WhatsApp on Wednesday fired a legal salvo against the Indian government to block new regulations that would require messaging apps to trace the "first originator" of messages shared on the platform, thus effectively breaking encryption protections.
"Requiring messaging apps to 'trace' chats is the equivalent of asking us to keep a fingerprint of every single message sent on WhatsApp, which would break end-to-end encryption and fundamentally undermines people's right to privacy," a WhatsApp spokesperson told The Hacker News via email. "We have consistently joined civil society and experts around the world in opposing requirements that would violate the privacy of our users."
With over 530 million active users, India is WhatsApp's biggest market by users.
The lawsuit, filed by the Facebook-owned messaging service in the Delhi High Court, seeks to bar new internet rules that come into force effective May 26. Called the Intermediary Guidelines and Digital Media Ethics Code, the rules require significant social media intermediaries — platforms with 5 million registered users in India and above — to remove non-consensual sexually explicit content within 24 hours, and appoint a resident grievance officer for acknowledging and addressing complaints from users and victims.
The reduced timelines for takedowns aside, also buried among the clauses is the traceability requirement —
Significant social media intermediaries providing services primarily in the nature of messaging shall enable identification of the first originator of the information that is required only for the purposes of prevention, detection, investigation, prosecution or punishment of an offence related to sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order or of incitement to an offence relating to the above or in relation with rape, sexually explicit material or child sexual abuse material punishable with imprisonment for a term of not less than five years. Intermediary shall not be required to disclose the contents of any message or any other information to the first originator.
The lawsuit arrives at a crucial juncture as governments around the world have stepped up to regulate internet platforms for reasons as varied as financial fraud, stifling competition, inciting violence, and spreading misinformation, hate speech, and obscene content. WhatsApp is also locked in a similar legal battle with Brazil over a proposed legislation that "would force companies to add a permanent identity stamp to the private messages people send."
Much of the debate around traceability on end-to-end encrypted platforms has centered around whether it is possible to identify the originator of a message without diluting encryption.
WhatsApp, for its part, has long argued against incorporating traceability as it would not only force companies to collect more data about the kind of messages being sent and shared and the identities behind them, but also subvert users' expectation of secure and private messaging.
Adding such a requirement would mean breaking WhatsApp's end-to-end encryption (E2EE), which secures messages from potential eavesdroppers – including telecom providers, internet service providers, and even WhatsApp itself — from being able to access the cryptographic keys necessary to decode the conversation.
"Traceability is intended to do the opposite by requiring private messaging services like WhatsApp to keep track of who-said-what and who-shared-what for billions of messages sent every day," the company said.
"Traceability requires messaging services to store information that can be used to ascertain the content of people's messages, thereby breaking the very guarantees that end-to-end encryption provides. In order to trace even one message, services would have to trace every message."
The Indian government, on the other hand, has proposed that WhatsApp assign an alphanumeric hash to every message sent through its platform or tag them with the originator's information to enable traceability without weakening encryption. But both the solutions have been decried by WhatsApp and cryptographic experts, who say the methods would wholly undermine the platform's end-to-end encryption.
The company also contends that traceability is not so much effective as it's highly susceptible to abuse, noting that users could be labeled as "originators" simply for sharing an article or a downloaded image that could then be repurposed by other users on the platform in an entirely different circumstance.
Furthermore, WhatsApp contended that the new requirement inverts the way law enforcement typically investigates crimes. "In a typical law enforcement request, a government requests technology companies provide account information about a known individual's account," it said. "With traceability, a government would provide a technology company a piece of content and ask who sent it first."
WhatsApp recently landed in the crosshairs of Indian government over its updated privacy policy that it implemented on May 15, with the Ministry of Electronics and Information Technology (MeitY) urging the company to retract what it said were "unfair terms and conditions on Indian users," calling it "discriminatory" and "irresponsible."
In response, WhatsApp — which earlier said it will continue to push users into accepting the updates with a "persistent reminder" in return for a "limited functionality" — has since completely walked back from that stance, stating it has "no plans for these reminders to become persistent and to limit the functionality of the app."
WhatsApp however said it intends to keep reminding users about the update at least till India's upcoming Personal Data Protection (PDP) bill comes into effect. WhatsApp's new terms don't apply to the European Union due to prevailing GDPR data regulations in the region.
Update -- In response to WhatsApp's legal challenge to new digital rules on grounds of violation of user privacy, the government on Wednesday said it is committed to the right to privacy of citizens but added it's subject to "reasonable restrictions" and "no fundamental right is absolute."
"The government of India is committed to ensure the right of privacy to all its citizens but at the same time it is also the responsibility of the government to maintain law and order and ensure national security," India's IT Minister Ravi Shankar Prasad said in a statement.
It also laid the responsibility on WhatsApp's doorsteps to find a technical solution that ensures the "Right of Privacy to all its citizens as well as have the means and the information necessary to ensure public order and maintain national security," whether through encryption or otherwise.