Whatsapp
WhatsApp Challenges IT Rules 2021 on Traceability Clause: A Constitutional and Privacy Dispute in India’s Digital Regulation
Introduction
The intersection of digital privacy and national security has emerged as one of the defining legal battlegrounds in contemporary India. In May 2021, WhatsApp LLC filed a petition before the Delhi High Court challenging Rule 4(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) IT Rules, 2021[1]. This WhatsApp challenge to IT Rules 2021 on traceability represents a fundamental dispute between the government’s regulatory ambitions and the right to privacy of millions of Indian users who rely on encrypted messaging services. The case raises critical questions about the extent to which the state can demand technological capabilities that may undermine the very foundations of secure digital communications. WhatsApp’s petition argues that the traceability requirement violates constitutional protections enshrined under Articles 14, 19(1)(a), 19(1)(g), and 21 of the Indian Constitution, while also exceeding the statutory authority granted under the Information Technology Act, 2000[2].
The Legal Framework: Information Technology Act and Intermediary Rules
The Information Technology Act, 2000 serves as the primary legislative framework governing digital intermediaries in India. The Act, through its various provisions, aims to balance the interests of innovation and user protection with legitimate state concerns regarding security and public order. Within this framework, Section 79 of the IT Act holds particular significance as it provides what is commonly known as safe harbour protection to intermediaries. Under Section 79(1), an intermediary shall not be liable for any third party information, data, or communication link made available or hosted by it, subject to certain conditions[3].
The safe harbour protection under Section 79(2) applies only when the intermediary’s function is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored. The intermediary must not initiate the transmission, select the receiver, or modify the information contained in the transmission. Furthermore, the intermediary must observe due diligence while discharging its duties and comply with guidelines prescribed by the Central Government[4].
However, this protection is not absolute. Section 79(3) specifies that the exemption shall not apply if the intermediary has conspired, abetted, aided or induced the commission of an unlawful act, or upon receiving actual knowledge or notification from the appropriate government or its agency regarding unlawful content, fails to expeditiously remove or disable access to that material. The Central Government exercises its rule-making authority under Section 87(2) of the IT Act, which empowers it to make rules for carrying out the provisions of the Act.
On February 25, 2021, the Ministry of Electronics and Information Technology notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, superseding the earlier 2011 rules. These rules significantly expanded the regulatory framework governing digital intermediaries, introducing new classifications and obligations. The rules distinguish between ordinary intermediaries and Significant Social Media Intermediaries, defined as platforms with registered users in India above a notified threshold of five million users. For SSMIs providing messaging services primarily, Rule 4(2) imposes an additional due diligence requirement to enable the identification of the first originator of information on its computer resource as may be required by a judicial order or an order passed under Section 69 of the IT Act[5].
Understanding Rule 4(2): The Traceability Mandate
Rule 4(2) of the IT Rules 2021 represents the centerpiece of this legal controversy. The provision specifically requires significant social media intermediaries that provide services primarily in the nature of messaging to enable the identification of the first originator of information on its platform. This obligation arises when either a court of competent jurisdiction or an authority empowered under Section 69 of the IT Act issues an order requiring such identification. The provision includes a crucial territorial limitation, stating that where the first originator of any information is located outside India, the first originator of that information within India shall be deemed to be the first originator.
The term “originator” is defined in the IT Act as a person who sends, generates, stores or transmits any electronic message. However, this definition creates ambiguity because an originator may not necessarily be the author or creator of the content. Someone who forwards a message, shares a screenshot, or copy-pastes content from another platform could potentially be identified as the originator, even though they did not create the underlying content. This technical limitation raises significant questions about the effectiveness and fairness of the traceability mechanism.
The requirement applies only to SSMIs providing messaging services, which would include platforms like WhatsApp, Signal, and Telegram that have more than five million users in India. WhatsApp, with over 530 million users in India, clearly falls within this category and is therefore subject to the traceability mandate. The rules do not specify the exact technological mechanism by which traceability should be implemented, leaving it to the platforms to determine how to comply with the requirement without breaking end-to-end encryption.
