With fake news, viral messages, and propaganda killing hundreds of people regularly[i], the government has notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (hereinafter IT Rules 2021) to include the long-debated traceability rule. The traceability rule makes it mandatory for significant social media intermediaries like Signal, WhatsApp etc. to trace the message to the originator after appropriate orders of the Court. However, this process is not as easy as it looks. This blog piece seeks to analyse the various ways in which this rule can be implemented, the possible venues of misuse and the legal validity of the rule vis-à-vis the proportionality test derived in the K. S. Puttaswamy case[ii] by the Apex Court.
WAYS TO TRACE ORIGINATOR AND POSSIBLE MISUSE
Rule 5(2) of the IT Rules 2021[iii]statesthat the significant social media intermediaries must enable methods to identify the originator of the messages on their platform and must share it with relevant authorities after appropriate orders of the Court or orders by competent authorities under Section 69 of the Information Technology Act, 2000.It is mandatory for messaging apps[iv] to disclose the originator of messages if the matter relates to law and order problems, friendly relations with other states, contempt of court, defamation, decency or morality, incitement to an offence, security of the state and threatens the country’s sovereignty, integrity[v]. UN Special Rapporteur on Freedom of Expression, Frank LaRue[vi] had highlighted that many vague and unspecified notions were formulated by governments of various countries under the garb of national security. This has helped the government to pursue many arbitrary policies such as the internet shutdown in Jammu and Kashmir for over a year when it is well established that access to internet is a fundamental right[vii], detaining activists like Anand Teltumble, Father Stan Swamy and Sudha Bhardwaj who have critical health problems under the draconian “national security laws” like the Unlawful Activities Prevention Act etc. Supreme Court Advocate Sanjay Hegde had also pointed out[viii] that the government cannot shut down anything under the garb of national security. However, this is not the first time that any country has implemented such a rule in the interest of national security. Recently, the Brazilian Government[ix] also faced scrutiny over compulsory tracing of the originator of the message on social media platforms.
The bigger question is how will this tracing take place? A public interest petition[x] is filed in Madras High Court by Antony Rubin who discussed this issue in detail. The Court had sought the expert opinion of Dr Kamakoti, Professor of IIT Madras. He suggested two ways[xi]. Through the first method, the information of the originator could be decrypted by the receiver of the message. Here, the information of the originator would be encrypted with the contents of the message. While through the second method, the information of the originator would be decrypted by a special public key and a corresponding private key which would be only known to the social media intermediaries. In case of commission of an offence, law enforcement agencies can request intermediaries to decrypt the originator’s information using the corresponding private key and trace the originator.
However, these methods raise important questions. For the first method, mandating the originator’s information on the message which could be decrypted by the receiver will compromise the privacy of the originator. It would make it easy to subject the originator to humiliation, harassment, and physical harm when they do not agree with his/her views. This method will hence create additional law and order problems.
The greater part of the problem lies in the fact that significant social media intermediaries like Signal and WhatsApp guarantee end-to-end encryption[xii]which means that they do not know who is messaging who and what are the contents of the message. The traceability rule goes against this essential feature of the social media intermediaries because it mandates them to not only be aware of the contents of the message and who sent it but also to reveal it whenever ordered or requested by competent authorities. This also implies that every message will have an identity stamp which will make the chances of stealing identity by cybercriminals very high. Furthermore, Dr Prabhakarn, who submitted a response[xiii]on behalf of the Internet Freedom Foundation in the Madras High Court alternatively suggested the use of digital signatures[xiv]for traceability. Digital signatures are obtained by users while signing in, giving them an identity key. This identity key cryptographically guarantees that only the user will be able to digitally sign in on the message unless the OTP is compromised or the account is hacked by malware. Hence, even the use of digital signatures for tracing the originator is not full proof because hacking and impersonation are not difficult anymore.
As for the second method, it demands the creation of a humongous database by social media intermediaries. This goes against the principle of data minimization. David Kaye, the UN Special Rapporteur, in his Report[xv]on Encryption, Anonymity and the Human Rights Framework stated that the security of the system depends on the integrity of the entity entrusted with safeguarding the key. Further, the database that would be created will be massive and hence vulnerable to hacking. Dr. Prabhakaran also noted that since social media intermediaries would be the only watchdogs of the data, they might be subjected to undue pressure by the law enforcement agencies.
Similar issues were also raised by Whatsapp[xvi] about the traceability rule. It contended that since it is of a multinational character, implementing such a rule for the Indian users only would not be feasible. Further, the nationality of the user is hard to determine for these intermediaries. Secondly, it argues that many times, it happens that the message is copied from other social media platforms like Twitter or Facebook. In this case, tracing the originator would be impossible for WhatsApp.
With visible concerns with the implementation of the rule, it is necessary to not only revisit it but also to find effective alternatives to curb the menace of viral messages.
