WhatsApp vs govt: Can traceability and encryption co-exist?

Amidst WhatsApp's own privacy policy havoc, many have questioned the irony of WhatsApp's recent challenge to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (Intermediary Rules) on grounds of privacy.

That said, WhatsApp's challenge brings some key issues to light, especially with respect to compatibility of these rules with end-to-end encryption technologies and the consequent privacy implications.

Encryption technologies in India have long been a bone of contention, especially with the government's authority to require decryption of content under Information Technology laws.

Also Read: WhatsApp sues Indian govt, says new media rules mean end to privacy

The recently notified Intermediary Rules on 25 February 2021 for 'intermediaries' (e.g. WhatsApp, Facebook and Twitter) and digital media publishers (e.g. online news portals and video streaming platforms) have now created a pandemonium in the industry by requiring tracing and identification of users and deploying technological tools for content moderation.

Though these tracing and content moderation obligations apply only to 'Significant Social Media Intermediaries' (SSMIs) (i.e. social media intermediaries having over five million registered users in India), these rules create serious implications for online platforms and users across the board. Notably, WhatsApp has challenged these rules before the Delhi High Court as the 3-month timeline given to SSMIs to implement these obligations came to an end on May 26, 2021.

Identification of 'first originator'  

Under the new Intermediary Rules, SSMIs 'primarily' providing messaging services are obligated to identify the first originator of information in India (without identifying the contents of the information) when required by court or executive order on grounds such as national security, public interest etc. This is a step further in the existing obligations to decrypt content upon government orders and maintaining decryption keys.  

This is likely to be an obstacle for popular messaging platforms such as WhatsApp, Signal and Telegram deploying the signal protocol end-to-end encryption technology. With this cryptographic protocol, the users on such platforms are generally allotted numeric fingerprints (e.g. adding users through QR codes) and the messages are secured and only visible to the sender and receiver. This is an attractive feature for users to protect their privacy. However, pursuant to these new obligations, the privacy of users will be impacted with platforms implementing technical changes to enable user tracing.  

Citing the landmark Supreme Court decision in KS Puttaswamy v Union of India (2017) 10 SCC 1 (Puttaswamy) on the fundamental right to privacy, WhatsApp, in its challenge, has reportedly contended that this obligation violates users' privacy rights as traceability of users will require collection and storage of user data on a massive scale. As per the recent statement published by WhatsApp on its website, "in order to trace even one message, services would have to trace every message". Though there have been several petitions challenging these rules (including WhatsApp's), there is presently no stay on the operation of these rules.  

Also Read: MeitY defends new social media rules after WhatsApp lawsuit, assures right to privacy

While it may be argued that SSMIs can trace users by fingerprinting content with numeric codes, there are doubts about the accuracy of tracing without undermining encryption protocols.

For instance, WhatsApp has argued that tracing will be impacted if there are even microscopic changes in the information being shared and the format of sharing (e.g. sharing of an image versus screenshot of that image or adding an extra character or space to a text message).

Interestingly, in separate ongoing litigations since 2019, WhatsApp has objected to suggestions for enabling tracing, such as displaying the originator's information to the recipient of a forwarded message or encrypting original messages with special encryption keys (and corresponding private keys) known only to WhatsApp.

News reports also suggest that WhatsApp has also not confirmed the latest government proposal to the messaging platform for assigning alpha-numeric hash to messages exchanged on its platform. Technology experts have had an apathetic response to the feasibility of such measures, citing concerns such as difficulty in storing hashed copies of millions of messages exchanged on the platform, creating a virtual partition for the platform features across various countries, etc.  

Content moderation

Apart from tracing and identification of users, another controversial obligation for SSMIs is to 'proactively' identify and moderate certain categories of information (such as child sexual abuse materials) using technology-based measures (including automated tools or other mechanisms). Adding another layer of review, the rules also require human oversight and periodic review of such measures by SSMIs.

This obligation is another challenge for platforms using encryption technology since, in order to identify and filter content, the content transmitted by users would need to be visible to the platform operators. In parallel, WhatsApp had also expressed its reluctance to implement measures for content filtering before the Supreme Court in In Re: Prajwala (Videos of Sexual Violence and Recommendations) Suo Motu W.P. (Crl.) No. 3 of 2015 due to its end-to-end encryption.

Since the present rules also envisage human oversight and periodic review of these measures, it appears that simply using automated tools (to analyse the encrypted content through numeric codes) to enable content moderation will not be sufficient. Implementing human oversight on content moderation without disrupting end-to-end encryption technology and ensuring accuracy and fairness with automated tools seems to be a Herculean task at this stage.

Also Read: 'User privacy remains highest priority': WhatsApp responds to Centre's 'trick consent' remark

Commercial implications and way forward

Circulation of fake news, child abuse material and other unlawful content has been a rapidly growing problem in India. While encryption protects users' privacy and security, it also leaves unlawful activities online unchecked. It is undeniable that regulation of online content is required to some extent and identification of perpetrators could be useful, but, on the other hand, there is also potential for arbitrary executive orders for user identification and content monitoring on vague and overbroad grounds.

The shield of encryption protecting the users' privacy may have to be redevised to comply with the new Intermediary Rules. Further to the proportionality test propounded by the apex court in the Puttaswamy decision, it is vital to ensure that there is a proportionate balance between regulatory scrutiny and privacy rights. Regulatory scrutiny should not be at the cost of users' privacy.  

Although there are some safeguards prescribed under the rules, the existing review mechanisms under information technology laws should also be duly implemented against executive orders. To balance commercial concerns with regulation by the government, it is also crucial to have autonomous review mechanism and independent oversight by industry bodies (similar to some recommendations for regulation of cloud communication and the proposed data protection framework).  

These rules are also riddled with certain ambiguities, such as interpretation of 'messaging' services, extent of moderation required, scope of human oversight and periodic review, etc., which may open doors to overcorrection, excessive regulation and potential misuse by administrative authorities.

Another aspect wreaking havoc on the industry is the impact on global practices of such platforms. For instance, storing meta data and location data for tracing the first originator may require weakening the encryption standards and open risks to data breaches and potential violations under stricter data protection laws like in the European Union. Gaps in legislative guidance and unrest in the industry have rendered the burning question for stakeholders (and the industry at large) - is end-to-end encryption technology compatible with these obligations?   

While the Ministry of Electronics and Information Technology has stated that the new Intermediary Rules will not force platforms to break their end-to-end encryption, some stakeholders and experts have repeatedly argued that traceability and encryption cannot co-exist. Evidently, these additional obligations will significantly impact the commercial and technical operations of platforms that use encryption. It will be interesting to see the outcome of WhatsApp's recent challenge to the new rules and how the leading messaging platforms (or other SSMIs using encryption protocols) in India implement the necessary technical changes to comply with the new obligations.  

(Harsh Walia (Partner), Abhinav Chandan (Partner) and Tanya Varshney (Associate), Khaitan & Co.)