In India, WhatsApp is synonymous with communication, much as Google is with the Internet and Paytm with digital payments. With more than 400 million users, India is, surprisingly, the largest user base for the Facebook-owned company.
Despite its immense popularity and considerable user loyalty, WhatsApp’s journey in India has not been without challenges. In 2018, WhatsApp was among the first to start testing a UPI-based peer-to-peer payment service. But the service entered the market commercially only in November 2020, almost two years after its debut. The gap was long enough to allow the company’s competitors to expand their payment services.
However, WhatsApp’s biggest challenge is addressing privacy concerns and curbing misinformation and rumors. Over the last few years, the demands for transparency and privacy have only increased. India’s new Internet rules have also put WhatsApp in a difficult position.
Under India’s new rules, social media intermediaries are required to share details about the first sender of a message, which many believe would mean breaking the end-to-end encryption of messages shared in the app. WhatsApp Director Will Cathcart said he is working to ensure that the platform is not used for public broadcast communication.
“So, we’ve explained this to the government. We’ve explained why we’re worried about it, we’ll stand up and keep explaining these problems. We hope we find a way to get solutions that don’t involve encryption. At the heart of this idea was a concern about misinformation. We are concerned about false information,” he had said during the podcast.
So where does WhatsApp go from here? We spoke with Anand Venkatanarayan, an independent cyber security researcher; Debayan Gupta (PhD from Yale and Assistant Professor of Computer Science at Ashoka University); Pranav Bhaskar Tiwari (Delhi-based tech policy think tank The Dialogue); and Shefali Mehta (policy think tank The Dialogue). Here are the edited excerpts.
What is the impact of new IT rules on applications like WhatsApp?
All major messaging service providers must now be treated as media companies. Therefore, every message exchanged between two users must now be publicly traceable through a communication system. And therefore they cannot be encrypted end to end.
Therefore, one way to think about new IT rules is that they indirectly weaken end-to-end encryption.
– ANAND V.
A traceability mandate through Rule 4 (2) is the opposite of end-to-end encryption (E2EE). The E2EE Signal protocol, which is also used by WhatsApp, is designed so that the transmitted message has no tags. Both are data-light applications and do not store messages shared between users. Storing the hash values of each message is against their security architecture. After years of consultation and analysis and a review of global best practices, TRAI recommended in its report to the DoT that the security architecture of end-to-end encrypted platforms should not be compromised. Decentralization means that each message has an identifier that the platform must store and that can be requested by law enforcement to identify the senders of the message. This in turn allows the company to find out who is sending the message to whom. In addition, if law enforcement agencies and companies have access to this information, so will enemy actors such as cybercriminals and enemy states. E2EE messaging platforms do not currently have this ability to read or identify messages; they simply do not store messages, so there is no possibility for such cyber attacks.
It is equally important to understand that international E2EE messaging platforms need to change their operations not only in India but also globally. This means that Rule 4 (2) of the 2021 IT Rules affects the fundamental rights not only of Indians but also of foreigners. As no privacy-respecting democratic country has implemented such a mandate, the same should only be implemented after wider consultation with technical experts.
– PRANAV BHASKAR TIWARI
Is there any technology-driven alternative or solution that serves the purpose of the state without breaking E2E encryption?
Our best solution is metadata-derived intelligence. E2E Messaging providers store some account metadata. Some like Signal store very little metadata, others like WhatsApp store a little more metadata. Combined with probabilistic device scenes, metadata-derived intelligence can be the way forward.
But there is no possible solution to identify the first originator of the message without undermining the current E2E.
– ANAND V.
There are many powerful encryption techniques that allow us to do weird things with data, but we need to discuss the exact requirements in much more detail. (Just like when building any new software for a customer – say a word processor – you need to have very, very detailed discussions, back and forth, about the requirements.)
When it comes to sharing WhatsApp information with Facebook apps – how do you see it in terms of privacy requirements for commercializing your information?
I think we need to have strong data protection laws. However, I notice that the information shared by WhatsApp is either metadata (when you sent the message and to whom, not its content) or information about conversations with company accounts (WhatsApp actually has two applications, one for regular users and one for businesses; information is shared with Facebook only for the latter, and conversations with friends, etc. are completely encrypted as before).
What is the duty of WhatsApp or any other application with respect to fake news or rumors distributed on their platforms?
A private message between two people or a person in a closed group becomes a public media message because of the Message Forwarding feature.
E2E makes it difficult to filter content because platforms may not even know what is being forwarded. Therefore, our best course of action could be to explore other ways to slow down the forwarding rate, that is, how much a person can forward per day, apart from other restrictions already in place.
– ANAND V.
This is certainly not a technical or even a legal problem: we must first understand ethical issues. At a basic level, messaging services are different from Twitter or Facebook. The information here will not be “shared” with the world or all of your friends.
Should WhatsApp messages be compared to letters sent between individuals? (In which case, could the old postal laws be used as a basis for regulating these matters?) Or is it somehow closer to Twitter? The government needs to define these things clearly in the data protection regulation rather than saying only vaguely “social media”.
Where are we on the privacy bill? Tell us more about the current state of key developments and the latest series?
Last year, on 12 December 2019, a bill on the protection of personal data was presented in Parliament for the first time. However, the debate on the framework proposed by India began in 2017, when the Supreme Court, in the case KS Puttaswamy vs Union of India, held that privacy is also a fundamental right, part of the right to life and personal liberty under Article 21.
A year later, the committee submitted its report under the title “A free and fair digital economy – protection of privacy, empowerment of Indians”, together with a draft of data protection legislation, to the Ministry of Electronics and Information Technology. The report was about 200 pages long and identified key data protection issues such as consent frameworks, the establishment of a data regulator, the classification of data and the regulation of cross-border data flows, to name a few. The draft personal data protection bill accompanying the report, which was largely inspired by and modeled on the basic principles of the EU General Data Protection Regulation (EU GDPR), was extensive and made detailed recommendations to the government.
The government finally submitted the bill to parliament in December 2019, sticking to its promise of strict scrutiny before it was presented to parliament. However, immediately afterwards, the bill was sent to the Joint Parliamentary Committee (JPC) for scrutiny. The Bill on the Protection of Personal Data 2019 also presented several differences compared to the draft law proposed by the Committee of Experts. The most controversial variations have been the extension of the scope of government exemptions and the increase in government powers. There is a possibility that some of the legislation will be challenged in court because the requirements of necessity and proportionality set out in the Puttaswamy judgment are not met, and that it will meet the same fate as Article 57 of the Aadhaar Law (which allowed private companies to use the data collected by the government in Aadhaar), which was abolished for lack of purpose limitation. The law has also imposed controls on data retention by prescribing a localization system, which may affect the free movement of data and possibly digital commerce. Although other issues have arisen, India’s ability to implement such large-scale changes in the data ecosystem remains a matter of great concern without a clearly defined implementation strategy, which is lacking in the new bill.
As India rapidly transitions into the digital age, with technology being used to better deliver welfare services and innovate in almost all areas, the need for a data protection framework seems very strong to protect citizens and empower government. However, the road from a near-insecure state to a broad and detailed data management framework will not be easy or short. Once the legislation is conceptualized, implementation and enforcement will begin, given India’s information infrastructure and the state of the industry – this will be an important task. In order to protect the interests of Indian citizens and make India a favorable technology destination, it is essential that the government speed up the process and introduce a balanced law at the earliest.
– SHEFALI M.