The Human DNA Profiling Bill which the Narendra Modi government wants to pass in the current session of Parliament is one of the most intrusive enactments of its kind anywhere in the world, a measure that will render obsolete the national debate on privacy before it has even begun.
Drafted by the Department of Biotechnology (DBT) in the Ministry of Science & Technology, the Bill’s pithy title belies the ambitious, even disturbing, goals that its text envisions. To be sure, that it was drafted at the outset to expedite civil and criminal disputes where possible, to help identify the unclaimed dead, and to track down missing persons is a benign, even desirable, intention to have. Where it fails is in situating this agenda in an accountable and secure framework of rules.
Once passed, the law will set up a national DNA database, a DNA Profiling Board and a mechanism for the use of DNA profiles to resolve criminal and civil disputes with few safeguards to guard against the abuse of this information.
For example, in the Bill, a version of which The Wire was able to access, the Board gives itself wide-ranging discretionary powers about whose name gets into the database (sometimes without consent), who gets to access the DNA profiles, what the database could be used for (“population” studies), and who watches the watchers (in a word, nobody) – readying a potent cocktail of abuse.
The Bill is set to be tabled in the monsoon session of Parliament, which began on July 21. But that could be too soon given the scope and seriousness of the issues the draft raises. The proposed laws’ failures broadly have four facets – reliability, costs, privacy and accountability – and if passed in its current form could gravely jeopardise the integrity of sensitive biological information as well as poison the criminal justice system with a false conviction of judicial infallibility. In the absence of a reason to expedite its passing, the draft Bill could instead be referred to a Parliamentary Standing Committee before it’s tabled.
DNA profiling
After human fingerprints were pressed into the service of criminal investigations in 1892, DNA profiles have been the only other biological marker discovered by scientists to be unique to each individual. Since fingerprints at a crime scene can be easily obfuscated, or not left behind at all, and it is almost impossible for a criminal to not leave behind a clue bearing his or her DNA, DNA profiling has assumed great importance in modern forensic science.
Every cell of the body contains a copy of the DNA molecule, a total of three billion base pairs of smaller molecules called nucleotides neatly arranged into structures called chromosomes. Consider this a giant word with three billion letters. Some 99.9% of those letters are identical for every individual – but that 0.01% difference amounts to three million letters that are arranged in a different configuration. Among them, there are parts that contain a short combination of letters repeated a few times. These are called short tandem repeats (STRs), and the frequency of their repetition differs from person to person so much so that no two (known) people have the same DNA overall – unless they’re identical twins or closely related. Identifying this difference forms the basis of DNA profiling, also known as DNA fingerprinting.
The idea of the Bill was first mooted by the DBT in 2003, during the National Democratic Alliance government of Atal Bihari Vajpayee. In 2007, the DNA Profiling Advisory Committee, which had been put together by the DBT, developed the Human DNA Profiling Bill 2007 that has seen changes between 2007 and 2012. In January 2013, a committee of experts was formed to scrutinise the 2012 draft: J. Gowrishankar, Director, CDFD; R.K. Gupta, adviser (C&I), Planning Commission; Jacob P. Koshy, science writer, Mint; Kamal Kumar, retd. IPS, retd. DGP of Hyderabad; C. Muralikrishna Kumar, senior adviser (ICT), Planning Commission; Usha Ramanathan, researcher and advocate; T.S. Rao, adviser, DBT; N. Madhusudan Reddy, staff scientist, CDFD; Raghbir Singh, fmr. Secy., Ministry of Law; Alka Sharma, Director, DBT.
Till late 2014, the committee continued to deliberate and make changes to the draft Bill. Then, it was circulated within the Ministry of Science & Technology for comments, which were then incorporated in the draft.
By January 2015, the revised document had wound its way to the Legislative Department of the Ministry of Law & Justice. According to DBT Secretary K. VijayRaghavan, the department has now finished drafting the Bill and “processed it further for the necessary approval”.
In the same period, 2003-2015, the Central and various state governments have toyed with the idea of collecting and storing DNA profiles. Notably, the Tamil Nadu government sought to amend the Prisoners Identification Act 1920 intending to set up a database of prisoners’ profiles. In 2012, the Uttar Pradesh government made it mandatory for the DNA profiles of dead persons to be saved along with the postmortem.
