The government can make the regulations more secure and user-friendly by adopting a multi-stakeholder consultative approach
India's new Intermediary Guidelines and Digital Media Ethics Code under IT rules has created many wrangles between the top digital platforms and the Indian government. In a surprising and unprecedented move, Facebook-owned WhatsApp recently sued the Indian government over the new internet laws, arguing that the new regulations, which also give Indian authorities the right to trace individual messages, is an attempt to breach the privacy of its users.
By far the most popular social channel in India, WhatsApp's recent move is sidesplitting and reflects the company's arbitrarily and differential-standard treatment. In January this year, WhatsApp had introduced separate privacy and data sharing policies for Europe and India. As part of its policy, Facebook mandated its Indian users to share their data with Facebook and other associated platforms while relaxing this new diktat for its users in Europe, citing stringent General Data Protection Regulation (GDPR).
"WhatsApp argues against the government's new guidelines on the pretext of servicing its users’ privacy interest. However, questionably, it also tries to make blatant misuse of its dominant position by enforcing a policy on its users which they don't approve of," says Deepak Kumar, Founder Analyst at B&M Nxt.
However, a section of industry experts feels that WhatsApp has not done anything surprising and may need more time and deliberations to develop suitable solutions to adhere to the new IT laws.
"These guidelines are a good step and must be welcomed, especially from the lens of women and child safety. However, given the pandemic, the three-month timeline granted is significantly less and needs further deliberation," says Kanishk Gaur, Founder, India Future Foundation.
Gaur explains that all messaging platforms like iMessage, WhatsApp, or Signal use leading end-to-end encryption protocols. Therefore, finding the right set of solutions requires careful deliberation and rigorous auditing.
"These protocols use rigorously audited algorithms for reliable exchange of keys. If we have to track the first originator of the message, which the guideline talks about, we'll have to mark every message with a "stamp" as none of these platforms have a way of knowing which message may become problematic. Experts generally believe that this may undermine the security and privacy guaranteed by the underlying algorithms. The current issue needs more extensive deliberation and understanding as currently, no proposed cryptographic solution has tested full proof from a cybersecurity lens. At the same time, the government is saying that you come up with solutions but move forward in our direction. The government certainly has a legitimate interest in seeking this information, but this may require a longer and more collaborative effort to ensure users on platforms like iMessage, Signal, and WhatsApp do not feel insecure, especially in a very precarious cybersecurity landscape," he adds.
Interestingly, the digital platforms had over three months to raise their concerns as the government had given them the deadline of 25th May 2021 to comply with the norms. Yet, none of the social media giants took the government notifications seriously initially to raise their apprehensions.
Need for more accountability
The new IT rules are a step forward in India's attempt to make social and digital media platforms more accountable for the content shared on their channels and put necessary checks to curb technology abuse. The regulations mandate social media and digital giants with more than 50 lakh users — such as WhatsApp, Facebook, Twitter, and YouTube — to adopt significant compliance and grievance redressal mechanisms and be more responsive to user complaints.
For almost two decades, it appears that there has been a lack of political will to implement strong Indian Cyber Laws. Now the IT rules 2021 represent a different paradigm entirely. They have given immense power to the central government. These rules stand for strengthening the cyber sovereignty of India.
"Service providers have had honeymoon under the Indian cyberlaw for over a decade. They have been given kid-glove treatment, making them believe that they are special and always given preferential treatment. There were no proactive compliances earlier. It looks like this has resulted in some of the digital service providers to have some form of illusion that they [service providers] are special and therefore above the law," says Pavan Duggal, India's leading cyber law expert.
The government has made clear that non-adherence to the new IT guidelines will revoke the intermediary status of digital players, as per Section 79 of the Indian IT Act.
Duggal further elucidates that this [new IT laws] is a step in the right direction. Now, the government should focus on the speedy implementation of the Personal Data Protection Bill in India. "The message is clear: If any service provider fails to adhere to the new IT guidelines, they will invite deeper legal trouble for themselves," Duggal adds.
Right to the privacy debate
WhatsApp's argument against the latest IT guidelines is that the new laws violate the right to privacy under Indian law. They [WhatsApp] add that, to comply with it and ensure traceability features to identify originators of messages, they [WhatsApp] need to discontinue their end-to-end encryption feature. It would also need them to gather data exchanged between its subscribers regularly and require enormous resources.
But is it a valid dispute? Such laws are primarily essential to effectively deal with detection, investigation, and prosecution of cybercrimes and cybersecurity breaches.
"There is no legal foundation in that argument. No service provider can argue that it cannot tweak its technology to prevent its misuse. Because of certain exclusive features, they will continue to hide the identity of cybercriminals. This argument is legally not permissible to a service provider. If they persist with such arguments, governments can put them in the same category of co-accused or co-conspirator should it [government] find a valid reason that their platform has been used to execute nefarious activities," elucidates Duggal.
In some circles, a perception-based narrative is getting widespread attention, according to which these new laws attempt to create a police state and a censorship-based government. Industry experts discard this theory, and this conjecture is far from the truth. "The government is not looking at any such direction. "If you look at the IT rules 2021, there are only certain limited circumstances in which the government can ask about the information about the originator of the message," Duggal states.
Only in specific limited settings, this information can be sought by the government. And the data can only be passed by the digital media platform provider once the order is passed by competent jurisdiction or by statutory authority under Section 69 of the Indian IT Act.
The section allows the central government to block an intermediary's public access "in the interest of sovereignty and integrity of India, defense of India, state security, cordial relations with foreign states or public order or for preventing incitement to the commission of any cognizable offense relating to above."
"The government has done well by issuing the intermediary guidelines and put the necessary checks in place to ensure that these online tools do not become lawless playgrounds for criminals. There are adequate procedural safeguards. However, the government must maintain the balance by establishing a multi-stakeholder mechanism (panel) to keep a watch on any potential breach and recommend necessary corrective measures or punitive actions to the concerned government authorities," adds Deepak Kumar from B&M Nxt.
The final say
India is not the only nation that has rolled out guidelines around traceability requirements for efficient law enforcement. Australia, for instance, had introduced its encryption law under the Telecommunications and Other Legislation Amendment (Assistance and Access), better known as TOLA, in 2018. As a result, various industry estimates suggest that Australia's law enforcement bodies have become several times more effective in solving robbery and drug-related cases by leveraging encryption-breaking technologies.
The US has also come up with the lawful access to encrypted Data Act Bill in 2020 to strengthen its national security and prevent the misuse of encryption technology by malicious actors. In addition, countries such as the UK, Canada, New Zealand, and Japan are also keenly following the developments and keen to roll out legislation to access encrypted messages to maintain law and order in their respective countries.
However, it is also a valid argument that making traceability compulsory requires herculean efforts from service providers. They [service providers] will have to invest significantly in building capabilities to store and secure users data from hackers and cyber-criminals.
With the country looking to approve its Data Protection Bill soon, engaging with all stakeholders, getting critical learnings from the global markets where such laws have already been implemented, and including technical experts in the core committee to analyze different timelines and technology readiness can pave the way for a robust data protection regime.
The government has done well by issuing the intermediary guidelines and put the necessary checks in place to ensure that these online tools do not become lawless playgrounds for criminals