To ensure traceability of messages shared on WhatsApp, the government has asked the instant messaging platform to “fingerprint WhatsApp messages”, reports the Economic Times citing two anonymous senior government officials. The officials said that the platform should be able to trace the origin of a message and know how many times it has been read and forwarded, but insisted that “we [they] don’t want to read the messages”. The officials said, citing the menace of misinformation disseminated through platforms like WhatsApp that it is “not acceptable that no one can trace any messages”. The government is of the opinion that the internet has “reached a level of anonymity” and things can’t go on this way for long. The government had first demanded traceability of WhatsApp messages last year after misinformation and rumours around child kidnappings on the platform led to a series of lynchings across India in 2018. WhatsApp told Medianama that they “have nothing new to add to what we [they] have previously said on this”.
How WhatsApp can ensure traceability of messages
Draft amendments to intermediary guidelines of the Information Technology Act released in December 2018 require all internet platforms to ensure traceability of the origin of all content shared through them. Possible ways WhatsApp can fingerprint messages:
- Users can make messages either public (media) or private (P2P message). The default setting for all messages should be private. This will impact virality on the platform, but that’s a price it will have to pay for bringing in accountability. This will create a level of friction while forwarding: they will be frustrated when they cannot forward certain messages. WhatsApp could keep a slightly different background color for public messages.
- The original sender/creator of the message should have the power to allow for a message to be forwarded (and made public). This ensures that a message that was meant to be private cannot be made public (by forwarding) without consent. It also attributes intent, when an original sender/creator chooses to make a message public. To forward even your own message to multiple people, you would have to make first make the message public.
- When a creator makes a message public, the message gets a unique ID, which gets tagged with the creators ID. This means that the message, when public, is “media” and has proper attribution to the creator, every time the message is forwarded. A log is kept by WhatsApp only if the message is public. This allows both the platform and law enforcement agencies to trace the message back to the creator. From a platform perspective, there are two things: WhatsApp is now in a position to suspend this particular account, and secondly, it can disable the message, wherever it has been forwarded.
- Allow users to report forwarded/public messages as misinformation, which can then be reviewed by WhatsApp. WhatsApp already reviews spam related complaints. Users should be able to identify the Sender and/or Message ID by selecting the message and tapping on the information (i) icon which appears.
The proposed amendments to Intermediary Liability Rules
The government’s proposed amendments to the Intermediary Guidelines, released in December 2018, would change the rules under the Information Technology Act concerning intermediaries, ostensibly to prevent misuse of social media platforms and check the spread of fake news. Under India’s Information Technology Act, any entity, person or platform that receives, stores, processes, or transmits electronic information on behalf of another is considered an intermediary. These include social media platforms, cloud services, internet service providers, email service providers and more. For an intermediary to avoid liability for its users’ actions, it must comply with the proposed guidelines which are being amended to the following:
- Traceability, and information within 72 hours: The new rules require platforms to introduce traceability to find where a piece of information originated. For this, platforms may have to break end-to-end encryption. The rules require the intermediary to hand over information or assistance to government bodies in 72 hours, including in matters of security or cybersecurity, and for investigative purposes. [Rule 3(5)]
- Platforms with more than 50 lakh users are required to be registered under the Companies Act, have a physical address in the country, have a nodal officer who will cooperate with law enforcement agencies, etc. [Rule 3(7)]
- Platforms have to pull down unlawful content within a shorter duration of 24 hours from the earlier 36 hours. They also have to keep records of the “unlawful activity” for 180 days – double the period of 90 days in the 2011 rules – as required by the court or government agencies [Rule 3(8)]
- Platforms have to deploy tools to proactively identify, remove and disable public access to unlawful information or content. [Rule 3(9)]
- The new rules insert a monthly requirement on platforms to inform users of the platforms’ right to terminate usage rights and to remove non-compliant information at their own discretion. [Rule 3(4)]