Recent rules passed in India that threaten end-to-end encryption are being challenged in court by WhatsApp, which stands to lose the central selling point of its platform. The new “traceability” rules require social media platforms with at least five million users to be able to identify the originator of a message, something that would render meaningful encryption impossible.
WhatsApp filed the case in the Delhi High Court on May 29, the same day that the new rules came into effect. Messages in India continue to use end-to-end encryption in the interim, but if WhatsApp’s attempt to block the traceability rules fails it could become subject to criminal liability in the country.
New traceability rules raise widespread privacy concerns
Since it hit the market in 2009, WhatsApp has sold itself on the use of end-to-end encryption that prevents the app developer (and anyone else) from accessing messages. Were the company to comply with India’s new traceability rules, it would be required to implement the ability to track a private message back to user identity upon government request. A spokesperson for WhatsApp said that this would “break end-to-end encryption and lead to real abuse.” The company also argued that even if it wanted to comply, it would be impossible to do so without derailing the basic function of the service.
WhatsApp is suing the Indian government on the basis of violation of the country’s constitution, which guarantees citizens a right to privacy. But the move comes as part of an ongoing campaign by Prime Minister Narendra Modi’s government to not only reduce the power of tech companies in the country, but also to give the government more power over public speech in the country. The campaign has heavily focused on news publications that dissent and are critical of government policy, and recent rules have also granted the government power to order platforms to edit or delete content as a result of public complaints. Tensions ratcheted up this month as the government sent police to the New Delhi offices of Twitter over the company’s decision to attach fact-checking labels to certain posts made by senior members of the ruling party.
The traceability law requires the country’s larger social media platforms to create databases that enable the tracing of all messages. A digital fingerprint is required of each individual message that enables the government to trace it back to the “first originator of information.” The government’s aim is to be able to trace a message back to its source regardless of how many accounts forward it. The new rules also require that qualifying companies appoint a grievance officer, chief compliance officer and a dedicated point of contact to handle these requests.
While WhatsApp has taken some flack recently for its data sharing with parent company Facebook, the company maintains that its end-to-end encryption prevents anyone but the sender and recipient from accessing the content of each message. The company also does not presently store messages. WhatsApp has over a billion users globally, with about 390 million in India. It claims that to meet the government’s traceability requirements, it would have to begin storing all of these user messages as it would not have any way to predict which ones the government would want to trace.
A similar situation is emerging in Brazil, where traceability requirements have been included in a proposed “Fake News” bill. That law applies to messages defined as having been “massively forwarded” by at least five users in a period of up to 15 days and have reached at least 1,000 users in total. WhatsApp, which appears to be the government’s central focus in passing the requirement, would be required to retain these messages along with traceability logs.
End-to-end encryption unpopular with authoritarian governments
World governments are generally opposed to end-to-end encryption that they do not have a dedicated law enforcement backdoor into, but the more authoritarian governments have made more aggressive moves as of late. In addition to the legislation in India and Brazil, strong encryption is virtually impossible in China at this point as the government has demanded that it hold encryption keys. Privacy-focused messaging apps such as Signal have been blocked.
With estimated user bases now in the tens of millions in India, other end-to-end encryption apps such as Signal and Telegram would also presumably be subject to the country’s new traceability laws. Thus far it appears to be business as usual for these other apps, however, as they have not made any specific moves to challenge the government but also have not indicated that they are going to comply with the new law. While the Indian government is not directly levying any penalties, it has stated that the platforms can be held liable for any “illegal information” transmitted through them and that it might go so far as to shut operations down in the country. This does not appear to be an idle threat as India was willing to ban the extremely popular TikTok over border skirmishes with China last year.
Parent company Facebook has signaled that it is willing to comply with the new traceability rules for its own messaging service, but is looking to negotiate some terms with the Indian government. WhatsApp says that it will continue to engage with the government while the lawsuit unfolds. Twitter has yet to comment on its plans. A coalition of privacy advocacy organizations, including the Electronic Frontier Foundation and Mozilla, is publicly backing WhatsApp in refusing to trace private messages.