The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 may have major repercussions on user privacy and for social media platforms such as WhatsApp and Signal that guarantee end-to-end encryption. As per the Rules, the government has now introduced the requirement to trace the 'originator' of “mischievous” digital information, including messages and tweet.
This would mean that social media platforms would need to rework their encryption models to comply with the Indian government, and trace the 'originators' of all messages sent using the platform. Any information that is deemed a threat to national security or on crimes like rape and child sexual abuse (which has a punishment of more than five years) will warrant this Rule.
The clause under scrutiny is sub-rule (2) of Rule 5, which states, "A significant social media intermediary providing services primarily in the nature of messaging shall enable the identification of the first originator of the information on its computer resource as may be required by a judicial order passed by a court of competent jurisdiction or an order passed under Section 69 of the Act by the Competent Authority as per the Information Technology (IT) Rules, 2009."
The cited section of the IT Rules, 2009, gives authorities the power to issue directions to the social media companies for the interception, monitoring or decryption of any information through any computer resource.
However, the Rules also lay down that an order for this can only be passed for the purposes of "prevention, detection, investigation, prosecution or punishment of an offence related to the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, or of incitement to an offence relating to rape, sexually explicit material or child sexual abuse material, punishable with imprisonment for a term of not less than five years."
It also said that such an order should not be passed in cases where "less intrusive means are effective in identifying the originator."
The Rules added that in complying with an order to identify the originator, social media companies would not be required to "disclose the contents of any electronic message, any other information related to the first originator, or any information related to its other users."
If the first originator of the information is located outside Indian territory, then "the first originator of that information within the territory of India shall be deemed to be the first originator of the information for the purpose of this clause," the Rules added.
Taking to Twitter, the Internet Freedom Foundation (IFF), a collective of legal and policy experts, highlighted the potential danger of this regulation. "The IT Rules have introduced the requirement of traceability of the originator of the information, which would break the end-to-end encryption. Many platforms (Whatsapp, Signal etc.) retain minimal user data and use E2E encryption to provide privacy to users," it said.
"Due to excessive vagueness in the rules, there is a possibility of over-compliance by social media companies to escape liability. The collateral damage here is citizen free speech and privacy, which will be unconstitutionally hampered as a result," the Internet Freedom Foundation noted.
The foundation also pointed that previous proposals, which sought to implement traceability in a manner that is compatible with end-to-end encryption, had shown to be vulnerable to spoofing, where bad actors could potentially falsely modify the originator information and, in turn, frame an innocent person.
"We do not have any proper parliamentary oversight or judicial check on surveillance, and the latest rules, if they go through, would be a tremendous expansion in the power of the government over ordinary citizens, eerily reminiscent of China’s blocking and breaking of user encryption to surveil its citizens," the foundation further said.
Speaking to TNM, Apar Gupta, executive director at Internet Freedom Foundation, said, "There is a reasonable chance that it will break end-to-end encryption and it will lock out platforms that deploy this encryption but do not have sizable resources like WhatsApp or Facebook. For instance, many Indians use Signal and Telegram and these companies will not be able to operate in India in active compliance of these conditions."
Apar said that with the new Rules, all firms offering end-to-end encryption will need to rework their model to ensure compliance. "These conditions also create a technical requirement for any standard encryption practices and protocols that are deployed. Thereby, it will require the development of new encryption frameworks, which takes a long period of time and degree of peer review to fulfil all norms of cybersecurity," Apar said.
He further added, "Traceability will break one of the core values of end-to-end encryption, which masks the identity of a person with respect to the message content, which is what allows people to have private conversations over instant messaging apps."
Meanwhile, the government defended its move, with Union Law Minister Ravi Shankar Prasad telling reporters on Thursday, "We are not asking them (social media platform) to disclose the content; but just the originator. We want to know who began the mischief, and it will be only in cases where punishment is over five years, so there is a proper safeguard."