. The members of the community end up giving in to this demand of the house owners since “there are very few people who give sex workers and sexual minorities a home.”

At the time of demonetization, speaking to Hidden Pockets, Shubha Chacko, Executive Director of Solidarity Foundation had said, “To get a valid ID proof, you need a rental agreement and to get a rental agreement, you need an ID proof.”

With no proof of address or identification proof, how then can the community members get an Aadhar? Though transgender persons have the option of getting a valid identification proof by filing an affidavit in the court, it is not an option that is available to all. Inclusion continues to remain an elusive dream!

#MyBodyMyRights: Will Aadhar prevent you from getting an abortion? 

Digital campaign with its strong emphasis on digitisation of public records, have seen a companion in Aadhar. From basic amenities like getting ration, getting medical services or opening a bank account, Aadhar is being made as mandatory requirement. There is a move to link Aadhar with health data of an individual in their entire lifetime.  This means everytime an individual attends a doctor or uses a service; it gets recorded and gets shared on a platform which can be accessed and would be part of digital archive forever.

Abortion service really does not fall within this category of happy medical services.  It is one of those services that women  might have to access if they do not want to proceed with the pregnancy.

There is a strong assumption on the part of our government that individuals want their health records to be saved and archived on their behalf. There is a strong belief that all the medical services undertaken by individuals are for happy and good reasons.

Abortion in India became legal in 1971 under the Medical Termination of Pregnancy Act, 1971, making India as one of the first countries to provide access to abortion services in a safe manner. Even though it is highly restrictive in nature, due to conditions that are imposed on the women accessing the services, it was still a great step.

In 2002 and recently in 2014 when amendments were introduced again in the MTP Act, it was again seen as progressive steps towards making sure that women had access to better services and to make these legislations more women inclusive.

However these initiatives have not really changed the stigma around abortion. Both married and unmarried find it difficult to access abortion and to medically terminate pregnancy if the pregnancy is within 0-20 weeks. There are can be many factors, but social stigma attached to abortion makes it really difficult for women to deal with service providers. Inspite of abortion being provided in public health sector for free, women prefer to pay humongous amount to keep it confidential. Women still prefer to pay this amount to make sure that it is kept a secret. Women are forced to take this path, because the social atrocities would not let her make a choice for her own body without being judged and shamed for it.

Aadhar and the privacy debate:

With the recent debates around Aadhar, privacy has been brought to the mainstream news. There is a lot of anxiety and debate around lack of privacy bill in India and the recursions of it. Health sector is specifically prone to it; with sensitive data like HIV, abortion and sexual orientation becoming part of health narratives. Aadhar has been pushing for digitisation of all health records which would directly affect the access for services like abortion in cities of India.

With the recent re-modeling of Indian public Health system, it has been suggested by Ministry of Health and Family Welfare that Aadhaar numbers will be used as unique patient identifiers in a new electronic health records system.

The electronic record will include previous medical history, procedures undergone, diagnosis, drugs prescribed, and which hospitals visited accessible on a cloud-based e-application. The notification even acknowledges the fact that some of it is sensitive data and would be dealt under Information Technology Act 2002, Data Privacy Rules.

On one side Government acknowledges the fact that some of the medical information is sensitive and can have different repercussions for different communities. On other side Attorney General in his submissions before the Supreme Court in Aadhaar case, May 3rd 2017 argues and contends that concept of bodily integrity is bogus.

For activists who have been working to make abortion laws more inclusive in India, this did seem like a very regressive statement to be made by Attorney General.  Woman have been fighting for their rights to their bodies for decades now. Women have always been one of the worst victims of patriarchy and bodily integrity has been a long fight battle with the state for women to have won. The debate around abortion has been fighting for right to privacy and keeping state away from its bodily integrity. Does linking her abortion data with Aadhar data violate her right to privacy? If women have a right to have access to abortions, they should also have a right to confidentiality. Abortion data is extremely sensitive data for single women and married women who still find it difficult to exercise their sexual and reproductive health rights.

With Aadhar becoming mandatory for every medical service, abortion becomes an extremely sensitive and difficult service to access. For a lot of young women both married and unmarried, this is a sensitive data and they are really not comfortable knowing that this is being recorded and being maintained by the government.

