An Unresolved Debate, Quietly Escalating
Few policy questions touch as many parts of India's digital economy as encryption. From the messaging apps used by hundreds of millions of Indians to the cryptographic systems underwriting UPI, GST e-invoicing, Aadhaar authentication, and the country's IT services export sector, strong encryption is not a peripheral feature — it is the load-bearing wall of the digital republic. Yet for nearly a decade, successive proposals to weaken or work around end-to-end encryption have kept the policy environment in a state of ambient uncertainty.
That uncertainty has a name: Rule 4(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which requires “significant social media intermediaries” providing messaging services to enable identification of the “first originator” of a message. WhatsApp's constitutional challenge to that rule, filed in the Delhi High Court in May 2021, remains one of the most consequential pending tech cases in Indian jurisprudence. Until it is decided, every operator of an end-to-end encrypted service in India operates under a legal cloud.
What “Traceability” Actually Costs
In political framing, traceability sounds modest: identify only the originator, only on a court order, only for serious offences. The technical reality is starkly different. End-to-end encryption is designed so that even the platform cannot read messages or reliably attribute them. To comply with Rule 4(2), a service must either abandon end-to-end encryption outright, build a parallel metadata or hash-tracking system that recreates surveillance infrastructure for every user, or retrofit cryptographic identifiers that fundamentally alter the trust model.
None of these options are scalpels. The Internet Society's analysis of traceability in encrypted environments, and subsequent technical work by independent cryptographers, has consistently concluded that no current mechanism allows targeted “first originator” identification without weakening encryption for every user on the network. The trade-off is binary: either the platform retains some ability to break confidentiality, or it does not.
The Innovation Stake
India is the world's largest WhatsApp market, with more than 500 million users, and home to a thriving ecosystem of homegrown encrypted services — from fintech challengers to enterprise collaboration tools. The IT services sector, which generated over $200 billion in export revenue in FY24 according to NASSCOM, is built on the credibility of Indian engineers shipping cryptographically sound systems to clients in the EU, the US, and the UK. Those clients are bound by GDPR-grade or HIPAA-grade rules that effectively require strong encryption end-to-end.
If India mandates traceability, two things follow. First, global platforms must choose between fragmenting service architecture for one market or pulling out of it; either choice exports cost and signals risk. Second, foreign clients of Indian IT firms must factor regulatory pressure on the cryptographic stack into their vendor risk — a quiet but cumulative drag on a sector central to the government's stated ambition of a $1 trillion digital economy by 2028.
A More Proportionate Toolkit Already Exists
The case against weakening encryption is not a case against lawful access. India already has a layered legal framework that gives investigators significant tools without breaking cryptography:
- Section 69 of the Information Technology Act, 2000 empowers the government to intercept, monitor, and decrypt communications, with the 2009 procedural rules setting out safeguards.
- The Telecommunications Act, 2023 consolidates and modernises interception powers, including in emergencies, under a single statutory regime.
- Metadata-based investigations — call data records, IP logs, device forensics, and platform account information — already produce the bulk of evidence in cybercrime cases reported to the National Crime Records Bureau.
- Direct platform cooperation has scaled rapidly: India consistently ranks in the top three requesting jurisdictions globally in transparency reports from Meta, Google, and Microsoft.
The Justice Srikrishna Committee's 2018 report, which laid the groundwork for what became the Digital Personal Data Protection Act, 2023, explicitly cautioned against measures that compromise cryptographic integrity. The DPDP Act itself reinforces that logic: it requires “reasonable security safeguards,” a phrase any sober reading must include strong encryption within. The 2015 draft National Encryption Policy, which briefly floated plaintext retention obligations before being withdrawn within 48 hours under public pressure, remains the cautionary tale.
What a Proportionate Policy Looks Like
A proportionate Indian encryption policy in 2026 would do four things. It would codify a positive right to use strong encryption, ending the chilling effect of recurring backdoor proposals. It would narrow Rule 4(2) through judicial clarification or legislative amendment, replacing originator tracing with metadata-based cooperation under judicial oversight. It would fund technical capacity at CERT-In, the Indian Cyber Crime Coordination Centre (I4C), and state cyber cells, so lawful investigation does not depend on weakening shared infrastructure. And it would align with the DPDP Act by treating encryption as a positive compliance signal rather than a regulatory liability.
Strong encryption is not a libertarian luxury. It is the precondition for the digital economy India's own industrial policy aspires to build.
Banking apps, hospital systems, cross-border BPO contracts, defence communications, and ordinary citizens' private lives all depend on the same cryptographic primitives. You cannot weaken them for one use case without weakening them for all. The Delhi High Court's eventual ruling on the WhatsApp petition will set the terms of the next decade. On the evidence, India's interest lies in keeping the cryptographic foundation intact and investing in lawful, targeted, evidence-based investigative tools instead.