Can the Government Read my WhatsApp Messages?

Government surveillance, internet shutdowns and more: Decrypting the novel telecom bill

By Medhavi Mishra
A user using WhatsApp on her mobile phone | Photo courtesy: Special arrangement

The Department of Telecommunications (DoT), which comes under the Ministry of Communications, recently released the Draft Indian Telecommunications Bill 2022 for public consultation. It was expected to be a progressive bill consolidating and replacing three current colonial laws governing the telecom industry: the Indian Telegraph Act, 1885, the Wireless Telegraphy Act, 1933, and the Telegraph Wires (Unlawful Possession) Act, 1950. However, it has been greeted with raised eyebrows by concerned digital rights organisations over the surveillance and internet shutdown mechanism it proposes.

Encryption. Interception. Surveillance. Privacy. With buzzwords afloat on the internet, for a common man, it really just comes down to, “Can the government read my WhatsApp texts?” Well, fortunately, not YET and here’s why! The 40-pager draft Bill proposed by the government could play with individuals’ privacy in the near future.

Messaging apps included in Telecom Services now

With the new Bill, the government has widened the definition of ‘Telecommunication Services’ under Clause 2 to include interpersonal communications services, machine-to-machine communication services and OTT (Over-The-Top) communication services/platforms. This means that all the messaging apps such as WhatsApp, Signal, and Telegram will come under this Bill’s ambit and hence shall be regulated.

Social apps on a mobile phone | Photo courtesy: Special arrangement

Will this include video call services as well? Since video call services like Google Meet, Facetime and Zoom are all OTT services, they too shall be covered by the Bill. Today, from matrimonial websites to online reselling shops, almost all browser-based platforms have a messaging option within them. However, the Bill on this front is unclear and ambiguous, to say the least. Since the phrase ‘OTT communication services’ has not been particularly defined in the Bill, it is difficult to state whether such browser-based services will come under its regulatory ambit or not.

The Bill also proposes licensing requirements for all telecommunication services; hence, it may be rightly concluded that these OTT communication services may also require a licence to operate. Currently, these services are regulated by the Information Technology Act, 2000 and its subsequent rules. However, if this Bill goes on to become an Act in its current form, there will be a regulatory overlap.

Encryption debate and interception 

Chapter 6 of the Bill deals with “Standards, Public Safety and National Security,” which proposes provisions for Public Emergency or Public Safety. Clauses 24(2)(a) and 24(2)(b) are being called out by digital rights organisations for infringing privacy and freedom. These clauses empower the government to stop transmission and allow interception of messages/calls in the “interest of the sovereignty, integrity or security of India, friendly relations with foreign states, public order, or preventing incitement to an offence”.

Messaging platforms such as WhatsApp, Telegram and Signal use end-to-end encryption so that the messages are not stored and remain private to the users. However, the Bill seems to disrupt such an arrangement. The very colonial laws the Bill sought to replace have been glued tight.

Representative image for data encryption | Photo courtesy: Special arrangement

Currently, Section 5(2) of the Indian Telegraph Act, 1885, allows for the interception of messages through the telegraph, furthering the surveillance interests of the government. The new Bill replaces the section with Clause 24(2)(a), which is even more draconian as it authorises the surveillance of ‘telecommunication services or telecommunication network’. The draft Telecommunication Bill seems to be an attack on end-to-end encryption and people’s fundamental rights.

Why is end-to-end encryption so important?

In the words of Pranav Bhaskar Tiwari, Technology Law & Policy Expert, “In this digital age, encryption technology plays a key role in our lives. From ensuring our right to privacy while we communicate online to secure banking, we are all dependent on encryption. Encryption is a key enabler of free speech, empowering members of marginalised communities, including women, Dalits, and LGBTQ+ community members, to voice their dissent behind the garb of encryption-enabled anonymity. Encryption is most crucial for journalists and activists who use it for their own safety and that of their sources. The government relies on encryption too, for securing critical information infrastructure (like Aadhaar) and for communicating securely.”

He further explains that “Encryption technology is the first, and in most cases, the only layer of security, within a user’s control. When you send a text to your friend over WhatsApp or Signal, the Signal Protocol (used by both platforms) converts your message into gibberish (ciphertext) which is only converted back to plaintext after landing on your friend’s phone via the encryption key. End-to-end encryption technology ensures that only the two ends of the communication, i.e., the sender (you) and the receiver(s) (your friend), have access to the encryption key that can convert the ciphertext to plaintext.”

