Enhanced Surveillance And The First Originator Provision in India
Aurobindo Sundaram
CISO | Startup advisor | Board member | VC fund advisor | Photographer | Sharer of financial & life lessons
A collaboration with Nivrithi Kailash Kumar, Jindal Global Law School (JGLS)
Introduction
India recently passed a law, the highly contentious Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 [1], which imposes upon certain social media intermediaries the obligation to enable the identification of the first originator of the information on its computer resource. This creates a host of problems, especially in light of the end-to-end encryption promised to users by such platforms.
End-to-end encryption (E2EE) is a method of secure communication that prevents third parties from accessing data while it is transferred from one end system or device to another. In E2EE, the data is encrypted on the sender's system or device, and only the intended recipient can decrypt it. As it travels to its destination, the message cannot be read or tampered with by an internet service provider (ISP), application service provider, hacker, or any other entity or service.
Consequently, the provision has been challenged by WhatsApp (owned by Meta, aka Facebook) in front of the Delhi High Court [2]. There is also a case pending before the Supreme Court, filed by Facebook, seeking the transfer of writ petitions pending before various High Courts which includes within its ambit how and in what manner the intermediaries should provide information including the names of originators of any content shared on the platform run by the intermediaries [3].
We will explain and analyze this provision, contextualizing it in terms of the debate between the privacy of the users and the government's claims of “public interest, order, and national security” across the world. It is interesting to note that the preamble to the Information Technology Act itself states that it intends to give effect to the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law, keeping in view the need for uniformity of law [4]. Thus, uniformity of the law with other nations forms a part of the objectives of the Act itself, clearly making the debate between privacy and security in other countries relevant.
First Originator Provision
The Information Technology Act of 2000 was enacted to provide legal recognition for transactions carried out by “electronic commerce” [5]. The Central Government of India, under this Act, is given the power to make rules to carry out the provisions of the Act under section 87. It is in the exercise of this power that the Central Government enacted the highly contentious Information Technology (Intermediary Guidelines and Digital Media Ethics Code) 2021. A social media intermediary is defined in the rules as an intermediary which primarily enables online interaction between two or more users [6], and a significant social media intermediary is one having more than fifty lakh registered users in India [7].
Sub-rule 2 of Rule 4, which prescribes additional due diligence to be observed by “significant social media intermediaries”, specifies that significant social media intermediaries providing primarily messaging services shall enable the identification of the first originator of information when it is required either by a court through a judicial order, or an order passed by a competent authority as per the Information Technology (Procedure and Safeguards for interception, monitoring, and decryption of information) Rules, 2009 [8].
The provision itself provides that an order shall only be passed when the content relates to the sovereignty, integrity, and security of India, public order, rape, sexually explicit material, child sexual abuse material, etc. There is also the additional rider that no such order shall be passed where other less intrusive means are effective in identifying the originator of the information. The provision also clarifies that the platform shall not be required to disclose the contents of the message, any other information related to the first originator, or any information related to its other users.
This provision is being challenged on the grounds of its constitutionality, and its vires vis-a-vis the parent act. This article focuses on the constitutional aspects: violation of the right to privacy and freedom of speech and expression.
Background - Enhanced Surveillance
A government’s desire to have visibility into, and to view, citizens’ communications for stated national security or societal benefit is not new.
In 1993, the US National Security Agency (NSA) introduced the Clipper chip [9], an encryption device with an acknowledged backdoor for government access, that the NSA proposed to be used for phone encryption. The proposal started a public debate, known as the Crypto Wars, and the Clipper chip was never adopted.
In 2001, just 45 days following the 9/11 tragedy in America, Congress passed the Patriot Act, the first of many changes to surveillance laws that made it easier for the US government to monitor Americans by expanding the authority to monitor phone and email communications, collect bank and credit reporting records, and track the activity of Americans on the Internet [10].
In 2015 and 2016, Apple was approached by the US Federal Bureau of Investigation and asked to either break into devices of suspected criminals or modify their software to permit future backdoors into devices. Apple challenged these requests in court, and these requests were eventually withdrawn.
