In May 2023, a fake resignation letter from the Chief Minister of Tripura was posted on social media, leading to a legal battle over traceability and privacy. The incident involved a Facebook post sharing a forged resignation letter, which was largely circulated across the state on multiple social media platforms, leading to mass misinformation and the wildfire spread of fake news. The Tripura Police approached a local court for permission to track down the originator of the viral post under Rule 4(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, in order to take legal action against them. The Judicial Magistrate First Class of Agartala, West Tripura, granted the request, which WhatsApp initially resisted, citing end-to-end (E2E) encryption and the lack of evidence of a threat to public order.
The matter reached the Tripura High Court, where WhatsApp argued that the application for traceability did not consider less intrusive investigative methods and that the order was passed hastily. The court ultimately ruled in WhatsApp’s favour, staying the traceability order and highlighting the need to establish a credible threat to public order. The granting of such requests underscores the ongoing legal debates surrounding traceability, privacy, and freedom of speech and expression in the digital age, with implications for the broader regulatory landscape.
The consequences of the traceability provision include the weakening of encryption through backdoors, which undermines the privacy and security of users. But first, let’s understand what encryption means and how exactly it impacts each one of us.
Encryption is the process of encoding information into a secret code to safeguard sensitive data transmitted over networks. It encodes the individual’s data using a special key, which can only be accessed by the sender and the recipient. Neither the platform nor the operator facilitating this exchange can read or interpret the encrypted message, putting it beyond the reach of unintended recipients. Essentially, it turns the message into code, sending the coded message and decoding it at the other end. It is vital as it ensures privacy, confidentiality, authentication, and data integrity. This is a process of de-identification of personal data which is reversible and can be decrypted by an entity having access to the encryption key.
In our daily lives, we encounter encryption in numerous situations. This could be through emails and text messages, where end-to-end encryption is utilised to maintain the privacy of messages sent. It further helps secure website access by using HTTPS encryption to protect the data exchanged between the site and your device and defend you against cyber criminals. Moreover, encryption is vital in the storage, handling, and transfer of sensitive personal data in the healthcare, finance, e-commerce and other sectors, to prevent unauthorized access to the data that can result in a data breach.
The framework of encryption is provided under the Information Technology Act, 2000, the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. These laws authorize the government to intercept, monitor or decrypt any information through any computer resource in the interest of the sovereignty, integrity, defence and security of India, friendly relations with foreign States, public order, to prevent the incitement of any cognizable offence relating to the above or for investigation of any offence.
The IT Rules of 2021, in particular, provide for a ‘Traceability Test’, which tracks the origin and source of digital information, referred to as the ‘first originator’, and allows the content to be accessed without the encryption key. At the request of the government, law enforcement agencies can find out the originator of any information on a significant social media messaging platform (platforms with more than 5 million users), for which compliance is not an option.
Practical Application of the Traceability Test
It is crucial to state that tracing the original source of a digital message is necessary to monitor the spread of misinformation and fake news, and to address issues like hate speech, child sexual abuse material, and security threats. Time and again, we have noticed the ability of misinformation to break public order and even lead to violence in several instances.
However, this legal framework grants the government extensive powers to access and decode any digital messages or information without an encryption key, raising concerns about privacy violations and surveillance. Traceability completely goes against the principle of encryption and raises concerns as to how ineffective the process can be. To add to this, traceability has a chilling effect on your right to freedom of speech and expression, as E2E encryption on social media facilitates open discourse, criticism and dissent. If any critical content is published that falls within censorship and content-blocking laws, the government would still have the power to decrypt this data and compromise the encryption on these platforms. This would indiscriminately impact vulnerable groups, such as journalists, activists, protestors, minority communities, etc., that are dependent on the confidentiality and security that E2E platforms provide. The overbroad power of the government to access any encrypted content and its originator is not only contrary to the right to privacy but also encourages and enables the practice of state surveillance. It creates a chilling effect for users to exercise their right to free speech and expression on digital platforms, resulting in self-regulation.
