Last week, WhatsApp decided to legally challenge one of India’s new information technology rules that require messaging platforms to help research agencies identify the source of problem messages. WhatsApp believes this would break end-to-end encryption and harm people’s right to privacy. The government responded by saying that it is committed to guaranteeing the right to privacy of all its citizens and that it must also guarantee national security. Have these new rules been framed to properly address the balance of privacy and security, especially in the context of social media intermediaries like WhatsApp? Rishab Bailey and Parminder Jeet Singh discuss this issue in a conversation moderated by Sriram Srinivasan. Edited snippets:
What do you think about how IT standards relate to the issue of privacy and security?
Rishab Bailey: The short answer is that all the provisions of the new IT rules are ultra vires to the Constitution and the Main IT Act of 2000. The rules only make superficial attempts to balance the interests of privacy and security. But it is very clear that security interests are taking precedence over civil and economic freedom interests.
Keep in mind that the government already has huge oversight powers. This was recognized even in the report of the Justice Srikrishna Committee that accompanied the draft data protection law in 2018. Therefore, instead of trying to review these powers, the government is giving a greater ability to explore and interfere in the private lives of citizens. In particular, the traceability obligation of the new rules is problematic because the technical literature in this regard is almost universal, as it is accepted that this would break the use of end-to-end encryption for all users of platforms such as WhatsApp.
Also, end-to-end encryption is really needed in the digital economy because data theft and hacking is only increasing in India. There is also a problem with the same platforms that misuse user data. Therefore, ideally we should try to encourage more user-controlled encryption and not limit this possibility.
Parminder Jeet Singh: I will start with the points according to Rishab, and this is the context of how the state has used its powers in a way that is being very dangerous.
That said, we also need to look at things in the sense that our societies are changing from pre-digital societies to digital societies, and many fundamental structural changes need to take place. Among these, there are also the levers to enforce the law, necessary in the new context. Second, as Judge Srikrishna said, a new law should be introduced that discusses the fundamentals, gives good controls and institutional balances, and then places this new and significant legal possibility for law enforcement in this context. Third, the biggest problem with WhatsApp is that it is a private communication channel and, after a certain virality, it becomes public. So what happens is that with the warrant of initiation or traceability, anyone who writes a personal message to their friend is afraid that, even if they are doing an analysis that, in a private sense, is not criminal, but it could be criminal in a public sense. Therefore, how the private and public parts can be balanced is a concern.
Rishab, do you think the use of metadata is enough to address this issue?
RB: It is not clear why a specific mandate is needed for traceability. Yes, law enforcement can access metadata and other forms of data without encryption. Also note that current legislation in India also allows the government to request data decryption if an intermediary has it or when the intermediary has the private encryption key.
Would decryption rules be relevant in a context where there are no keys to decrypt them except at the ends of a communication?
RB: In reality, this is the key issue, which is that the government wants you to move away from user-controlled encryption to encryption performed by the intermediary itself. If the intermediary controls the encryption keys, the government can only go there and ask for this information.
PJS: I don’t think traceability of encrypted messages requires breaking encryption. Metadata, which already contains many layers of information, including a counter that tells you that the message has exceeded a certain virality limit, can be a good enough place to block the originator of each message when it is created. Now, you can always tell it doesn’t go with my encryption method. But the law does not follow private business models; private business models follow the law.
I’ve been a police officer and I can see a lot of situations where there’s almost no other way; I mean you can spend decades researching and always find the source. So there are examples like someone sending a derogatory message, for example, from the Dalits, and that goes viral. This is illegal under Indian law. What should the law do? A second example refers to the systematic manipulation related to elections, which has happened in the West on Twitter; in India it goes to WhatsApp. Foreign countries can do it, Indian political cells can do it illegally. And all of this can really be traced when you can find an originator. Another example is of obscene, intimate non-consensual (shared) images. And finally, a lot of incorrect content is leaked today on WhatsApp by the police themselves, who have access to many digital media when they do investigations. All this requires the originator to be discovered and these cases will continue to multiply. And just saying I think it could be found out otherwise is not enough.
The government’s response to WhatsApp mentioned the guarantees that come with the rules. Any ideas on that?
RB: The rule as it is currently drafted is vague, disproportionate and probably unnecessary. The reasons why this traceability power can be used are quite broad and can therefore be misused. The provision uses the phrase “state security,” which unfortunately has come to mean practically criticizing the government in some way. Similarly, saying that this power can be used to detect or prevent a crime basically gives executive authorities free rein to identify people even before a crime has been committed.
PJS: This should have been a new law with a systemic explanation of the intention, purpose and institutional guarantees. As of now, the court has said that sedition needs to be redefined. Here are two problematic terms: “state security” and “public order.” People shout in my street; is it a public order issue? And we need our Supreme Court to define these terms and make them available to the law.
I am also firmly convinced that for such cases, the executive authority should not be able to issue an order. A court order should only be made, which should insist on the purpose, as you will, if the intermediary has had the opportunity to do so through less intrusive means, which are part of the new rules, to allow access to the source of a message. Therefore, these institutional systems should be in a new law and the Supreme Court should clarify terms such as “public order” and “state security”.
It will always be an ongoing battle. The powers that a police officer received during the colonial regime … is the same power that the Indian police have in New Delhi and those in Toronto: arresting people, entering people’s homes. It is the institutional protection around those who keep their power under control. The same would apply to the digital realm.
What do you have to say about the fact that these did not come as new laws?
PJS: Much is probably not at the level of delegated decision. This kind of thing should go to Parliament and a full-fledged law should be written.
RB: What has happened progressively over the last few years is that section 79 of the IT Act route and the fact that you can set rules under it is used to introduce progressively more onerous obligations, including in many areas where you might really need regulation. The argument is that all the rules of Article 79 can do is apply the main provision. They cannot introduce new crimes, they cannot go beyond what is contemplated by the original provision or, in fact, the matrix law itself.
Returning to the issue of encryption, the government’s release in response to WhatsApp charges made a point about a 2019 statement issued by five countries (UK, US, Australia, New Zealand and Canada) in which they talked about the issues with encryption. What do you think will happen in the future?
RB: In fact, all jurisdictions are struggling with the question of how to deal with the fact that sometimes messages may not be accessible or that data may not be accessible to law enforcement agencies. But I don’t think there’s a single liberal democracy that really enforces laws that require traceability in the same way that new computer standards do. This problem of access to encrypted data has arisen in the last 25 years in many different countries. Even in the United States, for example, it has been debated since the mid-1990s. It comes out especially every five or six years when there is a terrorist attack or something and tech companies say we can’t provide you with that data because it’s encrypted. But there have been no really enforced laws that specifically address this issue, in large part due to opposition from the technical community, as well as civil society and academia.
In Australia, the government has been given fairly broad powers under a law known as the Legislation and Telecommunications Amendment Act. This allows law enforcement to request information and help from intermediaries. But even here they cannot demand the creation of systemic weaknesses or vulnerabilities.
It’s also important to keep in mind that platforms don’t always want to be in the bad aspect of governments. This may not necessarily apply in the context of India, because it is clear that a contrary position has been taken here. But platforms can also be arm-twisted into building what is called weakness by design into their products. For example, Apple is said to have abandoned plans to encrypt its iCloud data because the FBI pressured it. These are bigger issues that need to be discussed, but I don’t think you find too many countries that have similar provisions to the law.