In 2018, the ‘Five Eyes’ governments (the US, UK, Canada, Australia, and New Zealand) demanded that providers “create customized solutions, tailored to their individual system architectures that are capable of meeting lawful access requirements.” This kind of backdoor access would allow each government access to encrypted call and message data on their citizens. If the companies didn’t voluntarily allow access, the nations threatened to push through new legislation that would compel their help.
Also in 2018, Australia passed a law, the “Assistance and Access Act 2018”, which permitted government enforcement agencies to force businesses to hand over user info and data even if they were protected by cryptography. If firms didn’t have the power to intercept encrypted data for authorities, they would be forced to create tools to allow law enforcement or the government to have access to their users’ data.
In 2020, the Council of the European Union, which is made up of government ministers from the 27 EU member countries, released a resolution that called for new rules to govern the use of encryption in Europe. It called on technology companies to find technical ways to bypass encryption so that police and security agencies can quickly access a suspect’s messages or device.
In 2022, the UK introduced the Online Safety Bill [11], which among other things, requires messaging companies to remove end-to-end encryption to scan messages for child sex abuse material.
In most social media “chat” applications, including Facebook Messenger, Apple iMessage, WhatsApp, and WeChat (but notably, not Signal), messages were previously encrypted between the sending user and the service, and between the service and the receiving user. This ensured that the service had access to the messages sent and received for a short time. Except for WeChat, all other services have moved to end-to-end encryption, which means that only the sender and recipient have access to the contents of a message.
Most efforts to force service providers to build backdoors or provide other methods to access user messages have come from the Western world. This differs from laws in China, Russia, and Turkey, where services offering end-to-end encryption are banned.
Analysis - right to privacy vs necessity of decryption in India
The origins of the right to privacy can be traced to ancient times: Aristotle spoke of a division between the public sphere of political affairs and the personal sphere of human life. John Stuart Mill, in his essay ‘On Liberty’ (1859), highlighted the need to preserve a zone within which the liberty of the citizen would be free from the authority of the state. Samuel D Warren and Louis Brandeis, in their seminal article, drew attention to the impact of technology on this right to be let alone, explaining that in light of the development of the technology of photography, the law must afford some remedy for the unauthorized circulation of portraits of private persons [12]. This was relied on by the Indian Supreme Court in the landmark case of Puttaswamy v UOI, to explain that as technology and societies have further evolved, the connotation and ambit of privacy have also evolved [13].
The right to privacy in India has had a checkered journey. Its status as a fundamental right has been upheld, and it has been held to form an intrinsic part of the right to life under Article 21 of the Indian Constitution in the landmark case of Puttaswamy v UOI [14].
The case identified nine heads of privacy, out of which informational privacy becomes very relevant in this context. Informational privacy reflects an interest in preventing information about the self from being disseminated and controlling the extent of access to information [15]. The court, relying on an article by Richard A Posner, explained that people do value their informational privacy, but they surrender it easily when they derive benefits from the revelation [16]. So, as long as the government can be trusted to use the knowledge gained only for the defense of the nation, the public is compensated for the costs of diminished privacy in increased security from terrorist attacks, etc. [17]. Thus the legitimate interest that the state has in enhanced surveillance, such as the first originator provision, for the security of the nation is recognised.
Therefore, the right to privacy in India, like all other fundamental rights, is subject to reasonable restrictions, as the language of Article 21 itself provides: no person can be deprived of his life or personal liberty except in accordance with the procedure established by law [18]. In order to fulfill the touchstone of permissible restrictions on fundamental rights, the restriction must fulfill the three-fold requirement as explained by the Supreme Court in a catena of cases. First, there must be a law in existence to justify the encroachment on privacy. Second, there must be a need for the law or a legitimate state aim. Third, the means adopted (the law) must be proportional to the aim. The restriction on privacy should not be excessive, beyond what is required to meet the legitimate aim of the state: the nature and quality of the encroachment on the right should not be disproportionate to the purpose of the law.
With regard to the first originator provision, whether there is a law in existence that justifies it is itself unclear, as the provision has not been made by the Parliament, but by the Government under the rule-making powers given to it under the IT Act. It is thus a delegated legislation, and it must first be seen whether it is warranted/supported by the parent legislation, to see if there is a law that justifies it. While the central government claims that the rule has been made under section 87 of the IT Act, commentators have pointed out that the Act itself makes no mention of a provision warranting such enhanced surveillance. According to them, the provision is ultra vires the rule-making powers under section 87, as the Government is only given the power to make rules to carry into effect the provisions of the Act. However, there is no decisive opinion on this matter, as the case challenging this provision is still pending.
