Legal challenges to the traceability provision: What is happening in India?
Round-up of what has been happening with respect to the Intermediary Guideline Rules, 2021
The Government of India, through the Ministry of Electronics and Information Technology had notified the Information Technology (Intermediary Guideline) Rules, 2021 on February 25, 2021. One of the provisions, Rule 4, provides for “Additional due diligence to be observed by significant social media intermediaries (SSMIs)”. The said Rule provided 3 months from the date of notification of the threshold categorising SSMIs to comply with its provisions. The deadline of 3 months was on May 25, 2021(You can read SFLC.in’s analysis of the Rules, 2021 here).
Subsequent to the deadline, WhatsApp Inc. and Facebook have separately filed two separate petitions in the High Court of Delhi challenging Rule 4(2) of the Intermediary Guideline, Rules, 2021. The Petitions argue that the Rule 4(2) which provides for traceability (read more here) breaks end-to-end encryption offered by WhatsApp and undermines the privacy of its users. The Government of India, through a press release, has clarified that the traceability provision does not undermine the right to privacy as enshrined in Article 21 of the Constitution of India. According to the Government of India, the right to privacy is not absolute in nature. (WhatsApp has elaborated on its stance against traceability in this post here)
This, however, is not the first challenge to the Rules, 2021. Prior to this, a Free and Open Source Software (FOSS) developer, Praveen A, had challenged the Rules, 2021 including Rule 4(2) i.e. the traceability provision in the High Court of Kerala. Praveen A. is assisted by SFLC.in in his challenge. (You can read about the challenge here)
In this blog post, we would be discussing the events which have led to the challenges to the traceability provision, the traceability provision and how it undermines the right to privacy and free speech, the Government of India’s stance, and what might happen next.
Where does India stand on traceability?
Draft Intermediary Guideline Rules, 2018
The Ministry of Electronics and Information Technology (MeitY) had released the draft Intermediary Guidelines Rules, 2018 for stakeholder consultation. This was for the first time that the Government had proposed introduction of the traceability provision. The scope of the traceability provision, as compared to the Draft Rules of 2018, has been expanded significantly in 2021 rules. Under Rule 3(5) of the Draft Rules (2018), an intermediary was obligated to enable tracing of originator of information concerning security of the State or cyber security and investigation or detection or prosecution or prevention of offence(s) connected to the same, as may be required by legally authorised government agencies.
You can read SFLC.in’s comments and counter-comments on the Draft Rules of 2018 here and here. These comments have also been cited in the WhatsApp vs. Union of India (2021) in the High Court of Delhi.
Ad-Hoc Committee Report on Online Pornography, 2020
In January, 2020, the Rajya Sabha had constituted a committee to “Study the alarming issue of pornography on social media and its effects on children and society as a whole.” The Committee had recommended modifying the then Rules 2011 (now Rules, 2021) to break end-to-end encrypted platforms in cases where child sexual abuse material has been shared.
India signs Five-Eyes alliance statement against end-to-end encryption, 2020
Later in 2020, India had joined Japan in signing a statement by the Five-Eyes alliance stating that end-to-end encryption poses “significant challenges to public safety”. The Alliance along with India and Japan stated their intent to introduce backdoors for law enforcement agencies in end-to-end encrypted services.
Legal challenges to traceability
As of the date of writing, there are four cases dealing with the traceability provision in various Indian courts.
Praveen Arimbrathodiyil vs. Union of India (WP(C) 9647/2021)
A Petition has been filed in the High Court of Kerala by a FOSS developer and volunteer of FSCI, Praveen A with the assistance of SFLC.in. The Petition challenges Part II of the Rules, 2021 including the Rule 4(2) of the Rules, 2021. One of the grounds of the Petition is that it violates the right to encryption of citizens as a subset of the right to privacy protected under Article 21 of the Constitution of India. The challenge in the High Court of Kerala highlights that the traceability provision puts unreasonable restrictions on the ability of intermediaries, thereby, violating the right to freedom to trade and profession under Article 19(1)(g) of the Constitution of India. The case has been admitted and notice has been issued to the respondents.
You can read more about the challenge here.
Anthony Clement vs. Union of India (Dy. No. 32487/2019(SC))
The issue of co-existence of traceability of users with end-to-end encryption was raised in the Madras High Court, pursuant to a petition seeking to mandate linking the Aadhaar with social media accounts of users, which was eventually rejected following the principles laid down in the Puttaswamy judgment. To address the issue, Prof. V. Kamakoti filed an affidavit and suggested that tracing of originator can be done by adding information of the originator with each message and displaying the same during decryption.
