BTG Advaya

Regulatory tryst with traceability hits the privacy roadblock

By – Sharanya G Ranga & Suyash Sarvankar

Last week, WhatsApp challenged before the Delhi High Court the traceability requirement imposed by the recently notified Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (Rules). The Rules require all significant social media intermediaries, i.e., messaging/communication platforms having 5 million (or more) registered users in India, to trace the first originator of information when ordered by a court or a government authority under the Information Technology Act (IT Act).

The Rules are in response to the proliferation of fake news, pornography, child sexual imagery and terrorism concerns and empower a court or government agency to pass an order to trace those suspected of serious criminal offences related to the sovereignty and integrity of India, security, rape, sexually explicit material, public order, or incitement to any of these offences. Alas, these grounds can be broadly interpreted and, more often than not, are prone to misuse.

WhatsApp, Skype, Telegram, etc. are platforms where users engage in private communications. Users have a fundamental right to privacy that enables them to read and share opinions and information with their personal and professional contacts without fear of misappropriation, surveillance or undue interference. WhatsApp uses an end-to-end encryption system to protect user privacy, confidentiality and security of messages sent on its platform.

Encryption is the process of converting information into a code to prevent unauthorised access. This process is used by platforms to ensure that all messages sent through the platform are secured end to end (using encryption technology) such that they may be accessed only by the sender and the intended recipient, and no one else. Thanks to the Rules, platforms will now have to do away with the encryption system to enable them to trace the ‘first originator of information’ (FOI) on their platforms when called upon to do so.

Take, for example, a misleading forward on unscientific COVID cures that scaremongers about the efficacy of COVID vaccines. A court or a government department may order WhatsApp under the Rules to trace the FOI of these messages and submit the same to them with the laudable objective of curbing the spread of such fake news and punishing the FOI. However, to identify this FOI, WhatsApp will have to overhaul its secure encrypted platform and move to a less secure decrypted platform for every single message sent in India. To clarify, the concern here is the mandatory adoption of a less secure system that completely disregards user privacy. This system would collect, store and retain an enormous amount of user data for an unspecified period, without the protective shield of encryption. This data remains vulnerable to hacking, data theft, tampering or manipulation and other cyber-crimes. Data of every user must be collected to comply with the traceability requirements, even if she has shown zero inclination to spread fake news or partake in criminal activity; this would invariably infringe upon the privacy of all users.

WhatsApp has challenged the traceability requirement on the grounds that it is ultra vires the IT Act; violates the fundamental rights to privacy and free speech; and is “manifestly arbitrary” and in violation of Article 14 of the Constitution.

In 2017, the Indian Supreme Court unanimously ruled that the Constitution guarantees a fundamental right to privacy and that any restriction on the same has to meet the following 3 criteria: (a) there must be a valid law; (b) the restriction must be necessary to meet a legitimate purpose; and (c) the restriction must be proportionate, i.e., there is a proper balance to be achieved between that purpose and the harm caused by limiting the right.

On the face of it, the Rules do not appear to meet any of the 3 criteria. The Rules have been issued by the Government and not by Parliament. The present IT Act does not include any provision relating to traceability requirements. There is no guarantee against arbitrary state actions as the orders of government authorities seeking details of FOI are not subject to judicial sanction or review. This negates necessity.

The proportionality of the Rules is also suspect. While similar proposals have been mooted in countries such as the US, Australia, New Zealand, etc., till date, no other jurisdiction has mandated traceability on end-to-end encrypted communication for its crime-fighting efforts or for curbing fake news through such blanket and indiscriminate collection/retention of data. Instead, law enforcement agencies rely on available unencrypted information such as user reports, profile photos, and descriptions to detect and prevent crime.

The 2016 FBI-Apple stand-off pitting individual privacy against national security raised similar questions relating to device encryption. The FBI sued Apple to provide backdoor access to assist the FBI in accessing the iPhone of a San Bernardino attack accused (using an old law in an unprecedented manner). While the FBI subsequently withdrew the request as it managed to unlock the phone through a third party, the stand-off brought to the fore the issues that arise when privacy and security are viewed in different silos.

There is no clear-cut formula to address this. The key is to strike a balance by viewing privacy and security not as mutually exclusive ends, but by striving for a harmonious approach.

The Rules may threaten India’s fledgling business-friendly reputation of adhering to due process and rule of law. Now, platforms face a Hobson’s choice. They could comply with the Rules by altering their business model and removing user privacy protections, or risk losing the safe harbour protections accorded to them if they don’t adhere to the “due diligence” requirements that the Rules prescribe. In the immediate short term, all attention shifts to the court and to whether it allows the Rules to stand.