Representative image for personal data protection | Photo courtesy: Special arrangement

After the Snowden revelations, users were concerned about their privacy. This was when cryptographers developed a system in which users did not have to trust anybody. In end-to-end encryption, only the sender and receiver can access the encryption key. No government or platform (not even WhatsApp or Signal) can read our messages.

End-to-end encryption or E2EE is a method of secure communication that prevents third parties, hackers and attackers from accessing data while it’s transferred from one end system or device to another. In E2EE, the data is encrypted on the sender’s system or device, and only the intended recipient can decrypt it. As it travels to its destination, the message cannot be read or tampered with by an internet service provider (for example, Airtel, Jio and the like), application service provider, hacker or any other entity or service. The OTT communications services that are being dragged into the ambit of this Bill use this technology to retain users’ privacy.

Nikhil Naren, Chevening Scholar, author and Advocate at Scriboard Advocates and Consultants, says, “The ambit of ‘telecommunications’ and ‘telecommunications network’ has widened over the years with the ever-growing use of internet-powered applications/tools. Keeping in mind the current form of the draft Telecommunications Bill, 2022, it will lead to a compromise of various encryption mechanisms currently in place”.

Clause 24(2) of the draft bill mentions - prevention, interception, or disclosure in the interest of ‘national security’. “What may be worrying for a lot of us is the amount of due diligence put in by the respective governments before invoking such rights. I also fail to differentiate much between the proposed ‘new law’ as Rule 2(f), 2(g), 2(h), and 2(i) of The Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009 were also aimed at loosening/breaking encryption. Therefore, the way forward may not be in deciding between what is more important - privacy or public safety, but rather in regulating and delicately balancing the two. The growing encryption standards are bound to complicate things further that may force law enforcement agencies to fight encryption with encryption, something we witnessed in Operation Trojan Shield,” says Naren.

Representative image for privacy and data security | Photo courtesy: Special arrangement

The Surveillance Debate

Shruti Shreya, Program Manager at The Dialogue, sheds light on the issue: “Some of the key concerns related to surveillance in the existing legal framework continue in the new draft bill, like the authorisation mechanism of interception within the executive wing without parliamentary or judiciary oversight, lack of principles guiding the state to determine safe tools for surveillance, and the absence of a prescribed limit on the amount of data that can be accessed through interception. As the government undertakes consultation on the Bill, it will be important to ensure greater deliberation on these crucial aspects to ensure a more robust regulatory architecture which furthers national security while also securing the fundamental right to privacy of the citizens through a more precise, proportionate and purposive framework.”

The state is allowed to “intercept, monitor, and decrypt any information for protecting sovereignty, national security, friendly relations with international governments, integrating public order, etc...,” under Section 5(2) of the Indian Telegraph Act of 1885 and Section 69 of the Information Technology (Amendment) Act of 2008. However, there are certain gaps in this regulatory framework for monitoring, raising issues about how it affects citizens’ rights and raising worries about how such a large scope can damage the country’s democracy. The laws now have gaps that allow state actors to conduct targeted monitoring at their discretion in the absence of adequate checks and balances.

Pranav states that “The encryption technology is also used by bad actors for nefarious purposes like spreading child sexual abuse material, sharing fake news and hate speech, hatching criminal conspiracies amongst others. For these reasons, the government seeks to identify the senders of these messages (and also intercept the communication via Clause 24 of the Telecommunications Bill, 2022). Such identification of parties and interception of communication is not possible on end-to-end encrypted platforms, and a legal mandate enforcing one would technically break encryption. This will lead to multiple challenges. In addition to tumultuous violations of human rights, businesses will also be impacted. Also, any mechanism developed for exceptional access to encrypted communication by law enforcement can also be misused by bad actors. More importantly, the moment bad actors get a whiff that an encrypted platform has been compromised and is sharing information with the government, the savvy criminals will simply shift to another unregulated encrypted platform or develop their own encrypted platform as the technology to develop it is publicly available on GitHub. The encryption genie is out of the bottle.”

Pranav further explains this as “the law which renders every citizen’s data susceptible to cyberattacks by weakening encryption cannot catch the savvy criminals but only the ones who aren’t technologically adept. Moreover, weakening encryption is not the only way to catch criminals online. Platforms like WhatsApp share metadata with the government. Streamlining the metadata sharing process with the privacy norms in the Puttaswamy judgement, enhancing law enforcement’s metadata analysis capabilities, and institutionalising judicial or parliamentary checks and balances on such surveillance mechanisms will go a long way in tackling cyber crimes. If encryption is weakened and the criminals shift to another platform, then the law enforcement will not even have access to metadata which is crucial for catching criminals. Any effort to regulate a complex technology like encryption must entail dedicated consultation with technical experts to appreciate the technology. Else we may end up with more challenges than we seek to resolve.”

