Centre for Internet and Society

India WhatsApp Privacy Fight May Affect Multinationals

praskrishna — 2017-02-02T02:28:23Z

The Indian Supreme Court’s review of Facebook Inc.'s and WhatsApp Inc.'s data security practices may lack teeth but also presages a desire for a stronger privacy regime and oversight of multinationals, internet and privacy specialists told Bloomberg BNA.

The article by Nayanima Basu was published by Bloomberg BNA on February 1, 2017. Pranesh Prakash was quoted.

WhatsApp revised its privacy policy in August 2016 to share data with owner Facebook and allow targeted ads and messages from businesses, laying the groundwork for the free messaging service to monetize such data. But a public interest complaint, akin to a class action in the U.S., filed by two Indian students and regulatory inquiries have resulted in India’s top court asking Facebook and WhatsApp about their data protection practices.

The court’s move Jan. 17 to seek the information may make multinational companies jittery, Rahul Khullar, former secretary of commerce for India’s Ministry of Commerce and Industry, told Bloomberg BNA. Although stronger data privacy enforcement is needed, all the high court has done is aggravate Facebook and other large multinationals, he said.

Facebook is the second largest media company in the world with a $367 billion market capitalization, Bloomberg data show. It acquired WhatsApp in 2014 for approximately $18 billion, data show. Facebook didn’t immediately respond to Bloomberg BNA’s e-mail request for comments.

Khullar, who is also the former chairman of the Telecom Regulatory Authority of India, said multinationals need to be more careful in sharing their data because of the “distinction between digital non-commercial data and digitally sensitive data,” he said. A strong national data privacy law would resolve some of these issues, he said.

An U.S. official based at the U.S. Embassy in New Delhi, speaking on background, told Bloomberg BNA that any maneuver that restricts the free flow of data may harm the operations of U.S.-based multinationals and similar companies.

Clarity, Stronger Laws Needed

Some internet and privacy specialists say that Facebook and WhatsApp failed to provide effective data protection under Indian law.

Pranesh Prakash, policy director at the nonprofit digital technologies advocate Centre for Internet and Society, told Bloomberg BNA that Facebook and WhatsApp are in violation of Section 43A of the Information Technology Act that lays out “reasonable security practices and procedures.”

Indian citizens are reaching out to the courts for data protection enforcement because lawmakers have “failed to do so,” he said. That highlights the need for robust data protection laws in India and, he said, hopefully “goads the government and Parliament into enacting a privacy and data protection law.”

In lieu of further legislative action, companies may be able to resolve some issues by establishing clearer privacy policies, Niraj Gunde, a Mumbai-based attorney and consumer advocate, told Bloomberg BNA. Most software agreements have a clandestine clause that allows companies to access user data, but those agreements should also state how the data will be used, stored and eventually disposed of, he said.

For more details visit https://cis-india.org/internet-governance/news/bloomberg-bna-february-1-2017-nayanima-basu-india-whatsapp-privacy-fight-may-affect-multinationals

WhatsApp races against time to fix fake news mess ahead of 2019 general elections

Admin — 2018-07-25T15:27:20Z

On Friday, when WhatsApp announced that it would pilot a ‘five media-based forwards limit’ in India, the government came up with an unequivocal reminder.

The article by Venkat Ananth was published in Economic Times on July 24, 2018. Sunil Abraham was quoted.

“When rumours and fake news get propagated by mischief mongers, the medium used for such propagation cannot evade responsibility and accountability. If they remain mute spectators, they are liable to be treated as abettors and thereafter face consequent legal action,” noted a ministry of electronics and information technology (MeitY) statement.

The statement also said there was a need for bringing in traceability and accountability, “when a provocative/inflammatory message is detected and a request is made by law enforcement agencies.”

Significantly, MeitY took aim at WhatsApp’s core end-to-end encryptionbased product feature and its oft-quoted and reiterated commitment to privacy. It was specific, going beyond the usual “do more” requests.

The stand also poses an interesting dilemma for the messenger service. How can it act while protecting its privacy commitment?

“It is practical ly impossible for WhatsApp to regulate content in the peer-to-peer encrypted environment it is set up in,” says Rahul Matthan, partner, Trilegal. “An encrypted platform is what we want. The government is trying to maintain a strict and difficult balance. The government tends to err on the side of violating civil liberties over offering privacy to innocent users. The WhatsApp case is going in that direction.”

No Longer Low-Key

In India, its largest market, WhatsApp has benefitted from quietly operating in the shadows of its more popular parent, Facebook, growing to a currently active user base of 200 million.

However, in the last six months, while it continues to be perceived as an asset by politicos for outreach and propaganda, WhatsApp is now increasingly being tapped by the bad guys to disseminate deliberate misinformation, rumour mongering and fake news. And not the Donald Trump kind either.

It is leading to loss of lives on the ground, through lynchings, kidnappings and related crimes.

WhatsApp spokesperson Carl Woog says, “The recent acts of violence in India have been heartbreaking and reinforce the need for government, civil society and technology companies to work together to keep people safe.”

“By focusing on solutions to fake news inside our smartphones, we are ignoring a tougher problem that requires several complementary solutions,” says Apar Gupta, a Delhi-based lawyer and cofounder of the Internet Freedom Foundation.

“Let us not forget that a platform is not responsible for policing.”

But the general public and government perception — and, to some extent, concern — remains that WhatsApp has been slow to react to these situations.

To Police or Not to Police

Interestingly, the government and ruling party realise WhatsApp could be pivotal to their fortunes in the next electoral cycle — in the run-up to Elections
2019.

“The government is coming under increased pressure to act on these lynchings, which is why it is taking a shootthe-messenger kind of an approach,” says Matthan. “An unsophisticated government would have advocated a blanket ban on the source. But here, the government, it appears, wants to regulate tech by having access to your device, through an app, in the case of the (telecom regulator) Trai DND app to battle spam.”

This is also why WhatsApp has intensified its outreach efforts. Over the past 10 days, a team of its US and India-based executives have been meeting key stakeholders in Delhi and Mumbai, including the Election Commission, political parties, the Reserve Bank of India, banks and civil society, as ET reported last week.

The team includes public policy manager Ben Supple, senior director, customer operations, Komal Lahiri and WhatsApp India communication manager Pragya Misra Mehrishi. They are now expected to meet key government officials from MeitY from Monday, sources say.

“The intense outreach efforts is essentially linked to WhatsApp wanting to protect its payments play in India,” says a Delhi-based public policy professional, who did not want to be named as he is not authorised to speak to the media.

“It (WhatsApp) is really worried about Google’s efforts with Tez and the gap that will only widen if the government delays grant of permission.”

WhatsApp is stressing some key points while reinforcing the steps it is taking to counter challenges. One, the best practices of using the platform. Two, the need to work together to prevent abuse of WhatsApp, and three, most importantly, to educate people about the best ways of using the platform. WhatsApp was primarily designed for private, oneon-one messaging or group chats among acquaintances, not for mass broadcast, which parties resort to during elections.

