The previous post (here) set out how social media companies are key facilitators of public discourse, and structure the digital public sphere. The Intermediary Guidelines distinguish between ordinary intermediaries and ‘Significant Social Media Intermediaries’ (“SSMIs”) and Rule 4 sets out “due diligence” obligations that SSMIs must satisfy to avail of legal immunity for content shared on their platforms. In other words, a violation of Rule 4 of the Intermediary Guidelines does not itself impose liability on SSMIs, but it exposes them to a significant risk of liability given the large volumes of content being transacted on their platforms.
This post examines the requirement that SSMIs providing messaging services identify the “first originator” of specific content on their platforms pursuant to judicial or government orders. I begin by setting out the content of the requirement. Next, I briefly examine the role of secure communications and anonymity under the Indian Constitution. I then set out the technical proposals as to how a first originator may be identified and finally evaluate whether Rule 4(2) would survive constitutional scrutiny.
The ‘Traceability’ Requirement
Rule 4(2) obligates SSMIs that are “providing services in the nature of messaging” (think WhatsApp, Signal, Telegram, and iMessage) to “enable the identification of the first originator of the information on its computer resource”. SSMIs are required to comply with this obligation in two situations:
(1) where a judicial order is passed; or
(2) where an order is passed under Section 69 of the IT Act and the Information Technology (Procedure and Safeguards for interception, monitoring and decryption of information) Rules, 2009 (“IT Decryption Rules”).
The IT Act defines an “originator” as anybody who generates, transmits, or stores content. The effect of the rule is to enable the identification of the first user profile on a computer resource to generate, transmit or store a specific piece of information. While Rule 4(2) postulates a judicial order ordering identification, it does not mandate it. Orders under Section 69 are passed by senior civil servants, so there is no meaningful check on executive power. Further, the Union Government insists this is a measure to fight illegal content that has widespread reach; however, Rule 4(2) itself contains no threshold for ‘virality’ and could in principle apply to any content that was shared more than once. If there is more than one “originator”, there is de-facto a “first originator”.
Rule 4(2) includes three safeguards and creates one legal presumption. First, an identification order may only be passed for the purposes of “prevention, detection, investigation, prosecution or punishment” of offences “related to” the sovereignty, integrity, or security of India, friendly relations with foreign states, public order, or the incitement of offences relating to any of these headings but also rape, sexually explicit material, or child sexual abuse. Second, an identification order cannot be passed where a less intrusive means to identify the first originator exists. Third, no SSMI is required to disclose the “contents of any electronic message or any other information related to the first originator, or any information related to its other users”.
Finally, Rule 4(2) also states that if the first originator of content on the messaging platform is located outside India, the first originator within India (i.e., the first person who generates, stores, or transmits the content in India) “shall be deemed” to be the first originator with respect to that content.
Privacy and Proportionality in India
In the last post we examined how social media companies constitute the digital public sphere. This is borne out empirically in the case of messaging platforms as well. In a recent study conducted by the Reuters Institute and the University of Oxford, 52% of Indian respondents reported getting their news via WhatsApp. 60% clicked on news links, 46% posted or shared news on the platform, and 39% took part in group or private discussions. Messaging platforms facilitate public discourse and allow citizens to shape public opinion, perhaps best demonstrated by the high levels of political content on these platforms. Anonymity and security thus form crucial barriers against political speech being chilled.
Messaging platforms also allow individuals to share constitutionally protected but socially stigmatised views, ensuring individual autonomy and dignity. They allow people to securely discover and express themselves, and effectively organise with other citizens to create centres of countervailing power. As the former UNHRC Special Rapporteur noted, being protected from the public gaze may allow citizens to discover and share ideas they may otherwise be persecuted for. “The ability to search the web, develop ideas and communicate securely may be the only way in which many can explore basic aspects of identity, such as one’s gender, religion, ethnicity, national origin or sexuality.” However, the security provided by privacy is especially fragile. Courts have recognised that where even the threat of surveillance exists without a remedy, there exists an interference with a citizen’s privacy.
Almost two decades ago, the Supreme Court in PUCL recognised that Indians have a constitutionally guaranteed right to communicate privately. In Puttaswamy, the Court articulated a vision of privacy grounded in individual autonomy that interacted with and enabled the enjoyment of other rights guaranteed by the Constitution, most notably the right to freely and privately hold and express opinions, and associate with other citizens (¶412). In other words, privacy forms a necessary foundation to the enjoyment of the rights and privileges guaranteed by the Constitution. The Indian Constitution thus guarantees private and secure communications to both protect individual autonomy and facilitate democratic self-governance.
Any infringement on a citizen’s right to communicate privately must therefore satisfy the test of proportionality: (1) the infringing measure must pursue a legitimate state aim; (2) the measure must substantially further the state aim; (3) the measure must be the least restrictive option amongst equally effective alternatives; and (4) the measure must not have a disproportionate impact on rights holders.
Before we examine the issue of privacy and encrypted messages, there exists a preliminary issue of the very power to frame such a rule. The prefatory text to the Intermediary Guidelines notes that the Guidelines are issued under the powers granted to the Union Government by Sections 87(2)(z) and 87(2)(zg) of the IT Act. The former grants the Union Government power to frame web-site blocking rules and the latter grants power to frame rules to regulate the immunity granted to intermediaries. In short, neither of the sub-clauses relates to monitoring or tracing content on computer networks. The government may argue that Rule 4(2) forms legitimate regulation of intermediary immunity, but this is belied by the fact that the IT Act itself grants the government the power to monitor and decrypt content in a separate and independent provision, namely Section 69. Section 69 has its own rule-making provision, Section 87(2)(y), and the government has already framed the IT Decryption Rules under this section.
There exists a gap between Rule 4(2) mandating SSMIs to identify the first originator and the platforms being able to do so – and this is because all major messaging platforms such as WhatsApp, iMessage, and Signal are end-to-end encrypted. This means even if the messages on these platforms were monitored or intercepted, the messages would first need to be decrypted using a decryption key for their contents to be read. It is important to understand that the decryption key is stored on the user’s devices and not with platforms, so WhatsApp could not reveal the contents of messages even if it wanted to do so to comply with Rule 4(2). Further, the decryption key is unique between users, and changes over time. So even if a decryption key were acquired, it would reveal the contents of one chat for the limited period that the specific decryption key was used.
Understanding this, the impossibility of the task demanded of SSMIs comes into picture. How does a messaging platform trace a piece of content across thousands, potentially millions of chats (none of which it possesses decryption keys for) to locate the first originator? This tension is borne out in the IT Decryption Rules drafted in 2009. The Rules define “decryption assistance” as “allow access, to the extent possible, to encrypted information”. This is further buttressed by Rule 13(3) of the IT Decryption Rules, which states that “Any direction of decryption of information issued under rule 3 to intermediary shall be limited to the extent the information is encrypted by the intermediary or the intermediary has control over the decryption key.”
Given that Rule 4(2) of the Intermediary Guidelines expressly states that an order to identify a first originator shall be “as per” the IT Decryption Rules, it may plausibly be argued that an identification order under Rule 4(2) would simply not apply to a platform which does not possess the decryption key. In fact, Facebook has expressly contended that a ‘best efforts’ obligation to assist the government does not contemplate a platform radically modifying its platform to allow the government to trace originators. However, while the Union Government states that it does not want to break end-to-end encryption, it has insisted that platforms are obligated to modify their functionality to enable tracing first originators.
There have been two prominent proposals on how traceability may be achieved without breaking end-to-end encryption. The first proposal was mooted by one Professor Kamakoti and is discussed in Aditi Agrawal’s piece (here). More recently however, anonymous officials from the Ministry of Electronics and IT have argued that a “hash constant” may be used to identify originators.
The idea of a hash is to assign every distinct message a unique hash identifier. Briefly, if User P sends the message “I plan to undermine the Indian Government” to User Q, the message is assigned a hash identifier, for simplicity say the identifier is ‘52’. User Q now forwards the message to Users R, S, and T, who go on to send it to hundreds or thousands more until it reaches User M who believes the message to be illegal. Now, an investigative agency can ask the platform to run a search against all messages having the identifier 52, to find when it first appeared – with User P.
In her piece, Aditi notes that this may not work as platforms generate hashes based on: (1) the contents of the messages; and (2) the keys between users, which are constantly changing. Therefore, the message between User P and User R will have a different hash from the same message sent from User P to User T. This means that any one hash would be of limited value as it would disclose identical messages, between two users, sent when a specific decryption key was in use. All other identical messages would have different hashes.
Ironically, if this is not the case, the consequences are far grimmer. Because hashing ties an identifiable value to the contents of a message (e.g., 52=I plan to undermine the Indian Government), the platform, and consequently the government, could know every user on the platform who has that message on their phone. This is contrary to Rule 4(2) itself, which states that SSMIs shall not be required to disclose the contents of the message or any information related to other users. (Sidebar | it is entirely conceivable that over time the government shifts from searching for hashes that equal “I plan to undermine the Indian State” to hashes that equal “I don’t like the Indian Government.”)
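The two cases described above, as an added Python example that is not from the original post or from any messaging platform: a tag derived from contents alone versus a tag derived from contents and the key between two users. The forwarding log, the `chat_key` derivation (a stand-in for keys that differ per chat and change over time) and all function names are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample data: (sequence number, sender, recipient, text).
TARGET = "sample flagged text"
CHATS = [
    (1, "P", "Q", TARGET),
    (2, "X", "Y", "lunch at noon?"),  # unrelated chat
    (3, "Q", "R", TARGET),
    (4, "Q", "S", TARGET),
    (5, "Q", "T", TARGET),
    (6, "T", "M", TARGET),
]

def content_tag(text):
    """Identifier derived from the message contents only."""
    return hashlib.sha256(text.encode()).hexdigest()

def chat_key(sender, recipient, seq):
    """Hypothetical stand-in for a per-chat key that changes over time."""
    return hashlib.sha256(f"{sender}|{recipient}|{seq}".encode()).digest()

def keyed_tag(text, key):
    """Identifier derived from the contents and the key between two users."""
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()

def platform_log(mode):
    """What a platform would hold: routing metadata plus a tag, no plaintext."""
    log = []
    for seq, sender, recipient, text in CHATS:
        if mode == "content":
            tag = content_tag(text)
        else:
            tag = keyed_tag(text, chat_key(sender, recipient, seq))
        log.append({"seq": seq, "sender": sender, "recipient": recipient, "tag": tag})
    return log

def trace(log, tag):
    """Return (earliest sender, every user tied to the tag) for a tag search."""
    hits = [e for e in log if e["tag"] == tag]
    if not hits:
        return None, set()
    first = min(hits, key=lambda e: e["seq"])["sender"]
    users = {e["sender"] for e in hits} | {e["recipient"] for e in hits}
    return first, users

if __name__ == "__main__":
    # Contents-only tag: the search reaches P, and also names every holder.
    print(trace(platform_log("content"), content_tag(TARGET)))
    # Keyed tag taken from the copy M received: only the T -> M hop matches.
    reported = keyed_tag(TARGET, chat_key("T", "M", 6))
    print(trace(platform_log("keyed"), reported))
```

With the contents-only tag the search returns User P together with every other user who sent or received the message; with the keyed tag it returns only the single hop from which the tag was taken.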
The proportionality test is a cumulative one, and for the sake of brevity I only highlight the most striking issues with Rule 4(2). First, the State bears the onus of demonstrating that the measure (tracing first originators) furthers its stated aims (preventing the incitement of offences against the integrity of India, sexually explicit material etc.). The law recognises that nearly any measure may potentially be useful or desirable for governments to achieve the cessation of crime and ideally, requires that the State demonstrate the measure in question is “necessary” to achieve its stated aims.
Why first originators?
It is unclear how tracing the first originator assists the State in achieving its aims. We cannot assume that the first originator created the content. This logic is defeated as Rule 4(2) cannot cover cross-posting; a Twitter user could create and upload a video that is subsequently downloaded and shared on WhatsApp – the first originator is not the creator. Rule 4(2) itself rejects the creation rationale by acknowledging that content may be created outside India but sent to India – creating a ‘first receiver’ of sorts. Now if we were to argue that this ‘first receiver’ is facilitating the spread of the illegal content in India, how do we justify overlooking other originators for domestically sourced content? Imagine I send “illegal” content to User X, who forwards it to a group with several thousand users – who is facilitating the spread of illegal content and whom should the law be more focussed on identifying, and how should liability be apportioned between User X and me?
Further, as Nandan Kamat noted, secondary liability for repeating and disseminating speech varies depending on the offence (public order, defamation, etc.). In some regimes, each re-publication (forward) constitutes a wholly new publication while in other cases liability for repeating content is minimal. The level of due diligence a speaker exercises before sharing content varies widely based on the content and the platform. Context is also crucial. Imagine illegal content is circulating on Platform A and Platform B. On Platform A, the content is being used to incite violence but on Platform B the content is being used to generate counter-speech against violence. As Rule 4(2) states that the contents of the messages cannot be disclosed, how do we differentiate between the originator on the two platforms? The first originator on Platform B may provide context by displaying the contents of her messages, but she should not have to, she should not even be implicated in a criminal proceeding for making constitutionally protected speech. All in all, Rule 4(2) is a blunt instrument most likely to limit the spread of both legal and illegal content by creating a massive chilling effect on users.
Are first originators the first?
Another major issue is that there is a distinction between proving that content first originated from a particular device or user profile and proving that the person who owns the device sent the content. The possibilities for manipulation are endless, ranging from virtual sim-cards linked to foreign numbers that are sold on all major app-stores for as little as ₹100 to picking up somebody’s phone or acquiring remote access privileges. This manipulability and arbitrariness are aggravated by the fact that Rule 4(2) is limited to a single SSMI’s platform (excluding cross platform posting) and the geographic restrictions.
Imagine a piece of “illegal” content is widely circulating on WhatsApp (or even better, a smaller messaging service falling below the threshold of an SSMI). User X using a virtual (foreign) sim cross posts it to Telegram by sending it to his mother, and then uses her phone to forward it back to User X’s Indian Telegram. User X now forwards it to a Telegram group with 5,000 users. User X’s mother is the first originator. Therefore, how far the identity of the ‘first originator’s’ user profile or device can aid in criminal prosecution or curbing misinformation is highly questionable.
The State must also demonstrate that tracing the first originator is the least intrusive method of achieving its aim among effective alternatives. While there seems to exist some uncertainty within the Union Government as to how the identification of first originators will be operationalised, the present proposals are particularly intrusive and risk the privacy of other users. An order under the IT Decryption Rules does not require judicial authorisation, and no remedy is provided to users. Because the government itself is a substantial actor on messaging platforms, the necessary independence of identification orders has not been secured. While Rule 4(2) prohibits an identification order from being passed where less intrusive measures exist, there exists no legal structure to guarantee or even scrutinise an incompetent or mala fide claim by an investigative agency that this is actually the case. Further, if hashing were to be employed, basic safeguards such as data retention and expiry are not in place – how long can a hash identifier associated with content be active?
This leaves the Government with a high burden to demonstrate that Rule 4(2) achieves something other measures simply cannot. This is undermined by the fact that mobile platforms already provide the Government a host of ‘basic subscriber data’ allowing the Government to trace users. For example, under the Criminal Procedure Code the Government already requests platforms to provide users’ phone numbers, names, device info, app version, start and end times, last connection, IP and email addresses and web-client data. The Government also has other legal powers such as wiretapping, geo-location, and physical surveillance of suspects. Further, the Government can also use human intelligence to infiltrate and track users on messaging platforms, as reporters have done to investigate the organised spread of misinformation. In summary, the Government has a host of alternative investigative tools while citizens rely almost exclusively on encryption to protect their communications.
Encrypted communications are a thorny issue world over and law enforcement agencies are lobbying hard to access user messages. But given the importance of encrypted messaging to the autonomy and dignity of citizens, and its centrality to shaping public discourse in India, any restrictions must be strictly scrutinised from the lenses of the rule of law and due process to address the power imbalances that exist between citizens and the State. How Rule 4(2) will be operationalised will have a substantial bearing on its legality. However, as it stands today, the identification of first originators requires weakening the privacy of millions of Indian users to ineptly trace a few potentially bad actors; actors that we are unclear whether we should, or how we will, ultimately hold guilty.