WhatsApp could have accidentally entered into troubled waters here in India by enabling its end-to-end encryption for all. The new security feature by WhatsApp is not what is required by the Indian telecom rules and WhatsApp could face a ban, if the rules are not adhered to. But not yet.
After Apple’s problems with the FBI over unlocking an iPhone for retrieving encrypted data splat all over the internet, tech giants such as Apple and Google backed Apple’s decision on refraining to help the FBI to unlock the device. The major reason for Apple not helping the FBI was user’s data privacy and security norms. But the FBI managed to crack open the phone without any help from Apple, which is not a big question if the user’s data is even secure and private anymore.
In India, companies need to follow the country’s rules and adhere to specific types of encryption, which WhatsApp does not currently use. WhatsApp’s end-to-end encryption on its chat service means that WhatsApp or anyone else won’t be able to crack open its contents. Only the sender and the recipient are able to read the encrypted data. WhatsApp uses a 256-bit key for encryption of all chat messages, which is only known to the sender and the recipient.
Why is it not possible for WhatsApp to help decrypt users’ messages? “No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us,” WhatsApp founders Jan Koum and Brian Acton wrote on their blog.
However, as for the Indian rules, online services are only permitted to use up to 40-bit encryption. If they need to use higher encryption standards, they need to seek permission from the government, and the way WhatsApp is setup, it seems a bit too difficult to obtain the same. In order to get the required permissions and green flags from the Indian Government, WhatsApp needs to submit the keys, which sadly, they too actually don’t have.
Hence, indirectly, all those who are currently using the updated WhatsApp app in India are actually using it illegally, says the report.
A report by The Independent that the Indian government has not yet decided whether they will take any action on the issue and deal with WhatsApp to come to a conclusion.
However, according to the Indian encryption rules, OTT services, such as WhatsApp, do not require encryption standards like telecom operators do. Telecom service providers and internet service providers in India require a license from the DoT to provide encrypted services in India. These include internet telephony and chat services and a usage of up to 40-bit encryptions, only after depositing the decryption keys to the Telecom Authority. Since WhatsApp, Skype, Viber and such services are (over-The-Top) OTT-based and not telecom operations, they are not yet regulated in the country as they do not come under the encryption requirement laws.
The TRAI had released an OTT consultation paper back in 2015, but are yet to issue any such regulations in the matter. In the absence of such regulations, OTT services with such encryptions are presently free to operate legally in the country. However, things could change, citing lack of decryption keys and possibility of illegal activity with terrorist groups and alike on such OTT services.
In other countries, such as France, Skype was made to register with a telecom service provider in order to operate with the encryption standards it holds in place. Similarly, many other countries, including China, Germany and a few others, have also put regulatory systems in place. OTT services are well regulated in countries overseas.
Firstpost mentions Asheeta Regidi, an Indian cyber law specialist, stating, ‘WhatsApp, being an intermediary, is expected to comply with directions to intercept, monitor and decrypt information issued under Section 69 of the Information Technology Act, 2000. Complying with such a direction will now be impossible for WhatsApp in view of its end-to-end encryption. Even before the introduction of this, since WhatsApp is not a company based in India, it may have been able to refuse to comply with such directions. In fact, compliance by such companies in regard to data requests from the Indian government has been reported to be very low.’
The Independent further reported that countries like India are currently looking to pass new policies on the new encryption standards. But it is presently unclear whether these new policies will bring new requirements on WhatsApp.
The big question now is that, will India allow WhatsApp to continue in India or will it enforce a new OTT regulation which will put encrypted services like WhatsApp, Skype, Viber and others into the grey zone?