IMPLICATIONS OF TRACING THE FIRST ORIGINATOR UNDER THE INTERMEDIARY GUIDELINES, 2021
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“Intermediary Guidelines”) were enacted to address the concerns of transparency, accountability, and rights of consumers of digital media. The Intermediary Guidelines have undergone judicial scrutiny due to issues highlighted by news aggregators and social media intermediaries such as the lack of clarity regarding the tracing of the first originator’s message.
The author shall be familiarizing the reader with the rationale behind tracing the first originator and then discuss the legal issues emanating from the procedure provided under the Intermediary Guidelines. Additionally, the author shall also be concluding on the efficacy of tracing the originator by breach of encryption.
THE NEED FOR TRACING THE FIRST ORIGINATOR
The Information Technology Act, 2000 (the “IT Act”) defines an originator under Section 2(za) of the IT Act as a person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person but does not include an intermediary.
The internet is limitless and so is the widespread of circulation of content. In order to bring in more accountability on the person who first posted a content, pursuant to Rule 4(2), every significant intermediary providing services through message is required to assist in identifying the first originator of a message if any judicial order is passed. However, a mere reason of accountability is not enough to justify the mammoth of invasion of privacy.
As per Rule 2(v), a significant social media intermediary is a social media intermediary having more than 50 lakh registered users in India. Rule 4(2) further requires a significant social intermediary to enable identification of the first originator if there is a government order passed to that effect under Section 69 of the IT Act.
PROTECTING PRIVACY WHILE TRACING THE ORIGINATOR
Section 69 of the IT Act allows a social media intermediary to intercept, decrypt, monitor, secure access, provide information and access to such message in question. This provision makes it mandatory for these social media intermediaries to decrypt the messages and invade the privacy of its customers in order for them to exist within the Indian jurisdiction. If an intermediary does not adhere to this requirement, the subscriber or the intermediary would be subjected to an imprisonment up to seven years and fine.
Moreover, the provision does not provide a clear objective for the government to demand decryption. The broad grounds for passing a judicial order for traceability include prevention, detection, investigation, prosecution or punishment of an offence related to the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, or incitement to an offence relating to the above or in relation with rape, sexually explicit material or child sexual abuse material, punishable with imprisonment for a term of not less than five years.
The only comforting factor on the wide powers vested with the government is that the provision requires such government order for tracing the first originator to be avoided if there are less intrusive means to trace the identity of the originator. However, the law neither assigns a meaning to the term “less intrusive” nor lays down any guidelines for preferring any other means as less intrusive over an order to trace the first originator. The lesser intrusive means with respect to an intermediary like WhatsApp includes any means that identify a person without breaking the encryption. However, this exception is not applicable to WhatsApp, and will be further discussed by the author in the next section.
While the provision also requires a significant social media intermediary not to disclose the contents of a message to any other user, the rules do not provide any consequences for breaching the non-disclosure requirement in law. Hence, it is unclear whether one could agree whether the government was right in justifying this restriction as reasonable and a last resort measure.
JUDICIAL SCRUTINY ON BREAKING THE ENCRYPTION UNDER THE INTERMEDIARY GUIDELINES
Earlier this year, WhatsApp LLC challenged Rule 4(2) of the Intermediary Guidelines before the Delhi High Court. In doing so, the WhatsApp LLC claimed that the rule required intermediaries to allow identification of the first originator of the information in India and thereby break the end-to-end encryption of messages which protects the data from being accessible to third parties. This was alleged by the intermediary to be in contravention of the privacy guaranteed on the platform and enabling traceability of the messages would infringe the fundamental rights of free speech and privacy. Thus, the Rules were challenged as ultra vires of Articles 14, 19(1)(a), 19(1)(g), and 21 of the Constitution of India, and the IT Act, 2000.
WhatsApp also submitted before the Delhi High Court that Rule 4(2) infringed upon the fundamental right to privacy as it did not meet the requirements of the three-part test of legality, necessity and proportionality. The guidelines were also challenged for being violative of Section 79 of the IT Act and for being contrary to the objective of the IT Act to provide a safe harbour to the intermediaries from any third-party information made available by them.
The intermediary explained that to check whether the messages on WhatsApp incited an offence or jeopardized the sovereignty and security of the state, each and every message would have to be scrutinized. Such breakage of encryption would not discriminate with the privacy rights of lawful users and unlawful users, thereby preventing the users from communicating without the fear of being traced. Such a mandatory requirement of tracing the originator of every user violates the right of anonymity which is contrary to the right to privacy.
While the Intermediary Guidelines are being challenged on account of potential risk to the freedom of speech of social activists, news media and privileged communications, the Guidelines have proven to be helpful in enforcement of rights of a victim of a cyber offence.
In another case, 'X’ v. Union of India and Ors., the photographs posed by the petitioner on her Facebook and Instagram handles were taken without her knowledge and were posted on a pornographic website by an unknown entity. The said photographs were alleged to have become offensive from association. Despite several directions issued by the Delhi High Court to remove the content from the world-wide-web, the website responded stating that it was technologically impossible to erase the content that had been circulated multiple times on the internet. Thus, the petitioner could just avail the remedy of obtaining fresh orders every time she came across an offending content in relation to her identity.
