Authored By: G.Reethikaa
Saveetha School of Law
I. Introduction
On May 8, 2026, Meta removed end-to-end encryption from Instagram Direct Messages. The company’s spokesperson stated that “very few people were opting in to end-to-end encrypted messaging in DMs.”1 That explanation is misleading. The feature was never set as default. It was buried as an opt-in toggle available only in select regions. Meta manufactured low adoption and subsequently used it as justification for removal. The result was not a routine product update. It was the unilateral stripping of cryptographic privacy from approximately one billion users, without regulatory approval, without judicial oversight, and without any obligation to satisfy proportionality under applicable law. India has a fundamental right to privacy, a surveillance law with no judicial oversight, a data protection act that exempts the state from its own rules, and two billion people who trust that their messages are encrypted. At least one of those things is working as intended, and it is not the law.
End-to-end encryption (E2EE) is a communication model in which a message is encrypted on the sender’s device and decrypted only on the recipient’s device. As of 2024, this architecture protected over two billion active users on WhatsApp alone.2 Despite its scale, no jurisdiction has developed a legal framework adequate to the structural threats E2EE faces from both state surveillance regimes and corporate unilateralism. This article argues that existing legal frameworks fail to protect E2EE as a constitutional right both because states impose decryption obligations without satisfying proportionality requirements, and because private platforms strip encryption without any accountability mechanism. The article proceeds as follows. Section II sets out the statutory landscape. Section III identifies the actual conflict. Section IV analyses landmark judicial developments from 2020 to 2026. Section V examines the platform governance crisis. Section VI proposes a path forward through available doctrines and reform.
II. Legal Framework
A. India
Section 69 of the Information Technology Act, 2000 authorises the Central and State Governments to direct the interception, monitoring, or decryption of information through any computer resource in the interest of national sovereignty, security of the State, public order, or the prevention of cognisable offences.3 Non-compliance carries imprisonment of up to seven years. There is no requirement for prior judicial authorisation. The Software Freedom Law Centre India filed RTI applications seeking records of decryption orders issued under the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009. Every application was denied. The Rules mandate destruction of all records within 180 days, making independent audit structurally impossible.4
In May 2023, the government banned fourteen encrypted messaging applications in Jammu and Kashmir under Section 69, citing their use to facilitate terrorist activity. Briar, one of the banned applications, contested the ban before the Delhi High Court, arguing the absence of prior notice violated the principles of natural justice. The Court dismissed the challenge, accepting the national security justification without requiring disclosure of the underlying intelligence basis.5 The Digital Personal Data Protection Act, 2023 introduced data minimisation and purpose limitation but carved out broad exemptions under Section 17 for state processing in the interest of national security, placing the most intrusive surveillance entirely outside the Act’s protective framework.6
B. European Union
The General Data Protection Regulation (EU) 2016/679, Article 25, imposes privacy-by-design as a legal obligation, requiring controllers to implement technical measures including encryption by default. In Joined Cases C-511/18 and C-512/18, La Quadrature du Net v. Premier Ministre, the Court of Justice of the European Union held that generalised and indiscriminate retention of traffic data and decryption obligations contravened Articles 7 and 8 of the EU Charter — the rights to privacy and to the protection of personal data respectively.7 The Court confirmed that such obligations require targeting, prior independent review, and strict necessity.
C. United States
In the United States, the Electronic Communications Privacy Act 1986 remains the primary federal statute governing government access to stored electronic communications. It was enacted before modern E2EE architectures existed and does not adequately address them. Florida’s SB 868, passed in April 2025 by thirty-four votes to three in the Senate, requires social media platforms to provide decryption mechanisms upon law enforcement warrant or subpoena.8 The legislation has been challenged in federal court on First Amendment grounds — mandating surveillance infrastructure constitutes compelled speech — and on Fourth Amendment grounds, as a standing decryption capability creates an unreasonable generalised search architecture.
III. The Actual Conflict
The privacy-versus-security framing that dominates legislative debate is legally inaccurate. The actual conflict is between the constitutional right of individuals to communicate without third-party access and the institutional interest of states and corporations in accessing, monitoring, and commercially exploiting that communication. The “going dark” argument — that E2EE blinds law enforcement and renders criminal prosecution impossible — has driven legislative pressure against encryption across multiple jurisdictions. A peer-reviewed study published in Crime Science in 2023, drawing on empirical Dutch court data, found that courts were equally successful in convicting offenders who used E2EE as those who did not.9 The evidentiary foundation of the going dark argument has not been established.
