The IT Rules, which were notified on February 25, 2021, bring in additional compliance for social media companies with more than 5 million users. It includes an obligation to implement a technical system called “traceability”. This ties the identity of the originator of the message to the message and became effective on May 26, 2021.
This has spurred WhatsApp to go before the high court of Delhi, causing a media maelstrom. This case has obvious implications for the privacy and cybersecurity of about 400 million users. To understand the implications let us start from the first principles of technical and legal impacts of traceability.
Given the likelihood you are a WhatsApp user, you may have seen a conspicuous notice when you open it – your messages are protected by end to end encryption. This is a technology that utilises a technical design called the signal protocol and ensures that your messages cannot be read by WhatsApp during the course of transmission. This helps prevent not only your messages from being accessed by third parties but also guards against a whole range of cyber security risks. Encryption helps keep your conversations private and safe.
It is the contention of the government that enables a whole range of illegality. For instance, disinformation that leads to mob lynching or reprehensible actions such as sharing of non-consensual sexual imagery of women and minors. Officials argue that the solution to this is finding out the identity of persons who first compose such messages and are its originators.
The “traceability” proposal has its proponents. Professor Kamakoti from IIT Madras has argued that it can be implemented with a few simple tweaks. However, Professor Prabhakar from IIT Bombay argues there are risks and a lack of utility in its deployment. He says, “The effectiveness is likely to be limited.”
The problem is that even minor changes in a message, for example capitalisation or a single punctuation, create a completely new data entry, thereby undermining the objective of tracing the originator. For large viral messages that are broadcast thousands of times, this will happen frequently when people forward messages adding their own commentary.
This technical and common sense critique is buttressed by a report from the Internet Society. This report, a work of around 50 experts, points to potential cyber security concerns from implementing traceability. It says once WhatsApp and platforms like Signal and Telegram build in traceability, cybercrimes like impersonation, financial frauds, surveillance and social profiling are likely.
In August of 2017 the Supreme Court of India reaffirmed the fundamental right to privacy and laid down clear principles on how it can legally be limited when there is a justifiable need. A restriction on privacy requires a parliamentary law that has a constitutional purpose and is proportional. It means the least restrictive measure will be implemented and all alternatives which do not harm privacy, or restrict it in the least possible manner, must be explored. This helps maintain the balance between a fundamental right and a reasonable restriction, where individual liberty is safeguarded.
However, as explained above, due to technical risks, traceability is more of an overly broad measure. As the Internet Society warns: “Service providers would be forced to access the contents of users’ communications, greatly diminishing the security and privacy of a system for all users and putting national security at greater risk.” Viewed in this perspective, the HC petition by WhatsApp does articulate a goal which is supportive of the right to privacy.
While last weekend some news reports indicated WhatsApp won’t downgrade services for users who do agree to this change, most users have already been pretty much coerced to click, “I agree.” In its challenge the Union government has correctly objected to this privacy change by WhatsApp that did allow for user consent.
These court battles are important. And, for close to 740 million Indian internet subscribers, it is important they understand that neither WhatsApp nor the government is completely supportive of their fundamental right to privacy. We must expect less from WhatsApp than our government. WhatsApp is a technology business. Our government, though, has the primary responsibility of protecting our constitutional rights.
What is the solution? A regulatory framework that is deliberated in the public domain and Parliament. One that identifies clear harms and creates solutions understanding the technical aspects and impacts on privacy. However, in the interim what looks most likely is that the duty of protecting our privacy will fall to our constitutional courts.
Apar Gupta is a lawyer and executive director of Internet Freedom Foundation. Views are personal.