WhatsApp’s Constitutional Challenge to IT Rules 2021 on Traceability
WhatsApp’s petition before the Delhi High Court presents a multifaceted constitutional challenge to Rule 4(2). Analysis of WhatsApp’s challenge to Rule 4(2) IT Rules 2021 on traceability, encryption, privacy and national security highlights the broader implications for digital rights in India. The company filed its writ petition on May 26, 2021, one day after the deadline for compliance with the new rules. Senior Advocate Mukul Rohatgi represented WhatsApp before a division bench comprising Chief Justice DN Patel and Justice Jyoti Singh. The Delhi High Court issued notice to the Centre on August 27, 2021, directing the government to file a response to WhatsApp’s contentions[6].
The petition argues that Rule 4(2) violates the fundamental right to privacy as recognized in the landmark Supreme Court judgment of Justice K.S. Puttaswamy (Retd.) v. Union of India. In this unanimous nine-judge bench decision delivered on August 24, 2017, the Supreme Court held that the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution[7]. The judgment established a three-part test for any invasion of privacy: legality, necessity, and proportionality. WhatsApp contends that Rule 4(2) fails all three prongs of this test.
On the legality prong, WhatsApp argues that there is no law enacted by Parliament that expressly requires an intermediary to enable identification of the first originator of information on end-to-end encrypted platforms. The company submits that Rule 4(2) is ultra vires to Section 79 of the IT Act because the parent statute does not authorize the imposition of such a requirement through subordinate legislation. The petition emphasizes that while Section 79 grants rule-making power regarding due diligence requirements for intermediaries, it does not extend to mandating fundamental changes to the technological architecture of encrypted messaging services.
Regarding necessity, WhatsApp argues that Rule 4(2) allows for the issuance of orders to identify the first originator without judicial oversight or prior judicial scrutiny, which means there is no guarantee against arbitrary state action. The petition points out that orders can be issued not only by courts but also by executive authorities under Section 69 of the IT Act, without requiring the government to demonstrate that less intrusive means are unavailable or ineffective. This absence of procedural safeguards violates the necessity requirement established in the Puttaswamy judgment.
On proportionality, WhatsApp submits that the traceability requirement would force the platform to break end-to-end encryption for all its users, not just for specific individuals suspected of wrongdoing. The petition explains that to trace even one message, the service would have to trace every message, as there is no way to predict in advance which user will be the subject of an order seeking first originator information. This wholesale surveillance architecture is grossly disproportionate to any legitimate state interest and creates privacy risks for hundreds of millions of innocent users.
The petition also challenges Rule 4(2) under Article 14 of the Constitution, which guarantees equality before the law. Relying on the Supreme Court’s decision in Shayara Bano v. Union of India, WhatsApp argues that laws are manifestly arbitrary in violation of Article 14 when they are obviously unreasonable, capricious, irrational, without adequate determining principle, or excessive and disproportionate. The company contends that Rule 4(2) is manifestly arbitrary because it imposes burdens far exceeding any purported benefits and because Parliament did not intend to grant authority to make such legislation through subordinate rule-making.
Furthermore, WhatsApp asserts that Rule 4(2) violates the fundamental right to freedom of speech and expression guaranteed under Article 19(1)(a) of the Constitution. The petition explains that once citizens become aware that messaging platforms have built the ability to identify first originators, they will not feel safe to speak freely for fear that their lawful private communications will be traced and used against them. This chilling effect on free speech is antithetical to the very purpose of end-to-end encryption, which is designed to protect the confidentiality and security of private communications.
The Government’s Defense of Traceability
The Union of India, through the Ministry of Electronics and Information Technology, has filed detailed responses defending the constitutionality and necessity of Rule 4(2). The government’s position rests on several key arguments that attempt to balance individual privacy rights with collective security interests.
The Centre argues that Section 87 of the Information Technology Act granted it the power to formulate Rule 4(2), which mandates significant social media intermediaries to enable identification of the first originator in legitimate state interest. The government emphasizes that this requirement is essential for curbing the menace of fake news and offences concerning national security, public order, and crimes against women and children. The Ministry has stated that the right to privacy is not absolute and must be balanced against the Article 21 rights of vulnerable citizens within cyberspace who are or could be victims of cyber-crime.
In its affidavit before the Delhi High Court, the government has clarified that it respects the right to privacy and has no intention to violate it when WhatsApp is required to disclose the origin of a particular message. The Centre maintains that such requirements arise only in cases involving very serious offences related to sovereignty and integrity of India, security of the state, friendly relations with foreign states, public order, or incitement to cognizable offences. The government contends that the traceability provision is reasonable and expects platforms to use mechanisms that guard encryption while protecting user privacy.
