WhatsApp introduced end-to-end encryption for all its services this week. Technically what this means is that user calls, texts, video, images and other files sent can only be viewed by the intended recipient, and no one, not even WhatsApp itself, can access this data. This guarantee of user privacy creates new concerns for the government.
WhatsApp will now find it impossible to comply with government requests for data, since WhatsApp itself will not have the decryption key. In effect, WhatsApp is doing exactly what Apple did in the Apple vs FBI battle; it’s preventing government access to data, but on a much larger scale. While Apple restricted access to users of iPhones only, now practically every user of WhatsApp on any device is protected.
According to rules issued by the Department of Telecommunications in 2007, License Agreement for Provision of Internet Service (including Internet Telephony) mandates that private parties in India cannot use encryption that is higher than 40-bits without explicit permission from the government. Whatsapp now uses 256-bit encryption. Also, the permission is granted only if the entity that intends to use encryption submits decryption keys to the government, which in the case of WhatsApp is going to be impossible because it has implemented the encryption in a way where even WhatsApp doesn’t have the keys.
WhatsApp has puts out a one-line advisory to its users: Messages you send to this chat and calls are now secured with end-to-end encryption.
“The move is a potential security threat,” said a security official.
WhatsApp’s action came close on the heels of a legal battle between Apple and FBI over the US agency’s demand that the iPhone maker help unlock its mobile phones.
The popular messenger was being used excessively in Jammu and Kashmir by separatists and anti-national elements for spreading rumours which have often led to violent clashes.
The security agencies will be taking up the matter with the Telecom ministry to ensure that proper safeguards are in place before the services could be allowed in the country, the sources said.
In the past, the government had red-flagged BlackBerry Internet Services (BIS), BlackBerry Messenger (BBM) and BlackBerry Enterprise Servers (BES) of smartphone maker Research-In-Motion (RIM) until the company installed a server within India for real-time information to the security agencies.
“The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send that message to. No one can see that message. Not cyber-criminals. Not hackers. Not oppressive regimes. End-to-end encryption helps make communication via WhatsApp private–sort of like a face-to-face conversation.”, The Facebook-owned company said in a blog post.
According to IndiaToday, India is, however, in the process of formulating some sort of coherent encryption policy. Last year, the government floated a draft proposal for the use of encryption in India. It was a bad bad draft, which government pulled back because of criticism. One of the suggestions in the draft was that people using encrypted services will be asked to keep the decrypted data for at least 90 days. If something like that makes its way to whatever new policy the government comes up with, it will definitely make the WhatsApp illegal, especially after its decision to turn on strong encryption by default for all users across the world.
It would be interesting to watch how DOT reacts to Whatsapp’s move. The app, having more than 70 million users around in India.