NAVIGATING THE INTERPLAY BETWEEN TRACEABILITY AND END-TO-END ENCRYPTION
- POONAM BHOJWANI
- Dec 3
Written by Ms. Poonam Bhojwani, Third-Year B.A. LL.B Student, Lords Universal College of Law, University of Mumbai

INTRODUCTION
In this era of advanced digital communication technology, the traceability obligation plays a vital role in addressing the multifaceted challenge to national security and public safety posed by this landscape. However, the concept is a major setback to the fundamental Right to Privacy of users and will hurt the future of End-to-End Encryption (“E2EE”) and intermediaries. While the mandate requires intermediaries to alter their architecture, which can have far-reaching consequences, including technical and legal implications, tech giants with a massive user community cannot neglect their responsibility to uphold national security and public safety by fostering transparency. This controversial debate on privacy and security has intensified in recent times, with no obvious conclusions. The government enacted The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 (“IT Rules”), aiming to establish a balanced relationship between user privacy and national security, but the rules are alleged to flout the key principles of constitutionalism, and Rule 4(2), which sets out the traceability obligation, has even reached the door of the judiciary [1]. The dispute may prima facie look like a common one between a venture and a government, but to assert this would be false, considering that its consequences will dictate the future of the sovereignty of cyberspace in the world's largest democracy and will set a precedent for other democracies to address this intricate dilemma effectively. As the discord concerns people's fundamental Right to Privacy, it becomes crucial for them to be aware of the technological norms of traceability and E2EE, which will enable them to make informed choices about the platforms they use and to advocate for strong privacy protections.
In light of this, the author seeks to give a comprehensive analysis of the interplay between the two concepts of discord with a specific focus on the nuances of Rule 4(2) of the IT Rules.
In the first place, the article offers an in-depth examination of the evolution, objective, and principles of traceability and E2EE. This section outlines the fundamental goal of these concepts. Subsequently, the author accentuates the central conflict between the two concepts, discussing why they are often incompatible with each other and the implications of the discord. Lastly, the article delves into the global perspective on the discord and suggests potential avenues forward.
1. TRACEABILITY
Traceability is defined as the capability to identify the originator of a communication or of data on a network. It is crucial for maintaining security and ensuring public safety in the nation, as it helps prevent terrorism, cyberattacks, and hate speech by tracking the source of information. It also enhances the accountability of intermediaries. The concept was introduced in Rule 3(5) of The Draft Information Technology Intermediaries Guidelines (Amendment) Rules, 2018, which obliged intermediaries to enable tracing of the originator of the information [2]. Subsequently, in 2020, an ad-hoc committee on online pornography was set up by the Rajya Sabha, which recommended modifying the IT Rules 2011 and breaking E2EE when child sexual material is shared, by implementing the traceability provision [3]. The extensive framework of the concept appeared in the IT Rules 2021.
INFORMATION AND TECHNOLOGY RULES, 2021
The IT Rules 2021 were enacted in consideration of the direct impact of intermediaries on the society and polity of the nation. The rules mark a significant departure in intermediary liability from previous regulatory frameworks, aligning it closely with traditional forms of media regulation. The government, exercising its power under Section 87 of the Information Technology Act 2000, declared the rules as superseding the Information Technology (Intermediaries guidelines) Rules, 2011. Under the previous rules, intermediaries were exempted from any liability for offences conducted on the platform without their concurrence. Those rules provided broad protection to the media giants, whereas the 2021 rules introduced stringent compliance requirements for liability, such as grievance redressal mechanisms, automated monitoring tools, the traceability mandate, monthly compliance reports, etc.
Rule 4(2)
The provision of Rule 4(2) articulates the obligation of significant social media intermediaries to enable the identification of the first originator of information on its computer source when ordered by a court of competent jurisdiction or by the competent authority under Section 69 of the IT Act 2000 as per the Information Technology (Procedure and Safeguards for interception, Monitoring, and Decryption of Information) Rules, 2009. The order will be passed only for the following specific purposes [4]:
- Prevention, detection, investigation, prosecution, or punishment of offences relating to the sovereignty and integrity of India, security of the state, friendly relations with foreign states, and public order.
- Incitement to an offence related to the above.
- Offences concerning rape, sexually explicit material, and child sexual abuse material.
The order can be passed in the case of offences punishable with imprisonment for a term of not less than five years. This indicates the gravity of the offence for which the order can be sought. The rule provides that, while adhering to the order, intermediaries shall not be required to divulge the actual content of any message or any other information about the originator or other users of the platform. In addition, the rule asserts that when the originator is located outside the territory of India but the information is promulgated within the territory of India, the first originator within the territory will be considered the originator of the information.
WHAT CONSTITUTES THE FUNDAMENTAL CORE OF E2EE?
E2EE has proved to be a crucial instrument in digital communication technology. The framework is committed to ensuring its users' private space by offering them a system where only the sender and recipient have access to the messages transferred between them. Its widespread adoption can be traced back to the preceding decade: in 2013, a former officer of the US National Security Agency revealed that the federal agency was involved in the extensive surveillance of millions of Americans and foreign government officials, in collaboration with service providers. The operation included access to the metadata of phone calls and to the servers of tech giants such as Google, Apple, and Facebook [5]. The repercussions of the event prompted many companies to adopt E2EE. It works by encrypting messages on the sender's device with a public key, which can be accessed by anyone; the messages can then be decrypted only with the corresponding private key, which is kept secret by the recipient. This means that even if the communication channel or any intermediary servers are compromised, the message remains secure because only the sender and receiver have the necessary keys to decrypt it.
E2E encryption is primarily used to secure "data in transit," meaning information as it moves between devices or accounts. This protects messages as they travel from one device to another over the internet, preventing unauthorised access during transmission. The architecture establishes a foundational role in maintaining the confidentiality, integrity, and authenticity of digital communication. By encrypting data, it bolsters trust between the communicators. It also upholds the fundamental Right to Expression and Right to Privacy by enabling users to freely express their thoughts, opinions, and ideas without the fear of surveillance.
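The property described in this section can be seen in a short sketch, added here as an illustration and not taken from the article or from any messaging product. It assumes Node.js with its built-in `crypto` module and uses RSA-OAEP plus an RSA signature as stand-ins for the more elaborate protocols real messengers use; `seal`, `open` and `RelayServer` are hypothetical names.

```javascript
// Added illustration: sender -> relay server -> recipient, using Node's built-in crypto.
const crypto = require('node:crypto');

// Each party generates a key pair on its own device; only public keys are ever shared.
const newKeyPair = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const oaep = (key) => ({ key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' });

// Sender's device: encrypt to the recipient's public key, sign with the sender's private key.
function seal(plaintext, recipientPublicKey, senderPrivateKey) {
  const ciphertext = crypto.publicEncrypt(oaep(recipientPublicKey), Buffer.from(plaintext, 'utf8'));
  const signature = crypto.sign('sha256', ciphertext, senderPrivateKey);
  return { ciphertext, signature };
}

// Recipient's device: check the signature first, then decrypt with the recipient's private key.
function open(envelope, recipientPrivateKey, senderPublicKey) {
  if (!crypto.verify('sha256', envelope.ciphertext, senderPublicKey, envelope.signature)) {
    throw new Error('signature check failed');
  }
  return crypto.privateDecrypt(oaep(recipientPrivateKey), envelope.ciphertext).toString('utf8');
}

// Hypothetical intermediary: stores and forwards envelopes, holds no user private key.
class RelayServer {
  constructor() { this.queue = []; this.keys = newKeyPair(); }
  accept(envelope) { this.queue.push(envelope); }
  deliver() { return this.queue.shift(); }
  // All the server can attempt with the keys it actually holds; returns null on failure.
  tryRead(envelope) {
    try { return crypto.privateDecrypt(oaep(this.keys.privateKey), envelope.ciphertext).toString('utf8'); }
    catch { return null; }
  }
}

// Runs one exchange with a constructed sample message and reports what each party could see.
function demo() {
  const sender = newKeyPair(), recipient = newKeyPair(), server = new RelayServer();
  const message = 'constructed sample message';
  const envelope = seal(message, recipient.publicKey, sender.privateKey);
  server.accept(envelope);
  const serverView = server.tryRead(envelope);
  const leaked = envelope.ciphertext.includes(Buffer.from(message, 'utf8'));
  const received = open(server.deliver(), recipient.privateKey, sender.publicKey);
  // Integrity: flip one bit in transit and confirm the recipient rejects the envelope.
  const tampered = { ciphertext: Buffer.from(envelope.ciphertext), signature: envelope.signature };
  tampered.ciphertext[0] ^= 1;
  let tamperRejected = false;
  try { open(tampered, recipient.privateKey, sender.publicKey); } catch { tamperRejected = true; }
  return { received, serverView, leaked, tamperRejected };
}

console.log(demo());
```

The relay still sees who sent an envelope to whom and when; only the content is hidden from it.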
POTENTIAL ANTAGONISMS STEMMING FROM TRACEABILITY MANDATES AND THE E2EE PARADIGM
Transparency vs Privacy
The present provision of the IT Rules indeed helps the government trace the originator of hate speech, misinformation, and illegal content that compromise the public safety of the country, and it also facilitates regulatory compliance and legal transparency. But the same provision can also be used to trace political content flowing between individuals or to track activists and political opponents, which will consequently result in flagrant abuse of the fundamental Right to Privacy of citizens, an intrinsic part of the Right to Life as enshrined in Article 21 of the Constitution [6]. It is argued that the right is not absolute, as held by the apex court in Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors., and that the provision therefore aligns with the right. While the right is not absolute, the judiciary laid down a three-pronged test in the judgment, clarifying that the right can be restricted by law only if the restriction meets the principles of legality, necessity, and proportionality [7], but the requirement of the rule doesn't satisfy any of these principles. This significant tussle between privacy and transparency raises the question of the coexistence of traceability and E2EE.
Free Speech vs Content Moderation
The policy advocates for the free speech laid down in Article 19 of the Constitution by resisting any form of government intervention or censorship that may suppress dissenting opinions or limit public discourse. Unrestricted freedom of speech is essential for safeguarding the voices of marginalised or minority groups, ensuring their ability to challenge prevailing norms and advocate for social change, and it also fosters innovation and intellectual progress by encouraging the exchange of diverse ideas, fostering creativity, and driving societal evolution. While the government is committed to the fundamental rights of citizens, it also ensures the protection of its citizens from any harm that can undermine social cohesion and threaten public safety; therefore, moderation, as objectified by Rule 4(2), becomes crucial. Governments are certainly facing the challenge of balancing the protection of freedom of speech with the responsibility to address harmful content and maintain public order, navigating the tension between individual rights and collective interests.
Intermediary Commitment vs Government Duty
A fundamental antagonism between E2EE and traceability can be the commitment of intermediaries to uphold user interests and the duty of governments to safeguard national security and cohesion. Intermediaries, driven by the principles of user privacy, autonomy, and inclusivity, aim to maintain open channels for free expression while ensuring transparency and accountability in content moderation. Conversely, governments are tasked with protecting the collective interests of the nation, necessitating measures to counter external threats, maintain public order, and enforce legal standards in the digital domain. This dichotomy presents complex challenges as both parties seek to navigate the delicate balance between individual liberties and societal well-being.
Market Fallout
The mandate of the IT Rules can also hurt the economic growth of the country, as the imposition requires tech companies to change their architecture. This can result in market fallout in the country due to increased operational costs, loss of user trust leading to a decreased user base, and a deterrent to foreign investment and innovation, ultimately hampering the country's competitiveness in the global digital market and stifling economic growth.
Jurisdiction Conundrum
The intermediaries with huge user bases operate worldwide. Therefore, requiring traceability may force intermediaries to implement similar measures worldwide to ensure consistency and compliance with Indian law. However, this could clash with the privacy laws and standards of other countries that prioritise strong encryption and user privacy, leading to a drastic impact on the global landscape of privacy laws.
GLOBAL OUTLOOK ON THE DILEMMA
The contestation between prioritising online security and new regulations that grant technological exceptions for law enforcement agencies is not unique to India. Conflicts between law enforcement agencies and companies that use encryption have become public in many countries. In 1993, the US National Security Agency introduced the Clipper Chip, an encryption device for enhancing the security of phone communications. However, unlike standard encryption methods, the Clipper chip included a built-in backdoor that would allow government agencies to access encrypted data when determined to be necessary. This move ignited a fierce public debate, which is popularly known as the Crypto Wars, regarding the balance between privacy rights and national security. Despite the agency's efforts, the Clipper Chip was met with marked opposition and failed to gain wide legislative approval. [8]
In 2001, following the 9/11 tragedy in America, Congress responded swiftly with the passage of the USA Patriot Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act). This legislation aimed to bolster national security measures by expanding the authority of government agencies to monitor various forms of communication, including phone and email communications, collect financial records such as bank transactions, and track individuals' online activities. The Patriot Act's broad surveillance powers raised concerns among privacy advocates about potential infringements on civil liberties and the erosion of personal privacy.
Also, in 2018, the governments of the U.S.A., UK, Canada, Australia, and New Zealand, collectively known as the "Five Eyes" intelligence alliance, issued a joint statement calling for technology companies to provide customised solutions that would permit lawful access to encrypted data. This meant that the governments of these nations sought to compel tech companies to create backdoors or other mechanisms to enable access to encrypted communications for law enforcement purposes. Failure to comply with these requests voluntarily could result in the introduction of new legislation to force compliance. Later in 2020, India also became part of this alliance by signing the statement. Most recently, in 2022, the UK introduced the Online Safety Bill, which proposes requiring messaging companies to remove E2EE from their platforms to enable the scanning of messages for child sexual abuse material. This controversial proposal has sparked renewed debate over the trade-offs between online privacy and safeguarding vulnerable individuals from harm.
There is increasing consensus across governments and international institutions that action must be taken. While encryption, privacy, and cybersecurity are crucial, they shouldn't completely prevent law enforcement and the tech industry from combating severe illegal content and activities online.
CONCLUSION
Encryption serves as the cornerstone of trust in the digital world, but the technology that keeps our digital communications secure is a critical component. On one hand, we all want our conversations and data to be safe from spying eyes. But on the other hand, governments argue that they periodically need access to this information to keep us safe from crime and terrorism. Therefore, the compulsion to balance public safety and national security necessitates a refined approach; thus, India introduced some new rules in response to concerns about this balance. These rules are meant to make sure that our digital privacy is respected while still allowing authorities to access information when they need to. However, many businesses are worried that these rules are too strict and could harm their operations. To sort this out, the government and tech companies must join hands. They need to make sure that systems are designed with safety in mind so that illegal activities can be stopped without compromising overall security. When authorities do need access to encrypted data, there should be clear rules in place to make sure it's done fairly and with oversight. And importantly, everyone affected by these decisions, citizens, businesses, and others, should have a say in how these rules are made. By taking these steps, India can find a middle ground that respects both privacy and security concerns, easing worries and ensuring a safer digital environment for all.
REFERENCES
1. Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, SI 2021/-, r 4(2)
2. Draft Information Technology (Intermediaries Guidelines (Amendment) Rules) 2018, r 3(5)
3. India, Ministry of Electronics and Information Technology, “...” (Press Release PRID 1700749) https://www.pib.gov.in/PressReleasePage.aspx?PRID=1700749 accessed 28 July 2025.
4. Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules 2009, s 69; Information Technology Act 2000.
5. BBC News, ‘Edward Snowden: Leaks That Exposed US Spy Programme’ (30 June 2013) https://www.bbc.com/news/world-us-canada-23123964 accessed 28 July 2025
6. Constitution of India, art 19.
7. Justice K S Puttaswamy (Retd) & Anr v Union of India & Ors [2017] 10 SCC 1 (SC).
8. ‘Clipper Chip’ (Exabeam) https://www.exabeam.com/information-security/clipper-chip/ accessed 28 July 2025


