Divided By Borders, United By Desire To Decrypt


    India claims to follow suit of leading nations – introduces law that compels decryption by social media intermediaries

    On 25 February 2021, the Government of India notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021[1]. These Rules replace the Information Technology (Intermediaries Guidelines) Rules, 2011. While the 2011 rules were applicable only to intermediaries, the 2021 rules expand their domain to cover online news content and Over-the-Top (OTT) platforms. As per the Government of India, the latest Rules are designed to ensure that digital platforms like social media sites, messaging apps, digital newspapers and OTTs provide a grievance redressal mechanism to their users. These social media intermediaries were given three months' time, i.e., till 25 May 2021, to comply with the Rules.

    The introduction of these Rules has invited mixed reactions from all quarters, and they have been the subject of extensive commentary. Some have called these Rules the need of the hour to protect the sovereign, socio-economic and political fabric of the country. The rest have critiqued these Rules, seeing them as a clear attempt at diminishing the privacy of individuals and in effect terminating the unique end-to-end encryption provided by platforms like WhatsApp, Apple, etc.

    As of the date of writing, WhatsApp[2] has challenged the traceability clause of the Rules that requires a significant social media intermediary – having more than five million users – to identify the 'first originator of the information', if sought by Government authorities or court order. WhatsApp is relying on the 2017 judgment of the Supreme Court in Justice K S Puttaswamy (Retd.) and Another v. Union of India and Others[3], to argue that the traceability clause is unconstitutional as it violates the users' fundamental right to privacy. Google has also objected to the application of these Rules, since it is a 'search engine' and not a 'social media intermediary'.[4]

    To cushion the pushback, the Ministry of Electronics and Information Technology (MeitY) released a statement on 26 May 2021 stating its commitment to ensure the right of privacy of the citizens. Seeking the support of global precedent, MeitY said that countries like the United Kingdom, the United States, Australia, New Zealand, Canada and Brazil have already made it clear to social media intermediaries that they are to facilitate decryption of their products and services for easy access by government authorities.

    In this article, we look at the laws (current or proposed) of the countries referred to in the statement of MeitY to evaluate whether what the 2021 Rules are actually asking for is "significantly less" than what some of the other countries have demanded. We also attempt to understand the arguments and reasons for WhatsApp's aggressive approach in challenging the 2021 Rules in India.

    In the United States of America (US), data privacy has been a sensitive topic, particularly since 2013, due to the leak of highly classified official information of the National Security Agency by Edward Snowden. In 2016, Apple Inc. openly declined a request from the Federal Bureau of Investigation to unlock the iPhone belonging to one of the shooters of a terrorist attack in San Bernardino, California. Apple did so citing concerns of its customers' data security.

    Lately, in 2020, a bill[5] titled the 'Lawful Access to Encrypted Data Act' was introduced in the US Senate to give law enforcement agencies access to information contained in a suspect's encrypted device. The proposed law's objective is to address criminal anonymity actuated by end-to-end encryption, which poses a serious risk to the public. In doing so, the proposed law requires any American company with more than one million users in the US to decrypt its users' data and provide it to the law enforcement authorities on demand. Such demand for decryption should be backed by probable cause of crime being committed in a private space like those offered by social media intermediaries.

    In the United Kingdom (UK), the Investigatory Powers Bill received the Royal Assent on 29 November 2016. When fully enforced, the Act[6] – nicknamed the 'Snoopers' Charter' – will allow the UK law enforcement bodies to conduct interception as well as equipment interference (i.e., hacking to obtain information). This law also empowers the government to compel communication service providers to remove encryption. Liberty, a human rights group, challenged[7] the provisions of the 2016 Act largely on privacy concerns. This challenge was dismissed by the High Court in 2018. The group is preparing to appeal against the decision of the High Court.

    In May 2021, the UK introduced the Online Safety Bill[8], putting the onus on social media and other technology companies offering search services to tackle illegal/harmful content on their platforms. The Office of Communications (OFCOM), UK, is equipped with powers to call for any information from such technology companies in order to perform its functions under the proposed law. Notably, providing encrypted information/documents in response to such a request from OFCOM is treated as an offence under the draft bill.

    In Canada, its Minister for Public Safety, along with counterparts from the Five Eyes Alliance – an intelligence sharing alliance comprising Australia, Canada, New Zealand, UK and US – met in July 2019 and discussed the ways in which the international community can work together to prevent people from abusing the internet to promote acts of terrorism, as well as protection of citizens online through strong encryption while keeping them safe and secure.

    Canada's Criminal Code regulates the powers of police in surveillance and interception of private communications while conducting criminal investigations. Judicial authorisation is required for interception of private communications and such requirements are onerous for the investigating agencies. While there exist no express laws obligating social media platforms to decrypt data or establish backdoor access, the courts in Canada may, by order, compel them to assist with police investigations by decryption of data.

