If WhatsApp Gives in to Indian Govt’s Demands, Should We Worry?

In the latest chapter of the escalating battle between ‘big tech’ companies and the Indian government, WhatsApp has taken the Indian government to court over rules that seek to enforce the traceability of chats.

But what does this mean? And more importantly, should you be worried?

Why is WhatsApp Suing the Govt of India?

The intermediaries rules require companies like WhatsApp to be able to identify the ‘first originator’ of a message.

WhatsApp claims that because it is end-to-end encrypted, it ensures that communications are only shared between the sender and the recipient. No one can read or listen or access these messages — not even WhatsApp. According to the messaging company, traceability will break end-to-end encryption, and collapse the key promises of privacy and security that accompany it.

As the new rules come into effect, compliance has become mandatory. Otherwise companies risk losing their safe harbour, which would mean that WhatsApp, in theory, would be liable for all the content shared on its platform. So, WhatsApp had a choice: comply, or challenge.

What is WhatsApp’s Argument?

WhatsApp’s challenge revolves around the argument that the traceability requirement violates individual privacy, and fails the tests laid down in the Puttaswamy judgment — which recognised that Indians have a fundamental right to privacy. Central to this is its assertion that the traceability obligation is not ‘proportional’, as it compromises the privacy of millions to potentially catch a handful of bad actors.

The Indian government has responded sharply to this challenge. Its concerns stem from the inaccessibility of end-to-end encrypted communications. Without access to encrypted communications, it fears that it may be unable to prevent terrorist attacks and investigate and prosecute criminal activity.

Because it is to be used only for investigating or preventing serious crimes, like those involving threats to national security or finding perpetrators of child abuse material, the traceability requirement may be such a restriction. In the government’s view, this requirement meets the Puttaswamy test. Which is why the government ordered WhatsApp to follow the law of the land, and find a technical solution to make traceability and end-to-end encryption work together. This brings us to the next question.

Are Traceability and End-to-End Encryption Compatible?

The long and short is that we do not know. According to the government, it is WhatsApp’s responsibility to find a technical solution. WhatsApp, on the other hand, has determined that traceability breaks end-to-end encryption. And that both are incompatible. So, what do we know?

Reports suggest that the government has proposed a method of assigning an alphanumeric hash — essentially an identifier or signature — to each message, so it could be traced back to the originator if it causes unlawful activity.

First, every message will be assigned a separate identifier or hash. Experts believe that changing even a single alphabet in the message would change the hash, making the process of tracing the message originator imprecise.

Second, stakeholders are concerned that it will harm the overall security and privacy of individuals, as the identifier of every message they send will be stored on a database. In addition to being prone to abuse and surveillance, this will open up avenues for hacking, spoofed hashes, and social profiling.

Should You Be Concerned?

Yes, somewhat. Traceability undermines data minimisation (to limit data collection to only what is necessary) and privacy by design (privacy through technology design), which are key concepts of data protection legislations across the world, including India’s forthcoming Personal Data Protection Bill, 2019.

This fear is not baseless, owing to the government’s less-than inspiring record in shutting down critical speech. Worse, this database could become a valuable target for bad actors, while criminals and foreign governments could use the database to attack or profile Indian citizens.

By pegging the traceability to a technology company’s safe harbour, intermediaries will be incentivised to regulate content, resulting in greater censorship.

At the same time, it has been put forward that citizens who ‘have nothing to hide’ should not be worried. This argument is misplaced.

Even beyond secrecy, privacy has many facets. It enables the freedom of expression, identity, dignity, and quality of life. On a more practical note, it is also linked to security. It plays a key role in protecting users from cybersecurity attacks, manipulation, unwarranted ads, and discrimination. Implying that corporate and government surveillance is acceptable because one has nothing to hide, is short-sighted and harmful.

The Way Forward

For starters, contrary to what is being suggested in several click-bait headlines, it is unlikely that WhatsApp will be banned. Non-compliance with the rules can only remove its safe harbour, which may however disrupt its ability to do business in India.

As their relationship becomes increasingly fraught, new battle-lines are being drawn every day. So, for now, the ball remains firmly with the Court(s).

(Vijayant Singh and Aman Taneja are Senior Associates at Ikigai Law, which tweets @ikigailaw. The authors tweet @Vijayan09574103 and @amantaneja42 respectively. This is an opinion piece and the views expressed are the author’s own. The Quint neither endorses nor is responsible for them.)