June 06, 2021

New IT Rules: Attack on Citizen’s Rights


THE ministry of electronics and information technology (MeitY) issued a new set of rules as part of the IT Act on February 25,  2021, termed the "Intermediary Guidelines and Digital Media Ethics." Social media intermediaries such as Google, Facebook, Twitter, WhatsApp were given three months (by May 25th) to comply with the rules or lose their 'safe harbour' provisions. Compliance with these rules would significantly change the way we interact with such platforms and each other, threatening our fundamental rights of free speech and privacy.

In the days preceding the deadline, the internet was abuzz with speculation that Google, Facebook, Twitter, WhatsApp, and other platforms would be banned or blocked if they did not comply with the new rules. While Google, Facebook, and most others agreed to comply with regulations, WhatsApp filed a petition in the Delhi High Court that certain provisions of the rules violate the privacy rights of Indian citizens. Compliance with these provisions would in effect deny WhatsApp providing encrypted messaging services to its subscribers. 

Intermediaries are persons or platforms which store, receive or transmit any information on behalf of another person. This applies to telecom, internet service providers, search engines, hosting websites, blog sites, and social media platforms such as Facebook, Twitter, WhatsApp, etc.

As the intermediary is concerned with storing, receiving, and transmitting third-party data, as long as it has not actively participated in any activity regarding such data, it would not be liable for any third party content and protected under the "safe-harbour" provisions—Section 79 of the IT Act. This was the case until the application of the new IT rules, where the intermediaries are supposed to comply with a host of additional rules.

The key changes in the new IT rules pertain to 'significant social media intermediaries', which are defined as platforms with more than 50 lakh users. Platforms such as Google, Facebook, Twitter, WhatsApp fall under this category.

These Intermediaries are required to appoint an Indian resident "chief compliance officer" who will be liable in proceedings and cases regarding third-party information posted on their site. This means that the government can prosecute the appointed officer in case the intermediary fails to act on the third-party information flagged by the government. This provision can be used to intimidate and strong-arm the platforms to self-censor any content critical of the administration, just as seen in the recent case of Delhi police raids on Twitter offices just after Twitter tagged a BJP politician's tweet as "manipulated media".

While non-compliance with the rules does not mean an immediate ban of the platform, it does mean that the platform and the designated persons will be liable to prosecution as well as loses its safe harbour protection and liable for the content on its platform.

The new IT rules require the significant platforms providing messaging services to provide the source of "first-originator" of any given message. This is defined as the first Indian user who sent the message to other users i.e., the message originated with this user.

This means that WhatsApp, Telegram, ShareChat, JioChat, Hangouts, and other such messaging platforms will now need to comply with the first-originator rule, requiring the platforms to keep track of "who sent what to whom" and share it with the government on demand. It is precisely this "traceability" clause that is the subject of  WhatsApp's suit.

WhatsApp indicates that it follows the "Signal Protocol" implementation. This means that the communication between two individuals is end-to-end encrypted. The message from one person is scrambled in such a way that only the person whom it is intended for can read it properly. End-to-end encryption is the standard mechanism to protect both the privacy and the security of our conversations.

While WhatsApp stores the meta-data i.e., "A sent a message to B at time X," it encrypts the message itself and deletes it. So, it does not have the information "A sent B a message M".  Right now, given a particular message and access to a person’s WhatsApp account, one can only determine who sent the message to that particular individual or a group to which the individual belongs. The process has to be repeated for the sender of the message and so on in order to trace the message chain. If the traceability clause is enforced as specified in the new IT rules, the platform would need to maintain a record of all the messages and who sent them. Even if we disguise the message itself—meaning encrypt it—you would only need one copy of the message to unmask the disguise, determine all the people who sent the same message and there would be no use in encrypting the message. This is why WhatsApp claims that enforcing the "first originator" rule "breaks" end-to-end encryption.

If WhatsApp is forced to comply, it would have to create a special implementation for Indian users where all the messages are identified with their senders and receivers.  This would not only nullify end-to-end encryption, thereby adversely affecting our privacy and security of our conversations but also make them prone to data breaches and leaks.

It is notable that in the case where the message has not originated in India, the rules define the first-originator to the first person residing in India who shared the message. This sets a dangerous precedent in making a person liable even if he/she is not even responsible for creating the message in the first place. The unlawful arrest of the 21-year-old climate activist Disha Ravi is a chilling reminder of how the "first-originator" rule can be used to incriminate someone for baseless reasons. We must all remember that Google was only too willing to furnish the details that led to her arrest.

Breaking end-to-end encryption jeopardises the privacy of individuals and the conversations with their loved ones, friends, colleagues, and others which are made in confidence. The rules which require traceability of the first originators of some messages, these rules will end up tracking all our conversations. The purpose of the new IT rules to regulate the intermediaries instead place the citizens under constant suspicion while severely impacting their privacy and security.   If implemented, the government will have the instrument to identify whoever originated information that government considers “criminal”. Considering that this government considers all criticism as anti-national or sedition, and any campaign against it as a conspiracy, it is clear that such moves are attempts to curb all dissent.
The other danger in weakening or breaking end-to-end encryption is that it could put the lives of journalists, whistleblowers, human rights activists, and the sources they need to protect at risk as they may use WhatsApp messaging. Asking WhatsApp to modify the standard Signal Protocol to weaken privacy also weakens our right to information.

Recently, WhatsApp declared that it was sharing some data of its users with Facebook. How is that possible without "weakening or breaking end-to-end encryption"?

WhatsApp started sharing the data in 2014 about users' chats (meta-data), their connections, location information, and transactions to its parent company, Facebook, two years after it was acquired by Facebook. The new privacy policy announced in January this year discloses this practice and further adds that the interactions between users and business entities will go through Facebook. Crucially, Facebook will be privy to not just the meta-data but the entire contents of our messages with any business account. This includes our transactions in a shopping site, movies watched on OTT platforms, articles read and shared on WhatsApp. Although the encryption protocol is still followed, Facebook inserts itself as the perpetual "middleman" in all such interactions we have and is allowed to "peep-through" those messages.

WhatsApp's policy considers our interactions with businesses as not private, thereby themselves weakening the end-to-end encryption protocol to access to our business interactions and purchases.  This is why Signal is a more trustworthy platform than WhatsApp.

Neither WhatsApp's policy nor the new intermediary guidelines are designed to benefit the users and citizens. WhatsApp exhibits a double standard by sharing the data of Indian users with Facebook while complying with the EU GDPR rules in Europe, where it does not share the information with its parent company Facebook.  The violation of users' privacy by weakening encryption even if it is confined to "business" chats is done only to exploit the data of user's interactions for maximising Facebook and WhatsApp's profits.

The new IT rules are regressive and unconstitutional as it criminalises dissent and violates citizens' right to privacy. Its implementation will have a chilling effect on free speech and encourage self-censorship.  This is why these retrogressive modifications to the IT rules should be opposed.