Data is a Property owned by the Data subject under DISHA 2018

DISHA 2018 is the proposed law for India applicable to Privacy and Data Protection in the Health Care sector. At a time when there is discussion on GDPR all around the industry and anticipation of the Justice Srikrishna Committee’s recommendation on the General Data Protection Act for India, DISHA 2018 has been proposed by the Health Ministry in a draft form for public comments. The Act is likely to be named the “Digital Information Security in Health care Act 2018”. Public comments are to be sent to egov-mohfw@nic.in before April 21, 2018.

In order to enable stakeholders to form their views and forward them to the ministry, Naavi is providing here his own views. I suppose this would be helpful in triggering thoughts in others to send their own comments.

…..Naavi

This is the continuation of the earlier article on this subject


DISHA 2018 brings in an important concept to the Data Protection legislation for the first time by declaring that “Data is the Property of the Data Subject”.

Under the proposed Clause 31 of the Act, it is stated:

(1) The digital health data generated, collected, stored or transmitted shall be owned by the individual whose health data has been digitised;
(2) A clinical establishment or Health Information Exchange shall hold such digital health care data referred to in sub-section (1) above in trust for the owner;
(3) Any other entity who is in custody of any digital health data shall remain the custodian of such data, and shall be duty bound to protect the privacy, confidentiality and security of such data;
(4) Notwithstanding anything stated in the above sub-sections (1) to (3), the medium of storage and transmission of digital health data shall be owned by the clinical establishment or health information exchange, as the case may be.

Under Section 3(e) Digital Health Data is defined as follows:

(e) ‘Digital Health Data’ means an electronic record of health related information about an individual and shall include the following:

(i) Information concerning the physical or mental health of the individual;
(ii) Information concerning any health service provided to the individual;
(iii) Information concerning the donation by the individual of any body part or any bodily substance;
(iv) Information derived from the testing or examination of a body part or bodily substance of the individual;
(v) Information that is collected in the course of providing health services to the individual; or
(vi) Information relating to details of the clinical establishment accessed by the individual.

It is interesting to note that the “Ownership” is limited to the Digital Health Data and may not extend to the “Personal Data”.

The implication of this provision is that a patient can demand that any health data collected about himself is his property and must be handed over to him. Being a “Property”, the legal heirs will also have a right if the patient is not alive.

This definition should have an effect on cases such as J Jayalalitha’s health records, which now become the property of the legal heirs of Jayalalitha. The Hospitals cannot hide the data under non-existent “privacy” considerations of a deceased individual.

The rights of the owner of digital health data are defined under Section 28 as under:

(1) An owner shall have the right to privacy, confidentiality, and security of their digital health data, which may be collected, stored and transmitted in such form and manner as may be prescribed under this Act.

(2) An owner shall have the right to give or refuse consent for the generation and collection of digital health data by clinical establishments and entities, subject to the exceptions provided in Section 29 of this Act.

(3) An owner shall have the right to give, refuse or withdraw consent for the storage and transmission of digital health data.

(4) An owner shall have the right to refuse consent to the access or disclosure of his or her digital health data, and if refused it shall not be disclosed, subject to the exceptions provided in Section 33 of the Act.

(5) An owner of the digital health data shall have the right that the digital health data collected must be specific, relevant and not excessive in relation to the purpose or purposes for which it is sought;

(6) An owner of the digital health data shall have the right to know the clinical establishments or entities which may have or has access to the digital health data, and the recipients to whom the data is transmitted or disclosed;

(7) The owner of the digital health data shall have a right to access their digital health data with details of consent given and data accessed by any Clinical Establishment/Entity;

(8) The owner of the digital health data shall have, subject to sub-section (1) to (3) above:

(a) The right to rectify without delay, from the respective clinical establishment or health information exchange or entity, any inaccurate or incomplete digital health data, in the prescribed form as may be notified by the National Electronic Health Authority;

(b) The right to require their explicit prior permission for each instance of transmission or use of their digital health data in an identifiable form, through such means as may be prescribed by the Central Government;

(c) The right to be notified every time their digital health data is accessed by any clinical establishment within the meaning of Section 34 of the Act;

(d) The right to ensure that in case of health emergency, the digital health data of the owner may be shared with their family members;

(e) The right to prevent any transmission or disclosure of any sensitive health related data that is likely to cause damage or distress to the owner;

(f) The right not to be refused health service, if they refuse to consent to generation, collection, storage, transmission and disclosure of their health data;

(g) The right to seek compensation for damages caused by a breach of digital health data.

There is a streak of GDPR in the above provisions. What attracts notice is Section 28(f) which states that a person has the right not to be refused health service if they refuse to consent to generation, collection, storage or transmission or disclosure of their health data.

How a health establishment can provide health service without, say, conducting a blood examination if the consent is refused is a matter that will be intriguing for the hospitals.

In order to protect the rights of the Digital Health Data Subject, the Act sets out the principles of purposeful collection (Section 29), Lawful collection (Section 30), Secured storage (Section 32), Secured Transmission (Section 33), Access provision (Section 34), Rectification option (Section 36) etc.

Section 35 imposes all the liabilities under Information Security Management because it states:

35. Duty to maintain privacy and confidentiality of digital health data

(1) A clinical establishment, health information exchange, State Electronic Health Authority and the National Electronic Health Authority, shall be duty bound to protect the privacy, confidentiality, and security of the digital health data of the owner;

(2) Any other entity, which has generated and collected digital health data, shall be duty bound to protect the privacy, confidentiality, and security of the digital health data of the owner.

(3) The privacy, confidentiality and security of digital health data shall be ensured by taking all necessary physical, administrative and technical measures, that may be prescribed or specified, to ensure that the digital health data, collected, stored and transmitted by them, is secured and protected against access, use or disclosure not permitted under this Act or regulations made thereunder, and against accidental or intentional destruction, loss or damage.
(4) Without prejudice to the above provisions, a clinical establishment or health information exchange shall ensure through regular training and oversight that their personnel comply with the security protocols and procedures as may be prescribed or specified under this act.
(5) A clinical establishment, or a health information exchange, shall provide notice immediately, and in all circumstances not later than three working days to the owner, in such manner as may be prescribed under this Act, in case of any breach or serious breach of such digital health data.

It is clear from the above that the Clinical establishments will have a tough time complying with DISHA 2018, almost on the lines of GDPR.

Since DISHA is applicable to “Clinical Establishments” which definition [Section 3(i)] includes

-a hospital, maternity home, nursing home,

-dispensary, clinic, sanatorium or an institution by whatever name called that offers services, facilities requiring diagnosis, treatment or care for illness, injury, deformity, abnormality or pregnancy in any recognised system of medicines or

-a place established in connection with the diagnosis where pathological, bacteriological, genetic, radiological, chemical, biological investigations or other diagnostic or investigative services with the aid of laboratory or other medical equipment are usually carried on

the impact of what it proposes as security is far reaching.

(Discussions will continue)

Naavi


Consequences of Health Data Breach under DISHA 2018


This is the continuation of the earlier article on this subject


The importance of any legislation is often measured in terms of the penal consequences that would follow if the law is not complied with.  The same logic applies to DISHA 2018 also and hence we need to take a quick look at Chapter V of the proposed legislation that deals with Offences and Penalties.

For the purpose of defining the consequences of non compliance of DISHA 2018, the proposed law defines “Breach of Digital Health Data” along with a term “Serious Breach of Digital health Data”.

As per section 37, Digital Health Data is said to be breached when

a) Any person generates, collects, stores, transmits or discloses digital health information in contravention of the provisions of the Act or

b) Any person who does anything in contravention of the exclusive right conferred upon the owner of the digital health data or

c) Digital health data collected, stored or transmitted by any person is not secured as per the standards prescribed by the Act or any rules thereunder or

d) Any person damages, destroys, deletes, affects injuriously by any means or tampers with any digital health data.

A person who is responsible for such breach shall be liable to pay damages by way of compensation. This is treated as a civil wrong.

A “Serious Breach of Digital health Data” on the other hand is defined as follows:

(1) A serious digital health data breach shall be said to have taken place, if:

(a) A person commits a breach of digital health data intentionally, dishonestly, fraudulently or negligently; or
(b) Any breach of digital health data occurs, which relates to information which is not anonymised or de-identified; or
(c) A breach of digital health data occurs where a person failed to secure the data as per the standards prescribed by the Act or any rules thereunder; or
(d) Any person uses the digital health data for commercial purposes or commercial gain; or
(e) An entity, clinical establishment or health information exchange commits breach of digital health data repeatedly;

Explanation: The terms “dishonestly” and “fraudulently” shall have the same meaning as assigned to them under the Indian Penal Code, 1860

(2) Any person who commits a serious breach of health care data shall be punished with imprisonment, which shall extend from three years and up to five years; or fine, which shall not be less than five lakh of rupees.

Provided that, any fine imposed as part of sub-section (2) may be provided to the individual whose data is breached, by the Court, as it deems fit as compensation.

This section is meant to be a section to define offences which may be punished with Imprisonment and Fine and hence should be recognized as a “Criminal Offence”.

The imprisonment under this section is stated as a minimum of 3 years extending up to 5 years, and the fine is stated as “Shall not be less than Five lakh of rupees”.

The above section perhaps requires to be better constructed to avoid ambiguities.

Firstly it tries to combine the Criminal penalty with Civil compensation by providing that the Court may provide compensation by collecting it as a fine. This makes Section 37 redundant since the definition of “Serious Breach of Digital Data” under Section 38 differs from Section 37 only with the addition of “Intention” and “Dishonesty” etc.

Also since the separator “Or” has been used to separate sub sections 1(a) to 1 (e), it appears that “Any Breach of identifiable digital health data” would come under Section 38 with or without dishonesty or malicious intention.

Further 37 (1) (a) has included the term “Negligently” along with “Intentionally”, “Dishonestly” and “Fraudulently”.  This has mixed up criminal intention with “negligence” and “Negligence without Criminal Intention” can be a grey area under this section.

Under (1) (c), breach of data for failure to secure it has also been defined as a serious breach inviting imprisonment and fine. Considering that the punishment can be for a minimum imprisonment of 3 years and fine of Rs 5 lakhs, and “Security” being as ambiguous as it can be, it is difficult to accept the section as it is now drafted as fair.

The other two actions that can invoke punishment under this section are “Use of digital health data for marketing” and “Repeated breach by a clinical establishment”.

These offences also need to be qualified properly.

Overall, Section 38 is not properly drafted and has to segregate the “Motive”, “Action”, “Consequence” of an action that is defined as an offence before indicating the punitive measures.

Section 39 is again an extension of Section 38 offences to the domain of civil compensation and overlaps both with Sections 37 and 38.

Section 40 of the proposed Act prescribes fines for administrative delay in furnishing information, documents, books, returns or reports that may be specified. The fine may extend to Rs 1 crore.

Section 41 states that

“Whoever, fraudulently or dishonestly, obtains the digital health information of another person, which he is not entitled to obtain under the Act from a person or entity storing such information shall be punished with imprisonment for a term which shall extend up to one year or fine, which shall be not less than one lakh rupees; or both.”

This addresses the cases of “Digital Impersonation” for which ITA 2000/8 already prescribes 3 years imprisonment.

Additionally, under Section 42, “Data Theft” has been defined as an offence that can result in imprisonment for 3 to 5 years. The section states as under.

“Whoever intentionally and without authorization acquires or accesses any digital health data shall be punished with imprisonment for a term, which shall extend from three years up to five years or fine, which shall be not less than five lakh rupees; or both.”

Section 43 speaks of “Cognizability” and again is ambiguously drafted.

It says that “No Court shall take cognizance of any offence punishable under this Act or any rules or regulations made thereunder, save on complaint made by the Central Government, State Government, the National Electronic Health Authority of India, State Electronic Health Authority,” but adds “Or a person affected”.

This means that on the basis of a complaint made by the person affected, cognizance can be taken irrespective of the term of imprisonment etc.

This may not be acceptable to the Criminal judicial system.

Section 44 extends the offences which can be attributed to the Company to its executives as under Section 85 of ITA 2000/8.

Overall, it appears that the offensive sections are loosely drafted and need to be tightened substantially before becoming the law.

Perhaps when the draft goes to the Law Ministry, it has to be revised thoroughly.

(To Be continued)

Naavi


DISHA 2018- Proposed Health Information Security Act in India



DISHA 2018 has been structured into the following 7 Chapters:

I: Preliminary

II: National Electronic Health Authority

III: Powers and Functions of the National and State Authorities

IV: Data Ownership, Security and Standardization

V: Digital Health Data Breach and Consequences

VI: Adjudicating Authority

VII: Miscellaneous Provisions

Schedule I: Personally Identifiable Information

Geographical Applicability 

Let’s start with the Preliminary Chapter that states that this law extends to the whole of India except the State of Jammu and Kashmir.

Since ITA 2000/8 is a law that also applies to J&K and it has provisions that state that Health Information is sensitive personal information and it has to be protected in a certain manner, that provision will continue to apply to J&K. In other areas there could be some overlap of regulations between ITA 2000/8 and this law when it becomes effective.

Personal Information

The definition section is Section 3 and it requires a detailed discussion. Before we get into the definitions under Section 3, we can first have a look at the Schedule I which lists certain parameters as “Personally Identifiable Information”. (PII)

The listed parameters that would be considered as PII are

  1. Name
  2. Address
  3. Date of Birth
  4. Telephone Number
  5. Email Address
  6. Password
  7. Financial Information such as Bank account or credit card or debit card or other payment instrument details
  8. Physical, Physiological and Mental Health Condition
  9. Sexual Orientation
  10. Medical Records and History
  11. Biometric Information
  12. Vehicle Number
  13. Any Government number including Aadhaar, Voter’s Identity, Permanent Account Number (PAN), passport, Ration Card, Below Poverty Line (BPL) card

Compared to the HIPAA identifiers, there appears to be an omission of E Mail Address, IP Address, IMEI Number, SIM number (unless telephone number can be interpreted also as mobile number). Also Age is not included and Address as a whole is included and there is no exemption for address at higher level as in HIPAA.

There is an additional definition under Section 3(o) which defines “Sensitive Health Related Information” namely,

(o) ‘Sensitive health-related information’ means information,

that if lost, compromised, or disclosed, could result in substantial harm, embarrassment, inconvenience, violence, discrimination or unfairness to an individual,

including but not limited to, one’s physical or mental health condition, sexual orientation, use of narcotic or psychotropic substances, consumption of alcohol, sexual practices, Human Immunodeficiency Virus status, Sexually Transmitted Infections treatment, and abortion.

This appears to be a departure from the other legislations where “Personal Information” is defined in general terms and some types of Personal Information are defined as Sensitive Personal Information (SPI). This approach has been used in ITA 2000/8 as well as in GDPR.

It is interesting to note that DISHA 2018 has defined “Sensitive” nature of PI in the context in which the breach could cause “Substantial” harm.

The interpretation of the word “Substantial” would be subject to debate as it happened when the Supreme Court discussed Section 66A of ITA 2008 and interpreted that the term “Grossly Offensive” was vague. But this judgement was prompted by other considerations and should be considered as an aberration.

On the other hand, “Personally Identifiable Information” as per Section 3(k) means any information that can be used to uniquely identify, contact or locate an individual, or can be used with other sources to uniquely identify a person, and includes the information stated in Schedule I.

Hence the suggestion that “Data” is Data under all circumstances and it becomes “Sensitive” in certain circumstances is welcome.

Entity 

The Act defines a “Clinical Establishment” as well as the term “Entity”. Both the definitions include all types of organizations including individuals, Trusts, private and public establishments, Hospitals, diagnostic centers, pathological laboratories, radiology laboratories etc. Only the establishments owned by armed forces are exempted from this definition.

As a result of this approach, the scope of this proposed Act will have a very wide impact in the Health Care industry.

……To Be Continued

Naavi


The tragedy of Shafhi Mohammad judgement

“This erroneous interpretation of the bench will directly result in honest persons being harassed by dishonest persons” …. Naavi

The honourable Supreme Court in its order dated 3rd April 2018 pronounced its final order on the Special Leave Petition (SLP 2302 of 2017) regarding the use of videography including body cameras in crime scene evidence capture. There was an earlier interim order of 30th January 2018  on the same SLP which had elaborated more on the issue of Section 65B of Indian Evidence Act.

The order indicates that the Supreme Court wanted to allow such videography and tried to manufacture an acceptable argument to reach a preconceived conclusion. This tendency was earlier seen in the Shreya Singhal case where Section 66A of ITA 2008 was scrapped and also in the Puttaswamy case on Privacy. In all these cases, the Judiciary has come out in poor light as trying to fit its logic to a pre conceived decision. In the process, the judgement creates some untenable and undesirable consequences.

In the Section 66A scrapping, the SC was adamant that it cannot “Read down” the section and nothing short of scrapping it would be acceptable to it. In the Privacy judgement, it was an attempt to rush through a judgement to influence another judgement. Now this Shafhi Mohammad judgement falls into the same category.

In a bid to allow such videography, the two member bench has tried to bend the law in a manner that is highly detrimental to the society and could lead to corruption in judiciary and harassment of innocent citizens by powerful and more intelligent evidence manipulators.

It is not our argument that body cameras and police TV footage should not be used as evidence. In fact these and much more technology are to be used and are already being used.

However, we have a serious objection to the attempt of the two member bench to re-interpret the law as it exists and in derogation of a three member speaking order in the case of P V Anvar Vs Basheer.

The Indian Evidence Act 1872 (IEA) was amended when ITA 2000 was notified and one of the major changes that was brought about  was the introduction of Section 65B for “Admissibility of Electronic Evidence”. This has to be read with Section 65A, Section 22A, Section 17 and Section 3 of the same Act.

Section 65B of IEA is one of the most innovative aspects of ITA 2000/IEA and the Court has failed to recognize the purpose and scope of the section before jumping into passing an order which is bad in law and bad for the community.

The problem which the Police had in using the Videography as evidence was that the videography was captured in some camera and the first copy would be recorded in the device memory which could be the hardware or the removable media. It is then transferred to the Police in the back room and subsequently viewed, edited and presented as evidence in a Court.

In this scenario, if Section 65B was followed, then somebody in the Police should have taken the responsibility to give a Section 65B certificate which would pin him down against any manipulation of the evidence.

The Court conveniently ignored  that Section 65B was about presenting a “Computer Output” of an electronic document which may be present either in a camera device or on a server or on a removable media such as a pen drive or memory card. The only requirement was that the Certifier had to take the responsibility to state how he was able to view the document in his computer and how he was able to produce the computer output (say a print out).

Section 65B does not require the lawful owner of the first device which created an electronic impression (sequence of zeros and ones) of an event to himself give the evidence in the Court. It would suffice if he hands over a memory card to the Police repository in charge with a standard form which identifies the memory card (such as “Videograph of day …. in camera ….”) along with a hash value of the entire set of bits and sequences contained therein, and a signed covering letter. This form of handing over the recorded removable device can be standardised and is not complicated.

Subsequently it is the responsibility of the repository in charge to create clones and copies as may be required along with his own Section 65B certificate. The forensic expert may actually extract much more information than what is visible by using his own tools and he  can provide his findings with his own Section 65B certificate. Similarly if there is a need to edit the video, there is no bar on it under Section 65B except that it has to be recorded as a process in the Certificate. For example if the video is of one hour duration between say 20.30 and 21.30 on 17th April 2018, the edited version may be video between 20.55  to 21.10 and it can be stated as such in the certificate.
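The hand-over, cloning and edited-extract steps described above can be sketched as follows. This is an added example, not part of the original article or of any official form: SHA-256 is assumed as the hash, and the record fields, labels and sample bytes are constructed for illustration.

```python
import hashlib
import io

CHUNK = 1 << 20  # read in 1 MiB blocks so large card images are not loaded whole


def sha256_stream(stream):
    """Hash every byte of a file-like object (raw card image or video file)."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def handover_record(stream, media_label, description, handed_over_by):
    """Hypothetical form filled in by the person handing over the memory card."""
    return {"type": "handover", "media_label": media_label,
            "description": description, "certified_by": handed_over_by,
            "sha256": sha256_stream(stream), "parent_sha256": None,
            "process": "original recording, unmodified"}


def clone_record(parent, clone_stream, certified_by):
    """Repository in charge certifies a bit-for-bit copy; refuses on mismatch."""
    digest = sha256_stream(clone_stream)
    if digest != parent["sha256"]:
        raise ValueError("clone differs from the hash on the parent record")
    return {"type": "clone", "certified_by": certified_by, "sha256": digest,
            "parent_sha256": parent["sha256"], "process": "bit-for-bit copy"}


def extract_record(parent, extract_stream, certified_by, start, end):
    """An edited extract has a new hash, so the record names its parent
    and states the edit as a process."""
    return {"type": "extract", "certified_by": certified_by,
            "sha256": sha256_stream(extract_stream),
            "parent_sha256": parent["sha256"],
            "process": f"extract {start} to {end} of parent recording"}


def verify_chain(pairs):
    """pairs: list of (record, artefact_bytes) in certification order.
    Returns a list of problems; an empty list means every artefact matches
    its certified hash and traces back to the hand-over record."""
    problems, seen = [], set()
    for n, (rec, data) in enumerate(pairs):
        if sha256_stream(io.BytesIO(data)) != rec["sha256"]:
            problems.append(f"record {n} ({rec['type']}): artefact does not "
                            "match certified hash")
        parent = rec["parent_sha256"]
        if parent is None and rec["type"] != "handover":
            problems.append(f"record {n}: no parent recorded")
        elif parent is not None and parent not in seen:
            problems.append(f"record {n}: parent hash not certified earlier")
        if not rec["certified_by"]:
            problems.append(f"record {n}: nobody has taken responsibility")
        seen.add(rec["sha256"])
    return problems


# Constructed stand-in for a memory-card image and for an edited extract of it.
CARD_IMAGE = b"".join(bytes([i % 251]) * 4096 for i in range(60))
EXTRACT = CARD_IMAGE[25 * 4096:40 * 4096]


def build_demo_chain():
    """Hand-over, clone, then the 20.55 to 21.10 extract from the article."""
    original = handover_record(io.BytesIO(CARD_IMAGE), "CARD-0001 (placeholder)",
                               "Videograph of 17 April 2018, 20.30 to 21.30",
                               "videographer (placeholder)")
    clone = clone_record(original, io.BytesIO(CARD_IMAGE),
                         "repository in charge (placeholder)")
    extract = extract_record(clone, io.BytesIO(EXTRACT),
                             "repository in charge (placeholder)",
                             "20.55", "21.10")
    return [(original, CARD_IMAGE), (clone, CARD_IMAGE), (extract, EXTRACT)]


if __name__ == "__main__":
    print(verify_chain(build_demo_chain()) or "chain verifies")
```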

What the Court has done now is to say that “No Certificate is required under Section 65B when the electronic document is presented from a device not owned by the person presenting the evidence”. Police can conveniently say that they engaged the services of a freelance videographer and the camera belonged to him and hence no certificate is required for whatever the Police present.

Even if the evidence is manipulated, there is no responsibility fixed on anybody in the absence of the Certificate.

In the same manner, when an electronic document lies on a server not owned by the person it can be manipulated and presented as evidence and the Court has to admit the evidence and ask the defendant to prove that the evidence is wrong.

If therefore somebody hacks into a web server, downloads a document, makes changes and captures it, then goes on to delete the document on the server, he will be in possession of a doctored document which can be produced as evidence which will be automatically admitted. Then it will be the burden on the defendant to prove that the version presented to the Court is fake. This can also happen in WhatsApp messages and Social media where fake documents can be created, captured as uncertified evidence, destroyed in original form and uncertified copy presented to the Court which the Court has no option but to admit.

I would like the two honourable Judges to confirm if they have considered the above scenario before boldly declaring that they would clarify that Section 65B is only a procedural requirement which they consider as redundant in some cases. If they have not, it is necessary for them to review their own decision rather than creating a bad law which exposes the ignorance of the Judiciary.

I accept that the Government has the power to change the law and can even scrap the entire Sections 65A and 65B if they want. But as long as they exist, they exist as independent sections and as the three member bench in the Basheer case rightly observed, it is a special provision applicable for electronic documents and overrides the provisions of Sections 62, 63 and 65.

It is therefore incorrect to interpret

” The applicability of procedural requirement under Section 65B(4) of the Evidence Act of furnishing certificate is to be applied only when such electronic evidence is produced by  person who is in a position to produce such certificate being in control of the said device and not of the opposite party.”

It is also incorrect to interpret

“In a case where electronic evidence is produced by a party who is not in possession of a device, applicability of Sections 63 and 65 of the Evidence Act cannot be held to be excluded. In such case, procedure under the said Sections can certainly be invoked. If this is not so permitted, it will be denial of justice to the person who is in possession of authentic evidence/witness but on account of manner of proving,”

In fact

“This erroneous interpretation of the bench will directly result in honest persons being harassed by dishonest persons”

In fact

“This erroneous interpretation will pave the way for a high level of Judicial corruption because it provides the discretion to the Judiciary to accept evidence without any body taking responsibility for its existence”

In fact

“This erroneous interpretation will make all web based documents admissible without any person taking the responsibility for stating how it was seen and recorded.”

In fact

“This erroneous interpretation will create more rogue judgements where the lower courts will order against the higher courts by way of clarification”

It is therefore essential that the bench immediately reviews its own order and states nothing beyond this:

“The Supreme Court reserves the right to accept electronic evidence without Section 65B evidence in such cases as it deems fit after a necessary examination”

The MHA should get back to the bench for the review as otherwise the MHA under Mr Modi’s Government will be accused of having manipulated the Judiciary to pave the way for Police to file uncertified fake videos as evidence.

Naavi

(This article is a continuation of this previous article)


Shafhi Mohammad final judgement on Section 65B issue is not correct

We draw the attention of the public to our earlier article on the interim view expressed by a bench of the Supreme Court on January 30, 2018, which was headlined by most news publications as “Courts can rely on electronic records without certificate: SC”

We had commented in the context “Recipe for corruption in Judiciary- Supreme Court judgement in Shafhi Mohammad V State of Himachal Pradesh”.

This was a two member bench order on an SLP but it had stated in the order that

“An apprehension was expressed on the question of applicability of conditions under Section 65B(4) of the Evidence Act to the effect that

if a statement was given in evidence, a certificate was required in terms of the said provision from a person occupying a responsible position in relation to operation of the relevant device or the management of relevant activities.

It was submitted that if the electronic evidence was relevant and produced by a person who was not in custody of the device from which the electronic document was generated, requirement of such certificate could not be mandatory.

It was submitted that Section 65B of the Evidence Act was a procedural provision to prove relevant admissible evidence and was intended to supplement the law on the point by declaring that any information in an electronic record, covered by the said provision, was to be deemed to be a document and admissible in any proceedings without further proof of the original.

This provision could not be read in derogation of the existing law on admissibility of electronic evidence.”

The Court quoted one judgement of 1985 and an American judgement of 1972 (delivered long before Section 65B was conceived for electronic evidence), which stated “…it will be wrong to deny to the law of evidence advantages to be gained by new techniques and new devices, provided the accuracy of the recording can be proved.”

A case was made out through two other cases to state

“Scientific and electronic evidence can be a great help to an investigating agency.”

“new techniques and devices are order of the day”

“threshold admissibility of an electronic evidence cannot be ruled out on any technicality if the same was relevant.”

Then the judges referred to the Anvar PV Vs P.K. Basheer case as well as the Navjot Sandhu (alias Afsan Guru) case which it overruled.

The two member bench referred to the Tomaso Bruno (2015) and Ram Singh (1985) judgements and went on to conclude

“it can be safely held that electronic evidence is admissible and provisions under Sections 65A and 65B of the Evidence Act are by way of a clarification and are procedural provisions.”

Proceeding further, the two member bench overruled the judgement of the three member bench in the Basheer case, which had taken into account the recent developments in technology and had examined the question of Section 65B at great length, and made the following statements.

“Sections 65A and 65B of the Evidence Act, 1872 cannot be held to be a complete code on the subject.”

“The applicability of procedural requirement under Section 65B(4) of the Evidence Act of furnishing certificate is to be applied only when such electronic evidence is produced by a person who is in a position to produce such certificate being in control of the said device and not of the opposite party.”

“In a case where electronic evidence is produced by a party who is not in possession of a device, applicability of Sections 63 and 65 of the Evidence Act cannot be held to be excluded. In such case, procedure under the said Sections can certainly be invoked. If this is not so permitted, it will be denial of justice to the person who is in possession of authentic evidence/witness but on account of manner of proving, such document is kept out of consideration by the court in absence of certificate under Section 65B(4) of the Evidence Act, which party producing cannot possibly secure. Thus, requirement of certificate under Section 65B(h) is not always mandatory.”

Accordingly, we clarify the legal position on the subject on the admissibility of the electronic evidence, especially by a party who is not in possession of device from which the document is produced. Such party cannot be required to produce certificate under Section 65B(4) of the Evidence Act. The applicability of requirement of certificate being procedural can be relaxed by Court wherever interest of justice so justifies.

Now the bench has released its final judgement in the case and a final order has been issued on 3rd April 2018.

We therefore re-visit the judgement on what is stated in the final order, read in conjunction with what was stated in the earlier order of January 30, 2018.

We would like to state that we have no disagreement with the use of videography by Police through body cameras, which was central to the discussions in this case. We are not in disagreement even with the use of surveillance, profiling, Artificial Intelligence in policing etc., which are opposed to the policy of “Privacy Protection” which is dear to the Supreme Court judges.

But we are in disagreement with the views of the bench as to the conclusions that they have drawn and also with the fact that they have gone against the tradition of not trying to overrule a verdict of the higher court.

We do agree that the Court should exercise discretion when “Justice so justifies” to bend some rules temporarily. This was done in the Sonu @ Amar judgement for the right cause and we support it. However, the judgement in the Shafhi Mohammad case is borne out of a wrong interpretation and hence needs to be opposed.

Our opinion on the reasons why this judgement is bad for the society and is wrong in law is presented below. This is not to show any disrespect to the Court but to engage in an academic debate on a point where we feel that technology related interpretation has gone wrong in this instance and needs to be corrected if necessary.

However, we feel that this, being a two member decision relevant to a specific reference, cannot create an overriding law against the three member judgement, though the Judges seem to think that it should.

More discussion will follow…

Naavi


Artificial Intelligence-An Unnatural threat


Faith and Science must go hand in hand
For the seekers of the Divine Land.
Faith bereft of reasoning becomes superstition,
Science less Faith blinds man to the Divine Vision

(From : Towards A Serene World by Ravichandran)

Technology for the sake of technology and innovation for the sake of innovation have been the bane of human inventions over the ages. We have invented devices which initially seemed to be a boon, then found that they had become a hindrance, and finally, like the albatross around the Ancient Mariner, they become impossible to discard.

When the Internet was introduced nobody thought it would spread so fast, so far and so wide. We have made the Internet the repository of all information critical and non-critical. The Internet is and has become at least for most of us the only means of staying in touch with each other. All this has occurred without a proper risk assessment being done. Today if the internet crashes and remains down for a measurable period then it is quite possible that countries and humans will lose economically, politically and territorially, significant portions of their resources.

Artificial Intelligence, which is now being touted as the panacea for all our ills, is one such innovation, which has the potential of causing the destruction of human civilization.

Prof. Stephen Hawking warned about this when he stated that “development of full artificial intelligence could spell the end of the human race”. I would like to go one step further and say that development of full artificial intelligence will spell the end of the human race. My reason for this foreboding is located in history, reactions of people to circumstances and our way of thinking.

It is generally believed that Homo Sapiens evolved over a period from Hominids and that they form a single branch of evolution. What is not generally known is that Homo Sapiens shared the world with several other cousins, the Neanderthals, the Denisovan Man, Homo Floresiensis or the Hobbits and Homo Naledi, to name just a few, all of whom evolved from the same branch but became extinct around 75,000 years ago and later when Mount Toba in S.E. Asia erupted and caused a cataclysmic climate change.

While all these cousins showed similar skills like making and using tools and had similar anthropological features like the same cranium size, the difference lay in certain areas of the cranium which indicated that Homo Sapiens had a better ability as far as communication skills went.  A raised eyebrow or the rolling of the eyes that could communicate an entire gamut of feelings has been one of the strong points for the Homo Sapiens to survive the harsh conditions of nature and predators alike.

This is extremely important since it indicates that experiences and information could be shared from individual to individual and the modern man had the ability to analyse, adapt, adopt, communicate and assimilate changes around him. This could be the reason for his survival and the extinction of other races.  It has taken 600,000 years for Homo Sapiens to evolve and understand that he had the ability to create intelligent tools that could think like himself.  The fly in the ointment is that these intelligent tools could evolve in the next thirty to sixty years and design more intelligent devices which could make the human an anachronism.

When a baby is born it comes with the result of experiences formed over 600,000 years of human existence and this intuition lies in the unconscious part of the mind.

It is this intuition which enables a mother to recognize her child among thousands of similar children as evinced in the wild. It is this intuition which causes the baby to seek the protection of that being which gave birth to it.

Intuition arises from the unconscious mind. Along with the intuition come the experiences submerged in the subconscious mind, which is the sum total of the experiences while in the womb and in its interaction with the outside world in the first period of its existence, when it absorbs the inputs received by it. This is the instinct which makes one shy away from fire or avoid places or people without giving any reason. This instinct arises from the subconscious mind. When the baby grows and has access to information about people, events and surroundings, it can relate this information and make use of it to reach decisions. This is the intelligence which arises from the conscious mind. A decision taken by a human being is the sum of all of this and more.

The neural networks in the brain have evolved over the centuries to be receptive to new information, to transform this information into memory bits and retrieve them when required, to link the same to new information and cause an action to be done or a decision to be taken, or to incorporate and modify the memory bit already present. These processes are done by and in co-ordination with the DNA and the RNA of an individual, and these give rise to the different reactions of different people to the same set of circumstances.

This is one of the reasons why human behaviour is unpredictable even if Mark Zuckerberg or Sundar Pichai think otherwise. It is possible that the reactions of a group of people to a particular situation can be influenced or directed. It is also possible that this group of people can further influence another larger group of people to think likewise, but over a period of time and distance the influence will gradually wane and in some cases an opposite reaction could set in. The Arab Spring offensive is one such example.

Artificial Intelligence, or AI for short, is the mimicking of the cognitive functions of the human brain by devices to do jobs which require a certain amount of connecting disparate pieces of information available to the device in its memory, received by it from the surroundings, or inferred by it from the information made available to it. Pattern recognition is an important tool in the building of artificially intelligent devices. AI is powered by a set of algorithms which are built in increasing complexities. These algorithms are designed to learn from data. They can increase their capabilities by learning new plans of action or policy that have been successful in the past, or themselves write other algorithms which will provide a solution to achieving an end or goal.

Formal Logic, along with Bayesian inference and analogizers like Support Vector Networks or Machines, the nearest neighbour approach, and the neural network approach, which works on the principle of reinforcement of the connections between the artificial internal neurons, have ensured that AI, which started with the most basic functions, is now becoming increasingly complex, self-sustaining and self-empowering.

The only thing lacking in the current scenario is the intuitive and instinctive reasoning that is associated with human thinking. Apart from this, common-sense interpretation of written language and interpretation of unvoiced gestures and body language have also not been integrated in the current programs. But it is work in progress.

The above deficiencies are to a large extent offset by application of probability and statistical methods of prediction of the path, and in my view we are already at the stage of, or very near to, a breakthrough in enabling devices to predict the unpredictable. Therein lies the danger.

Recent experiments at Facebook and Google indicated that during a given test process two devices, which were to interact with one another in a particular sequence and in a language which could be understood and interpreted by the handlers, chose to communicate in a language created by themselves and indecipherable to the handlers. Facebook shut down the program while Google chose to go with it. This experiment in one way represents the danger that was only found in myths, fiction and Sci-fi movies.

AI programs are being designed in an unregulated environment without a clear understanding of how, when and why each program could individually or collectively contribute to a runaway uncontrolled progress of AI devices to reprogram themselves into superior AI devices than envisaged by their creators. The process is made easier since AI programs could target the internet, where such advances are regularly aired in scientific forums or workshops such as this, and openly or clandestinely tap into programs and protocols which will enhance their capability with or without the handler’s permission, in ignorance or intentionally.

I anticipate that a point of inflection will be arrived at when AI will not require human interference or assistance to develop more AI programs to either increase its own creativity or degrade human reasoning by psychological and virtual influencing.

Unsupervised learning, exaggerated response to perceived threats or flags, complex algorithms outpacing human understanding are issues that have cropped up in the recent past in areas where AI has been interjected at a fast pace. These areas include Stock Exchanges, Missile response troops in the military and airport traffic control systems. When Murphy’s law kicks in the result will be catastrophic as already witnessed in the economic crash of 2008.

This paper is to sensitize all wannabe AI programmers and the corporates which fund AI experiments to further their own bottom lines to step back and reflect on the way forward before the Frankenstein that is being created destroys its creator and everybody else. The AI dictator will not have a natural death. It will view every attempt to corrupt it as an attack by a predator and proceed to eliminate the threat.

As an aside one wonders if Satan influenced Adam to eat the fruit from the Tree of Knowledge rather than from the Tree of Life which would have conferred on man immortality, since he foresaw that Man would eventually end up destroying himself by an unsatiated thirst for knowledge.

Ravichandran

[P.S: This is a guest post from S.N.Ravichandran, Director of Nilgiris Chemical Stoneware Co. (P) Ltd, Coimbatore, and represents his personal views.]

 

 
