The controversy surrounding the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 seems to have taken a global stage. WhatsApp, a California-based Facebook unit and also the most widely used social messaging platform in India, has filed a legal complaint in Delhi High Court against the Indian government seeking to block the mandatory traceability obligations under these rules, which would otherwise compel them to break privacy protections. While the dispute may prima facie look to be a common one between a corporation and the government, the same is not true. The outcomes of the following case could have huge implications on the future of end-to-end encryption in India and around the world, and consequentially on the overall right to privacy of people. In light of the same, this article aims to analyze the controversial requirement of traceability imposed by the government and the implications it could have on the right to privacy, a fundamental right enshrined by the Constitution of India.
End-to-end encryption is defined as a system of communication where only the communicating users can read the messages being transferred between them. Such encryption is more secure and safer than the previously used standard encryption, where the service provider can decrypt the messages. In simpler terms, every message that is being sent is encrypted using a key and can be decrypted only when that key is used. While in end-to-end encryption, this key is available to only the two users communicating, in standard encryption, this key is also available to the service provider. However, with the massive growth in internet usage and privacy concerns, all major social media and messaging platforms have moved to end-to-end encryption to ensure a more ‘private’ space for their users. It is this commitment to user privacy that brings the entire WhatsApp policy in deep conflict with the traceability requirements.
As per the IT Rules, the traceability requirement mandates the country’s larger social media platforms to develop a solution to enable the tracking of all messages. This would essentially mean affixing a digital fingerprint to each message, enabling the government to trace it back to the “first originator of the information.” This would enable the government to trace a message back to its source regardless of how many accounts forward it.
While the reason behind introducing such stringent requirements has been clarified as ‘curbing of fake news/misinformation, many activists fear that it is a step taken by the government for political crackdowns only. The debate surrounding these allegations has been continuing for a long time with no obvious conclusions. Yet, one thing that has stood out prominently is that the enforcement of the IT rules would be a serious setback to the right to privacy of people.
In Justice K.S Puttaswamy (Retd) v. Union of India, the Supreme Court of India ruled that privacy is a fundamental right under Article 21 of the Indian Constitution and held that privacy is an individual’s choice to disseminate personal information, and it is a part of the right to life. Further, it was held that both State and non-State actors could exploit data and it was the government’s responsibility to enact a strong data protection law. Further, clarifying the absoluteness of this right, the court clarified that privacy must be preserved except in cases where legality, necessity and proportionality all weighed against it.
A look at the present case and the IT Rules requirement herein would be enough to clarify that none of the three exceptions is being justified, let alone all of them, which is the condition for privacy infringement. The entire policy is not only-disproportional but also risks creating a surveillance state that is strictly against the values of the Indian Constitution. Further, while it’s true that the agencies could trace someone who is putting out dangerous misinformation, but at the same time, they shall also have the power to follow how political content flows between individuals or to track activists and political opponents.
The situations relating to the enforcement of such privacy evasive guidelines prevailing in India is not a novel development for the global community. Previously, the controversial laws in Brazil, its second-largest market after India, and other countries such as the United States, Canada, and the UK have also pressured WhatsApp to weaken its encryption. However, the Indian scenario is the maiden instance where traceability requirement has been officially imposed.
Any policy change could affect millions in India, and the ripples could be felt by other end-to-end encryption apps such as Signal and Telegram, who will be forced to comply as well. While the Indian government is levying any penalties in case of non-compliance, it has stated that in case of “illegal information” being transmitted through the platforms, they shall be held liable for it, and repercussion could range from penalties to complete shutdown of operations in the country. While such threats could sound idle, looking at India’s track record of banning the extremely popular TikTok over border skirmishes with China last year, this could very well be the course of action.
The guidelines mandating traceability will compel end-to-end encrypted platforms to alter their architecture which is bound to negatively impact online privacy and security. This is an onerous obligation that severely undermines end-to-end encryption and puts users’ privacy, security, and freedom of expression at risk. While it is difficult to assess the possible outcomes of the lawsuit, it could potentially dictate the kind of communications technology and online safe spaces available to Indians going forward and could set a precedent for what other governments would demand from not just WhatsApp but other secure messaging apps.
In its current state, the guidelines are violative of Article 19 and Article 21 of the Indian Constitution. With the largest democracy in the world under attack, it is only pertinent on the part of the international community to come forward and show solidarity towards preserving of right to privacy. It needs to be emphasized here that if no steps are taken in the present case, it would be equivalent to setting up a disruptive precedent that could lead to authoritarian governments openly encroaching on the rights of their citizens.
Shirish Parashar and Raj Shekhar are 2nd year B.B.A. LL.B. (Hons.) students at the National University of Study and Research in Law, Ranchi.
Suggested citation: Shirish Parashar and Raj Shekhar, WhatsApp and the End-to-End Encryption Saga: Analyzing the Tussle Between Government Guidelines and Right to Privacy, JURIST – Student Commentary, June 25, 2021, https://www.jurist.org/commentary/2021/06/parashar-shekar-whatsapp-encryption-privacy/.
This article was prepared for publication by Giri Aravind, a JURIST staff editor. Please direct any questions or comments to him at commentary@jurist.org