Facebook, WhatsApp sue Indian government over traceability requirement

The heart of the matter are WhatsApp’s entire default service and Facebook’s specific “Secret Conversations” feature on Messenger that allows users to opt-in for end-to-end encrypted messaging; Image: Shutterstock

WhatsApp and its parent company Facebook are finally going on the offensive to protect end-to-end encryption. In two separate petitions filed with the Delhi High Court on the night of May 25, the two companies argued that the traceability requirement—mandated under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, notified in February 2021—will force them to break end-to-end encryption. They have also called the traceability requirement unconstitutional and violative of people’s right to privacy, as guaranteed under the Supreme Court’s Puttaswamy judgement.

The two social media giants want the Delhi High Court to declare the traceability requirement as ultra vires (beyond the legal mandate of) the Information Technology Act, 2000, and that no criminal liability should be imposed if the companies do not implement traceability. At the heart of the matter is WhatsApp’s entire default service and Facebook’s specific “Secret Conversations” feature on Messenger that allows users to opt-in for end-to-end encrypted messaging.

In a no-holds barred blog post, WhatsApp called traceability “ineffective and highly susceptible to abuse”, which would effectively mandate “a new form of mass surveillance” explaining that to trace even one message, WhatsApp would have to trace every message and will thus land up with “giant databases” with “permanent identity stamp[s]” of every message that is sent on its platform. This echoes Forbes India’s previous reporting wherein experts had warned that retaining digital fingerprints of messages (read: hashes) would lead to the creation of giant catalogues through which WhatsApp will be able to track all the messages that people send on its platform.

In response to the lawsuits, the Ministry of Electronics and Information Technology (MeitY) issued a statement that the traceability requirement passes the muster of proportionality. “It is in public interest that who started the mischief leading to such crime must be detected and punished,” the statement read.

The petitions have thus far not been listed for hearing in the Delhi High Court but it is expected that they will be heard by the division bench led by Chief Justice D.N. Patel, who is also hearing three separate cases against WhatsApp’s 2021 Privacy Policy update.

Until these two petitions, the social media firms had been parties in multiple cases around the world, including in India, that had been filed to debate whether law enforcement agencies should have access to originator information if it means breaking end-to-end encryption. This is the first time that WhatsApp and Facebook are doing the litigating themselves. Forbes India has reviewed both the petitions.

Reuters first reported the development but only mentioned the petition filed by WhatsApp.

Traceability means tracing the person who sent the message. In Indian public debates, it has usually come to mean, tracing the first sender of a message that has been forwarded multiple times. Globally, the traceability debate has become a fraught one, which seeks to balance rights to privacy and free speech of the multitude on one hand and the need to give law enforcement access to information about criminal suspects on the other.

The traceability requirement under the Intermediary Rules mandates all significant social media intermediaries, that is, social media companies with more than 50 lakh registered users in India, to trace the “first originator” of a message on receiving a judicial order or an order from a Competent Authority under Section 69 of the Information Technology Act.

‘Traceability erodes right to privacy, does not meet Puttaswamy I requirements’: Facebook, WhatsApp

Both Facebook and WhatsApp have both argued that the traceability requirement, which will force them to break end-to-end encryption will undermine users’ constitutionally protected privacy and free speech rights.

Traceability violates fundamental right to privacy: The traceability requirement, Facebook and WhatsApp say, violates the right to privacy, which also includes the right to anonymity, as the rule violates users’ right to remain anonymous and robs them of their ability to control what information is disclosed to third parties.

Traceability fails the Puttaswamy I test: Both the companies argue that the traceability rule fails to meet the three requirements laid down in Supreme Court’s 2017 K.S. Puttaswamy v. Union of India judgement, colloquially called Puttaswamy I. Under Puttaswamy I, the three requirements that must be met to allow for any invasion of privacy are: legality (a law must be in existence), reasonableness (with guarantees against arbitrary state action, with special emphasis laid on prior judicial review), and proportionality.

The petitions argue that there is no law that authorises the government to violate citizen’s privacy rights via traceability on end-to-end encrypted services, and thus the legality requirement is not met. WhatsApp also argued that no Indian law allows traceability to be mandated through subordinate legislation such as the Intermediary Rules.

