Intent of message traceability under IT rules not to weaken encryption of platforms, says govt

The new Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 were announced by the government earlier this year.

The requirement for messaging platforms to trace the originator of a message has not been brought in with an intention to break or weaken encryption, and companies are free to come up with alternative technological solutions to implement this rule, as per FAQs released by the government on Monday.

The new Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 were announced by the government earlier this year.

Facebook-owned WhatsApp had then approached the Delhi High Court challenging the new IT rules for social media intermediaries that require the messaging app to make provisions to identify the first originator of information.

WhatsApp had said the traceability provision would break end-to-end encryption and fundamentally undermine people's right to privacy.

A set of 'Frequently Asked Questions' (FAQs) around the intermediary guidelines were released on Monday to enable a better understanding of goals and provisions of the new rules among internet and social media users.

As per the FAQs, the intent of the traceability rule for messaging platforms "is not to break or weaken the encryption in any way but merely to obtain the registration details of the first Indian originator of the message."

"The electronic replica of the message (text, photo or video, etc) will be shared by the requesting agency along with a lawful order," it added.

The FAQs explained that a typical principle of detection is based on the 'hash value' of the unencrypted message, wherein identical messages will result in a common hash (message digest) irrespective of the encryption used by a messaging platform.

"How this hash will be generated or stored needs to be decided by the concerned SSMI (significant social media intermediary), and SSMI are free to come up with alternative technological solutions to implement this rule," it added.

The rationale of this requirement, the FAQs said, is that if the intermediary has to convey to its users not to upload or share a particular type of content as part of its terms of use, it should have the capability of determining so.

Otherwise, the platform loses its own capability to enforce its own terms of usage, it noted.

"While encryption ensures safety and security of the data, and the privacy norms self-imposed by the intermediary may be needed, it is also imperative that the platforms should not be used to carry out sharing of any unlawful content as specified under the IT Rules, 2021 and other applicable laws," the FAQs said.

When contacted, a Meta spokesperson said: "We appreciate the Government's efforts in bringing more clarity on the 2021 IT Rules. We look forward to studying the FAQs."

Last week, Facebook's parent company changed its name to Meta. Apps under Meta include Facebook, WhatsApp, Instagram, Messenger and Oculus.

The FAQs introduced on Monday comprise questions that people ask about the rules, and are geared to make it easier for users to understand the norms around the internet and social media in the country.

The new IT intermediary rules enforced earlier this year aim to bring greater accountability for big tech companies, including Twitter and Facebook.

The rules require social media platforms to remove any content flagged by authorities within 36 hours and set up a robust complaint redressal mechanism with an officer being based in the country.

Social media companies are required to take down posts depicting nudity or morphed photos within 24 hours of receiving a complaint.

Significant social media companies — those with over 50 lakh users — also have to publish a monthly compliance report disclosing details of complaints received and action taken as also details of contents removed proactively.

Apart from reiterating the timelines for action under various cases, the FAQs clarified that while social media companies cannot name the same person as their Chief Compliance Officer and the nodal contact person, the roles of the nodal contact person and Resident Grievance Officer may be performed by the same individual.

"However, keeping in view the functional requirements of the nodal contact person and the Resident Grievance Officer, it is desirable that SSMI appoints separate persons for the two roles," it added.

The government, through this rule, expects the intermediary to provide separate contact details for grievances submitted by users and the requests/orders made by the government or authorised agencies, since the nature of requests might vary in view of different compliance timelines, the FAQs said.

Besides, a parent SSMI can appoint common officers across its products/services, which could potentially benefit companies like Google and Facebook that operate multiple services.

"However, the contact details to approach these officers are required to be clearly mentioned on each of those product/ service platforms separately," the FAQs noted.


Updates from around the world