
WhatsApp vs Indian govt on IT rules: Can encryption be broken, who is right, who is wrong

WhatsApp had sued the Indian government for allegedly forcing the company to break end-to-end message encryption.

There is a tussle going on between the Central government and WhatsApp, a company that belongs to Facebook. At the heart of the matter are the new IT rules, dubbed the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. The rules were notified on February 25 and their provisions came into effect from May 26. On the same day, that is May 26, WhatsApp filed a case against certain provisions of the new rules in Delhi High Court. A few hours later, the government responded by calling WhatsApp "misguided".

If we go by what the lawyers of WhatsApp have put in its petition filed in the Delhi HC, it is clear that it is making some substantial arguments against the new Indian IT rules. At the same time, if we see the government response to it, we can clearly infer that the government too, is not holding anything back. There are accusations and counter-accusations.

Now, it is probably the Delhi HC that will have to figure out who is right, who is wrong and who should accommodate, and who should adjust, but there are two bits that stand out from the point of view of technology. Let's look at these and see who is more right and who is more wrong on these two points.

These two points are:

1- The matter of end-to-end encryption (E2E) in WhatsApp and whether compliance with the IT rules is going to weaken it or not.

2- Is WhatsApp agreeing to similar demands from other countries or not?

End-to-End Encryption and the IT Rules

This is the biggest bone of contention between the government and WhatsApp. And this is because of Rule 4(2) of the Intermediary Guidelines.

What is the rule: This is a rule that asks companies like WhatsApp to put in place a mechanism that will allow them, or the government, to trace a message to the first person who sent that message. Here is what the IT Rules note, "A significant social media intermediary providing services primarily in the nature of messaging shall enable the identification of the first originator of the information on its computer resource as may be required by a judicial order passed by a court of competent jurisdiction"

What WhatsApp is saying: This is the exact provision that WhatsApp has challenged. In its petition, it says: "IT Rules would force us to break end-to-end encryption on our messaging service and infringe upon the fundamental right to privacy and free speech of hundreds of millions of citizens using WhatsApp."

The keyword here is "break". We will come to this point in a minute.

What the Indian government is saying: The Indian government says that in India the privacy of users is maintained through law and not E2E. It doesn't care about E2E. In its note, the government says, "the entire debate on whether encryption would be maintained or not is misplaced. Whether Right to Privacy is ensured through using encryption technology or some other technology is entirely the purview of the social media intermediary."

So who is right: Well, it seems both are playing to their strengths. In a way these are the arguments of lawyers. But as far as that "break" word is concerned, in terms of technology WhatsApp seems wrong. But in terms of practical use of E2E, WhatsApp is probably right.

Confusing? Let us explain.

First we need to understand what E2E is. E2E means there are two encryption keys that are generated locally on two computers or two phones. So, when a WhatsApp user types a message, it is encrypted using a "key" on his or her phone. This key is unique to a phone or computer and it is generated the first time when WhatsApp is used on that phone or computer. Now, when this message passes through a network, or WhatsApp servers, or any other places, its contents cannot be read. It can only be read once it gets delivered to a phone. Once it gets delivered, it can be decrypted using the "key" that a receiver has on his or her phone.

Now, if the government asks WhatsApp to create a mechanism that will let the company find who originally sent a message, it can possibly be done without breaking the E2E. After all, the government is not asking for the contents of a message, which WhatsApp doesn't have and cannot have unless it breaks E2E, but only for the metadata related to who sent the message. This information can exist outside the message and hence can be in an unencrypted state.
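The split described above can be shown in a few lines. This is an added illustration, not code from WhatsApp or from the article: a toy construction (simple Diffie-Hellman plus an HMAC-based cipher, all function names hypothetical) in which each phone generates its own key locally, the message body is unreadable to the relay, and the sender metadata rides outside the encrypted body.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group for illustration only (assumption, not a vetted scheme).
P, G = 2**255 - 19, 2

def keypair():
    """Generate a private/public key pair locally on one device."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(my_priv, their_pub):
    """Both devices derive the same key; the server never holds it."""
    secret = pow(their_pub, my_priv, P)
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    """HMAC-SHA256 in counter mode as a simple keystream."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    """Encrypt then MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(12)
    ks = _stream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag before decrypting; reject tampered bodies."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("message body was modified in transit")
    ks = _stream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def envelope(sender, recipient, key, text):
    """What leaves the phone: routing metadata in clear, body encrypted."""
    return {"from": sender, "to": recipient, "body": seal(key, text.encode())}

def server_view(env):
    """Everything a relay without the key can read or log."""
    return {"from": env["from"], "to": env["to"], "body_bytes": len(env["body"])}
```

The relay's view contains who sent what to whom and how large it was, but never the text, which is the distinction between content and metadata that the argument turns on.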

So, is WhatsApp wrong in saying that compliance with new IT rules will break E2E and lead to loss of privacy for users? Not exactly.

This is because E2E is not just a technology. It is also a feature and a perception. This perception is that once a message is encrypted using E2E keys, it can only be accessed by two people: sender and receiver. It is a guarantee of privacy. It is this guarantee that the new IT rules take away.

This is because once there is identifiable information attached to a message, the privacy is lost. In a way, what the government is asking for here is a sort of "backdoor" that will let it access details of any message on WhatsApp if needed.

This is not the first time a government has done so. In 1993, the US government created a chip called Clipper. It then asked computer makers to put this chip in all computers, so that the government could decode user data when required. The government made all the right noises. It said that this would be used only as a last resort, that there would be a judicial process, that it was needed for national security, and all the other arguments that are common when governments ask for weakening of privacy standards. Effectively this also meant that for day-to-day use, users had access to encryption but with the caveat that the government had a way to get to them. Of course, the whole program failed because the tech industry refused to cooperate.

The Indian government is not asking for a specific backdoor in WhatsApp or messaging E2E. But it is asking for a theoretical backdoor, a tiny crack in the watertight encryption that will let it pry open a message when needed.

Is this a reasonable demand? That is something for courts, Indian government and WhatsApp to decide.

Other countries too have asked for it

What WhatsApp says: In its petition WhatsApp says that "We are not aware of any country that requires intermediaries to do this."

Indian government says: "In July 2019, the governments of the United Kingdom, United States, Australia, New Zealand and Canada issued a communique, concluding that: 'tech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can gain access to data in a readable and usable format' Brazilian law enforcement is looking for WhatsApp to provide suspects' IP addresses, customer information, geo-location data and physical messages."

So, who is right: Factually both are. Indian government is right in saying that other countries too have demanded weakening of E2E. This is because technologies like E2E, which are practically uncrackable unless they have bugs, pose big challenges to any government. Countries like China and Russia are even going further. So, the Indian government is right in its claim.

However, it is worth pointing out that in no mature democracy have these demands been met so far by technology companies. And this means even WhatsApp is right. While a lot of governments have asked for weakening of encryption, in most of the countries the governments and the law enforcement agencies have also backed down from their demands in the face of non-compliance. The biggest example of this is Apple vs FBI. In 2016, the FBI challenged Apple twice in the US courts, asking the company to unlock a couple of iPhones. Apple refused. However, before the cases could get underway in any meaningful way, the US government dropped them and walked away from the legal fight.

What are other arguments

Beyond these two arguments (E2E and other countries), the rest of the arguments from both the Indian government and WhatsApp are more of policy and legal questions. What is privacy and how much privacy is good privacy, who is entitled to privacy and freedom of speech, and when does it become bad privacy? Or what are the powers of an app vs the regulations in a country, or what are the limits of legal powers that a government has over its people? All of these arguments will likely come to the fore in the court if WhatsApp and the Indian government stick to their stance. As far as E2E and facts related to demands from other countries are concerned, both WhatsApp and the Indian government are right, but they are also using their arguments selectively.