Since 2018, traceability on encrypted social media platforms has been a key demand of the government after a series of mob lynchings in which WhatsApp forwards played a pivotal role. The recently introduced Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 (hereinafter referred to as “IT Rules, 2021”) have been a step in this direction by making it mandatory for messages to be traced back to the first originator under orders of the Court. This article critically analyses the traceability rule and the possible misuse of this tool of surveillance.
The Link Between End-to-End Encryption and Traceability
Apps like Signal and WhatsApp use encrypted messaging to ensure that these companies don’t know who is messaging whom. Signal’s founder has even stated that the app collects as little information as it can, for example by not collecting the user’s contacts, GIF searches, etc.
Now, Rule 5(2) of the IT Rules, 2021 (hereinafter referred to as “the traceability rule”) states that “A significant social media intermediary providing services primarily in the nature of messaging shall enable the identification of the first originator of the information on its computer resource as may be required by a judicial order passed by a court of competent jurisdiction or an order passed under Section 69 of the Act by the Competent Authority as per the Information Technology (Procedure and Safeguards for interception, monitoring and decryption of information) Rules, 2009, which shall be supported with a copy of such information in electronic form.”
Indian news reports state that traceability does not break end-to-end encryption. However, this is a myth which has been busted by WhatsApp itself, since “encryption guarantees that nobody other than the person you are talking to can know that you sent a particular message. Adding traceability breaks this guarantee. Its primary purpose is to expose who sent what to whom. End-to-end encryption also guarantees that the messaging app you are using does not know what content people are sending. An implementation of traceability that requires private messaging services to provide a one-stop-shop and “tell us everyone who sent this content,” breaks end-to-end encryption, as it forces services to store, and therefore have access to, the content of messages on their servers.”
Thus it can be said that making any changes to encryption in order to grant exceptional access to one user involves creating a vulnerability for all users. In fact, WhatsApp has itself stated that “in order to trace any messages, we must trace them all.”
Although Rule 5(2) of the IT Rules, 2021 states that this originator information must be provided only when there is a competent court order, traceability is highly susceptible to misuse by criminals. This is because apps like WhatsApp would have to place a permanent identity stamp in order to trace the message to the original sender. This was also proposed by IIT Madras Professor V. Kamakoti, who suggested that the originator signature may be encrypted with a public key and decrypted with the help of a court order. These digital signatures would also need to be easily revocable and re-issuable in order to deal with compromised data. This also raises another question: on what basis will digital signatures be re-issued? Another big drawback to this suggestion is that online impersonation is both easy and pervasive. This means innocent people may be implicated because their identities may be stolen and misused by cyber criminals.
WhatsApp’s response to Kamakoti’s proposal also noted that “bad actors could use modified versions of the WhatsApp application to attribute a different phone number to a message”. Similarly, if the signing keys are stolen using malware, or a client’s one-time password is compromised, the message will be traced to the wrong client.
It is also pertinent to note that traceability means that the only reliable information is the phone number. Yet phone numbers, both domestic and international, are easy to anonymously acquire from Skype, Viber, etc. Furthermore, companies will start creating services to avoid being traced.
Sedition Charges and Self-Censorship
The government can also use this rule to conduct surveillance on those who express any form of dissent and these people may then face charges of sedition.
In Kedar Nath Singh v. State of Bihar, the Supreme Court held that sedition, which is an offence under Section 124A of the Indian Penal Code, 1860 (hereinafter “IPC”), was restricted to instances where an individual’s speech or expression disrupted the law or provoked or incited violence.
The conviction rate in sedition cases was quite low in 2019, standing at 3.3%, while the rate under the Unlawful Activities (Prevention) Act, 1967 (hereinafter referred to as “UAPA”) was 29.2%. Yet owing to pre-trial detention under the UAPA, even innocent people charged with sedition spend long durations in prison. This can be attributed to Section 43D of the UAPA, 1967, which allows the detention period to be extended to 180 days in order for the police enquiry to be completed. Further, under the same section, a judge cannot grant bail if he/she has any “reasonable grounds to believe” that the accusations against the accused are prima facie true.