The government has also placed the burden on intermediaries to develop technological solutions that comply with Indian law. The Centre’s submission states that even if existing technology does not allow identification of the first originator without breaking encryption, it is the legal obligation of platforms like WhatsApp to find solutions that can enable such identification. The Ministry argues that platforms cannot claim immunity from legal obligations simply because compliance may require modifications to their current technological architecture.
Additionally, the government has pointed to WhatsApp’s own data collection practices, arguing that the platform already collects users’ personal information and shares it with Facebook and other third parties for commercial purposes. This, according to the Centre, undermines WhatsApp’s claims about protecting user privacy. The government maintains that if WhatsApp can collect and process user data for business purposes, it should be able to develop mechanisms for identifying first originators when required by law enforcement for investigating serious crimes.
The Privacy Jurisprudence: Puttaswamy and Its Application
The Puttaswamy judgment forms the doctrinal foundation for privacy protection in India and serves as the primary precedent in WhatsApp’s challenge to Rule 4(2) IT Rules 2021 (traceability clause). In Justice K.S. Puttaswamy (Retd.) v. Union of India, decided on August 24, 2017, a nine-judge constitution bench of the Supreme Court unanimously held that the right to privacy is a fundamental right intrinsic to life and personal liberty under Article 21 and is a part of the freedoms guaranteed by Part III of the Constitution. The bench comprised Chief Justice J.S. Khehar and Justices J. Chelameswar, S.A. Bobde, R.K. Agrawal, R.F. Nariman, A.M. Sapre, D.Y. Chandrachud, S.K. Kaul, and S. Abdul Nazeer.
Justice Chandrachud, writing for himself and three other judges, articulated that privacy is a concomitant of an individual’s right to exercise control over their own personality. The judgment recognized that privacy safeguards individual autonomy and recognizes the ability of individuals to control vital aspects of their lives. Privacy protects personal intimacies including marriage, procreation, family, and sexual orientation, which are at the core of privacy and dignity. The Court emphasized that privacy attaches to the person and is not lost merely because an individual is in a public place.
The Puttaswamy judgment established that privacy is not an absolute right and can be restricted by the state, but any such restriction must satisfy a three-part test. First, there must be legality, which requires that any invasion of privacy must be through a validly enacted law. Second, there must be necessity, meaning that the restriction must serve a legitimate state aim and there must be guarantees against arbitrary state action. Third, the restriction must be proportionate, requiring that the state achieve its legitimate aims through the least restrictive alternative available.
The judgment also recognized informational privacy as a distinct facet of the right to privacy. Justice Chandrachud observed that dangers to privacy in the age of information can originate not only from the state but also from non-state actors. The Court commended to the Union Government the need to examine and put in place a robust regime for data protection, cautioning that such a regime requires careful and sensitive balance between individual interests and legitimate concerns of the state.
The Puttaswamy decision explicitly overruled earlier Supreme Court judgments in M.P. Sharma v. Satish Chandra and the majority opinion in Kharak Singh v. State of Uttar Pradesh to the extent that they held privacy was not a fundamental right under the Constitution. The Court held that life and personal liberty are inalienable to human existence and constitute rights under natural law. No civilized state can contemplate an encroachment upon life and personal liberty except through the authority of law that meets constitutional requirements.
In applying this jurisprudence to Rule 4(2), WhatsApp argues that the traceability provision fails the Puttaswamy test on all three grounds. The petition contends that there is no valid parliamentary law authorizing such invasive surveillance, that procedural safeguards against arbitrary state action are absent, and that the requirement to break encryption for all users is grossly disproportionate to any legitimate governmental objective.
Technical Implications: End-to-End Encryption and Traceability
The technical dimensions of this legal dispute are crucial to understanding why WhatsApp and other encrypted messaging platforms oppose the traceability requirement so vehemently. End-to-end encryption is a security measure that prevents third parties, including the messaging platform itself, from accessing the content of communications between users. When a message is sent using end-to-end encryption, it is encrypted on the sender’s device, transmitted in encrypted form, and only decrypted on the recipient’s device. The encryption keys are stored only on user devices, not on the platform’s servers.
WhatsApp implemented end-to-end encryption using the Signal Protocol in 2016, meaning that the company itself cannot read the messages exchanged between users. This technical architecture is fundamental to the platform’s privacy promise to its users. The company has consistently maintained that requiring traceability would necessitate fundamental changes to this architecture that would undermine the security and privacy protections offered by end-to-end encryption.