WhatsApp says it is working on a warfooting to tackle the problems. It has introduced product changes to counter user behaviour. There’s more control, where a group ‘admin’ can restrict users who can send messages to the group, modify a group icon or edit description, a feature for which it has taken a leaf out of rival Telegram’s book. To counter fake news, it added a ‘forwarded’ label. And now, limited the forwarding to five in India, and 20 in the rest of the markets, a significant reduction from 250 prior to that.

While the impact of these product tweaks is yet to be seen at an individual user level, the larger concern for WhatsApp today is the potential misuse of its platform to manipulate elections, a very real possibility next year.

Tipping Point

The company’s noticeable change of tack comes after it noticed certain trends during the recent Karnataka elections, during which one of its executives spent a week in Bengaluru.

One of the political parties, which a person aware of the developments in WhatsApp declined to name, was using “dozens of accounts to create thousands of groups,” as part of its campaign.

The party, the source says, was adding random numbers (approximately 100) to the group during creation. By random numbers, he meant people who did not know each other, something WhatsApp can identify using the metadata it collects when a user gives it access to its phone book. WhatsApp deems this behaviour ‘organised spamming.’

“These were real people not necessarily known to each other,” says the person quoted above. “A specific account would be added to that group to be made the admin.”

Mostly, this admin was the number used to create these multiple groups or, in WhatsApp terms, the account that was not behaving the way private or group communication happens.

Also, the users would be a mix of fake accounts, which is a major red flag for WhatsApp. “The group starts with some bulk added users and then the real ones get bulk-added,” says the source. WhatsApp deems this practice a violation of its terms of service.

Company sources add that WhatsApp was able to detect these trends and proactively banned these users before they were able to add people. “In some cases, our systems didn’t catch this in time, but we were able to proactively prevent users from receiving such spam. That detection is now internalised and if someone tries to replicate that behaviour anywhere in the world, we will be able to detect them,” says another person familiar with developments at WhatsApp.

According to several media reports, the BJP and the Congress too created over 30,000 groups for campaigning and organising efforts. To counter organised political spamming, WhatsApp has now begun using machine learning tools. WhatsApp can trace the last few messages in a group and block it entirely from the platform. At the detection level, WhatsApp checks for familiarity. “Do the persons know each other, or have they interacted before?” through metadata it possesses through phone numbers.

The second person quoted in the story says the company now focuses its detection “upstream,” that is, catching the user at the registration stage. “When you register on WhatsApp and immediately create a group, questions asked are, ‘Does this behaviour look like what a regular user does? Or does it look like users who have misused it in the past?’” he says.

WhatsApp, sources tell ET, is also using machine learning to detect sequential numbers that could be used to create these groups. “If they go and buy a phone number, they go to one carrier and its mostly sequential. If we notice 100 numbers with the same prefix have signed up, nearly 80 get automatically banned. What we do is feed these sequences, permutations and combinations to detect good/bad users,” the person quoted above says. “It learns millions of these combination signals on behaviour and help us make a decision.”

Civil Society as a Key Layer

WhatsApp also sees an enabling role for civil society, especially for digital literacy. Its team has currently met seven non-governmental organisations, including digital literacy groups and others involved in the area of financial inclusion. This is part of its public policy efforts while also solidifying its payments play.

“The level of responsibility for a platform is to not consciously cause — and, in fact, to take active measures to prevent — social harm,” says Gupta of IFF. “It has to be done without injury to end-to-end encryption, which offers safety and privacy to users.

Many products and product strategies can be adopted — from increasing media diversity on the platform to promoting auditing features that rely on partnerships with fact-checking organisations. We must demand accountability but resist the rhetorical attraction of technophobia.”

As ET has reported, WhatsApp will adapt a fact-checking model, Verificado 2018, deployed during the recent Mexican presidential elections. Verificado proactively debunked fake news and misinformation on the platform. “The rumours were found to be very similar to India.

Verificado was specifically focused on misinformation from candidates,” says the first person quoted in the story. “Plus, it helped effectively tackle misinformation during an earthquake in Mexico.”

For WhatsApp, one of the key learnings from the Mexico elections was that it could look at the spam reports and categorise them as politics-related. The company, unsurprisingly, saw an increase in political spam in the buildup to election day.

“They realised Verificado assists users to get help within the app. But it also aids news organisations, political parties, the government and users,” adds the person. The company is undertaking a similar exercise in Brazil, where 24 media outlets have come together under the Comprova initiative to fact-check viral content and rumours on WhatsApp.

Sunil Abraham, executive director of the Bengaluru-based Centre for Internet and Society believes WhatsApp can further tweak its product to enable real-time checks. “They can enable a ‘fact check this’ button for users to upload content to a fact-checking database. If the content has already been fact-checked, the score can be displayed immediately. Alternatively, the fact-checking service can return the score at a later date,” he explains.

For more details visit https://cis-india.org/internet-governance/news/economic-times-venkat-ananth-july-24-2018-whatsapp-races-against-time-to-fix-fake-news-mess-ahead-of-2019-general-elections

PDP Bill is coming: WhatsApp Privacy Policy analysis

Pallavi Bedi & Shweta Reddy — 2021-01-19T08:12:23Z

WhatsApp started off the new year with changes to its privacy policy that has several implications for data protection and the digital governance ecosystem at large. This post is the first in a series by CIS unpacking the various implications of the policy.

On January 4, 2021, WhatsApp announced a revised privacy policy. The announcement was through an in-app notification. Users were asked to agree to the policy by February 8, else they will lose access to their accounts. The announcement triggered a backlash, globally and in India and it led to millions of users in India migrating to other messaging platforms. In light of the backlash, WhatsApp had on January 15 announced that it will delay rolling out the new policy to May 15, 2021.

It is important to note that many users have also commented that the new explicit terms of mandatory data sharing with Facebook and the extent of metadata collection haven’t changed drastically from WhatsApp’s existing operations. In 2016, WhatsApp had revised its privacy policy to enable data sharing with Facebook. Users were provided 30 days to opt out of such data sharing. However, the option to opt out was not provided to users who joined the service after September 25, 2016 or who failed to exercise the opt-out option. The changes in the policy were challenged in the Delhi High Court. The High Court (i) directed WhatsApp to delete the complete information of users who exercised the option to opt out before September 25, 2016; and (ii) with respect to users who did not exercise the opt-out option, WhatsApp was directed to not share the information of users collected until September 25, 2016 with Facebook. The matter is currently pending before the Supreme Court.