The companies have also said that the traceability requirement is “neither reasonable nor guarantees against arbitrary State action” as it allows the government to link users to all their communications “without any judicial oversight…much less prior judicial oversight”.

From the Archives | Can traceability and end-to-end encryption go hand in hand? Here's the legal view

As mentioned above, the traceability rules allow the government to get access to originator information either via a judicial order or through an executive order by a “Competent Authority” under Section 69 of the IT Act. The Puttaswamy I and Puttaswamy II (a 2019 Supreme Court judgement on the Aadhaar Act) judgements that the petition cites also stress on the importance of prior judicial review but do not mandate it.

WhatsApp and Facebook have said that the traceability requirement is not a proportionate requirement as it would require intermediaries to first build a mechanism to enable traceability and the companies would then be required to enable it for every user and each piece of communication, irrespective of whether or not they are even being investigated.

‘Principles of data minimisation, limits on data retention periods go for a toss’

WhatsApp and Facebook have argued that since there is no way to predict which communication the government will seek to identify at a later date, intermediaries will have to build mechanisms to enable traceability for every user and every piece of encrypted communication sent in India. Thus, to enable traceability, an intermediary would have “to store additional data that is not necessary to provide its service”.

This is in contravention of the globally accepted privacy principle of minimisation which, along with storage limitation, was emphasised upon by Justice A.K. Sikri in the Puttaswamy II judgement. Justice D.Y. Chandrachud had also observed that the Aadhaar Act was unconstitutional for violating, amongst other things, the principle of data minimisation. As a result, traceability is not the “least restrictive” means available for access to information, a standard that has been laid down by the Supreme Court’s two Puttaswamy judgements.

Both companies also argue that as the Rules do not prescribe a time limit, the intermediaries will be forced to store additional data even years after the messages are sent. All end-to-end encrypted communication in India will always be linked to users’ identity, “including the vast majority of such communications which are sent by law-abiding Indian citizens”, Facebook says in its petition. This would undermine all users’ anonymity forever.

From the Archives | Interview | You have to comply with the laws of the land if you want to do business there: Zee5's Archana Anand

In its blog post, but not in its petition, WhatsApp said that another problem with enabling traceability and retaining originator information forever is that certain content may “later become problematic in the eyes of a government” because of which innocent people could be accused of wrongdoing.

A cryptographic expert on the condition of anonymity had earlier told Forbes India that any digital signatures associated with traceability must be allowed to expire. Without such expiration date, “old messages can be revived several years down the line in a different context”.

“Secondly, to be able to trace the originator in such a case, WhatsApp will have to retain all the public keys [that] all the [Indian] users ever used, forever. This would be problematic as keys need to be frequently renewed for security and privacy purposes,” they said.

‘Traceability has a chilling effect on lawful speech’

Facebook and WhatsApp have argued that to exercise freedom of speech, a citizen must be able to maintain one’s privacy so that they are protected from “retaliation for expressing unpopular but lawful opinions, challenging mainstream views, and even reporting unlawful activities”. By undermining the privacy of users of encrypted messaging services, the traceability requirement can have a chilling effect on lawful speech, which includes speech critical of the government, policies, and the like, the companies say.

Facebook and WhatsApp argue that the traceability requirement exposes activists and journalists to retaliation. Facebook also said that traceability could publicly expose sensitive personal information like Aadhaar, financial, sexual orientation, religious, or health information while WhatsApp said that attorneys and clients also rely on the security and privacy offered by end-to-end encrypted services to share confidential information. In its petition, WhatsApp argues that even the central government, law enforcement agencies, and the military rely on the security offered by end-to-end encrypted services. All these benefits, both platforms say, would be undermined if traceability is introduced.

Traceability is ineffective; highly susceptible to abuse

WhatsApp pointed out that if a user downloaded and shared an image, or sent a screenshot of a message, or WhatsApped an article that someone emailed to a user, or copy-pasted a message, the user would become the originator of the content even if they did not create the content. The platform did not make this argument in its latest petition but it had previously made the same argument in a 2019 submission to the Madras High Court in the WhatsApp traceability case.

