In the latest chapter of the escalating battle between ‘big tech’ companies and the Indian government, WhatsApp has taken the Indian government to court over rules that seek to enforce the traceability of chats.
WhatsApp argues that the new rules for internet intermediaries — released in February 2021 — will break end-to-end encryption.
But what does this mean? And more importantly, should you be worried?
Why is WhatsApp Suing the Govt of India?
The intermediaries rules require companies like WhatsApp to be able to identify the ‘first originator’ of a message.
When asked by the government, they should be able to trace an offending message that may have been forwarded several times, back to its original sender. This is a problem for WhatsApp.
WhatsApp claims that because it is end-to-end encrypted, it ensures that communications are only shared between the sender and the recipient. No one can read or listen or access these messages — not even WhatsApp. According to the messaging company, traceability will break end-to-end encryption, and collapse the key promises of privacy and security that accompany it.
This would severely undermine the privacy of its 400 million-odd Indian users, and effectively create ‘a new form of mass surveillance’.
As the new rules come into effect, compliance has become mandatory. Otherwise companies risk losing their safe harbour, which would mean that WhatsApp, in theory, would be liable for all the content shared on its platform. So, WhatsApp had a choice: comply, or challenge.
What is WhatsApp’s Argument?
WhatsApp’s challenge revolves around the argument that the traceability requirement violates individual privacy, and fails the tests laid down in the Puttaswamy judgment — which recognised that Indians have a fundamental right to privacy. Central to this is its assertion that the traceability obligation is not ‘proportional’, as it compromises the privacy of millions to potentially catch a handful of bad actors.
Traceability would have to be enabled for all users and all messages, irrespective of whether they are engaging in criminal conduct.
The Indian government has responded sharply to this challenge. Its concerns stem from the inaccessibility of end-to-end encrypted communications. Without access to encrypted communications, it fears that it may be unable to prevent terrorist attacks and investigate and prosecute criminal activity.
To solve this problem, it believes that reasonable restrictions should be made to the right to privacy.
Because it is to be used only for investigating or preventing serious crimes, like those involving threats to national security or finding perpetrators of child abuse material, the traceability requirement may be such a restriction. In the government’s view, this requirement meets the Puttaswamy test. Which is why the government ordered WhatsApp to follow the law of the land, and find a technical solution to make traceability and end-to-end encryption work together. This brings us to the next question.
Are Traceability and End-to-End Encryption Compatible?
The long and short is that we do not know. According to the government, it is WhatsApp’s responsibility to find a technical solution. WhatsApp, on the other hand, has determined that traceability breaks end-to-end encryption. And that both are incompatible. So, what do we know?
Reports suggest that the government has proposed a method of assigning an alphanumeric hash — essentially an identifier or signature — to each message, so it could be traced back to the originator if it causes unlawful activity.
Experts have found several problems with this approach.
First, every message will be assigned a separate identifier or hash. Experts believe that changing even a single alphabet in the message would change the hash, making the process of tracing the message originator imprecise.
This can result in innocent users getting caught up in investigations or being charged with criminal conduct.
Second, stakeholders are concerned that it will harm the overall security and privacy of individuals, as the identifier of every message they send will be stored on a database. In addition to being prone to abuse and surveillance, this will open up avenues for hacking, spoofed hashes, and social profiling.
In this context, it is worth questioning if the decision to mandate an unproven technical method is prudent regulatory design.
Should You Be Concerned?
Yes, somewhat. Traceability undermines data minimisation (to limit data collection to only what is necessary) and privacy by design (privacy through technology design), which are key concepts of data protection legislations across the world, including India’s forthcoming Personal Data Protection Bill, 2019.
In opposition to both these principles, WhatsApp would be forced to collect identifier data of each message, increasing the chances of government surveillance and arbitrary action. Collecting ‘who-said-what and who-shared-what’ data that is linkable to users can become a tool of mass surveillance, according to WhatsApp.
This fear is not baseless, owing to the government’s less-than inspiring record in shutting down critical speech. Worse, this database could become a valuable target for bad actors, while criminals and foreign governments could use the database to attack or profile Indian citizens.
There are also freedom of speech implications. By undermining the privacy of communications, there are concerns that the traceability requirement will chill speech that is critical of the government or its actions.
By pegging the traceability to a technology company’s safe harbour, intermediaries will be incentivised to regulate content, resulting in greater censorship.
At the same time, it has been put forward that citizens who ‘have nothing to hide’ should not be worried. This argument is misplaced.
Privacy isn’t about hiding personal information, but protecting it, and controlling it.
Even beyond secrecy, privacy has many facets. It enables the freedom of expression, identity, dignity, and quality of life. On a more practical note, it is also linked to security. It plays a key role in protecting users from cybersecurity attacks, manipulation, unwarranted ads, and discrimination. Implying that corporate and government surveillance is acceptable because one has nothing to hide, is short-sighted and harmful.
The Way Forward
For starters, contrary to what is being suggested in several click-bait headlines, it is unlikely that WhatsApp will be banned. Non-compliance with the rules can only remove its safe harbour, which may however disrupt its ability to do business in India.
While WhatsApp has restated its commitment to work with the government to find a middle-ground, this looks difficult.
As their relationship becomes increasingly fraught, new battle-lines are being drawn every day. So, for now, the ball remains firmly with the Court(s).
(Vijayant Singh and Aman Taneja are Senior Associates at Ikigai Law, which tweets @ikigailaw. The authors tweet @Vijayan09574103 and @amantaneja42 respectively. This is an opinion piece and the views expressed are the author’s own. The Quint neither endorses nor is responsible for them.)
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)