The change in people’s reactions to the data processing from 2016 can partly be attributed to the change in the users perception of privacy and personal data protection. Conversations around privacy and data protection and harms arising out of unauthorized data collection are much more prevalent. What has also irked a large number of users is the difference between the privacy policy applicable to the European Region and the policy applicable to the rest of the world; There is a disparity in the two policies regarding the rights of the users in relation to sharing of data with Facebook Companies(Facebook payments inc, Facebook Payments International Limited, Onavo, Facebook technologies LLC, Facebook Technologies Ireland limited, WhatsApp inc. WhatsApp Ireland Limited and Crowdtangle) due to the application of the General Data Protection Regulation.

Currently, Indian users have a fundamental right to privacy and an overarching data protection framework is set to be tabled in the Parliament soon. The Personal Data Protection Bill, 2019, being deliberated by the Joint Parliamentary Committee, is expected to provide comprehensive requirements for authorized collection and management of personal data. The proposed Bill, despite several shortcomings, does offer significantly more protection than the current framework consisting of S. 43A of Information Technology Act, 2000 and the Information Technology (Reasonable Security practices and procedures and sensitive personal data or Information) Rules, 2011. This blogpost will examine the viability of the revised privacy policy of WhatsApp if the proposed bill is enacted in the currently available public version of the Bill. In the subsequent posts we will analyse the effect of the revised privacy policy on the pending litigation.

Privacy notice

Section 7 of the proposed bill puts an obligation on the data fiduciary to provide a privacy notice, i.e. a document containing granular details of the processing of personal data to the data principals. The details must be provided in a manner that is clear, concise and easily comprehensible to a reasonable person. The notice should also be provided in multiple languages where necessary and practicable. The importance of a clear and concise policy has been highlighted in the Justice Srikrishna Report on Data Protection. However, there is no guidance from the Indian authorities on what it constitutes. Guidance from the Article 29 working party in the EU suggests that the policy must be presented in a manner that avoids information fatigue. In the digital context, it has been recommended that presenting a policy in a layered format enhances readability. The guidance also suggests that policy should avoid reliance on complex sentences and abstract terms to convey the details of the processing operations. The revised privacy policy of WhatsApp cannot be termed a clear and concise policy. The purely text-based policy, containing around 3800 words, is not presented in a layered format resulting in shockingly low readability for the amount and type of personal data collection the policy is attempting to convey. In addition to improper design and structure, the policy contains vague language providing an average user a hazy understanding of the extent of data processing and can leave room for different interpretations. The earlier version of the policy also uses similar language and structure to convey details regarding the processing and doesn’t provide transparent details regarding its data sharing with Facebook. Relying on a similar format as its earlier versions without revising it based on global discussions around the best methods seems to be an opportunity lost to remedy the privacy policy. The structure, form and language of the policy will have to be revised if the Bill is enacted in its current form and the policy will also have to be provided in multiple languages.

Bundled consent

According to its policy, WhatsApp relies on the consent of the user for the purpose of providing messaging and communication services, sharing information with third party service providers that help WhatsApp “operate, provide, improve, understand, customize, support, and market” their Services, and sharing information with other Facebook companies for “providing integrations with Facebook Company products” to name a few. It is important to verify if the consent being obtained is valid according to the standard set by the proposed framework.

For consent to be valid under the proposed framework (Section 11(4)) , the provision and quality of services provided should not be linked to consenting to processing of personal data that is not directly necessary for that purpose. In WhatsApp’s case, the primary purpose of processing is to provide messaging and communication services on that particular platform. Neither sharing personal data with third party service providers for better marketing of their services on other platforms nor sharing it with Facebook company of products for better integration of services is incidental to the primary purpose of processing. The bundling of consent results in forcing individuals to either accept processing of personal data for all of the purposes outlined or lose the services altogether resulting in an invalid consent. An explicit opt-in mechanism for all those processing operations that are not compatible with the primary purpose of processing will have to be provided to the Indian users if the Bill is enacted in its current form and consent is being relied on as the lawful ground of processing.

Data sharing with Facebook

WhatsApp’s policy on sharing of information with Facebook has garnered a significant amount of attention and has also raised privacy concerns amongst WhatsApp users in non-European countries. This is because the policy applicable to non- European countries now does not provide the user option to opt out from sharing the information if the user wants to continue using and operating WhatsApp. The policy under the heading ‘How we work with other Facebook Companies’ states that “As part of the Facebook Companies, WhatsApp receives information from, and shares information (see here) with, the other Facebook Companies. We may use the information we receive from them, and they may use the information we share with them, to help operate, provide, improve, understand, customize, support, and market our Services and their offerings, including the Facebook Company Products.” The information that may be shared by WhatsApp with Facebook Companies includes; (i) users phone number; (ii) transaction data; (iii) service-related information, (iv) information on how the users interact with others (including businesses); (v) mobile device information; (vi) the user’s IP address; and (vii) and any other data covered by the privacy policy. All this information/data will fall within the ambit of personal data in terms of the current version of the Bill and therefore WhatsApp would have to comply with the obligations put on it under the Bill for it to be able to share personal data with other data fiduciaries including Facebook Companies.

As noted earlier, it is pertinent to note that the privacy policy is not the same globally. As per the privacy policy applicable to Europe, WhatsApp states that any information that it shares with Facebook Companies is to be used on WhatsApp’s behalf and in accordance with its instructions. Any such information cannot be used for the Facebook Companies own purposes. This statement is not reflected in the privacy policy applicable to non European countries. Facebook has in a statement stated that “For the avoidance of any doubt, it is still the case that WhatsApp does not share European region WhatsApp user data with Facebook for the purpose of Facebook using this data to improve its products or advertisements”

Data sharing with other third party service providers

It is also important to note that sharing of information is not limited to Facebook Companies, but also extends to other third party service providers. However, apart from a vaguely drafted statement stating that WhatsApp works with third party service providers as well as other Facebook Companies to help it to “operate, provide, improve, understand, customize, support, and market our Services”, the privacy policy is silent and does not provide any insight or clear information on (a) the nature of these third party entities; (b) extent of information shared with such third party entities. Further, even though the policy provides a link to the other Facebook Companies (Facebook Payments Inc, Facebook International Limited, Onavo CrowdTangle) that it works with; there is again no clarity as to what are the specific services provided by these companies.

One of the rights provided to a data principal under Section 17 (3) and Section 7 (1)(g) of the current version of the Bill, is the right to be informed and the consent to be obtained from the data principal about the individuals or entities with whom personal data may be shared. The data principal also has the right to be informed about and given access to the categories of personal data shared with the other data fiduciaries. However, the policy as it stands on date is silent about both the details of the third parties service providers as well as the categories of personal data that could be shared with them.

