User privacy and the litigation between WhatsApp and the Indian Government over the IT Rules
IT Rules 2021 Report: Additional material
On 27 May 2021, WhatsApp took the Government of India to court over the IT Rules 2021. The IT Rules 2021 mandate WhatsApp to implement traceability i.e. the ability to trace the origins of “unlawful” messages. This effectively breaks WhatsApp’s end-to-end encryption technology implemented to safeguard user privacy. WhatsApp argues that this mandate (in the IT Rules) violates citizens’ fundamental right to privacy and freedom of speech and expression.
The IT Rules demand that social media companies, including WhatsApp, Facebook, Google and Twitter, to identify the source of an unlawful message within 72 hours.1 WhatsApp said the IL Guidelines are a violation of its rights under Articles 14 and 21 of the Indian Constitution, and also the rights of its more than 400 million users in the country.2
WhatsApp’s response is informed by how it implements privacy and user rights in its functionality.
Jan Koum grew up in Kiev, Ukraine, a society where everything you did was eavesdropped on, recorded, and snitched on. “I had friends getting into trouble for telling anecdotes about communist leaders. I remember hearing stories from my parents of dissidents like Andrei Sakharov, sentenced to exile because of his political views. Nobody should have the right to eavesdrop, or you become a totalitarian state – the kind of state I escaped as a kid to come to this country (the United States Of America) where you have democracy and freedom of speech. Our goal is to protect it. We have encryption between our client and our server. We don’t save any messages on our servers, we don’t store your chat history.”3
Brian Acton and Jan Koum founded WhatsApp in 2009 after they left their job at Yahoo!. After a few small hiccups, the app became one of the biggest global beneficiaries of the advent of the smartphone, and the attendant rise in instant messaging platforms. In February 2014, Facebook acquired WhatsApp for $19 billion and tweaked the existing business model. Data such as verified phone number, status and display picture, and frequency of using WhatsApp was shared with the parent company. Features were also added to make it more business-friendly, specifically the WhatsApp for Business application that lets businesses create their business profile on WhatsApp for free.4 Eventually, Brian Acton left Facebook in September 2017 to work on his own non-profit Signal Foundation, followed by Jan Koum who left the company amidst arguments with Facebook over data privacy and WhatsApp’s business model.5 Despite this acrimonious end, WhatsApp still retains some of the fundamental guiding values that the company was founded with.
WhatsApp is “designed for privacy”. But how is this achieved?
According to a senior representative at WhatsApp, these begin with a series of ruminations. “We think about what are the users’ choices and controls for managing their identity and privacy. We also think about what is the communication to the user and general public about our privacy guarantees. Encapsulating all of it is our end-to-end encryption, which are the privacy guarantees through the lifecycle of the message between two people, or one person and a group of people.”
The most integral feature to WhatsApp’s architecture is the guarantee of end-to-end encryption with every single interaction on the app . “This might be counter intuitive to most startups, but we think the WhatsApp server itself is a security adversary. End-to-end encryption means that the message goes from say, Alice to Bob, and nobody in the middle can intervene or look at the messages. That assumes that even though the encrypted blobs pass to our server, we have to almost treat the server as if it’s controlled by an adversary or a rogue government or even a rogue employee. It puts most of the logic on the phone, so that there’s very little risk of exposures. And the server is just a dumb router kind of passing through encrypted blobs, blobs from one place to the other.”
To further stress on end-to-end encryption and how it works, the encryption keys are exchanged between the sender and the receiver before sending the message without WhatsApp knowing about it through a cryptographic method called Diffie-Hellman key exchange. “So all that WhatsApp knows is Sender, Receiver and content (which is gibberish because of encryption), and much like a ‘dumb router’, it does not create a copy of the content after the message is delivered.” 6 You can read a simple and eloquent explainer on the Diffie-Hellman key exchange here.
