Issues Concerning the Mass Surveillance of Indian Public based on the proposed DNA Bill

In the 21st century, concerns regarding mass surveillance have become a hot topic for discussion in academia and especially in the sphere of law. The idea of mass surveillance is favored by the majority of the governments worldwide because they claim that it would help them in ensuring better national security. On the contrary, there is a stiff opposition against this because it violates the privacy of individuals.

These are the broad binaries related to mass surveillance. I will get into the legal aspects of privacy in the later part of the paper. India is a liberal democracy which has never been associated with a major governmental snooping on its public, until recent times where Cambridge Analytica was alleged to help in determining some election results.[1] Since India is a third world country with lesser a lesser number of educated citizens as compared to the west, the notion of data breach is still not perceived as a big threat. For the same reason, there is no specific legislation regarding the protection of privacy of an Indian citizen other than a Supreme Court judgment. Even though the idea of privacy is a relatively new concept to an otherwise communitarian world, UDHR Article 12 says that every human being by virtue of birth deserves privacy.[2]

In the first part of the paper, I would discuss the possible adverse outcomes of the Human DNA Profiling Bill of 2015 [hereinafter referred as the bill] which recommends the establishment of a DNA Profiling Board and a DNA data bank. In the second part of the paper, we would analyze the normative aspect of privacy and the security related issues of the bill in a comparison to the Aadhar issue which came into the limelight recently. I would also briefly explain the government narrative of the necessity for mass surveillance.

In this age of technological advancements collection and storage of information has become very easy. With CCTV cameras, GPS and other similar gadgets, the world could be easily monitored. There are obvious advantages to this but like most of the technological advancements, the possibility of misuse is a serious threat to the data stored. We have seen a lot of villainous characters in Bond movies who threatened the world with hacking into the governmental servers of the west. Even though those were matters of fiction, when whistle blowers like Edward Snowden and Julian Assange came up with information which was supposed to be really secure, the world realized the potential danger of cyber-crimes.[3] We are not discussing whether the act of Assange or Snowden was bonafide or ethically correct or morally defensible. Even though their acts exposed a lot of scary realities of world politics, the fact that even the most secured firewalls could be hacked into is the security scare I am pointing at.

Especially when the cyber security infrastructure of India is nowhere close to that of the west, we might face some severe security breaches. In case of Aadhar we have already witnessed a data breach despite UIDAIs claim that the servers are secure.[4] However, UIDAI denied this allegation probably because they think that the Indian populace would not really bother about making this an issue and we may have to agree with their guess because there were no debates in parliament about this or any sort of public reaction. We also had a recent hack in the home ministry and the Supreme Court website which shows the lack of security and preparation in case of a cyber-attack.[5] So, even in case of the DNA databank which is promulgated in the bill, the security system is not explained.

Now we will analyze the role of Indian judiciary in the matters related to privacy. Even with the 70 years of jurisprudence, the Supreme Court was never faced with the question of privacy in case of personal data until recently. It is true that the court has given a plethora of judgments about individual liberty and right to life with dignity under Article 21 of the constitution but data privacy is the first of its kind in the Supreme Court.

The Aadhar related issues are in front of the constitutional bench of the Supreme Court and the matter is sub-judice. So, we cannot really delve more into that. Supreme Court has already considered right to privacy as a fundamental right in Justice K S Puttuswamy V Union of India and will decide whether Aadhar is in consonance with that judgment.[6] We can only hope that the court considers all the aspects of Aadhar including the security issues and deliver the verdict upholding the constitutional values. Similar to Aadhar it is highly likely that in a scenario in which this bill becomes a law, the constitutional validity would be questioned in the Supreme Court again. Ultimately, we will have to wait for the parliamentary process and the judicial process before facing the effects of this law in our lives.