Metadata collection and data minimisation

The details on usage and log information in the previous version of the policy were rather vague as a result of which the extent of data collection was difficult to ascertain. The revised version indicates that WhatsApp’s metadata collection went further than most of the other popular messaging applications and the data being collected was linked back to the user and device identity. The principle of data minimisation (Section 6 of the proposed framework) limits the collection of personal data to that which is necessary for the purpose of processing. The compelling reasons that justify the metadata collection for the primary purpose of messaging and communication are so far unclear. The metadata collection section is similar in the privacy policy for the EU region and on the face of it doesn’t look GDPR compliant as well. Collection of those categories of personal data that are not necessary for processing of the primary purpose will need to be discontinued if the Bill is enacted in its current form.

Data Principal rights

The difference between the protection afforded to Indian resident users and European resident users is highlighted in the rights accorded to the data principal under the two privacy policies. The European privacy policy has a section dedicated to how users can exercise their rights and specifies that users have the right to access, rectify, port, and erase their information, as well as the right to restrict and object to certain processing of their information. These rights are a reflection of the protection afforded to data principles under the GDPR. As per the current version of the Bill, the data principal will have the right to (i) confirmation and access (Section 17); (ii) correction and erasure (Section 18); and (iii) data portability (Section 19). If the current version of the Bill is enacted, then WhatsApp will be required to amend its privacy policy regarding its applicability to India and incorporate the rights of data accorded to the data principal .

Grievance redressal

The European Region privacy policy specifies the entity within WhatsApp responsible for addressing the complaints of the users and it further also informs the user that they have the right to approach the Irish Data Protection Commission, or any other competent data protection supervisory authority. None of these provisions are specified in the Non-European Region privacy policy. The current version of the PDP Bill places an obligation on the data fiduciary to establish an effective grievance redressal mechanism (Section 32(1)) and to inform the data principal about their right to approach the Data Protection Authority (which is proposed to be established under the PDP Bill) (Section 7(k)). Additional details regarding the same will have to be provided if the Bill is enacted in its current form.

Clarifications from WhatsApp

On January 13, 2021, WhatsApp published a blog stating that the changes to the privacy policy will not affect users who use the platform messaging with friends and family, the changes will only apply to users who use the platform to communicate with business accounts. As per WhatsApp messages to business accounts on WhatsApp can be shared with third-party service providers, which may include Facebook itself. As per the blog, “But whether you communicate with a business by phone, email, or WhatsApp, it can see what you’re saying and may use that information for its own marketing purposes, which may include advertising on Facebook.” It is important to note that we recognise that the content of the messages and the call remains encrypted, however, the concern arises from the collection and use of ‘metadata.’

WhatsApp’s repeated assurances and clarifications asserting their commitment to data privacy falls short. Their insistence that their chats still use end to end encryption and that only interactions with WhatsApp Business will be shared with Facebook indicates ignorance with regard to the different contours of informational privacy. The expectations of privacy that individuals have over their personal data is linked to the extent of control they have over disclosure of such data. The mandatory metadata collection and lack of opt out clauses for data sharing for marketing purposes results in a mere illusion of control through its façade consent collecting process.

For the most part, the proposed framework should provide us the same level of protection offered to EU users of WhatsApp regarding some of the key contentions highlighted above. However, additional data principal rights such as the right to object and right to restrict processing will give additional protections to the data principal in case of data processing for marketing purposes. The uproar over the data collection practices of WhatsApp have cemented the immediate need for an effective data protection legislation in the country. The final draft of the Bill with 89 new amendments is expected to be released soon. Considering the renewed apprehensions regarding unwarranted processing of personal data, we can only hope that the amendments have taken into consideration the feedback and comments provided by relevant stakeholders.

(This post was edited and reviewed by Amber Sinha, Arindrajit Basu and Aman Nair)

For more details visit https://cis-india.org/internet-governance/blog/pdp-bill-is-coming-whatsapp-privacy-policy-analysis

You will need a license to create a WhatsApp group in Kashmir

praskrishna — 2016-04-21T02:34:46Z

The internet rights activists have criticised the move stating it as unconstitutional.

The article was published by Governance Now on April 19, 2016. Pranesh Prakash tweeted on this.

Moving beyond internet ban, Kashmir’s Kupwara district issued a notice asking all admins of WhatsApp news groups to register their groups with the district authority within ten days.

With this move, the authorities are taking power in their hands to monitor WhatsApp news groups owned by private individuals. However, internet rights activists criticised it saying the move is unconstitutional as it breaches freedom of speech.

The circular is issued under the subject of ‘registering of WhatsApp news group and restrictions for spreading rumours thereof’. The district magistrate said that any spread of information by these WhatsApp news groups, “leading to untoward incidents will be dealt under the law”.

You may need a license in Kashmir to run a WhatsApp group

The valley witnessed five-day internet shutdown following the Handwara firing incident. Internet ban is a common phenomenon in Kashmir.

“For how long will the government decide whether we can communicate with each other or not? Actually, the authorities do not want us to spread the truth about the army’s atrocities far and wide,” said a resident of Handwara as quoted in Kashmir Reader.

Earlier, parts of Haryan and Gujarat also witnessed internet ban during Jat and Patidar agitation, respectively.

Blocking all internet access is clearly an unnecessary and disproportionate measure that cannot be countenanced as a ‘reasonable restriction’ on freedom of expression and the right to seek and receive information, which is an integral part of the freedom of expression,” said Pranesh Prakash.

For instance, he adds, a riot-affected woman seeking to find out the address of the nearest hospital cannot do so on her phone. “Instead of blocking access to the internet, the government should seek to quell rumours by using social networks to spread the truth, and by using social networks to warn potential rioters of the consequences,” he said.

Former Mumbai police commissioner Rakesh Maria used WhatsApp to counter rumours spread after circulation of a fake photo in January 2015.

“The way in which the ban is imposed is unreasonable. Problem is in the method that is being used in absence of guidelines, defining circumstances under which they can impose a restriction on internet sites,” says Arun Kumar, head of cyber initiatives at Observer Research Foundation (ORF).

If government formulates these rules or guidelines it will set a threshold for state or central authorities, which will define the urgency of imposing ban on internet services.

For more details visit https://cis-india.org/internet-governance/news/governance-now-april-19-2016-you-will-need-a-license-to-create-whatsapp-group-in-kashmir

When the war’s on WhatsApp

praskrishna — 2016-09-25T16:36:01Z

Slick, jingoistic videos are whipping up pro-war rhetoric on social media after the Uri terror attack.

The article by Manju V was published in the Times of India on September 25, 2016. Nishant Shah was quoted.

It packs a meaner punch than any 140-character tweet. In 140 jingoistic seconds, the cleverly packaged YouTube film veers from Mohammed Rafi to Chandra Shekhar Azad drumming up pro-war rhetoric to avenge the Pathankot attack. Set to the tone of chirping crickets on a moonlit night somewhere along the western border that India shares with its neighbour, the short film has two armymen in fatigues deliberate over the absolute need to respond with a counter attack. It ends in a staccato military drumbeat with a voiceover quoting Azad: "If yet your blood does not rage, then it is water that flows in your veins."

