WhatsApp vs Indian Government
Year 2016– WhatsApp promises for end-to-end encryption, which means only communicating users can read the messages. This safeguards our data form any third-party interference and assures data privacy. That means even WhatsApp doesn’t have access to any data along with any third party.
Year 2020– WhatsApp accepted that it possess metadata which contradicted their end-to-end encryption feature which jeopardize user privacy.
Year 2021- WhatsApp files a suit against the Indian government for breaching privacy laws. It is almost ironical how WhatsApp was hot topic for invading user privacy and today it challenges the IT rules on the ground of user privacy.
With the rapid increase in the usage and thereby dependence on consuming content over the online platforms, there arose a need for a framework which will address the lack of transparency, accountability and the rights of the users of such online platforms. The pandemic and the subsequent lockdown further verified the reliance over social media and OTT platforms. Addressing to the said issue, The Ministry of Information, Government of India enacted Information Technology (Intermediary guidelines and Digital Media Ethics Code) 2021, (herein referred as IT rules 2021) lists out the Guidelines and Code for the Intermediaries. The rules are targeted towards the following platforms:
- Publisher of online curated content. E.g. Netflix, Disney+ Hotstar
- Social Media Intermediaries and Significant Social Media Intermediaries. E.g. Instagram, WhatsApp and YouTube
- Publishers of news and current affairs E.g. Zee news, NDTV etc.
Let’s focus primarily on social media intermediary WhatsApp which is the most preferred mode of communication. It is no longer a news when an obscene or nationally sensitive content is circulated through WhatsApp and creates a ruckus. The frequent cybercrime reports of such incidents ultimately led to formulation of rule 4, which demands that the significant social media intermediary shall enable the “identification of first originator”, when required by an applicable judicial order. This has been alleged to result into a breach of privacy by WhatsApp.
On the basis of this, one thing is clear here, the possibility of end-to-end encryption and rule 4 to co-exist is ruled out. Thus, the survival of the fittest begins.
Now the million-dollar question which is omnipresent in all the articles of our blog is, what right supersedes the other and how to deal with such chicken and egg situation. The contesting opponents are, the end-to-end encryption which protects the privacy of millions of WhatsApp users, and the rule of identification of first originator of information. We are aware of using WhatsApp without the latter and have been using the same for few years now. However, let’s assume the rule is taken into consideration, and end-to-end encryption is removed. I see the below mentioned issues:
- There is no alternate safeguarding feature proposed to be introduced by the Government which protects the data from malicious party;
- There exists no framework or detail about data handling by the Government in the first place to qualify it as a lawful processing of data;
- There is no privacy framework enacted which further provides compliance rules and enlists penalties.
Thus, there is only one thing fulfilled hereunder, that is facilitation of criminal investigation to locate and identify perpetrators. However, there is a heavy cost to bear in lieu of that. It also needs to be viewed, that identification of first originator of information is a pedestrian approach when it comes to fulfilling the aim of mitigating cybercrimes. The nature of cybercrimes has become too technologically advanced to be tackled by the said clause.
Considering how we love comparing jurisdictions, let’s talk about GDPR. Article 10 of GDPR titled ‘Processing of Personal Data relating to Criminal Convictions and Offences’ reads as under:
“Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) (Lawful processing of data) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority”
This means that the appropriate government has been given the right to process the data sought under criminal proceedings and for facilitating a criminal investigation. Having said that, the processing of such data shall be legitimate and under the lawful route, considering appropriate safety requirements, destruction of data once purpose is fulfilled, processing only that data which is necessary for the investigation and inclusion of the ‘purpose limitation,’ which limits processing the data only for the purpose of criminal investigation. However, the Indian IT rules 2021 specifically lays down the method of ‘identification of first originator’ as a mode for enabling the criminal investigations. GDPR is silent on those which may or may not include identification of first originator under Article 10. Thus, the debate here is on India’s cut throat clarity for accessing the data on furnishing the judicial order.
Lastly, End-to-end encryption hasn’t completely eradicated the mala fide usage and cyber-crimes with respect to WhatsApp. Thus, India’s attempt can turn around to become a better and more promising move, by instituting an ‘overlooking body’, provided it addresses and works upon the above-mentioned problems and issues. The main aim for identification of the first originator as discussed above is to enable the criminal investigation process which further aims to seek justice. There is no doubt that there are several cybercrimes involving WhatsApp and thus the evidentiary value it possesses cannot be undermined. Having said that, the protection of private data cannot be compromised. The union should hold complete responsibility for data handling and assuring proper compliance to prevent any mala fide usage of data. Thus, accepting it as a stepping stone towards combating the cybercrime world and to make a safe space for users to connect, we hope for a ‘technologically ahead’ and ‘data privacy promising’ law rather than a short-sighted clause like ‘identification of first originator’.
We the People 
Great read.
LikeLike
Very well written and we’ll researched content.
LikeLike
Excellent article displaying high professional competence and clear understanding of a very complex issue. Lucid explanation of all the facets of the topic will be a boon to people at large
LikeLike
Good paper!
LikeLike
A very interesting and well-articulated discussion, Rujvi.
The quantum of fake propaganda, misleading messages and “irresponsible forwards” that we are seeing on all social media, including WhatsApp, does necessitate the requirement of identifying the originators of such content to limit their actions. Having said that, we are also not sure whether identifying the originator could prove to be effective always. There may be times where the original perpetrator uses devices or identities owned by other people and we Indians are not really very particular or disciplined when it comes to sharing personal data, devices or even passwords. So, it may turn out that tracing the originator may just send the authorities on a wild goose chase for someone who doesn’t even know what this is about.
Having said that, we cannot undermine the need for controlling creation of negative content on social media. As you rightly said, this is like a chicken and egg story, striking the right balance between personal privacy and identifying malicious users. Although our government IT and cyber security landscape is seeing improvements, we cannot always be sure about how much data should be stored on public infrastructure; at the end, it’s about whether you trust social media servers or government servers or both or none. Also, tagging and tracing such data for each message/content generated on social media will consume massive AI, data storage and processing capacity.
At the end, we are also reminded of Steve Rogers from Captain America: Civil War, “…but it’s run by people, with agendas. And agendas change…”
Let’s just hope we end up finding a dynamic solution that balances out the two issues.
LikeLike
It reminds me of a great analogy when a naughty child passes a piece if paper in the class. Teacher either decides to punish the entire class or the identifies the naughty child from his unique handwriting. Very well written and thoroughly researched.
LikeLike