WhatsApp and its parent company, Meta, filed a submission with the Delhi High Court last week stating that they would be forced to withdraw from the Indian market if they were to be forced to crack its encryption.
This was discussed at the 2021 hearing of a writ suit brought forth by WhatsApp, which contested the validity of the IT Rules of 2021, which mandate that social media platforms permit the “identification of the first originator of the information”.
The court noted that “privacy rights were not absolute” and that “somewhere balance were to be done,” listing the case for August.
Interestingly, WhatsApp and Facebook are the only Meta platforms who have contested the law, despite the fact that other service providers that employ end-to-end encryption would also be affected by its implementation.
With 487.5 million monthly active users, India is the largest market for voice-over-IP and instant messaging services. Brazil is the second-largest market, with 118.5 million monthly active users. Therefore, the fact that WhatsApp and the government are at odds is not good for the platform or Indian users.
In addition to being a necessary tool for private conversations, WhatsApp has become a major force in the MSME market, which mostly uses it for commercial operations.
Furthermore, the case is significant because it shows how India’s IT policy would proceed in terms of both direction and strategy. The course of the proceedings will also be very important for those governments that are now undecided about requiring backdoors in encryption through legislation.
With a few notable exceptions, like the feud between Apple and the Telecom Regulatory Authority of India (TRAI), big tech and the government have so far established a flexible but practical process for resolving policy disputes.
It appears that this is the first time that strong opinions have been expressed in public, especially in a legal setting. Therefore, in order to provide a better understanding of the situation going ahead, it is crucial to briefly summarize the fundamental elements of the current disagreement.
Why is encryption regarded as sacred?
By the process of encryption, plaintext is changed into text that requires a decryption procedure to decode or access. Keys are used in the encryption and decryption process.
Different encryption methods give different levels of security. Symmetric encryption uses one key to both encrypt and decode the data, while symmetric encryption uses separate keys for both purposes.
One such example of encryption is end-to-end (E2EE), in which parties only have access to the encryption and decryption keys on the devices they use directly. A public key is often used by the sender to encrypt a communication, while the recipient uses their own private key to decode it.
The main purpose of encryption is to ensure the security of data both at rest (while being stored) and in flow (transmission from one device to another). The inability of other parties to access these messages fosters user trust in the intermediary as a privacy protection tool. This has partly explained why Indian people utilize it so frequently.
How is it accomplished via WhatsApp?
A public and private key are produced when you launch WhatsApp on your phone. The public key travels with the message to the receiver, and the private key is stored in the WhatsApp data library.
Prior to the message reaching its intended recipient, this public key encrypts it while it is in transit mode. The private key opens it at the recipient’s end. These messages cannot be intercepted by a third party since the keys are stored inside the phone. Whatsapp also states in its Privacy Policy that it does not save message data on its servers. The communications are removed from their servers as soon as they are delivered.
Why does the government seek entry?
The significant influence that internet communications have had on law enforcement matters is the reason behind the government’s interest in encryption. For instance, since 2018, the spread of false information on social media platforms has exacerbated civil unrest in already-shattered communities and led to lynchings, mob violence, and lynchings.
Similar to this, the online spread of extremist information has encouraged extremism and the bloodshed that follows. Intimate content published without consent has proliferated online, leading to cyberbullying and harassment. The proliferation of child sexual abuse material (CSAM) via communication apps is a more extreme example of this.
It is critical to have quick access to pertinent information in order to counteract such offenses. Therefore, it should come as no surprise that law enforcement agencies (LEAs) desire to be involved.
Telegram, Signal, and WhatsApp are among the platforms that employ 256-bit encryption. This makes encryption almost impenetrable since it would take testing every key combination to determine the secret key in order to break encryption. Furthermore, the keys used for encryption and decoding are automatically and sporadically changed by encryption systems.
As a result, data that is being sent between several devices cannot have its encryption broken. Brute force assaults on the data at rest that are further prohibited by design features like user authentication, the ability to remove information, and the lack of backup requirements. Creating backdoors in these apps that let LEAs access them under special situations is a popular method that has been suggested.
Why is the government against WhatsApp?
Rather than requiring the government to have unrestricted access to the content and other data points, Rule 4(2) places the responsibility of providing the government with pertinent information on the intermediary. In the Delhi High Court, WhatsApp contested the validity of Rule 4(2) on May 25, 2021 that was coincident with the deadline for implementing the IT Rules, 2021. In reaction, the authorities moved swiftly and harshly.
