Last week, WhatsApp decided to legally challenge one of India’s new IT guidelines, which requires messaging platforms to assist investigative agencies in locating the originator of problematic messages. WhatsApp believes that this requirement can break end-to-end encryption and undermine people’s right to privacy.
The government responded by saying that it was committed to ensuring privacy for all its citizens, and that it also had to ensure national security.
Are these new guidelines designed to adequately balance privacy and security, especially in the context of social media intermediaries like WhatsApp? Rishabh Bailey and Parminder Jeet Singh discussed this question in a conversation moderated by Sriram Srinivasan. Edited excerpts:
What are your thoughts on how the IT Guidelines relate to the privacy versus security issue?
Rishabh Bailey: The quick answer is that every provision of the new IT guidelines is very important to the structure and parent IT Act 2000. Entities only make superficial efforts to balance privacy and security activities. But it is certainly very clear that security activities are being prioritized over civil liberties functions in addition to financial ones.
Keep in mind that the federal government already has great monitoring powers. This was also recognized in the Justice Srikrishna Committee report that came out with the draft Information Security Act in 2018.
Therefore, in seeking to modify these powers, the government is giving itself a higher capacity to be heard and to interfere in the private life of residents. In particular, the traceability obligation within the new guidelines is problematic because the technical literature on it is practically generic, agreeing that it could break the use of end-to-end encryption for all customers on platforms such as WhatsApp.
Additionally, end-to-end encryption is really essential within the digital economy as information theft and hacking are all but increasing in India. There is also the problem of platforms misusing people’s information. So, ideally, we should try to encourage additional user-controlled encryption and not limit this risk.
Parminder Jeet Singh: Let me start with the factors of agreement with Rishabh, and that is the context of the way the state is using its powers in a way that is turning out to be very damaging.
Having said that, we also have to look at the issues in the sense that our societies are changing from pre-digital to digital societies, and there must be a lot of fundamental structural changes.
These also include the levers of law enforcement required in the new context. Second, as Justice Srikrishna observed, a new law should be brought in, which discusses logic, provides good institutional checks and balances, which then places this significant and new legal risk for law enforcement in that context.
Third, the biggest problem with WhatsApp is that it is a personal communication channel, and of course, once it goes viral, it becomes public.
So, what happens is that with the originator or traceable mandate, whoever is writing a private message to their friend fears that although they are giving an assessment, that is, in a non-public sense, not a prison. Although it could very well be a prison in the public sense. So, how you keep the individual and the general public stable is a concern.
Rishabh, do you believe that the use of metadata is enough to deal with this problem?
RB: It’s not clear why you might have a selected mandate for traceability. Certainly, metadata can be accessed by law enforcement in addition to various types of unencrypted information. Also note that current law in India also allows the government to request decryption of data where it is with a middleman or where the middleman holds personal encryption keys.
Would the decryption guidelines be relevant in a context where there is no key for decryption other than the ends of the communication?
RB: That’s really the core problem here, which is that the government wants you to move away from encryption managed by users to encryption done by middlemen. If the middleman is controlling the encryption keys, the federal government can simply go to them and ask for this data.
PJS: I don’t think that the traceability of encrypted messages requires breaking encryption.