Whatsapp privacy issues and the way out

    • By,
      Shubham Shinde – Student, Kautilya

We had all become grossly concerned over intrusion of our privacy when the prominent internet messaging service, WhatsApp, rolled out updates to its privacy policy. However, there lurks a bigger threat in Rule 4 of the new Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, that mandates additional due diligence to be observed by providers of services having greater than 50 lakh registered users (classified as significant social media intermediaries) which upon request of law enforcement agencies are required to identify the first originator of the information on their platform.

WhatsApp challenged this rule on the grounds that tracing origins of specific messages would entail removal of its end-to-end encryption feature. In other words, the company would have access to conversations of all users adversely affecting their privacy. This requirement does not satisfy the threefold test of legality, necessity, and proportionality brought in by the Supreme Court in KS Puttaswamy vs. Union of India, the landmark ruling that established privacy as a fundamental right part of right to life.

However, providing complete impunity against content exchanged on a platform under the banner of it being a ‘private conversation’ can amount to its misuse for illegal activities or even coordinating terrorist attacks & some deterrence must be provided against the same. These platforms allow any user to post or forward a message to any number of individuals without revealing the identity of the original content creating user. This being multimedia content like videos, tends to have a more profound effect on the viewer & has seen to be spreading fake news having real implications.

The very fact that such a provision has been brought out & is the subject of debate has to do with the evolution of cyberspace. The concept of exception from liability of content in communication channels is not new. The same provision applies to postal services & companies providing telephone & cellular services. However, there are 2 key distinctions. Firstly, internet-based communication services allow users to reach out to a large number of people instantly. A user is bestowed with the reach of mass media without any of its responsibilities. Secondly, many of the former services were either government run or regulated when private players were allowed to enter. Here however, the government is at the mercy of few companies that over the years have self-regulated & followed their own principles without accountability all the while setting user expectations in a certain manner such that taking away these services now might prove to be difficult.

An instance in the United States can offer a way out. The FBI had in some cases, relating to investigation of perpetrators of mass shooting, most prominently the 2015 San Bernardino attack requested the service of phone manufacturer Apple to unlock the devices of the accused. The company refused on the grounds that it did not have the capability or that the fear of doing so would confirm the existence of security backdoors in their devices and would risk losing the trust of its customers.

The messaging apps in India today find themselves in a similar situation. In the former case however, the investigating agency was able to extract the data with the help of third parties. Breaking encryption though technically possible is not feasible & requires a significant amount of computing resources. We don’t see this happening in commonly used services such as credit cards or WhatsApp chats as the cost of breaking into them outstrips the value of information.

These messaging applications could be directed to use a defined standard of encryption, a technical safeguard to the test of proportionality so that on one hand would enable access to law enforcement agencies while on the other, given the financial cost with added transparency & administrative safeguards like mandatory court orders for breaking into personal devices, it can be seen that such powers would be utilized only in rarest of rare cases.

Some changes in the functioning of such platforms can also go a long way. Placing restrictions on the number of messages that can be sent or charging for them can go a long way in curbing irresponsible usage. A move akin to TRAI (Telecom Regulatory Authority of India) limiting the number of SMS sent per day to limit spam & unauthorised advertising.

*The Kautilya School of Public Policy (KSPP) takes no institutional positions. The views and opinions expressed in this article are solely those of the author(s) and do not reflect the views or positions of KSPP.