WhatsApp is fighting for the privacy of citizens of the world’s largest democracy. This week, the Facebook-owned messaging platform sued the Indian government in a bid to challenge new IT rules that ask messaging apps to trace the “first originator” of a message. Doing so could require WhatsApp to weaken its end-to-end encryption, revealing identities of the sender and potentially affecting the security of not only its more than 400 million users in India, but potentially billions of others worldwide.
While it is difficult to assess the possible outcomes of the lawsuit, it could potentially dictate the kind of communication technology and online safe spaces Indians would have available going forward, and could set precedent for what other governments would demand from not just WhatsApp but other secure messaging apps Complying with these rules would endanger the fundamental right to a person’s privacy, experts say, because undermining encryption for one would mean doing so for all. Traceability and end-to-end encryption cannot co-exist.
“This is an onerous obligation that severely undermines end-to-end encryption.”
Namrata Maheshwari, Technology Policy Advocate
India’s internet regulations for social media platforms, messaging apps, online media, and streaming video services were passed using an executive order in February. Platforms were given three months to comply, the deadline for which ended earlier this week. One of the new directives requires messaging platforms with over five million users in the country—which includes not only WhatsApp but Signal as well—to enable the identification of the first originator of information if demanded by a court or a government order. For content that started outside the country, those services are required to identify its first instance within India.
Currently, providers of end-to-end encrypted platforms such as WhatsApp and Signal can’t see what messages contain, which means they can’t follow the trail of specific content. Having to keep traceability on messages would not only mean treating each individual as potential criminal subjects, but it would also be a cumbersome task for the company to retain large amounts of data.
“Traceability will compel end-to-end encrypted platforms to alter their architecture in a way that will negatively impact online privacy and security. They will have to develop the ability to track who sent which message to whom, and store this information indefinitely,” says Namrata Maheshwari, technology policy advocate. “This is an onerous obligation that severely undermines end-to-end encryption, and puts users’ privacy, security, and freedom of expression at risk.”
The Indian government says that its intention is not to violate anyone’s privacy, and that tracing will only be used “for prevention, investigation or punishment of very serious offenses related to the sovereignty and integrity of India, the security of the state, friendly relations with foreign states, or public order, or of incitement to an offense relating to the above or in relation with rape, sexually explicit material, or child sexual abuse material.”
But those definitions leave plenty of room for interpretation. The government could trace someone who is putting out dangerous misinformation, but could just as easily use that power to follow how political content flows between different individuals, or to track activists and political opponents.
“The minute you build a system that can go back in time and unmask a few people sending a piece of content, you’ve built a system that can unmask anyone sending any content,” says Matthew Green, a cryptographer at Johns Hopkins University. “There is no such thing as just collecting information from the bad guys. It’s very dangerous to start revealing this information, because you don’t know where it will end. ”
This isn’t the first time such a demand has been made of WhatsApp. The platform is facing a similar call from Brazil, its second-largest market after India. Other countries, including the US, Canada, and the UK have pressured WhatsApp to weaken its encryption. But this is the first time the traceability requirement has been officially imposed, and in the platform’s biggest market.