In September, social media giant WhatsApp found itself answering a very strange request in India—the government asked it to identify who first sent a message containing a fake resignation letter from the Tripura Chief Minister that was shared on Facebook, triggering a legal battle between the state and the messaging giant.
Not many days later, WhatsApp was tasked with a similar request: Find out the original senders of a number of AI-generated deepfake videos of Indian politicians going viral on social media, including one of Prime Minister Narendra Modi singing.
With these requests, India is trying to enforce the traceability rule it rolled out in 2021, which requires encrypted messaging platforms like WhatsApp and Signal to find the original sender of messages forwarded and shared across the platform, subjecting them to potential punishment for exercising political speech.
Online censorship and surveillance to suppress dissent has been a key feature of Narendra Modi’s and the Bharatiya Janata Party’s (BJP) 10-year regime in India.
The recent State of Internet Freedom report highlighted how India’s incorporation of digital censorship into its technology laws could be a tool to suppress any form of dissent against the ongoing regime, especially amidst the upcoming national elections. It cited the Indian government’s ban on the BBC documentary about communal violence during Modi’s Gujarat regime and how the government used provisions in its technology laws to ask YouTube and X to remove any content around the documentary.
In February 2021, the Modi government rolled out a series of changes to its Information Technology (IT) laws that regulate online content.
From arbitrary fact-checking units empowered to take down any anti-government content and government oversight of streaming content to demanding messaging platforms trace the original senders of potentially subversive content, India’s new IT rules legitimize direct online censorship, posing serious threats to citizens’ digital rights.
The most contentious of these changes is the rule that allows the government to demand online platforms with more than 5 million users to identify senders of messages that threaten the sovereignty and integrity of India, the security of the state, friendly relations with foreign states, and public order.
India is WhatsApp’s largest market, with about 550 million users.
The app, which claims to have ”privacy and security in its DNA,” built default end-to-end encryption into its technology in 2016. End-to-end encrypted messaging ensures that nobody except the sender and receiver of information can read or listen to it.
While it is India’s most preferred messaging platform, providing a secure space for millions of users who rely on it for sharing location, photos, and information, WhatsApp has also become a serious breeding ground for fake news across the country.
India has seen over 40 deaths allegedly spurred on by fake news. In 2018, a young daily wage earner was lynched by a paranoid mob in Bengaluru, because people mistook him for a child abductor giving sweets to children.
Fake messages on WhatsApp helped start the panic, warning people of a “gang of child abductors” roaming in the area, killing children, and harvesting organs. Around the same time, five tribals were thrashed and stoned to death in Maharashtra, because of WhatsApp rumors of “child abductors” lurking in the area.
Citing many such instances of misinformation and the urgent need to combat fake news, the Indian government sent multiple directives to WhatsApp to comply with the traceability rule to identify senders of incendiary messages.
“We have not rolled out these guidelines all of a sudden. We have received several orders from the Supreme Court of India asking us to make laws to regulate information that spreads hate, incites violence, and threatens women’s dignity,” said India’s then-Minister of Electronics and Information Technology from the ruling BJP Ravishankar Prasad in a television interview in 2021.
However, while these rules can help regulate harmful content, they can create a frightening atmosphere for the government’s critics, especially given the multiple instances of censorship and threats to free speech in the past few years.
WhatsApp was given three months, until May 2021 to comply with the new traceability rules.
Instead, WhatsApp and Meta sued the Indian government in the Delhi High Court, challenging the traceability requirement, mostly on the grounds of violating its end-to-end encryption technology.
In a petition filed on May 25, 2021, WhatsApp stated that the traceability requirement in India’s IT law forces it to break end-to-end encryption on its messaging service, and infringes upon the fundamental rights to privacy and free speech of the hundreds of millions of citizens using WhatsApp to communicate privately and securely.
The app argued there is no way to predict which message will be the subject of such a tracing order, and thus WhatsApp would be forced to build the ability to identify the first originator for every message sent on its platform.
It compared this to “keeping a finger on every single message sent on its platform.”
The government of India challenged the validity of WhatsApp’s petition on the grounds it was a foreign entity.
“Constitutionality of a provision of law cannot be challenged by a foreign commercial entity on the ground of it being violative of Article 19 rights. The said rights are only available to citizens,” the Indian government said in an affidavit filed in response to WhatsApp’s petition.
It also said that if WhatsApp did not have the means to trace messages without breaking encryption, it ought to develop the means to do so.
Up until now, India’s IT law provided a “safe harbor” to social media platforms that exempted them from any liability for the content shared on their platforms.
However, in the past few years, the government cracked down on social media platforms, aiming to stifle dissent. During the controversial, year-long farmers’ protests against national laws to privatize agriculture, the Indian government asked Twitter to suspend the accounts of users who tweeted against the government’s conduct. It even threatened to imprison the site’s local employees if Twitter didn’t comply, forcing it to block accounts of over 500 activists, farmer unions, and Caravan, a news magazine that scrutinizes Indian politics.
Similarly, when India grappled with rising COVID-19 deaths, the government directed Twitter to block over 50 tweets criticizing Modi’s handling of the pandemic.
And in 2019, WhatsApp’s encryption was bypassed by Israeli spyware that was used by the Indian government to snoop on journalists, lawyers, and human rights activists.
Even before India legalized surveillance on WhatsApp, several attempts of “WhatsApp Arrests” by bureaucrats have been reported in India.
