Above: Illustration by Rajender Kumar
The centre’s efforts to convince the company to enable surveillance of messages and trace the origin of a forward seem unfair as it would dent the integrity of the platform
~By Na Vijayashankar in Bengaluru
Recently, the government was concerned with the misuse of WhatsApp for spreading hatred, violence and disharmony in society through fake messages or otherwise mischievous or malicious messages. It is now contemplating many technical measures to stop the menace and trying to convince WhatsApp to enable surveillance of messages and introduce tags to trace the origin of a forwarded message.
The government is trying to convince WhatsApp to enable it to monitor messages which may require decryption. The end-to-end encryption used by WhatsApp allows it to encrypt an outgoing message in the sender’s device using a device/user specific key which can be decrypted at the receiver’s end. In between, the message travels through the WhatsApp server and if the recipient downloads the message, it is deleted from the server. In case the addressee is not connected to the internet, the message is held in the server for some time (30 days) before being purged.
In this process, WhatsApp does not have access to decrypted messages, though technically, it may be in a position to pick up the decryption key from the recipient and decrypt it. Since the message lies in an encrypted state throughout the transit, it is not amenable to any interception. If the government insists on plain text transmission or availability of decryption keys to third parties, the integrity of the messaging platform would be affected and there would be serious security consequences.
In the current scenario, WhatsApp maintains the status of an “intermediary” under Section 2(w) of the Information Technology Act, 2000/8 by not selecting the sender of the message nor the message itself for transmission on its platform and being a non-invasive technical platform. If it starts moderation of messages, it will lose the status of being an “intermediary” and would be required to follow reasonable security practices either under ITA, 2000/8 or under the proposed Personal Data Protection Act, 2018. It is unfair for the government to insist that WhatsApp change its current business model which will make it vulnerable to legal liability by forcibly converting an “intermediary” to a “data controller/data fiduciary”.
The “creator” of a group and subsequently, the “admin”, also is considered an “intermediary” except when he uses the group as a “broadcast group” where only the admin can post. Even the admin/creator would lose the protection of Section 79 of ITA 2000/8 as an “intermediary” if he starts moderating all the messages. Moderation is, however, a feasible technical option that can be implemented if required and so is an introduction of an automatic time delay for delivery of messages to prevent its use in short-term emergency situations. But such measures will substantially dilute the utility/popularity of the WhatsApp messaging system.
Also, in times of crisis such as disasters, immediate transmission of messages is necessary for victims to get in touch with their rescuers. If this feature is removed, there could be many more deaths of innocent persons than what we are now trying to prevent by changing the current WhatsApp format from an unmoderated immediate messaging system to a moderated sandboxed system. Hence, moderation or introducing automatic time delay of messages is not a desirable option.
As an intermediary, however, both the WhatsApp company as well as the admin of an individual group will be required to follow “due diligence” as envisaged under Section 79 if they are considered as “intermediaries” under ITA, 2000/8. What exactly this “due diligence” means needs to be either defined by the government under supplementary rules of Section 79 of ITA, 2000/8 or it should be evolved as the best practice in due course. For this purpose, we should recognize that WhatsApp is a closed group messaging platform that enables a known group of users to easily exchange messages from their mobile phones or web, and is not a publishing platform.
The other suggestion that the government is discussing with WhatsApp is to add traceability of a message by putting a tag on it so that when it is forwarded from device to device, it can be traced. At present, every message carries a meta tag of the mobile identity of the sender. Hence, traceability is already available, but only to the immediate previous level. It is for the investigating authority to trace it back from one previous device to another previous device and so on. It appears that the government is not satisfied with this and wants the messages to be tagged with a chain of source-related meta-tags.
If the government wants to identify the origin of malicious messages, every message has to be tagged with the hash of the original message when it was first created. At every subsequent forward, the server has to check the hash once again and if it has changed, a new message ID and new hash have to be added to the meta tag with or without removing the earlier hash value. This solution will, however, fail if the person forwarding the message just adds a comma, space or dot to the earlier message so that it looks like a new message and breaks into a forked message chain.
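The tagging scheme and its failure case from the paragraph above, as an added sketch that is not from the article or from WhatsApp. It assumes the relay can see the message text in order to hash it; `TaggingServer`, `relay`, `trace` and the sender names are hypothetical.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Tag:
    message_id: int
    hashes: tuple  # content hashes carried in the meta tag, oldest first


class TaggingServer:
    """Hypothetical relay applying the hash-tag scheme described in the text."""

    def __init__(self, retain_history=True):
        self.retain_history = retain_history  # keep or drop earlier hashes
        self.first_seen = {}                  # content hash -> first sender
        self._next_id = 1

    def relay(self, sender, text, tag=None):
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        self.first_seen.setdefault(digest, sender)
        if tag is not None and tag.hashes[-1] == digest:
            return tag  # unchanged forward: the tag travels as is
        # New or altered content: new message ID, new hash added to the tag.
        keep = tag is not None and self.retain_history
        history = tag.hashes if keep else ()
        new_tag = Tag(self._next_id, history + (digest,))
        self._next_id += 1
        return new_tag

    def trace(self, tag):
        """Senders who first introduced each hash in the tag, oldest first."""
        return [self.first_seen[h] for h in tag.hashes]


def demo():
    server = TaggingServer()
    text = "Constructed sample message"       # constructed input
    t1 = server.relay("alice", text)          # original creation
    t2 = server.relay("bob", text, t1)        # plain forward, same tag
    t3 = server.relay("carol", text + ".")    # re-sent as new text, one dot added
    return server.trace(t2), server.trace(t3)


if __name__ == "__main__":
    print(demo())  # (['alice'], ['carol'])
```

With `retain_history=False`, even an edited forward that still carries its tag traces only to the person who edited it.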
It appears that somebody with a wrong idea of a Bitcoin blockchain system has corrupted the minds of the government. The data load which such a messaging system would add to the transmission system would be undesirable from a technical and usage perspective. Perhaps the government may be alternatively thinking that the message would neither be hashed nor encrypted but would be analysed using Artificial Intelligence to add a traceability factor. But this would be overkill for the problem. If attempted, it has to be also done for other services, including Gmail and Facebook. Singling out WhatsApp will surely be discriminatory and the Supreme Court is unlikely to allow such an act.
Coming to the role of admins, the main due diligence an admin has to follow is to see that “no unknown person is admitted into the group” and that the group members identify themselves properly to other group members without hiding behind false names and false profile pictures. When there is an offending message traced to the group, the admin’s responsibility would be to provide the mobile ID as registered by the suspect. Beyond this, the police need to check on the mobile ID and continue their investigation. At best, the admin can introduce a group policy and take action to remove a member if the policy is violated.
Considering the above, it is preferable to allow WhatsApp to retain its intermediary status by not meddling with the message in any form. Current handling by WhatsApp is reasonably non-invasive and should be good enough. The only additional due diligence that can be considered is to identify the sending of messages through the web along with the IP address. But this can perhaps be done better at the ISP level and may not require tweaking at the app level.
The government should, therefore, refrain from expecting major changes to the WhatsApp system. Instead, it should focus on the current provisions of ITA, 2008 to issue a supplementary guideline under Section 79 to be used by all message application admins which should incorporate the strict implementation of “admin must know the member” and “member must use his real identity in the group”. This is completely within the control of the government. This would also be the correct approach in terms of preservation of privacy and freedom of expression without sacrificing security requirements.