The UN Special Rapporteur on Freedom of Expression, David Kaye, stated in his report to the Human Rights Council that any restriction on encryption must be provided by law, be necessary and proportionate, and be subject to independent oversight.10 That four-part standard — legal basis, legitimate aim, necessity, proportionality — is the constitutional baseline against which all legislative and corporate action on E2EE must be measured. No jurisdiction currently satisfies all four criteria in its operative framework. It is submitted that this failure is structural, not incidental, and reflects the prioritisation of institutional surveillance interests over constitutionally protected communicative autonomy.
IV. Case Law Analysis
A. Podchasov v. Russia (ECtHR, 2024)
Podchasov v. Russia, Application No. 33696/19, decided by the European Court of Human Rights on 13 February 2024, is the most significant judicial ruling on E2EE in the period under review.11 Russian law required Telegram to store all communications data for twelve months, message content for six months, and to supply decryption keys to the Federal Security Service upon request. Anton Podchasov, a Telegram user, argued that the legislation violated Article 8 of the European Convention on Human Rights — the right to respect for private life and correspondence.
The ECtHR held unanimously that compelling a platform to decrypt E2EE communications cannot be limited to specific individuals and therefore affects all users indiscriminately, constituting general and disproportionate surveillance. The Court further held that any backdoor created to satisfy such an obligation could be exploited by malicious actors, undermining communicative security beyond the state’s intended targets. The decryption obligation was found to be “not necessary in a democratic society” within the meaning of Article 8(2). The Electronic Frontier Foundation described the ruling as one that would draw new normative lines about human rights standards for private and confidential communication.
Scholars at the Oxford Human Rights Hub have critiqued the judgment for its exclusive reliance on Article 8, arguing that the Court should have engaged Article 10 ECHR — the right to freedom of expression — since, as David Kaye observed, encryption functions as the gateway through which freedom of opinion and expression operates in digital environments.12 A ruling anchored in both Articles would have been more resistant to future distinction and more difficult to narrow through the margin of appreciation doctrine. Podchasov develops the authority established in Roman Zakharov v. Russia, App. No. 47143/06 (ECtHR 2015), and Big Brother Watch v. United Kingdom, App. Nos. 58170/13, 62322/14, and 24960/15 (ECtHR Grand Chamber 2021), both of which established that bulk surveillance regimes require robust independent oversight and targeted scope.
B. Staatsanwaltschaft Berlin v. M.N. (CJEU, 2024)
In Case C-670/22, Staatsanwaltschaft Berlin v. M.N., decided on 30 April 2024, the CJEU ruled on the use of data obtained from EncroChat, an encrypted platform hacked by French and Dutch law enforcement in 2020.13 The Court held that Article 31 of Directive 2014/41/EU on the European Investigation Order protects not only state sovereignty interests but the fundamental rights of individual suspects, requiring notification of the executing state’s judicial authority before cross-border surveillance data is admitted in proceedings. In September 2025, the French Cour de Cassation referred further preliminary questions to the CJEU on whether EncroChat-derived evidence satisfies fair trial requirements across member states — the matter remains pending.14
C. The Metadata Dimension: Carpenter v. United States (2018)
In Carpenter v. United States, 585 U.S. 296 (2018), the Supreme Court of the United States held that warrantless acquisition of historical cell-site location data — a category of metadata — violated the Fourth Amendment. Chief Justice Roberts held that such records reveal not only a person’s particular movements, but through them their familial, political, professional, religious, and sexual associations. Justice Sotomayor’s concurrence in United States v. Jones, 565 U.S. 400 (2012) earlier identified the chilling effect of metadata surveillance, warning that awareness of possible government monitoring chills associational and expressive freedoms.
