WhatsApp is suing the Indian government over privacy on its platform that is used by nearly 400 million plus Indians. The Facebook-owned messaging platform has challenged the new IT rules promulgated by the Indian government that require the messaging app to trace the first originator of a message. Allowing such tracing means that the end-to-end encryption of messages done by WhatsApp will be weakened, compromising the security of the people.
India’s internet regulations for social media platforms, messaging apps, and streaming video services were passed in February. Platforms were given three months to comply, which ended earlier this week.
Cybersecurity experts have also said that traceability is incompatible with end-to-end encryption, and any weakening of this will put citizens — especially women, children and other vulnerable groups — in greater danger.
End-to-end encryption is the gold standard for keeping Internet systems secure. This ensures no one apart from the sender and receiver of the information can decrypt and read it, thus keeping communication private and inaccessible to outside parties.
The government, on its part, has asserted that its aim is not to undermine or violate anyone’s privacy and that tracing will only be used “for prevention, investigation, or punishment of very serious offenses related to the sovereignty and integrity of India, the security of the state, friendly relations with foreign states, or public order, or of incitement to an offense relating to the above or in relation with rape, sexually explicit material, or child sexual abuse material.”
Cybersecurity experts and civil rights organizations have pointed out the impossibility of identifying the originator of a message without undermining end-to-end encryption. Also, accepting the mandate would turn every message sender as a potential criminal subject. Added to that would be the huge amount of data to keep track of.
“Traceability will compel end-to-end encrypted platforms to alter their architecture in a way that will negatively impact online privacy and security. They will have to develop the ability to track who sent which message to whom, and store this information indefinitely,” says Namrata Maheshwari, technology policy advocate. “This is an onerous obligation that severely undermines end-to-end encryption and puts users’ privacy, security, and freedom of expression at risk.”
Another aspect is determining and defining dangerous information. The government could easily use that power to curb any political or free exchange of ideas or information as harmful to the integrity of the nation.
“The minute you build a system that can go back in time and unmask a few people sending a piece of content, you’ve built a system that can unmask anyone sending any content,” says Matthew Green, a cryptographer at Johns Hopkins University. “There is no such thing as just collecting information from the bad guys. It’s very dangerous to start revealing this information, because you don’t know where it will end. ”
The lawsuit has the potential to determine the kind of communication technology and online integrity that will be available in the country in the future. The outcome may also act as a precedent for other governments to follow suit. Complying to such rules is an infringement of fundamental privacy rights, say civil rights organizations.
WhatsApp is facing a similar problem in Brazil, its second-largest market after India. Other countries such as the UK and Canada, and the US have also been asking WhatsApp to weaken their encryption, but this is the first time that a country has passed a law requiring it to comply.
