Five years after India's Ministry of Electronics and Information Technology notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the most consequential provision in the framework remains stuck in court. Rule 4(2), which obliges ‘significant social media intermediaries’ that provide messaging services to enable identification of the ‘first originator’ of any piece of information, is once again before the Delhi High Court — and WhatsApp's counsel has reiterated the line the company has held since 2021: comply by breaking end-to-end encryption, or leave India.
That ultimatum is not negotiating bluster. It is a faithful description of the engineering tradeoff regulators across Asia keep underestimating.
What Rule 4(2) Actually Asks For
The text of Rule 4(2) is narrower than its critics often allow and broader than its defenders admit. It applies only to ‘significant social media intermediaries’ — platforms with more than 5 million registered Indian users — that provide messaging as their primary service. Disclosure of the first originator can be ordered only by a court or under Section 69 of the IT Act, and only for a defined set of serious offences carrying punishment of five years or more.
On paper, this looks proportionate. In practice, it is not, and the reason is technical rather than political. End-to-end encryption (E2EE) as deployed by WhatsApp, Signal, iMessage and a growing list of regional services means the platform cannot read the content of messages in transit. Once you require the platform to attach a verifiable, court-admissible identifier to the originator of any specific message that the state later flags, you have effectively required the platform to maintain a per-message cryptographic chain that links sender identities to message contents — or to abandon E2EE altogether. Civil-society technologists and the Internet Society have made this point repeatedly: there is no ‘just for the bad messages’ backdoor.
The Asia-Pacific Context
India is not alone in pushing on this front, but it has gone further than most of its neighbours.
- Australia passed the Telecommunications and Other Legislation Amendment (Assistance and Access) Act in 2018, creating a framework of Technical Capability Notices. Crucially, the Act explicitly prohibits notices that would require providers to build ‘systemic weaknesses’ into encryption — a guardrail India's framework lacks.
- The United Kingdom's Online Safety Act 2023 includes powers under Section 122 that, if used against E2EE messengers, could trigger the same standoff. Ofcom has so far signalled it will not invoke those powers until accredited ‘client-side scanning’ technology is shown to be technically feasible — an acknowledgement, in effect, that the technology does not yet exist.
- Pakistan and Vietnam have taken a coarser approach, periodically throttling or blocking encrypted services rather than litigating their architecture.
India's distinction is that it is trying to mandate traceability through ordinary administrative rules, without the parliamentary debate that accompanied the UK and Australian statutes, and without the systemic-weakness carve-out Australia eventually accepted.
The Proportionality Problem
The Indian Supreme Court's 2017 Puttaswamy judgment recognised privacy as a fundamental right under Article 21 and laid down a four-part proportionality test for any state restriction: legality, legitimate aim, necessity and balancing. Rule 4(2) clears the first two hurdles easily. The harder questions are necessity and balancing.
WhatsApp serves an estimated 500 million users in India — its largest single market. A measure that cannot be implemented without weakening the security guarantees offered to all of those users, in order to identify the originator in a small number of investigations, is the textbook definition of an over-broad means. Indian law enforcement already has powerful, less-restrictive tools: metadata access, device-level forensics under existing CrPC procedures, account information requests, and platform cooperation on takedowns. WhatsApp itself reports complying with thousands of Indian government data requests each year — for the metadata it does retain.
What a Pro-Innovation Approach Looks Like
India does not need to choose between accountability for online harms and a thriving digital economy. A proportionate framework would do three things:
- Codify a systemic-weakness exception. Borrow Australia's language. Make explicit that no order under the IT Rules can require a provider to build, design or maintain a vulnerability that weakens electronic protection.
- Invest in metadata-led investigation. The vast majority of credible studies of communications-related crime show that metadata, device evidence and human intelligence, not message content, drive successful prosecutions.
- Anchor any traceability obligation in primary legislation. A measure with this constitutional weight should be debated in Parliament under the new Digital India Act framework, not litigated as a subordinate rule.
Why This Matters Beyond India
If the Delhi High Court — or eventually the Supreme Court — upholds Rule 4(2) as currently drafted, the precedent will travel. Indonesia, Thailand, the Philippines and Bangladesh all have pending or proposed intermediary frameworks. A judicial finding that traceability is compatible with E2EE in India will be cited in every one of those debates, regardless of whether the underlying engineering claim is true.
WhatsApp's threat to exit is not a tantrum. It is the logical consequence of being asked to do something that cannot be done without dismantling the product. Asia's encryption future deserves a more careful answer than that — and India, with its sophisticated courts and growing tech sector, is exactly the jurisdiction that can craft one.