This dimension is directly relevant to E2EE because metadata is precisely what encryption does not protect. WhatsApp’s internal security team has previously produced threat assessments — some reported by The Intercept — warning that government agencies were bypassing encryption through traffic analysis to determine communication relationships, group compositions, and user locations without decrypting a single message.15 Separately, security researchers first disclosed in late 2025 that a flaw in WhatsApp’s contact-discovery API allowed metadata belonging to an estimated 3.5 billion accounts to be scraped; the disclosure was made by academic researchers through a responsible-disclosure process, and Meta has stated it found no evidence of malicious actors exploiting the flaw. Reporting into April 2026 has continued to track the risk this creates and Meta’s mitigation efforts.16 Whatever the eventual scale of hostile exploitation, the episode illustrates the underlying point: even a platform’s own contact-discovery infrastructure can expose the relational and behavioural metadata that E2EE, by design, leaves unprotected. In India, the proportionality doctrine from K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1, which grounds privacy in informational autonomy, logically demands that metadata collection face the same constitutional scrutiny as content interception. Section 69 of the IT Act, which permits metadata collection without prior judicial authorisation and mandates record destruction before audit, cannot satisfy this standard.
V. Evaluation: The Platform Governance Crisis
Meta’s removal of Instagram E2EE on May 8, 2026 cannot be assessed without its commercial and litigation context. On March 24, 2026, a New Mexico jury ordered Meta to pay $375 million for failing to protect children from sexual predators on Instagram and Facebook. On March 25, 2026, a Los Angeles jury found Meta and YouTube liable for engineering addiction in children, with Meta bearing seventy per cent of the responsibility and YouTube thirty per cent. Meta announced the encryption removal on March 13, 2026. The Take It Down Act — signed into law in the United States in May 2025 and requiring platforms to remove non-consensual intimate imagery within forty-eight hours of a valid request — reached its compliance deadline on May 19, 2026, eleven days after encryption was removed.17
E2EE prevents platform-level content scanning, advertising algorithm training on private message content, and compliance with content-removal legislation. Peter Alexander Earls Davis, writing in the Columbia Journal of European Law, argues that Instagram’s failure ever to offer E2EE as default itself violated GDPR Article 25’s obligation of data protection by design and by default — the most privacy-protective configuration was never the operative one.18 With encryption removed, Meta possesses the technical capacity to read, scan, commercially exploit, and disclose to law enforcement the content of all Instagram Direct Messages, without any further change in law and without any accountability mechanism available to the affected users.
It is submitted that this reveals the central governance failure in existing legal frameworks: constitutional privacy protections are rendered ineffective where they apply exclusively to state actors but not to private entities that exercise equivalent power over the communicative infrastructure of democratic life. No court authorised the removal. No parliament voted upon it. No regulator approved it. The privacy of hundreds of millions of people was extinguished by a corporate decision requiring nothing more than a press release.
VI. Doctrines
Three established legal doctrines provide the framework for the reform this article advocates. First, informational self-determination, originating in the German Federal Constitutional Court’s Volkszählungsurteil of 1983, holds that individuals possess a constitutionally protected right to determine the disclosure, processing, and use of their personal data. Applied to E2EE, the doctrine requires that users retain meaningful control over the security architecture of their communications. A corporation’s unilateral removal of that architecture without consent and without proportionality review is incompatible with this doctrine.
Second, the proportionality doctrine, as formulated in Puttaswamy and under Article 8(2) ECHR and Article 52(1) of the EU Charter, requires that any privacy interference be legally authorised, pursue a legitimate aim, and be strictly necessary. Podchasov demonstrates that indiscriminate backdoor mandates fail this standard. France’s National Assembly rejected an intelligence access provision in March 2025 on precisely these grounds, citing systemic risk to all digital communications.19 Third, the chilling effect doctrine — well-established in comparative constitutional law — holds that the awareness of surveillance suppresses constitutionally protected expression and association independently of any direct interception. Metadata harvesting and encryption removal produce measurable chilling effects that constitute cognisable constitutional harms.
