The outcome of the ongoing litigation (WhatsApp LLC v. Union of India) between the Government of India and internet intermediaries could change the way we use the Internet. In this article, the authors have made an attempt to analyse the troublesome rules under the Intermediary Guidelines 2021 and elaborate upon the significance of encryption.
The Quandary of Intermediary Guidelines 2021
In February 2021, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“Intermediaries Guidelines”) were notified by the Ministry of Electronics and Information Technology (MeitY) under Section 87 of the Information Technology Act, 2000 (“IT Act”). The Intermediaries Guidelines, 2021 were introduced to “substantially empower the ordinary users of digital platforms to seek redressal for their grievances and command accountability in case of infringement of their rights” and were in supersession of the Information Technology Rules, 2011. The Guidelines were introduced to supposedly fight fake news, curb terrorism and protect women from progression of sexual offences online, and have been cited by the government as “progressive, liberal and contemporaneous”.
Under Rule 4 of the Intermediaries Guidelines, 2021, significant social media intermediaries (“SSMIs”) were required to observe additional due diligence within three months of notification of the Intermediaries Guidelines. Following the deadline, WhatsApp and Facebook moved to the Delhi High Court challenging the “traceability” requirement under Rule 4(2) of the Intermediaries Guidelines, 2021, alleging that the requirement is fundamentally violative of people’s right to privacy and free speech.
The traceability requirement under Rule 4(2) of the Intermediary Guidelines requires an SSMI providing service primarily in the nature of messaging to enable the identification of the “first originator” of the information on its computer resource. Moreover, in case the first originator is located outside India, the first originator of that information within India shall be considered to be the first originator of the information for the purpose of the Rule. This requirement could adversely affect intermediaries like WhatsApp, Signal, Telegram, etc., who provide personal communication services over the internet. These communications are end-to-end encrypted i.e. no third party (even the service provider) can access the information which is transmitted through the platform.
WhatsApp has contended that the traceability requirement would obligate it and other intermediaries to break end-to-end encryption as there would be “no way to predict which message will be the subject of such a tracing order”, thereby forcing them to build the ability to identify the first originator for every message sent in India on its platform upon request by the government forever. Such a requirement would ultimately put an end to end-to-end encryption and break the privacy principles underlying such messaging platforms, thereby making them highly susceptible to abuse. Citing the three-pronged test of legality, necessity and proportionality set down in the Puttaswamy judgment, the platform has contended that imposing the traceability requirement would compromise the fundamental right to privacy of the users. It has also been contended that the requirement would cause a chilling effect on the lawful speech of users of the messaging platform and prevent them from using their fundamental right to speech effectively. It has also been contended that the traceability provision is ultra vires its parent statutory provision, Section 79 of the IT Act, 2000.
Government personnel have dismissed the claims made by WhatsApp and have reasserted that the government respects the privacy of the citizens. Further, the objective of the Intermediary Guidelines is to find the originator of the message that led to the commission of specific crimes mentioned in the Rules. In November 2021, the government released FAQs on the IT Guidelines to “bring clarity” and “to explain the nuances of the due diligence to be followed by intermediaries”. The document also makes it clear that it is not a legal document and does not replace, amend or alter the Intermediary Guidelines in any manner. The document claims that there are adequate safeguards in regard to Rule 4(2) to protect the privacy of individuals. However, the Internet Freedom Foundation (IFF) has dismissed various claims made in the document as false. According to IFF, the safeguards listed are inadequate to ensure the privacy of the users. The IFF has clarified that since the Intermediary Guidelines do not mandate encryption, the intermediaries enjoy the authority to trace the first originator of information even in the absence of appropriate directions, thereby overall weakening encryption and compromising the privacy of the users.
In a plea moved by Advocate Uday Bedi, challenging Rules 3 and 4 of the Intermediary Guidelines, it is stated that it would not be possible for the intermediaries to trace the first originator of the information “without decrypting all information that is stored, published, hosted or transmitted through such SSMI”. Defending the legality of the traceability provision, the government has stated that it expects platforms to use a mechanism to protect encryption and ensure the privacy of the users. Moreover, it has also said that it is the duty of the intermediaries to modify the existing architecture according to the evolving laws.
Vitalising Encryption: The Need and The Significance
The right to privacy has been recognised as a quintessential right in international instruments and in domestic legislation as well. Internationally, conventions like the International Covenant on Civil and Political Rights (ICCPR), under Article 17, encompass the right to protection against ‘arbitrary and/or unlawful interference with the privacy of an individual’. Privacy herein can be interpreted to include private communications on encrypted platforms, thereby making encryption crucial for online security.
In the landmark case of K.S. Puttaswamy v. Union of India (Puttaswamy case), the Supreme Court of India recognised that the right to privacy is envisaged under Article 21 of the Constitution, encompassing within it informational and communicational privacy. Furthermore, it also laid down the three-pronged test of legitimacy, legality and proportionality for dealing with interference with the right to privacy of an individual by different means. Encryption also becomes pertinent as a tool to safeguard the right to freedom of speech and expression. Traceability is detrimental for journalists who, under the garb of anonymity, are able to work and report in sensitive areas, where they might face prosecution and death threats.
The Supreme Court has, however, on the issue of encryption wavered between ensuring the right to privacy of an individual and protecting the sovereignty of the state and the dignity of individuals (See, Facebook Inc v. Union of India, 2019). What the court wants to ensure, and would also want to entail in its decision, would be a liberal communitarian model. Balancing the competing interests of national security and individual privacy is a herculean task; however, the test laid down in Puttaswamy is a fitting framework to go about it.
However, this is not the first time that the Indian Government has had a regressive stance towards encryption. In 2008, in the aftermath of the Mumbai attacks, the government had sought lawful and real-time access to BlackBerry’s services. After over two years of pushback, BlackBerry ceded and gave special access to its BlackBerry Messenger and BlackBerry Internet Service email to the Indian Government. In 2015, the government released a draft National Encryption Policy (NEP) under Section 84 of the Information Technology Act, 2000 to prescribe encryption algorithms, key size and digital signatures from time to time. The policy also proposed to make it mandatory for the users to store encrypted messages sent or received by them in plain text form for 90 days. The policy was subsequently withdrawn after facing backlash from cyber-law activists and experts due to impractical and ambiguous clauses. The rules have also been challenged on the grounds of being violative of Article 19(1)(g) of the Constitution (See, Praveen Arimbrathodiyil v. Union of India).
In 2020, along with Japan, India issued a statement together with the Five Eyes intelligence alliance countries to urge tech companies to include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can gain access to data in a readable and usable format. Governments around the globe justify obtaining backdoors to encryption in the name of combating terrorism, child protection, and national security. Although weakening encryption might seem like a convenient method to protect the national interest, there is a grave trade-off on privacy and other fundamental freedoms of the citizens. It will be interesting to see how the Court strikes a balance in formulating a framework between legitimate security concerns and fundamental individual rights.
Authored By: Garima Saxena & Rishav Devrani, Students at Rajiv Gandhi National University of Law, Patiala