Although the draft Bill banks on an amendment to the Criminal Procedure Code made in 2005 – to allow DNA evidence to be admissible in a court – its principal and most problematic feature is the central repository it envisages of DNA profiles belonging to crime suspects, criminal offenders, missing persons, unknown deceased persons, and volunteers.
Its contents and operation will be managed by a DNA Profiling Board and a Databank Manager that the Board will appoint, who altogether have too many discretionary powers that drag the credible parts of the document down. These parts include useful mechanisms such as for post-conviction DNA-testing (where a conviction can be overturned by allowing the defendant to appeal for a DNA test).
Overall, the draft Bill has four major flaws:
- Reliability of DNA profiling
- Visible and hidden costs
- Privacy and anonymisation
- Power and sunset clauses
I. Reliability of DNA profiling
What are the chances you’ll be killed in an airline accident? There is a number ascribed to this high-cost enterprise, and it is calculated using statistics because it’s hard to estimate how the failure of one of thousands of the components constituting it will or won’t precipitate the failure of the overall entity. So, the chances that you’ll be killed in an airline accident are 1 in 4.7 million. That means if 4.7 million flights are undertaken, one of them will result in a fatal accident, right? Not exactly, because the chances of an accident could be significantly increased if certain components of an aircraft fail, and engineers are not aware of all such precipitant failures.
Analysing the DNA of an individual to look for clues about her/his identity is subject to similar stochastic caveats. This is because, despite the many unique properties of the DNA molecules in our bodies, our ability to preclude errors in indexing them isn’t perfect. The implication is that DNA profiling throws up fewer errors when validating or invalidating less systematic proof, but there are errors nonetheless that a law – and definitely a court interpreting that law – must be aware of.
Moreover, the proofs are also dependent on how rarely or often the STRs have been observed in the past. Estimates of their rarity are based on studying some preset locations on the DNA: the CODIS database of DNA profiles in the US looks at 13 locations, the NDNAD in the UK looks at 10, whereas Interpol analyses look at 12. The CDFD (Centre for DNA Fingerprinting and Diagnostics) – the nodal agency for DNA analysis in the country – plans to look at 17, according to Dr. J. Gowrishankar, its director. These locations were determined to be important in the early days of DNA forensics, and according to lawyers in the US and UK are overdue for a reexamination.
The Human DNA Profiling Bill, on the other hand, is dismissive of this aspect of the technique it is centred on, with its January 2015 draft saying in its introduction that DNA profiling can distinguish between any two people “without a doubt”. The words give the impression that the experts involved in drafting it have no reason to believe that DNA profiles could ever be fallacious. In fact, conspicuously missing from the document are the statistical procedures (performed on DNA information) that will be admissible as evidence in a court of law.
Speaking to The Wire, Gowrishankar clarified that the three words “without a doubt” had been removed from the draft Bill in a later iteration – but only because the Bill would be tabled without that part in Parliament. However, he also added that he would be able to defend the infallibility of the technique.
In 2009, New Scientist reported the case of Charles Richard Smith. Smith was convicted of a sexual assault on Mary Jackson (not her real name) in Sacramento, California, which took place in January 2006. Jackson was sitting in a parking lot when a stranger jumped into her truck and made her drive to a remote location before forcing her to perform oral sex on him. When police arrested Smith and took a swab of cells from his penis, they found a second person’s DNA mixed with his own.
Mark Henderson’s 2012 book The Geek Manifesto: Why Science Matters elaborates on what happened during Smith’s trial (p. 158):
… a forensic scientist testified that the chances that the sample did not come from Jackson were just 1 in 95,000. Smith was convicted and jailed for 25 years. Genetic evidence, however, can be analysed in multiple ways. The analyst who provided the 1 in 95,000 number was convinced that he saw reliable ‘peaks’, indicating matches, at most of the 13 places in the genome where American forensic scientists compare DNA. His supervisor, whose evidence was also presented, thought fewer of these matches were reliable, and so put the probability that the DNA wasn’t Jackson’s at 1 in 47. A subsequent review of the case used a different technique, based on a computer algorithm, to compare the likelihood of the different interpretations of the evidence advanced by the prosecution and the defence. This suggested that this pattern of evidence was only twice as likely if the DNA was Jackson’s than if it belonged to someone else.