While deciding the issue of compliance with the Intermediary Guidelines without impunity, the Hon’ble High Court issued template directions for enabling removal of illegal content from the internet without any possibility of reemergence. In furtherance of issuing relevant directions suggested the Hon’ble Delhi High Court observed,
“Directions should also be issued to the concerned law enforcement agency/ies, such as the jurisdictional police, to obtain from the concerned website or online platform all information and associated records, including all unique identifiers relating to the offending content such as the URL (Uniform Resource Locator), account ID, handle name, Internet Protocol address and hash value of the actual offending content along with the metadata, subscriber information, access logs and such other information as the law enforcement agency may require, in line with Rule 3(l)(j) of the 2021 Rules, as soon as possible but not later than seventy-two hours of receipt of written intimation in this behalf by the law enforcement agency.”
The Court directed the Delhi Police to obtain the names of all the search engines associated with the website and associated records of the offending content. The content was directed to be investigated and removed 72 hours of receipt of a copy of the judgment.
Hence, there could be other benefits of tracing the originator of the message such as reinforcement of right to privacy and security, accountability of platforms in public interest, prevention of offences, and traceability and curbing reposting of content on limitless platforms on the internet.
THE CONFLICT BETWEEN ENCRYPTION AND GOVERNMENT OF INDIA’S SURVEILLANCE
End-to-end encryption, by definition, means that only the sender and receiver have access to a key that can decrypt an electronic communication. Encryption is required to curb the concerns of data privacy while storing and transmitting data. In fact, experts suggest for an Advanced Encryption Standard to protect big data.
The Government of India, in its press release, has stated that it would be WhatsApp’s responsibility to find a technological solution to ensure that both encryption and traceability is maintained. However, it is to be noted that where a message is intercepted by the government or telecommunications operator, it remains unclear without a decryption key. For the government to decrypt data, the government would possess the power to coerce WhatsApp to build an exceptional access which brings a plethora of risks associated with such access. In order words, there is a possibility of “back doors” i.e., malicious actors having access to such data which is an inherent consequence of weakened encryption. For example, the NSA had once investigated fund projects in its classified operation Bullrun where the e-mail, chat, videos, photographs and file data were routinely collected by the U.S.A.
While the Government of India has cited examples of other nations in its response, it is crucial to note that such back doors are regulated through Technology Capability Notice (TCN) mechanism in the United Kingdom, and through the Fourth Amendment in the United States of America. However, no such detailed mechanism exists in India. In fact, deleting the data would not be a part of the policy to be regulated while the Government uses data, but more of the ethical process that ought to take place after the access is provided to the government.
The Delhi High court in the case of WhatsApp LLC v. Union of India (supra) has stayed the matter and the Centre has requested the High Court to dismiss the plea as WhatsApp being a foreign commercial entity must ensure that its activities do not result in criminal acts and comply with the Intermediary Guidelines.
 Press Information Bureau, https://pib.gov.in/Pressreleaseshare.aspx?PRID=1721915, Ministry of Electronics and Information Technology Notification, Government of India, May 26 2021, 5:35 P.M.
 The Gazette of India, https://egazette.nic.in/WriteReadData/2021/225497.pdf, Ministry of Electronics and Information Technology Notification, Government of India, February 25, 2021.
 supra note 1.
 WhatsApp LLC v. Union of India, 25-05-2021.
 K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
 Central Public Information Officer, Supreme Court v. Subhash Chandra Agrawal, (2020) 5 SCC 481.
 W.P. (Crl) 1082/2020, MANU/DE/0767/2021.
 Guido Noto La Diega, The Internet of Citizens: A Lawyer's View on some Technological Developments in the United Kingdom and India, NLSIU Bangalore - Indian Journal of Law and Technology 15 (2016).
 supra note 1.
 John Villasenor, No, the Laws of Australia Don't Override the Laws of Mathematics, BROOKINGS INST. (July 17, 2017), https://www.brookings.edu/blog/techtank/2017/07/17/no-the-laws-of-australia-dontoverride-the-laws-of-mathematics.
 Bruce Schneier, The Importance of Strong Encryption to Security, SCHNELER ON SEC. (Feb. 25, 2016), https://www.schneier.com/blog/archives/2016/02/the-importanceL.html.
 Michael L. Rustad & Thomas H. Koenig, Towards a Global Data Privacy Standard, 71 FLA. L. REV. 365, 401(2019).
 Investigatory Powers Act, Ch. 25 § (87X) (Xa) (2016).
 U.S CONST. amend. IV.
 Bart Custers, Helena U. Vrabec & Michael Friedewald, Assessing the Legal and Ethical Impact of Data Reuse: Developing a Tool for Data Reuse Impact Assessments (DRIA), 5 EUR. DATA PROT. L. REV. 317, 323 (2019).