In a data driven world, where every data becomes a value for business, how do we ensure that our young women accessing legal services which are stigma driven are not further harassed. How do we ensure confidentiality is still maintained when they are accessing legal services. How do we make sure that women do not end up using services of quack due to fear of digitisation of her medical records. These are questions that state needs to engage in, instead of arguing that bodily integrity is bogus.

#MyBodyMyRights: Privacy is not just a word and shouldn’t be so with Aadhaar

Without an Aadhaar one cannot file taxes, and without giving biometric data one cannot get his or her Aadhaar.

The PAN-Aadhaar issue before the Supreme Court has raised many issues. This affects the right to livelihood under Article 19(1)(g) because economic activities are likely to be hampered. There is also the issue of the promised voluntary nature of the Aadhaar scheme under the Aadhaar Act, conflicting with Section 139AA of the Income Tax Act, which makes linking Aadhaar number to the PAN Card. Section 139AA was inserted in the IT Act on April 1, 2017, and it made it necessary to quote Aadhaar number for applying for a PAN number, and for filing income returns. This necessity to link Aadhaar and PAN is to begin from July 1, 2017. It is in direct conflict with a previous Order of the Supreme Court, that directed against making Aadhaar compulsory for availing schemes and benefits from the Government (March 27, 2017). Section 139AA is in effect an “indirect legislative overruling” of this order; a fact that was ably pointed out by Mr. Datar in his Court Submissions.

With the Aadhaar, we are talking of biometric data. Reading Section 87 of the Information Technology (Reasonable Information) Rules 2011 with Section 43A of the Information Technology Act, 2000, biometric data means “the technologies that measure and analyse human body characteristics, such as ‘fingerprints’, ‘eye retinas and irises’, ‘hand measurements’ “facial patterns’, ‘voice patterns’, and ‘DNA’ for authentication purposes” Biometric Data and Genetic Data has further been classified as Personally Sensitive Data by the Department of Personnel and Training of the Government of India, in its “Approach Paper for Legislation on Privacy”. By linking Aadhaar to various schemes the Government is hoping to achieve “targeted delivery of scheme benefits” and “prevent leakages” of black money (As stated by Attorney General of India at the Third Universal Periodic Review of India at the United Nations in Geneva).

This invites questions on the rationale of linking biometric data to income returns and taxation. If the Government wants further verification of a person’s identity (to overcome the issue of PAN duplicity), there are other ID document that can be provided. Businesses and individuals are bound to have other IDs at their disposal. Furthermore, where targeted delivery of benefits is concerned, putting a face to every name in the country, and providing valid identity documents for every citizen makes sense, given how it’s not very difficult for identity theft to occur in India. The main problem arises when the Government begins to link these uniquely personal identity documents that contain data of a personal kind, to schemes and financial transactions. Citizens quoting their Aadhaar number for either of these two goals are at risk of their Aadhaar numbers being stolen from the documents where they mention the Aadhaar by the officials collecting the documents.

Moreover, there is usually a need to give a photocopy of the Aadhaar itself. In 2016 November, it become apparent that Aadhaar numbers were being stolen from the photocopies at Government or Agency offices. The CEO of UIDAI, Mr. Ajay Bhushan Pandey, advised citizens to write on their photocopies the purpose for which the Aadhaar photocopy had been given, to prevent theft or misuse. When Aadhaar was initiated, it was clearly a voluntary scheme, and now through the contradictory Governmental orders and Section 139AA, the Government has tried to make it compulsory in certain areas. Who’s to say this practice won’t continue? This fact was brought up in Mr Datar’s arguments in Court, and were echoed by Mr. Divan.

As well-meaning as aims of curtailing black money and ensuring proper reach of benefits are, this is an issue of trust. Can any Government be trusted with such data? Is it not a form of surveillance where the Government has with great ease, information on every citizen in its country? Can the Government really ensure data security and prevent data misuse, by third parties or worst of all, by its own officials? Tackling black money, terrorism, duplicate PANs and traceability, are all noble causes, but the means to the end matter. Has there been enough debate on countering terrorism and black money transactions? Are there are other measures that can be used to tackle these issues, that do not result in civil death (the death of the rights of citizens) and the creation of a large national security threat? Based on the arguments made by Mr. Arvind Datar in his rejoinder arguments on 4th May 2017 at the Supreme Court, these are questions that the Government have not considered very deeply.

