×

India's New Social Media Regulations May Require WhatsApp to Break Encryption in Order to Comply

26 Feb 2021

Whatsapp, Signal and Telegram face a catch-22 situation as India’s new social media rules threaten encryption


Encryption is a safety blanket for many. It is the night light to keep nightmares away. But, that may no longer be the case with India’s new social media regulations.

The Indian government thinks that it has found a loophole. It claims that it does not care about what messages are being passed around, but if an incident is found to have been instigated through social media, they want to know who started it all — they want to find the ‘first originator’.

“We don’t want the content, because the content is already out there in the form of tweets or messages. But, who began the mischief? This, they [social media platforms] will have to disclose,” said the Minister of Electronics and Information Technology (MeitY), Ravi Shankar Prasad, while announcing India’s new IT rules on February 26.

 

The catch-22 here is, “Who came first, the chicken or the egg?” Without being able to peep at the content, how can one know who started a particular incident? And, how far back do you go to assign blame?


Platforms like WhatsApp, Signal and Telegram — who run their business on promising users’ privacy with end-to-end encryption — are going to have a tough time dealing with such a regulation once it comes into play after three months, when the new regulations are set to be enforced.

To break or not break encryption

End-to-end encryption is a fairly simple concept. This means that no-one except for you and the person you are sending messages to, can peep into your conversations. The content is private and according to India’s Supreme Court, privacy is a fundamental right.

However, if platforms like WhatsApp do not adhere to the new IT rules, they will be answerable to the Indian government. “Failure to do so will make these intermediaries liable for any illegal third-party information that is made available or hosted by them without their consent and may even lead to an end of their operations,” Neeraj Dubey, partner of corporate law at Singh and Associates, told Business Insider.

Like the tech giant Apple told the Federal Bureau of Investigation ( FBI) back in 2016, if the encryption is strong enough, even the companies implementing it have no say in unlocking it. According to the Silicon Valley firm, creating a backdoor that voids encryption would unlock a whole new set of security threats for users.

“We don't know how the government expects platforms to comply with this requirement without breaking encryption,” noted Mishi Choudhary, the legal director of the Software Freedom Law Centre (SFLC). “It will limit the choices of users who have now come to expect encrypted messaging services as an essential part of their communications habits.”

In the past, when the government has asked WhatsApp to identify the origin of messages, the Facebook-owned messaging service has always turned down such requests citing end-to-end encryption.


“You can only tell how many times a thing has been forwarded. You can’t go back and trace the source in that context. If you are doing that, then it means you are reading the content,” Tarun Pathak, associate director with global analysis firm Counterpoint Research, told Business Insider.

Even if a platform like WhatsApp were to break encryption in order to adhere with the government guidelines, it would be violating its own rules and regulations.

“For an intermediary to collect the content of the messages, which it would need to trace the first originator of information, this would mean breaking encryption and storing the content of messages on servers, which would constitute violation of privacy guidelines,” explained Dubey.


Social media may not be entirely doomed
 

According to Induslaw’s Avimukt Dar, the underlying intent of the law is not to break encryption. “In the event the identity of the person sending the message is already visible to the messaging platform under its data harvesting protocols then it can be shared on lawful request without breaking double encryption,” he told Business Insider.

WhatsApp offers users the option to back up their chats and messages onto the cloud — a change the company brought in three years ago. “Once the chats are backed up on a cloud storage platform, they are no longer protected by end-to-end encryption and can be accessed by Intermediary or any other third party,” said Dubey.

Moreover, in the past, the Indian government has suggested alternative means of tracing messages like digital fingerprints or embed a user’s information within the messages themselves.

Not that WhatsApp has complied because until now, intermediary platforms — like Whatsapp, Telegram, and Signal — have benefitted from the safe harbour protection available to them. “However, the safe harbour rules are also subject to compliance with the IT Act and the rules framed by the government,” explained Tanu Banerjee, a partner at legal consultancy firm Khaitan & Co.

Terms and conditions apply
The government has mandated that finding the ‘first originator’ will only be in cases where the penalty is greater than five years. This includes instances where there may be a threat to India’s national sovereignty, security of state, public order, and other scenarios laid out under Section 69 of the IT act.

This also implies that there has to be a valid court order in order to ask for the ‘first originator’. “The rules clarify that such an order should not be passed if less intrusive means are effective in identifying the originator,” explained Banerjee.


Encryption is a hurdle that these companies will have to address on their own. For users, the bigger question is around freedom of speech. Section 69 of the IT Act is not very clear with respect to what constitutes a valid threat. What may be right for me, may not be right for you. “It is something that is needed but it should be executed in a way that the framework is clear at least,” said Pathak.

Within the new rules, India has not specified who will be making the decision of whether or not the line has been crossed. With a wiggle of three months, it is possible that the guidelines can be tweaked to find a balance between what companies like WhatsApp are capable of, what users want and what the government is hoping to achieve at the end of the day.

Article published by BusinessInsider.in

© 2023 Alliance of Business Lawyers. All rights reserved.

Terms of Use | Privacy Policy