The suggestion for the bill traces back to 2003. In 2007, the DNA Profiling Advisory Committee was appointed by the Department of Biotechnology (DBT) under the Ministry of Science & Technology. Since its inception, the committee has been working on the bill till 2013 when a committee of experts was formed to finalize the bill. By the end of January 2015, the reviewed document was on its course to the Legislative Department of the Ministry of Law & Justice.[7] In DBT Secretary K. Vijay Raghavans estimation, the department is done and dusted with the Bill and has submitted it for the authorization.[8]

As we all know, in India, DNA testing is used in criminal law as a mandatory provision and as a matter of choice in the civil law. The bill will bring under a statute, every activity concerning the analyzing, storing and matching of DNA profiles. As mentioned earlier, a central DNA Profiling Board will be set up along with a DNA Data Bank. The board will act as the supervisory body, and oversee all activities relating to testing, storage and matching of DNA samples while the data bank would store the information. The bill also suggests state wise establishments of boards and banks. Both the existing as well as new DNA labs would be mandated to seek official approval from the Board. All provincial or state-level data banks would be legally bound to share the informatory materials with the central bank.

The bill in its present arrangement neither reprimands the databank from holding defining personal information nor does it recognize that likelihood. The individual whose profile is under inspection should be able to know how the data stored is being used and why, and to determine its obliteration when due.

The bill does not have a provision for informing the person or police or court even if the persons DNA is tainted, lost or embezzled. In my opinion based on my limited legal knowledge there is going to be a possible civil contempt charge because there is no provision for informing the individuals when there are modifications in what way their DNA is going to be retrieved, or if the way their DNA is being deposited or used is altered. This is against the right to know about contents which was well established in Ozair Husain vs Union of India.[9]

Moreover, there are no specifications regarding the situations in which the doctors or the police have an access to the DNA profiles. The DNA Profiling Board has given itself suo moto powers in selecting the DNA profiles which enter the databank. Additionally, the powers extend to who has access to them, and how the databank will be organized and retained. This is in effect instituting a reduced quality check on itself. The board is not an elected body by the people and it is not a constitutional body but it has self-given powers which is against the idea of a representative democracy.

There exists an Ex post facto repercussion when we analyze section 13 which states that any laboratory that needs to commence human DNA-profiling need to get aforementioned permission from the board. However, Section 14(2) authorizes any DNA laboratory that is in existence at the time the bill is legislated to execute human DNA profiling despite having no prior authorization from the board.

There exists an unnecessary limitation period without any rationale because anybody who has been aggrieved by any of the provisions of the bill can approach a court only if the concerned individual approaches the board initially and provides it three months to act on that grievance. In those three months or, Section 57(1) of the bill stops the complainant from approaching the judiciary unless it is the central government or a member of the board itself.

This could violate various provisions of CrPC as well as hinders the writ jurisdiction of apex courts under articles 32 and 226 of the Indian constitution.[10] Moreover, there is nothing prescribed for the profiles of missing individuals who might be identified and other profiles that are likely to be collected at crime scenes. Additionally there is no rationale offered for holding the profiles of those who are imprisoned for crimes like rape or murder despite them ending up spending a time in the prison.

These are a couple of legal and security related issues pertaining to the bill at this point of time. Since the privacy judgment is going to be applicable it would be under more scrutiny as well. However, the committee is working on it to make it a foolproof one. As mentioned before, the Supreme Court of India is the last chance of scrutiny for this bill. The present union government has more than enough mandate in both the houses of parliament to pass this bill without any resistance from the opposition. At this stage, the only scope of addressing the grievances is the judicial intervention which is most likely to happen just like the case of Aadhar.

Now we would be dealing with the definition of privacy, social efficiency of the mass surveillance programs and delving deeper into the evolution of privacy as a concept. This would be based on an analysis of the efficiency of some Indian governmental programs which is claimed to have improved after making Aadhar mandatory.

There are different perspectives to privacy. In the Indian scenario, the definition and the scope of the right as what certainly it implies privacy is yet to evolve through upcoming judicial pronouncements and parliamentary legislations. Most of the educated people say that they value their privacy.