Posted about 10 days after the Pathankot attack in January, the video was resurrected last week after the country woke up to the Uri attack that killed 18 Indian soldiers in the deadliest assault on security forces in Kashmir in over two decades. Even as photographs of a grenade smoke-filled valley, tricolour-draped coffins, grieving sons, daughters and widows made the rounds in media outlets scores of Indians marched onto social media, some armed with incendiary prose and other with slick videos that expressed more anger than anguish.

In another video doing the rounds, a jawan, or someone in uniform, sings a poem warning Pakistan. His mates join in the refrain: "Kashmir toh hoga, lekin Pakistan nahi hoga."

These videos of jawans threatening to decimate Pakistan were shared by thousands. WhatsApp profile pictures and statuses were changed, Facebook posts got longer and vitriolic, Twitter #UriAttack exploded with expletives as the enough-is-enough sentiment peaked. It heralded the beginning of an era where the dynamics of Indo-Pakistan relations will play out not just in the diplomatic corridors of Delhi and Islamabad, the valley of Kashmir or the barracks of security forces; but also on the mobile phones, tablets and laptops of millions of Indians.

When contacted for a comment, the makers of the war-mongering 'Pathankot Tolerance' video didn't endorse war outright. "My individual opinion is that war is not a solution," said producer Santosh Singh, who heads the Mumbai-based V Seven Pictures. "Before we resort to war, we have to solve our internal problems. How can we let infiltration take place so blatantly?" he asked. Why then does the video not talk about this? Singh said that when one hears about such attacks, the instant reaction is to retaliate. "The video is based on that sentiment."

An electronics engineer, Singh also owns an IT recruitment firm. His film production company, which he runs along with his friend Vivek Joshi, made the Mauka Mauka World Cup video that went viral and also produces short films and videos for clients. "We have no political affiliations, in fact we turned down a couple of political parties who approached us," says Singh, adding that his company has made 30-35 films in less than two years. "Of these, about 10 are on issues close to our heart, like those on Afzal Guru and the Pathankot attack. We upload them on YouTube, they are aired without ads. We don't earn money from them," he adds.

Ugly gets outlet

Nitin Pai, director of Takshashila Institution, an independent centre for research and education in public policy, says that social media and some television studios have enabled people to express their subconscious fears and desires. "It is not just today that the people of India have been angry with Pakistan for fomenting terrorism in our country. But it is only now that they have ways to express this anger; unfortunately, social media dynamics amplify this anger in a grotesque, distorted manner, allowing the ugly and less-sensible views to rise to the top of the public discourse," said Pai.

Tracing the many origins of this phenomenon, psychiatrist Harish Shetty says that in an angst-ridden, globalized world, we need a whipping boy. "With the Uri attacks, the entire nation had a common enemy. In expressing collective anger, there's catharsis." The current outpouring is not just over the deaths of soldiers; such an incident also opens up older wounds, he says. "For a long time, Indians have found their leaders to be helpless. It's like a family that is attacked again and again by a neighbour, but the father does nothing about it. There has been a lack of strong response from 'papa figures' across time, which has led to a sense of anger and rage. After the Uri attacks, the collective self-esteem of the country took a beating, and people felt a need to assert themselves on social media. At such times strong action is viewed as legitimate, valid and free of guilt," he adds.

Amplifying angst

If social media brought together protesters in Tunisia and Egypt during the Arab spring, in democratic India it has turned into a platform for expressing mass disenchantment with the government, especially in the wake of such attacks.

Social media plays several roles in times of crises, says Nishant Shah, professor of digital media and co-founder of the Centre for Internet & Society, Bengaluru. One, it amplifies what is already being said in friend circles and living-room conversations in front of the telly, but spreads it to a larger audience. "The second role it plays is distribution: social media allows people to inherit other people's opinions, thus exposing them to new ways of thinking but also find corroborators for their own viewpoints," he says. The third is catalysis — social media also has the capacity to generate new information. "The format creates new kinds of truths. Things that can be caught in Snapchat videos, or visuals which can be remixed, all become a part of this zeitgeist," Shah says.

Virtual wars

But in India at least, social media is no indicator of considered public opinion, points out Pai. Shah adds: "What we are seeing is a filter bubble of a privileged set of people who are engaging in this debate."

Then again, what's said on social media needn't be endorsed in real life. Vivek Joshi, who wrote and directed the Pathankot video, says nobody in the world would want a war. "But when it comes to the lives of our soldiers, an answer has to be given. If the government had taken any visible action, then there would have been no need to put out a video like this," Joshi adds. And therein probably comes the new-age heuristic of venting out on social media.

For more details visit https://cis-india.org/internet-governance/news/times-of-india-september-25-2016-manju-vi-when-the-war-is-on-whatsapp

Centre draws red lines for Whatsapp over fake news, says must comply with Indian laws

Admin — 2018-08-27T14:24:51Z

In a meeting with WhatsApp’s CEO Chris Daniels, Union minister Ravi Shankar Prasad said India put forward several demands, including that the company must have a grievance officer in India and have proper compliance of Indian laws.

The article by Nakul Sridhar was published in the Hindustan Times on August 21, 2018.

The Union government on Tuesday told the Facebook-owned WhatsApp to comply with Indian law, set up an Indian entity, and appoint a grievance officer in India to who people can reach immediately.

The directive comes at a when the government has pulled up the company for fake news spread on the social media platform serving as a contributory factor in several incidents of mob lynching across the country.

Ravi Shankar Prasad, Minister for Electronics and Information Technology, conveyed this to the global head of WhatsApp, Chris Daniels, who is in India this week. This is the first time that the government has spelt out its key expectations from the platform.

“I told him there have been sinister developments like fake news and revenge porn, which are criminal and against Indian laws. I suggested three points: they must have a grievance officer in India; they must comply with Indian laws; and they must have a local, corporate entity in India,” Prasad said.

Daniels, he added, had agreed to the three conditions. WhatsApp did not offer an independent confirmation or respond to questions.

Prasad said he also told Daniels that WhatsApp would have to comply with Reserve Bank of India (RBI) guidelines to start its payments services in India, saying that the firm would have to store the financial data it collects from India within the country.

After at least 30 lynchings in the past one year were linked to rumours and fake news spread through the WhatsApp platform, the IT ministry sent two notices to the company last month, asking it to curb the spread of such messages. WhatsApp’s chief operating officer, Matthew Idema, had met the IT ministry secretary Ajay Sawhneytowards the end of July to discuss the issue of fake news with the ministry and explain the steps it was taking in curbing its spread.

The application made it more difficult to forward media by removing shortcuts, limited the number of people a forwarded message can be sent to at a time to five, and introduced a ‘forwarded’ label for such messages after the push from the government.

Explaining its broad approach, a top government functionary, who asked not to be named, said, “We cannot accept digital imperialism. India is an open society. We have embraced technology and innovation. But no one should think they can come and do as they like. Firms like WhatsApp must conform to our rules, laws, and address problems.”