    Brazil, in 2018, passed a comprehensive general data protection law, the Lei Geral de Proteção de Dados[9] (LGPD), which aligns with the European Union's General Data Protection Regulation. The LGPD aims to protect data irrespective of how it is collected or stored and permits processing of data only in ten scenarios, including protection of life or physical integrity. This law, which was enforced only in 2020, does not allow the government to demand decryption from the communication service providers.

    Having said that, there are two matters[10] pending before the Supreme Court in Brazil concerning the legality of suspension of WhatsApp for not complying with judicial orders requiring it to hand over decrypted data. In these cases, WhatsApp has argued that the orders demanding decryption infringe upon its users' freedom of speech and their right to privacy, and were contrary to the company's business model.

    In 2018, Australia passed the Telecommunications and Other Legislation Amendment (Assistance and Access) Act, 2018 (TOLA). Also hailed as the 'anti-encryption law' by its critics, TOLA allows law enforcement and intelligence agencies to compel communication providers like WhatsApp, Apple (for iMessage) or Facebook (Messenger) to use their existing capabilities to decrypt the communication on their platforms, or build new capacity to fulfil such requests.

    As of 2019, however, the Labour Party in Australia has introduced an amendment bill[11] in the Senate to amend TOLA. A key amendment proposed, amongst others, is that requests or notices seeking decryption of communication shall be solely approved by a judge.

    In New Zealand, the Telecommunications (Interception Capability and Security) Act, 2013 requires both network operators and service providers (defined as anyone providing a communication service to an end-user in New Zealand) to provide 'reasonable' assistance to surveillance agencies, including decryption of communications, when they were the source of encryption. The term 'reasonable assistance' has not been defined under the law, and it is not clear if it would go so far as requiring decryption of communication.

    On 12 October 2020, New Zealand along with the other Five Eyes Alliance members made another statement[12] titled "International statement – end-to-end encryption and public safety". The statement urged the tech industry to address concerns where encryption is applied in a way that wholly precludes legal access to content. Among other things, the member countries agreed to work with the tech industry to collaborate on mutually agreeable solutions. Interestingly, India signed off on this statement.

    Having scanned the laws above, it does appear that most countries are arming themselves with laws that permit decryption of communication on demand. Importantly, there are also penalties in place for non-compliance. Much like India, national security, protection of law and order, and prevention of sexual crimes are usually the reasons for such clampdown.

    However, what sets India apart, and noticeably so, is that a significant social media intermediary could be ordered to decrypt communications even by an executive order. In most other countries, for example Canada and the UK, such requests for cooperation require the backing of a judicial order following 'due process' of law.

    Furthermore, there is a possibility that the Rules may be interpreted loosely, to include more than they intend to. Words like "sovereignty and integrity of India", "the security of the State", "friendly relations with foreign States", or "public order" are not clearly defined in the Rules, and tend to cover a much wider ambit. There is thus a lack of clarity about the circumstances which merit such orders by the executive or judicial authorities. A big issue is also the absence of procedural safeguards under the Rules. The Rules lack the spirit of checks and balances embedded in the Constitution and allow for unfettered powers to demand decryption.

    These shortcomings may lead to unnecessary harassment and exploitation at the hands of law enforcement agencies, especially in India, where such agencies are politically motivated in their functioning. Needless to say, no social media intermediary wants its platform to be used for unscrupulous or criminal activities or to instigate violence. However, intrusion into the private space of citizens in the absence of defined contours of executive power, may lead to encroachment upon the guaranteed fundamental rights of an individual.

    The limited applicability to only "significant social media intermediary" also begs the question of how useful and effective the provision will be to fulfil the avowed purposes of combatting terrorism and other crimes. Users of similar services by non-significant social media intermediaries may take advantage of this outward distinction created by the Rules to continue with their nefarious designs without any fear of detection.

    Launched as a text-only application in 2010, WhatsApp's growth in India has been monumental. Multiple features have been introduced by WhatsApp over the years which have added to its popularity. Location sharing, group chat, voice messaging, read receipts, WhatsApp web, video calling and now WhatsApp payments are some of the options offered to users in India. As of 2021, India[13] has 390 million WhatsApp users.

    Despite all of the above, end-to-end encryption still remains the marquee feature for WhatsApp's user base in India. The 2021 Rules are a direct threat to this feature. Since the Rules' applicability is limited to "significant social media intermediary", WhatsApp's competitors such as Signal and Telegram may continue to guarantee such end-to-end encryption. This creates a significant competitive disadvantage for WhatsApp, consequently impacting its commercial operations in India in a significant manner.

    A fierce legal battle between the Government and the social media intermediaries is in the making. The final outcome of these litigations will be a landmark and will alter the digital information ecosystem in India.

    *****


    Vikram is a partner in the dispute resolution practice group of Chandhiok & Mahajan and specializes in domestic and international arbitration and competition law.

    Aastha is an Associate with the firm and has experience in civil and commercial litigation and arbitration.


