Does IT Rules, 2021 Call for Breaking of End-to-end Encryption?

Does IT Rules, 2021 Call for Breaking of End-to-end Encryption?

The Information Technology Rules, 2021 have been framed in exercise of powers of the government under section 87 subsection (2) of the Information Technology Act, 2000, and in place of the Information Technology Rules 2011, in response to growing concerns about a lack of transparency, accountability, and user rights related to digital media, and after extensive consultation with the public and stakeholders.

The Ministry of Electronics and Information Technology (MEITY) is in charge of Part II of these Rules, while the Ministry of Information and Broadcasting is in charge of Part III, which deals with the Code of Ethics. Under section 69A of the IT ACT, 2000, the government can block access to inappropriate content, which has passed the constitutionality in Shreya Singhal’s case.[1]

 In this article, I will be discussing Rule 4(2) and 7 of the IT Rules, 2021 in particular.  The above rules have been said by the various intermediaries to be arbitrary and violative of fundamental rights because rule 4(2) of the IT Rules, 2021 infringe on an individual’s right to privacy, intermediaries that primarily provide messaging services are now required to enable the identification of the first originator of the information on its computer resource as may be required by a judicial order passed by a court of competent jurisdiction or an order passed under Section 69 by the Competent Authority, as per the Information Technology Act, 2000. This is a violation of the end-to-end encryption services that such intermediaries guarantee. Rule 7, has diluted the safety harbour provisions of due diligence to be observed by giant social media intermediaries and makes the intermediaries liable in case of non-observance under both the IT Act, 2000 and Indian Penal Code. The IT Rules of 2021 only control the right to publish, download, and remove content; they do not render a person criminally accountable for posting data. Criminal liability is a legal action that begins when the user violates the criminal terms of existing legislation in force. The main aim of Rule 7 is to ensure that intermediaries comply with the regulations mentioned in the IT Rules 2021 which aim to protect the Fundamental Rights of the common users.  Hence, it has also been provided in Rule 7 that if the intermediary does not comply with the rules, it will lose its safe harbour immunity granted under Section 79(1) of the IT Act, 2000 and shall be liable for punishment under any applicable law including the Information Technology Act, 2000 and Indian Penal Code, 1860.

It has been rightly held by the Supreme Court that the right to privacy must be considered in light of its function in society and balanced against other fundamental rights, such as the need for competent authorities to prevent, investigate, and prosecute criminal offences, as well as safeguards against threats to public safety. When a compelling countervailing interest is established, the right to privacy may be invaded. The Supreme Court has ruled that originators persons/ institutions/ bodies of fake news content should be held accountable even if it involves decryption of those messages for prevention, detection, and investigation of such unlawful acts. This was affirmed in the Prajjwala case,[2] where the court had ordered the government to develop and follow the appropriate guidelines/Standard Operating Procedures (SOP). To “eliminate child pornography, rape and gang rape imagery, videos, and sites in content hosting platforms and other applications”.

Will the breaking of end-to-end encryption lead to snooping of conversation?

The answer is no. Every message, be it via SMS, e-mail, has a source code and a destination code, and can be traced via it. This can happen without breaking either the encryption or privacy policy,”[3] This ensures that there is no violation of privacy or breaking of end-to-end encryption required to trace the originator. When law enforcement agencies track mobile call data records to investigate crime, for example, they do not listen in on phone conversations. 

In my opinion, there is a lot of misinformation regarding the IT Rules, 2021. The claims of intermediaries that rules call for the breaking of end-to-end encryption are baseless as the IT Rules, 2021 do not have any such provision which requires the breaking of end-to-end encryption. They have been framed in consonance with the Apex court rulings and do not suffer infirmity on grounds of violation of fundamental rights. These rules have been framed to hold the perpetrators accountable for unlawful acts under Rule 4.


[1] Shreya Singhal v. Union Of India, AIR 2015 SC 1523.

[2] Prajwala vs Union Of India & Ors, WP (C) No. 576 of 2004.

[3] Rishi Raj, Whatsapp can tell on you without snooping, Financial Express(17th September 2020) https://www.financialexpress.com/industry/technology/whatsapp-can-tell-on-you-without-snooping/2203325/

Anubhuti Awasthi
Hi! I am Anubhuti Awasthi. I am pursuing B.A. LL.B (Hons) from Amity University, Lucknow. Reading and writing keep me alive. I like to explain legal concepts easily. I have a keen interest to take part in moot court competitions and public speaking. I've been an active volunteer of the human rights cause and have worked for it through the various initiatives led at my alma mater. No wonder I've continued to do intensive research and studies on human rights, socio-environmental issues, and criminology. I am driven to contribute my bit towards society at large, by using law as a weapon.