Reiterating his demand that WhatApp must find “a technological solution” to trace the origin of rumour-mongering messages, Prasad said, “It does not need rocket science to locate a message being circulated thousands and lakhs of times on the same day, on the same issue, in the same district and same state.” He said Daniels agreed to comply.

But experts believe that delivering on these demands will be challenging. “WhatsApp, according to my understanding, does not store metadata (such as phone number sent from) for text messages that are transmitted using their application or via the web client. Unfortunately, WhatsApp does not make this explicit in their public documentation,” said Sunil Abraham, founder of the think tank, Centre for Internet and Society.

“Therefore, many governments erroneously believe that sources of specific messages can be determined by big data analysis similar to the analysis of SMS metadata from telecom operators,” he said.

Metadata includes information such as the sender and recipient, date and time. “Now it would also include whether the message is forwarded,” said Abraham.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-august-21-2018-centre-draws-red-lines-for-whatsapp-over-fake-news-says-must-comply-with-indian-laws

India steps up vigilance against WhatsApp abuse

Admin — 2018-08-27T15:22:23Z

Delhi wants firm to open local office, appoint grievance officer as misinformation spreads.

The article by Debashree Dasgupta was published by Straits Times on August 24, 2018. Sunil Abraham was quoted.

In one of its strongest directives yet to WhatsApp, the Indian government has asked the California-based messaging service firm to set up an office and appoint a grievance officer in India.

Indian Information Technology Minister Ravi Shankar Prasad conveyed the request to WhatsApp chief executive Chris Daniels during a meeting on Tuesday. It came against the backdrop of the growing misuse of the messaging app to disseminate misinformation.

"I requested WhatsApp chief executive Chris Daniels to set up a grievance officer in India, establish a corporate entity in India, comply with Indian laws. He assured me that #WhatsApp will soon take steps on all these counts," Mr Prasad tweeted after the meeting.

"I further asked WhatsApp CEO... to work closely with law enforcement agencies of India and create public awareness campaign to prevent misuse of WhatsApp. He assured me that #WhatsApp will undertake these initiatives," he added in another tweet.

The firm has not yet provided a confirmation of these claims.

The spread of misinformation about child kidnappings through WhatsApp has been linked to a series of mob lynchings that have led to the deaths of least 28 people across India since April.

TAKING RESPONSIBILITY

When rumours and fake news get propagated by mischief mongers, the medium used for such propagation cannot evade responsibility and accountability. If they remain mute spectators, they are liable to be treated as abettors and thereafter, face consequent legal action.

INDIA'S MINISTRY OF ELECTRONICS AND INFORMATION TECHNOLOGY

There are also concerns that the spread of fake news via the application could gather further momentum ahead of next year's general elections in India. The firm has more than 200 million active monthly users in India - its biggest market and a sizeable chunk of its 1.5 billion global user base.

WhatsApp, the most widely used messaging app in India, has struggled to control the spread of misinformation in India on its platform.

With the government demanding greater accountability from it, the firm has made it more difficult for users to forward content by removing shortcuts. It has limited to five the number of people a message can be forwarded to each time, and introduced a "forwarded" label for such messages.

But the authorities have found this inadequate given the enormity of the challenge and rampant abuse.

Last month, the Indian Ministry of Electronics and Information Technology said: "There is a need for bringing in traceability and accountability when a provocative/inflammatory message is detected, and a request is made by law enforcement agencies.

"When rumours and fake news get propagated by mischief mongers, the medium used for such propagation cannot evade responsibility and accountability. If they remain mute spectators, they are liable to be treated as abettors and thereafter, face consequent legal action."

Mr Prasad, speaking to the media after the meeting, said: "I have said in the past that it does not take rocket science to locate a message being circulated in hundreds and thousands... You must have a mechanism to find a solution."

The Indian government's demand for WhatsApp to set up a local office is not unprecedented.

The European Union General Data Protection Regulation says a foreign firm that processes personal data of individuals in the EU "may be required" to appoint a representative in an EU state. However, calls by the government to detect messages and track down senders have prompted concerns over privacy violation, and pose a technical challenge.

Mr Sunil Abraham, executive director of the Centre for Internet and Society, a Bangalore-based nonprofit organisation, said: "Application-wide blocking of the same content is not possible on WhatsApp because it uses end-to-end cryptography, and there is no way WhatsApp can determine which messages are being forwarded."

But there are potential remedies that are less controversial, and easier to achieve.

Mr Abraham suggested that WhatsApp fund a large network of fact checkers and provide a "fact check this" button along with all forwarded messages. "This button could then transmit the suspicious message to a common database that is managed by the network for fact checkers," he added.

Last month, the Ministry of Electronics and Information Technology raised concerns on the expected roll-out of WhatsApp Payments, which lets users make financial transactions via the application. It has sought clarity on whether the service adheres to the Reserve Bank of India's security and privacy rules.

For more details visit https://cis-india.org/internet-governance/news/the-straits-times-august-24-2018-debarshi-dasgupta-india-steps-up-vigilance-against-whatsapp-abuse

It's That Eavesdrop Endemic

praskrishna — 2016-07-30T15:45:31Z

Whatsapp Says It’s Snoop-Proof Now, But There’s Always A Way In

The article by Arindam Mukherjee was published in Outlook on July 25, 2016. Pranesh Prakash was quoted.

Lock and Key

WhatsApp says it has end-to-end encryption, so no one, not even WhatsApp, can snoop into calls.

Experts say any encryption can be broken by security agencies. Android phones can also get infected by malware.

For years, a Delhi power-broker used to call from nondescript landline numbers, changing them ever so often. Of late, he has started using WhatsApp calls for ‘sensitive’ conversations. He’s not alone. WhatsApp has revealed that over 100 million voice calls are being made on the social network every day. That’s over 1,100 calls a second! India is one of the biggest user bases of WhatsApp. And many Indian users are making the app their main engine for voice calls.

One reason for this shift is that WhatsApp calls are seen to be essentially free (though they indeed have data charges). But for a lot of people, the chief allure lies in the touted fact that WhatsApp calling is far more secure than mobile calling. In April, the app introduced end-to-end encryption for its messages and voice calls.

Consequent to this, Sudhir Yadav, a Gurgaon-based software engineer filed a PIL in the Supreme Court seeking a ban on WhatsApp on the grounds that its calls are so safe that it could be misused by ‘terrorists’. Last month, a court in Brazil issued orders to block WhatsApp for 72 hours after it failed to provide the authorities access to encrypted data.

Are WhatsApp calls really impenetrable? WhatsApp believes so and says that the encryption key is held by the two persons at the two ends of the message or call and no one, not even the company, can snoop in. “The calls are end-to-end encrypted so WhatsApp and third parties can’t listen to them,” a WhatsApp spokesperson told Outlook. This is precisely Yadav’s concern. “Because the encryption is end to end, the government can’t break it and WhatsApp cannot provide the decryption key,” he says.

