Social Media, Encryption, and India's ITA
The Tracing Requirement
Over the past several months, India has been at odds with the social media industry and has made demands in the interest of national security. A new provision in the Intermediary Guidelines of the India Information Technology Act (ITA) requires the “first originator” of a message on a social media platform to be traced upon a judicial order. The regulation would grant India the power to compel social media companies to turn over data of a user’s communications that occurred on their platforms after the user is credibly accused of criminal activity. On May 26, WhatsApp and its parent company, Facebook, jointly filed motions against the Indian government challenging the traceability requirement. WhatsApp and Facebook — along with most privacy experts —believe that compliance with the law would force encryption to be broken.
The Practical Effect
WhatsApp, Facebook, and much of the commercial tech industry utilize end-to-end encryption as a means of protecting the privacy of the users on their platforms. Encryption not only secures data from unauthorized third parties, it also prevents the social media companies themselves from reading the contents of a message. There is likely no way to comply with a traceability requirement without breaking (or severely weakening) encryption. The tech companies cannot cherry pick data from the specific users they are ordered to trace, while continuing to encrypt the communications of other users in the manner it currently does.
To comply with India’s regulation will effectively require social media companies to break encryption for all users. In order to be able to trace communications from any particular user upon the government’s request, the social media companies would likely need to create large databases of information that would include every message or communication that transpires on the platform, along with the identity of the of the person who made it, and the identity of the person who received it. While the law would certainly help India prosecute major crimes with a digital footprint, most experts in the field agree that traceability of data is also highly subject to misuse, ineffective for its intended purposes, and far less secure from data breaches.
The lawsuits from WhatsApp and Facebook are the first of their kind in India where a tech company went on the offense and sued over the government’s demand for information. WhatsApp and Facebook are claiming that the traceability requirement is unconstitutional under Puttaswamy v. India (2017), the landmark privacy case that found a right to privacy in the Indian Constitution. Puttaswamy protects Indian citizens from the State’s invasion of privacy unless it is done by the “least restrictive means." The greatest challenge for India will likely be to convince the Court that requiring social media companies to create and manage vast pools of data — the overwhelming majority of which will never be needed — satisfies the least restrictive means test. WhatsApp and Facebook will aim to prove that the law is ultra vires by showing that the extent of India’s interference is not proportionate to its need.
The Foreseeable Future for Encryption
If India’s regulation is upheld, the outcome may have a long-reaching ripple effect. Considering that India is WhatsApp’s largest market — with around a half-billion users — it could cause the company to abandon end-to-end encryption for all users globally in an effort to maintain uniform data practices. Other countries, such as Australia, Brazil, Canada, New Zealand, the United Kingdom, and the United States, have also shown interest for similar types of measures that would serve to empower governments to intercept private information on social media that is currently encrypted. Regardless of the outcome of this dispute, the tension between encryption and governmental interest in traceability is likely to persevere.