Significant Social Media Intermediary Compliance: Traceability Requirements, Encryption Debates, and Platform Resistance

Introduction

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 introduced a category of regulated entity that did not previously exist in Indian law: the Significant Social Media Intermediary (SSMI). By establishing a threshold of fifty lakh (five million) registered users in India as the criterion for SSMI classification, the Rules imposed a differentiated compliance regime on the world’s largest social media platforms. Among the obligations imposed on SSMIs, none has generated more sustained legal, technical, and civil liberties controversy than the traceability requirement under Rule 4(2), which mandates that messaging platforms enable the identification of the “first originator” of any information within India when required by a lawful government order.

The traceability requirement cuts directly against the fundamental design of end-to-end encrypted messaging systems. WhatsApp, Signal, and iMessage were designed precisely so that no party other than the sender and receiver, including the platform itself, can read the content of messages. The government’s position is that traceability is necessary for national security and to prevent the spread of violent misinformation, child sexual abuse material (CSAM), and terror-related content. The platforms’ position, supported by technologists, cryptographers, and civil liberties organisations globally, is that breaking encryption for any purpose necessarily breaks it for all purposes, creating vulnerabilities that can be exploited by adversaries as well as governments.

This article examines the SSMI framework, the constitutional and technical dimensions of the traceability mandate, the WhatsApp litigation before the Delhi High Court, the international debate on encryption policy, and the unresolved tensions that will define messaging platform regulation in India for years to come.

Legal Framework

Rule 4(2) of the IT Rules 2021 requires that an SSMI providing services primarily in the nature of messaging shall enable the identification of the first originator of the information on its platform. This obligation is triggered only upon an order of a competent court or a competent authority under the IT Act (specifically, an order under Section 69 of the IT Act, which deals with interception, monitoring, and decryption). The rule further specifies that the intermediary is not required to disclose the contents of the message and that the originator shall not be identified in cases where the message does not relate to a cognisable offence.

The definitional scope of SSMI under the Rules requires noting. An intermediary qualifies as an SSMI if it has fifty lakh or more registered users in India. The classification triggers obligations beyond traceability, including the appointment of a Grievance Officer, a Nodal Officer, and a Chief Compliance Officer, all resident in India. These officers are personally accountable and potentially liable under Indian law for platform non-compliance, a provision that has its own chilling effect on the willingness of international companies to appoint identifiable Indian-resident senior executives.

Rule 4(4) imposes an additional obligation on SSMIs offering messaging services to endeavour to deploy technology-based measures to identify CSAM and other specified content. The word “endeavour” introduces an element of best-efforts obligation, but the interaction of this provision with Rule 4(2) creates ambiguity: if end-to-end encryption prevents the platform from scanning content, has it failed its Rule 4(4) obligation?

Section 69 of the IT Act provides the underlying authority for government interception orders. The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 govern the process. These rules permit interception on grounds of sovereignty, security, public order, and certain other specified interests, and they require the involvement of a Review Committee. However, critics have long argued that the safeguards are inadequate, that the Review Committee process is opaque, and that the volume of interception orders issued in India substantially exceeds that of comparable democracies with more robust oversight mechanisms.

Judicial Developments

WhatsApp LLC and Meta Platforms Inc. filed a challenge before the Delhi High Court in 2021, arguing that Rule 4(2) is unconstitutional and technically impossible to implement without destroying the privacy of all users. The petition raises several distinct grounds.

First, it argues that the right to privacy, recognised as a fundamental right by the Supreme Court in Justice K.S. Puttaswamy v. Union of India (2017), encompasses the confidentiality of private communications. A traceability mandate that requires a platform to maintain logs enabling post-hoc identification of message originators necessarily involves the creation and retention of metadata about every message sent on the platform, which constitutes a serious intrusion into privacy.

Second, the petition raises the argument from technical impossibility. End-to-end encryption (E2EE) works by generating encryption keys at the device level; the platform never holds these keys and therefore cannot decrypt message content. To implement traceability, WhatsApp would need to either abandon E2EE entirely, introduce a hash fingerprinting system that creates a detachable identifier for each message, or implement a client-side scanning mechanism that identifies content before it is encrypted. Each of these options either destroys encryption or creates a fundamentally different kind of surveillance architecture. The technical community is near-unanimous that there is no technically sound means of providing traceability in a genuinely E2EE system.

Third, the petition argues that Rule 4(2) exceeds the rule-making power granted to the government under the IT Act. Section 87, which enables subordinate legislation, does not expressly empower the government to mandate specific encryption architectures or to require the creation of technical backdoors. The argument is that a power to regulate intermediary conduct does not extend to compelling the redesign of cryptographic systems.

The Delhi High Court has heard extensive arguments but has not, as of the time of writing, delivered a final judgment. The government has argued that traceability does not require reading message content, that it operates only in relation to designated offences, and that the national security justification is compelling given the documented use of encrypted platforms for mob violence coordination, lynching incidents, and terrorist communication.

Contemporary Issues and Analysis

The traceability debate in India is a microcosm of a global conflict between surveillance needs and privacy imperatives. The government’s factual claims about the misuse of encrypted messaging are not without foundation: WhatsApp-circulated disinformation has been linked to multiple mob lynching incidents in India between 2017 and 2019, prompting the platform to voluntarily limit message forwarding. The question, however, is whether the response is proportionate and whether the proposed cure is worse than the disease.

