Explained: Do WhatsApp Leaks Mean Encrypted Chats Are Vulnerable?
WhatsApp leaks have also raised the larger debate around right to privacy vs larger public interest.
Reports of Narcotics Control Bureau (NCB) acquiring WhatsApp chats of actor Deepika Padukone has once again led to speculations and questions about the security, privacy and accessibility of encrypted communications on platforms like WhatsApp.
Weeks after actor Rhea Chakraborty’s alleged WhatsApp chats were leaked to sections of the media, the NCB has confirmed to the media that it has also acquired WhatsApp chats of the actress with an employee of a talent management agency.
The Quint spoke with Udbhav Tiwari, public policy advisor, Mozilla to navigate through questions of privacy, public interest, encryption and WhatsApp chats as evidence in an investigation.
Aren’t WhatsApp chats encrypted?
WhatsApp chats are indeed encrypted end-to-end as well as in transit. This means that the chat is encrypted even when it is moving from one device to another and can only read in decrypted plain-text by the sender and receiver of the message.
WhatsApp uses the Signal Protocol, designed by Open Whisper Systems for its end-to-end encryption.
“What’s more, even if encryption keys from a user’s device are ever physically compromised, they cannot be used to go back in time to decrypt previously transmitted messages,” WhatsApp states.
A WhatsApp spokesperson told The Quint in a statement, “WhatsApp protects your messages with end-to-end encryption so that only you and the person you're communicating with can read what is sent, and nobody in between can access it, not even WhatsApp.”
“It's important to remember that people sign up on WhatsApp using only a phone number, and WhatsApp doesn't have access to your message content,” the statement added.
How did the NCB get access to WhatsApp chats then?
In the face of such strict encryption protocols, can an entity gain access into an individual’s WhatsApp chats?
In the case of the current investigation into members of the Hindi film industry’s links with narcotics, the most plausible explanation is that the NCB may have gotten access to selective screenshots.
However, on the question of how one can actually gain access into an individual’s WhatsApp, Tiwari says there are three technical but highly unlikely scenarios.
First, the most pervasive and consistent way in which the state or a law enforcement agency can get access to chats is through a spyware like Pegasus that was used to hack into the phones of over a hundred Indian citizens in 2019.
“Firstly, it is really expensive to deploy such malware. You may have to pay up to $100,000 for every client you infect. It is highly unlikely that all folks in the industry are being surveilled at scale,” said Tiwari.
Second, there are vulnerabilities that allow decryption of messages in transit. While a chat is in transit from one to another, the government reading the chats.
“As far as I understand there has never been a time when WhatsApp has had such a vulnerabilty. The scale at which WhatsApp is used and the Signal protocol that is used are based on open source codes,” Tiwari said.
“The odds of such a pervasive vulnerability like this existing that uniformly affects everyone are extremely low and I don’t think this has happened either,” he added.
Third, they actually get access to devices themselves. Even in this scenario there are multiple possibilities. One could delete chats before handing over devices. Or alternatively a cooperative person can hand over the phone’s passcode through which an agency gets access or one is forced to hand over their phone.
Tiwari says hypothetically, accessing chats by physically getting a phone is more likely than breaking encryption.
Is this violation of privacy?
The short answer to that question is they shouldn’t be able to make these public. Even if it is a screenshot, consent is at the core of this issue.
If one were to upload a WhatsApp chat on Facebook, it would be difficult to legally compel the person to take it down. “Unless that information is sensitive personal data such as one’s Aadhaar, PAN or passport scan images and that is sued to harass someone,” said Tiwari, adding “In that case one would have certainly have a remedy as consent wasn’t taken.”:
Even in GDPR in Europe, privacy laws applies to organisations and the state more than individuals.
Tiwari explains that In India also, even when we do get a data protection law, things like the state getting access to chats or photographs and the state leaking it to the press can be grounds for one to go to the Data Protection Authority.
“One can say how did the state get access to these images? Did they do so in a manner in which they have all the legal powers they needed to be able to get access to that image? Even if they did, another question arises. Were there enough checks and balances in them getting this information,” Tiwari said.
What about the integrity of electronic evidence like WhatsApp chats?
“This is the interesting part because there is a ‘chain of custody’ for all evidence. If I give you a piece of evidence to use in an investigation there is a threshold in law that have to be met for the court to accept the evidence because of the ease with which online evidence can be tampered,” Tiwari said.
The chain of custody is a critical process of evidence documentation. It is a must to assure the court of law that the evidence is authentic and untampered.
“I don’t think any of the chats leaked to the media will be used for evidence. This is more a case of manufacturing public opinion in a particular manner and people not caring so much for the chain of custody threshold,” said Tiwari.
For example when Rhea Chakraborty filed for bail and the state opposed the bail. One of the reasons given was they have proof of electronic conversations and they need time to investigate it.
What about the Right to Privacy Vs Public Interest argument?
In the scenario where the government does do that with a data protection law in place, the government will be required to answer some basic questions. Did they obtain consent for this? If privacy is a fundamental right can the state leak information that it obtained as part of an investigation to the public.
Explaining that this would also affect journalists, Tiwari pointed out “I think the answer there is the actual problem because journalists will be up in arms about this. This relates to the same whistleblower concept.”
“How can you tell the press that if a government source comes to the press with information that is in the public interest one shouldn’t talk about it?”
Then it essentially becomes what is the crux of the case – public interest vs an individual’s right to privacy.
In this regard, there aren’t well-defined laws in India. “There is the famous Auto Shankar case. He wanted to write a book naming a bunch of important people. The court case framed this as – when is an individual’s right to privacy trumped by a larger public interest and the right for the public to know certain pieces of information?
(The Quint is available on Telegram. For handpicked stories every day, subscribe to us on Telegram)
Subscribe To Our Daily Newsletter And Get News Delivered Straight To Your Inbox.