A bit of math can better secure your communications than all the guns in the world combined. That is the beauty of end to end encryption which currently runs on WhatsApp. It makes messages shared between people private so that only the sender and the recipient can view what is being said. On a related note, the notification of the intermediary guidelines is likely to be completed by 15 January 2020. These updated guidelines are going to determine the future of end to end encryption.
The major trade-off here is privacy versus security. The government’s argument is that it needs to access communications between its citizens for the purposes of security. The spread of false news on WhatsApp has instigated lynch mobs and resulted in 27 reported deaths in 2017. That is exactly why in December 2018, the Ministry of Home Affairs issued an order granting powers of “interception, monitoring, and decryption of any information generated, transmitted, received or stored in any computer”, to ten central agencies. But when platforms use end to end encryption, the interception of information might not be of much use if the government does not have a key for the encryption. The amendments in the intermediary guidelines call for allowing platforms such as Telegram and WhatsApp to “..enable tracing out of such originator of information on its platform as may be required by government agencies who are legally authorised”.
The other side of the coin here is privacy. There is no way for platforms to take away encryption from criminals but leave it intact for others. If intermediaries allowed traceability and compromised end to end encryption, the sender of each message would be identifiable to WhatsApp and by extension, the government. And while the encryption provides a shield of anonymity to trolls and spreaders of misinformation, it also gives assurance to people who would otherwise have been silenced or suppressed. Think whistleblowers and political protesters. End to end encryption allows those people to avoid the fear of being targeted. Also, encryption on content extends into more routine aspects of life. For instance, WhatsApp is a platform where people can talk about personal and sensitive parts of their life, such as a disease or mental health issues, and rest assured that Facebook, the internet, and the government won’t target them using that information. At a personal level, the fact that end to end encryption keeps communications private between the participants is reason enough not to break it. In the age of the contemporary internet, privacy is a luxury that is being provided at scale.
In addition, there are a host of questions on the side of implementation. For instance, the guidelines are applicable to all intermediaries that have more than 50 lakh users. There is no clarity on whether that means all registered users, daily active users or even monthly active users. Moreover, how will the government know if platforms have met that threshold and keep track of all the intermediaries that pop up on the App Store/Play Store? More fundamentally, who is an intermediary? Does Google Docs count as a platform, as it also has a chat feature? Are online games also subject to this?
Even if all of these are resolved, the 50 lakh threshold might mean that criminals can just move to smaller, lesser-known platforms that offer end to end encryption, taking away significantly from the effectiveness of the exercise.
Adjusting the trade-off between privacy and security is a thankless task that more often than not is likely to be decided by the values and interests of the people in power. The job at hand here is to make sure that a robust set of processes is put in place if end to end encryption is to be broken. We need to have transparency and install the highest standards of due process to make sure that should traceability be enabled, it is not abused (a similar precedent for which has been set by the NSA).
There needs to be transparency around the process that lets people know who is seeking the data. Standards need to exist around the specificity of what accounts and data can be targeted to prevent requests for bulk data. The request for access should be backed up by justification of credible facts, all of which should be subject to review by an independent entity or a judge.
None of these provisions currently exist around the intermediary guidelines, nor is there any indication that they are being considered. The cons of enabling traceability and breaking end to end encryption outweigh the pros subjectively.
However, if the government is going to go ahead with this and include the clause in the January 2020 notification, then it should do this right by placing adequate oversight and safeguards in the amendments.
This article was first published in Asian Age.
(Rohan is a policy analyst at the technology and policy programme at The Takshashila Institution. Views are personal.)