Second, whether this provision is in furtherance of a legitimate state aim, or whether it restricts the right to life and liberty of an individual arbitrarily, must be determined. The government has filed an affidavit before the Supreme Court highlighting the legitimate aims of the first originator provision and has released a related press statement. The content and messages spread on social media can be harmful. Such content has incited violence, including repeated incidents of mob lynching and riots, or threatened the unity and sovereignty of India. Possibly harmful content on social media also includes pornography (which is illegal in India), and the sale of drugs, weapons, and other contraband. Therefore, it is in the public interest for the person starting such mischief to be detected and punished. Hence, it becomes necessary to get such information from the intermediaries. The legitimate aim behind this provision is thus to protect law and order.
Thirdly, is the first originator provision proportional to the aim of curbing such problematic content? Here, the riders on the identification of the first originator of the message become important. However, it is unclear whether these protections are sufficient to render the encroachment on privacy proportional. It is important to note that most commentators [19] have leaned towards the arguments put forward by WhatsApp, and have adopted the view that the provision is an impermissible violation of the right to privacy. However, the government in its press release has clarified that it has no desire to violate its citizens' fundamental right to privacy and that the provision is merely a reasonable restriction.
The court in the case of Puttaswamy, while explaining the ambit of the right to privacy, also said that the constitution must evolve with the felt necessities of time to meet the challenges thrown up in a democratic order, governed by a rule of law. So, it becomes necessary to decide whether, in today’s digital age, the need is such that enhanced surveillance, like the first originator provision, is a permissible restriction on the privacy of an individual. To see whether such enhanced surveillance is needed or effective in tackling current-day problems, reviewing the experience of other countries with such enhanced surveillance would prove useful.
Analysis in other jurisdictions
The Government has, in its press release, highlighted the blocking of WhatsApp in Brazil [20] and the requirements of the “Five Eyes” governments. The “Five Eyes” requirements have been described above.
In Brazil, local Brazilian courts have attempted to compel WhatsApp to provide suspects' IP addresses, customer information, geo-location data, and physical messages. In three cases to date, WhatsApp has refused, and local courts have ordered shutdowns of the service in Brazil. Each of these shutdowns has been overruled by higher courts. In a recent case, the Brazilian Supreme Court said that the shutdowns were “scarcely rational or proportional.” In another court, a judge said, “It does not seem reasonable that millions of users are affected.”
In jurisdictions where the “enhanced monitoring” concept (including, but not only, the decryption of messages) has been advanced, the arguments have been two-fold.
National security related
The arguments in the US following 9/11 were primarily to ensure that another terrorist attack could not occur. To that end, Congress pushed through significant enhancements to the monitoring of ordinary citizens. There have been questions raised about both First Amendment (free speech) and Fourth Amendment (search and seizure clause) violations by the law. However, the Patriot Act has been repeatedly renewed by Congress and successive Presidents of both parties.
It is important to note, however, that the Patriot Act did not opine on the first originator/message decryption/encryption backdoor issue.
In Australia, the government hastily pushed through the Assistance and Access Act, but specifically noted that the law did not require service providers to introduce systemic weaknesses in their security protocols. It is thus unclear if the government could ever request an encryption backdoor or the breakage of end-to-end encryption, both of which would be considered to be introducing a systemic weakness.
Societal benefit related
Governments argue for message decryption in certain criminal cases: to investigate domestic or foreign terroristic threats; to investigate significant crimes, such as murders; and to combat pornography and child pornography.
In all these cases, the government promises strict oversight. For example, there are requirements for written notices and notifications to the Inspector General of Intelligence and Security (Australia). In the US, there are special courts (Federal Intelligence Surveillance Courts) that can approve certain types of monitoring.
In the Western world, the arguments made have been:
● Fear-related: “Stop a terror attack”
● Outrage-related: “Stop child pornography from circulating.”
● “It only affects criminals”-related: “If you aren’t doing anything wrong, you have nothing to worry about.”
