The Intermediary Liability Rules, introduced on Feb 25, 2021, mandate social media companies with more than 5 Mn users in India to enable traceability of end-to-end encrypted messages and establish local offices with senior officials to deal with compliance, user grievances and taking down of objectionable content.
Of course, the rules are not a bolt from the blue. They have been under various stages of discussions and deliberations since 2018. But the urgency to implement them comes at a time when the Indian government and its global counterparts seem to be stuck in a combat mode with social media and messaging apps to control how news, views and ideas travel via these platforms.
The new rules for digital media intermediaries such as news portals, social media and OTT platforms are not only broad-based and vague but also restrictive in the strictest sense of the term. But there is a deeper concern. To what extent will they be used to trace and decode private messaging? After all, the chief requirement of the new system is that all major social media intermediaries (WhatsApp, Facebook, Twitter, YouTube and more) have to disclose the identity of the ‘first originator’ of any information if it is required by the authorities. Besides, they have to alter their respective interfaces to clearly distinguish verified users from the rest, set up automated tools for content filtration (detecting problematic content) and must tell users why their accounts have been blocked if those users fall foul of the platforms (read if they violate platform norms).
Privacy Faux Pas That Hit Brand WhatsApp
A few weeks ago, the entire country was debating how Facebook-owned WhatsApp was infringing on user privacy after the company announced its new privacy policy and terms of service. The messaging app, with a 400 Mn strong Indian user base, sought to use the information related to business transactions done on the app, besides accessing device-level data, IP address and other details on how users interacted with all Facebook group companies, including Instagram.
According to the updated privacy policy, WhatsApp also sought permission to share one’s metadata, which would allow the company to profile a person and use that information for business purposes. Although that policy stopped short of giving WhatsApp the right to read personal chats, it allowed the company to use critical personal data in multiple ways.
At the time, championing the cause of user privacy, California-based messaging app Signal’s cofounder Brian Acton suggested that his company’s non-profit model was positioned to value user privacy, and Signal was not looking to gain by using user data.
“When a company is for profit, their motivations strive towards gaining more profit. Signal is an independent non-profit, and our motivation is different, our mission is to provide the best tools for communicating privately with your friends, family and colleagues. We follow a revenue model of donations and contributions, which fuel the cause of data privacy, and we aim to continue the same. No ads. No trackers,” Acton told India Today in an interview.
Pavel Durov, founder and CEO of the messaging app Telegram, also took a dig at WhatApp’s new privacy policy by putting out a blog on his Telegram Channel. “I hear Facebook has an entire department devoted to figuring out why Telegram is so popular. Imagine dozens of employees working on just that full-time. I am happy to save Facebook tens of millions of dollars and give away our secret for free: Respect your users,” it says.
Immediately after WhatsApp informed users about its updated privacy policy, data from Sensor Tower showed a 35% dip in WhatsApp downloads. In sharp contrast, Signal saw its India downloads soar by 9,483% while Telegram’s downloads grew by 15%. Although user migration across apps has stabilised since (many chose to return to WhatsApp after their initial anger abated), privacy remains crucial in a country often plagued with data breaches. WhatsApp did not escape unhurt, though, as a large number of businesses moved their sensitive and business-related conversations to Signal or Telegram. A few social elites also followed suit.
Blessing In Disguise For WhatsApp?
How are the social media companies reacting to the new regulation? Social media giant Facebook is mulling to challenge India’s new guidelines for digital media intermediaries in a court of law on the basis of an individual’s right to privacy, sources close to the company have told Inc42 on the condition of anonymity. Facebook may file an appeal on its own or jointly with its social media peers who will be affected by the rules.
Facebook has been under pressure to salvage its image on user privacy in the face of attacks from its rivals. So, it is only natural for the company to get into a high-octane campaign to uphold user privacy. But the brouhaha apart, there is an ironic twist here. If one looks at the long-term impact, it will not be difficult to realise that Facebook may be the biggest beneficiary under the new set of rules notified by the government.
Experts who have spoken to Inc42 believe that the new policy actually ensures a level playing field for every messaging company by making the privacy pitch almost irrelevant.
