New Delhi: The latest legal battle on privacy and data between the Narendra Modi government and the messaging platform WhatsApp reached Delhi High Court earlier this week.
WhatsApp, owned by Facebook Inc., filed a petition Tuesday challenging Rule 4(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021. The rule requires social media intermediaries with large user bases (denoted as ‘significant’ social media intermediaries) to enable tracing of the originator of information on their platform when required. This is specific to intermediaries that provide messaging services.
While the government has argued that the rule is necessary to prevent misuse of social media and curb fake news, WhatsApp noted that tweaking end-to-end encryption leaves all users “vulnerable” to privacy violations by public and private players, placing journalists, civil rights activists and political activists at risk of retaliation.
End-to-end encryption, which is offered by WhatsApp at present, refers to a system of communication where only the communicating users can read the messages.
And therefore, at the heart of this case is the Right to Privacy and it could prove to be an important test of its application in India.
ThePrint highlights the various contours of this case including the rules, WhatsApp’s inhibitions and the government’s argument.
What the law says
Rule 4(2) of the new IT Rules, which were published on 25 February, requires significant social media intermediaries — those with more than 50 lakh users in India — to enable tracing of the originator of information, if required by a court or a competent authority, under Section 69 of the Information Technology Act, for certain offences.
It clarifies that such an order will not be passed in cases where other less intrusive means are available and that no intermediary will be asked to disclose the content of any electronic message or any other information related to the originator.
Section 69 of the Information Technology Act 2000 empowers the central government, the state government or its authorised officers to direct “interception or monitoring or decryption” of any information through any computer source “if satisfied that it is necessary or expedient to do”.
This is allowed only on specific grounds, including security of the country, public order, preventing incitement to the commission of any cognisable offence relating to public order or even for “investigation of any offence”.
The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, have been issued under this provision to regulate such orders.
Lack of transparency around govt’s interception orders
All authorisation orders issued by the government under Section 69(1) must be reasoned and written. Furthermore, they are scrutinised, at least once every two months, by a review committee set up under the Indian Telegraph Rules, 1951, which comprises of government secretaries in the Centre or the state in question.
However, the lack of transparency around such orders has often been criticised, especially because Right To Information (RTI) applications seeking anonymous statistics about electronic surveillance under Section 69 have been rejected in the past, citing national security and privacy concerns.
Speaking to ThePrint on this lack of transparency, digital rights lawyer Vrinda Bhandari said, “The government does not proactively publish the aggregate statistics of the number of orders issued monthly/annually; nor does it provide any information about the number of review committee meetings held.”
She said, “In addition, RTI applications seeking such aggregate anonymous statistics are denied by the MHA (home ministry) citing national security and privacy concerns. In fact, before the CIC (Central Information Commission), the officials present argued that such information was not maintained by them.”
Bhandari added, “The opacity is compounded by the absence of judicial oversight over interception or decryption orders, thus reducing government accountability over the interception process.”
Similar concerns have also been raised in a petition filed by the Internet Freedom Foundation (IFF), a non-governmental organisation, in the Supreme Court. IFF challenged the constitutional validity of Section 69 as well as the 2009 Rules, in January 2019, and the petition is currently pending.
‘End-to-end encryption protects journalists, activists’: WhatsApp
In its petition filed on 25 May, which was the last day for these social media intermediaries to comply with the new rules, WhatsApp challenged Rule 4(2) on three major grounds.
First, it alleges that the rule violates the fundamental rights to privacy and freedom of speech and expression, guaranteed under Articles 21 and 19 of the Constitution, of the more than 400 million WhatsApp users in India.
Second, it says that the rule travels beyond the scope of the Information Technology Act, by asking WhatsApp to “fundamentally alter” its platform, forcing it to store data for years in the absence of a time limit.
Thirdly, it says that the rule violates Article 14 of the Constitution, calling it “manifestly arbitrary”.
WhatsApp has also defended its end-to-end encryption, noting that it prevents crimes like hacking and identity theft. It has submitted that this protects doctor-client privilege, attorney-client privilege and private conversations on sensitive issues like gender, religion and sexuality.
