Invoking the right to privacy ruling of the Supreme Court, Facebook-owned messaging platform WhatsApp has moved the Delhi High Court to challenge the traceability provision in the new IT Rules 2021, contending that “this breaks end-to-end encryption…and impermissibly infringes upon users’ fundamental rights to privacy and freedom of speech”.
In a petition filed Tuesday evening, the last day to complywith the new rules, WhatsApp said the provision requiring intermediaries to enable identification of the first originator of information on their platforms could also put journalists and activists at risk of retaliation in India and infringe upon rights to free speech and expression.
It said it is not aware of any country that requires intermediaries to enable identification of the first originator of information on end-to-end encrypted messaging services, and that states throughout the world have recognised the “important benefits” of end-to-end encryption and the dangers of undermining that security protocol.
The petition has not yet been listed for hearing. A spokesperson for WhatsApp said: “Requiring messaging apps to ‘trace’ chats is the equivalent of asking us to keep a fingerprint of every single message sent on WhatsApp, which would break end-to-end encryption, and fundamentally undermine people’s right to privacy.”
Rule 4(2) of the Intermediary Rules, which WhatsApp wants struck down, states that “a significant social media intermediary providing services primarily in the nature of messaging shall enable the identification of the first originator of the information on its computer resource as may be required” by a judicial order or an order passed by a competent authority under the IT Act.
The petition states that there is no way to predict which message will be the subject of such a tracing order.
“Therefore, Petitioner (WhatsApp) would be forced to build the ability to identify the first originator for every message sent in India on its platform upon request by the government forever. This breaks end-to-end encryption and the privacy principles underlying it, and impermissibly infringes upon users’ fundamental rights to privacy and freedom of speech,” it contended.
It said protecting the privacy of the speaker is critical to protecting the right to freedom of speech and expression. “Indeed, privacy is inextricably intertwined with the right to freedom of speech and expression because it protects people from retaliation for expressing unpopular, but lawful, views. It encourages users to express their ideas and opinions, report unlawful activities, and challenge popular views without fear of reprisal, whereas enabling the identification of the first originator of information in India subverts privacy and discourages freedom of expression,” it stated.
Such a requirement, it said, would put at risk of retaliation journalists for investigating issues that may be unpopular, civil or political activists for discussing certain rights and criticizing or advocating for politicians or policies, and also clients and attorneys who could become reluctant to share confidential information “for fear that the privacy and security of their communications are no longer ensured”.
It contended that Rule 4(2) infringes upon the fundamental right to privacy without satisfying the three-part test set forth by the apex court in KS Puttaswamy vs Union of India on aspects of legality, necessity and proportionality.
“Impugned Rule 4(2) violates the fundamental right to freedom of speech and expression, as it chills even lawful speech. Citizens will not speak freely for fear that their private communications will be traced and used against them, which is antithetical to the very purpose of end-to-end encryption,” it said.
WhatsApp said the rule is ultra vires its parent statutory provision which is Section 79 of the IT Act, and the intent of the IT Act. “To require intermediaries like Petitioner to enable the identification of the first originator of information in India on their end-to-end encrypted messaging services, there must be a clear policy declaration in Section 79 that Parliament intended to impose such a requirement. However, no such declaration exists in Section 79,” it said.
Stating that it cooperates with law enforcement agencies in India and continues to take steps to assist them, WhatsApp said it has a dedicated team to review, validate, and respond to law enforcement requests for user data in India. The petition underlined that the rule is “particularly dangerous and disproportionate” as it does not impose a time limit, and forces the company “to be able to identify the first originator of information in India on its platform years after the message was sent”.
The spokesperson for WhatsApp said they would continue to engage with the Government of India on “practical solutions aimed at keeping people safe, including responding to valid legal requests for the information available to us”.