This isn’t to say that a reliable estimate can never be arrived at, but only that the draft Bill does not have the commensurate depth required to identify and tackle the sort of statistically motivated mistakes in DNA profiling. In fact, it also abdicates itself from specifying any best practices for the collection, storage and analysis of DNA samples – while in countries like the UK and USA, a more matured approach to DNA profiling has been instituted through laws like the DNA Identification Act 1994 (USA), the Criminal Justice and Public Order Act 1994 (UK) and the DNA Identification Act 1998 (Canada).
According to Gowrishankar, “The Bill has been drafted keeping the future in mind, so we have not included the different ways in which the information can be analysed. We want to keep our options open,” and that it was up to the defence attorneys to refute findings.
The upper hand that DNA profiling claims in being able to identify a person is bifurcated: it simultaneously relies on being similar to one set of data and being dissimilar to another. And how much a profile is closer to one and farther from the other can be interpreted in many ways – all of them reliant on a control group, a reference point based on which the analyst can say how much similarity and dissimilarity a profile exhibits. This control group is defined by a sub-database that contains the DNA profiles of volunteers. Gowrishankar said that the significance of each match (or mismatch) will be determined relative to how unique the ‘letters’ in the profiles are. As a result, the size of the volunteers’ database plays a critical role in determining the outcome of cases.
In 2007, the noted legal experts Michael Saks and James Koehler presented a problem called the individualisation fallacy that arises when examiners confuse infrequency with uniqueness – a flaw that can be eliminated (to a certain extent) only by enlarging the control, i.e. volunteers’, database. For example, if an anomalous pattern in the DNA of a person has a one-in-a-quintillion chance of occurring (based on its frequency of occurrence among the volunteers), the examiner will assert that given the population of all the people on Earth only that person’s DNA has that pattern (absolute uniqueness). However, the examiner assumes wrongly that he/she is aware of all the sources of that anomaly in human genetics (relative uniqueness). A similar mix-up between the two kinds of uniqueness results in the prosecutor’s fallacy exemplified in the infamous Sally Clark case of 1999.
Another issue that worsens reliability of results is that the draft bill doesn’t explicitly ask to regularly check if any samples have been contaminated, even if it goes to some length to talk about what will happen to those who are found damaging samples in any way. How credible those sanctions are is a different matter. In at least one high-profile human rights case, the murder of five Kashmiri civilians at Pathribal in 2000, DNA samples were tampered with in an attempt to absolve the security forces of the charge of murder. The police officer who orchestrated the tampering was never punished.
II. Visible and hidden costs
The CDFD charges Rs.5,000 for each blood sample or person and Rs.10,000 for each “forensic exhibit” – such as an item of clothing from a crime scene – and an additional 12.36% as service charge levied by the Government of India. Though the draft Bill proposes including the profiles of only those under the scanner of the criminal justice system, data from the National Crime Records Bureau shows that over 32.7 lakh people were arrested in 2012 alone on criminal charges (proven and unproven) And while Gowrishankar said the official estimates were Rs.5 crore a year for keeping the database updated, acquiring the DNA profiles alone would cost more than Rs.1,800 crore.
The number of 32.7 lakh (even if only for reference) is too bloated for the database’s purposes because it also includes persons accused of minor crimes. Even if the size of the database has to be as big as possible to minimise the effects of the individualisation fallacy, its size becomes meaningless after a point, as the British government discovered in 2008. In that year, the number of profiles on the NDNAD jumped from 1.9 million to 4.1 million but the number of cases solved by the use of DNA profiles fell by 2,632 to 17,614. This was because the 2.2 million profiles were almost entirely of people who hadn’t been charged with any offences, making their DNA profiles irrelevant when it came to comparing those picked up from crime scenes. Similarly, the draft Bill would do well to include only the profiles of those charged with serious criminal offences – comparisons would be more efficient and costs would be lower.
Next, according to GeneWatch UK: “In 2010, putting someone’s DNA profile on the database in England and Wales was estimated to cost £30 to £40 and storing one person’s DNA sample was estimated to cost £1 a year.” The CDFD analysis rates are comparable to these numbers – so it must be noted that the capital costs of setting up the database in the UK was £300 million (Rs.3,000 crore approx.). Third, there is the operational cost – to maintain the communication and security infrastructure, and ensure it is compatible with indices like the CODIS. In fact, in September 2014, the FBI and the CDFD signed an agreement to install an instance of CODIS in CDFD’s Hyderabad office and train the personnel there. However, Gowrishankar said all of this would warrant only Rs.20 crore.
None of these expenses are mentioned in the draft Bill.