“Indians have no absolute right over their bodies”

The Attorney General told the SC bench that Indians did not have an absolute right over their bodies, and therefore could not refuse to give body samples for Aadhaar. He cited various legal justifications such as the Roe vs. Wade judgement, the fact that body evidence must be given in case of criminal matters, legal regulation over time of abortions, and the right to die not being there. If one analyses these justifications, it can be inferred that citizens do not have absolute rights over their bodies, but the Government does. If these linkages are allowed, the linking will continue, and in effect the Government will have a database of every citizen’s data (personal or otherwise). This is a lot of power in the hands of not just the Government, but also in the hands of other agencies. Though the Aadhaar Act has strict punishments for breaches and guidelines for what information can be shared under specific circumstances and how, it must be noted that only the UIDAI can file complaints where there are breaches as enshrined in Section 47(1) of the Act.

Moreover, the Aadhaar (Authentication) Regulations, 2016 in Section 18(1) and (2) require the “requesting entities” – defined under Section 2(u) of the same Regulations – to keep detailed logs of its requests for Aadhaar Authentication for a period of 2 years, after which the logs must be archived for a period of 5 years. Requesting entities could be banks, governmental schemes, the IT department or telephone service providers (where quoting of Aadhaar is currently compulsory for certain services). When these entities request “identity information” [Section 2(n) of Aadhaar Act 2016], they can ask for biometric information [Section 2(g) of Aadhaar Act 2016] or demographic information [Section 2(k) of Aadhaar Act 2016] or both. However, core biometric data [Section 2(j) of Aadhaar Act 2016] cannot be “stored, shared or published by the requesting entity as per Section 17(1)(a) of the Aadhaar Regulations. Core biometric data refers to finger prints and iris scans. There appears to be some ambiguity on whether core biometric data can be stored in the logs and archives. As alarming as this logging and archival is, it is also worth noting that requesting entities can choose which mode of authentication of Aadhaar numbers to adopt as per Section 4(3) of the Aadhaar Regulations.Therefore the Government is not the only body with access to one’s Aadhaar information.

Third parties such as the companies who have contracted with the Government (Accenture for example), for managing the infrastructure of Aadhaar can store the data. Telling citizens that they have no absolute right over their bodies, is in effect stripping them of existence. This is a dangerous path to tread on. How much regulation is too much regulation? This is the challenge faced by the social contract in modern times. Is it right for Governments to demand such personal data from its citizens? Instead of the Government being more reliable and tightening up on corrupt officials and closing loopholes in tax laws, the Government wants its people to be more transparent, traceable and accountable to it. It will become easier for fraud and corruption to occur. The risk of identity theft, and theft of money is very real.

The issue of privacy is not one of wanting to hide from the Government. It is an issue of wanting to prevent theft and misuse of personal data. It must be reiterated that information is power. Mr. Divan highlighted this argument on privacy beautifully when he spoke of bodily integrity. Body samples are a part of a person’s being. He pointed that this would be violating Article 21 of the Constitution which he asserted protects the body of each citizen, and bestows on them the absolute rights over their own bodies. Mr. Divan argued against “state expropriation” of bodily material of citizens, stating that such “nationalisation” would be unconstitutional.

“Privacy”, may seem like a just a word. It may seem unimportant and overused in everyday life even. It doesn’t mean keeping people out of your affairs alone. It means controlling information flow about one’s life, one’s choices (financial or otherwise), and one’s personal biological factors. It means protecting one’s very existence from outside interference. Protection of one’s own body, and consequently one’s own ability to transact and avail benefits is at stake.

About the writer:

Shambhavi Ravishankar is a human rights lawyer and an ardent lover of writing and reading, who believes in the pen being mightier than the sword!

#WorldAIDSMonth2016 special: Rights of person living with HIV and AIDS

World AIDS day has become a day for talking about lives of persons living with HIV and AIDS. India has come a long way with its initial battles against HIV and AIDS to having a legislation for rights of persons living with HIV.  For lots of persons living with HIV, it was the stigma attached to HIV and AIDS that made it difficult for many of them to get jobs, live a life with dignity. They had no protections and they often lived with fear of being identified with HIV and AIDS.