LEGAL VALIDITY OF THE TRACEABILITY RULE
The nine-judge Bench of the Hon’ble Supreme Court in Justice K.S Puttaswamy v. Union of India laid down a four-fold proportionality test[xvii] which all government actions that concern the privacy of the people need to comply with. The proportionality test was formulated based on the observations of Justice DY Chandrachud and Justice Sanjay Kishan Kaul. According to it, proportionality will be ascertained if:
(a) there is a rational connection between the infringement of the right and the purpose of the restriction(suitability or rational nexus stage);
(b) the proposed action is necessary in a democratic society(necessity stage);
(c) the extent of such interference is proportionate to the need for such interference to achieve a legitimate aim (legitimate aim stage);
(d) there are procedural guarantees against the abuse of such interference (balancing stage).
The traceability rule does not conform to the proportionality test laid down by the Apex Court because it fails to comply with Point (b), (c) and (d). Point (b) states that there must be a necessity to implement the provision. For necessity to be proved, the government needs to show that there is no equally effective alternative to the traceability rule. The traceability rule, if implemented, will tinker with end-to-end encryption which has been highlighted as crucial to ensure safety and privacy in a report[xviii] by UNICEF. Even Telecom Regulatory Authority of India had highlighted in its report[xix] that the encryption technology must not be tinkered with. The government must show that the traceability rule is necessary to such an extent that it is worth undermining the encryption technology. Secondly, Point (c) of the test necessitates a proof of proportionality and legitimacy of the provision in question. In the present instance, the government is trying to show that national security is a legitimate purpose to be pursued at the cost of people’s privacy. However, this is flawed. There have been instances in past where a compromise on privacy had threatened national security. For example, the Watergate Scandal[xx]. The government fails to show that it is pursuing a legitimate aim that is proportionate to the harm that will be caused when the provision is implemented. Talking collectively of necessity and proportionality, determining the ambit of these terms will be difficult as there are no clear definitions as to what constitutes necessary and proportionate. Lastly, Point (d) talks about the existence of procedural guarantees that can prevent the abuse of such interference. There are no provisions that can be used to check the misuse of this rule by the government or the social media intermediary. Such a rule will make the government more powerful and can be used as a tool to stifle dissent. This will also lead to self-censorship of ideas and opinions. With the fear of being traced, certain ideas, critique or mere frustration of an individual on the state of affairs that are not favourable to the incumbent government will be discouraged.
Moreover, if the database is unfortunately hacked by malware, then who will be held liable for the loss caused to the users? The policy lacks essential safeguards against the misuse. For example, with the advent of this rule, the date retention period is extended to 180 days now, which is two times of what it was before[xxi]. The social media intermediaries will have to retain the data even if the user deletes its accounts. This extension is highly susceptible to leaks and hacks. Moreover, in absence of any data protection law, the aggrieved will have a hard time holding relevant authorities accountable. The rule mentions no safeguards which talk about the liability of the relevant authorities if the user’s information is wrongly compromised.
Further by enabling mandatory tracing, the state is treating all people as potential criminals because messaging apps will need to trace all messages in order to trace one message. This was also said by WhatsApp[xxii]. This means that users will be under “surveillance” at all times. This assumption on the state’s part is excessive in nature. Hence, if the traceability rule is challenged before the court, the state has to show how it is complying with the proportionality test laid down by the Supreme Court.
There is no denying that WhatsApp forwards have become problematic in today’s time and play a pivotal role in cases of violence. But tracing the message to the originator is a problematic solution. It violates the right to privacy of the users of the social media intermediaries and is alleged to be “legally approved interception”. Moreover, the relevant authorities might face genuine problems in implementing this rule for it demands a huge amount of data to be stored which is beyond the capacity of the law enforcement agencies and the social media intermediaries. The government should look for pragmatic alternatives that can counter fake viral messages. It can make available or mandate the use of authentic fact checking software before any user forwards a message that has a potential to cause violence. Fact checking software are currently used by Facebook and Twitter[xxiii]. The government can also make rules for the intermediaries to check “bulk forwarding”. WhatsApp has recently put a limit on forwarding messages[xxiv]. These alternatives could prove to be more beneficial than implementing such a rule.
Dr Prabhakaran in his report[xxv] stated that an effective defence against the spread of fake news can be awareness, education and literacy. It is quite some time now that the right to privacy has been recognized as a fundamental right. The government must take necessary steps in the direction that do not compromise or infringe on this right of the people. With the availability of effective alternatives, it will be the best course of action for the government to reconsider the traceability rule in light of the concerns of possible misuse.
[i] Elizabeth Dwoskin and Annie Gowen, On WhatsApp, fake news is fast — and can be fatal, https://www.washingtonpost.com/business/economy/on-whatsapp-fake-news-is-fast–and-can-be-fatal/2018/07/23/a2dd7112-8ebf-11e8-bcd5-9d911c784c38_story.html.
