This article is written by Harshita Shah pursuing Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.
Table of Contents
Introduction
Owing to the spread of misinformation, child pornography, and rape videos through WhatApp, the new IT rules mandate significant social media messaging platforms to disclose the first originator of the information. This raises concerns of privacy and cybersecurity as WhatsApp, one of the popular end-to-end encrypted messaging platforms will have to break its end-to-end encryption or weaken the end-to-end encryption to provide backdoors for law enforcement agencies. Being end-to-end encrypted, WhatsApp only acts as a router of information and does not store any messages on its servers.
Hence, presently, WhatsApp cannot take down any content that contains sexually explicit images, child pornography, rape videos or images, or any other content that falls within the grounds as mentioned under Section 69 of the IT Act. In this article, an attempt is made to lay down why the current rules for tracing originators are done in much haste, without exploring any technical answer that would cause minimal harm. Note that although the rules prescribe to consider other less intrusive means available, however, without judicial and public oversight it would fail.
Background of the current rules and the possibility of secret locker rooms
In 2015, Prajwala, an NGO filed a writ petition in the Supreme Court regarding the circulation of two rape videos through WhatsApp, one was a video of a man raping a girl and another a video of a woman being gang-raped by five men. The petitioner raised an issue to deploy mechanisms that would ensure such videos are not circulated, shared, and available for viewing by anybody, and the responsibility of law enforcement machinery to ensure its compliance. Recommendations are given in the petition to overlook the concern of privacy. These recommendations do not consider the existence or possibility of end-to-end encrypted platforms. Just slightly after that in 2016, WhatsApp enabled end-to-end encryption because of which WhatsApp as an intermediary failed to assist law enforcement agencies. With the likes of secret boy’s locker room that has been unearthed recently, concerns are expressed about the existence of such secret locker rooms to exchange child sexual abuse material, and other sexually explicit images and videos of women
Breaking end-to-end encryption and privacy
Although under the current law, the government has the power to issue directions for the interception, monitoring, or decryption of any information under Section 69 of the IT Act, intermediaries are obliged to extend all facilities and technical assistance to provide access to the computer resource generating, transmitting, receiving or storing such information. WhatsApp does not store the content of any messages. So to oblige, with the current law, WhatsApp will have to break the end-to-end encryption. However, in Puttaswamy v/s Union of India, “Privacy is recognized as the ability of individuals to control vital aspects of their lives and safeguards the autonomy exercised by them in decisions of personal intimacies, matters of home and marriage, the sanctity of family life and sexual orientation, all of which are at the core of privacy”.
Absence of strong encryption regulations
In absence of strong encryption regulations and comprehensive data protection laws, users will not be able to safeguard their privacy. WhatsApp will be able to process all kinds of information, given the absence of a data protection act. WhatsApp is used for personal, intimate, professional and all kinds of chatting, even if we use Automatic filtering tools, it can risk the privacy of intimate conversations and other political discussions.
The current provision compels the significant social media messaging platforms to trace the first originator as per the procedures laid down in Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009. However, the provisions of IT Rules 2009 are based much on the Telegraph Act and they apply uniformly to all communications happening over the internet, without conceiving the idea of over-the-top communications. Currently, the Internet service providers and telecom service providers are permitted to use encryption up to 40 bit only. In case if ISPs want to deploy encryption standards higher than 40 bit, then permission from telecom authority should be obtained and in such cases, internet service providers will have to deposit a decryption key with the telecom authority. Clearly, these requirements are only applicable to ISPs and TSPs. The guidelines for grant of ISP license were conceived in 2007. The present rules overlook the pace of technological developments that have happened since then and apply a “one size fits all” approach.
