Privacy is expected to be under unprecedented attack in 2026, amidst proposals in Europe (the proponent of the ‘gold standard’ of privacy) to restrict the use of encryption technology for electronic communications. Less than 20% of the world’s population lives under rights-respecting regimes for encryption technologies, with the rest facing moderate to widespread restrictions on encryption across the world.
India too hopped onto this global bandwagon, with the entry into force of the Income-Tax Act, 2025 from 1st April onwards: Section 247 authorises the Income Tax Office to ‘gain access’ to any computer system or virtual digital space (parallel to breaking open any box, locker, etc.), to search and seize incriminating material. This is in continuation of Section 17 of the Digital Personal Data Protection Act, 2023, which practically empowers the State to access encrypted messages, giving it the power to exempt its agencies from complying with the law “in the interest of sovereignty, security of the state, or public order”.
How strong is the protection offered by end-to-end encryption (“E2EE”), purportedly offered by WhatsApp and recently proposed by Arattai, in such a dystopian setting? E2EE aligns with a layperson’s conception of ‘privacy’: that communications exchanged between two persons should be accessed only by them. The framework seeks to protect personal communications from unauthorised access by deploying ‘access codes’ and public/private keys, so that the content appears as gibberish even to the intermediaries enabling such communication. However, the efficacy of such encryption in protecting privacy is often questioned, given that platforms offering E2EE are not immune from cybercrime, as witnessed with the rising instances of ‘hacking scams’ on WhatsApp. Encrypted communications have also come under the State’s radar in the form of law enforcement action against criminal activities, including organised crime and child sexual abuse, for which these platforms are ‘notoriously’ used.
The recent ban on Proton Mail ordered by the Karnataka High Court, under the pretext of its use for sending anonymous emails of a harassing nature, reflects how encryption technology remains at the forefront of the quest for balance between privacy and personal/national security. This ban was ordered despite the simultaneous and important use of such encrypted technology by journalists and whistleblowers. Several questions thus arise: how meaningful is E2EE in protecting privacy? When it comes to encryption, is the State’s commitment towards privacy subject to greater terms and conditions? If encrypted and untraceable email services can be banned, for how long can secure messaging services like Signal operate seamlessly in India? This article aims to explore some of these dimensions, while arguing for why the notion of privacy needs to be re-oriented in India.
Attacks on E2EE: both by the State and non-State actors alike
For a differing set of reasons, the State as well as non-State actors have a core common interest in restricting one’s privacy. This plays out interestingly when the State, under the garb of controlling cyber crime, seeks to gain access to even the contents of communications, without concerning itself much with the technical, legal, and economic feasibility of such proposed measures.
Rule 4(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code), 2021 (“the 2021 Rules”), obligates significant social media intermediaries to enable identification of the first originator of any communication, such as a message, upon a judicial order or any order passed under Section 69 of the Information Technology Act, 2000. The provision makes reference to the procedure under the Information Technology (Procedure and Safeguards for interception, monitoring and decryption of information) Rules, 2009 (“the 2009 Rules”), and contains piecemeal safeguards which aim at restricting the deployment of such a measure.
The constitutionality of such extreme provisions aside, several scholars have questioned the efficacy and practical/technical utility of such a measure: while the State has attempted to signal that only information about a message’s origins can be demanded, it is doubtful whether platforms can maintain/share such information without diluting E2EE. Even as Rule 4(2) of the 2021 Rules states that no intermediary “shall be required to disclose the contents of any electronic message”, E2EE remains threatened by Rule 13(3) of the 2009 Rules, which defines ‘decryption assistance’ as referring to assistance which allows access to encrypted information or facilitates its conversion into intelligible forms.
Such a legal framework reflects how the State views E2EE as a hurdle for law enforcement agencies: after all, E2EE makes it difficult for the police to remotely access the contents of communications when investigating crimes. This explains why the State insists on its dilution, to achieve stated objectives considered ‘legitimate’, i.e. subserving public order and national security. It becomes a problem when such dilutions go beyond these stated objectives, and have the potential to be used for inherently political objectives. This is where it also becomes necessary to clearly distinguish between ‘authorised’ and ‘unauthorised’ State access to citizens’ data. After all, E2EE is a mechanism which online messaging services deploy to assure users of their privacy-friendliness. Yet, these guarantees appear meaningless in the backdrop of State repression of those opposed to the ruling dispensation through the use of modern technology, such as the deployment of Pegasus for surveilling communications or the planting of incriminating files in computers.