Technology experts and civil society organizations have supported WhatsApp’s technical claims. A parliamentary standing committee report concluded that technology experts were unanimous in their opinion that it is technically impossible to introduce traceability on encrypted platforms without breaking the encryption technology itself. The report noted that implementing originator traceability may weaken end-to-end encryption and create vulnerabilities that could be exploited by malicious actors.
To comply with Rule 4(2) while maintaining end-to-end encryption, messaging platforms would need to implement what is known as message tracing or message tracking. This would require storing metadata about who sent which message to whom and when, creating a database that maps the flow of messages across the platform. However, this approach has several significant problems.
First, storing such metadata at scale would be technically challenging and expensive, particularly for a platform like WhatsApp that processes billions of messages daily. Second, this metadata database would itself become a massive privacy risk, as it would reveal communication patterns, social networks, and associations among users. Third, the metadata could be used to infer the content of communications even without breaking encryption, as patterns of communication can be highly revealing.
Moreover, traceability based on the first forwarder rather than the original creator of content has limited effectiveness. Users commonly copy content from websites or other platforms and paste it into chats, take screenshots of messages, or retype content they have seen elsewhere. In such cases, the person identified as the first originator on WhatsApp would not actually be the creator or author of the content, rendering the traceability mechanism ineffective for its stated purpose of identifying the source of misinformation or harmful content.
Comparative Perspectives: Global Approaches to Encrypted Communications
India is not alone in grappling with the tension between encrypted communications and law enforcement access. Governments worldwide have sought various approaches to address this challenge, often referred to as the encryption debate or the going dark problem.
In the United States, law enforcement agencies have long advocated for backdoors or exceptional access mechanisms that would allow them to decrypt communications when authorized by court order. However, technology companies and privacy advocates have consistently argued that such mechanisms would weaken security for all users and could be exploited by adversaries. The debate has resulted in a stalemate, with no federal legislation requiring backdoors in encrypted systems.
The European Union has taken a different approach through its General Data Protection Regulation and the ePrivacy Directive, which provide strong protections for communications privacy. However, some EU member states have proposed or enacted national legislation requiring platforms to retain certain metadata or provide access to encrypted communications under specific circumstances. These national measures have faced legal challenges under EU law for potentially conflicting with fundamental rights protections.
Australia passed the Telecommunications and Other Legislation Amendment (Assistance and Access) Act in 2018, which requires technology companies to provide technical assistance to law enforcement agencies, including potentially weakening encryption. This legislation sparked significant controversy and concern from technology companies and civil society organizations about its impact on security and privacy.
The United Kingdom has considered similar measures through the Investigatory Powers Act 2016, which grants broad surveillance powers to government agencies. However, courts have struck down portions of this legislation for violating privacy rights under the European Convention on Human Rights. In December 2020, the Court of Justice of the European Union ruled that UK surveillance practices violated EU law, specifically regarding bulk data retention requirements.
Brazil’s Marco Civil da Internet provides strong protections for internet users’ privacy and freedom of expression, while also establishing procedures for law enforcement access to user data with judicial authorization. The Brazilian approach attempts to balance privacy and security through clear procedural safeguards and judicial oversight, which contrasts with India’s Rule 4(2) that allows executive authorities to issue traceability orders without prior judicial review.
These international examples demonstrate that while many countries struggle with similar tensions between privacy and security, most democratic nations that have attempted to mandate weakening of encryption or require traceability have faced significant legal, technical, and political challenges. The lack of a clear international consensus on this issue underscores the complexity of the problem that India is attempting to solve through Rule 4(2).
The Status of Proceedings and Future Implications
The legal challenge to Rule 4(2) remains pending before the Delhi High Court. After issuing notice to the Centre in August 2021, the court has heard arguments from both sides but has not yet rendered a final judgment on the merits of WhatsApp’s petition. In April 2024, during one of the hearings, WhatsApp’s counsel made the striking statement that the platform would exit India if forced to break encryption, underscoring the fundamental nature of the dispute.
The Supreme Court of India, in March 2024, transferred various petitions challenging different aspects of the IT Rules 2021 from multiple High Courts to the Delhi High Court for consolidated hearing. This transfer indicates the national importance of the issues at stake and suggests that a definitive resolution may eventually require Supreme Court intervention.