Human Immunodeficiency Virus and Acquired Immune Deficiency Syndrome (HIV/AIDS) (Prevention and Control) Bill, 2014  was first introduced in parliament in 2014 by the UPA government and it tried to make ART (anti-retroviral treatment) a legal right of persons living with HIV and AIDS. It went through a lot of negotiations where Lawyers Collective and networks of persons living with HIV and AIDS across different states of India played a crucial role. The first draft of Bill was not comprehensive enough and it was revived again in 2016 by the current government and to re-inititae the discussion on improving the lives of persons living with HIV and AIDS.

Some of the salient features of the Bill were:

  • Central and state governments have a duty to provide for anti-retroviral therapy (ART) and management of opportunistic infections as far as possible.

In 2015, the Health Ministry revised norms for ART (antiretroviral therapy) consisting of a combination of antiretroviral (ARV) drugs to maximally suppress the HIV virus, and stop progression of the disease. The CD4  accounts for the number of CD4 T lymphocytes in blood, and is the most important  indicator of how well the immune system is working in people with HIV. This proposed change made all patients with a CD4 count of 500 eligible for ART against the earlier norm of 350.

One cant still drag a public authority to court for not providing the service, but the number of people who have been covered under the treatment has increased.

For people living with HIV there is a propability of CD4 dropping below 500. Below 200 there is a serious chance of infecting other life threatening diseases. Once a person is infected with HIV, the virus begins to attack and destroy the CD4 cells of the person’s immune system and make copies of itself and spread throughout the body. With a better access to ART treatment at a higher CD4 count means starting therapy earlier.

  • Prohibition of specific acts of discrimination by the state, or any other person, against HIV-positive people, or those living with such people.

These amendments, made the state as well as the private citizen responsible for any act of discrimination against persons living with HIV and AIDS. This could result in security in places where they were being discriminated on the grounds of having HIV and AIDS. Places like schools, hospitals and job opportunities could no more deny them access to these spaces. Rights to their property and several financial obligations were provided to persons living with HIV under these amendments.

So what happens if a right is violated, what are the options under this bill? If an insurer denies insurance, the bill provides for the appointment of an ombudsman. The company has to pay a fine of Rs 10,000 up front and a further Rs 5,000 per day until it agrees to give cover.

Privacy and confidentiality:

“Look, we are not the doctors, we merely do blood tests for patients. We also have more than 250 franchisees all over Mumbai who do tests for us. So maintaining doctor–patient privacy is not something that we as the lab are concerned with” – Rodrigues Kustas, Administrator at Health Solutions

Those were the words of the administrator of a pathology lab that accidentally leaked the medical report of 43,000 HIV patients. This also includes details of patients who had blood tests done for HIV. And ironically, this month happened to celebrate World AIDS Day!

One of the most contested part of the Bill, was the right to privacy and confidentiality. Due to the stigma attached, it was necessary for people living with HIV to be able to live with a life of dignity without the fear of being exposed as living with HIV and AIDS. The Bill provides for confidentiality  of HIV-related information and makes it mandatory to get informed consent before undertaking any HIV tests, medical treatment and research.

The Bill also takes into account the sensitivity of the information and makes it mandatory for institutions and establishments keeping records of PLHIVs to adopt good data protection measures.

 

What about the privacy of the patients?

The discrimination against HIV and AIDS patients has been rampant and there is no privacy law in the country to protect their privacy when their details are disclosed,

Although India does not have a privacy law for its citizens, following the UNAIDS guidelines on the need for legal reforms by the government, the Indian cabinet approved the passage of Human Immunodeficiency Virus And Acquired Immune Deficiency Syndrome (Prevention and Control) Bill in the winter session of the parliament.

Though Code of Ethics Regulations 2002, 1.3.4 states that efforts shall be made to computerize medical records for quick retrieval, Section 11 of HIV-AIDS Bill 2014 states that every establishment keeping the records of HIV-related information of protected persons shall adopt data protection measures in accordance with the guidelines to ensure that such information is protected from disclosure. 

In such a scenario, the citizens of the country, need to push for  a privacy laws that protects the citizens against leakage and misuse of the data that was provided to government under sensitive conditions.