WhatsApp aims to recreate a conversation in real life between two or more people - no one eavesdropping, no threat of interlopers and a sense of generalised intimacy. This is a useful analogy in understanding how their architecture works. WhatsApp also takes care to identify various threat models and build systems that counter them, including mass surveillance by governments or intelligence agencies, the WhatsApp server itself, as well as the threat of insider sabotage (in the event that an employee is compromised).7
In keeping with its foundational principles, WhatsApp has sought ways to ensure that end-to-end encryption is implemented even with the new features that it has rolled out in the past, be it WhatsApp status, stickers, voice notes and live location. Live location, in particular, is striking because WhatsApp had to work out the Diffie-Hellman key exchange for live location. The reason why the IT Rules undermine everything WhatsApp has built is because the Rules expect WhatsApp “not only keep a copy of the content for every message sent within India but also expects them to answer a question from law enforcement”, such as ‘Who sent ‘Let’s meet at the steps of the library’ first?’.6
To implement it, WhatsApp has two options:
1) They need to store the plain text of every message, which means breaking up E2E entirely.
2) They need to store the hash value of every message.
Hash values, in this context, can be regarded as a unique imprint for every message. The contents of a message are processed through a cryptographic algorithm, and a unique numerical value , the hash value, is produced that serves as a unique identifer of the content of the message. The hash value lookup is a non-starter because a Hash (encrypted message) will not be equal to a Hash (unencrypted message). WhatsApp only has access to encrypted messages. Further, the encryption keys change every message and are not known to WhatsApp at all, as established earlier with the ‘dumb router’ idea. The assumption is that WhatsApp can create an alternate end-to-end encryption technology that meets traceability requirements. However, this is a near impossible feat to do with cryptography.
These options give WhatsApp limited elbow room to fully comply with the Rules as they exist now. Which leaves us with the question: if not WhatsApp, what? A potential outcome is the advent of homegrown apps that do not have E2E which will fill the vacuum left by big players like WhatsApp or Signal in the event that such apps are banned from the country, a model similar to that of China. There is also the possibility that WhatsApp may have to develop a India-specific “no-encryption” app, a cumbersome investment that might just see the company deciding to exit India instead. 6
WhatsApp’s court case against the Government of India stems from the new IT Rules threatening its core functionality. From a technical angle, the IT Rules potentially liquidate the very tech that WhatsApp has built. This tech also defines if WhatsApp stays in business or shuts shop.
The Ministry of Electronics and Information Technology. Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. 25 Feb. 2021, egazette.nic.in/WriteReadData/2021/225464.pdf. ↩
Banerjee, Prasid. “WhatsApp Case in Delhi HC First Big Test of Privacy Law.” Livemint, 26 May 2021, www.livemint.com/news/india/whatsapps-case-against-indian-govt-could-be-first-true-test-of-right-to-privacy-11622028707630.html. ↩
Olson, Parmy. “Exclusive: The Rags-To-Riches Tale Of How Jan Koum Built WhatsApp Into Facebook’s New $19 Billion Baby.” Forbes, Forbes Magazine, 23 Apr. 2014, www.forbes.com/sites/parmyolson/2014/02/19/exclusive-inside-story-how-jan-koum-built-whatsapp-into-facebooks-new-19-billion-baby/?sh=55d1b3862fa1. ↩
Statt, Nick. “WhatsApp Co-Founder Jan Koum Is Leaving Facebook after Clashing over Data Privacy.” The Verge, The Verge, 30 Apr. 2018, www.theverge.com/2018/4/30/17304792/whatsapp-jan-koum-facebook-data-privacy-encryption. ↩
Rowan, David. “The inside Story of Jan Koum and How Facebook Bought WhatsApp.” WIRED UK, www.wired.co.uk/article/whats-app-owner-founder-jan-koum-facebook. ↩
Venkatanarayanan, Anand. “All You Need to Know about WhatsApp’s End to End Encryption.” MediaNama, 2 June 2021, www.medianama.com/2021/06/223-whatsapp-encryption-faq/. ↩↩↩
Verma, Udit. “How Does WhatsApp End-to-End Encryption Work.” Business Today, 8 Jan. 2019, www.businesstoday.in/buzztop/buzztop-feature/how-does-whatsapp-end-to-end-encryption-work/story/307998.html. ↩
The Wages Of Fear: A Compendium Of Global and Domestic Encryption Debates
This submission is part of a compendium on encryption. I would implore readers to first watch a short primer where Matt Green takes us through the specific technological developments that surround the history mentioned in this compendium. Better still, check out Matt Green’s submission End-to-end encryption: State of the Technical and Policy Debate for a deeper dive into the history of global enc… more