Facebook-WhatsApp case in SC: Mass surveillance possibilities can increase with creation of national decryption agency

The ongoing case of Facebook and WhatsApp before the Supreme Court deals with the age-old debate of ’national security vs privacy’, with the Court tasked yet again with balancing the two out. In what is turning into a landmark case, the case that started with the issue of linking Aadhaar with social media accounts, could now redefine intermediary liability law as well as bring in social media rules for the first time.

Given the crucial role that intermediaries are playing in relation to protecting the individual from the prying eyes of the State, the case has particularly significant implications for privacy as well. One such issue that has come up for debate is on whether intermediaries are under an obligation to decrypt the information in their possession, and secondly, whether the government can set up its own decryption agency, and what the surveillance powers and capabilities of such an agency would be.

An intermediary’s obligation to decrypt

To start with the first issue, on whether an intermediary is mandated to decrypt information in its possession, under Section 69 of the Information Technology Act, 2000  an intermediary is required to provide ‘all facilities and technical assistance’ to decrypt information. An interesting argument put forth by Facebook, in this case, is that this is an obligation to assist, and not an obligation to decrypt, as a counter to the government’s argument that Section 69 imposes a mandate under the law to decrypt the information.

Turning to the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009  for clarity, Rule 2(g) defines decryption assistance to refer to allowing access, to the extent possible, to encrypted information. Under Rules 13 and 17 further, an intermediary receiving a direction to decrypt must provide either a decryption key or decryption assistance. Clearly, the obligation to decrypt is limited to the intermediary’s ability to decrypt.

Going deeper into the rules, Rule 13 states that a direction to decrypt is limited to the extent that the intermediary has control over the decryption key. This means that if the intermediary does not have control over the decryption key, then its obligation ceases there. Both Section 69 and these IT Rules, therefore, in no manner mandate intermediaries to decrypt information. Rule 8, in fact, directs the government agencies to consider alternative means of acquiring the information prior to issuing such a direction. However, intermediaries are under an obligation to assist to the extent that it is possible for them to assist, meaning that if, say, they do possess the decryption key, then they cannot deny providing the information to the government.

Balancing rights and surveillance fears

The situation, while an excellent one for those seeking protection from mass surveillance and governmental invasion, does create concerns when one puts themselves in the shoes of a victim seeking information on a cybercriminal, or when the State is seeking to legitimately investigate a possible threat. The issue here is one of balancing rights, with mistrust in the State and the fears of large-scale surveillance increasing as technological progress increases the capability for this.

Can the govt have its own decryption agency?

Even with the present case, one such fear arises with a reported comment of one of the judges on the bench, questioning why the government could not have its own system of decryption , instead of solely imposing the obligation onto the intermediaries. Legally, there is nothing to prevent this, or even to prevent the government from authorising an existing agency to act as a decryption agency.

The surveillance powers of such a decryption agency

To assuage surveillance fears in part, any such agency would legally be bound by the procedures of Section 69 and these IT Rules . These rules, while inadequate, certainly do not permit mass surveillance along the lines of the National Security Agency in the US . Under Rule 4, the government (technically, the Secretary in the Ministry of Home Affairs/ in the Home Affairs Department of a State government) can authorise any government agency to decrypt information. One can recall the Ministry of Home Affairs notification  that came out last year appointing 10 agencies including the CBI, R&AW, Intelligence Bureau, etc. for this purpose.

Such an agency, however, cannot act suo moto, and can only act under the direction of the government. Such a decryption direction is also bound by certain limitations. For one, it must relate to any information on any particular subject, which is exchanged between a person or a class of persons. While vague, this certainly does not authorise surveillance of any information, on any subject, exchanged between the general public. Time limits are also imposed — such a direction can be in force for a maximum of 60 days (approx. two months), which can be renewed for a maximum total period of 180 days (approx. six months). Thus, unlimited, perpetual surveillance is not permissible.

Again, there are issues with the constitutionality of the safeguards proposed by these IT Rules, in particular because they were drafted in accordance with the case of PUCL vs. Union of India . This was a case which suggested these safeguards for telephone tapping, long before the current era of technology and digitisation which enables and simplifies large scale electronic surveillance. Section 69 and these rules are, in fact, being questioned for their constitutionality in a separate case before the Supreme Court.

Mass surveillance outside the ambit of Section 69

Within the ambit of Section 69, mass surveillance by such an agency would clearly be illegal, as would any NSA-style mass decryption and access to the public’s private messages. However, it is surveillance carried out outside the ambit of Section 69 that is the real concern. Activities of the State Resident Data Hubs , Natgrid, NETRA or the Central Monitoring System, for instance, have no known legal basis.

The prevalence of these only worsens fears, and the absolute lack of an express prohibition on mass surveillance adds to these concerns. That being said, no law in India permits mass surveillance either. Any such activities are thus illegal and, post the Puttaswamy judgment on the fundamental right to privacy , unconstitutional.

The Puttaswamy judgment, it must be recalled, laid down 3 rules for any invasion of privacy

(i) there must be a law,

(ii) it must seek to achieve a legitimate state aim, and

(iii) it must be proportional.

While the government could argue the first two (assuming they enact a law permitting such surveillance), a large scale, mass surveillance activity simply cannot meet the third, i.e., the requirement of proportionality.

The need for an express prohibition against mass surveillance

Mass surveillance, while inherently unconstitutional on account of being a completely disproportionate invasion of privacy, is unfortunately still a possibility, until it is expressly prohibited. In the age of data and digitisation, several steps can be seen by the government towards accessing data, be it via the upcoming Personal Data Protection Bill, 2018  (which, for example, allows ‘ necessary proportional’ access to data , under a law, without consent, by the State for security purposes), or via this case seeking access to data from social media sites.

However, until this access that is sought is balanced with a law that protects the people from misuse, such as the misuse of the capabilities and power of a decryption agency, it is difficult to trust that such violations will not occur.

The author is a lawyer specialising in technology, privacy and cyber laws.