However, when they are offered the opportunity to trade private, personal information for immediate but minor benefits such as access to a website, they routinely do so. Young people appear to value privacy even less, constantly uploading revealing material about themselves and others to widely-accessible social media sites like Facebook, Twitter and other web portals asking for user-credentials.

This conundrum has been termed as the privacy paradox by Mr. Gordon Hull who is an associate professor of UNC Charlotte.[11] Hence, there are variations from person-to-person that how they perceive the right to privacy and how much sensitive they must be about their privacy beyond being regarded as a normative right. The matter must be left for legislations and judgments as they are the lawmakers and law interpreters. However, the threats of a mandatory mass surveillance must be kept in mind and ultimately the individual should have the discretion.

On 24th August 2017, a nine-judge bench of the Supreme Court, headed by Chief Justice JS Khehar, has ruled that the Right to Privacy is a fundamental right for its citizens and no legislation passed by the government can violate it.

The bench over-ruled the decision passed in MP Sharma as well as in Kharak Singh which held that the Right to Privacy is not protected by the Constitution of India. Hence, the bench defined privacy based on an individuals dignity. This newly propounded right has been conferred to an Indian citizen as an intrinsic part of the right to personal liberty under article 21 and as a part of freedom guaranteed by part III of the constitution.[12]

Since we have already discussed about the DNA bill before, we would focus on UIDAI in this part. With the help of, The UIDAI Project and Welfare Schemes the author Ms. Reetika Khera has critically analyzed two of the most important and old government schemes: PDS (Public Distribution System) for food rationing among the registered household and MGNREGA or the bundle of schemes dealing with the Right to Work. She analyzed the credibility of UIDAI program and its feasibility of claims that being promised by the UIDAI project.[13]

The Unique Identification (UIDAI) project was a flagship project of the United Progressive Alliance (UPA-II) government. The Unique Identification Authority of India's (UIDAI) ambitious plan of issuing a unique biometric- enabled number, innocuously called "Aadhaar", to every Indian resident has also begun to generate a debate on citizen-state relations, privacy, financial implications, and operational practicalities.[14]

However, it is the credibility of the UIDAIs claims in the field of social policy, particularly the National Rural Employment Guarantee Act (NREGA) and public distribution system (PDS). Several claims (the project possesses the power to eliminate financial exclusion, enhance accessibility, and uplift living standards for the majority poor) have been made by the UIDAI, but have not been carefully analyzed. As Ms. Khera has asserted in her paper, that the claim of controlling corruption through the UIDAI is made on the premise that payments of NREGA wages, the main source of embezzlement was by fudging attendance record- by either adding name of people who had not worked or inflating the attendance of those who had worked.[15] Payment of wages through banks and post- offices has made corruption quite difficult.

According to her there are three potential ways of corruption - Extortion, collusion and deception. Extortion means that when inflated wages are withdrawn by the laborer; the middleman turns extortionist and takes his share from him or her. Collusion means that the laborer and the middleman share agree to share the inflated wages that are credited to the laborers account. Deception means that the middleman opens and operate account on behalf of laborers, withdraw the inflated wages from these bank accounts, pay workers their due in cash and pocket the difference.

To counter these methods, Biometric-enabled UIDAI to authenticate identity can help to prevent deception, but not effective in preventing collusion and extortion. Despite these claims being a true portrayal of the reality in India, the solution offered is perplexing. Similar claims are made with respect to the PDS (Public Distribution System). For instance, the UIDAI often claims that the project will improve access to government benefits because they do not have the required identity proof.

To this claim, she has critically asserted that this claim is based upon incorrect diagnosis of why people are excluded from government schemes.[16] She further asserted that reason behind such non-implementation of government programs are due to two reasons: One being the poor coverage related to low allocations for these programs and two being the misclassification of people.

