Five years after India notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the most consequential clause in the regime — Rule 4(2)'s requirement that 'significant social media intermediaries' providing messaging services enable the identification of the 'first originator' of information — remains unresolved in court. The standoff between WhatsApp and the Government of India is no longer just a domestic intermediary-liability dispute; it has become the defining test case for whether a major democracy can compel a messaging platform to break end-to-end encryption (E2EE) in the name of law enforcement.
WhatsApp, joined by parent company Meta, filed its writ petition in the Delhi High Court in May 2021, arguing that Rule 4(2) violates the fundamental right to privacy recognised in Justice K.S. Puttaswamy v. Union of India (2017) and is ultra vires the Information Technology Act, 2000. The platform's position has been consistent and, in technical terms, accurate: there is no way to identify the first originator of a particular message inside an E2EE system without either retaining the plaintext of every message sent by every user or attaching cryptographic 'tags' that fundamentally re-architect the protocol. Either path collapses the security guarantee that makes E2EE meaningful in the first place.
The 'Leave India' Threshold
The dispute escalated in April 2024 when WhatsApp's counsel told a Delhi High Court bench that the company would withdraw from India rather than weaken its encryption — a position the platform has reiterated as proceedings have dragged on. Coming from a service with an estimated 500 million-plus Indian users, the statement is not posturing; it is a recognition that bolting traceability onto WhatsApp globally would compromise the product everywhere, and a country-specific fork is technically and commercially untenable.
The government's response leans on Rule 4(2)'s carve-out language: intermediaries are only required to identify the first originator in specific, court-or-authority-ordered cases involving serious offences (terrorism, sexual content, threats to sovereignty, etc.) carrying punishment of five years or more. That sounds narrow on paper. In practice, designing a system capable of complying on demand means building the surveillance capability into the architecture itself — a permanent, system-wide weakening to serve case-by-case requests.
Why Traceability Is Not a 'Reasonable' Restriction
India's Supreme Court has held that restrictions on privacy must satisfy a four-part proportionality test: legitimate aim, rational connection, necessity (no less-restrictive alternative), and balance. Rule 4(2) fails on at least two prongs:
- Necessity: Law enforcement already has powerful tools — metadata access, device-level forensics, mutual legal assistance, and targeted lawful intercept under Section 69 of the IT Act. Mandating originator identification across an entire user base to serve a small number of cases is the textbook definition of an over-broad measure.
- Balance: The downside — degraded security for journalists, dissidents, lawyers, doctors, businesses, and ordinary users — falls on hundreds of millions of people, while the marginal investigative gain is unproven. India's own CERT-In has repeatedly warned about rising cyber-fraud and phishing; encryption is part of the defence, not the threat.
Building a backdoor for the 'good guys' inevitably builds one for everyone else. There is no cryptographic primitive that distinguishes a court order from a state adversary or a criminal who steals the key.
The Global Pattern — and the Outlier Risk
India is not alone in pressing on encryption, but most peer jurisdictions have walked back the harshest versions. The UK's Online Safety Act 2023 contains a similar 'accredited technology' clause, but the government conceded in 2023 that it would not require scanning of encrypted messages until it was 'technically feasible' — effectively shelving enforcement. The EU's Chat Control proposal has stalled repeatedly in the Council over Member State concerns about mass surveillance. The US has consistently declined to legislate anti-encryption mandates, with the FBI's 'going dark' framing rejected by successive administrations and by an industry consensus that includes Apple, Google, Microsoft, and Signal.
If the Delhi High Court — or, on appeal, the Supreme Court — upholds Rule 4(2) as drafted, India will become the largest democracy to mandate breaking E2EE by regulation. That sets a precedent authoritarian governments will be quick to cite, and it puts India on the wrong side of the global digital-trust gradient at exactly the moment its Digital Public Infrastructure (DPI) story depends on users believing their data is safe.
A Proportionate Path Forward
There is a workable middle ground that India's courts and the Ministry of Electronics and IT (MeitY) should explore rather than litigate to the bitter end:
- Sunset Rule 4(2) and replace it with a targeted, court-supervised lawful access framework that accepts the technical limits of E2EE and focuses on metadata, device-level evidence, and account-takeover-resistant identity verification.
- Codify the Puttaswamy proportionality test into the intermediary rules themselves, so that any future traceability-style demand must satisfy necessity and least-restrictive-means at the design stage, not after the fact.
- Invest in encrypted-environment investigation capacity — training, forensics, and international cooperation — rather than insisting on a backdoor that does not technically exist.
WhatsApp's threat to exit India is not the platform holding the country to ransom; it is the predictable consequence of a rule that asks for the cryptographically impossible. India can be a global leader in trustworthy digital infrastructure, or it can be the country that broke encryption first. The two paths do not converge.