The messaging service also pointed out that traceability would force companies to turn over names of even those people who did not create the content, “shared it out of concern, or sent it to check its accuracy” because of which innocent people could get caught up in investigations even if their intent was not malicious.

In its Madras High Court submission, WhatsApp had also said that forwarded messages often do not carry the context that accompanied the original message, thereby distorting the intent and the meaning of the message itself.

‘Traceability requirement goes beyond the legal mandate of the Information Technology Act, legislative functions are the exclusive domain of the Parliament’

Facebook has argued that the Information Technology Act, 2000, the act under which the Intermediary Rules were notified, does not allow the Indian government to mandate intermediaries “to build mechanisms that would allow the identification of the ‘first originator’ of every communication in India on their platforms” and is thus ultra vires. The social media giants also stressed that the parent act “certainly” does not allow the government to require intermediaries to break end-to-end encryption as a consequence of the traceability requirement.

Both WhatsApp and Facebook have identically argued that the traceability requirement imposes a duty “far beyond” the intermediaries’ due diligence obligations under Section 79(2) of the IT Act as traceability would require the company to “change the fundamental nature of its platform” and make fundamental product changes to its messaging service.

Section 79(2) of the IT Act grants safe harbour to intermediaries from being liable for third-party content hosted, stored or shared on their platforms as long as they do not have actual knowledge of it in the form of a court order. Intermediaries can avail immunity under safe harbour as long as they observe the Intermediary Rules, including the due diligence rules under Rules 3 and 4. Non-compliance with these Rules can result in loss of safe harbour status, that is, intermediaries can be held liable for content that users post on their platform. It will not result in bans on social media companies as has been misreported by multiple news organisations in the last few days.

Functionally, loss of safe harbour would translate into restrictions on freedom of speech on social media platforms as to evade liability, platforms will be far more prone to taking down even slightly problematic content.

The other section under which the Rules were notified, Section 69A, allows the central government to issue blocking orders or prescribe procedures and safeguards to enable such blocking. This provision too, the companies argue, exceeds the government’s rule-making authority under Section 69A as traceability “is neither a blocking order nor a procedure or safeguard subject to which a blocking order may be carried out”.

Forbes India had also earlier reported that the sections under which the Rules have been notified—Sections 69(A) and 79(2) do not allow the government to allow for any invasion of privacy, or changes to its encryption protocols.

‘Traceability is not crucial for assisting law enforcement agencies’

Both WhatsApp and Facebook said that they already cooperate with law enforcement agencies and have a dedicated team in each company that works closely with Indian law enforcement agencies. Forbes India has asked both WhatsApp and Facebook if these dedicated teams are located in India.

In addition, the two companies also said that they train Indian law enforcement agencies to submit valid requests. Both companies have detailed guidelines for submission and handling of requests from such agencies (see here and here) and exclusive portals (see here and here) for law enforcement agencies to request information.

In its blog post, WhatsApp wrote that it has another team that assists law enforcement 24/7 with emergencies involving imminent harm or risk of death or serious physical injury. It also wrote that law enforcement officials have multiple investigative tools, and can get information from multiple sources, including different companies, other government, or from user’ devices.

‘No other country has a traceability requirement’

Facebook and WhatsApp cited the preamble of the Information Technology Act, as per which there is a “need for uniformity of the law [across the world] applicable to alternatives to paper based methods of communication and storage of information”, to argue that the traceability requirement creates “a substantial disharmony with the laws of the rest of the world”. As a result, they argue, the traceability requirement is ultra vires of the “Parliament’s express intent in enacting the IT Act itself”.

While it is true that no law or delegated legislation in the world, except India’s Intermediary Rules, have mandated traceability, the debate is not endemic to India. Brazil, for instance, has been deliberating on a “fake news bill” for the last few years that seeks to mandate private companies to track the entire chain of “massively forwarded” messages to groups or lists and retain such data for three months. This had also prompted a WhatsApp blog post.

Australia, too, enacted a controversial Telecommunication and Other Legislation Amendment (Assistance and Access) Act 2018 (commonly called the TOLA Act) under which Australian government agencies can either force companies to intercept communications using capabilities they already have (Technical Assistance Notices), force companies to build new interception capabilities to comply with TAN (Technical Capability Notices), or request companies to assist the agencies (Technical Assistance Requests). ZDNet, however, reported that the TAR are the most insidious ones as they are not subjected to as much oversight. Between July 2019 and June 2020, TARs were issued 11 times. The TOLA Act has been challenged in Australia.