III. Privacy and anonymisation
A person’s DNA profile contains similar information as a person’s password – however, it is more visceral. In the mammoth spatial configuration of the DNA’s atoms is encoded many of our characteristics and personal tendencies – including colour, race, behavioural features and susceptibility to some diseases. However, the few of the three million positions that the CODIS, NDNAD or the CDFD will be looking at are considered “neutral” – they don’t codify any of our features that might give our identities away, so it’s safe to store them without being anxious about what the government is finding out about us. That’s what Gowrishankar says, too, and that only information of those 17 positions that the CDFD will consider will be stored in the database.
However, this information is missing in the draft Bill, giving the impression that non-neutral information from people’s DNA profiles will be stored as well – and sans any safeguards beyond the Bill itself, like the USA has the Genetic Information Nondiscrimination Act 2008. Gowrishankar said that the Bill omitted this detail because some advancement in the future could require analysing more than 17 neutral positions, or fewer, or others altogether, and that if the Bill had been specific to that extent, it would have to be modified over and over again to keep up with the times. Be that as it may, the draft Bill in its current form neither withholds the database from holding distinctly personal information nor does it acknowledge that possibility.
In that context, the information should be accorded the same rights that information on the Internet, or anywhere else, is if not more. First, a person should be able to appeal the inclusion of her DNA profile in the database – although Gowrishankar insisted no profile could mistakenly enter the database as it would require either a court order or an expression of consent to get there. Second, the person should be able to access her/his own DNA profile whenever the need arises through appropriate legal channels – which he said wouldn’t be possible at all. Third, the person whose profile is under scrutiny should be able to know how the information contained is being used and why, and to ascertain its deletion when due. These three rights are missing in the draft bill.
Moreover, in a separate note, the committee says,
The Expert Committee also discussed and emphasised that the Privacy Bill is being piloted separately by the Government. That Bill will override all the other provisions on privacy issues in the DNA Bill.
But even as the draft DNA-profiling bill seeks to deflect the responsibility of securing privacy to the Privacy Bill, a Report of the Group of Experts on Privacy, Chaired by Justice A.P. Shah (former Chief Justice of the Delhi High Court), explicitly set out the missing privacy and security provisions in October 2012, and a majority of them remain unresolved or unaddressed. By neglecting them, the CDFD and the DNA Profiling Board run the risk of turning themselves opaque and, for all practical purposes, unaccountable. For example, the draft Bill does not:
- Provide a notice that DNA samples were collected from so-so areas of the body
- Inform anybody – particularly the individual – if and when her/his DNA is contaminated, misplaced or stolen
- Inform a person if a case involving her/his DNA is pending, ongoing or closed
- Inform the people when there are changes in how their DNA is going to be accessed, or if the way their DNA is being stored or used is changed
- Distinguish between when DNA can be collected with consent and when it can’t
- Say how volunteers can contribute their DNA to the database even though the draft Bill has a provision for voluntary submissions
- Provide any explicit guarantee that the collected DNA won’t be used for anything other than circumstances specified in the Bill
- Specify when doctors or the police can or can’t access DNA profiles
Without these protections, the DNA profiles could be collected for one purpose but end up being used for something else. Consider #7 – the draft Bill doesn’t aspire to be self-contained and leaves itself open to expanding in the future. At one point (Sec. 31(4)), it spells out the various indices according to which profiles in the database will be stored:
Every DNA Data Bank shall maintain following indices for various categories of data, namely:
(a) a crime scene index;
(b) a suspects’ index;
(c) an offenders’ index;
(d) a missing persons’ index;
(e) unknown deceased persons’ index;
(f) a volunteers’ index; and
(g) such other DNA indices as may be specified by Regulations.
Why bother to specify any of the indices at all if the committee has (g)? And without specifying what regulations those could be and who, apart from the DNA Profiling Board, has the authority to spell them out, the draft Bill signals it could just about bring anyone’s DNA profiles into the database.
Additionally, who will watch the watchmen? The DNA Profiling Board is tasked – rather tasks itself – with determining which DNA profiles enter the database, who gets to access them, and how the database will be organised and maintained, in effect establishing a low quality check over itself. Although Gowrishankar clarified that there would be a Parliamentary check on the Board’s activities and that Parliament would be the ultimate arbiter for all “major” issues arising due to the Bill, there is still a lack of supervision – and potential for abuse – in the day-to-day dispensation of duties. If the Human DNA Profiling bill has to be effective and honest, it must account for the privacy shortcomings described by the Group of Experts.
