WhatsApp has been in the news recently over its new privacy policy. While WhatsApp steadfastly maintains that user privacy continues to be upheld in the new privacy policy, it has been facing legal troubles in regions like Germany and hurdles in India too which prevent it from taking coercive action. Now, WhatsApp is suing the Indian government in an attempt to protect user privacy in India, and the service might actually be on the right side on this one.

According to a report from Reuters, WhatsApp has filed a legal complaint in Delhi High Court seeking to block new regulations that come into force on Wednesday that would otherwise force WhatsApp to break privacy protection on its service. The lawsuit purportedly pleads the Court to declare that one of the new rules is a violation of privacy rights enshrined in the Indian constitution, as it requires social media companies to identify the "first originator of information" on the demand of government authorities. The new regulations require this within the context of unmasking people accused of wrongdoing, but such action is not possible without breaking the end-to-end encryption for all of its users.

India's new Intermediary Rules

Let's back up a little to understand what is happening here and what is being challenged by WhatsApp.

On February 25, 2021, the Indian Ministry of Electronics and Information Technology and the Ministry of Information and Broadcasting issued the new Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 [referred to as "Intermediaries Rules" in short]. Under these rules, social media platforms that get classified as "significant social media intermediaries" had several obligations that they need to comply with. The deadline to complete these obligations was 3 months from the date of notification, i.e. May 25, 2021. In short, these new rules come into effect today.

There's more technicality to the definition of "significant social media intermediaries", but for the sake of understanding, think of them as social media platforms with more than 5 million registered users (not to be confused with Daily Active Users or Monthly Active Users -- just registered users and account signups of all time). In effect, the definition captures platforms like Facebook, Twitter, WhatsApp, YouTube and so many more beyond them.

Compliances

Again, the law is fairly technical, but here's a summary of the compliances envisaged under the new Rules:

  1. Removal of immunity from lawsuits for content posted on the platform.
  2. Shorter timelines to address takedown and assistance requests from government agencies.
    1. Potential criminal prosecution of the service's Grievance Officer on failure to timely address such requests.
  3. Setting up of Indian residents employed within the service/company as:
    1. Chief Compliance Officer for ensuring compliance with Indian laws.
    2. Nodal contact person for 24x7 coordination with law enforcement agencies.
    3. Grievance Officer for abiding with timelines on takedown and assistance requests.
  4. Allow users to voluntarily verify their identity on such platforms using government-issued identity documents.
  5. Enable traceability of the originator of messages on their platform and allow the government to make demands for the message content.
  6. Enable automated tools to identify and take down several types of objectionable content and any information that is exactly identical to the information that was previously removed.

As you can see, some of the compliances are fairly onerous and difficult to implement without significantly changing the way the Internet, Social Media, and Instant Messaging works in India.

WhatsApp's new lawsuit and contentions against "traceability"

WhatsApp's new lawsuit is against these new rules, with a big focus on point number 5 mentioned above, i.e. traceability. The lawsuit is said to cite a 2017 Indian Supreme Court judgment (KS Puttaswamy vs Union of India) which had upheld that the right to privacy was a fundamental right already enshrined within the Constitution of India. The court found that privacy must be preserved except in cases where legality, necessity, and proportionality all weighed against it.

WhatsApp argues that the law fails all three of those tests, starting with the lack of explicit parliamentary backing.

Outside of the lawsuit, WhatsApp also issued an FAQ on traceability, arguing that traceability requires messaging services to store information that can be used to ascertain the content of people’s messages, thereby breaking the very guarantees that end-to-end encryption provides.

In order to trace even one message, services would have to trace every message.

There's no effective way to trace any one particular message without putting into place a mechanism to trace all messages on the platform, as there's nothing to predict which message a government would want to investigate in the future. WhatsApp even contends in the FAQ that a government that chooses to mandate traceability is effectively mandating a new form of mass surveillance. To comply, messaging services would have to keep giant databases of every message you send, or add a permanent identity stamp -- like a fingerprint -- to private messages with friends, family, colleagues, doctors, and businesses. Companies would be collecting more information about their users at a time when people want companies to have less information about them.

Traceability also violates human rights, as it forces private companies to turn over the names of people who shared something even if they did not create it, shared it out of concern, or sent it to check its accuracy. Through such an approach, innocent people could get caught up in investigations, or even go to jail, for sharing content that later becomes problematic in the eyes of a government, even if they did not mean any harm by sharing it in the first place.

Further, there's nothing to prove that traceability would even work for the purposes intended. Tracing messages would be ineffective and highly susceptible to abuse. Think of this like a tree with many branches -- looking at just one branch doesn’t tell you how many other branches there.

WhatsApp's FAQ then goes on to present views from several different experts, including Mozilla, Stanford Internet Observatory, Electronic Frontier Foundation, and the Internet Freedom Foundation. Long story short, everyone majorly believes that the new Intermediary Rules will break end-to-end encryption in India.

What's next?

The lawsuit details are not completely available at this time. But speaking from experience, the Delhi High Court will list the matter for a future date and allow WhatsApp and the Government to present their arguments. In the meantime, the High Court could choose to provide injunctive relief and prevent the compliance requirements from coming into force till the completion of the lawsuit. Note that WhatsApp is not the first to be filing a lawsuit against these Intermediary Rules as matters are pending in several other High Courts in India. But it definitely is one of the biggest names to stand in legal opposition to the new Intermediary Rules.

Also, note that this particular lawsuit is entirely separate from any regulatory investigation and pending judicial proceedings against WhatsApp on its own new privacy policy that envisages certain data sharing with Facebook.

Will Social Media Platforms be banned in India?

In the run-up to the compliance deadline of the Intermediary Rules, rumors abounded on Facebook, Twitter, Instagram, and WhatsApp that all these services will get banned in India at the end of the day on May 25, 2021. As we can already see, these were baseless rumors. The services are not getting banned, at least not immediately. The new Intermediary Rules were misinterpreted for clickbait by SEO farms and influencers.

The new Intermediary Rules do remove immunity from criminal prosecution for these social media platforms, but they do not by themselves allow for an immediate knee-jerk "ban".