The Central Government and WhatsApp have sparred with each other in the last few weeks over the new Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules (“IT Rules 2021”) issued in February 2021 under the Information Technology Act 2000 (“IT Act”). WhatsApp has taken special objection to Rule 4(2) of the new IT Rules. This rule states that a significant social media intermediary that provides services in the nature of messaging shall allow the identification of the ‘the first originator’ of a message pursuant to an order from a court or by a competent authority under s. 69 of the IT Act. WhatsApp has filed a petition against it in the Delhi High Court. The Central Government in its defence has issued a press release stating that it is committed to protecting the right to privacy of all its citizens and that the rule will only be used for ‘very serious offences’.
Two points must be noted at the outset. First, such a rule has been brought to get around the End-to-End Encryption (“E2EE”) technology used by several messaging applications. E2EE technology is a system of communication in which only the communicating users can read the messages that they send to each other. The underlying principle is to prevent eavesdroppers which can include – telecoms providers, internet providers or even the State. Second, citizens have a right to communicational privacy when having private conversations with others over call, text, email etc. without any unreasonable interference from the state. This principle has been approved by the Supreme Court of India in cases such as PUCL vs Union of India and Puttaswamy I. E2EE technology provides one of the best possible ways to ensure communicational privacy and, hence citizens can claim a right to E2EE without any unreasonable interference from the state.
This piece aims to scrutinize the rules and the press release. First, it will briefly explain and analyse the first proviso to Rule 4(2) and the above-mentioned press release issued by the Central Government. Second, it will analyse the second and the third proviso to Rule 4(2) which are supposed to be in-built protections to prevent any abuse.
Legislating by a press release?
The first proviso to Rule 4(2) states– “Provided that an order shall only be passed for the purposes of prevention, detection, investigation, prosecution or punishment of an offence related to the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, or of incitement to an offence relating to the above or in relation with rape, sexually explicit material or child sexual abuse material, punishable with imprisonment for a term of not less than five years.” Whereas the Press Release by the Central Government states that that rule will only be used for ‘very serious offences’ related to the same grounds as mentioned above. The first question that arises here is – Has the rule now been amended from ‘offence’ to ‘very serious offence’ or has an interpretation been given by the Government about the rule. Surely, both are not possible. A rule made under a law cannot be amended or an interpretation be given on it through a press release. No constitutional democracy should function by way of releasing press releases for the purposes of amending or interpreting a rule or a law.
Moreover, what does the phrase – ‘very serious offence’ mean. Neither the new rules, nor any law in India gives us a definition for the phrase. Under criminal laws of India ‘serious offence’ means any offence that leads to an imprisonment for 3-7 years. It would be logical to assume that something termed as a ‘very serious offence’ would be graver than a ‘serious offence’ and consequently attract a more severe punishment i.e., more than 3-7 years. However, the logic suffers because the IT Rules prescribe the punishment under Rule 4(2) as not less than 5 years. This creates a rather strange situation in which the punishment for an offence described as a ‘very serious offence’ can have lesser punishment (say anywhere between 5-7 years) than an offence termed as ‘serious offence’. All this confusion and contradiction emerges from the simple fact that Central Govt has tried to ‘legislate’ using a press release.
Shallow in-built protections
The second proviso to Rule 4(2) states – “Provided further that no order shall be passed in cases where other less intrusive means are effective in identifying the originator of the information.” The concept of ‘less intrusive means’ stems from the proportionality standard of review. This standard of review in its current form was first adopted by the Supreme Court of India in the case of Modern Dental College vs State of Madhya Pradesh (2016). It has thus been embedded in Indian jurisprudence by its continuous usage by the Supreme Court in Puttaswamy I and II, in the Anuradha Bhasin case and the Internet and Mobile Association of India case (cryptocurrency judgment). The proportionality test has four prongs and the concept of ‘less intrusive means’ forms the third prong of the test. This prong simply means that the Court will test if the measure adopted by the State was the least intrusive measure to curtail the fundamental rights of a person.
The author has argued elsewhere that the third prong has been applied by the Supreme Court in an inconsistent manner. The inconsistency has arisen because the Court in different cases has given different answers to the following two questions – ‘on whom does the burden lie to produce the lesser intrusive means’ and ‘what is standard that will convince the Court that the least intrusive measure has actually been followed.’ Due to this jurisprudential inconsistency in the usage of the third prong, the in-built protection inside the Rule serves very little good. It is highly likely that as soon as the Government sings the usual song of ‘law and order’ and ‘national security’, the Court will blindly defer to it as it did in the Anuradha Bhasin case and has done so in cases of that ilk. Consequently, compromising on the fundamental right of privacy of citizens in an unreasonable manner.
Additionally, another aspect of the ‘least restrictive method’ that must be noted is that breaking E2EE is not the only way to trace the first originator of the message. There exists lesser restrictive means which the Central Government itself had proposed. For example – the Central Government has previously requested WhatsApp to bring technological changes to trace messages to the originator by introducing a digital fingerprint system. Further, there exists other ways of achieving the same goal as well.
The third proviso to Rule 4(3) states – “Provided also that in complying with an order for identification of the first originator, no significant social media intermediary shall be required to disclose the contents of any electronic message, any other information related to the first originator, or any information related to its other users.” A perfunctory reading of only this provision can lead us to believe that the Government can simply trace the first originator but not read the actual contents of the message. However, as has been argued by several commentators and civil society organizations such as Internet Freedom Foundation, this rule when read with the IT (Procedure for Safeguards for Interception, Monitoring and Decryption Rules) 2009 (“IT 2009 Rules”) can enable the authorities to read the content of the message as well. Rule 4 of the IT 2009 Rules, empowers the government to demand the revelation of the content of any electronic message. Hence, a conjoined reading of both the rules (2009 and 2021) shows that the Government can not only trace the first originator of the message but also read the contents of the message.
As our lives become more and more and dependent on technology with every passing day, laws that regulate this technology have two choices – to either enhance our fundamental rights in the digital sphere or unreasonably restrict them. The Central Government has shown its cards, and now the ball is in the Courts’ court.
Join the discussion