Another concern is anonymisation – the process through which information contained in DNA profiles can’t be used to retrace the individuals from whom they were acquired. There is no description of a form or application of any kind that the draft Bill expects to be submitted along with the materials containing human DNA. If the Bill expects to use the form currently being used by the CDFD, there is an anomaly: the CDFD form asks for the applicant to mention her caste. Even if the draft Bill doesn’t explicitly mention that the database will have a ‘caste’ column, being able to associate an application form with a sample – and therefore ‘its caste’ – is plausible, especially in the volunteers’ database.
More troublingly, Section 31(6)(a) states that a DNA profile in the database will bear the identity of its source if its source is an offender, and that (b) all other DNA profiles will be relatable with the case reference number. The problem is that the case reference is not anonymised with respect to the people involved in the case.
IV. Power and sunset clauses
The DNA Profiling Board overseeing the implementation of the bill (when enacted) has given itself, and the bill, some conflicting rules and powers that together result in ambiguity about the scope of the bill and its accountability. Some examples:
Conflicts of interest – Section 12(k) states that the board is responsible for “making recommendations for maximising the use of DNA techniques and technologies in administration of justice”. Then, throughout the bill, the board’s powers are also detailed as extending to specifying the rules for how DNA information is collected and secured. Put them together and the board’s essentially saying, “We’ll try to use DNA evidence for as many things as possible, we’ll decide how the information is collected for those purposes, and we’ll decide how we’ll use it.”
Ex post facto implication – Section 13 states that any laboratory that wishes to undertake human DNA-profiling must get prior consent from the board. Then, Section 14(2) allows any DNA laboratory that’s in existence at the time the bill is enacted to perform human DNA profiling without prior approval from the board.
Use of profiles – Section 39(g) states that “Information relating to DNA profiles, DNA samples and records relating thereto shall be made available” to a slew of judicial and executive agencies as well as “for any other purposes, as may be prescribed”. However, those prescriptions have not been detailed in the Bill, and appear to be at the discretion of the DNA Profiling Board. In fact, Section 39(e) states that the profiles, and “samples and records relating thereto”, may be used for creating a “population statistics” database. This is to facilitate population-wide studies of genetic characteristics, and in the absence of perfect anonymisation, could potentially become associated with caste data.
Moreover, Section 35(2), which deals with the communication of DNA profiles to foreign states and institutions, doesn’t limit it to offenders and convicts but, by not discussing it in detail, allows for any profile in the database to be shared. Put this together with an individual’s inability to appeal the inclusion of her/his profile, and anyone’s profile – as long as it has wound its way into the database – can be shared with foreign entities. There are also no restrictions on if the foreign agencies can index the profile in another database.
Legal recourse after three months – Someone who’s been wronged by any of the provisions of the bill can approach a court only if he/she approaches the board first and gives it three months to act on a complaint. In those three months or before that, Section 57(1) of the bill prevents anyone from approaching the courts except the central government or a member of the board itself.
Finally, there’s the absence of a sunset clause – especially when its provisions will expire, and if there is a period after which a DNA profile will be removed from the database. For the latter, the draft Bill specifies that if a person has been acquitted in a case or if the case is set aside, the corresponding profile will be deleted, but nothing is said about the profiles of missing persons who have been identified, volunteers who have died, and other profiles that are likely to be collected at crime scenes. Moreover, no rationale is presented for retaining the profiles of those who are convicted of offences like rape or murder, who end up spending long years or a lifetime in prison. While Gowrishankar asserted that only the DNA profiles of the unidentified dead would be held forever, the draft Bill does not explicitly exclude the rest.
Given the scale of issues with the draft Bill, and its potentially disastrous sidelining of privacy concerns, its scheduled introduction in the monsoon session of the Lok Sabha seems hurried – despite having first been mooted more than a decade ago. Some of the issues may have escaped the drafting committee’s concerns by way of not having received appropriate feedback – such as the issue of hidden costs – but the committee must explain why there is a lack of access to data of the people by the people, why there are no sound anonymisation protocols, and why there are insufficient self-regulation and protection measures.
Download an annotated copy of the Human DNA Profiling Bill draft here (PDF).
Note: This article was edited on July 24, 2015, for clarity, to provide a link to the draft Bill and include references to some of the laws in other countries.