WhatsApp, new IT rules, and message originator problem: Here’s what experts have to say
How do the new IT rules affect instant messaging platforms like WhatsApp? Here is what experts have to say.
In India, WhatsApp is synonymous with messaging. It is similar to how Google is used for the internet and Paytm for digital payment. With over 400 million users, India is unsurprisingly the biggest base for the Facebook-owned firm.
Despite immense popularity and considerable user loyalty, WhatsApp’s journey in India has not been without challenges. Back in 2018, WhatsApp was among the first to start testing its UPI-based peer-to-peer payment service. But the service rolled out commercially in November 2020, almost two years after its debut. The gap was enough to allow the company's competitors to scale up their payment services.
WhatsApp’s biggest challenge, however, is addressing privacy concerns as well as curbing misinformation and rumours. In the last couple of years, demands for more transparency and assurance of privacy have only grown louder. India’s new internet rules have also placed WhatsApp in a difficult position.
According to India’s new rules, social media intermediaries will be required to share details of the ‘first originator’ of a message, which many believe would involve breaking the end-to-end encryption of messages shared on the app. WhatsApp head Will Cathcart said that he had made efforts to ensure the platform is not used for general broadcast messaging.
“So, we’ve explained this to the government. We’ve explained why we have concerns about it, we’ll stand up, and continue to explain those concerns. Our hope is that we can find a way to end up with solutions that don’t touch encryption. The core origin of this idea came out of concerns over misinformation. I mean, we share concerns over misinformation,” he had said during a podcast.
So, where does WhatsApp go from here? We spoke to Anand Venkatanarayan (an independent cybersecurity researcher), Debayan Gupta (a PhD Scholar from Yale and Assistant Professor for Computer Science at Ashoka University), Pranav Bhaskar Tiwari (who manages the encryption and platform regulation programme for the Delhi-based Tech Policy Think Tank The Dialogue), and Shefali Mehta (the Strategic Engagement and Research Coordinator at the Delhi-based Tech Policy Think Tank The Dialogue). Here are the edited excerpts.
What is the impact of the new IT rules on apps such as WhatsApp?
Any significant messaging provider must now be treated on par with a media company. Hence every message exchanged between any two users now must be publicly traceable with the help of the messaging provider. And hence they can’t be end-to-end encrypted.
Hence one way to think of the new IT rules is that they are undermining end-to-end encryption indirectly.
- ANAND V.
The traceability mandate via Rule 4(2) is an antithesis of end-to-end encryption (E2EE). The Signal protocol for E2EE, which is also used by WhatsApp, is designed in a way that there are no identifiers on the message sent. Both of them are data-light apps and do not store the message shared between users. Storing the hash values of each message is against their very security architecture. The TRAI, after years of consultation and analysis and review of global best practices, in its report to the DoT recommended that the security architecture of end-to-end encrypted platforms must not be tinkered with. Hashing entails that there will be an identifier on each message which the platform will have to store and the law enforcement agencies can ask for the same to identify who had sent the message. This in turn will also allow the company to find who is sending what message to whom. Also, if law enforcement and companies can access this data then so can hostile actors like cybercriminals and enemy states. E2EE messaging platforms currently lack this capability to read or identify messages, they do not store the message only, so there is no scope for such cyber attacks.
It is equally important to understand that transnational E2EE messaging platforms will have to change their functionality not just in India but globally. This means Rule 4(2) of the IT Rules 2021 will not just impact the fundamental rights of Indians but also foreigners. Given that no privacy-respecting democratic country has enforced such a mandate, the same should be implemented only post a wider consultation with technical experts.
- PRANAV BHASKAR TIWARI
Where are we on the data privacy bill? Please elaborate on the current status and the last set of key developments.