VII. Suggestions and Reforms
By way of conclusion on the path forward, this article submits that legislative reform is necessary on three fronts. It is sometimes said that law enforcement has been “going dark” since the invention of the envelope — and it survived. First, India requires a dedicated surveillance statute imposing prior judicial authorisation, mandatory independent oversight, and an audit trail that cannot be destroyed before review — obligations that neither Section 69 of the IT Act nor Section 17 of the DPDPA currently satisfies. Second, the concept of digital constitutionalism — the application of constitutional proportionality norms to private platform governance decisions — must be operationalised through binding regulatory obligations, not merely hortatory data protection principles. Third, artificial intelligence capable of inferring sensitive attributes from metadata without accessing message content will render the content/metadata legal distinction factually obsolete; courts and legislatures must develop frameworks addressing inference-based surveillance before that gap widens further.
VIII. Conclusion
The European Court of Human Rights held in Podchasov v. Russia that compelling decryption of end-to-end encrypted communications for indiscriminate surveillance cannot be necessary in a democratic society. That is the most precise judicial articulation of the constitutional standard to date. It does not reach corporate actors. It does not govern metadata. It does not prevent a platform from removing encryption because litigation risk and advertising revenue make privacy commercially inconvenient.
Justice D.Y. Chandrachud observed in Puttaswamy that privacy “is not an elitist construct” and that it “emerges primarily from the guarantee of life and personal liberty in Article 21 of the Constitution.” This article has argued that the obligation now is to make that guarantee operative not merely in constitutional text, but against every actor, state or corporate, that treats the erasure of digital privacy as a decision requiring nothing more than a notification. End-to-end encryption does not resolve the broader surveillance problem. What it does is make that problem harder and more legally exposed for those who pursue it. The law’s task is to treat its removal, by any actor, as a constitutional event that demands justification — not a product decision that demands only a press release. The Roman jurist Juvenal asked quis custodiet ipsos custodes — who watches the watchmen? The digital age has a simpler version: who watches the cipher? The answer, so far, is no one.
IX. Bibliography
A. Case Law
| Case Name | Citation |
|---|---|
| Podchasov v. Russia | App. No. 33696/19, Eur. Ct. H.R. (Feb. 13, 2024) |
| La Quadrature du Net v. Premier Ministre | Joined Cases C-511/18 and C-512/18, ECLI:EU:C:2020:791 (Ct. Justice EU Sept. 6, 2020) |
| Staatsanwaltschaft Berlin v. M.N. | ECLI:EU:C:2024:372 (Ct. Justice EU Apr. 30, 2024) |
| Carpenter v. United States | 585 U.S. 296 (2018) |
| United States v. Jones | 565 U.S. 400 (2012) |
| K.S. Puttaswamy v. Union of India | (2017) 10 SCC 1 |
| Roman Zakharov v. Russia | App. No. 47143/06, Eur. Ct. H.R. (2015) |
| Big Brother Watch v. United Kingdom | App. Nos. 58170/13, 62322/14, 24960/15, Eur. Ct. H.R. Grand Chamber (2021) |
| Shreya Singhal v. Union of India | (2015) 5 SCC 1 |
B. Legislation
- Information Technology Act, 2000, No. 21 of 2000, India Code.
- Digital Personal Data Protection Act, 2023, No. 22 of 2023, India Code.
- Council Regulation 2016/679, General Data Protection Regulation, 2016 O.J. (L 119) 1 (EU).
- SB 868, 2025 Leg. Sess. (Fla. 2025) (amending Fla. Stat. § 501.1736).
- Online Safety Act 2023, c. 50 (UK).
C. Reference(S):
- Mischa Stam et al., Going Dark? Analysing the Impact of End-to-End Encryption on the Outcome of Dutch Criminal Court Cases, 12 Crime Sci. 1 (2023).
- David Kaye (Special Rapporteur on Freedom of Expression), Report on Encryption, Anonymity, and the Human Rights Framework, U.N. Doc. A/HRC/29/32 (May 22, 2015).
- Peter Alexander Earls Davis, Instagram’s Encryption U-Turn and the Unfulfilled Promises of Data Protection by Design and Default, Colum. J. Eur. L. (2026).
- Kabir Singh, Sarvika Singh & Abhay Raj, The ECtHR in Podchasov v. Russia – Preserving Encryption and Denying Backdoors, Oxford Human Rights Hub (Aug. 27, 2024).
- Jyoti Panday & Saumya Jain, Encryption Under Siege in India: National Security and the Erosion of Digital Privacy, Internet Governance Project (Oct. 20, 2024).