Last year, India was also a co-signatory on an international statement by the Five Eyes intelligence alliance (US, UK, New Zealand, Canada, and Australia) and Japan, that wants companies to build backdoors to end-to-end encrypted platforms for access to law enforcement agencies. The demand for such backdoors is not new. Currently, there is no law in the Five Eyes (except Australia) that makes backdoors or traceability beyond a company’s technical capability mandatory.

Facebook’s petition is a pre-emptive strike unlike WhatsApp’s

While the two petitions make largely the same arguments, there are a few key differences.

Facebook’s lawsuit is a pre-emptive strike “in the event it is determined” that Facebook is subject to the traceability requirement. The social media company has argued that the traceability requirement does not apply to the platform and its ‘Secret Conversations’ feature because the Rule is applicable only to significant social media intermediaries “providing services primarily in the nature of messaging”.

Forbes India had earlier pointed out that the Rule does appear to exempt open and public platforms such as Facebook, Twitter, Instagram, LinkedIn, YouTube and even services such as Dunzo and Zomato which offer messaging services but are not in the primary business of enabling messaging. WhatsApp, on the other hand, is the primary reason why this rule was formulated in the first place. Neither the IT Act, not the Rules, define what messaging is.

Facebook also wants the Court to treat its petition as one filed “in a representative capacity on behalf” of users of its Secret Conversations messaging feature.

WhatsApp’s petition also gives insight into how its 2 billion-plus users around the world use the service.

Pre-empting frequent arguments that are made about protecting children online (an ad hoc Rajya Sabha committee, for instance, in January 2020 had recommended that law enforcement agencies should be permitted to break end-to-end encryption to trace distributors of child pornography), WhatsApp’s petition also describes how it fights child sexual abuse material (CSAM) on its platform despite being end-to-end encrypted. The messaging service relies on available unencrypted information including “user reports, profile photos, and group photos, group subject, and descriptions” to detect and prevent abuse, including CSAM.

On detection of CSAM, WhatsApp removes the image, bans the user and associated accounts within a group. The image and account details are provided to the National Center for Missing and Exploited Children (NCMEC), a private non-profit organisation established by the US Congress. The NCMEC then provides the Indian National Crime Records Bureau (NCRB), under the Ministry of Home Affairs, with “immediate access to India-specific reports through a secure Virtual Private Network (VPN) connection”. WhatsApp also sends the NCRB a monthly report with NCMEC report IDs related to Indian users.

From the Archives | Traceability and end-to-end encryption cannot co-exist on digital messaging platforms: Experts

Timing of the lawsuits is interesting

The timing of this lawsuit is simultaneously understandable and suspect. Understandable because the last date to comply with the new Intermediary Rules was May 25 and the suit was filed on May 25 night. It also raises questions about why it was filed on the last day.

On March 5, 2021, about a week after the Intermediary Rules were notified, WhatsApp head Will Cathcart had said on the Big Technology Podcast, “Our hope is that we can find a way to end up with solutions that don’t touch encryption.” A WhatsApp spokesperson declined to comment when Forbes India asked if the new lawsuits mean that WhatsApp has irrevocably concluded that there is no way to enable traceability without undermining encryption.

Moreover, WhatsApp has received significantly negative press ever since it announced the latest update to its privacy policy in January 2021. It has also been buried under a bevy of lawsuits and investigations in India and around the world against its new privacy policy. The lawsuit to protect end-to-end encryption, rightly aimed at protecting privacy, will divert attention as well.

Ironically, WhatsApp has quoted from its contested privacy policy in its petition against the traceability requirement—“[r]espect for your privacy is coded into our DNA”. Facebook too, whose privacy missteps, both deliberate and otherwise, have been well documented, has written that it is “committed to promoting the privacy and free speech” of all Facebook service users and this is “reflected in its robust policies that adopt global best practices to protect user privacy and promote a safe online experience”.

To read the full Facebook petition, click here.

To read the full Whatsapp petition, click here.

Graphic by Sameer Pawar