WHATSAPP VS. U.O.I : WHY TRACEABILITY AND ENCRYPTION CANNOT CO-EXIST?
Author: Swetalika Das, V year of B.A.,LL.B.(Hons.) from Amity University, Kolkata
On 25th February 2021 new IT rules were enacted to create a self-regulatory framework for online platforms. The new rules have come with the concept of traceability which requires the intermediaries to enable “identification of the first originator of the information”. The same has been challenged by Whatsapp LLC, the challenge brings some key issues to light such as “whether traceability and encryption can coexist”.
Whatsapp’s end-to-end encryption
End-to-end encryption is defined as communication between the sender and the recipient that remains encrypted, which means, no third party or Whatsapp can access the communication. Here, the third party means any organization except the sender and the recipient.
Now the question arises, Why only the sender and the recipient can access the message?
It is because the messages from the sender get secured with locks, whose keys are with the recipient and only the recipient can read the messages. All this happens automatically and there’s no switch off key. The status of an encrypted chat cannot be changed without the knowledge of the user. The concept of encryption is introduced in order to secure the private information of users and to create a space for users to freely communicate.
What is traceability according to the New IT rules, 2021?
The introduction of “traceability” in IT rules, 2021 requires the intermediaries or the messaging services to enable identification of the first originator of the information on their platform. This is required in the case of offenses that would harm the integrity and sovereignty of the country. For this purpose, a chief compliance officer would be appointed and that person will be responsible for matters regarding traceability.
Analysis of Whatsapp’s writ petition against the Union of India
On 25th May 2021, Whatsapp LLC challenged the new IT rules on traceability (Rule 4(2) of the IT rules) by filing a writ petition. Whatsapp claimed that the commencement of traceability will break end-to-end encryption and privacy principles, which in consequence, will infringe on the fundamental rights to privacy and free speech of the millions of users using Whatsapp, whereas, the Government claims that there can be compatibility between traceability and encryption because it would ask for the information only in case of some serious offenses that can affect the public interest or national security. However, Whatsapp has argued that the application of end-to-end encryption is in such a way that it cannot be accessible by a third party except the sender and the receiver and there are no such settings to alter the changes. Therefore, there is no compatibility between traceability and encryption.
The impugned Rule 4(2)
The rule states that the social media intermediaries shall enable the identification of the first originator of the information which may be required by a Judicial order or order passed under Section 69 of Information Technology (Procedure and Safeguards for interception, monitoring, and decryption of information) Rules, 2009. It has strictly mentioned that the order can only be passed for specific purposes such as in cases of serious offenses.
Further, the rule has provided that no order shall be passed regarding any other information of the first originator and cannot be passed if there are “less intrusive means”. Also, it has further mentioned that if in case the first originator is not based in India, then the first originator of that information in India would be considered the main originator of that information.
What are the legal concerns raised over traceability?
I. No comments on the right to privacy
The Rule doesn’t state how traceability would protect the right to privacy of users.
2. No clarification in relation to Judicial review
The traceability provision states that the order may require passing either a Judicial order or an order under Section 69 of the Act. The word “either or or” creates confusion regarding the necessity of Judicial review. If the rule enables one to identify the first originator without any judicial oversight then there will be “no guarantee against state arbitrary actions”. It is important to obtain prior Judicial approval before any invasion in privacy of users to avoid any misuse of authority.
3. Lack of proportionality requirement
The new rule seems to be dangerous and disproportionate as it doesn’t impose a time limit which means invasion is not limited to any place or time.
4. Insignificance of “less intrusive means”
The rule mentions that no order shall be passed in case of less intrusive means to identify the first originator. Apart from the word “less intrusive means” there is no definition or explanation regarding the same which makes it insignificant.
5. The Rule ultra vires Section 69A and 79
The provision of enabling the identification of the first originators on end-to-end messaging services travels beyond the legal provisions of Section 69A and Section 79, thus, is ultra vires, Section 69A and 79.
The imposition of Rule 4(2) is neither a procedure nor a safeguard to carry out a blocking order under section 69A. Also, there is no relation between encryption and the removal of unlawful content. Even Section 79 which states about the intermediary liabilities doesn’t confer about traceability. The section has a clear policy declaration where the Parliament has the authority to impose such requirements. However, there is nowhere mentioned that the parliament has declared such policies at the expense of breaking encryption. Therefore, Rule 4(2) is ultra vires its parent statutes.
There is no doubt that the new rules have the intention to protect the sovereignty and integrity of the Nation but the same has become a matter of criticism due to some unchecked loopholes in the provision. Traceability and encryption are two opposite things that cannot co-exist together and by analyzing the above facts, it can be seen “How important end-to-end encryption is for the privacy of millions of users”. Therefore, there is a need for reconsideration of the aforesaid provision.