The encryption battle continues as WhatsApp joined the encryption wagon and showed that they support the cause of user privacy. With end-to-end encryption, messages are scrambled as they leave the sender's device and can only be decrypted by the recipient's device. It renders messages unreadable if they are intercepted by any third party. WhatsApp, which has a billion users worldwide, said file transfers and voice calls would be encrypted too. Users with the latest version of the app were notified about the change when sending messages. The setting is enabled by default.
The new revolution has cast doubts over security concerns. With encrypted messages being sent and received between the billion users, some may use it for disruptive activities.
Information Technology (Amendment) Act, 2008 provides for encryption under Section 84A. The Central Government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption. According to the law, the government can prescribe and permit encryption policies for e-commerce sites that use online payments and other important payments details in order to prevent any kind of misuse. Currently encryption is restricted to 40-bits under the telecom licensing policy regime which is quite weak by its own standards. The government, however, has legitimate need to access encrypted data for monitoring of suspected criminals and terrorists in what is considered as lawful interception. With a weak encryption, the rise of cyber crimes cannot be curbed. Phishing attacks of online banking accounts or cloning of ATM/Debit cards are common occurrences.
When it comes to telecom service providers and internet service providers a license needs to be obtained to render such services. The license brings with it a lot of restrictions which also include encryption requirements. Apps like WhatsApp, Skype and Viber are, however, neither telecom service providers nor internet service providers and for such OTT’s there are no encryption requirements, nor are there any other requirements in the name of security which these have to comply with. In the absence of any regulations at present, it’s clear that WhatsApp’s new end-to-end encryption policy is perfectly legal, even though it presents a new dilemma for the government.
TRAI’s OTT Consultation Paper notes that OTT is the service model not only for future communications and media services, but also for emerging services, such as e-commerce, m-commerce, e-health, e-education, smart grids and the digital economy in general. In 2013, the worldwide annual SMS traffic was around 8.16 trillion messages, compared to 18.3 trillion messages by OTT players. As per the report the impact of messaging in India is also in line with international trends. In India, as on December 2014, WhatsApp topped the messaging application market with 52% of all the users using OTT messaging services, followed by Facebook Messenger with 42%, Skype with 37% and WeChat with 26% share.
It further adds, “Communication services that use internet for transmission like VoIP and instant messaging have security implications primarily because they bypass the regulatory regime enforced on conventional voice and messaging services provided by TSPs. The differences between regulations for VoIP and conventional voice service have implications for telephone number management, public safety, emergency number access and national security. Without secure connections through TSPs, they present various cyber security threats.”
WhatsApp, being an intermediary, is expected to comply with directions to intercept, monitor and decrypt information issued under Section 69 of the Information Technology Act, 2000. Complying with such a direction will now be impossible for WhatsApp in view of its end-to-end encryption. Even before the introduction of this, since WhatsApp is not a company based in India, it may have been able to refuse to comply with such directions. In fact, compliance by such companies in regard to data requests from the Indian government has been reported to be very low.
India has now withdrawn draft encryption policy required service providers, from both India and abroad, which are using encryption technology, to enter into agreements with India in order to be able to provide such services. One of the suggestions in the draft was that people using encrypted services will be asked to keep the decrypted data for at least 90 days. This will include any interception, monitoring and decryption requests made under Section 69 of the IT Act. If WhatsApp refuses to comply with such a regime if ever applied that would make WhatsApp illegal in India.