Source: Times of India dated 24.01.2020
-- Mishi Choudhary (Legal Director, Software Freedom Law Centre, New York) and Eben Moglen (Professor of Law and Legal History, Columbia Law School)
-- Mishi Choudhary (Legal Director, Software Freedom Law Centre, New York) and Eben Moglen (Professor of Law and Legal History, Columbia Law School)
A current proceeding earlier before the Madras high court but now transferred to the Supreme Court of India threatens fundamental harm to the freedom of expression on the internet, not only in India but elsewhere in the world. The pending petition seeks to require that Facebook make all WhatsApp messages traceable to their originator through the linkage of identity information (mobile phone or, perhaps, Aadhaar numbers) to all messages exchanged.
It should hardly be necessary – given the Supreme Court’s judgment in Justice KS Puttaswamy and Anr vs Union of India and Ors which confirmed that we have a fundamental right of privacy – to say that this petition must be dismissed as an affront to our basic constitutional freedom.
But technology is hard and law around it complicated, therefore, sweeping statements about terrorism and nationalism are made by counsels in court forcing the judges to become experts in matters far beyond most people’s expertise. They are expected to not only understand the intricacies of technology but also ensure innovation is not curtailed, all along addressing the fear mongering of new uses of technology.
Facebook is also entirely justified in objecting that it could not possibly satisfy such an order without fundamentally compromising the architecture of WhatsApp not only in India, but also throughout the world. WhatsApp is a credible communications system because it provides “end to end” encryption of the messages it carries, ensuring that Facebook itself cannot read the contents of our communications. Facebook can, it is true, determine the identity of any message’s sender and recipient, but if A sends to B a message that B then forwards to C, because Facebook cannot see the content of the messages it cannot tell that what B sent C was originally written by A. The demand for traceability is therefore a demand that Facebook compromises the security of all communications it handles.
By now, many of us are accustomed to observing technologists who find law challenging and lawyers who understand no technology and policy makers who are expected to know it all but are usually lost balancing several competing interests. Most law officers for the government assisting the court nonetheless inform the court that if only Facebook understood its technology as well as they understand it, everybody would see at once that down is up, light is dark and left is right.
To give an example of how hard an intersection of law, technology and policy can get: this petition is supported by filing of academics including renowned names from IITs. We have great respect for them and others who are really trying to assist matters here but cannot find gold keys where none exist. One such submission says that Facebook can be required to add the identity information of each message originator to the message itself before it is “end to end” encrypted, allowing every communication to be traced back through the chain of forwarding to its original source.
Thus, A sends a message to B which is “tagged” as coming from A. B decrypts the message, and forwards it to C, who receives it with the included “tag” identifying A, and decrypts it in his turn. If C finds the message “disturbing”, he can then complain to law enforcement authorities with A’s identity in hand. The submission says that this does not require Facebook to compromise encryption. That’s narrowly true: Encryption is formally undisturbed, but the privacy encryption designed to protect is destroyed anyway.
Obviously this mechanism destroys A’s privacy, if for example she didn’t want her message to B forwarded and is now being pursued by the government at the behest of C. According to the submission this is no problem, because A has a remedy: B has broken an implicit contract with A by forwarding the message over A’s implicit objection, violating a relationship of trust which (he says) must have existed between A and B in the first place.
But this advice ignores how law operates. Government here orders an unconstitutional invasion of privacy, directing F to destroy the privacy of A, as well as other intermediate recipients of A’s message. But though A’s right against government has been vitiated, that has been theoretically replaced by a private action against B.
From the lawyer’s point of view, this is preposterous. Unconstitutional action is not acceptable just because a party harmed by the state can potentially bring a contract action against some non-governmental private party. Also, if you have ever dealt with the Indian legal system, saying go to court if you are worried about privacy in this age is the most ineffective way of getting any relief.
Many well-intentioned observers have pinned all their hope on the recently tabled Personal Data Protection Bill, 2019, to protect citizens from the ever broadening reach and greed of companies and other entities for our data. While India does need such a law urgently, in no way can this address the problems being presented by this case where all citizens’ privacy and security is held ransom to check the notoriety of a few malicious players.
In our view, the Supreme Court should reaffirm that the fundamental right of privacy under Article 19 recognised in Puttaswamy protects both the secrecy and the anonymity of our personal communications, and prevents GoI or its courts from ordering technological intermediaries to breach those rights on its behalf. The government’s law officers should be required to tell the Supreme Court whether they wish to stand behind this witch’s brew, or whether the technologies of totalitarianism are unacceptable in the world’s largest democracy.
No comments:
Post a Comment