Another alternative to the same was suggested by Dr. Manoj Prabhakaran which emphasized on the long term risks involved in adopting Prof. Kamakoti’s proposal of introducing traceability on encrypted platforms. In that, Dr. Prabhakaran highlighted that Prof. Kamakoti’s proposal of enabling traceability was susceptible to the vice of falsification of the information of the originator. Further, he opined that even if the risks of spoofing can be addressed by using digital signatures, the proposal still has limited use in addressing the problem of fake news in the long run.
Currently, the Supreme Court is adjudicating on this matter since it has been pleaded by WhatsApp/ Facebook that it is impossible for traceability to co-exist with end-to-end encryption because even WhatsApp doesn’t possess the decryption keys and hence, cannot trace the originator of the message on its platform. The central question before the Supreme Court is to address whether any new feature can be added to social media platforms such as WhatsApp to enable the tracing of the originator of information. Here, the government of India had submitted that the Intermediary Rules would be notified in January, 2020. The last hearing took place in January, 2020 wherein the notification of the Rules was still awaited.
WhatsApp vs. Union of India (2021)
WhatsApp Inc. and Facebook have filed two separate petitions in the High Court of Delhi challenging the Rule 4(2) of the Rules, 2021. The petitions state that the provision breaks end-to-end encryption and undermines the fundamental right to privacy. It is violative of the law laid down in K.S. Puttaswamy vs. Union of India (2017) and goes against the principles of proportionality, necessity and minimisation.
What is E2E and why is traceability problematic?
What is End-to-End Encryption?
End-to-end encryption is a system of communication where only the sender and recipient can read the plaintext messages. The messages appear gibberish to third parties.
What is the traceability provision?
Rule 4(2) of the Rules 2021, mandates a ‘significant social media intermediary’ providing services primarily in the nature of messaging to enable identification of the first originator of the information on a computer source, as required by a judicial order or an order passed under S. 69 of the Information Technology Act, 2000 as per the Information Technology (Procedure and Safeguards for interception, monitoring and decryption of information) Rules, 2009.
Further, the purpose for which such an order can be passed has also been specified to include offences related to, inter alia, the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, or of incitement to an offence relating to the above or in relation with rape, sexually explicit material or child sexual abuse material.
One of the provisos to the Rule states that if the first originator of an information is not based in India then the first originator of that information in India would be deemed as the originator of that information.
You can read more about the provision here in this detailed blog post by SFLC.in.
What is WhatsApp’s stance?
Most recently, WhatsApp has filed a legal challenge in the High Court of Delhi challenging the Rule 4(2) of the Rules, 2021. The matter is yet to be taken up for admission. WhatsApp qualifies to be a Significant Social Media Intermediary under the Rules, 2021 as it has more than 5 million users in India. In its legal challenge, WhatsApp has contended the following:
Traceability breaks end-to-end encryption
WhatsApp has contended that traceability regulates the end-to-end encrypted services by requiring messaging services like itself to keep a metadata trail of communications. It has contended that this information can be used to ascertain contents of messages, and that to “trace even one message, services would have to trace every message”.
Since the Government can request any message to be traced, it would require WhatsApp to have a giant database of messages sent on its platforms. WhatsApp has contended that traceability will lead to a new form of mass surveillance.
Undermines right to privacy under Article 21
The traceability provision violates the right to privacy as enshrined under Article 21 of the Constitution of India. Forcing WhatsApp to trace the first originator would infringe upon the privacy of every user of WhatsApp in India. E2E encryption means that messages between two individuals cannot be accessed by any other entity including the social media intermediary. Any compromise on the E2E encryption design undermines the hitherto-existing privacy of communication over messaging apps, as ensured through end-to-end encryption.
WhatsApp has also argued that the traceability provision does not qualify the three-pronged test laid down in Puttaswamy I i.e. i) legality; ii) legitimate state aim; and iii) proportionality test. It has also highlighted the absence of judicial scrutiny in Rule 4(2).
Undermines right to free speech under Article 19(1)(a)
The traceability provision violates Article 19(1)(a) of the Constitution of India as it will have a chilling effect on freedom of speech and expression. The provision has the potential of even criminalising lawful speech, and will lead to self-censorship. WhatsApp has also cited that journalists, civil society organisations, members of ethnic or religious groups, activists, academicians, and artists use end-to-end encrypted platforms to exercise their right to freedom and expression without any fear of state surveillance or retaliation.
You can read SFLC.in’s report on “India’s Surveillance State” here.
