The ongoing probe by investigation agencies into the use of drugs by Indian movie stars and celebrities has suddenly turned the focus on individual rights and privacy, especially when you use social media and chat apps. The Narcotics Control Bureau (NCB) has summoned actor Deepika Padukone for questioning tomorrow based on a WhatsApp chat. Technically, and as confirmed by WhatsApp and its owner Facebook, chats between two users are encrypted and cannot be seen by any third person. But when the phone of a person under investigation is seized, privacy goes for a toss and the chats are shared with the media, leading to a media trial, even while the investigation is on.
While anything to do with celebrities makes for 24x7 television, it would be naïve to assume that the encroachment into personal privacy would not be far worse for ordinary people with no clout, trapped in a bad situation.
Mishi Choudhary, legal director at SFLC (Software Freedom Law Centre
), has a possible explanation. She says, "WhatsApp is a credible communications system because it provides 'end to end' encryption of the messages it carries, ensuring that Facebook itself cannot read the contents of our communications."
Talking about a petition that was transferred to the Supreme Court from Madras High Court, she says the plea seeks to make social media traceable while stripping the privacy right of all meaning. In a series of tweets, she had explained dangers of such things.
"The pending petition seeks to require that Facebook to make all WhatsApp messages traceable to their originator through the linkage of identity information (mobile phone or, perhaps, Aadhaar numbers) to all messages exchanged. It should hardly be necessary – given the Supreme Court’s judgment in Justice KS Puttaswamy and Anr vs Union of India which confirmed that we have a fundamental right of privacy – to say that this petition must be dismissed is an affront to our basic constitutional freedom," she says.
Referring to one of the submissions in the case, Ms Choudhary says Facebook can be required to add the identity information of each message originator to the message itself before it is 'end to end', encrypted, allowing every communication to be traced back through the chain of forwarding to its original source.
The submission says that this does not require Facebook to compromise encryption. That’s narrowly true: Encryption is formally undisturbed, but the privacy encryption designed to protect is destroyed anyway, Ms Choudhary says, adding, "Obviously this mechanism destroys A’s privacy, if for example she did not want her message to B forwarded, and is now being pursued by the government at the behest of C."
"According to the submission this is no problem, because A has a remedy: B has broken an implicit contract with A by forwarding the message over A’s implicit objection, violating a relationship of trust which (he says) must have existed between A and B in the first place. But this advice ignores how law operates. The government here, orders an unconstitutional invasion of privacy, directing F to destroy the privacy of A, as well as other intermediate recipients of A’s message. But though A’s right against government has been vitiated, that has been theoretically replaced by a private action against B," she says.
Coming back to Deepika Padukone's alleged WhatsApp chat based on which the NCB had sent her summons, technically, it is not so easy to seize such messages under normal circumstances. One of the options a government or its agency can use is to take help from professional spyware firms and software, like Pegasus. But that is too expensive and sometimes the cost can go as high as $1 million.
Another way is to get hold of the message during transit and then decrypt. However, given that WhatsApp handles billions of messages every day and till date there are no reports of any message being lost or tracked during transit and decryption taking place, this does not look a possible answer.
This leaves only one option for which Indian investigating agencies are defamed. To make the person 'willingly' share the information or in this case, the WhatsApp chat between Deepika and the other person.
The WhatsApp chats surfaced in public domain seem to have been retrieved from Jaya Saha, who was interrogated by the NCB. Jaya was also Sushant Singh Rajput's talent manager. Jaya, who is part of the Kwan Talent Management Agency, was also on this WhatsApp group with Deepika and Karishma Prakash.
To access encrypted WhatsApp data, security and investigating agencies can take a user's phone and create a 'clone' of it on another device. This gives them access even to deleted messages with a 'mirror image' of a phone after which all data can be transferred to the separate device.
Thereafter, it is only a matter of retrieving data which agencies do by involving forensic experts. They retrieve all kinds of data like phone call records, messages, images, WhatsApp chats, as well as the data on the phone's Cloud service, like Google Drive or iCloud, including anything that has been deleted.
In January 2019, the Ministry of Electronics and Information Technology (MeitY) issued the Information Technology [Intermediary Guidelines (Amendment) Rules], 2019. The Draft Intermediary Guidelines, proposed introduction of obligations requiring faster response times from intermediaries, greater cooperation with law enforcement, enabling traceability of the origin of content, proactive monitoring of content, and local incorporation for the purposes of coordination with law enforcement.
On Tuesday, Sanjay Dhotre, minister of state for electronics and IT, in a written reply to the Lok Sabha said that the MeitY is in the process of amending the Information Technology (Intermediaries Guidelines) Rules, 2011, to make the intermediaries more responsive and accountable and the rules are currently being finalised.
In recognition of the fact that in certain instances ensuring traceability may be technically impossible, industry body NASSCOM
had also recommended that the obligation to enable tracing of the originator of information, should not apply to instances where the intermediary is able to demonstrate that it has no control over the decryption key and is unable to view the content of private communications sent on its computer resource.
"While India does need a data privacy law urgently, in no way can this address the problems being presented by this case where all citizens’ privacy and security is held ransom to check the notoriety of a few malicious players," Ms Choudhary concludes.