On June 29, the Supreme Court will hear a writ petition to ban messaging app Whatsapp on the grounds that the end-to-end encryption adopted by it in April this year could be a threat to national security.
“India sits in a turbulent geographical neighbourhood. Applications like whatsapp would allow terrorists to easily exchange information and the government will never get to know,” Sudhir Yadav, an Right To Information (RTI) activist from Haryana, who filed the PIL in May this year, said.
Whatsapp introduced 256-bit end-to-end encryption on April 5 this year. What this means is that chats, images, videos, calls, voice messages and files exchanged between two or more whatsapp users cannot be read by third parties or whatsapp itself, until they have the private key or the computational power to try out 2^(256) combinations.
Whatsapp’s Encryption Overview states that whatsapp servers do not have the private keys of users to decrypt their chats, so they will not be able to help the government in extracting information about a suspected individual, if need be. “And the government will need to spend great time and money in trying out 2^(256) combinations,” Yadav said.
Whatsapp is an over-the-top (OTT) service and thus, its encryption standards aren’t as stringent as those for telecom service providers (TSPs). According to the Department of Telecommunication’s guidelines for grant of licenses to TSPs, 2007, “individuals/groups/organisations are permitted to use encryption upto 40-bit key length without having to obtain permission from the licensor”, but “if encryption equipments higher than this limit are to be deployed, individuals/groups/organizations shall do so with the prior written permission of the licensor and deposit the decryption key with the licensor.” No such permissions are required for OTTs. Yadav said that the government can at least issue such guidelines for OTTs if they don’t want to ban them completely.
“I think Whatsapp’s decision to bring in end-to-end encryption is a revolutionary step towards ensuring that citizens have a right to privacy. E2E encryption should stay but when the government requires information on suspects, Whatsapp should be able to deliver. That is all,” Yadav said.
He added that the process to determine if governments should get access to privacy keys should be a judicial one – governments must prove in court that the matter is one that compromises national security and warrants surveillance. Then, surveillance should be allowed for a limited time frame, say 7-10 days, after which, access should be denied for further surveillance if the government does not have conclusive proof against individuals being spied upon.
Encryption protocols have always ignited debates on the appropriate balance between privacy and national security. In Brazil for instance, Judge Marcel Montalvao in the north-eastern town of Lagarto, in Sergipe state called for a 72-hour nationwide ban on WhatsApp on May 2 because it failed to hand over information about drug traffickers discussing their business on the app.