The new rules that mandate social media majors to enable traceability for identifying originators of objectionable content could jeopardize an Indian citizen’s right to privacy, a fundamental right granted under the Constitution, say experts.
According to them, in the absence of a privacy law in India, the new rules are prone to misuse and could impact an individual’s privacy and freedom of expression.
New IT rule
On February 25, 2021, the Ministry of Electronics and Information Technology (MeitY) notified the Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021. It outlined key rules social media companies, digital media and OTT platforms like Amazon Prime and Netflix need to follow.
One of the rules is enabling traceability by significant social media intermediaries such as WhatsApp.
“A significant social media intermediary providing services primarily in the nature of messaging shall enable the identification of the first originator of the information…as may be required by a judicial order passed by a court of competent jurisdiction…” the rule reads.
This would mean that the likes of WhatsApp, Signal and Telegram will have to make provisions to comply with the new rules, and for some that would mean compromising the end-to-end (E2E) encryption.
Union IT Minister Ravi Shankar Prasad clarified that the government is not asking for the encryption to be compromised but only wants the social media intermediary to share who the originator is. He further clarified that this would only be for crimes that warrant imprisonment of over five years and only in instances that threaten the security of the nation or in case of serious crimes like rape.
But experts have pointed out that all this might not be so straightforward.
Should encryption be broken?
Anivar Aravind, a public interest technologist and software engineer based in Bengaluru, said that identifying the originator of content has multiple layers.
For one, there is no guarantee that the originator is the one who is responsible for the information that was being shared in the medium. “The person might have got it online and simply shared it,” Aravind said. Also, he/she has no control over who forwards the information.
So, holding a person accountable for sharing the information that was available freely on the internet has its own complications.
Next is the issue with enabling traceability. Anushka Jain, Associate Counsel, Internet Freedom Foundation, a policy think tank, said, “To trace the originator of any information, these platforms would have to break E2E encryption.”
Some of them have pointed out that the intermediaries might not necessarily need to break the encryption and can find a way around it.
According to a Columbia Journalism Review report, metadata is an option to curb the fake news menace without breaking the encryption pattern. Metadata provides more information that can help identify users. In this context, this could be the name, IP address or number.
While in WhatsApp the metadata does get deleted, some part of the information does get stored in its server, the report notes. This metadata is not encrypted and the company can read it even if it cannot read the user’s message or other content, the report said.
If WhatsApp wants to identify the originator, technically it can gather information from its metadata without breaking encryption.
Vinay Kesari, a lawyer specialising in technology law and policy, too pointed out that the new rules leave legal room for implementing traceability without breaking E2E encryption, though the technical feasibility of this is likely to be contested.
However, it is not clear if this would work for Signal.
In Signal, metadata is encrypted as well, giving an additional layer of privacy. This could pose a challenge.
The government is yet to define who a “significant” social media intermediary is, and it’s not clear if Signal would qualify under that criteria.
But the issue of traceability is far more complex than that. Even if companies do find a way to establish traceability that is compatible with end-to-end encryption, Jain said that it could be vulnerable to spoofing and someone can falsely modify the originator information to frame an innocent person.
This development comes at a time when there is no data protection law and that could have serious repercussions when it comes to protecting user privacy.
Privacy
“We should be extremely scared,” says a Bengaluru-based technology and policy expert, who did not want to be named.
Unlike in the US, where there is a separate agency that oversees issues related to citizen’s privacy and monitoring content that could threaten the State objectively, in India there is no such mechanism.
“So technically, MeitY wrote the draft rules, had notified it and will issue the order for tracing the originator. Where are the checks and balances?” the expert asked.
“The ideal process would be to have a separate court that would look at requests or petitions regarding traceability, evaluate them and then issue orders. That is clearly not happening here,” he said.
While the rules have addressed key issues, there is no denying that they give the government more control over how they use the data of citizens without policy safeguards, the expert added.
