WhatsApp moves High Court against new IT rules

Citing “dangerous invasion of privacy” and threats to free speech of its 400 million users in India, WhatsApp has moved the Delhi high court seeking the squashing of a rule framed by the Union government that obligates social media intermediaries to identify the first originator of a message upon an order by a competent court or executive authority.

The petition filed in the high court claims that enforcement of rule 4(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, will break WhatsApp’s end-to-end encryption and the privacy principles underlying it, besides impermissibly infringing upon users’ fundamental rights to privacy and freedom of speech.

WhatsApp has requested the high court to ensure no criminal liability is imposed on it for not complying with the provision, which, it contends is, “unconstitutional, illegal” and beyond the purview of the Information Technology Act.

The Union government in a statement on Wednesday defended the rules and called WhatsApp’s “last minute challenge” a “clear act of defiance meant to keep the guidelines from coming into effect”. The government also stated that while it respects the right to privacy, no fundamental right, including the right to privacy, is absolute.

Rule 4(2), which comes into effect from Wednesday, makes it mandatory for social media intermediary providing messaging services to trace the originator of a message if required by a court or a competent authority under Section 69A of the IT Act. While the rules clarify traceability order may only be passed for serious criminal offences, some categories such as “public order” are relatively broad in operation.

“Requiring messaging apps to “trace” chats is the equivalent of asking us to keep a fingerprint of every single message sent on WhatsApp, which would break end-to-end encryption and fundamentally undermines people’s right to privacy,” a WhatsApp spokesperson said.

“We have consistently joined civil society and experts around the world in opposing requirements that would violate the privacy of our users. In the meantime, we will also continue to engage with the Government of India on practical solutions aimed at keeping people safe, including responding to valid legal requests for the information available to us,” this person added

A person in the company aware of the technicalities involved said the tracing feature sought by the government is unlikely to be practical since people also copy-paste messages, and that bad actors can separately spoof or modify information in a way that could lead to people being framed.

In its petition before the high court on the IT rules, WhatsApp has claimed that the new set of guidelines is “unconstitutional”, for it tramples upon privacy of users apart from being “manifestly arbitrary” and in breach of the principle of data minimisation.

“This [the traceability feature] would require petitioner to build the ability to identify the first originator of every communication sent in India on its platform, as there is no way to predict which message will be the subject of such an order seeking first originator information. This eliminates the right of the hundreds of millions Indian citizens using WhatsApp to maintain the privacy of their messages, which is antithetical to end-to-end encryption and the core privacy principles underlying it,” the company stated in its petition.

It added that since the provision does not require an approval of a court, it is clear that the power is without judicial oversight and hence, there is no “guarantee against arbitrary State action”. If WhatsApp adds these features, the company said, it could put journalists and civil and political activists at risk.

Taking another ground to challenge Rule 4(2), WhatsApp has said that the provision was not backed by any statutory power since Section 79 of the IT Act only allows the Union government to prescribe “due diligence” guidelines that intermediaries must observe to maintain their exemption from liability for third-party content.

“However, Impugned Rule 4(2) seeks to impose obligations that fall far outside ‘due diligence’, as it forces fundamental alterations to WhatsApp by breaking end-to-end encryption and changing the fundamental nature of the service that people love and use today in India and across more than 100 countries,” it maintained.

The petition sought annulment of the rule also on the ground that it ran counter to the intent of the IT Act which sought to promote “uniformity of the law” with other nations with respect to “alternatives to paper-based methods of communications”.

Raman Chima, Asia Pacific policy director at Access Now, said WhatsApp needs to do better in its practices to protect and safeguard the interests of its users — including reconsidering its data sharing with Facebook and changes to its privacy policy. “The present legal challenge does reflect [WhatsApp is] prioritising safeguarding its users’ security and privacy from an overbroad, unlawful, and dangerous government mandate. The government’s insistence on ending traceability has to be seen against the broader context of shrinking civic space, where exceptions carved out in laws are weaponised and selectively applied against dissenters and at-risk communities,” he said.

A second expert said there are questions over the legality of the rules. “The IT Rules go far beyond the scope of the IT Act. The traceability requirement unreasonably enhances the scope of obligations under the parent legislation. Section 69 of the IT Act provides the power to seek technical assistance for securing access, interception, decryption or monitoring of information stored in computer resource. The IT Rules, however, may require changes to the technical architecture of messaging platforms which would affect the privacy and security of all users across the board,” said Tanmay Singh, associate litigation counsel at the Internet Freedom Foundation.

He added that weakening encryption by mandating traceability would undermine the privacy and security of all users and that even if there are ways to enable traceability without breaking end-to-end encryption, it would still amount to weakening the very purpose of encryption.

NS Nappinai, Supreme Court lawyer and founder of CyberSaathi, said: “The government seems to have modified its stance. Till now they were categorically saying they were not asking WhatsApp to break encryption. Whereas this press release does not say that.”

“WhatsApp is pitching its claim too high by weighing in only on the aspect of breaking encryption. According to me that’s likely to boomerang,” she said, adding that the government too has more to answer for.

“Similarly, the government is not clarifying when and how tracing is mandated. That is, at the time the message is sent or when notice is received? This is likely to be the crux of the issue in deciding constitutionality according to me. For, if it’s at the time of sending messages that would not be sustainable at all. If it’s at the time of notice subject to all other due processes being followed, it cannot be said to be unsustainable. Providing this info is anyway contingent on the messages being on WhatsApp servers, which they have claimed will not be available after one month. Then where’s the disproportionality? Or breaking encryption?”