Tracing the origin of messages is difficult. A solution that doesn’t completely denude user privacy must be worked out
On February 25, 2021, the government of India unveiled the much awaited Intermediaries Guideline and Digital Media Ethics Code. The guidelines issued by the Ministry of Electronics & Information Technology (MEITY) also designated ‘Significant Social Media Intermediaries’ (SSME) which stood to lose protection from civil lawsuits and criminal prosecution if they did not adhere to the guidelines laid down.
Though WhatsApp is not the only party to challenge the guideline in court as the government’s action has sparked intense criticism from the time the said guidelines were notified, it is still the largest entity to sue the government on this count.
The new guidelines were required for quite a long time as many of the social media intermediaries were often seen to push their own positions often against the government’s requests based on existing laws. The extent to which the medium of internet was misused for fomenting trouble and thus disturbing public order needed some extra efforts from the side of the intermediaries.
So while these guidelines required the appointment of resident grievance officers, nodal officers and compliance officers located in India (Facebook, Instagram and Twitter have still not complied with this) or address a grievance within 36 hours , the bone of contention is the guideline which directs social media intermediaries to identify the ‘first originator of information’ when the authorities demand it.
This rule effectively requires WhatsApp to only trace the origin in case there is credible accusation, but WhatsApp has stated that in practice it is impossible to do as the messages are end-to-end encrypted, with the only alternative being to remove all encryption as they obviously cannot anticipate what the government would want, and by doing so encroach on the privacy of all 400 million odd users.
WhatsApp has referred to the three pillars set down by the Supreme Court in the Puttaswamy judgment — legality, necessity and proportionality. WhatsApp has argued that the law fails on all three counts starting with the lack of parliamentary backing.
Given that Section 79 of the Information Technology Amendment Act (IT Act) that provides immunity to social media intermediaries and has been extensively tested post the Baazee.Com case is at odds with the guidelines, is reason enough for the unconstitutionality of the same.
WhatsApp’s arguments regarding proportionality as the process of tracing and filtering messages would effectively put a stop to end-to-end encryption in India cannot be ignored.
Practically speaking, the only way that this can be achieved is through collecting and storing the billions of messages exchanged on the platform and marking each message with an electronic fingerprint, in order to ensure compliance as there is no way that the company can anticipate the exact requirement of the law enforcement agencies in advance.
This cannot be done with end-to-end encryption which basically is aimed at masking the sender of the message and ensuring that no third party can access those messages.
Also, what the IT Act had envisaged was a scenario where the law-enforcement agencies would request information about a known user’s account. But tracing the origin of a message requires an inverse approach where a piece of message has to be traced to the original sender which would require going through multiple message chains.
While privacy concerns behind such a move is paramount, there is an added risk that comes with creating back-doors allowing the company to breach the encryption. That is the risk of illegal access.
A back-door will not just be available for the platform as it would create the path that would allow hackers access to billions of chats, photos, locational information and even financial data, given that WhatsApp Business allows users to transact directly over the platform through UPI.
In effect, if implemented, we would not just be looking at the largest mass surveillance exercise globally but also the nightmarish scenario which could see this data fall into the hands of hacker groups with catastrophic consequences.
Having said that, we have to understand the logic behind the government’s decision to include the clause on traceability. The fact is that the law enforcement is well aware of fake news, child sex abuse material, pornography and cybercrimes like hate-mongering which are being pushed through the instant messaging platforms, but it cannot take action against those who just chose to forward messages or links.
The only way that such menace can be effectively addressed is by getting clarity on attribution, hence the need for traceability. But then again, the solution cannot be creating a mass surveillance state. This would be akin to bringing a canon to a sword-fight. What the government needs to do is work with the platforms towards creating a mechanism that could adequately address the problem at hand through a mix of machine learning algorithms and AI without completely denuding the citizen’s right to privacy.
The government has instead chosen to go to war with the global tech giants. In a surprise move, the government instead of responding to the court notice, chose to put out a press release which was belligerent and uncompromising. The notice raised the completely separate issue of the new privacy clause and stated categorically that it did not matter how WhatsApp decided to trace the origin of a message but it could not refuse to do so as it was now the law of the land.
Well, as of now, the only way to do so is to universally break the end-to-end encryption and the government is well aware of that however much it wants to hide behind the cloak of legality and position. The move is sending all the wrong signals and is bad optics on the global stage much like the ill-thought-out police visit to the offices of Twitter.
WhatsApp should have filed this case much earlier and not waited till the last date, but that does not mean that it cannot take the constitutionally available legal challenge. It is perhaps time to be more accommodative and factor the practicality of the situation with respect to technology and implementation. Social media platforms are here to stay and working together to negate the inherent problems would be the way forward.
The writer is a commentator on cyber policy issues and former country head of General Dynamics