Intermediaries risk losing their ‘safe harbour’ protection guaranteed under law for their failure to comply with arbitrary State diktats. Such diktats, for instance, led Meta to end E2EE on Instagram from May 2026 onwards, amidst criticism over the use of the platform for child sexual abuse and grooming. In a similar vein, the State’s insistence that platforms make suitable technical modifications to enable tracing of communications’ origins also has the potential to push platforms towards measures such as greater collection of users’ personal information and metadata, in order to comply with law enforcement demands. Such a scenario has a deleterious effect on online privacy, even if E2EE is not explicitly diluted. A user, lacking nearly all agency, faces the same consequence of being surveilled, even if the surveiller’s identity differs.
On the other hand, a diluted E2EE framework is meaningless since such dilutions defeat its very objective, by potentially exposing privately-shared content to third persons and to attacks by hackers. For instance, WhatsApp users across the world have been subject to sextortion and blackmail after the hacking of their accounts. A diluted E2EE setup would do away with the need for an account to be hacked, and would potentially expose all users of online messaging platforms to everyday risks to their online safety.
Why E2EE falls short in protecting privacy
Having noted the above, it should also be considered that E2EE by itself is not sufficient to guarantee safety online: cyber criminals send malware disguised as .apk files to users over WhatsApp despite E2EE, with the specific intent of gaining access to their devices. Similarly, video calls over WhatsApp have enabled the perpetration of cyber frauds and digital arrest scams. To address this phenomenon, some States have experimented with technology enabling users to silently add bots to suspicious conversations, with their permission, for real-time monitoring. Despite its benevolent undertones, it is not clear whether such technology can be deployed without fundamentally compromising E2EE - either on a limited scale, or to the extent of a person’s entire chats over WhatsApp.
Moreover, individuals’ privacy is also at risk from profiling based on their online activity, such as through cookies and algorithms analysing behaviour and preferences - including time spent on viewing particular types of content, ‘liked’ content, websites visited at a particular time of the day, opinions and other audio-visual content posted, and so on. In this light, E2EE is grossly insufficient by itself for protecting privacy, if intermediaries end up collecting more metadata about a user than is necessary for availing their services. This becomes further problematic in light of the online market’s monopolistic tendencies, with companies such as Meta having control over messaging platforms (like WhatsApp) and social media (like Instagram and Facebook), and thereby, the data generated on these apps as well. After all, even as Meta has now removed E2EE from Instagram, no discernible impact on the app’s massive global engagement has thus far been witnessed.
E2EE serves a crucial purpose - that of creating an impression of trust within individuals, insofar as it leads them to believe that private communications are truly private indeed. This makes E2EE also important for protecting the fundamental right to freedom of speech, offering a semblance of protection against arbitrary surveillance of communications and a perceived sense of agency about privately communicating in an ‘uncensored’ manner.
While the fundamental right against arbitrary surveillance was recognised in PUCL v. Union of India, its contours, insofar as its applicability to metadata is concerned, remain under a cloud. Law enforcement and intelligence agencies recognise the potential of metadata, such as the size of a message, the sender/recipient thereof, and location of its communication, to uncover details about a person: sufficient metadata, in fact, would do away with the need for the State to be apprised of the exact contents of a communication.
Conclusion: contextualising the State’s commitment towards privacy amidst E2EE
In India, no person/entity, except the State, can claim a blanket right to maintain secrets. That said, privacy and secrecy are distinct concepts, even if closely related: the former matters even if one has ‘nothing to hide’, but is often conflated with the latter. Even the Supreme Court recently dismissed a person’s plea to restrain the Enforcement Directorate from unlocking his seized phone, asking him ‘why he was so afraid’. Such an attitude ignores the background in which these agencies seek control over people’s data. In fact, the digital arrest menace reflects the trust deficit felt by common citizens in relation to their online dealings with the State, also seen recently with the backlash over the proposal to mandate the installation/pre-fitting of the ‘Sanchar Saathi’ app on mobile phones.
In this light, the State’s commitment towards privacy in India appears hollow at best and threatening at worst. This comes to the fore upon an examination of the State’s submissions before the Supreme Court during the hearings in Puttaswamy: every attempt was made to water down the significance of privacy in upholding the fundamental right to life, by dismissing it as an elite concept, and one which appeals only to wrongdoers.
Even as the State retains the power to trace messages and force intermediaries to break E2EE under Rule 4 of the 2021 Rules, legal challenges to its constitutionality remain in cold storage across Courts. The need of the hour is for the State to commit to a holistic conception of privacy, which truly upholds the proportionality test in letter and spirit. The trifecta of ‘national security’, ‘privacy protection’, and ‘a free, open, and safe internet’ cannot be sacrificed at the altar of the State’s insistence on diluting E2EE. Instead, what is required is better awareness amongst citizens about their rights, greater investment in cybersecurity infrastructure, and a reorientation of privacy beyond just the ‘right to be left alone’.