Meanwhile, the government has shown no indication of withdrawing or modifying Rule 4(2). The Ministry of Electronics and Information Technology has consistently defended the provision as necessary for public safety and national security. In subsequent amendments to the IT Rules in 2022, the government actually expanded intermediary obligations in other areas, suggesting a continued commitment to stringent regulation of digital platforms.
The outcome of this case will have profound implications for digital rights in India and could set precedents affecting hundreds of millions of users of encrypted messaging services. If the court upholds Rule 4(2), WhatsApp and other encrypted messaging platforms will face a difficult choice: either comply with the traceability requirement by fundamentally redesigning their encryption systems, which would undermine their global security architecture, or refuse to comply and potentially face loss of safe harbour protection or even be forced to exit the Indian market.
Conversely, if the court strikes down Rule 4(2) as unconstitutional, it would establish important limits on the government’s ability to mandate surveillance capabilities through subordinate legislation. Such a ruling would affirm the primacy of the Puttaswamy privacy framework and clarify that fundamental alterations to encrypted communications systems cannot be imposed without clear parliamentary authorization and robust procedural safeguards.
The case also raises broader questions about the regulation of digital platforms in India and the appropriate balance between innovation, privacy, and security. As India develops its digital economy and seeks to establish itself as a technology hub, the legal framework governing digital platforms will significantly influence whether India is perceived as a rights-respecting jurisdiction that protects user privacy or as one where surveillance concerns may deter users and businesses.
Conclusion
WhatsApp’s constitutional challenge to the traceability provision in the IT Rules 2021 represents a watershed moment in Indian digital rights jurisprudence. At its core, this case requires courts to determine whether the government can mandate that private companies build surveillance capabilities into encrypted communications systems, and if so, under what conditions and with what safeguards. The resolution of this case will shape the future of privacy, free speech, and secure communications for hundreds of millions of Indians who rely on messaging platforms for personal, professional, and political expression.
The legal and technical complexities involved demonstrate that there are no simple answers to the challenges posed by encrypted communications in the digital age. Both the government’s security concerns and users’ privacy interests are legitimate and important. However, the Puttaswamy framework provides clear guidance that any invasion of privacy must be necessary, proportionate, and backed by adequate procedural safeguards. As the Delhi High Court weighs these competing interests, its eventual decision will determine whether India’s approach to digital regulation respects the constitutional commitment to privacy while addressing legitimate security needs.
References
[1] The Print. (2021, May 26). WhatsApp challenges new IT rules in Delhi HC, terms it ‘unconstitutional’. https://theprint.in/india/whatsapp-challenges-new-it-rules-in-delhi-hc-terms-it-unconstitutional/666023/
[2] LiveLaw. (2021, June 10). Traceability Rule Will Break End-To-End Encryption; Can Put Privacy Of Journalists, Activists, Politicians At Risk: WhatsApp Tells Delhi High Court. https://www.livelaw.in/news-updates/whatsapp-delhi-high-court-traceability-end-to-end-encryption-privacy-risk-174743
[3] Indian Kanoon. Section 79 in The Information Technology Act, 2000. https://indiankanoon.org/doc/844026/
[4] The LawGist. (2024, March 8). Exemption from Liability of Intermediary (Section 79 of Information Technology Act 2000). https://thelawgist.org/exemption-from-liability-of-intermediarysection-79-of-information-technology-act-2000/
[5] PRS India. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. https://prsindia.org/billtrack/the-information-technology-intermediary-guidelines-and-digital-media-ethics-code-rules-2021
[6] LiveLaw. (2021, August 27). Delhi High Court Issues Notice To Centre On WhatsApp’s Plea Challenging Traceability Clause Under IT Rules 2021. https://www.livelaw.in/top-stories/delhi-high-court-notice-centre-whatsapps-plea-challenging-traceability-clause-under-it-rules-2021-180387
[7] Supreme Court Observer. Fundamental Right to Privacy – Justice K.S. Puttaswamy v Union of India. https://www.scobserver.in/cases/puttaswamy-v-union-of-india-fundamental-right-to-privacy-case-background/
[8] MediaNama. (2021, May 27). Summary: WhatsApp alleges IT Rules are unconstitutional in lawsuit. https://www.medianama.com/2021/05/223-whatsapp-lawsuit-it-rules-indian-government/
[9] Software Freedom Law Center. (2023, May 17). Legal challenges to the traceability provision – What is happening in India? https://sflc.in/legal-challenges-traceability-provision-what-happening-india/
Published and Authorized by Vishal Davda