In 2020, the District Collector of Indore ordered that anyone found spreading false news about COVID-19 cases in the city would be subject to arrest and imprisonment. Similarly, in 2017, the police administration in the Varanasi district released a written order that group admins on WhatsApp who did not remove false content, especially around religious sentiment, from their groups would be arrested.
According to an impact analysis carried out by the American nonprofit Internet Society, the traceability clause clearly violates the parent legislation of these Guidelines—the IT Act.
The IT Act does not grant the government the power to demand traceability.
“Rule 4(2), in demanding traceability, breaks end-to-end encryption systems, undermines user privacy, threatens data confidentiality, goes against the principle of data minimization, and may create room for government overreach and censorship,” the report states.
For the millions of people who rely on WhatsApp for more than exchanging texts, this can have disastrous effects on privacy and freedom of speech.
In some states, for instance, WhatsApp has proved to be a useful tool to fight sexual harassment.
The Telangana state police department uses “WhatsApp Helplines” and receives about 2,700 monthly complaints of sexual harassment from women who share sensitive information on the platform.
If WhatsApp stores and divulges the sensitive information and identities of such users, their privacy can compromised, forcing them to decide if being outed is worth the risk of reporting crimes.
Complying with the traceability rule will inevitably require platforms to store all the data needed for tracing every message exchanged on the platform, increasing costs for companies and eventually affecting affordability for users who currently use it for free.
And activists, who use the app to organize and spread messages, will see the growth and reach of their messages stifled.
“There certainly needs to be a clear law that holds people responsible for advertently or inadvertently circulating false news and hate messages on WhatsApp. But the government cannot have unfettered power to demand the source of messages—this should be done with adequate checks and safeguards, with citizens having the same right to access this information through a legitimate cyber cell,” said Srikanth Narasimhan, General Secretary of the Bengaluru Navanirmana Party, a city-level political party that relies on WhatsApp communities and groups to connect with voters and volunteers.
While the criteria prescribed under the rule—a threat to public order or the security of the State—could act as potential safeguards to prevent their misuse, the two instances where the government invoked the rule are not cases of harmful fake news or threats to public order or India’s sovereignty.
They are instead blatantly political.
The traceability rule was invoked for the first time recently when the WhatsApp screenshot of a fake resignation letter of Tripura’s Chief Minister circulated on social media. The resignation letter, which has the Minister’s forged signature, was shared on Facebook by a candidate of an opposition party who had lost the 2023 elections.
The case was brought to the police’s notice by a group of the ruling BJP workers who filed a complaint even after the post was deleted, leading a district court in the state to use the traceability rule to ask WhatsApp to identify the original sender of the message.
WhatsApp refused to comply with the request, citing that there were no “threats to public order” and therefore did not require such an intrusive means of investigation. The court granted interim relief to WhatsApp on the matter and will hear the next case on Dec. 5.
India’s central government also directed WhatsApp to trace the senders of deepfake videos of politicians, which it perceives as “serious threats to electoral integrity,” given the upcoming national elections.
“The anonymous use of messaging platforms to propagate fake videos and audio is a major challenge we are grappling with. The traceability provision needs to be invoked to create some accountability and put brakes on this practice,” India’s IT minister Rajeev Chandrasekhar told the Indian Express.
However, identifying the senders of such messages could lead to the outing of political opponents.
Even though WhatsApp refused to comply with the government’s requests in both cases, it continues to operate in India, putting the rule and the service in limbo.
Experts in India proposed several technical solutions to balance the mutually exclusive goals of traceability and encryption. In 2019, while adjudicating a different case, the Madras High Court directed a professor of Information Technology, Dr V Kamakoti, to propose technologies to trace the original senders of messages without breaking encryption. He suggested adding originator information with every message. He also proposed a permission-based system that allows users to classify a message as forwardable and not forwardable, a suggestion WhatsApp partially implemented.
Data privacy advocates, however, are skeptical about this proposal. “End-to-end encryption cannot be seen as a binary, but should instead be viewed across a spectrum, where it can be undermined if not entirely broken. The Kamakoti proposal would need the intermediary to hold much more information about the messages being exchanged. So is the sanctity of an end-to-end encrypted environment really being protected? I’d say no,” Neeti Biyani, a senior advisor at the Internet Society, told the Daily Dot.
Technology experts like Biyani, however, also question the extent to which technology can address problems.
“There are social problems that predate any sort of technology. Even when we did not have an inkling about how to transfer data, there were social problems. Technology in a lot of ways can amplify social problems, but it is not responsible for social problems. Therefore, social problems need social solutions which technology can help with,” she said. “Scanning personal data of 800 million people is not the answer.”
In light of the recent warnings that many members of opposition parties, journalists and activists received about “state-sponsored” attackers trying to hack their phones, the traceability rule can easily become a legal weapon to end free expression and dissent.
The Modi government has attempted to curb dissent and anti-government narratives through forced suspension of Twitter accounts, random arrests, and costly spyware.
But with the traceability rule coming into effect, not only will government snooping on private conversations be legitimized, the government will have also legal rights to act against people exchanging texts with the slightest hint of dissent or criticism.
It amounts to a massive stifling of the biggest digital forum in the country, an unprecedented invasion, and one that any authoritarian government in the future would gleefully implement after Modi proves its efficacy.