WhatsApp, new IT rules, and message originator problem: Here’s what experts have to say
In India, WhatsApp is synonymous with messaging. It is similar to how Google is used for the internet and Paytm for digital payment. With over 400 million users, India is unsurprisingly the biggest base for the Facebook-owned firm.
Despite immense popularity and considerable user loyalty, WhatsApp's journey in India has not been without challenges. Back in 2018, WhatsApp was among the first to start testing its UPI-based peer-to-peer payment service. But the service rolled out commercially in November 2020, almost two years after its debut. The gap was enough to allow the company's competitors to scale up their payment services.
WhatsApp's biggest challenge, however, is addressing privacy concerns as well as curbing misinformation and rumours. In the last couple of years, demands for more transparency and assurance of privacy have only grown louder. India's new internet rules have also placed WhatsApp in a difficult position.
According to India's new rules, social media intermediaries will require to share details of the ‘first originator' of a message, which many believe would involve breaking the end-to-encryption of messages shared on the app. WhatsApp head Will Cathcart said that he had made efforts to ensure the platform is not used for general broadcast messaging.
“So, we've explained this to the government. We've explained why we have concerns about it, we'll stand up, and continue to explain those concerns. Our hope is that we can find a way to end up with solutions that don't touch encryption. The core origin of this idea came out of concerns over misinformation. I mean, we share concerns over misinformation,” he had said during a podcast.
So, where does WhatsApp go from here now? We spoke to Anand Venkatanarayan an independent cybersecurity researcher, Debayan Gupta (a PhD Scholar from Yale and Assistant Professor for Computer Science at Ashoka University), Pranav Bhaskar Tiwari manages the encryption and platform regulation programme for the Delhi-based (Tech Policy Think Tank The Dialogue), and Shefali Mehta (the Strategic Engagement and Research Coordinator at the Delhi-based Tech Policy Think Tank The Dialogue). Here are the edited excerpts.
What is the impact of the new IT rules on apps such as WhatsApp?
Any significant messaging provider must now be treated in par with a media company. Hence every message exchanged between any two users now must be publicly traceable with the help of the messaging provider. And hence they can't be end-to-end encrypted.
Hence one way to think of the new IT rules is that they are undermining end-to-end encryption indirectly.
- ANAND V.
The traceability mandate via Rule 4(2) is an antithesis of end-to-end encryption (E2EE). The Signal protocol for E2EE which is also used by WhatsApp is designed in a way that there are no identifiers on the message sent. Both of them are data light Apps and do not store the message shared between users. Storing the hash values of each message is against their very security architecture. The TRAI after years of consultation and analysis and review of global best practices in its report to the DoT recommended that the security architecture of end to end encrypted platforms must not be tinkered with. Hashing entails that there will be an identifier on each message which the platform will have to store and the law enforcement agencies can ask for the same to identify who had sent the message. This in turn will also allow the company to find who is sending what message to whom. Also, if law enforcement and companies Can access this data then so can hostile actors like cybercriminals and enemy states. E2EE messaging platforms currently lack this capability to read or identify messages, they do not store the message only, so there is no scope for such cyber attacks.
It is equally important to understand that transnational E2EE messaging platforms will have to change their functionality not just in India but globally. This means Rule 4(2) of the IT Rules 2021 will not just impact the fundamental rights of Indian s but also foreigners. Given that no privacy-respecting democratic country has enforced such a mandate, thus the same should be implemented only post a wider consultation with technical experts.
- PRANAV BHASKAR TIWARI
Is there any technology-driven alternative or solution to serve the govt purpose as well as not break E2E encryption?
Our best solution is meta-data derived intelligence. E2E Messaging providers store some metadata about accounts. While some like Signal store very little meta-data others like WhatsApp store a bit more metadata. Coupled with device seizures based on probable cause, meta-data derived intelligence might be the way forward.
But there is no possible solution to identify the first originator of a message without undermining the E2E that we know of today.
- ANAND V.
There are many powerful cryptographic techniques that allow us to do strange things with data: but we need to have a much more detailed conversation around the exact requirements. (Just like when one is building any new software – say a word processor – for a client, one needs to have very, very detailed discussions, going back and forth about the requirements.)