- Software Freedom Law Centre India, Section 69 of the IT Act and the Decryption Rules: Absence of Adequate Procedural Safeguards (2023).
- Micah Lee & Mara Hvistendahl, This Undisclosed WhatsApp Vulnerability Lets Governments See Who You Message, The Intercept (May 22, 2024).
- Nate Nelson, WhatsApp Leaks User Metadata to Attackers, Dark Reading (Apr. 20, 2026).
- Hogan Lovells, End-to-End Encryption: Obstacle or Pillar of National Security? (Apr. 7, 2025).
- Peter Cowper-Coles, The Real Reason Meta Dropped Instagram Encryption, Cyber Safety Guy (Apr. 13, 2026).
Endnotes
- Newsweek, Meta Confirms Major Privacy Change on Instagram (Mar. 17, 2026); MacRumors, PSA: Instagram Encrypted Messaging Ends on Friday, May 8 (May 5, 2026).
- Privacy in the Age of Digital Surveillance: Analyzing WhatsApp’s Policy and Cybersecurity Implications, 2024 J. Info. Sys. & Elec. Media 1 (citing Statista, Most Popular Global Mobile Messenger Apps, April 2024).
- Information Technology Act, 2000, § 69, No. 21 of 2000, India Code.
- Software Freedom Law Centre India, Section 69 of the IT Act and the Decryption Rules: Absence of Adequate Procedural Safeguards (2023).
- Jyoti Panday & Saumya Jain, Encryption Under Siege in India: National Security and the Erosion of Digital Privacy, Internet Governance Project (Oct. 20, 2024).
- Digital Personal Data Protection Act, 2023, § 17, No. 22 of 2023, India Code.
- Joined Cases C-511/18 and C-512/18, La Quadrature du Net v. Premier Ministre, ECLI:EU:C:2020:791 (Ct. Justice EU Sept. 6, 2020).
- SB 868, 2025 Leg. Sess. (Fla. 2025) (amending Fla. Stat. § 501.1736), passed Apr. 24, 2025.
- Mischa Stam et al., Going Dark? Analysing the Impact of End-to-End Encryption on the Outcome of Dutch Criminal Court Cases, 12 Crime Sci. 1 (2023).
- David Kaye (Special Rapporteur on Freedom of Expression), Report on Encryption, Anonymity, and the Human Rights Framework, U.N. Doc. A/HRC/29/32 (May 22, 2015).
- Podchasov v. Russia, App. No. 33696/19, Eur. Ct. H.R. (Feb. 13, 2024); Electronic Frontier Foundation, European Court of Human Rights Confirms: Weakening Encryption Violates Fundamental Rights (Mar. 2024).
- Kabir Singh, Sarvika Singh & Abhay Raj, The ECtHR in Podchasov v. Russia – Preserving Encryption and Denying Backdoors, Oxford Human Rights Hub (Aug. 27, 2024).
- Case C-670/22, Staatsanwaltschaft Berlin v. M.N., ECLI:EU:C:2024:372 (Ct. Justice EU Apr. 30, 2024).
- The European Offensive Against Encrypted Phone Evidence, Computer Weekly (Feb. 3, 2026).
- Micah Lee & Mara Hvistendahl, This Undisclosed WhatsApp Vulnerability Lets Governments See Who You Message, The Intercept (May 22, 2024).
- Nate Nelson, WhatsApp Leaks User Metadata to Attackers, Dark Reading (Apr. 20, 2026); The Cyber Signal, WhatsApp Metadata Leak: 3.5B Users Exposed to Device Fingerprinting (Apr. 2026).
- Peter Cowper-Coles, The Real Reason Meta Dropped Instagram Encryption, Cyber Safety Guy (Apr. 13, 2026).
- Peter Alexander Earls Davis, Instagram’s Encryption U-Turn and the Unfulfilled Promises of Data Protection by Design and Default, Colum. J. Eur. L. (2026).
- Hogan Lovells, End-to-End Encryption: Obstacle or Pillar of National Security? (Apr. 7, 2025).
![Salomon v Salomon & Co Ltd. [1897] AC 22 (HL)](https://recordoflaw.in/wp-content/uploads/2025/12/ChatGPT-Image-Dec-17-2025-08_24_07-PM.png)




