Centre for Internet & Society

Messaging service WhatsApp's decision to roll out end-to-end encryption for over 1 billion subscribers has been hailed as a positive step by users across the world, although things are set to get tougher for law enforcement and investigative agencies in India seeking to track terrorists.

The article by Neha Alawadhi was published in Economic Times on April 8, 2016. Sunil Abraham was quoted.

"It was anyway difficult to get any kind of data from WhatsApp and now it is going to be even more difficult," said a person familiar with the working of these agencies who did not wish to be identified.

Encryption scrambles data such as text messages, photos and documents and makes them unintelligible for unintended recipients. A service that is encrypted end-to-end cannot be monitored or intercepted. No one, except the people or group communicating with each other, can access the data. If telecom companies, Internet providers or even companies that run messaging services try to intercept the message, all they would get is garbled data.

While chats will not be accessible, associated information known as metadata will be available, such as when the conversations took place, the identities of senders and recipients, their locations, mobile numbers, profile photos and address books, which may be useful for security agencies.

"Definitely for law enforcement it means a big headache, but the metadata is there and with metadata, if you have a couple of other bits of information, you can piece it together," said Sunil Abraham, executive director at Bengaluru-based research organisation Centre for Internet and Society. "Agencies can get the metadata, but they won't get the payload unless they're able to compromise the device. And that intelligence agencies like NSA (National Security Agency of the US) have been able to do in the past."

While encryption offers privacy and security to users, it is the bane of law enforcement agencies globally, as exemplified most recently and notably by the Apple-FBI dispute in the US. The Federal Bureau of Investigation FBI asked Apple to weaken its encryption to access a dead terrorist's iPhone data and after the company refused, hacked into the device with help from a third party.

In India, it is difficult to bring US-based companies to the negotiating table. "We have had minimum cooperation from WhatsApp. All the data is controlled in the US and they rarely hand over the data that we request. We don't ask them for content. We only ask for metadata," said another person familiar with the process who declined to be identified.

While the Indian IT Act gives wide-ranging powers to the government to ask for access to encrypted information, very few requests for information, very few requests for information take the legal route. One reason is the long time that it takes to process such requests - on average, over three years - and the other, especially in the case of WhatsApp, is little or no cooperation, according to government officials.

WhatsApp, based in Mountain View, California, did not respond to an email request for comment. The messaging company was acquired by Facebook in 2014.

How security and investigative agencies in India use the data they access is also a grey area. "We do not have a privacy legislation here which will take care of the concerns that people have with respect to use of data. If the government needs to have access to communications, they also need to ensure there are adequate safeguards in place," said Prasanth Sugathan, counsel at Software Freedom Law Centre.

"In practice, end-to-end encryption will bring the end user and the device into focus, rather than WhatsApp or any particular messaging service. This should be a trigger for greater clarity on India's data protection policy," said Arun Mohan Sukumar, who heads the cyber security and internet governance initiative at think tank Observer Research Foundation.

In India, requests for information from companies such as WhatsApp and Google are handled by the Ministry of Home Affairs or the Indian Computer Emergency Response Team. Emails to both were unanswered at the time of going to print.

The Indian government was involved in a long-standing dispute with BlackBerry over access to encrypted data on its messenger and corporate email service. BlackBerry set up servers in Mumbai to comply with local regulations, but said it could not access encrypted data on its enterprise servers.