The proportionality framework established in the Puttaswamy judgment requires that any limitation on a fundamental right must be legally authorised, must pursue a legitimate aim, must be proportionate, and must be the least invasive measure available. Rule 4(2) arguably fails the proportionality test for several reasons. The measure is not targeted: it requires the creation of a tracing infrastructure for every message on the platform, not just those identified through independent investigative means. There is no requirement that a specific investigation be underway before the tracing capability is mandated at the architectural level. The creation of a persistent traceability mechanism at the infrastructure level constitutes a form of mass surveillance architecture, even if individual identification orders require judicial or government authorisation.

The “first originator” language also reveals a conceptual confusion. If a piece of content, say a fabricated image or a false news headline, is created outside India and forwarded into India by multiple users simultaneously, who is the “first originator” within India? The person who first forwarded it into an Indian WhatsApp group may not be the same person who created the content, and attributing legal responsibility to the “first forwarder” rather than the creator is both technically awkward and legally dubious.

Comparative and International Perspective

The European Union’s Chat Control proposal, which would have required messaging platforms to scan private communications for CSAM using client-side scanning, was met with fierce resistance from EU member states, privacy advocates, and cryptographers. Multiple member states, including Germany, Austria, and the Netherlands, objected that client-side scanning is technically equivalent to breaking encryption. The proposal was effectively blocked in 2024 as it could not secure qualified majority support, demonstrating that even among countries with less robust press freedom traditions than India, the idea of mandated backdoors in encrypted communications has not achieved political consensus.

The Signal Foundation, which develops the open-source Signal Protocol used by WhatsApp, has publicly and unambiguously stated that it would shut down its service in any country that requires backdoors rather than comply. This is not a negotiating position but a statement about technical architecture: Signal’s design makes compliance technically impossible without a fundamental redesign of the system.

The United Nations Human Rights Council’s Special Rapporteur on Freedom of Expression has explicitly identified strong encryption as a human right enabler, noting in a 2015 report that states should not compel the weakening of encryption or mandate backdoors. Subsequent resolutions and rapporteur reports have reinforced this position, placing the Indian traceability mandate in tension with India’s international human rights commitments.

By contrast, the UK Online Safety Act 2023 imposed obligations on messaging platforms to identify CSAM on their platforms, including end-to-end encrypted platforms, creating a legal obligation that Ofcom, the regulator, later acknowledged could not be enforced without breaking encryption. The Act’s implementation has been deferred in this respect, illustrating the regulatory gap that emerges when political ambition outpaces technical reality.

Practical and Policy Implications

For platforms operating in India, the SSMI framework and its traceability requirement create a genuine dilemma. Compliance in India would establish a precedent that other governments, including authoritarian ones, would immediately invoke. If WhatsApp builds a traceability mechanism for India, it cannot credibly refuse similar requests from governments with far worse human rights records. The resulting architecture would be a global compromise of E2EE. This is not a hypothetical: the Indian government’s documented communications with Meta since 2021 have been watched closely by regulatory authorities in Brazil, the UK, the EU, and the United States.

For Indian users of encrypted messaging platforms, the stakes are personal as well as political. Lawyers, doctors, journalists, activists, businesspersons, and ordinary citizens rely on E2EE for the confidentiality of communications that they have a legitimate expectation of privacy in. A traceability regime creates risks not only from government overreach but also from the creation of a database that could be hacked, misused by rogue officials, or obtained by adversarial foreign intelligence services.

Suggestions and Reforms

A workable approach to the legitimate concerns underlying Rule 4(2) would proceed differently. India could mandate more robust metadata reporting requirements without touching message content: platforms could be required to report statistical information about the geographic spread of high-velocity content without identifying individual senders. This would assist intelligence agencies in identifying coordinated inauthentic behaviour without creating message-level tracing infrastructure.

For CSAM specifically, a multi-stakeholder approach involving PhotoDNA-based hash matching of known CSAM at the point of upload (before encryption) could be deployed without compromising E2EE for other content. This technique is already used voluntarily by several platforms and represents a targeted response to a specific harm.

India should also consider reforming the underlying interception oversight framework under the 2009 Rules to provide genuinely independent judicial review of interception orders, similar to the Foreign Intelligence Surveillance Court model in the United States or the Investigatory Powers Tribunal model in the United Kingdom. Robust oversight of the demand side of the surveillance equation would be a more constitutionally sound response to misuse concerns than architectural mandates on the supply side.

Conclusion

The traceability requirement under Rule 4(2) represents an attempt to resolve a technically irresolvable problem through legal mandate. The Delhi High Court’s eventual ruling will be closely watched not only in India but globally, as it will test whether a constitutional democracy can compel the redesign of cryptographic systems through subordinate legislation. The weight of technical expertise, international human rights standards, and constitutional proportionality analysis all point toward the rule’s unsustainability in its current form. India’s legitimate interest in preventing the misuse of encrypted platforms for violence and crime deserves a legislative response, but that response must be crafted with technical humility, constitutional rigour, and an understanding that encryption protects Indian citizens’ security as much as it challenges investigators’ convenience.

About the Author

Leave a Reply

Your email address will not be published. Required fields are marked *

You may also like these