Last night WhatsApp turned on encryption within the app. This means, by default, if you are using the latest version of WhatsApp all your communication through the app will be encrypted. This also – probably, and that is a big probably – makes WhatsApp illegal in India.
The seven-year-old instant messaging app, WhatsApp, has gained a bit of notoriety over the last couple of days with its new encryption option. What that probably means is that the messaging app, which has so religiously fostered the following it has right now, might just find itself on the wrong side of the law.
WhatsApp recently added 256-bit encryption to its service.
What that means is that the end-to-end encryption on the app allows complete privacy from prying eyes – cyber criminals we mean, for the most part. End-to-end encryption is a system of communication where only the two parties involved can see the data. It does not allow any third party access to the data, and this includes telecom providers, Internet providers and the company that runs the messaging service, which means that even WhatsApp itself can’t undo the encryption. This is available with the app’s latest updated version and is already in play. Now, this doesn’t stop people who grab your phone and flip through the messages, but you get the idea.
The reason for the legal trouble? Our IT laws and rules are so outdated that a case can be made against WhatsApp because it now uses 256-bit encryption by default.
This is legally a grey area and, given that WhatsApp is popular in India, the government may not go after it, but in theory it can very well declare the chat app illegal. None of the Indian IT-related regulations permit 256-bit encryption in private services, although none of them specifically outlaw it either. But there are some guidelines issued by the Department of Telecommunications (DoT), which the government can use to term WhatsApp illegal.
According to rules issued by DoT in 2007, the License Agreement for Provision of Internet Service (including Internet Telephony) mandates that private parties in India cannot use encryption that is higher than 40 bits without explicit permission from the government.
Also, the permission is granted only if the entity that intends to use encryption submits decryption keys to the government, which in the case of WhatsApp is going to be impossible because it has implemented the encryption in a way where even WhatsApp doesn’t have the keys.
Now, the interesting bit here is that WhatsApp is not an ISP, nor does it need any DoT licence to offer its services in India. So it is not clear whether the encryption rules formulated by DoT apply to it or not. However, due to the lack of clarity in this matter, the government can, if it wants, clearly chase WhatsApp out of the country with its 40-bit stick.
India is, however, in the process of formulating some sort of coherent encryption policy. Last year, the government floated a draft proposal for the use of encryption in India. It was a bad, bad draft, which the government pulled back because of criticism. One of the suggestions in the draft was that people using encrypted services will be asked to keep the decrypted data for at least 90 days. If something like that makes its way into whatever new policy the government comes up with, it will definitely make WhatsApp illegal, especially after its decision to turn on strong encryption by default for all users across the world.
Whatever the case, it seems that the government may be reforming some of its regulations to include a provision for this app specifically. Hopefully, it is in our favour.