Representative image for KYC | Photo courtesy: Special arrangement

Identifying Users – A KYC?

With the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the Central Government required social media “intermediaries” to trace the originator of content/information so as to identify the individual. The draft Personal Data Protection Bill that was recently withdrawn in Parliament also proposed a voluntary user verification mechanism. Now, Clause 4 of this draft bill requires the telecommunication services that acquire a licence to “unequivocally identify the person to whom it provides services, through a verifiable mode of identification as may be prescribed.” It further requires that the user identity of the person transmitting the message be made available to the user receiving such a message. One of the perks of the internet was the ability to stay anonymous, and the provision particularly aims to put an end to it. Hence, the service providers / intermediaries / telecommunication services would now be obligated to identify every user on their platform.  

Lobbying by the telcos?

Experts suggest that the inclusion of OTT communication services within the definition of telecommunication services to bring them under government regulation is a result of extensive lobbying by telecom giants and their lobbies. The giant telecom companies or traditional telecom service providers have been consistently demanding the regulation of OTT communication services as they claim these services are ‘alternatives’ to the traditional service. There have been reports of losses to these companies as a result of users shifting to such platforms. These traditional service providers blame instant messaging services for their declining revenues.

According to a preliminary analysis report by Internet Freedom Foundation, the theory checks out. The IFF’s findings state: “Both voice and data usage have seen a significant increase in the past few years. This exploded after Q2, 2016 when Reliance Jio started its services. The rate of growth is increasing and more people are coming online. This massive growth has coincided with a drop in per-user revenue for the major telecom players. Such fall appears to be due to a hyper-competitive environment after the entry of Reliance Jio. However, with a wave of consolidation, this period may soon end. These trends are as per statements in the press by leading executives of telecom companies and analyst reports such as Moody’s and Fitch.”

Internet Shutdowns 

Software Freedom Law Centre, India, has been tracking internet shutdowns and suspension of services in India since 2012. The track record may be found at internetshutdowns.in/. Shockingly, India leads in the number of internet blackouts, more than any other nation in the world. As per SFLC data, India has suffered 683 internet shutdowns since 2012 and 543 such shutdowns have occurred since 2018. The draft telecom bill only furthers this tendency of the government. In Chapter 6 of the draft bill, Clause 24(2)(b) empowers the government to impose internet shutdowns. As has been observed previously, suspension of the internet has been ordered on insubstantial grounds such as preventing cheating in examinations and protests.

The Bill provides no judicial mechanism for such suspensions. The Supreme Court in Anuradha Bhasin vs Union of India stated that freedom of expression and conducting business through the internet are rights protected under Articles 19(1)(a) and 19(1)(g) of the Constitution. The mechanism for the suspension of internet services is prescribed under the Temporary Suspension of Telecom Services (Public Emergency or Public Safety) Rules, 2017. In the Anuradha Bhasin case, the Court has read into the procedural safeguards of the Telecom Suspension Rules. However, there’s no reform in the new Bill. 

Diluting the powers of TRAI

The central government seeks to amend the TRAI Act and dilute the powers of the Telecom Regulatory Authority of India. The present and functioning legislation requires the government to obtain recommendations / views from TRAI before issuing a licence to any service provider. However, the new Bill takes TRAI out of the picture and empowers the Central Government to take that decision.

Takeaway 

The explanatory note attached to the draft bill states that we now live in the era of new technologies such as 4G and 5G, Internet of Things, Industry 4.0, M2M Communications, Mobile Edge Computing and the like, further acknowledging that these technologies are creating newer opportunities for India’s socio-economic growth, which is why India needs a legal framework attuned to the realities of the 21st century. However, the draft bill, on the contrary, fails to put it to work as it is not equipped with appropriate provisions to address the new technologies that will affect telecommunications.

(Please note: Change can only occur when public participation in government policies exists. Comments on the draft Indian Telecommunications Bill 2022 from relevant stakeholders have been invited till October 20, 2022 by the government of India. The comments can be sent to [email protected]. Check out the full draft Indian Telecommunications Bill 2022 here:
https://dot.gov.in/sites/default/files/Draft%20Indian%20Telecommunication%20Bill%2C%202022.pdf)