It said that WhatsApp’s “last-minute challenge” to postpone the IT Rules 2021’s operationalization was a “clear act of defiance” intended to “prevent the same from coming into effect.” First, the government argued in support of the IT Rules, 2021, that the right to privacy is subject to reasonable constraints and cannot be regarded as absolute.
Secondly, WhatsApp must take accountability and responsibility for the improper use of its platform as it is an intermediary covered by the safe harbor clause. It claimed that the spread and re-spread of dangerous information appeared to be significantly facilitated by WhatsApp conversations.
Thirdly, it was inaccurate to state that this regulation required a backdoor to encryption, as the social media intermediary had complete discretion over how they want to provide the government with the necessary data.
Therefore, due to the nature of their business operations, WhatsApp is unable to request a particular exemption from this requirement. Last but not least, the government criticized WhatsApp for exploiting the pretext of defending Indians’ “right to privacy” to share personal data with other Meta platforms, like Facebook, without actually requiring users to agree to the sharing arrangement. This resulted in less protection for Indian users than for European users.
Why doesn’t WhatsApp follow the rules?
There are several issues with the discussion of permitting encryption backdoors. First, it must be determined if Rule 4(2) will satisfy the fourfold test of legality, legitimacy, proportionality, and the existence of procedural protections against misuse of the privacy-invading measure from a constitutional perspective.
The possible abuse of the authority that allows this access to internet communications is a policy problem. For example, phone tapping is often reported for uses other than law enforcement and national security. E2E OTT platforms might be used for the same kinds of attacks if encryption had backdoors and there wasn’t any necessary due process in place.
Regarding technological aspects, there is a great deal of dispute regarding whether it is possible to break E2E encryption without jeopardizing the structure as a whole, which is the basis for these conversations. First, there are worries that any kind of encryption backdoor would also leave the architecture open to malicious actors.
TRAI concurred, noting in 2020 that advancements in encryption will erode consumer security. Furthermore, WhatsApp contends that it is unclear if tracking every communication to identify the original sender would be necessary because it would be impossible to predict in advance which texts the government would seek access to.
What experiences have people had in different nations?
- India is not the only country resisting E2EE. The problem of unrecoverable encryption has caused the US and tech corporations to clash often.
- The Apple-Federal Bureau of Investigation (FBI) standoff, in which the tech giant refused to give the FBI “reasonable technical assistance” in order to obtain information from Apple phones, is one of the most well-known instances of this. Numerous anti-encryption measures have been suggested by US politicians since then, but none of them have yet to be approved.
- Legislators from the “five eyes” intelligence alliance—the US, Canada, the UK, Australia, and New Zealand—as well as ministers from Japan and India released a statement in 2020 urging tech companies to create systems that would enable law enforcement organizations to access content that is encrypted.
- The law enforcement agency of the European Union, Europol, also released a joint declaration last week with the aim of taking action against the E2EE implementation across online platforms. The reasoning behind this is that the E2EE compromises user safety online by providing limited visibility over offensive content on the platform.
- In a situation akin to that of India, the UK recently saw Signal announce that it will discontinue operations in the UK due to debates around the Online Safety Bill, 2023.
- In the UK, service providers may be required to “use accredited technology to identify CSEA content, whether communicated publicly or privately by means of the service” by the regulator in accordance with the 2018 Online Safety Act. But the government has acknowledged that the regulator won’t be able to enforce this duty if the necessary technology doesn’t exist. This indicates that no request for encryption breaking has been made by the UK to E2EE platforms thus yet.
- Australia appears to be experiencing the same dilemma as the United Kingdom. While the Telecommunications and Other Legislation Amendment (Assistance and Access) Act, 2018 permits LEAs to make requests that need decrypting encrypted data, it also grants access to such requests. It forbids the development of “systemic vulnerability” or “systemic weakness” inside the framework.
- Brazil does not have a particular anti-encryption statute, but Brazilian courts have banned WhatsApp from operating there on many occasions because the company is unable to decrypt encrypted messages and provide the necessary information to the authorities.
- It appears that India is the only nation where the platform is required by law to provide encrypted information to law authorities.
