Press "Enter" to skip to content

Encryption vs Compliance: The new IT Act guidelines put messaging services like WhatsApp in a tight situation – OpIndia

The recently announced guidelines for social media intermediaries under the IT Act are going to impact the concerned companies in a major away. While most of the talk is about how it will impact Facebook and Twitter, the two major social media companies, it will have a greater impact on messaging platforms like WhatsApp and Telegram. It may be noted that the new guidelines define ‘social media intermediary’ as an intermediary that allows two or more users to create, upload, share, disseminate, modify or access information using their services. This means that internet-based messaging services are also part of such intermediaries.

The most significant change that is being brought into the social media spectrum by the guidelines is the responsibility of the companies to not allow its users to post content which have been barred under the guidelines, and identify the origin of such objectionable content.

To combat the menace of fake news, and the trend of inciting violence, issuing threats etc through the intermediary platforms, the guidelines state that the companies will have to identify the user who had posted such content for the first time in India. The guidelines also have a long list of the type of content which are not to be allowed on the intermediary platforms, like contents which are defamatory, obscene, pornographic, paedophilic, inciting violence, against national integrity, misleading, false etc.

If the companies don’t comply with these rules, they will lose the safety harness that is provided to them under the IT Act, which shields them from any objectionable content on their networks. The same IT Act says that if the companies do not observe the due diligence defined under the act, the companies will lose the safety harness, and they will be deemed responsible for the content posted on their platforms, and their officials will be prosecuted and can be punished, including imprisonment.

Therefore, now the social media companies won’t be able to ignore orders by government or courts to remove objectionable content, and identify the originator of such content, like they had done earlier.

For social media companies, it is not a big issue to implement, as the content posted on those platforms are already in the public domain, and the companies will able to identify content that has been deemed objectionable as per the rules, and also to identify the origin of such content in India.

But it poses a serious challenge for the messaging platforms, which have been built around the concept of privacy and encryption. WhatsApp for example, which has the highest number of users in India among all intermediaries, offers end-to-end encryption. This mean, once a message is sent, it can be viewed only by the recipient, nobody can snoop on a message going through the network in between. WhatsApp claims that its encryption is so strong that, even the company itself can’t view the messages passing through its network. Other messaging services like Telegram or Signal also make similar claims of data privacy on their platforms.

Now this feature of data privacy directly comes into the way of the new guidelines under the IT Act. In order to identify objectionable content, and the originator of such content, now companies like WhatsApp will have to look into the content of the messages, and users who sent them.

The government says that it does not want the content of the messages, as it will be already in the public domain if any action will be initiated against it, and govt only want the originator of the message. But it does not solve the problem for the messaging platforms. Because, to find who sent a particular message, the company will still have to look into the messages.

This means, platforms like WhatsApp and Telegram, who advertise their encryption as their main USP, will be forced to break their encryption to comply with the Indian laws. Moreover, if the companies implement some measures to circumvent their encryption to look into the content, it will be potential security hazard, as hackers could take the advantage of such a measure.

In this regard, it is important to note that social media intermediaries will not be forced to reveal the originator for all cases. Government can ask to reveal the originator only in those cases where the content violates such an Indian law which have jail term of minimum 5 years as punishment. This means, companies will have to identify the origin for social media posts that threaten the sovereignty and integrity of India, friendly relations with other nations, public order, and offences related to rape, child sexual abuse material etc only. For cases like defamation, fake news, pornography etc, the companies will not be forced to reveal the originator.

In the past, when the Indian government had asked WhatsApp to identify the origin of fake news spread on the platform, the company had refused to do so citing its encryption policy. But now that disclosing such information when sought has been made mandatory, and refusing to do so will mean losing the safe harbour provision, the company will be in a very tough situation.

Even if the company decides to comply with the Indian laws and breaks its encryption, it will be breaking its own rules and regulations. It may also attract litigation from users for compromising with their privacy. It is notable that Supreme Court of India has declared that Right to Privacy is a fundamental right.

In case WhatsApp concedes and devises some way to break its encryption on India government’s demand, it may open a pandora’s box, and governments and law enforcement agencies in other countries will also start demanding the same. It will put the company in a difficult situation.

To maintain a balance between finding anti-social elements and ensuring privacy for general users, the government of India had suggested that every message on WhatsApp should have an ‘digital fingerprint’ attached to it, so that the messages can be traced back to its originator. While the government claims it is technically possible, WhatsApp claims its end-to-end encryption does not allow such traceability.

Caught in such a catch-22 position, the messaging services will have to find way out. If they don’t want to compromise with their encryption technology, they may even be forced to terminate their operations in India. Or may be the company can launch an India specific app without the encryption, and make the original app not available in India.

Although the guidelines were issued on Friday, the companies have been three months to implement them. It is possible that the companies will find a way around this mess. Also, companies may be able to negotiate with the government to tweak the rules which makes it easier to implement.