Enforcing traceability on popular messaging apps will encroach into user privacy
Barely a day before the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 came into force, WhatsApp moved the Delhi High Court against the rules — specifically the one that mandates that a “significant social media intermediary providing services primarily in the nature of messaging shall enable the identification of the first originator of the information on its computer resource as may be required by a judicial order”. Given the specification that a “significant social media intermediary” is one with more than 50 lakh registered users, WhatsApp’s messenger service would clearly be affected. WhatsApp’s contention is that for compliance and traceability, it would have to break its end-to-end encryption service that allows messages to be read only by the sender and the receiver. Its argument is that the encryption feature allows for privacy protections and breaking it would mean a violation of privacy. The question to be asked is whether the traceability guidelines (by breaking encryption) are vital to law enforcement in cases of harmful content. A release by the Ministry of Electronics and IT has said that the traceability measure will be used by law enforcement as the “last resort” and will come by only in specific situations, such as “for the purposes of prevention, detection, investigation, prosecution or punishment of an offence related to the sovereignty and integrity of India… or child sexual abuse material, punishable with imprisonment….” The assertion suggests that this requirement is in line with the Puttaswamy judgment that clarified that any restriction to the right of privacy must be necessary, proportionate and include safeguards against abuse.
But the Government, as the law stands now, can already seek access to encrypted data under Section 69(3) of the IT Act, and Rules 17 and 13 of the 2009 Surveillance Rules that require intermediaries to assist with decryption when they have the technical ability to do so and when law enforcement has no other alternative. Besides, it can still seek unencrypted data, metadata and digital trails from intermediaries such as WhatsApp. The trouble with enforcing traceability is that without safeguards such as having any independent or judicial oversight, government agencies could seek any user’s identity on vague grounds and this could compromise the anonymity of whistle-blowers and journalistic sources, who can claim to be acting in the public interest. WhatsApp’s contention that “requiring messaging apps to ‘trace’ chats is the equivalent of asking us to keep a fingerprint of every single message sent… and fundamentally undermines right to privacy” is, therefore, not hyperbole. If anything, the Government needs to revisit its position on traceability commitments of intermediaries and instead revise the IT Act, 2000 in line with existing global best practices besides legislating the long-pending Data Protection Bill.