Is the Indian Government considering a Ban on Whatsapp End-To-End Encryption Feature: A relook at the provisions of Personal Data Protection Bill?

There is no single solution to Privacy or Security. There is truly a difficult balance between Privacy and Security. The Encryption on ‘Whatsapp chat’ is beyond doubt the facility of extending privacy and security to the users, but is also a threat to the Government when the same Whatsapp Chat is used by Malicious Elements for Machiavellian acts. Hence, the downside of Encryption, is that it makes the communications of gang murderers, drug traffickers, terrorists, and child sexual abusers inaccessible to law enforcement. Should the Government do a re-look on the way the Data of such Chat Apps are stored in India itself and if the by this order, it can enforce sharing of data to uphold the right to protect its citizen; is a matter that needs Brainstorming at the Government.

It was reported in the media on 04 December 2019, that the Union Cabinet of India, has approved the Personal Data Protection Bill; as also the fact that the Government of India had diluted its stand and had allowed the Internet Giants to store personal data, such as one’s online orders, or destinations one visited, details of shopping abroad etc. without even maintaining a mirror copy of this information in India. This again is not a healthy decision as the Government has settled down for Data Localisation rather than Data Sovereignty (Read our previous article for more details (Click Here……).

Indian government asked Facebook Inc. to help it decrypt private messages on its network, citing national security requirements in a court hearing on privacy rights on social media platforms. India’s Attorney General K.K. Venugopal told the Supreme Court that it was the responsibility of social media companies to share data wherever there was a threat to national security. “A terrorist cannot claim privacy,” Venugopal said. “For Facebook and WhatsApp to say they cannot decrypt is not acceptable.” Facebook-owned WhatsApp, which has about 400 million users in India, allows groups of hundreds of users to exchange texts, photos and videos using end-to-end encryption, beyond the oversight of independent fact checkers or even the platform itself.

What is End-To-End Encryption

Strong encryption is crucial to both India’s personal security and India’s national security. And ‘Whatsapp Chat’ Application follows a strict encryption methodology to provide Privacy to its users. The term ‘End-to-End Encryption’ (E2EE) means your chat is absolutely Private and it is  a definitive security mechanism that protects our personal data (messages etc.) such that it can only be read by the sender, and by the recipient on the other end. No one else, including the hackers or the government, can snoop and read the encrypted data. (However, one may wonder how the NSO Group, an Israeli cyber-intelligence technology firm, used a virus named Pegasus to infect the SmartPhone and then extracted personal information and chats from Whatsapp illegally).

How does end-to-end encryption work?

WhatsApp’s End-to-End Encryption provides Privacy and Security between the sender and the recipient. Nobody in between, not even WhatsApp, can read the messages. The messages are secured with locks, and only the recipient has the special key to unlock and read the messages. WhatsApp uses the Signal Protocol developed by Open Whisper Systems (that it purchased earlier). This happens using a strong 256-bit encryption algorithm. The following sequences enumerate the functionality of E2EE when communication on WhatsApp is made between users.

1. When the user first opens the WhatsApp, two different keys (public & private) are generated. The phone then facilitates the initiation of the encryption mechanism on installation.
2. There are two keys generated between the users and this is termed as the ‘Public Key’ and ‘Private Key’ and this is paired and uses the asymmetric encryption method.
3. The private key must remain with the user whereas the public key is transferred to the receiver via the centralised WhatsApp server.
4. The public key encrypts the senders message on the phone even before it reaches the centralised server.
5. The server is only used to transmit the encrypted message. The message can only be unlocked by the algorithm using both the paired private key and the public key at the receiving end. No third party, including WhatsApp can intercept and read the message (However, Facebook can decrypt the chats based on requests after it retrieves the Public Key and Private Key).
6. If a hacker tries to hack and read the messages, they would fail because of the encryption. This is also the case with the Government agents and they today cannot read the chats directly.

The Encryption Availability

End-to-end encryption inherently implies many important things. Consider two WhatsApp users communicating through instant messaging or calling over the Internet. Their data passes through a WhatsApp server while transiting from one user to the other. For many other services that offer encryption, the data is encrypted during transfer but is protected only from outside intruders like hackers. The service can intercept the data at their servers and use them. They can potentially hand the data to third parties or to law enforcement authorities. End-to-end encryption keeps the data encrypted, without any possibility of decryption, even at the server and anywhere else, including in transit. Thus, even if they want to, the service cannot intercept and do anything with the data. Law enforcement authorities and governments are also among those who cannot access the data. Theoretically, no one can, except the parties at the two ends have the access and readability of the data in communication.

In-spite of the Government backlash, the technology giants who provide such services, market the products that offer end-to-end encryption. This marketing has become aggressive after the “Snowden scandal or ongoing partisan battles to politicize law enforcement”. These companies have lost the trust of many users, and many users distrust government, on the matter of Privacy.

There are means of obtaining such private information from these service providers. However, the same is subsequently made public through the annual transparency reports that they publish and is made available for public access. Google, Apple, Facebook, Verizon, Comcast, Twitter, and Microsoft, among others, publish annual transparency reports about law enforcement requests for user data globally. The Chinese firms Baidu, Tencent, Alibaba, and ByteDance (owner of TikTok) do not publish transparency reports. Indeed Facebook, with some of the world’s most robust encryption capabilities, could not protect its users from the Chinese government, so it doesn’t operate its services in that country. Remember the use of these Applications have never embargoed the service provider from using data for advertising before and after the encryption process.

The Need for Balance

The users in India, at least the intellects, are truly concerned about Privacy when it comes to communicating between two users or within a group. Distrust among the users is, these days, has grown multi-fold. At the same time Government of India is here to protect the individual Rights and also Individual/National Security. Individuals would not have safety or privacy if the Constitution did not prescribe a role for defense and law enforcement. But here again even with these in hand, encryption is making it impossible for law enforcement to access relevant data, stop crimes in process, and obtain evidence necessary for prosecuting criminals. The need is also to ensure access to messaging, smartphones, e-mail, and voice and data applications, not on bypassing customised encryption used by large business enterprises to protect their operations, but on the people who use these chats for crime/terrorism, etc.

Privacy is again a concern as it is promised and guaranteed in the Constitution of India. But this is never absolute, and in India we have balanced this aspect through various means like Right to Information, etc. The Pegasus episode was also an eye-opener when, users were made aware that commercial tools can also be used to spy on users, in-spite of encryption and this again can be a threat to privacy, especially after speculated report that the snooping were done after consent by the Government. As someone said in the context of Privacy and Politics “end to end encryption is politics, not privacy”; is absolutely true.

In the Indian context, it is strongly felt that “Data Sovereignty”, should be upheld and the Internet Giants should be made to establish ‘Data Farms’ in India and ensure that a mirror copy of its citizens data be stored locally.