No clarity has been provided as to whether the message is decrypted by the social media intermediary or only the decryption key is passed on to a government agency or body to decrypt it, which raises concerns about how the social media intermediary has access to the decryption key. Once a backdoor has been provided to state agencies, there is a possibility of it being exploited by other unauthorized actors.
How does the Test fare before Courts in India?
Currently, there are several ongoing petitions regarding traceability issues in India, involving social media giants such as WhatsApp and Facebook. It has been argued that these platforms strictly enforce E2E communication, where access to the decryption key is only with the originator and receiver of the message, and not even the platforms. Enforcement mandates of traceability are a fundamental challenge to the way that platforms through which sensitive information is shared are designed, how they function and the services that they provide, apart from undermining the privacy of their users. The Government’s response on this front is that the right to privacy is not absolute in nature.
Traceability is an open threat to end-to-end encryption. For social media intermediaries to trace a single message, they would have to trace every message, essentially creating a metadata trail of online communications. Ultimately, maintaining this trail would be very useful for the Government to track all communications taking place through these intermediaries, leading to a new form of mass surveillance. This can have a chilling effect on the right to free speech and deter the open and free communication that the intermediaries were developed and designed to provide. Further, it is not compliant with the three-pronged proportionality test prescribed by the Puttaswamy (2017) case, i.e. legality, legitimate state aim and proportionality.
Hence, SFLC.in strongly believes in protecting the right to encrypt as it is essential for safeguarding users’ anonymity and privacy on the internet. We filed a petition in 2021 challenging Part II of the IT Rules, 2021, specifically Rule 4(2), before the Kerala High Court, due to its inherent threat to the right to privacy. The petition asked the Court to declare the right to encrypt as a subset of the right to privacy and declare Rule 4(2) ultra vires of the IT Act, 2000. Balancing individual rights and national security is a critical debate and while the state’s duty is to protect national security, it must adhere to legal procedures and proportional measures, avoiding undue pressure on private companies. This petition, clubbed with a few others, has now been transferred to the Supreme Court and has been awaiting a hearing since July 2021.
The incident that took place in Tripura recently is a testament to the State’s convenient bending of technological rights and liberties of citizens, for larger public interest, which often cannot be substantiated or justified. Although traceability is prima facie violative of our right to privacy, State actors continue to enforce traceability mandates. This incident is neither isolated nor uncommon, where the trust-based relationship between digital platforms and their users is violated by State intervention. Such actions deplete our digital rights as other rights commonly take precedence over them. Considering the significant impact that encryption has on our lives and how it is indispensable for any digital communication of sensitive information, legal instruments have allowed for its dilution.
In conclusion, ensuring encryption protection is fundamental for both personal privacy and national security, ultimately striving to strike a balanced and lawful approach to this challenge. Although traceability is essential for law enforcement, its vast scope of misuse creates an urgent need for users to better protect themselves while sharing sensitive information.
Here are a few tips on how you can safely share sensitive information online:
- Read the privacy policies of all the applications you use and websites you visit to understand how they encrypt your data and who is authorized to decrypt it.
- Use platforms that emphasize E2E encryption.
- Switch to Open Source alternatives that have stronger encryption policies.
- Send messages using the ‘Disappearing Mode’, if available.
- Do not share any sensitive personal information on unverified or untrusted applications.
- Encrypt all your confidential files using OpenPGP tools, such as Kleopatra, GnuPG, etc.
- Contact your local legislator and encourage them to act on your depleting right to encryption.
- Support SFLC.in by contributing to our website to join our fight.
WhatsApp LLC v. Union of India [WP (Cr.) 02/2023]
Antony Clement Rubin v. Union of India [T.C. (C) 189 of 2020]
Praveen Arimbrathodiyil v. Union of India & Anr. [WP(C) 9647/2021]
Union of India v. Bhakta Tripathy [TP (C) 1147-1150 of 2021]