WhatsApp Challenges Govt: Breaking End-to-End Encryption Will Lead to Security Issues but Timing of Petition Circumspect

The new Intermediary Guidelines (IL Guidelines), require messaging platforms that have over 50 lakh registered users (such as WhatsApp) “enable the identification of the first originator of the information”.

The challenge from WhatsApp is that this impinges on an individual’s constitutional right to privacy and is therefore unconstitutional.

The stance of the Centre is that the right to privacy, like any other constitutional right, is not absolute but subject to reasonable restrictions.

The debate is around this proviso to Guideline 4 (2) of the IL Guidelines: "Provided also that in complying with an order for identification of the first originator, no significant social media intermediary shall be required to disclose the contents of any electronic message, any other information related to the first originator, or any information related to its other users." Whatsapp argues that this cannot be technologically done without breaking end-to-end encryption. If that happens, communication can be monitored.

Encryption, traceability, privacy

Temporarily setting aside the legal arguments surrounding this, there are technological challenges around implementing methods that would enable platforms to identify the first originator of the information while also maintaining end-to-end encryption.

The main technical challenge here is that allowing for identification of the first originator without breaking end-to-end encryption and doing it prematurely for all (as it would not be known when a request appears) is considered nearly impossible by most tech experts.

Prof Kamakoti at IIT Madras, came up with a proposal to allow for traceability of WhatsApp messages without eroding privacy. Briefly, his proposal was:

  1. Make the originator’s phone number visible to all recipients; or
  2. Encrypt the originator’s phone number in the metadata of the message that can only be decrypted by WhatsApp, using a key held in escrow, after relevant court orders are produced.

However, the solutions proposed by Prof Kamakoti have been panned by tech experts across India, including a cryptography expert who is a professor at IIT Bombay. A cyber security expert Anand Venkatanarayanan has published a detailed explanation of why Prof Kamakoti’s proposal is erroneous and not feasible.

In the words of another cryptography expert at a recent conference, the ask to trace the first originator without breaking end-to-end encryption, is akin to the government asking to have roll down windows on airplanes.

Breaking end-to-end encryption would also lead to immense security issues for every individual. By implementing a system where messages are not secured by end-to-end encryption, we are putting ourselves at the mercy of extremely skilled hackers, who can very easily intercept and read personal messages, thus, significantly intruding on an individual’s right to privacy.

This also carries a significant threat to our democracy as it will allow a malicious foreign power the ability to hack and capture data of Indian citizens, including lawmakers and government officials who use the platform.

What can/will the Court do?

Ideally, the Court would have to first understand the technical feasibility of the ask, and consult with tech experts.

Given what has been stated above, the Court would then note that while the right to privacy does come with reasonable restrictions, given the current technology, the obligation within the IL guidelines cannot be carried out without a significant threat to the right to privacy.

The letter of the law states that the authorities must look for alternative, less intrusive means as “Provided further that no order shall be passed in cases where other less intrusive means are effective in identifying the originator of the information”. This will take care of the proportionality requirement laid down in the Puttuswamy judgement but it all boils down to the orders being specific and transparent about it. The track record has not upheld these requirements so far. Further, because end-to-end encryption would have to be broken for all users, its a disproportionate step that WhatsApp must institute even without an order, since the inception it will have to modify its service.

WhatsApp’s motivations

While this may or may not be a diversionary tactic by Facebook (FB), it is more importantly, a challenge that arises out of business interests for FB, for two reasons:

If WhatsApp were to implement a system allowing for tracing of the first originator, it would mean that messages sent on WhatsApp would no longer be end-to-end encrypted. If this happens, it is very likely that most users would migrate to other platforms, such as Signal, which would have robust end-to-end encryption systems. However, once it reaches the threshold of designation as an SSMI, then there might again be a churn in the instant messaging market.

Developing a system where the first originator of a message can be traced without breaking end-to-end encryption, would require a significant monetary investment, which WhatsApp is understandably looking to avoid having to incur.

Further, the timing of the petition is quite circumspect. It comes at the heels of the end of the deadline to comply with the IL Guidelines. Further, this is also when the government is pushing WhatsApp to take back its privacy policy update for Indian users and WhatsApp has halted it.

This article was first published by the Free Press Journal.

Focus Areas
What We Do
Resource Type