WhatsApp vs govt: Can traceability and encryption co-exist?

Amidst WhatsApp's own privacy policy havoc, many have questioned the irony of WhatsApp's recent challenge to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (Intermediary Rules) on grounds of privacy.

That said, WhatsApp's challenge brings some key issues to light, especially with respect to compatibility of these rules with end-to-end encryption technologies and the consequent privacy implications.

Encryption technologies in India have long been a bone of contention, especially with the government's authority to require decryption of content under Information Technology laws.

Also Read:

Circulation of fake news, child abuse material and other unlawful content has been a rapidly growing problem in India. While encryption protects users' privacy and security, it also leaves unlawful activities online unchecked. It is undeniable that regulation of online content is required to some extent and identification of perpetrators could be useful, but, on the other hand, there is also potential for arbitrary executive orders for user identification and content monitoring on vague and overbroad grounds.

The shield of encryption protecting the users' privacy may have to be redevised to comply with the new Intermediary Rules. Further to the proportionality test propounded by the apex court in the Puttaswamy decision, it is vital to ensure that there is a proportionate balance between regulatory scrutiny and privacy rights. Regulatory scrutiny should not be at the cost of users' privacy.  

Although there are some safeguards prescribed under the rules, the existing review mechanisms under information technology laws should also be duly implemented against executive orders. To balance commercial concerns with regulation by the government, it is also crucial to have autonomous review mechanism and independent oversight by industry bodies (similar to some recommendations for regulation of cloud communication and the proposed data protection framework).  

These rules are also riddled with certain ambiguities, such as interpretation of 'messaging' services, extent of moderation required, scope of human oversight and periodic review, etc., which may open doors to overcorrection, excessive regulation and potential misuse by administrative authorities.

Another aspect wreaking havoc on the industry is the impact on global practices of such platforms. For instance, storing meta data and location data for tracing the first originator may require weakening the encryption standards and open risks to data breaches and potential violations under stricter data protection laws like in the European Union. Gaps in legislative guidance and unrest in the industry have rendered the burning question for stakeholders (and the industry at large) - is end-to-end encryption technology compatible with these obligations?   

While the Ministry of Electronics and Information Technology has stated that the new Intermediary Rules will not force platforms to break their end-to-end encryption, some stakeholders and experts have repeatedly argued that traceability and encryption cannot co-exist. Evidently, these additional obligations will significantly impact the commercial and technical operations of platforms that use encryption. It will be interesting to see the outcome of WhatsApp's recent challenge to the new rules and how the leading messaging platforms (or other SSMIs using encryption protocols) in India implement the necessary technical changes to comply with the new obligations.  

(Harsh Walia (Partner), Abhinav Chandan (Partner) and Tanya Varshney (Associate), Khaitan & Co.)