For example, the scheme of BPL (below poverty line) when schemes are targeted, benefits are conditional upon being classified, and selection of these BPL families is based on a census which is conceptually flawed and poorly implemented. And has often fallen into identity fraud and misclassification of household. Hence, the UIDAI scheme is promising as giving biometric identity to individuals will marginalize to some extent. Further she asserted that what the UIDAI cannot or is elimination of Bogus cards. (Khera,2011)

She describes three kinds of cards that are existing in the PDS system.
A) Ghost cards, i.e., where cards exist in the name non-existent or deceased persons.
B) Duplicates where one person or household, entitled to one card, manages to get more through unfair means;
C) misclassified cards, when ineligible persons, household claims benefits.[17] The question arises, that what amount of such cards are bogus or duplicated. Hence, the Government has no accurate data to replace such cards effectively with Aadhaar cards.

Lastly, she concluded that getting enrolled in the Aadhaar database and being given a number carries no welfare benefits. Having an Aadhaar number does not eliminate the need to apply for a bank account, or a ration card or a job card (required to be eligible for work under NREGA schemes). Therefore, the Id, does not replace other existing number of Ids.[18] And, it can only serve as a valid form of identity in the same way that a driver's license or passport currently do.

Hence, the UIDAI project is among several technological innovations. And though its claim promises that it will bring efficiency in implementation of public services, but the existing corrupt-policy implementing institution is bringing down the claims and vision of the project.

Conclusion
There is always a conflict between privacy of an individual and the national security based on public interests. The idea of giving up certain liberties in return for social security has been the basis of every modern nation state which is democratic in nature. It is agreeable that the reduction of any sort of security threat on a nation is superior to the privacy of an individual. However, national security should not be used as a political gimmick to extract information from individuals and given to private actors who may reap benefits out of it. The risks should be mitigated, and it is the responsibility of the government to ensure the confidentiality as well as the security of information regarding the citizens of the country. If the elected government fails to do so or for worse ends up colluding with private actors and resulting in jeopardizing the privacy of individuals, then the last legal measure would be the judiciary.

End-Notes
[1] https://www.nytimes.com/2018/03/19/technology/facebook-cambridge-analytica-explained.html
[2]http://www.un.org/en/universal-declaration-human-rights/
[3] https://www.theguardian.com/commentisfree/2013/sep/03/snowden-manning-assange-new-heroes
[4] https://thewire.in/government/data-breach-aadhaar-details-grabs-just-rs-500
[5] https://www.indiatvnews.com/internet/news-was-supreme-court-website-attacked-by-brazilian-hackers-438350
[6] (2015) 8 SCC 735
[7] https://timesofindia.indiatimes.com/topic/DNA-Profiling-Bill
[8] https://blog.ipleaders.in/human-dna-profiling-bill-india/
[9] AIR 2003 Delhi 103
[10] https://www.financialexpress.com/archive/writ-jurisdiction-of-high-courts/53998/
[11] Successful Failure: What Foucault can Teach Us about Privacy Self-Management in a World of Facebook and Big Data
Gordon Hull, UNC Charlotte / [email protected]
[12] (2017) 8 SCC 735
[13] The UID Project and Welfare Schemes\Author(s): REETIKA KHERA\Source: Economic and Political Weekly, Vol. 46, No. 9 (FEBRUARY 26-MARCH 4, 2011), pp.38-43\Published by: Economic and Political Weekly
[14] ibid
[15] ibid
[16] The UID Project and Welfare Schemes\Author(s): REETIKA KHERA\Source: Economic and Political Weekly, Vol. 46, No. 9 (FEBRUARY 26-MARCH 4, 2011), pp.48-53\Published by: Economic and Political Weekly
[17] ibid
[18] “there are 75 million homeless people in the country and a lot of nomadic people – all of them dont have Id. We think UIDAI will enhance their access to public services (chairperson Nilekani in Indian Express 2009).