Regarding the aspect of WhatsApp sharing data with Facebook apps - how do you see it in terms of claims of privacy vis-a-vis monetization of data?
Here, I think we need to have solid data protection laws. I will note, however, that the data WhatsApp shares is either metadata (when you sent a message and to whom, not the content thereof) or data from conversations with business accounts (WhatsApp actually has two apps; one for normal users and one for businesses; the data sharing with Facebook kicks in only for conversations with business accounts – your conversations with friends etc are completely encrypted like before).
What is the onus on WhatsApp or any other app with regard to fake news or rumours that are spread through their platforms?
A private message between two people or a person inside a closed group becomes a public media message because of the “Message Forward” feature.
E2E complicates content filtering because the platforms might not even know what is being forwarded. Hence our best course of action could be to explore other ways to slow down the forwarding rate on how much an individual can forward in a day, apart from other restrictions already in place.
- ANAND V.
This, really, is not a technical, or even legal problem: we first need to understand the ethical questions here. At a basic level, messaging services are different from Twitter or Facebook. The data here is not being "shared" with the world at large, or all your friends.
Should WhatsApp messages be compared to letters being sent between individuals? (In which case one could use old postal laws as a basis for regulating these things.) Or is it closer to Twitter somehow? The government needs to clearly define these things in a data protection regulation without just vaguely saying "social media".
Where are we on the data privacy bill? Please elaborate on the current status and last sets of key development?
Last year on the 12th of December 2019, the Personal Data Protection Bill was introduced in Parliament for the first time. However, the conversation on India's proposed framework began back in the year 2017, when the Supreme Court in the K.S Puttaswamy v.s. The Union of India case decreed that privacy is also a fundamental right, one that finds its footing in the right to life and personal liberty under Article 21.
A year later, the Committee submitted its report titled “A Free and Fair Digital Economy - Protecting Privacy, Empowering Indians, along with a draft Data Protection Bill, to the Ministry of Electronics and Information Technology. The report was around 200 pages long and identified key issues in data protection such as consent frameworks, establishment of a regulatory authority for data, classification of data and data fiduciaries, regulation of cross-border data flows to name a few. The Draft Personal Data Protection Bill submitted along with the report, largely inspired and modelled around the basic principles laid down in the General Data Protection Regulation of the EU (EU GDPR), was extensive and laid down detailed recommendations for the Government to adopt.
The Government finally tabled its version of the Bill in the Parliament in December 2019, keeping true to its promise of intense scrutiny before introducing it in Parliament. However, immediately after the introduction of the Bill, it was sent to a Joint Parliamentary Committee (JPC) for scrutiny. The Personal Data Protection Bill, 2019 also showed several variations as compared to the draft bill suggested by the Committee of Experts. Among the most contentious variations, has been the expansion of the scope of exemptions for the Government and enhancement of the powers of the Government. There exists a possibility to challenge parts of the legislation in court for failing to meet the tests of necessity and proportionality as laid down in the Puttaswamy judgement, facing the same fate as Section 57 of the Aadhaar Act (which allowed private enterprises to use data collected by the Government for Aadhaar) which was struck down due to the lack of purpose limitation. The Bill has also placed controls over thestorage of data by mandating a localisation regime, which could impact the free flow of data and is likely to affect trade in the digital sector. Though there have been other issues raised, another poignant concern remains India's capacity to implement such sweeping changes to the data ecosystem without a clearly defined implementational strategy that remains absent in the new Bill.
As India rapidly moves into an era of digitisation, with technology being utilised for better delivery of welfare services and for innovation in almost all sectors, the need for a data protection framework is being felt very strongly to protect citizens and empower the Government. However, the road from a state of almost zero protection to an extensive and detailed data governance framework is not going to be an easy or short one. Once the legislation is conceptualized, the task of implementation and ensuring compliance will begin, considering India's data infrastructure and state of the sector at present - this is going to be an important task. In order to protect the interests of Indian citizens and make India a favourable tech destination it is imperative that the Government speeds up the process and brings in place a well-balanced law at the earliest.
- SHEFALI M.