In 2018, Junaid Mev was arrested and detained for 5 months under Section 124A IPC and the IT Act for being the admin of a WhatsApp group where a juvenile had sent an objectionable forward. To make matters worse, he was detained although he had become the admin by default after the previous admin had left the group. Moreover, in April 2020, a person was arrested by the UP Police under Section 124A IPC for sharing a picture and an audio clip on WhatsApp containing derogatory remarks about the Indian Prime Minister and the US President, Donald Trump.
It can be observed from the above examples that the draconian sedition law has been used to punish those who express their dissent towards the government. Self-censorship would therefore be an indirect result of traceability, further infringing one’s right to freedom of expression.
The Problem with Collecting Metadata
It is possible to find the originator of a message using metadata, which contains information about the communication such as time, date, destination, etc., but not the contents themselves. Nick Clegg, Vice President, Global Affairs and Communications of Facebook, in 2019 suggested this as an alternative to finding first originator information.
According to experts, a similar issue of impersonation arises, along with the risk of tracing spoofed metadata to an innocent person, since even small changes to a message’s content alter the metadata of the message, which breaks the link to the originator.
Additionally, Rule 3(1)(h) of the IT Rules, 2021 requires intermediaries to retain information for 180 days, i.e. 6 months, even after deletion of the account for investigative purposes. Stored metadata can be used by criminals to create social graphs that could lead to extortion, blackmail, etc. There is also a possibility of misuse of metadata by law enforcement agencies. For example, Australian law enforcement agencies were called out by the Digital Rights Watch for abusing the metadata retention scheme. This watchdog has made constant requests to reduce the mandatory retention period.
There is also a risk that these platforms themselves can monetise these social graphs for their own use, exposing sensitive details to data brokers, etc.
Rule 5(2) of the IT Rules, 2021 requires the social media intermediary to provide first originator information under an order passed under Section 69A of the IT Act. However, Section 8(1) of the Right to Information Act, 2005 read with Section 69A of the IT Act allows the government to maintain strict confidentiality if it is in the interests of national security. Consequently, there will be no transparency since RTI queries regarding such actions may remain unanswered.
The rule also states that first originator information shall not be provided by social media intermediaries “in cases where less intrusive means are effective in identifying the originator”. However, the rules fail to clarify who is to decide whether less intrusive methods can be used. The increasing backlog of court cases serves as a reminder that this will be an unnecessary burden on the judicial system if such a decision must be taken by Courts.
Alternatives to the Traceability Rule
Kamakoti has proposed that users should be allowed to send messages under the designation “not for sharing” or for limited sharing up to 2 people. This would mean the recipients will have to recreate the message to send it further. Another one of his suggestions is that messages can only be traced if a watchdog agency, i.e. WhatsApp, cooperates to reveal it. However, Manoj Prabhakaran’s Report (hereinafter referred to as “The Report”), which is a comment on Kamakoti’s proposals, states that neither of these would act as an effective barrier to the spread of fake news.
There are other alternatives already in force. A spokesperson for WhatsApp stated that the company actively bans accounts for “engaging in bulk or automated messaging” and that the number of banned accounts amounted to 2 million. Moreover, there has been a 70% decrease in viral messages on WhatsApp as a result of new policies such as the introduction of a way to check forwarded messages by tapping a magnifying glass button. WhatsApp has also limited the number of times a forwarded message can be forwarded to 5.
Despite the right to privacy being recognised as a fundamental right, the government has passed laws that seek to infringe that very right on the pretext of curbing fake news. Amnesty International in its open letter to Facebook has stated “there is no middle ground: if law enforcement is allowed to circumvent encryption, then anybody can”. This statement is a reminder that there are serious consequences of tracing private messages. In a country which has time and again proved that dissent towards the government is not well accepted, traceability reiterates this fear in the form of self-censorship. In order to uphold the privacy of the citizens of our country, the traceability rule must be reconsidered and possibly repealed after due consideration of the amount of possible misuse.
(This post has been authored by Naina Bora. Naina is a third-year law student at Gujarat National Law University, Gandhinagar)
Cite As: Naina Bora, ‘Is Privacy Sacred? Critically Analysing the Traceability Rule’, (The Contemporary Law Forum, 3rd May 2021) <https://tclf.in/2021/05/03/is-privacy-sacred-critically-analysing-the-traceability-rule> date of access.