[By Akshita Singh, a student of National Law University Odisha, Cuttack, and Achyut Tewari, a student of Hidayatullah National Law University, Raipur]
In its quest to bring online intermediaries and digital news platforms within a codified regulatory purview, the government gave a green signal to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (hereinafter “Intermediary Rules”). Provisions for due diligence compliances for social media intermediaries, specifically the significant social intermediaries, amply depict their intent of monitoring the uploaded content.
Challenging the intermediary guidelines on grounds of breach of user privacy, the bone of contention between the government and the tech giant is the specific implementation of Rule 4 (2) of the Intermediary guidelines which requires the latter to trace and unmask the ‘first originator of the message’. The government centred its standpoint around the idea of ensuring public interest and of imposing reasonable restrictions. However, a particular argument that ruffled quite a few feathers was the reference made by the government to international precedents in the regard. In its response to the claims made by WhatsApp, the government cited the communique issued by United Kingdom, United States, Australia, New Zealand and Canada in July 2019 which concluded that “tech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can gain access to data in a readable and usable format”.
In view of such claims, it becomes imperative to analyze the implementation of the contesting knots of such a measure as has been put forth by the intermediary rules especially when India has emerged as the first nation to impose the traceability requirement so far. This brings us to the primary aim of this article, which would be to gauge the feasibility of implementation of the contested rule 4 (2) in India by looking at the international jurisprudence on the topic and interpreting the same in light of the peculiarities and technicalities faced by India.
Cross Jurisdictional Analysis: U.S.A. and U.K.
Several countries have raised their eyebrows at the end-to-end encryption strategy of WhatsApp and have, at some point, manifested their intention of finding a way which could give data access to the government. However, it is also true that, some of these nations have also delved into the possibility and outcomes of allowing “backdoor access” and have consequently not enforced a law as has been done by the Indian government. For a better appreciation of the issues, a peep into the prevailing position in two of the cited countries – U.K. and the U.S.A has been furnished.
To begin with, in the U.K., despite holding frequent discussions with Facebook concerning WhatsApp, the government has not yet issued a “Technical Capability Notice” (hereinafter, “TCN”) which would have compelled Facebook to break its end-to-end encryption. To explain its stance, it gave a two-pronged argument. The first argument was in the form of an acknowledgment wherein the government admitted that there existed no mechanism to get pass end-to-end encryption. Hence, in light of the technological limitation, looking for a law which would enable backdoor access was impractical. In the second limb of the argument, the government dwelled into the idea of how even if one were to circumvent end-to-end encryption, for it to be successful, it ought to be implemented globally. Therefore, it was concluded that an isolated attempt by the U.K. would not reap any results unless an understanding is reached within a few nations, to say the least.
In similar vein, the U.S.A government had also considered weakening Apple Inc.’s (hereinafter, “Apple”) encryption to allow access to the FBI in a case in 2016. In fact, the Court had asked Apple to provide “reasonable technical assistance” to the FBI. Claiming the order as chilling, Tim Cook, the Apple Chief Executive, elaborated upon the dangerous implications that such orders posed for individual privacy. As averred by the Chief, giving access to the FBI would not only weaken the overall security of the application but would also open doors to several other instances of unauthorized access into the system, thereby defeating the very aim of encryption. In light of the arguments put forth, the case was dropped on grounds of “technical difficulties”, however, there continues an ongoing debate on whether the government should be allowed such backdoor access or traceability.
Technical Issues and Feasibility
At this juncture, it is critical to understand the mechanics of how such traceability would operate if the government saw that push has indeed come to shove. There are two principal opposing arguments at the moment. The first says that there can be no traceability without breaking encryption, i.e., the argument advanced by WhatsApp. The second argument is by the Government stating that there actually are technical means to introduce traceability into the system without breaking encryption.
For the first argument, the social media giant specifies that the primary objective of the kind of the encryption protocol that it employs is “cryptographic deniability”, which is to say that if a person receives a message from another over the app, only the person receiving and the person sending can be sure about the credentials of the person sending or the person sent to. The same cannot be proven to anyone else as the encryption keys generated are unique and constantly changing for each new set of message senders and recipients. A third party can never be sure who the sender actually was, it could be simply the recipient himself who constructed the message. The same cannot thus be called in and verified in a court of law.
The Government on the other hand, claims that this is a farce and WhatsApp’s averments that encryption shall be breached are mere red herrings with an objective of stalling the compliance of the new stringent regulations. There are a number of technology experts that claim that WhatsApp can enable traceability without breaking encryption. They put forth an elaborate argument based on the “source code” and the “destination code”. According to these experts, the source code is used in mobile and email networks both to trace messages. While in phone networks, it is colloquially known as call data record (“CDR”), in email networks the same takes the form of internet protocol data record (“IPDR”). These data records are what can enable traceability without making it necessary on the part of WhatsApp to either breach privacy and read conversation or break encryption.
However, the term “data records” is where the catch is at. Currently India does not have any law with respect to personal data storage. The Draft Personal Data Protection Bill is still pending before the Parliament. While, all phone networks are mandated to store the CDR with respect to SMS for a duration of 3 months, however, no such regulation exists in the country, neither with respect to the location nor the duration of storing of such data. WhatsApp goes further and adds another dimension to it. It states that currently no such data is being maintained by it with respect to any of its users.
However, if the new regulations are to be implemented, then the same shall involve substantial data storage and would thus be in the breach of essential privacy of each of its users. Moreover, this would mean the storage of unquantifiable amounts of individual user data with respect to each conversation the user has, as it can never be predicted beforehand as to who’s data will be demanded by the government. This according to WhatsApp is a blasphemous breach of the principles of privacy and the protections that encryption ensures.
Encryption as a concept is not very tricky and can be achieved by a bare basic computing device and a few lines of code. This inherent simplicity is what ensures the continued existence of encryption technologies as the world and the governments world over have come to understand that doing away with encryption is not a possibility anymore. Hence at the current date, the society is glutted with opinions and explanations with respect to the WhatsApp traceability debacle, one thing that stands out clearer every day is the requirement of a Data Protection Regime.
At this juncture, everyone appears to be passing off the responsibility. WhatsApp does not want to take over larger responsibilities with respect to maintaining data or eventual responsibilities of localization and other such compliances as it would result in substantial costs. The government, on the other hand, is also not ready to take substantial privacy concerns into account and hence, wishes to introduce such measures which would consolidate its position with respect to unfettered access to information as and when required. Hence, the tussle.
Moreover, as the issue has been drawn into the courtrooms, the dangers increase further because of non-peer reviewed non-vetted technical proposals and ideas might get endowed with the force of the law by a dictum of the court thus increasing issues and exacerbating complexities.