It couldn’t have come at a more poignant time. For WhatsApp to turn on end-to-end encryption—that is the strange yellow alert you have been getting inside chats—just a week after the FBI got into the iPhone Apple refused to unlock, was almost like sending a message that was hard to ignore.
It is a big deal given that a billion people now have access to encrypted messaging, thanks to WhatsApp. Though encryption has been around in many forms and degrees for many years, it has never been this big.
There are a lot of positives to this. As WhatsApp founders Brian Acton and Jan Koum said in their blog: “The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send that message to. No one can see inside that message. Not cyber-criminals. Not hackers. Not oppressive regimes. Not even us.” Now, add to this the fact that the encryption also covers every voice-call, message, photo, video, file, voice and group message sent using the app. Never before has encryption been available to the common man at this scale. In a way you can now have all your communication—with a single contact or with a group—protected by the most dependable 256-bit encryption, the AES256 algorithm. It is accepted by the US and Canadian governments as a standard for encrypting “transited data and data at rest”.
However, this is not going to go down well with a lot of governments, especially those at the forefront of fighting terror. For them, it is a problem if the world’s most popular messaging network goes encrypted. Not that it was easy tapping into any of these networks, but now the largest of these doesn’t even leave them the option. It remains to be seen how governments react. But you can expect at least some countries to be harsh in their reaction.
Meanwhile, there have been reports that WhatsApp might have made itself illegal by switching on 256-bit encryption. That is not really right, because India does not have any regulation in place for OTT messaging apps like WhatsApp or Facebook Messenger. “In my view, under the existing regulatory framework, 256-bit encryption is certainly not prohibited. When it comes to the telecommunications space, the framework gets a little more complex with differing requirements (like restriction on bulk encryption and cap of key lengths at 40 bits) being applicable to holders of different licenses or authorisations. However, in any case, these obligations currently only apply to license holders themselves (such as ISPs and TSPs) and not to internet (i.e., over-the-top) applications like WhatsApp,” explains Tarun Krishnakumar, a Delhi-based lawyer specialising in technology. The government’s draft policy on encryption also placed restrictions on what keys OTT players could use, but that has since been scrapped and is being reworked.
There is also the issue that a 40-bit key length is pretty low by all standards these days. The US National Institute of Standards and Technology (NIST) no longer allows anything lower than 80-bit, and even that only with three-key Triple DES (Data Encryption Standard), which is anyway being phased out in favour of the Advanced Encryption Standard in its AES 128, AES 192 and AES 256 variants. WhatsApp uses AES 256, which is the strongest of the lot.
WhatsApp switching on encryption comes primarily as a reaction to the growing popularity of apps like Signal and Telegram, which offer various degrees of encryption. However, WhatsApp goes a step further and offers encryption by default and also within groups.