[ii] Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
[iii]Ministry Of Electronics And Information TechnologyNotification, Rule 5, (25th February, 2021).
[iv]Rishi Raj, WhatsApp can tell on you without snooping, https://www.financialexpress.com/industry/technology/whatsapp-can-tell-on-you-without-snooping/2203325/#:~:text=Under%20the%20new%20guidelines%20notified,relations%20with%20neighbouring%20countries%2C%20etc.
[v] Rishi Raj, Whatsapp Can Tell on You Without Snooping, https://www.financialexpress.com/industry/technology/whatsapp-can-tell-on-you-without-snooping/2203325/#:~:text=Under%20the%20new%20guidelines%20notified,relations%20with%20neighbouring%20countries%2C%20etc.
[vi] UN Special Rapporteur on Freedom of Expression, Frank LaRue https://www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf.
[vii] Prabhash K Dutta, Internet Access A Fundamental Right, Supreme Court Makes It Official: Article 19 Explained, https://www.indiatoday.in/news-analysis/story/internet-access-fundamental-right-supreme-court-makes-official-article-19-explained-1635662-2020-01-10.
[ix] The threat of traceability in Brazil and how it erodes privacy, https://faq.whatsapp.com/general/security-and-privacy/the-threat-of-traceability-in-brazil-and-how-it-erodes-privacy/?lang=en.
[x] Antony Clement Rubin v. Union of India, 2018 SCC OnLine Mad 13519.
[xi]Whatsapp Traceability: IIF Opposes suggestions made by IIT Professor for tracing the Originator of Messages, https://www.livelaw.in/news-updates/whatsapp-traceability-iff-opposes-suggestions-made-by-iit-professor-for-tracing-the-originator-of-messages-147423.
[xii]Naina Bora, Is Privacy Sacred? Critically Analysing the Traceability Rule, https://tclf.in/2021/05/03/is-privacy-sacred-critically-analysing-the-traceability-rule/.
[xiii]Manoj Prabhakaran, On a Proposal for Originator Tracing in Whatsapp, https://drive.google.com/file/d/1vivciN8tNSbOrA9eZ8Ej0mCAUBzRWu5N/view.
[xiv]Traceability and Cybersecurity, https://www.internetsociety.org/resources/doc/2020/traceability-and-cybersecurity-experts-workshop-series-on-encryption-in-india/#_ftn8.
[xv] AHRC/29/32, https://www.undocs.org/Home/Mobile?FinalSymbol=A%2FHRC%2F29%2F32&Language=E&DeviceType=Desktop
[xvi]YattiSoni, WhatsApp Says Message Traceability Will Fundamentally Change The App, https://inc42.com/buzz/message-traceability-will-fundamentally-change-its-platform-whatsapp/.
[xvii]Aditya A.K., Proportionality Test for Aadhaar: The Supreme Court’s two approaches, https://www.barandbench.com/columns/proportionality-test-for-aadhaar-the-supreme-courts-two-approaches.
[xviii] UNICEF, Encryption, Privacy and Children’s Right to Protection from Harm, https://www.unicef-irc.org/publications/pdf/Encryption_privacy_and_children%E2%80%99s_right_to_protection_from_harm.pdf.
[xix] Telecom Regulatory Authority of India, Recommendations on Regulatory Framework for Over-The-Top (OTT) Communication Services, https://trai.gov.in/sites/default/files/Recommendation_14092020.pdf.
[xx] Vassilis Prevelakis and Diomidis Spinellis, The Athens Affair: How Some Extremely Smart Hackers Pulled Off The Most Audacious Cell-Network Break-In Ever, https://spectrum.ieee.org/telecom/security/the-athens-affair.
[xxi] Internet Freedom Foundation, Deep Dive : How The Intermediaries Rules Are Anti-Democratic And Unconstitutional, https://internetfreedom.in/intermediaries-rules-2021/.
[xxii] WhatsApp Help Center, The threat of traceability in Brazil and how it erodes privacy, https://faq.whatsapp.com/general/security-and-privacy/the-threat-of-traceability-in-brazil-and-how-it-erodes-privacy/?lang=en.
[xxiii] Rohit Kumar & Renjini R, India’s Traceability Question: Legally Approved Interception Should Be Accompanied By Strong Safeguards From Misuse, https://www.firstpost.com/tech/news-analysis/indias-traceability-question-legally-approved-interception-should-have-a-place-in-society-to-help-law-enforcement-agencies-7635101.html.
[xxiv]Jon Porter, WhatsApp says its forwarding limits have cut the spread of viral messages by 70 percent, https://www.theverge.com/2020/4/27/21238082/whatsapp-forward-message-limits-viral-misinformation-decline.