The messaging app has further claimed that imposing a requirement to enable identification of the first originator of information in India would place journalists “at risk of retaliation for investigating issues that may be unpopular”, and civil or political activists “at risk of retaliation for discussing certain rights and criticizing or advocating for politicians or policies”.
What breaking end-to-end encryption entails
While IT Minister Ravi Shankar Prasad has assured “ordinary users of WhatsApp” that they have “nothing to fear”, in a post on the indigenous social media Koo, WhatsApp’s plea claims that satisfying the requirement of Rule 4(2) would leave all users vulnerable.
This, it states, is because it would require the platform to “build a mechanism that would permit tracing of every communication sent in India on its messaging service, including those who are using the service lawfully, as there is not way to predict which message will be the subject of such an order seeking first originator information”.
As for what breaking end-to-end encryption would entail, Mumbai-based technology lawyer Osho Chhel said, “At this point, we don’t know what this means in terms of the technology.”
He, however, told ThePrint: “When you break end-to-end encryption, you make the entire architecture susceptible to attack not just from the government but also from rogue actors. So the privacy concern arises from potential government overreach as well as threat from rogue actors.”
“If the entire system is being compromised for a few specific offences, the vulnerability will have to be created for and will impact the entire system,” Chhel added.
Traceability question pending in SC
This isn’t the first time the question on traceability of WhatsApp messages has been raised in the court.
The Madras High Court had tried looking into the possibility of tracing WhatsApp messages for improving coordination between law enforcement agencies and social media companies, back in 2019.
However, it was faced with two contradictory stands — one by an IIT Madras professor, who proposed tracing the messages, and an IIT Bombay professor, who highlighted the risks and long-term ineffectiveness of introducing traceability on encrypted platforms.
The Supreme Court transferred this PIL to itself in October 2019, before the Madras High Court could decide the issue. However, WhatsApp’s plea in the Delhi High Court does not mention the pendency of this plea in the top court.
Centre alleges hypocrisy, says plea a move to stall
Meanwhile, following WhatsApp’s petition, the Ministry of Electronics and Information Technology (MeitY) issued a statement Wednesday, defending the rules.
Quoting Prasad, the statement said that while the government is committed to ensure the right to privacy to all its citizens, “it is also the responsibility of the government to maintain law and order and ensure national security”.
It also points out that WhatsApp filed the petition “at the very last moment”, saying that this is “an unfortunate attempt to prevent the same from coming into effect”.
However, Mishi Choudhary, legal director at the Software Freedom Law Centre, a legal services organisation, said that there exists a “trust deficit” with the government.
“The NSO revelations of government spying on activists, the constant meddling in shaping the narrative, the suppression of political dissent and arm-twisting of social media companies, weaponisation of social media by political parties, online harassment have all created a trust deficit that even genuine efforts at regulations raise suspicion,” Choudhary told ThePrint.
Fake news & national security arguments
The arguments justifying this rule are also centred around the need to curb fake news and deal with law and order situations. The IT ministry’s statement relies primarily on these two factors.
Choudhary, however, noted that “we should be provided evidence of how many cases could not be investigated because companies refused to cooperate”.
Chhel, meanwhile, enquired if these rules will not make things worse. “For security concerns, while the aim may be legitimate in several cases to intercept criminal activities, the question is, are you making things worse while trying to address these security concerns, by making the system more vulnerable to such threats?”
As for an alternative, according to Choudhary, “What we need is better cooperation between companies on metadata analysis without breaking encryption. Current language of Rule 4(2) fails to do that and creates a non-transparent structure.”
(Edited by Rachel John)
Why news media is in crisis & How you can fix it
India needs free, fair, non-hyphenated and questioning journalism even more as it faces multiple crises.
But the news media is in a crisis of its own. There have been brutal layoffs and pay-cuts. The best of journalism is shrinking, yielding to crude prime-time spectacle.
ThePrint has the finest young reporters, columnists and editors working for it. Sustaining journalism of this quality needs smart and thinking people like you to pay for it. Whether you live in India or overseas, you can do it here.