Falsification of messages
In Antony Clement Rubin v/s Union of India, an IIT professor Manoj Prabhakaran filed his report on originator tracing for WhatsApp. He raised concerns regarding the authenticity of information recovered upon tracing the originator of the message. Currently, WhatsApp uses 256-bit encryption, and the encryption tool has been developed by Open Whisper System(OWS) that uses Diffie-Hellman(DH) algorithm. It is nearly impossible for any malicious actor to spoof any genuine user’s account and send messages across to other contacts of genuine users. However, with the new rules, the encryption standard will have to be lowered to allow tracing of the first originator and malicious actors will be easily able to spoof the genuine users’ accounts. We have heard about many spoofing cases from Gmail to our Facebook Messenger. Breaking end-to-end encryption leaves room for malicious clients to reverse engineer and this may mislead another person as the first originator.
Alternative to originator tracing
In the same report filed by Manoj Prabhakaran, the proposal includes a facility to add comments on the viral messages. These comments can be added by fact-checkers and WhatsApp can display these comments alongside the messages for people’s viewing. However, this is possible only for messages that are forwarded beyond a prescribed limit and this will help prevent the spread of misinformation. But to do so, offline and online spam filters have to be implemented which can detect and mark messages as potentially unreliable, and discourage users from sharing them. These pre-filtering tools will require access to the content of messages, to mark messages as potentially unreliable. Again this will break end-to-end encryption. But this is a nice alternative if we can design it in a way that doesn’t compromise privacy or does minimal harm to all other alternatives.
Existing laws for Lawful Interception and Monitoring
The government of India has set up three surveillance systems for Lawful Intercept and Monitoring(LIM). The surveillance systems are established without any legal backing. There exists a provision under the Information technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009, under which the secretary in charge of Home Department in a state government or secretary in the Ministry of Home Affairs for central government can issue orders to intercept, monitor or decrypt any information through any computer resource on the grounds as specified in Section 69 of IT Act. These secretaries are referred to as competent authorities under the 2009 Rules. While tracing the originator the same procedure ought to be followed. Under the Rules, this competent authority can also authorise some agencies to carry out the directions mentioned in the order, and accordingly, the Ministry of Home Affairs in the central government has authorized 10 security and intelligence agencies.
Procedure for issuing direction for the interception, monitoring, and decryption of information
A direction for the interception, decryption, and monitoring of information can be issued by the competent authority under the 2009 Rules to the decryption key holder, specifying the reasons for decryption, interception, or monitoring of information. The direction should specify the reasons for decryption, interception, or monitoring information. A request will also be made by the agency to the nodal officer of intermediary and the intermediary should provide all facilities for decryption, interception and a copy of this direction has to be forwarded to the review committee. Once forwarded to review committee;
-
Composition of the review committee of central government
The review committee of the central government is constituted by the central government themselves and consists of a cabinet secretary who presides as chairman, then a member in charge of legal affairs in the secretary to the Government of India, and another member from the department of telecommunications.
-
Composition of the review committee of state government
The review committee of the state government is constituted by the state government and consists of a chairman who is the chief secretary, a member of the secretary of legal affairs, and a member from secretary to state government, other than the home secretary.
Surveillance systems
Indian Government has set up three surveillance systems namely CMS, NATGRID, and NETRA.
-
Centralized Monitoring System(CMS)
As per a press information release, the government has set up a centralized monitoring system which would be connected with central and regional databases that would help Law Enforcement Agencies (“LEAs”) in the interception and monitoring of call records of targeted numbers, without any intervention from telecom service providers. These call data records will include metadata, call details, location details, etc. of the targeted numbers.
-
Network Traffic Analysis(NETRA)
After the 26/11 attack, the Network Traffic Analysis (NETRA) was deployed to monitor Internet traffic and searches with the keywords such as attack, bomb, blast, kill across tweets, social media, internet searches, emails, blogs, etc. NETRA would essentially monitor any and all internet traffic, online activity that would mention any of the keywords. So practically, NATGRID is deployed for extensive surveillance for all sorts of Internet activity.
-
National Intelligence Grid(NATGRID)
NATGRID or National Intelligence Grid is a surveillance project that studies huge amounts of data and metadata related to individuals. The ambit of the project essentially covers analysis of data pertaining to bank account, credit and debit card transactions, Visa, and immigration records. NATGRID is also placed out of the purview of RTI Act, 2005.