However, experts do not buy this argument. They believe everything on the Internet is vulnerable. “Anything that uses a phone number is vulnerable,” says Kiran Jonnalagadda, founder of technology platform HasGeek. “Anyone can impersonate the phone number by getting a duplicate SIM and get access to a phone. There are also bugs in the system which security agencies use.”

WhatsApp uses a person’s phone number to open an account and authenticate a user. So, if the government or a security agency wants to get access to a WhatsApp call, it would be very easy. “Telecom companies cannot access these calls as they are encrypted before they reach the network. But the government can. It just has to replicate a SIM to access any number and its messages or voice calls,” says Aravind R.S., a volunteer for Save the Internet campaign and founder of community chat app Belong,

There are other modes of attack as well. It is a given that Android phones, which form the majority of mobile phones used in India today, are most vulnerable to malware attacks. So, even if the app itself is secure, the device is not and if the device is attacked, just about everything in it can be tapped into. For instance, there’s the ‘man in the middle’ mode of attack, where a third person gets into a call and mirrors the messages to both the sides and relays the messages or calls to a different server. There is also the SS7 signalling protocol that can help hackers get into networks and calls. These attacks can make even a WhatsApp encryption vulnerable.

Security agencies and hackers routinely implant viruses into the phones of people they are monitoring. Once a phone is “infected”, everything is accessible. And Android phones are extremely prone to attacks from malware. “It's not perfectly secure, especially if there is any virus in an Android phone, which is what security agencies work with. They have many more ways to get into a phone. There is no defence against that,” says Aravind,

Experts believe it is possible that US intelligence agencies like the FBI and the NSA may have access to or are capable of breaking into even the WhatsApp encryption. This is proven by the recent incident where the FBI, after being refused by Apple to open up an iPhone used by a terrorist, broke into the phone by itself.

“If you are on the NSA list, there is nothing you can do to protect yourself,” says Pranesh Prakash, policy director with the Centre for Internet and Society. “They will find a way to get into your phone. In WhatsApp, many things like photographs and videos are not encrypted; these can get access to a person’s account.”

In India, the debate on access to encrypted phones has been on since the government engaged with Blackberry a few years ago. “There is no law governing an Over The Top (OTT) service like WhatsApp. If the government orders decryption of a call and WhatsApp cannot comply, it will become illegal,” says cyber lawyer Asheeta Regidi. The government’s seeming comfort level with all this legal ambiguity is yet another indicator that all is not what is seems with WhatsApp. As for callers, they would do well to speak discreetly on any network.

For more details visit https://cis-india.org/internet-governance/news/outlook-july-25-2016-arindam-mukherjee-its-that-eavesdrop-endemic

We Truly are the Product being Sold

vidushi — 2016-09-01T02:08:37Z

WhatsApp has announced it will begin sharing user data such as names, phone numbers, and other analytics with its parent company, Facebook, and with the Facebook family of companies. This change to its terms of service was effected in order to enable users to “communicate with businesses that matter” to them. How does this have anything to do with Facebook?

The article was published in the Hindustan Times on August 31, 2016.

WhatsApp clarifies in its blog post, “... by coordinating more with Facebook, we’ll be able to do things like track basic metrics about how often people use our services and better fight spam on WhatsApp. And by connecting your phone number with Facebook’s systems, Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them.”

WhatsApp’s further clarifies that it will not post your number on Facebook or share this data with advertisers. This means little because it will share your number with Facebook for advertisement. It is simply doing indirectly, what it has said it won’t do directly. This new development also leads to the collapsing of different personae of a user, even making public their private life that they have so far chosen not to share online. Last week, Facebook published a list of 98 data points it collects on users. These data points combined with your WhatsApp phone number, profile picture, status message, last seen status, frequency of conversation with other users, and the names of these users (and their data) could lead to a severely uncomfortable invasion of privacy.

Consider a situation where you have spoken to a divorce lawyer in confidence over WhatsApp’s encrypted channel, and are then flooded with advertisements for marriage counselling and divorce attorneys when you next log in to Facebook at home. Or, you are desperately seeking loans and get in touch with several loan officers; and when you log in to Facebook at work, colleagues notice your News Feed flooded with ads for loans, articles on financial management, and support groups for people in debt.

It is no secret that Facebook makes money off interactions on its platform, and the more information that is shared and consumed, the more Facebook is benefitted. However, the company’s complete disregard for user consent in its efforts to grow is worrying, particularly because Facebook is a monopoly. In order for one to talk to friends and family and keep in touch, Facebook is the obvious, if not the only, choice. It is also increasingly becoming the most accessible way to engage with government agencies. For example, Indian embassies around the world have recently set up Facebook portals, the Bangalore Traffic Police is most easily contacted through Facebook, and heads of states are also turning to the platform to engage with people. It is crucial that such private and collective interactions of citizens with their respective government agencies are protected from becoming data points to which market researchers have access.

Given Facebook’s proclivity for unilaterally compromising user privacy, the Federal Trade Commission (FTC) in 2011 charged the company for deceiving consumers by misleading them about the privacy of their information. Following these charges, Facebook reached an agreement to give consumers clear notice and obtain consumers’ express consent before extending privacy settings that they had established. The latest modification to WhatsApp’s terms of service seems to amount to a clear violation of this agreement and brings out the grave need to treat user consent more seriously.

There is a way to opt out of sharing data for Facebook ads targeting that is outlined by WhatsApp on its blog, which is the best example for a case of invasion-of-privacy-by-design. WhatsApp plans to ask the users to untick a small green arrow, and then click on a large green button that says “Agree” (which is the only button) so as to indicate that they are opting-out. The interface of the notice seems to be consciously designed to confuse users by using the power of default option. For most users, agreeing to terms and conditions is a hasty click on a box and the last part of an installation process. Predictably, most users choose to go with default options, and this specific design of the opt-out option is not meaningful at all.

In 2005, Facebook’s default profile settings were such that anyone on Facebook could see your name, profile picture, gender and network. Your photos, wall posts and friends list were viewable by people in your network. Your contact information, birthday and other data could be seen by friends and only you could view the posts that you liked. Fast forward to 2010, and the entire internet, not just all Facebook users, can see your name, profile picture, gender, network, wall posts, photos, likes, friends list and other profile data. There hasn’t been a comprehensive study since 2010, but one can safely assume that Facebook’s privacy settings will only get progressively worse for users, and exponentially better for Facebook’s revenues. The service is free and we truly are the product being sold.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-vidushi-marda-august-31-2016-we-truly-are-the-product-being-sold

What’s up with WhatsApp?

Aayush Rathi and Sunil Abraham — 2018-04-23T16:45:51Z

In 2016, WhatsApp Inc announced it was rolling out end-to-end encryption, but is the company doing what it claims to be doing?

