Has WhatsApp broken Indian cyber laws by offering 256-bit end-to-end encryption? IT Act and privacy experts say it hasn’t
The Web is abuzz with how WhatsApp may have become illegal in India with the impending 256-bit end-end-to-end encryption that it launched recently across the globe. So, how true are these reports? Is WhatsApp really illegal in India? And should you be worried? Has WhatsApp done a bad thing by offering end-to-end encryption to its users?
The end-to-end encryption message (circled) WhatsApp users received after the recent update
Firstly, no encryption is bad. It is either weak or strong. And currently 256-bit is one of the most secure modes available. What the WhatsApp encryption means for end-users like you is that all your messages and videos that you send on WhatsApp can’t be intercepted or read by anyone while in transit, either by law enforcement agencies or the engineers at WhatsApp. So, that’s a good thing, right?
“Yes, for users. But for law enforcement agencies, it means more payload and extra work,” says Sunil Abraham, executive director, Centre for Internet and Society. “But even then, if WhatsApp offers the metadata to the Government of India, it will be able to decode the messages. It will just take longer.”
And as far as the information technology and telecommunication related rules go, which some has been referring to as the possible source for making WhatsApp illegal, since some of them restrict bulk encryption to 40-bits, Apar Gupta, a practitioner of IT laws in India, and author of the book, Commentary on Information Technology Act, says they don’t apply on WhatsApp.
“I do not think there’s any illegality in WhatsApp offering end-to-end encryption. The provision for bulk encryption restriction that exists in the telecom licences and not under the IT Act. This applies only to Telecom Service Providers and Internet Service Providers and not to Web services like WhatsApp,” he says.
In fact, the Data Security Council of India (DSCI) in 2009 recommended changes to the encryption rules with the use of 256-bit AES encryption. However, no changes have yet been made yet.
Also Reserve Bank of India has made it mandatory for all banks to use 128-bit encryption for online transactions. So, if the restrictions were true, all these services are illegal too, experts said.
So, has WhatsApp done something bad? No, it is the best thing that could happen to social messaging, believes Nikhil Pahwa of Medianama. “End-to-end encryption means more privacy and security to users,” he says.
Mishi Choudhary, executive director, Software and Freedom Law Centre, adds, “Indian law should catch up with the change in technology and realities of the present day communications structure. What WhatsApp has done is make communications secure for everyone – the correct direction in which most services will and should move if they wish to retain the trust of their users.”
So, the whole brouhaha may just be a case of premature paranoia. But one that seems to have emerged out of the recent behaviour of the government towards privacy in India.
“You have to understand that this is the same government which said in front of the Supreme Court that privacy is not guaranteed as per the Indian Constitution and came up with a Draft Encryption Policy which required users of social messaging apps to store their messages in plain text,” adds Pahwa.
Did you know?
Encryption in social messaging apps is not new. There are several other services like Telegram and Signal (earlier TextSecure and Redphone) that offer end-to-end encryption. The enterprise version of the Blackberry Messenger (not the individual one that most of us are using) is also end-to-end encrypted.