Facebook-owned WhatsApp and the Indian government have been at loggerheads since January this year. However, with no party ready to back down, the WhatsApp and the Indian government battle reached the next level in the Delhi High Court, earlier last week. The E2E encryption, which most social media apps use helps protect its users’ data (in motion) from being intercepted or adulterated. Based on this, WhatsApp has argued to the court that the Indian government’s new IT Rules are difficult to implement and can undermine users’ privacy.
The One Where It All Began
In the latest round of allegations, the instant messaging giant challenged the government in court alleging that its new IT rules (Intermediary Guidelines and Digital Media Ethics Code Rules 2021) could become weapons of “mass surveillance” and undermine the users’ “right to privacy.” The government was not amused because the affidavit was filed on May 25, a day before the new rules came into force. To clear the air, the government issued a statement saying,
Right to Privacy is a fundamental right and the government respects it. It has no intention to violate it.
But are these justifications enough? What are the new rules? What’s the opposition for? Will these rules help us in maintaining digital hygiene? Or are they simply what WhatsApp suggests – means of surveillance by the government? Questions are many, but answers are few. Here are some key points that may help you decide:
WhatsApp’s Latest Accusation Against GoI
The first accusation made by WhatsApp towards the government is based on a four-year-old verdict on Justice K S Puttaswamy vs Union of India. WhatsApp alleged that the new rules are unconstitutional and undermine an individual’s “Right to Privacy,” which the constitution itself has bestowed upon its citizens as per the 2017 verdict.
Impact: If the new rules come into force, they will make WhatsApp employees liable to criminal proceedings for non-compliance, which again bypasses a few other constitutional rights of its employees since they are citizens of India. Thus, WhatsApp wants the court to ensure that this clause in the amended rules does not come into force to safeguard both employee and its user interests.
The Trouble with Traceability and E2E
The biggest issue that WhatsApp has with the new rules is “Traceability.” In a blog post, WhatsApp explained how the concept of traceability breaks end-to-end encryption (E2E) that was implemented throughout the app’s ecosystem back in 2016. The E2E helps protect its users’ calls, messages, photos, videos, and voice data from being intercepted or adulterated. Data is encrypted the moment it leaves the sender’s device and decrypted only on the intended receiver’s device. Even WhatsApp is unaware of the data that is transmitted between two people and/or groups.
Moreover, WhatsApp also argues that the traceability clause is currently a flawed concept. For example, if a user forwards a message received from another source, that source can be tracked. However, if a user copy-pastes a message from another source and sends it to a recipient, the person who copied and sent the data becomes the originator of the message. This is technically wrong as the message could have been sent for fact-checking or simply out of concern towards the recipient.
Impact: WhatsApp says that breaking E2E would mean the end of privacy and indirectly mandate mass surveillance. It will have to add a “fingerprint” to not just one or two but all user messages, which will not only keep their data vulnerable to interception and exploitation from potential threat actors but also undermine their users’ privacy round the clock.
Additionally, if traceability requirements are to be enforced, WhatsApp will have to create an India-only app as the E2E is a default feature and a long-standing benefit of its worldwide messaging platform. Records suggest that WhatsApp currently has 503 million users in India and thus it could be a cumbersome yet mandatory process.
In response to WhatsApp’s allegations, which were specifically aimed at Rule 4(2) of the Intermediary Guidelines, the government said, “The(se) rules have been framed after consultation with various stakeholders and social media intermediaries, including but not limited to WhatsApp. After October 2018, no specific objection has been made by WhatsApp to the Government of India in writing relating to the requirement to trace the first originator in relation to serious offenses. WhatsApp’s refusal to comply with the guidelines is a clear act of defiance.”
Shri Ravi Shankar Prasad, Minister of Electronics and Information Technology and Communications, and Law and Justice of India, said,
The entire debate on whether encryption would be maintained or not is misplaced. Whether “Right to Privacy” is ensured through using encryption technology or some other technology is entirely the purview of the social media intermediary. It is WhatsApp’s responsibility to find a technical solution, whether through encryption or otherwise, that both happen.