Shah Committee noted, “A framework on right to privacy in India must include… appropriate protection from unauthorised interception, audio and video surveillance, use of personal identifiers, bodily privacy including DNA as well physical privacy…”

Image courtesy : http://www.worldaidsday.org.au/internet/wad/Publishing.nsf/content/home

 

 

Digital Citizen Summit 2016: privacy of the digital citizen?

Encrypt! Encrypt! Encrypt! 

That was one of the key takeaways from the Privacy panel at the Digital Citizen Summit 2016 organised by Friedrich Naumann Stiftung für die Freiheit (FNF) and Digital Empowerment Foundation (DEF) in Bangalore on November 11, 2016. This panel could not have been better timed!

With a shortage in currency notes in circulation in the country due to last week’s demonetisation of the Indian currency,  many have taken to using digital methods (credit card, debit card, internet payment, digital wallets etc) to manage their lives. With digital transactions, users leave a digital footprint that could be easily tracked it not careful. Let’s just say that if you bought a condom with your credit card or debit car, the government could know or worse, anyone could know about it. It gets better. India does not have any law to protect the privacy of its people.

So what then do we do? That was precisely the topic of discussion during this panel on privacy. With speakers from all around the world, the panel began with a global overview on privacy. Some interesting points were:

  • Users give data even when they don’t want to: The phone number of a non-user of a service could still be available with the service provider because their rightful users have given them the right to access all the phone numbers from their phone.
  • National security – Govt’s excuse to collect data: It is usually to child pornography, drug laundering, terrorism but more importantly, national security. However, no one has exactly defined what constitutes a threat to national security. Even Sec 33, sub-clause 2 of the Aadhar Bill 2016 says that the state may access the data of the citizens for reasons of national security, then again with no real definition of national security
  • Govt wants data even from private players : Governments also want to control the retention of data by intermediaries. Government send annual data requests to companies such as Facebook, Google, Twitter, among others. Pages or information may be taken down without any explanation. There is very little conversations happening around this, to change this.
  • Private data to predict trends: With the recent U.S elections, it became evident that with private data given to a private organisation, the election results can be predicted. It is ironic that we expect the government to find out what such private organisations could do with our data.
  • Encryption, the safety net: Though encryption is the safest way to use the Internet, encryption is used only by some services like WhatsApp. After introducing its draft National Policy on Encryption, the Government of India withdrew it within two days. There is also lack of understanding about encryption and how to use it.
  • Legal framework: Along with encryption, a legal framework may also be necessary. Going money less could be scary with it, don’t you think?
  • Content -> Platform -> Network control effect: Content regulation is done usually against child pornography and anything that disrupts public order. In the printing pre-web era, the control point for content was with the newspaper or publisher. In the web era, with social media and blogs, users became their own publishers. Then governments moved to intermediary bodies to regulate the content like Facebook and Google. The liability moved to these platforms. These organisations have to self-regulate to be away from liability. People who got shifted control from content to platform. If the IP address was blocked, many people get affected.  Post-Snowden’s revelation to the world, some governments introduced encryption. Government could then also ask local service providers to remove content. However this is not possible with providers from abroad. Local laws don’t govern these companies. In order to censor any content on their websites, governments would have to know the whole URL. But with encryption, only the domain name is available. So content cannot be censored in most countries. Governments are trying to get into the network layer in a way that everyone who uses the layer gets affected by it. Conversations around this is extremely important and necessary.
  • Surveillance shapes behaviours: Going beyond violations, it is important to remember that surveillance shapes behaviours, though the intent may be good. In December 2014, Germany banned the retention of data by any service provider viewing it as a violation of privacy and data protection. This was passed by the Federal Constitutional Court of Germany owing to the effect the surveillance could have on the citizens behaviour. May be the history of Germany has something to do with this worry?

How can you on protect your privacy online?

All that said and done, how then can we protect our privacy online? How can we make the Internet a safe space? The key takeaways from the Privacy panel at the Digital Citizen Summit 2016 were:

  • Encrypt! Encrypt! Encrypt! Encrypt your mails and your actions to protect data and privacy.
  • Know the thing that you use: Learn where your data is and how it is protected.
  • Ask questions: Have the courage to question the status quo and refuse to comply if it doesn’t make sense.
  • Sharing information: Put out as little information about yourself as possible, on the Internet. Better, share wrong information. Like a post or page that is of no interest to you on Facebook. Now that could be a good way to mislead.