WhatsApp is fighting for the privacy of citizens of the world’s largest democracy. This week, the Facebook-owned messaging platform sued the Indian government in a bid to challenge new IT rules that ask messaging apps to trace the “first originator” of a message. Doing so could require WhatsApp to weaken its end-to-end encryption, revealing the identities of senders and affecting the security of its 400 million-plus users in India—and possibly billions of others worldwide.
While it is difficult to assess the possible outcomes of the lawsuit, it could potentially dictate the kind of communications technology and online safe spaces available to Indians going forward, and could set a precedent for what other governments would demand from not just WhatsApp but other secure messaging apps. Complying with these rules would endanger the fundamental right to privacy, experts say, because undermining encryption for one would mean doing so for all. Traceability and end-to-end encryption cannot coexist.
India’s internet regulations for social media platforms, messaging apps, online media, and streaming video services were passed by executive order in February. Platforms were given three months to comply, the deadline for which ended earlier this week. One of the new directives requires messaging platforms with over 5 million users in the country—which includes not only WhatsApp but Signal as well—to enable the identification of the first originator of information if demanded by a court or a government order. For content that started outside the country, those services are required to identify its first instance within India.
Currently, providers of end-to-end encrypted platforms such as WhatsApp and Signal can’t see what messages contain, which means they can’t follow the trail of specific content. Having to keep traceability on messages would not only mean treating each individual as a potential criminal subject, it would also be a cumbersome task for the company to retain large amounts of data.
“Traceability will compel end-to-end encrypted platforms to alter their architecture in a way that will negatively impact online privacy and security. They will have to develop the ability to track who sent which message to whom, and store this information indefinitely,” says Namrata Maheshwari, technology policy advocate. “This is an onerous obligation that severely undermines end-to-end encryption and puts users’ privacy, security, and freedom of expression at risk.”
The Indian government says its intention is not to violate anyone’s privacy, and that tracing will only be used “for prevention, investigation, or punishment of very serious offenses related to the sovereignty and integrity of India, the security of the state, friendly relations with foreign states, or public order, or of incitement to an offense relating to the above or in relation with rape, sexually explicit material, or child sexual abuse material.”
But those definitions leave plenty of room for interpretation. The government could trace someone who is putting out dangerous misinformation, but it could just as easily use that power to follow how political content flows between individuals or to track activists and political opponents.
“The minute you build a system that can go back in time and unmask a few people sending a piece of content, you’ve built a system that can unmask anyone sending any content,” says Matthew Green, a cryptographer at Johns Hopkins University. “There is no such thing as just collecting information from the bad guys. It’s very dangerous to start revealing this information, because you don’t know where it will end. ”
This isn’t the first time such a demand has been made of WhatsApp. The platform is facing a similar call from Brazil, its second-largest market after India. Other countries, including the US, Canada, and the UK have also pressured WhatsApp to weaken its encryption. But this is the first time the traceability requirement has been officially imposed, and in the platform’s biggest market.
“Requiring messaging apps to ‘trace’ chats is the equivalent of asking us to keep a fingerprint of every single message sent on WhatsApp, which would break end-to-end encryption and fundamentally undermines people’s right to privacy,” a WhatsApp spokesperson told WIRED via email. “We have consistently joined civil society and experts around the world in opposing requirements that would violate the privacy of our users. In the meantime, we will also continue to engage with the government of India on practical solutions aimed at keeping people safe, including responding to valid legal requests for the information available to us.”
India is WhatsApp’s largest market, and the service has become a primary means of communication there. In many cases, it’s the first app that an Indian smartphone user downloads. In 2020, WhatsApp emerged as the top app in India as users spent most of their time on it. With such a massive user base, it has over the years become not only a part of everyone’s lives, but also a platform rife with misinformation leading to real-life repercussions.
“The Modi government came to power using social media—Twitter, WhatsApp—and now they are looking at ways to control it,” says Srinivas Kodali, a digital rights activist, who avoids using WhatsApp for anything that could be controversial. “I have it for work, but all the groups with any political discourse at all have moved out of WhatsApp.”
Big tech companies and the Indian government have been at loggerheads for a while now. In April, the government asked Facebook, Twitter, and Instagram to remove posts that criticized its handling of the second wave of the pandemic. Then the government took issue with Twitter’s labeling of a politician’s tweet as “manipulated media.” Just a few days ago, Delhi police visited Twitter’s offices to serve a notice.
This year has already been a difficult one for WhatsApp. In January, when the messaging app pushed users to sign on to its controversial privacy policy, many in India decided to switch to Signal or Telegram; downloads of those apps skyrocketed. The Indian government asked WhatsApp to withdraw the policy as well. Responding to the backlash, WhatsApp splashed local newspapers with full-page ads saying, “WhatsApp respects and protects your privacy.” The backlash slowly died down as WhatsApp deferred the deadline to accept the privacy policy, and most Indians stuck with the platform.
With a possibility of encryption breaking, things are bound to change. For now, Kodali, the digital rights activist, says he will continue to use WhatsApp, because some of the people he interacts with for work are on the platform. But if the encryption policy does change, he says, he and countless others will have no choice but to switch.
- 📩 The latest on tech, science, and more: Get our newsletters!
- The Arecibo Observatory was like family. I couldn't save it
- The hostile takeover of a Microsoft Flight Simulator server
- Goodbye Internet Explorer—and good riddance
- How to take a slick, professional headshot with your phone
- Online dating apps are actually kind of a disaster
- 👁️ Explore AI like never before with our new database
- 🎮 WIRED Games: Get the latest tips, reviews, and more
- ✨ Optimize your home life with our Gear team’s best picks, from robot vacuums to affordable mattresses to smart speakers