There has been no traction to the argument from governments that say, “These capabilities will only be used in the rarest of rare cases, by law enforcement, to benefit society.” The sad truth is that (a) once message decryption/backdoors are placed, they are a permanent weakness in the system that can be exploited by hackers and authoritarian governments, and (b) governments have historically overstepped their bounds and trampled on civil liberties as political expediencies arise.
Conclusion
The government wants to protect society by monitoring the use of social media for posts related to incitement, harassment, or terrorism. It wants to protect user privacy by only reserving this monitoring for the rarest of cases, and after all other means are exhausted.
On the other hand, privacy advocates claim that this will fundamentally break the security and privacy controls that users of the service have. They claim that an authoritarian government (or even a corrupt one) could easily use this capability to monitor citizens en masse and harass those that criticize the government. They also claim that a backdoor into the system means that Pandora’s box will be opened to attackers who can use the same backdoor to steal information from users. Finally, they claim that the premise itself is incorrect [21], as there can be many “first originators” of a message, depending on where the monitoring is begun. This stance is essentially what WhatsApp is arguing in its filing.
The Indian Supreme Court itself, while upholding the right to privacy, has recognised the legitimate interest that the state has in enhanced surveillance. Thus, the legality of the provision remains ambiguous: there are legitimate arguments from both sides. When the data which the state has collected is only utilized for legitimate purposes, the legitimate concerns of the state are safeguarded, while privacy concerns are also protected. However, there is no way to guarantee that the provisions for enhanced surveillance will not be used for the extraneous purposes of the state, which would amount to an impermissible breach of privacy, as the legal safeguards put in place to ensure that the provision is only used legitimately could easily be disregarded and/or manipulated by the government.
Our position aligns with WhatsApp’s argument. We believe the following:
● That citizens are entitled to an expectation of privacy.
● That the requirements for monitoring will fundamentally chill discourse on the internet, not only in India but also in other democratic countries.
● That this hole, once opened, cannot be shut, and will only be expanded in the future.
● That Governments intrinsically have a conflict of interest in this matter.
● That Governments have a vast array of other monitoring methods that they can use in legitimate investigations.
Therefore, we hope and believe that the relevant courts in India will strike down the government's argument and side with WhatsApp.
Bibliography
[1] Wikipedia summary, https://en.wikipedia.org/wiki/Information_Technology_Rules,_2021
[2] WhatsApp LLC v. Union of India, W.P. (C) NO. _____, 25-05-2021.
[3] Facebook Inc v Union of India, Transfer Petition No 1943-1946 of 2019
[4] United Nations General Assembly, A/RES/51/162 (30.01.1997)
[5] IT Act 2000
[6] Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, Rule 2(w)
[7] Ministry of Technology and Information Technology, 1257 GI/2021, (20.02.2021)
[8] Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021
[9] Clipper Chip, https://en.wikipedia.org/wiki/Clipper_chip
[10] ACLU on surveillance, https://www.aclu.org/issues/national-security/privacy-and-surveillance/surveillance-under-patriot-act
[11] A guide to the Online Safety Bill - https://www.gov.uk/guidance/a-guide-to-the-online-safety-bill
[12] 4 Harvard L.R. 193 (Dec. 15, 1890)
[13] (2017) 10 SCC 1
[14] ibid
[15] ibid
[16] Richard A. Posner, “Privacy, Surveillance, and Law” The University of Chicago Law Review (2008), Vol.75, at page 251
[17] (2017) 10 SCC 1
[18] Constitution of India 1956
[19] www.ETLegalWorld.com, “Identifying First Originator of Info Undermines Privacy, Free Speech: Whatsapp in HC - ET LegalWorld” (ETLegalWorld.com) <https://legal.economictimes.indiatimes.com/news/industry/identifying-first-originator-of-info-undermines-privacy-free-speech-whatsapp-in-hc/83001886> , Rai A, “Decrypting Rule 4(2) | Law and Other Things” (Law and Other Things, August 10, 2021) <https://lawandotherthings.com/decrypting-rule-42/>
[20] The Guardian article, https://www.theguardian.com/world/2016/jul/19/whatsapp-ban-brazil-facebook
[21] WhatsApp traceability article, https://faq.whatsapp.com/1206094619954598