By Dr. Jaijit Bhattacharya
As the new Intermediary Guidelines and Digital Media Ethics code come into force to curtail fake news and limit messages that lead to law and order issues, the regulation itself has become the victim of fake news around it. The most pernicious of such fake news being peddled is that the government is now going to have access to all messages and is going to check all messages. There is also a message doing the rounds on Whatsapp that states that the Whatsapp messages will now have three tick marks, with the third tick showing that the government has read it, and if the colour of the third tick is red, it would imply that the government has taken offense to it. This couldn’t be any further from the truth.
It is a different matter that I would admire if the government becomes that technologically sophisticated that it can read billions of messages in real-time, but the matter of concern is that such incorrect positions are being stated in television debates and being streamed into people’s televisions and smartphones, creating a narrative that can potentially take away the protective shield of the new regulation.
Since there are multiple aspects to the regulation, this article will focus only on the aspect where the regulation makes it mandatory for messaging platforms such as Whatsapp, to reveal the first originator of a message. There have been tomes written about this piece of legislation, and many misstatements disseminated around. To begin with, the regulation does not mean that the government will now read all our messages. It cannot do so. Nor does it mean that we will lose our privacy because our messages are now public. The messages are not to be made public unless it is part of the due course of law. The messages cannot be read by anyone other than the intended recipient, as long as the platform maintains end-to-end encryption.
What does the due course of law mean and why has the government framed such a regulation? Take the two-year-old case of people getting lynched in many parts of India because of videos of child-lifting being circulated. One of the more circulated videos was based on a social awareness message video in Karachi, which was trying to make people aware of rampant kidnappings in Karachi. This video was modified to show child-lifting happening in specific areas. Who did such modification to the video? Who spread it? Why was it spread?
Or take the case of videos spread in Bengaluru, the IT capital of India, against residents who came from North-eastern states. It led to panic in India’s IT capital and froze it for days. Who spread these videos? Were these videos spread with a benign intention or were these testing of weaponization of social media? How do we expect our government and law and order agencies to react? Can they take any effective steps unless they know who was the first person to spread the video? Would such a step lead to the identification of the criminal who spread the video and leads to violation of his or her privacy? Of course, it will lead to the identification of the criminal, and then, it will lead to the violation of the privacy of that person. How else will the law and order agencies find and punish the criminal? Do we hang a person without knowing the identity of a person? No, we need to know who is the person and let the law takes its due course. And of course, the criminal’s privacy will get violated. Are we debating that a criminal’s privacy should not get violated and we should not be able to catch them?
The next question that comes up is are we violating everyone else’s privacy on a messaging platform? The regulation clearly states that only the identity of the first originator of the message is required to be revealed. How would it violate anyone else’s privacy? We have heard representation from Whatsapp that it would lead to breaking of their end-to-end encryption to implement such a regulatory requirement and that information of every person who reads a message and forwards it, will need to be tagged, violating everyone’s privacy. Besides the fact that such concerns of privacy coming from Whatsapp does sound laughable, given that Whatsapp is arm-twisting Indians to agree to their new privacy agreement that snatches away privacy from Indian users, from a plain logical perspective, such arguments are untenable. One need not be an encryption expert to see through why Whatsapp’s argument is not tenable. Whatsapp has not put such a fallacious argument in Brazil, where the government has asked for the same requirement – traceability of messages.
To understand this issue better, take the example of another US digital giant, Amazon. Amazon takes a product, packs it, puts the recipient’s name and address, and sends it. The package then goes from the main warehouse to sub-agents and then to the local distribution agency and eventually reaches its intended destination. Do we get to know who are the intermediaries in this process who handled the package? No, we don’t. Their privacy stays intact. Does everyone get to know what is inside the package? No. The package is wrapped up. It only has the destination address. Amazon takes up the responsibility of ensuring that there is nothing harmful in the package like a bomb, or harmful chemicals. And if ever there is anything harmful found in the package eventually, it is Amazon that is responsible. Does that make it difficult for Amazon to do business in India? No, that is how they do business anywhere. Do we get to know who is the first originator of the package? Yes, it is on the label.
An encrypted message works pretty much the same way as an Amazon package. The only requirement that the new regulation is adding, is that each message must have a label of who first sent it. Does that mean everyone can now read that message? No. The message stays inside a “package” that no one can open. They can only see who the originator of the message is. Only the intended recipient can open the message. Does it violate the privacy of the originator of the message? No, it does not as the only information that is known to people other than the intended recipients is that the originator has sent a message, but the contents of that message are not known. It is equivalent to saying a person is using Whatsapp and sending messages. That does not tantamount to privacy violation.
Now the question arises, what if the originator of the message did not want the message to be further forwarded to more people, but it was forwarded without the consent of the originator of the message. Such concerns can easily be addressed by providing an option to the originator of the message that the message should not be allowed to be further forwarded.
However, we have seen a war of “reports” erupting between two very respected professors of Computer Science, Dr. Kamakoti of IIT Madras and Dr. Prabhakaran of IIT Mumbai. Dr. Prabhakaran’s report has been taken up by many as the gold standard to label the said regulation as unimplementable. As someone who has been teaching at IIT and who has done his Ph.D. in the area of privacy middleware, I can step in with some authority in this area.
In his report, Dr. Prabhakaran notes that in its existing form, the proposal suggested by Dr. Kamakoti is vulnerable to falsification of originator information by people with malicious intent, and such people can frame an innocent person for sending an illegal message. This cannot be the basis to not have regulation. It is for the investigating officers to find if a person has been framed or if the person sent the message, just as it happens in any other investigation. The report itself is very sparse with hardly any technical reasons attributed for making the said claim, other than saying what if someone reverses engineers Whatsapp and frames another person. It is far-fetched and it is not a defendable argument. One cannot argue that a law should not be brought in as someone may break the law.
The report also claims that tracking who has sent the message would impact privacy, as it would “make such denial harder” for the sender. But that is the whole purpose of the regulation – to make it harder for the sender to deny sending the message.
The report goes on to argue how people can hire agents or bots outside of India to spread damaging messages inside India, and therefore, it argues, the said regulation cannot be implemented in India. This again is not correct as the regulation asks for traceability of the first originator of the message within India. So the person who first receives the message within India, from a foreign number, and then spreads it in India, becomes liable. It tightens the envelope for malicious messages. Will it eliminate all malicious messages? No, it will not. Just as we are not able to catch all terrorists. So should that be a reason to not have the regulation? The answer is obviously that the possibility of a few determined malevolent elements getting past the security envelope, cannot be the reason for not having such regulation for the safety of our citizens and the security of the nation.
It is high time that we push through much-needed regulation to protect ourselves from the negative side of social media, so that social media can further flourish in the country, with all the benefits of free speech and efficient commerce that it brings in.
This article first appeared in Outlook India, https://www.outlookindia.com/website/story/opinion-who-is-peeking-into-your-messages/383951