Tech Law Forum @ NALSAR

A student-run group at NALSAR University of Law

Breaking Encryption and Violating User Privacy: Is there a Way Out?

Posted on May 2, 2021 | December 27, 2024 by Tech Law Forum NALSAR

[This post has been authored by Shamik Datta and Shikhar Sharma, first year students at NALSAR University of Law and National Law School India University respectively.]

How the IT Rules break End-to-End Encryption

End-to-end encryption ensures that intermediaries or third parties don’t have access to the content of the message and identity of the communicating parties. However, Rule 4(2) of the new Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules 2021 specifies that all ‘significant social media intermediaries’ must enable the traceability of the first originator of a message. The collected information may be used if and when required by a court of competent jurisdiction or competent authority under Section 69A of the Information Technology Act, 2000. The information derived via the breaking of end-to-end encryption may be used to investigate offences abetted or caused by the spread of fake news. This includes open-ended offences like disturbing ‘public order’, which are broad in their scope and thus leave a wide scope for their blatant misuse and arbitrary interpretation. The proviso to Rule 4(2) states that intermediaries are not required to reveal the content of the message, or any other related information. However, under Rule 4 of the IT (Procedure and Safeguards for Interception, Monitoring and Decryption) Rules, 2009, the government possesses the power to demand the revelation of the content of electronic messages. The government could, upon identifying the user under the 2021 Rules, ask the intermediary to decrypt the content of other messages of the same user under the 2009 IT Rules citing “public order” (for example, citing the history of the user as a fake news spreader). This would render the proviso to Rule 4(2) of the 2021 Rules meaningless. Therefore, when the information about the first originator is gathered via enabling traceability and powers to disclose the content of the message are exercised, it leads to a break in end-to-end encryption. This destroys the very purpose of the cryptographic keys and encryption protocols developed over the years to encode the messages and safeguard the identity of their sender.

This article attempts, first, to analyse whether a break in this end-to-end mechanism leads to a violation of one’s privacy as per the Puttaswamy judgement. Second, it aims to propose an alternative solution to achieve the objective of the government while keeping in mind the significance of respecting user privacy.

Does a break in encryption violate the user’s right to privacy?

In 2017, a 9-judge bench in K.S. Puttaswamy v. Union of India declared the right to privacy a fundamental right under Article 21 of the Constitution of India. The bench held that privacy has both a negative and positive component. Not only does it restrict state interference in the private sphere, but it also places an obligation on the state to take all necessary measures to protect an individual’s privacy. Article 21 has generally been read purposively, rather than textually. In the digital age, encryption is critical to protect the privacy and the confidentiality of one’s personal conversations. Therefore, the authors shall demonstrate on two prongs that a break in end-to-end encryption would violate the right to privacy of the user. First, by illustrating that disclosure of information about the ‘first originator’ of a message violates the informational privacy of a user. Second, by demonstrating that the disclosure of the content of a text message violates the communicational privacy of the user.

Informational privacy recognises the individual’s control over the dissemination of his/her personal material (identifiable to the individual): its collection, its storage and its disclosure. Previously, in R. Rajagopal v. Union of India, the apex court held that it is an individual’s right to have control over their personal information, even when contested against the freedom of expression. The traceability of the ‘first originator’ of the message would require decrypting the encrypted information about the first originator. The protection of such information flows from the ‘reasonable expectation of privacy’, which entails that the government or any third party cannot access the user’s personal information without their express consent. Moreover, the very objective of encryption lies in protecting the user’s identity, thereby maintaining privacy. Identification of the ‘first originator’ would have a grave impact on the privacy of journalists, whistle-blowers, abuse survivors and individuals belonging to marginalised groups, who are susceptible to a high risk of harassment and violence if their identities are disclosed. Therefore, information identifiable to a user must be protected and the user must continue exercising control over the dissemination of such information.

Communicational privacy refers to the user’s right to restrict access to communications or control over the use of information communicated to a party. This notion was covered under one of the nine aspects of privacy in Justice D.Y. Chandrachud’s opinion in the Puttaswamy judgement. A user sending a particular message to another via a platform that promises end-to-end encryption does so under a ‘reasonable expectation of privacy’. This reasonable expectation extends to all information related to the content of the particular message. However, the government’s demand to disclose the content of the private messages would lead to a break in end-to-end encryption. Therefore, the user loses ‘control’ over the use of information communicated under a reasonable expectation of privacy. This would lead to a breach of communicational privacy of the user, thereby breaching one of the nine aspects of the right to privacy.

A Proposed Solution

Fake news leading to national security concerns is one of the major reasons behind the implementation of these IT rules. In the recent past, fake news has led to instances of mob lynching, mass hysteria, communal riots and abetment to murder. Therefore, there exists a valid concern regarding the same. The government demands traceability, and information about the first originator of the message to tackle fake news. Nevertheless, breaking encryption to fulfil this objective violates the privacy of the user as shown above.  

Harmony between the fulfilment of these government objectives and respecting an individual’s privacy can be found in emerging technologies, an example being metadata analysis. Metadata refers to data that is used to identify other data. In this proposed alternative, we shall consider the metadata involved in private text messages exchanged on social media intermediary platforms. This metadata has already been used to some extent by these intermediaries. For example, WhatsApp assigns a cryptographic hash, a form of identifier, to attachments despite end-to-end encryption. Experts claim that WhatsApp does the same for its text messages as well. Assigning such identifiers can track the spread of a message in the network, without breaking encryption. Hence, the privacy of an individual is not compromised.

Intermediaries can take this one step further and set up a fake-news analysis model. In this model, once a set number of users flag a particular part of a message as fake, the users may attach a verifiable source or reference to justify their report. The intermediary may set up an artificial intelligence-based fact-check algorithm, the working of which shall be inspected by an independent body of experts. The independent body shall be constituted to ensure separation of the intermediary and the working of the fact-check mechanism. This algorithm shall verify the flagged portion against the sources provided, to fact-check the content. Information once reviewed should be erased from the algorithm’s database to prevent future misuse of the data. Furthermore, metadata-based signals such as the frequency of propagation of a message in the network, number of forwards, etc. may be used by the algorithm for prioritizing the review of messages. Upon finding the message to be indeed fake, the algorithm may attach a disclaimer to the message, highlighting the suspected ‘fake’ content that the message may contain.
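
The flag-and-prioritise flow proposed above, sketched as an added example (not code from the post or from any intermediary). The threshold of 3, the SHA-256 identifier computed on the sender's device, and all names are assumptions; the fact-check verdict itself is supplied from outside.

```python
import hashlib
from collections import defaultdict

FLAG_THRESHOLD = 3  # assumed; the post only says "a set number of users"


def message_id(content: bytes) -> str:
    """Identifier assumed to be computed on the sender's device and sent as metadata."""
    return hashlib.sha256(content).hexdigest()


class ReviewQueue:
    """Intermediary-side state: digests, counters and reporter-supplied sources only."""

    def __init__(self):
        self.forwards = defaultdict(int)  # digest -> number of forwards seen
        self.flags = defaultdict(dict)    # digest -> {reporter: source URL}
        self.disclaimers = set()          # digests judged fake

    def record_forward(self, digest):
        self.forwards[digest] += 1

    def flag(self, digest, reporter, source_url):
        # Keyed by reporter so one account cannot reach the threshold alone.
        self.flags[digest][reporter] = source_url

    def pending(self):
        """Digests with enough distinct reporters, most-forwarded first."""
        due = [d for d, f in self.flags.items() if len(f) >= FLAG_THRESHOLD]
        return sorted(due, key=lambda d: (-self.forwards[d], d))

    def resolve(self, digest, is_fake):
        """Apply the reviewer's verdict, then erase what was collected for review."""
        if is_fake:
            self.disclaimers.add(digest)  # only the digest is kept, to attach the notice
        self.flags.pop(digest, None)
        self.forwards.pop(digest, None)


def demo():
    q = ReviewQueue()
    rumour = message_id(b"constructed sample: widely forwarded rumour")
    joke = message_id(b"constructed sample: rarely forwarded joke")
    for digest, count in ((rumour, 40), (joke, 5)):
        for _ in range(count):
            q.record_forward(digest)
    for user in ("u1", "u2", "u3"):
        q.flag(rumour, user, "https://factcheck.example/r1")
        q.flag(joke, user, "https://factcheck.example/j1")
    order = q.pending()            # rumour first: more forwards
    q.resolve(rumour, is_fake=True)
    return order, q
```

The queue never holds message content: review order comes from forward counts, and `resolve` drops the reports and counters once a verdict is recorded.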

Conclusion

The right to privacy of an individual is essential to maintain their personal dignity. End-to-end encryption safeguards one’s personal dignity. It upholds the dignity of private conversations by ensuring exclusivity between the two parties. An attempt to break this encryption therefore violates the right to privacy of an individual, as demonstrated. Using metadata and artificial intelligence as an innovative tool to serve the purpose of tackling this ‘digital-era’ issue of fake news ensures that the government’s objective is in harmony with the dignity and privacy of the user.
