Facebook-owned instant messenger WhatsApp, in a petition in the Delhi High Court, said that enabling identification of the first originator of information on its platform in India puts end-to-end encryption and its benefits at risk, as it urged the court to pass a direction declaring this requirement ultra vires the IT Act.
WhatsApp submitted that the requirement will force it to break end-to-end encryption on its messaging service, as well as the privacy principles underlying it, and infringe upon the fundamental rights to privacy and free speech of the hundreds of millions of citizens using it to communicate privately and securely.
It has challenged the requirement in the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ('Intermediary Rules') that intermediaries like it enable "the identification of the first originator of the information" in India on their end-to-end encrypted messaging services (traceability), upon government or court order.
"To require intermediaries like the petitioner to enable the identification of the first originator of information in India on their end-to-end encrypted messaging services, there must be a clear policy declaration in Section 79 that Parliament intended to impose such a requirement. However, no such declaration exists in Section 79," said the plea challenging Rule 4(2) of the IT Rules, 2021.
The petition contended that the requirement that intermediaries like WhatsApp enable the identification of the first originator of information in India on their platforms puts end-to-end encryption and its benefits at risk. "Petitioner would be forced to build the ability to identify the first originator for every message sent in India on its platform upon request by the government forever. This breaks end-to-end encryption and the privacy principles underlying it, and impermissibly infringes upon users' fundamental rights to privacy and freedom of speech," added the plea.
It urged the High Court to pass an order declaring that Rule 4(2) is violative of Articles 14, 19(1)(a), 19(1)(g), and 21 of the Constitution, ultra vires the IT Act, and illegal as to end-to-end encrypted messaging services. Also, criminal liability may not be imposed for non-compliance with Rule 4(2), and any attempt to impose criminal liability for non-compliance with Rule 4(2) is unconstitutional, ultra vires the IT Act, and illegal, the petition added.
WhatsApp said there is no way to predict which message will be the subject of a tracing order; therefore, it would be forced to build the ability to identify the first originator for every message sent in India on its platform upon request by the government forever.
To satisfy the legality requirement, there must be a valid law allowing for the invasion of privacy, it said. "However, there is no statute requiring intermediaries to enable the identification of the first originator of information in India on end-to-end encrypted messaging services upon government or court order. Nor is there any statute that allows the imposition of such a requirement through subordinate legislation like the Intermediary Rules," said the petition.
According to Rule 4(2) of the IT Rules, 2021, a significant social media intermediary providing services primarily in the nature of messaging shall enable the identification of the first originator of the information on its computer resource as may be required by a judicial order passed by a court of competent jurisdiction or an order passed under section 69 by the competent authority as per the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.