WhatsApp Complying with Traceability Provision Will Create Technical Vulnerabilities that Can Be Exploited: Internet Society

The Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code), Rules, 2021 or the new IT Rules 2021 as it is more commonly known have now effectively come into place. While WhatsApp has filed a case against the Indian Government with regard to a clause on divulging information on the first originator of a message, the platform has complied by naming Paresh B Lal as the grievance officer for India.

Nevertheless, Akriti Boppanna, policy and advocacy manager, Internet Society is of the view that identifying the first originator of the message will mean that certain features of the end-to-end encryption will have to be compromised, which in turn may give rise to technical vulnerabilities that are open to exploitation. In a conversation with Dataquest, she further shed light on various other problems with regard to the new rules.

The government of India says that it only requires information on first originator when a certain message either is a threat to the nation, is about child pornography and other similar instances. Isn't this a valid ask?

We all want to limit harmful content online, but the method proposed by the Indian government tries to solve one problem by creating thousands more. They are ignoring the fact that any method that allows a messaging service to associate users with specific content would mean that all content, in this case all of our communications, would be subjected to this process of identification and correlation. Every security loophole mandated by a government is subject to abuse, including by criminals and hostile actors.

What's being proposed by the Indian government creates technical vulnerabilities that cannot be solved through governmental policies or limits on scope. Even with sufficient accountability and transparency measures, which are currently lacking for government requests from intermediaries, these security vulnerabilities would still be open to exploitation.

Law enforcement agencies have plenty of other ways to investigate crime without tracing the source of encrypted content – and these have proven to be much more effective than any backdoor or mass surveillance mechanism. These include open-source intelligence such as publicly available information on social media sites, evidence from witnesses or accomplices, and communications metadata.

Indian Government has also stated that other countries such as Brazil, United Kingdom, United States, Australia, New Zealand and Canada, also have asked for tech companies to include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can gain access to data in a readable and usable format. So why does WhatsApp have a problem is doing the same in India?

It is true that these countries have asked for such mechanisms, but except for Australia and the United Kingdom, none have been granted. And to our knowledge, even for Australia and the UK the powers to compel a company to provide access to encrypted data have not been exercised. End-to-end encrypted messaging services around the world have pushed back on these requests because it undermines the secure nature of such communications, and some have stated that they would remove their services from countries that mandate such access.

If not for the new IT rules, how else could the Indian Government curb the spread of fake messages?

The spread of fake news preceded the Internet, but in today's environment it is key for people to have trusted sources of information. A growing number of initiatives understand this and focus on raising public awareness on how to spot disinformation and misinformation. Fact-checking organizations such as Boom and Alt News undertake this kind of work as well. We have seen police officers employ traditional story-telling techniques and folk plays to create engaging narratives in rural language to spread awareness.

The Government can also help debunk false news by proactively promoting information from trusted, credible sources in its own platforms and social media accounts. In fact, this trusted information is best delivered via end-to-end encrypted services which guarantee that the information has not been altered in any way between its source and its recipient.

Should platforms be held accountable for their misuse, like the Indian Government says they should?

At its core, this is not an Internet problem, it is a human behaviour problem. In the case of misinformation, the way to tackle its spread is by ensuring timely and accessible availability of trusted, verified information in local languages, along with education to help users identify true versus false information. This would discourage people from believing and further disseminating misinformation. In fact, trusted information is best delivered via end-to-end encrypted services which guarantees that the information has not been altered in any way between its source and its recipient.

Anything else you would like to add?

The traceability requirements undermine end-to-end encryption and not only undermine trust in the Indian tech industry, but put the security and privacy of all users, including government officials, at risk. Far from making Indians safer, the Guidelines put Indians at more risk than before, and the traceability provision must be repealed.