Rule 4(2) is ultra vires the S. 69A and S. 79 of the Information Technology Act, 2000
WhatsApp has argued that the Rule 4(2) if ultra-vires the parent statute i.e. the Information Technology Act, 2000. S. 69A as the Rule 4(2) is neither a procedure or safeguard subject to which blocking order may be carried out.
Since S. 79 is the safe harbour provision and provides for due diligence, it does not enable the Government of India to impose a requirement which enables intermediaries to enable identification of the first originator on end-to-end encrypted platforms. It has also contended that Rule 4(2) imposes obligations on intermediaries which fall beyond the scope of “due diligence” as it forces “fundamental alterations to WhatsApp by breaking end-to-end encryption”.
Rule 4(2) is violative of Article 14
The petition contends that the subordinate legislation i.e. Rules, 2021 suffer from manifest arbitrariness because the Parliament did not intend to give authority to make such legislation.
Traceability would not work
WhatsApp has argued that traceability would not work as it is highly susceptible to abuse as someone who has shared a screenshot of a text may not necessarily be an originator or someone who has copy-pasted a text from another platform may not be the originator of that particular text.
What does Praveen A. vs. Union of India contend?
The petition argues that Rule 4(2) disregards Article 21 which declares right to privacy as a fundamental right. An intermediary cannot fulfill its obligations under Rule 4(2) of the Intermediary Rules, 2021 without snooping on the private communications of its users which is a flagrant violation of the right to privacy of users.
It contends that encryption further enhances the quality of products offered by the intermediaries. Therefore, Rule 4(2) imposes unreasonable restrictions on the ability of intermediaries to strengthen the security of communications. Thereby, violating the right to freedom of trade and profession under Article 19(1)(g) of the Constitution of India.
It contends that the Intermediary Rules, 2021 are a piece of delegated legislation, and it illegally and unconstitutionally seeks to fill the regulatory vacuum on the encryption regulation in India.
The petition prays that encryption should be declared as a subset of the right to privacy which is a fundamental right enshrined under Article 21 of the Constitution of India.
What does the MeitY’s press release say?
The Government of India through MeitY responded to WhatsApp’s challenge by way of a press release published on Press Information Bureau’s website on May 26, 2021. In its press release, the MeitY has defended the Rule 4(2) by stating that:
No intent to violate right to privacy
The Government of India recognises the right to privacy as a fundamental right but it is the Government’s duty to ensure law and order and national security. It has reiterated that the traceability provision will not impact the right to privacy. The Government has argued that the fundamental rights are not absolute in nature and are subject to reasonable restrictions — the traceability provision being a reasonable restriction.
Rule 4(2) qualifies the proportionality test
The release argues that Rule 4(2) qualifies the proportionally test. It states that the “cornerstone of this test is whether a lesser effective remedy exists”.
SFLC.in’s note: While MeitY has defended this provision, it has not defined the less effective remedies in the Rules, 2021. Besides, since Rule 4(2) leaves it to the law enforcement agencies to either get a judicial order or S. 69 order i.e. an executive order, there is no element of judicial scrutiny involved to ascertain if less intrusive means were actually available or not. (Read more about S. 69, IT Act, 2000 here).
Traceability is essential in abiding with public interest
The MeitY has argued that Rule 4(2) is important because it serves public interest. The release states that “It is in public interest that who started the mischief leading to such crime must be detected and punished. We cannot deny as to how in cases of mob lynching and riots etc. repeated WhatsApp messages are circulated and recirculated whose content are already in public domain. Hence the role of who originated is very important.”
SFLC.in’s note: An originator may not necessarily be the author of an information. This argument by MeitY disregards a vital canon of law: mens rea. A video or news link with incorrect facts innocently shared by one person to another does not necessarily make the person sharing such link have the criminal intent to commit any crime. This may lead to several legal tussles. It also disregards a situation where there can be multiple originators of one piece of information — for instance person A can take a screenshot of a news article and share it with her friends and person B can copy-paste the same article and share it with her friends. That does not necessarily mean that A and B are authors of such information.
The MeitY has argued that the rules conform with laws in various countries. It has cited the Five-eyes alliance statement which was released in July, 2019. It has also relied on the Brazilian law.
SFLC.in’s note: A statement does not mean that the Five-eyes alliance countries have laws undermining end-to-end encryption. Brazil, also, does not have any law which breaks end-to-end encryption. There was a proposal to introduce traceability but that has not happened yet.
The matters in the High Court of Delhi has not been admitted yet and the matter before the High Court of Kerala has to be listed for hearing. It remains to be seen how the matters unfold in the court of law. As of now, the significant social media intermediaries would be required to comply with Rule 4(2) as the provision has not been stayed yet.
We will update this space once the matters are listed for hearing.