Traceability is an ineffective tool for law-enforcement agencies as it can be easily spoofed leading to innocent citizens being falsely incriminated, the report said
The traceability provision under IT Rules, 2021 can put the government in a difficult position if criminals move to unregulated encrypted platforms: IAMAI Report
Nearly 85% percent of intermediaries feel that the IT Rules would lead to overwhelming economic repercussions and negatively impact ‘ease of doing business’
It is impossible to implement the traceability clause for messages on encrypted platforms without breaking the encryption technology itself, a report on IT Rules, 2021 has said.
The report, IT Rules, 2021: A Regulatory Impact Assessment Study, was released by the Internet and Mobile Association of India (IAMAI) and public-policy think tank The Dialogue to assess the new rules almost a year after they came into force. The report is based on responses from 70 stakeholders.
The IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 for social media apps, online news portals, news aggregators and OTT platforms were notified in February 2021 and intermediaries were given time to comply with it by May 25, 2021.
As per Rule 4(2) of IT rules 2021, significant social media messaging platforms (platforms with more than 5 Mn users), need to identify the first originator of the information. It is required for services that are primarily in the nature of messaging such as WhatsApp, Signal. Many intermediaries like WhatsApp have always been against the rule.
“The intermediaries and cybersecurity experts were unanimous in their opinion that it is technically impossible to introduce traceability on encrypted platforms without breaking the encryption technology itself,” the report said, adding that technology experts believe implementing originator traceability may weaken end-to-end encryption.
For the uninitiated, an end-to-end encryption is defined as a method that prevents third parties from accessing data while it’s transferred from one device or system to another. It is perceived as a security layer for messaging services.
In case of any technology-driven communication, end-to-end encryption protects users’ privacy in everyday conversations, and maintains confidentiality. Besides, cybersecurity experts are of the view that traceability is an ineffective tool for law-enforcement agencies given that it can be easily spoofed leading to innocent citizens being falsely incriminated, the report added.
While the rules clarify that the provision is applicable for cases of serious offences, categories of offences mentioned in the IT Rules are open-ended, lawyers believe. Hence, there are chances of misuse of the provision as well, it said.
The report also said that the provision can put the government in a difficult position if criminals move to unregulated encrypted platforms as access to metadata may not be possible in such cases.
“Cybercriminals shall continue to use encryption while it is the privacy of innocent citizens that shall be at bay,” the report added.
Moreover, solutions like metadata analysis and the development of traditional surveillance technologies are far less intrusive and more sustainable and effective, as per cybersecurity experts.
In addition, there can be several consequences of breaking encryption – online banking and ecommerce could be susceptible to cyber vulnerabilities, and users’ sensitive personal data will become more susceptible to cyber attacks, espionage and surveillance.
The clause also has national security implications as critical information infrastructure of the state could become vulnerable and the chances of foreign surveillance may increase, the report said.
Among one of the key results of the study, 85% percent of intermediaries feel that the IT Rules would lead to overwhelming economic repercussions and negatively impact ‘ease of doing business’.
Amid the debate over traceability, the government last year clarified that the clause was not brought in with an intention to break or weaken encryption.
The intent of the traceability rule for messaging platforms is not to break or weaken the encryption in any way but “merely to obtain the registration details of the first Indian originator of the message”, the government said.
During a panel discussion on the report’s launch, Dr Amar Patnaik, Rajya Sabha MP (BJD) and member of the Parliamentary Standing Committee on Finance, said if there is an infringement or an individual has been caused undue harm, the originator needs to be apprehended.
“That has to be ensured by developing technology further or doing something. Currently, one may not be able to address it but you cannot say our technology cannot take care of it, therefore you should change your law,” he said.
The study recommended that metadata analysis capabilities of the law enforcement ecosystem should be enhanced rather than implementing originator traceability.
In addition, a majority of the intermediaries said that the threshold of 5 Mn users to be designated as a significant social media intermediary is quite onerous from an economic standpoint given the huge population of India.
“The threshold should be revisited in accordance with the global best practices and India’s economic interests, and a clear method should be prescribed for its computation,” the report recommended.