By Ritwik Sharma
WhatsApp has recently said that it would be forced to leave the Indian market if it was made to decrypt its encrypted messaging service. Ritwik Sharma explains the debate around decryption
l Why WhatsApp is challenging the government?
LAST MONTH, AT a Delhi High Court proceeding, messaging platform WhatsApp said it would be compelled to leave India if it was required by law to break end-to-end encryption (E2EE). WhatsApp and its parent company, Meta, have challenged the Information Technology Rules, 2021, that require messaging platforms to maintain “traceability” of all messages, thereby allowing authorities to track the originators. E2EE ensures messages cannot be read by anyone besides the sender and the receiver. WhatsApp has stressed that E2EE is necessary for maintaining user privacy, a core value for the messaging platform.
The government, on the other hand, has sought a balance between privacy and traceability to ensure online safety and combat harmful content, misinformation, etc., calling for the identification of the “first originator” of messages. The case will be next heard in August.
l The global experience
IN BRAZIL, JUDGES have repeatedly ordered WhatsApp to decrypt messages as part of criminal probes, leading to temporary suspensions when the company failed to comply, says Kazim Rizvi, founding director, The Dialogue. The UK Online Safety Act, EARN IT Act (US), and similar initiatives in the European Union have sought to enforce decryption of E2EE messages, but no country has implemented the mandate owing to its technical infeasibility, he adds.
There is a difference in the positions taken by Big Tech for profit (as in Meta’s reluctance to share revenue with news publishers in Australia) and for the sake of having to give up a core functionality that can jeopardise profitability (WhatsApp’s objection to traceability in India), says Namrata Maheswari, senior policy counsel and encryption policy lead, Access Now.
l What if the state foots the bill?
SOME ARGUE THAT beyond the posturing, Big Tech may be willing to decrypt E2EE if states foot the bill. According to Rizvi, it is not a matter of cost but privacy, security principles, and technological feasibility, with the likes of Apple, WhatsApp, and Signal framing policies emphasising user privacy and data security. “Apple resisted the FBI’s request to unlock an iPhone involved in the San Bernardino shooting (2015), citing privacy concerns, although the FBI later found an alternative way to access the device. Similarly, WhatsApp maintains that it cannot decrypt messages due to its encryption model, which does not store decryption keys,” Rizvi says. “It is very much about maintaining the integrity of the platform,” says Maheswari, adding decryption could lead to loss of data security as well as trust among consumers.
l Contours of the decryption debate
IN DEBATES AROUND decryption capabilities of companies using E2EE, the core issues concern its feasibility without fundamentally compromising the security architecture and violating user privacy, says Rizvi. The debate is also focused on client-side scanning (broadly systems that can scan contents of messages) which is active in the UK in the wake of the Online Safety Act passed last year, adds Maheswari. A scanning device can scan contents of a message — text, image, video — before it is converted from plaintext to ciphertext (which is encrypted), explains Maheswari.
Citing differences between platforms, she says, while WhatsApp collects metadata (providing information of other data but not the content itself), a more security-focused company like Signal doesn’t. “Metadata is sensitive in itself, and could be the next big dimension of the debate on encryption,” she adds.
l Alternatives for law enforcement
MAHESWARI ARGUES THAT decryption is a convenient step and a low-hanging fruit for criminal investigation. “Decryption would impact right to privacy, free expression, and compromise user data so it’s important for platforms to take strong positions,” she says.
According to Rizvi, the ingenuity of law enforcement should not be underestimated. “For instance, as part of project Trojan Shield, the FBI, in partnership with other nations, planted a compromised E2EE messaging platform called An0m on the black market. This led to the arrest of 800 criminals, without compromising the safety and security of users or the national security of the state,” he says, adding that metadata can be leveraged for tackling crime.