According to an expert who does not want to be quoted, “Traceability of the first originator of a message will require apps to have a mechanism that can break the chat encryption. Of course, not every chat will be shared with the government. But the ones that need to be shared will require the app to share user data and that cannot be done without bypassing the encryption. It means these apps cannot have encrypted chats at all. So, what is left of Signal and Telegram in the debate against WhatsApp when it comes to privacy?”
Gurshabad Grover, a senior policy officer at the Centre for Internet and Society (CIS), a Bengaluru-based non-profit and multidisciplinary research organisation, said in a coversation with Mint, “Traceability of the first originator will require private messaging apps to retain more data on users’ texts, which includes metadata about messages, that is currently deleted by many platforms. Signal, for instance, retains nearly no data about users and the texts they send. Now, they will be forced to start retaining to comply with the new demand.”
Although Signal uses WhatsApp-like end-to-end encryption, most privacy advocates recommend it because the app only collects a user’s phone number. Unlike other messaging apps, it does not request permissions to connect to any other user data, thus reducing user profiling opportunities. Some forks (variations derived from the original software) of Signal, an open-source protocol rather than a single app, do not even require users to furnish their phone numbers. Telegram also supports self-destructing messages for private chats. But it stores phone numbers and user locations and provides end-to-end encryption for ‘secret chats’ only.
From a simple business point of view, the kind of data an app gathers and retains is a clear indicator of user profiling and monetisation plans it may have. The plans of Facebook and WhatsApp have been clear from the beginning, although not appreciated by privacy experts. These platforms have the capacity to furnish source data. But for the likes of Signal, where users go with the sole intent of having private, encrypted conversations, things will be drastically different. What is the point of using the service when users know that their data can always be accessed by the government and/or third-party entities?
While the new rules clarify that traceability orders may only be enforced for serious offences, some categories in the Intermediary Liability Rules are open-ended. For instance, ‘public order’ grounds are relatively broad and may give rise to many demands, notes Salman Waris, managing partner at the Delhi-NCR-based technology law firm TechLegis.
The rules also state that beyond identifying the first originator, the significant social media intermediary shall not be required to disclose the contents of any electronic message, any other information related to the first originator or any information related to its other users. However, the Information Technology Decryption Rules have the power to demand the content of the message. Used together, the government can break any end-to-end encryption and come to know who has sent what message and also its content, adds Waris.
Can Signal And Telegram Salvage Their Privacy Pitch?
According to Waris, there will be a major difference in the way these rules get implemented across platforms. “Facebook, with its India subsidiary offices, cannot delay or avoid compliance with government directives compared to a Signal or Telegram, which does not have a corporate presence in India.”
Arindrajit Basu, research manager at the CIS, believes that the reason why users shifted from WhatsApp to Signal earlier in the year had less to do with the extent of user profiling on the platform. The bigger concern was an erosion of trust in the company and its parent Facebook. Users migrated from the platform (WhatsApp) due to its recent attempt at forced consent for user profiling for the sake of corporate gains, and the intermediary liability rules are unlikely to reverse the shift.
“These rules may make it more difficult to guarantee end-to-end encryptions for private messaging. But the likes of Signal have created an image for themselves that they are not using user data for bigger corporate gains. Users are not likely to lose that faith in the platform for a (policy) change introduced by the government,” says Basu.
Meanwhile, the country is still waiting for the implementation of the Personal Data Protection (PDP) Bill, which, according to legal experts, can bring a twist to the story. The Bill pertains to the processing of personal data by both government and companies incorporated in India. The PDP states that any processing of personal data can be done only on the basis of consent given by the individual whose data is being processed. Individuals can seek confirmation on whether their personal data has been processed, seek correction or erasure of their data and restrict continuing disclosure of their personal data if it is no longer necessary or if consent is withdrawn. One wonders whether these provisions will stand against the Intermediary Liability Rules if an individual does not consent to data-sharing or chooses to erase his/her personal data and is then found to be the ‘first originator’ of some questionable content?
In the end, we can say that the debate around privacy will continue to rage in India. But until Signal, Telegram and other apps find a way to safeguard themselves against the stringent government guidelines, the whole idea of privacy will be more like a chimaera. And Facebook-owned WhatsApp will have the last laugh against those who criticise its business model and what it wants to do with user data.