Impact: According to the government, Under Rule 4(2) of the guidelines, tracing the first originator of the message, tweet, or post will only be done under select circumstances. It condemns WhatsApp’s accusations on GoI’s 24/7 vigilance on its users. The government said, “We do not wish to track all messages.” It added that the “special” circumstances for tracking can be invoked “only for prevention, investigation, punishment, etc. of inter alia an offence relating to sovereignty, integrity and security of India, public order incitement to an offence relating to rape, sexually explicit material or child sexual abuse material punishable with imprisonment for not less than five years.”
However, WhatsApp argues that this can lead to imprisonment of innocent people who might not have perpetrated or originated the message, but only propagated it – maybe mistakenly. This can cause chaos and is harmful to the democratic rights of people in the broader view.
What Other Social Media Intermediaries Think
The law applies not just to WhatsApp but all “significant social media intermediaries” – that is, the ones with more than 5 million users. This includes the likes of Google, Twitter, and even WhatsApp’s parent company Facebook.
The first to offer a statement about the new intermediary laws was Google’s CEO, Sundar Pichai, who hails from India. Although he retracted from choosing which side he was on, Pichai, however, did say, “Google is committed to complying with local laws and engages constructively with governments as they scrutinize and adapt regulatory frameworks to keep pace with the fast-evolving technology landscape.” He added, “Be it Europe with the copyright directive or India with information regulation, etc., we see it as a natural part of societies figuring out how to govern and adapt themselves in this technology-intensive world.”
On the other hand, Twitter has asked for a three-month extension to comply with the new rules which the government claimed was “rhetorical” to say the least. The Indian government had introduced these rules in February this year and had already given a three-month timeframe to comply with the changes. Thus, asking for additional time does not make any sense. Moreover, Twitter said it had concerns over two things: the possible impact of these curbs on its users’ “freedom of expression” and the criminal liability of their compliance officer for content posted on their platform.
Impact: Although there is little choice for intermediaries for compliance, this can lead to intimidation from the law enforcement authorities as was seen in the incident where the Special Cell of the Delhi Police visited offices of Twitter India in Delhi and Gurgaon with regards to its probe into the Congress toolkit conspiracy.
The Internet Society, a non-profit organization, has reiterated its concerns shared by cybersecurity experts, that to comply with these traceability requirements, platforms may be forced to undermine end-to-end encryption. In an open letter to the MeitY, cryptographic and security experts warned that pursuing message traceability would undermine digital security.
In a statement given to CISO MAG, the Internet Society said, “WhatsApp’s lawsuit is the first by a major social media company against India’s revised Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code), Rules 2021 which were announced in February this year. The revised Guidelines include a traceability requirement, or the ability to track down the first originator of a particular piece of content or message.
While the Ministry of Electronics and Information Technology (MeitY) has emphasized that encryption is not a target in these new Guidelines, cybersecurity experts both in India and abroad have pointed out that it is simply not possible for companies such as WhatsApp to try to comply with the new guidelines without suppressing at least some features that are integral for strong encryption to work properly.
In fact, a 2020 report from these experts warned that “to comply with traceability requirements, platforms may be forced to enable access to the contents of their users’ communications, breaking end-to-end encryption and considerably weakening the security and privacy of their product.
With the traceability requirement, the government appears to be compelling popular online platforms to weaken encryption without explicitly telling them to do so. The likely outcome will be for those platforms to stop offering end-to-end encrypted services altogether. End-to-end encryption is the gold standard for keeping Internet users and systems secure and an essential aspect of digital privacy which is imperative to the hundreds of millions of people in India who use Whatsapp.”
This is not the first time that WhatsApp has faced governmental pressure for tracing requirements. Earlier, Brazil had also asked the messaging giant to do the same, to which it replied, “It erodes privacy.” Whether the intermediaries relent to the pressure of compliance or the GoI eases down on them is something that only time can tell. However, users across India are curious about the “suggested” ban on WhatsApp and other social media giants. The government has not mentioned whether it will completely ban these platforms but has hinted about taking away the safe harbor given to them under the IT Act.
About the Author
Mihir Bagwe is a Tech Writer and part of the editorial team at CISO MAG. He writes news features, technical blogs, and conducts interviews on latest cybersecurity technologies and trends.