The article by Aayush Rathi and Sunil Abraham was published in Asia Times on April 20, 2018.

Back in April 2016, when WhatsApp Inc announced it was rolling out end-to-end encryption (E2EE) for its billion-plus strong user base as a default setting, the messaging behemoth signaled to its users it was at the forefront of providing technological solutions to protect privacy.

Emphasized in the security white paper explaining the implementation of the technology is the encryption of both forms of communication – one-to-one and group and also of all types of messages shared within such communications – text as well as media.

Simply put, all communication taking place over WhatsApp would be decipherable only to the sender and recipient – it would be virtual gibberish even to WhatsApp.

This announcement came in the backdrop of Apple locking horns with the FBI after being asked to provide a backdoor to unlock the San Bernardino mass shooter’s iPhone. This further reinforced WhatsApp Inc’s stand on the ensuing debate between the interplay of privacy and security in the digital age.

Kudos to WhatsApp, for there is growing discussion around how encryption and anonymity is central to enabling secure online communication which in turn is integral to essential human rights such as those of freedom of opinion and expression.

WhatsApp may have taken encryption to the masses, but here we outline why WhatsApp’s provisioning of privacy and security measures needs a more granular analysis – is the company doing what it claims to be doing? Security issues with WhatsApp’s messaging protocol certainly are not new.

Man-in-the-middle attacks

A study published by a group of German researchers from Ruhr University highlighted issues with WhatsApp’s implementation of its E2EE protocol to group communications. Another paper points out how WhatsApp’s session establishment strategy itself could be problematic and potentially be targeted for what are called man-in-the-middle (MITM) attacks.

An MITM attack takes the form of a malicious actor, as the term suggests, placing itself between the communicating parties to eavesdrop or impersonate. The Electronic Frontier Foundation also highlighted other security vulnerabilities, or trade-offs, depending upon ideological inclinations, with respect to WhatsApp allowing for storage of unencrypted backups, issues with WhatsApp’s web client and also with its approach to cryptographic key change notifications.

Much has been written questioning WhatsApp’s shifting approach to ensuring privacy too. Quoting straight from WhatsApp’s Privacy Policy: “We joined the Facebook family of companies in 2014. As part of the Facebook family of companies, WhatsApp receives information from, and shares information with, this family of companies.” Speaking of Facebook …

Culling out larger issues with WhatsApp’s privacy policies is not the intention here. What we specifically seek to explore is right at the nexus of WhatsApp’s security and privacy provisioning clashing with its marketing strategy: the storage of data on WhatsApp’s servers, or ‘blobs,’ as they are referred to in the technical paper. Facebook’s rather. In WhatsApp’s words: “Once your messages (including your chats, photos, videos, voice messages, files and share location information) are delivered, they are deleted from our servers. Your messages are stored on your own device.”

In fact, this non-storage of data on their ‘blobs’ is emphasizes at several other points on the official website. Let us call this the deletion-upon-delivery model.

A simple experiment

While drawing up a rigorous proof of concept, made near-impossible thanks to WhatsApp being a closed source messaging protocol, a simple experiment is enough to raise some very pertinent questions about WhatsApp’s outlined deletion-upon-delivery model. It should, however, be mentioned that the Signal Protocol developed by Open Whisper Systems and pivotal in WhatsApp’s rolling out of E2EE is open source. Here is how the experiment proceeds:

Rick sends Morty an attachment.

Morty then switches off the data on her mobile device.

Rick downloads the attachment, an image.

Subsequently, Rick deletes the image from his mobile device’s internal storage.

Rick then logs into a WhatsApp’s web client on his browser. (Prior to this experiment, both Rick and Morty had logged out from all instances of the web client)

Upon a fresh log-in to the web client and opening the chat with Morty, the option to download the image is available to Rick.

The experiment concludes with bewilderment at WhatsApp’s claim of deletion-upon-delivery as outlined earlier. The only place from which Morty could have downloaded the image would be from Facebook’s ‘blobs.’ The attachment could not have been retrieved from Morty’s mobile device as it had no way of sending data and neither from Rick’s mobile device as it no longer existed in the device’s storage.

As per the Privacy Policy, the data is stored on the ‘blobs’ for a period of 30 days after transmission of a message only when it can’t be delivered to the recipient. Upon delivery, the deletion-upon-delivery model is supposed to kick in.

Another straightforward experiment that leads to a similar conclusion is seeing the difference in time taken for a large attachment to be forwarded as opposed to when the same large attachment is uploaded. Forwarding is palpably quicker than uploading afresh: non-storage of attachments on the ‘blob’ would entail that the same amount should be taken for both.

The plot thickens. WhatsApp’s Privacy Policy goes on to state: “To improve performance and deliver media messages more efficiently, such as when many people are sharing a popular photo or video, we may retain that content on our servers for a longer period of time.” The technical paper offers no help in understanding how WhatsApp systems assess frequently shared encrypted media messages without decrypting it at its end.

A possible explanation could be the usage of metadata by WhatsApp, which it discloses in its Privacy Policy while simultaneously being sufficiently vague about the specifics of it. That WhatsApp may be capable of reading encrypted communication through the inclusion of a backdoor bodes well for law enforcement, but not so much for unsuspecting users.

The weakest link in the chain

Concerns about backdoors in WhatsApp’s product have led the French government to start developing their own encrypted messaging service. This will be built using Matrix – an open protocol designed for real-time communication. Indeed, the Privacy Policy lays out that the company “may collect, use, preserve, and share your information if we have a good-faith belief that it is reasonably necessary to respond pursuant to applicable law or regulations, to legal process, or to government requests.”

The Signal Protocol is the undisputed gold standard of E2EE implementations. It is the integration with the surrounding functionality that WhatsApp offers which leads to vulnerabilities. After all, a chain is only as strong as its weakest link. Assuming that the attachments stored on the ‘blobs’ are in encrypted form, indecipherable to all but the intended recipients, this does not pose a privacy risk for the users from a technological point of view.

However, it is easy lose sight of the fact that the Privacy Policy is a legally binding document and it specifically states that messages are not stored on the ‘blobs’ as a matter of routine. As a side note, WhatsApp’s Privacy Policy and Terms of Service are refreshing in their readability and lack of legalese.

As we were putting the final touches to this piece, news from WABetaInfo, a well-reputed source of information on WhatsApp features, has broken that newer updates of WhatsApp for Android are permitting users to re-download media deleted up to three months back. WhatsApp cannot possibly achieve this without storing the media in the ‘blobs,’ or in other words, in violation of its Privacy Policy.

As the aphorism goes: “When the service is free, you are the product.”

For more details visit https://cis-india.org/internet-governance/blog/asia-times-april-20-2018-aayush-rathi-sunil-abraham-what-s-up-with-whatsapp