Legal basis of surveillance system
Currently, the only lawful way for the interception, monitoring, and decryption is given by way of IT 2009 rules, where any interception, monitoring, and decryption direction has to be served to intermediaries, and the intermediaries will review the direction at their end and if it is justified they will provide access to such information. Without any statutory act, it is unclear how these surveillance systems operate and what all data they collect. Also, these surveillance systems are put out of the purview of the RTI Act, 2001. Under the SPDI rules, 2011, financial details are classified as sensitive personal data, NETRA can put such data under surveillance. Section 69 of the IT Act mentions the ground under which the government can direct for the interception, monitoring, and decryption. However, without any statutory act and absolute power, Lawful Interception and monitoring systems can be used to monitor any kind of information. A similar precedent of the secret surveillance system exists. PRISM was a surveillance unit deployed by the National Security Agency. In the USA, the National Security Agency was secretly running a surveillance project called PRISM. The project was a by-product of the 9/11 attacks. The agency had unfettered powers to collect and investigate information on foreign subjects and US citizens who were common men and had no involvement in any terrorist activities or secret mafia agency. Companies such as Google, Microsoft, Apple, Yahoo, and others provided NSA a backdoor to collect data of any user.
Reasonable restrictions to the right to privacy and absence of personal data protection law
In the Wiretapping case, the court held that the right to hold a telephone conversation in the privacy of one’s own home or office without interruption can be claimed as the right to privacy. Telephonic conversations are often of an intimate and confidential nature and tapping them can be curtailed only as per the procedure established by law which ought to be just, fair and reasonable. WhatsApp texts are also personal, intimate, and confidential in nature. However, without a comprehensive data protection law, or amendments to the existing composition of the review committee and without questioning and bringing the surveillance systems under the legislative ambit, any interruption will not classify as just, fair and reasonable.
UN resolution on the right to privacy in the digital age
This resolution appeals to all the member states to review the procedures, practices, and legislation regarding surveillance of communications to uphold the right to privacy. This resolution lays down principles for making any lawful interception. As per the principles, interception should not be made without any legislative act or else it will be a violation of privacy. There should be a competent judicial authority in charge of making any communications surveillance and an independent oversight mechanism to ensure transparency and accountability of communications surveillance.
However, currently, the surveillance systems operate without any legislative act conferring power for the same. Secondly, the review committee under the 2009 rules does not consist of any judicial authority, rather all the members are of the government. Secondly, there does not exist an independent oversight mechanism as well to overlook if the surveillance is carried out as per the due procedure of law and is not unreasonable.
Conclusion
It cannot be questioned that the absolute right to privacy cannot be conferred as lawful interception, decryption is necessary to prevent and investigate any crime. The more pertinent issue is to consider whether the current legislative, regulatory and technical infrastructure is enough to warrant such lawful interception. While the government wants all such messaging platforms to comply with the new IT rules, 2021, the updated privacy policy of WhatsApp is being lashed by the government. However, amidst their tussle, it is the citizens’ right to privacy that deserves attention and greater deliberations. The current provision of tracing the first originator would weaken the infrastructure of end-to-end encryption and will not be able to protect the privacy of users considering the increased risk of cybersecurity. This requires active deliberations on technological frontiers and applying the least harm-causing option.
References
- https://www.dw.com/en/whatsapp-in-india-scourge-of-violence-inciting-fake-news-tough-to-tackle/a-52709823
- https://www.dw.com/en/is-whatsapp-a-threat-to-indias-security/a-19363901
- http://cis-india.org/internet-governance/blog/misuse-surveillance-powers-india-case1
- http://www.thehindu.com/news/national/jaitleys-phone-not-tapped-butcall-records-accessed-says-shinde/article4465326.ece?ref=relatedNews
- http://rsdebate.nic.in/bitstream/
- http://www.thehindu.com/news/national/arun-jaitley-phonetapping-case-6-more-held/article5350492.ece
- https://www.theverge.com/2013/7/17/4517480/nsa-spying-prism-surveillance-cheat-sheet
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: