Centre for Internet and Society

What’s up with WhatsApp?

Aayush Rathi and Sunil Abraham — 2018-04-23T16:45:51Z

In 2016, WhatsApp Inc announced it was rolling out end-to-end encryption, but is the company doing what it claims to be doing?

The article by Aayush Rathi and Sunil Abraham was published in Asia Times on April 20, 2018.

Back in April 2016, when WhatsApp Inc announced it was rolling out end-to-end encryption (E2EE) for its billion-plus strong user base as a default setting, the messaging behemoth signaled to its users it was at the forefront of providing technological solutions to protect privacy.

Emphasized in the security white paper explaining the implementation of the technology is the encryption of both forms of communication – one-to-one and group and also of all types of messages shared within such communications – text as well as media.

Simply put, all communication taking place over WhatsApp would be decipherable only to the sender and recipient – it would be virtual gibberish even to WhatsApp.

This announcement came in the backdrop of Apple locking horns with the FBI after being asked to provide a backdoor to unlock the San Bernardino mass shooter’s iPhone. This further reinforced WhatsApp Inc’s stand on the ensuing debate between the interplay of privacy and security in the digital age.

Kudos to WhatsApp, for there is growing discussion around how encryption and anonymity is central to enabling secure online communication which in turn is integral to essential human rights such as those of freedom of opinion and expression.

WhatsApp may have taken encryption to the masses, but here we outline why WhatsApp’s provisioning of privacy and security measures needs a more granular analysis – is the company doing what it claims to be doing? Security issues with WhatsApp’s messaging protocol certainly are not new.

Man-in-the-middle attacks

A study published by a group of German researchers from Ruhr University highlighted issues with WhatsApp’s implementation of its E2EE protocol to group communications. Another paper points out how WhatsApp’s session establishment strategy itself could be problematic and potentially be targeted for what are called man-in-the-middle (MITM) attacks.

An MITM attack takes the form of a malicious actor, as the term suggests, placing itself between the communicating parties to eavesdrop or impersonate. The Electronic Frontier Foundation also highlighted other security vulnerabilities, or trade-offs, depending upon ideological inclinations, with respect to WhatsApp allowing for storage of unencrypted backups, issues with WhatsApp’s web client and also with its approach to cryptographic key change notifications.

Much has been written questioning WhatsApp’s shifting approach to ensuring privacy too. Quoting straight from WhatsApp’s Privacy Policy: “We joined the Facebook family of companies in 2014. As part of the Facebook family of companies, WhatsApp receives information from, and shares information with, this family of companies.” Speaking of Facebook …

Culling out larger issues with WhatsApp’s privacy policies is not the intention here. What we specifically seek to explore is right at the nexus of WhatsApp’s security and privacy provisioning clashing with its marketing strategy: the storage of data on WhatsApp’s servers, or ‘blobs,’ as they are referred to in the technical paper. Facebook’s rather. In WhatsApp’s words: “Once your messages (including your chats, photos, videos, voice messages, files and share location information) are delivered, they are deleted from our servers. Your messages are stored on your own device.”

In fact, this non-storage of data on their ‘blobs’ is emphasizes at several other points on the official website. Let us call this the deletion-upon-delivery model.

A simple experiment

While drawing up a rigorous proof of concept, made near-impossible thanks to WhatsApp being a closed source messaging protocol, a simple experiment is enough to raise some very pertinent questions about WhatsApp’s outlined deletion-upon-delivery model. It should, however, be mentioned that the Signal Protocol developed by Open Whisper Systems and pivotal in WhatsApp’s rolling out of E2EE is open source. Here is how the experiment proceeds:

Rick sends Morty an attachment.

Morty then switches off the data on her mobile device.

Rick downloads the attachment, an image.

Subsequently, Rick deletes the image from his mobile device’s internal storage.

Rick then logs into a WhatsApp’s web client on his browser. (Prior to this experiment, both Rick and Morty had logged out from all instances of the web client)

Upon a fresh log-in to the web client and opening the chat with Morty, the option to download the image is available to Rick.

The experiment concludes with bewilderment at WhatsApp’s claim of deletion-upon-delivery as outlined earlier. The only place from which Morty could have downloaded the image would be from Facebook’s ‘blobs.’ The attachment could not have been retrieved from Morty’s mobile device as it had no way of sending data and neither from Rick’s mobile device as it no longer existed in the device’s storage.

As per the Privacy Policy, the data is stored on the ‘blobs’ for a period of 30 days after transmission of a message only when it can’t be delivered to the recipient. Upon delivery, the deletion-upon-delivery model is supposed to kick in.

Another straightforward experiment that leads to a similar conclusion is seeing the difference in time taken for a large attachment to be forwarded as opposed to when the same large attachment is uploaded. Forwarding is palpably quicker than uploading afresh: non-storage of attachments on the ‘blob’ would entail that the same amount should be taken for both.

The plot thickens. WhatsApp’s Privacy Policy goes on to state: “To improve performance and deliver media messages more efficiently, such as when many people are sharing a popular photo or video, we may retain that content on our servers for a longer period of time.” The technical paper offers no help in understanding how WhatsApp systems assess frequently shared encrypted media messages without decrypting it at its end.

A possible explanation could be the usage of metadata by WhatsApp, which it discloses in its Privacy Policy while simultaneously being sufficiently vague about the specifics of it. That WhatsApp may be capable of reading encrypted communication through the inclusion of a backdoor bodes well for law enforcement, but not so much for unsuspecting users.

The weakest link in the chain

Concerns about backdoors in WhatsApp’s product have led the French government to start developing their own encrypted messaging service. This will be built using Matrix – an open protocol designed for real-time communication. Indeed, the Privacy Policy lays out that the company “may collect, use, preserve, and share your information if we have a good-faith belief that it is reasonably necessary to respond pursuant to applicable law or regulations, to legal process, or to government requests.”

The Signal Protocol is the undisputed gold standard of E2EE implementations. It is the integration with the surrounding functionality that WhatsApp offers which leads to vulnerabilities. After all, a chain is only as strong as its weakest link. Assuming that the attachments stored on the ‘blobs’ are in encrypted form, indecipherable to all but the intended recipients, this does not pose a privacy risk for the users from a technological point of view.

However, it is easy lose sight of the fact that the Privacy Policy is a legally binding document and it specifically states that messages are not stored on the ‘blobs’ as a matter of routine. As a side note, WhatsApp’s Privacy Policy and Terms of Service are refreshing in their readability and lack of legalese.

As we were putting the final touches to this piece, news from WABetaInfo, a well-reputed source of information on WhatsApp features, has broken that newer updates of WhatsApp for Android are permitting users to re-download media deleted up to three months back. WhatsApp cannot possibly achieve this without storing the media in the ‘blobs,’ or in other words, in violation of its Privacy Policy.

As the aphorism goes: “When the service is free, you are the product.”

For more details visit https://cis-india.org/internet-governance/blog/asia-times-april-20-2018-aayush-rathi-sunil-abraham-what-s-up-with-whatsapp

Nasscom chief saying full data protection isn’t possible should wake us from our digital slumber

praskrishna — 2017-03-17T01:47:25Z

Considering India is rapidly moving towards a digital economy, the hurdles not withstanding, data and identity security are topics which have to be taken very seriously. Since the demonetisation, a large part of the population who would never bother with digital transactions has suddenly come online. But there is no such thing as complete security of personal data, according to Nasscom chief R Chandrashekhar.

This was published by First Post on March 16, 2017. Pranesh Prakash was quoted.

Attending the World Consumer Rights Day, R Chandrashekhar said that personal data of online consumers cannot be completely secure and stressed on the need to have strict enforcement of consumer protection laws. Speaking to PTI, Chandrashekhar said, “More than 3 million credit card data details were misused recently. Let us face it, these kind of security breaches will take place. There is nothing called fully perfect security in IT.”

It’s high time we call a spade, a spade

R Chandrashekhar, President Nasscom. Image: PIB

Coming from the head of Nasscom, this announcement pertaining to security is very important. According to Chandrashekhar one cannot expect complete cyber security, but there are definitely ways in which such attacks and incidents can be minimised. He very rightly said that that protecting the online consumer data, specially looking at how rapidly e-commerce is growing in the country, is of prime importance.

One cannot help but agree with Chandrashekhar, specially considering the fact India does not have a privacy law ecosystem that is present in countries such as the US and the UK, where online consumer protection is taken very seriously. Germany and other EU nations have always been at the forefront, when it comes to protecting data privacy, and it has ensured that consumer-facing technology companies do not run roughshod when it comes to protecting user data.

Chandrashekhar stated that there was no need for separate regulations for e-commerce sites, but the priority was ensuring means to enforce consumer laws in the digital world.

Lack of dedicated privacy laws

According to cyberlaw and cybersecurity expert, Pavan Duggal, “Going forward, there is an urgent need for India to take a strong view on privacy in terms of legislative frameworks. Unfortunately, at the time of writing, India does not have a dedicated law on privacy.”

Image: Foamy Media

Social media websites for instance have a lot of user data. But what happens when they suddenly change their privacy policies? For instance, a lot of users signed on to WhatsApp when it was an independent company. But post the Facebook acquisition, there have been a lot of instances where WhatsApp has updated its terms and conditions to suit its parent Facebook.

That’s not completely illegal one may say. Loss of privacy is a price you pay for free services. But what if, I as a consumer of WhatsApp do not want the app to share any of my data with Facebook? The only option I am left with is to delete WhatsApp. But then again, I do not know if my data is also deleted from WhatsApp servers or it has already been shared. Social media apps, only let you know what updates are being added. Consent is only required to update the app. You can stall that, up to a point. But there will come a time when you will have to update an app. Then by default you have given approval to all the terms and conditions associated with the app.

Two students had challenged WhatsApp’s revision to its privacy policy before Delhi High Court. The Court dismissed the petition insisting that users could opt out by deleting their accounts.

When a similar challenge was mounted before the authorities in UK, Facebook had to put a pause on their data sharing – and this was because of its strong data protection policy. Under the UK data protection law, the company has to inform the authority established under the Act of any changes in the use of user data. In the case of WhatsApp, the UK authority objected to such sharing.

Aadhaar – the 12-digit biometric storehouse

Aadhaar card is being used for many financial and non financial transactions. Also the Aadhaar number associated with an individual also holds a lot of personal and biometric data. So when recently, there was news about a possible Aadhaar data breach when UIDAI filed a police complaint against Axis Bank, business correspondent Suvidhaa Infoserve and e-sign provider eMudhra, it was naturally a shock to many.

Unlike a password which can be changed, with biometric information there is no scope to do that if it is compromised. Although UIDAI claims that there are multiple levels of security and firewalls to ensure there is no breach of Aadhaar information of an individual, one can only hope that it is robust enough to withstand any attack. Collection of biometric data by the government to form a database, for instance, was debated and ultimately not used in the UK.

Pranesh Prakash, policy director of the Centre for Internet and Society, expressed concern about the pace at which we are progressing when it comes to having a legal and regulatory framework when it comes to the Digital India push. “While the security architecture of Aadhaar Enabled Payment Systems (AEPS) might in itself be good, the idea of providing your fingerprints to merchants for financial transactions is a terrible idea since that is like asking you to give your bank password to a merchant, and the merchant can reuse that password, and you can’t ever change the password,” said Prakash.

Enforcing the correct processes

Last year, a malware affected the systems of Hitachi Payment Services, which provides back end services to ATM machines and Point of Sale nodes across India. As a result of this, around 32 lakh debit cards were compromised including those issued by SBI, HDFC, Yes Bank, Axis, BOB and ICICI. Security experts and consultants have pointed out various holes in the electronic transaction systems in place in India. Intel has also warned that ATM machines in India are vulnerable to malicious attacks. Intel points out that countries in the Asia Pacific region are developing and are particularly vulnerable because of old systems and machines being used.

Image: REUTERS/Amit Dave

According to Mahesh Patel, president and group CTO, AGS Transact Technologies this was more of a governance issue of the data centre than any technical error. “It is not about the software, but it is about the processes and procedures you put in place to ensure that the system is secure. Everything from physical security to computing security to admin management, etc should be process driven. So somewhere there could have been a weak link there. Cloud has to be secure and encrypted which suffices the use case of payments. This cloud is different from the ones used by e-commerce sites to display all their products,” said Patel.

We may have the best of software and security measures, but ensuring that they are implemented the right way is equally important. Plugging the loopholes in current regulations is also important.

Existing laws and regulations, not enough

According to Duggal, “The Information Technology Act, 2000 hardly has effective provisions to protect any data and personal privacy in the digital ecosystem. The Indian Government needs to come up with strong privacy law which can protect both personal privacy and data privacy in an effective manner.”

One may find it really shocking to hear the head of Nasscom saying something to the extent that full data protection for online consumers is not possible, but there is definitely truth to the matter. It will require concerted efforts from not only regulators, governments, digital wallet players and banking industry to come up with these privacy laws, but also you the consumer has to ensure that you are aware of the dangers lurking in the digital world. Educating oneself of the various ways in which your data can be compromised is a good way to protect your online self.

Because, let’s face it, for all practical purposes if you are online, your privacy is dead.

For more details visit https://cis-india.org/internet-governance/news/first-post-march-16-nimish-sawant-nasscom-chief-saying-full-data-protection-isnt-possible-should-wake-us-from-our-digital-slumber

India WhatsApp Privacy Fight May Affect Multinationals

praskrishna — 2017-02-02T02:28:23Z

The Indian Supreme Court’s review of Facebook Inc.'s and WhatsApp Inc.'s data security practices may lack teeth but also presages a desire for a stronger privacy regime and oversight of multinationals, internet and privacy specialists told Bloomberg BNA.

The article by Nayanima Basu was published by Bloomberg BNA on February 1, 2017. Pranesh Prakash was quoted.

WhatsApp revised its privacy policy in August 2016 to share data with owner Facebook and allow targeted ads and messages from businesses, laying the groundwork for the free messaging service to monetize such data. But a public interest complaint, akin to a class action in the U.S., filed by two Indian students and regulatory inquiries have resulted in India’s top court asking Facebook and WhatsApp about their data protection practices.

The court’s move Jan. 17 to seek the information may make multinational companies jittery, Rahul Khullar, former secretary of commerce for India’s Ministry of Commerce and Industry, told Bloomberg BNA. Although stronger data privacy enforcement is needed, all the high court has done is aggravate Facebook and other large multinationals, he said.

Facebook is the second largest media company in the world with a $367 billion market capitalization, Bloomberg data show. It acquired WhatsApp in 2014 for approximately $18 billion, data show. Facebook didn’t immediately respond to Bloomberg BNA’s e-mail request for comments.

Khullar, who is also the former chairman of the Telecom Regulatory Authority of India, said multinationals need to be more careful in sharing their data because of the “distinction between digital non-commercial data and digitally sensitive data,” he said. A strong national data privacy law would resolve some of these issues, he said.

An U.S. official based at the U.S. Embassy in New Delhi, speaking on background, told Bloomberg BNA that any maneuver that restricts the free flow of data may harm the operations of U.S.-based multinationals and similar companies.

Clarity, Stronger Laws Needed

Some internet and privacy specialists say that Facebook and WhatsApp failed to provide effective data protection under Indian law.

Pranesh Prakash, policy director at the nonprofit digital technologies advocate Centre for Internet and Society, told Bloomberg BNA that Facebook and WhatsApp are in violation of Section 43A of the Information Technology Act that lays out “reasonable security practices and procedures.”

Indian citizens are reaching out to the courts for data protection enforcement because lawmakers have “failed to do so,” he said. That highlights the need for robust data protection laws in India and, he said, hopefully “goads the government and Parliament into enacting a privacy and data protection law.”

In lieu of further legislative action, companies may be able to resolve some issues by establishing clearer privacy policies, Niraj Gunde, a Mumbai-based attorney and consumer advocate, told Bloomberg BNA. Most software agreements have a clandestine clause that allows companies to access user data, but those agreements should also state how the data will be used, stored and eventually disposed of, he said.

For more details visit https://cis-india.org/internet-governance/news/bloomberg-bna-february-1-2017-nayanima-basu-india-whatsapp-privacy-fight-may-affect-multinationals

Tech companies like Gmail, WhatsApp may be asked to store user information

praskrishna — 2016-10-14T01:12:14Z

The government is moving to formulate rules that will require technology ‘intermediaries’— including email services like Gmail, chat apps such as WhatsApp and Snapchat or even ecommerce firms like Amazon — to retain user information, a development that is expected to be met with determined opposition.

The article by Surabhi Agarwal was published in Economic Times on October 14, 2016. Pranesh Prakash was quoted.

What the government is looking to do now is draft rules for Section 67C of the Information Technology Act, and this will be done by a committee that has been set up for the purpose. The rules — whose drafting has been waiting since 2008 — will spell out what type of data has to be stored, in which format, and for how long, according to three members of the newly-formed committee. All this so that law-enforcement agencies can access the information if they need it.

Sharing of information between foreign firms and the Indian government has been a contentious issue, and experts said the mandate may be impossible to implement for firms such as WhatsApp that promise end-to-end encryption. Or for Snapchat – a chat app where messages disappear within seconds and are not even stored on the company’s servers.

Firms may also oppose the diktat, especially since most of them are not governed by Indian laws and also due to the high cost of data retention.

The committee is headed by additional secretary in the ministry of electronics and IT (MEITY), Ajay Kumar, and has one representative each from the ministry of home affairs, department of telecom, department of personnel and training, Nasscom, Internet Service Provider Association of India (ISPAI), along with an advocate specialising in cyber law and a few officers from MEITY. The first meeting of the committee took place in the last week of September.

“This is a fairly complex issue, compounded by the general lack of understanding of mobile apps and over the top service providers,” said a person on the committee who did not wish to be identified. This person said that most technology players are based in the United States and they have always been at loggerheads about sharing of information with the government. “Even if it is for national security reasons, how much are these companies answerable to the Indian security establishment? And we do know how Apple refused to unlock the phone even for FBI."

Google and Facebook did not respond to requests for comment.

‘Huge balancing act’

Supreme Court lawyer and cyber law expert Pavan Duggal said the section has been drafted in very “broad” terms and the move may be driven by the realisation that these companies are huge data repositories – some of which might be relevant to law enforcement investigations. “It will have to be a huge balancing act and will be interesting to see what this committee decides,” added Duggal.

While Section 67C refers to the obligation of the service providers to retain information, the nature of the data to be retained and the time period is not specified. Companies which do not comply with the law can be levied fine and its officers sent to jail.

Another member on the committee said the ambit of this task is huge. “In the last meeting we argued that the rules should be the same for everybody and there should be no differential treatment for foreign companies such as Google or Microsoft,” he said. This person said that ambiguity is rampant as various government arms have different sets of rules for data retention.

For instance, the Department of Telecommunications (DoT) asks for data to be stored for six months, while the Registrar of Companies mandates some information to be retained for one year while the income-tax rules mandate data storage for six-seven years. “There has only been one meeting so far. It is a long procedure and will require several rounds of consultation,” said a third person on the committee.

Privacy activists like Pranesh Prakash of the Centre for Internet and Society said that one of the principles that’s frequently cited while discussing international practices on surveillance is that data retention should not be required of service providers.

And internationally too, there is no standard on this issue. “There were norms at the European Union-level regarding data retention, but they were struck down in 2014 by the European Court of Justice as being violative of human rights,” he said.

For more details visit https://cis-india.org/internet-governance/news/economic-times-october-14-2016-surabhi-agarwal-tech-companies-like-gmail-whatsapp-may-be-asked-to-store-user-information

An 'app'ening world

praskrishna — 2016-10-05T00:24:19Z

A ‘forward’ has been doing the rounds on WhatsApp about the privacy concerns relating to that instant messaging app; it’s asking for permission to share user data with Facebook.

The article by Chetana Divya Vasudev was published in Deccan Herald on October 4, 2016. Rohini was quoted.

In the WhatsApp notification, asking users to agree to the terms and conditions again, the option to share these user details to help improve ads on Facebook is already selected. Those who are uncomfortable parting with this information have to uncheck it before clicking on the ‘I agree’ button.

“Agreeing to this would mean Facebook can see who you’re chatting with and what you’re talking about,” says tech expert Chinmayi S K. “So if you’re talking about cat adoption, the ads displayed on the side could be relevant to that.”

When it comes to other smartphone apps, she cites Zomato as an example. “It has been asking for user history — previous orders and other such details — to make recommendations,” she says. “This comes with the app update. Tinder, too, is asking for your location using wifi, which is more accurate than the GPRS location.”
It’s alright to agree to these permissions, she says, so long as you’re aware of what you’re signing up for and how that data is going to be used.

If you have qualms about agreeing to this, there are usually alternatives you can find, adds Rohini Lakshane, program officer, Centre for Internet and Society. “If not, it’s usually a trade-off: you have to see how much you want the app,” she points out.

There are, however, other apps that might be duplicates asking for access to your device or files, cautions Chinmayi.

“If a cooking app, a simple one that gives you recipes, asks for your call logs or other files, for example,” she says.

A discerning user, interjects Rohini, will check for permission to access files or functions that are not strictly necessary for the features the app supports. “I don’t want to name anything but some e-commerce and travel apps ask to access your browsing history and the other apps or networks you’re connect to. It could be to serve you contextual ads or content, like Zomato, or to sell it to someone. You never know,” she says. However, some devices or versions of the Android OS let you control what permissions you enable, she informs.

Aeronautical engineer Pavan Raj P V says he takes care not to compromise on his safety, whenever possible. “But there are a few apps that I have on my phone no matter what — Facebook, WhatsApp, LinkedIn, Instagram. Most of them auto-update and require no extra permissions.”

However, he has noticed that LinkedIn asks for access to Gmail contacts that you could accidentally accept “if you’re logging in mechanically”.

Varsha C V, communications specialist at Karnataka State Highways Improvement Project, says, “Last month, my husband asked me to download a Google app for free calls that required all sorts of permissions, such as access to your phone logs. When Skype offers the same features without asking for all this, why should anyone use this app?”

She believes privacy in India is not taken as seriously as it should be. “You should keep in mind that if you’re giving them access to your contacts, you’re also compromising on others’ privacy,” she points out.

Lokanand, a sound engineer, admits to not paying attention to what he’s giving apps access to. “I’m no expert but if you ask me, you download apps because they are useful. So I don’t really bother about what I’m saying yes to.”

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-chetana-divya-vasudev-october-4-2016-an-appening-world

WhatsApp ruling: Experts seek privacy law

praskrishna — 2016-09-27T02:35:06Z

On August 25, Whatsapp updated its policy to share user content with social network; the decision opened new monetisation models for the messaging app.

The article by Apurva Venkat and Moulishree Srivastava quoted Sunil Abraham. It was published in the Business Standard on September 24, 2016.

The recent Delhi High Court ruling that messaging app Whatsapp cannot share user data highlights the need for legislation on privacy, according to experts.

On August 25, Whatsapp, a platform with 70 million users in India that was acquired by Facebook in 2014, updated its policy to share user content with the social network. The decision opened new monetisation models for the messaging app.

In response to a PIL, the court ordered WhatsApp to delete data of users who chose to opt out of its policy changes before September 25. It also orderedWhatsApp not to share data collected before September 25 with Facebook for users who had not opted out.

"The decision makes a strong statement on privacy," said Sunil Abraham, executive director of the Centre for Internet Society. According to him, a user trusts a platform and provides access to his data. As another firm acquires the platform, it gains access to the data.

"Facebook owns Whatsapp. It has to look at ways of monetising it," said Nikhil Pahwa, co-founder of SavetheInternet.in.

"With so much digital data being generated, there is a need for a privacy law in the country," said Pahwa.

"Facebook's consent interface is confusing. It can make a person who wants to opt out let the company access his data," said Abraham, adding a law would take care of such intricacies. The government is working on a privacy bill.

Saroj Kumar Jha, partner, SRGR Law Offices, said there were few judgments on privacy in India based on constitutional rights.

"While the Information Technology Act enables courts to pass judgments on global companies on privacy, enforcing the orders is difficult," he said.

"What is required is a privacy law that can protect user data and uphold the individual's right to privacy," he added.

For more details visit https://cis-india.org/internet-governance/news/business-standard-september-24-apurva-venkat-and-moulishree-srivastava-whasapp-ruling-experts-seek-privacy-law

When the war’s on WhatsApp

praskrishna — 2016-09-25T16:36:01Z

Slick, jingoistic videos are whipping up pro-war rhetoric on social media after the Uri terror attack.

The article by Manju V was published in the Times of India on September 25, 2016. Nishant Shah was quoted.

It packs a meaner punch than any 140-character tweet. In 140 jingoistic seconds, the cleverly packaged YouTube film veers from Mohammed Rafi to Chandra Shekhar Azad drumming up pro-war rhetoric to avenge the Pathankot attack. Set to the tone of chirping crickets on a moonlit night somewhere along the western border that India shares with its neighbour, the short film has two armymen in fatigues deliberate over the absolute need to respond with a counter attack. It ends in a staccato military drumbeat with a voiceover quoting Azad: "If yet your blood does not rage, then it is water that flows in your veins."

Posted about 10 days after the Pathankot attack in January, the video was resurrected last week after the country woke up to the Uri attack that killed 18 Indian soldiers in the deadliest assault on security forces in Kashmir in over two decades. Even as photographs of a grenade smoke-filled valley, tricolour-draped coffins, grieving sons, daughters and widows made the rounds in media outlets scores of Indians marched onto social media, some armed with incendiary prose and other with slick videos that expressed more anger than anguish.

In another video doing the rounds, a jawan, or someone in uniform, sings a poem warning Pakistan. His mates join in the refrain: "Kashmir toh hoga, lekin Pakistan nahi hoga."

These videos of jawans threatening to decimate Pakistan were shared by thousands. WhatsApp profile pictures and statuses were changed, Facebook posts got longer and vitriolic, Twitter #UriAttack exploded with expletives as the enough-is-enough sentiment peaked. It heralded the beginning of an era where the dynamics of Indo-Pakistan relations will play out not just in the diplomatic corridors of Delhi and Islamabad, the valley of Kashmir or the barracks of security forces; but also on the mobile phones, tablets and laptops of millions of Indians.

When contacted for a comment, the makers of the war-mongering 'Pathankot Tolerance' video didn't endorse war outright. "My individual opinion is that war is not a solution," said producer Santosh Singh, who heads the Mumbai-based V Seven Pictures. "Before we resort to war, we have to solve our internal problems. How can we let infiltration take place so blatantly?" he asked. Why then does the video not talk about this? Singh said that when one hears about such attacks, the instant reaction is to retaliate. "The video is based on that sentiment."

An electronics engineer, Singh also owns an IT recruitment firm. His film production company, which he runs along with his friend Vivek Joshi, made the Mauka Mauka World Cup video that went viral and also produces short films and videos for clients. "We have no political affiliations, in fact we turned down a couple of political parties who approached us," says Singh, adding that his company has made 30-35 films in less than two years. "Of these, about 10 are on issues close to our heart, like those on Afzal Guru and the Pathankot attack. We upload them on YouTube, they are aired without ads. We don't earn money from them," he adds.

Ugly gets outlet

Nitin Pai, director of Takshashila Institution, an independent centre for research and education in public policy, says that social media and some television studios have enabled people to express their subconscious fears and desires. "It is not just today that the people of India have been angry with Pakistan for fomenting terrorism in our country. But it is only now that they have ways to express this anger; unfortunately, social media dynamics amplify this anger in a grotesque, distorted manner, allowing the ugly and less-sensible views to rise to the top of the public discourse," said Pai.

Tracing the many origins of this phenomenon, psychiatrist Harish Shetty says that in an angst-ridden, globalized world, we need a whipping boy. "With the Uri attacks, the entire nation had a common enemy. In expressing collective anger, there's catharsis." The current outpouring is not just over the deaths of soldiers; such an incident also opens up older wounds, he says. "For a long time, Indians have found their leaders to be helpless. It's like a family that is attacked again and again by a neighbour, but the father does nothing about it. There has been a lack of strong response from 'papa figures' across time, which has led to a sense of anger and rage. After the Uri attacks, the collective self-esteem of the country took a beating, and people felt a need to assert themselves on social media. At such times strong action is viewed as legitimate, valid and free of guilt," he adds.

Amplifying angst

If social media brought together protesters in Tunisia and Egypt during the Arab spring, in democratic India it has turned into a platform for expressing mass disenchantment with the government, especially in the wake of such attacks.

Social media plays several roles in times of crises, says Nishant Shah, professor of digital media and co-founder of the Centre for Internet & Society, Bengaluru. One, it amplifies what is already being said in friend circles and living-room conversations in front of the telly, but spreads it to a larger audience. "The second role it plays is distribution: social media allows people to inherit other people's opinions, thus exposing them to new ways of thinking but also find corroborators for their own viewpoints," he says. The third is catalysis — social media also has the capacity to generate new information. "The format creates new kinds of truths. Things that can be caught in Snapchat videos, or visuals which can be remixed, all become a part of this zeitgeist," Shah says.

Virtual wars

But in India at least, social media is no indicator of considered public opinion, points out Pai. Shah adds: "What we are seeing is a filter bubble of a privileged set of people who are engaging in this debate."

Then again, what's said on social media needn't be endorsed in real life. Vivek Joshi, who wrote and directed the Pathankot video, says nobody in the world would want a war. "But when it comes to the lives of our soldiers, an answer has to be given. If the government had taken any visible action, then there would have been no need to put out a video like this," Joshi adds. And therein probably comes the new-age heuristic of venting out on social media.

For more details visit https://cis-india.org/internet-governance/news/times-of-india-september-25-2016-manju-vi-when-the-war-is-on-whatsapp

We Truly are the Product being Sold

vidushi — 2016-09-01T02:08:37Z

WhatsApp has announced it will begin sharing user data such as names, phone numbers, and other analytics with its parent company, Facebook, and with the Facebook family of companies. This change to its terms of service was effected in order to enable users to “communicate with businesses that matter” to them. How does this have anything to do with Facebook?

The article was published in the Hindustan Times on August 31, 2016.

WhatsApp clarifies in its blog post, “... by coordinating more with Facebook, we’ll be able to do things like track basic metrics about how often people use our services and better fight spam on WhatsApp. And by connecting your phone number with Facebook’s systems, Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them.”

WhatsApp’s further clarifies that it will not post your number on Facebook or share this data with advertisers. This means little because it will share your number with Facebook for advertisement. It is simply doing indirectly, what it has said it won’t do directly. This new development also leads to the collapsing of different personae of a user, even making public their private life that they have so far chosen not to share online. Last week, Facebook published a list of 98 data points it collects on users. These data points combined with your WhatsApp phone number, profile picture, status message, last seen status, frequency of conversation with other users, and the names of these users (and their data) could lead to a severely uncomfortable invasion of privacy.

Consider a situation where you have spoken to a divorce lawyer in confidence over WhatsApp’s encrypted channel, and are then flooded with advertisements for marriage counselling and divorce attorneys when you next log in to Facebook at home. Or, you are desperately seeking loans and get in touch with several loan officers; and when you log in to Facebook at work, colleagues notice your News Feed flooded with ads for loans, articles on financial management, and support groups for people in debt.

It is no secret that Facebook makes money off interactions on its platform, and the more information that is shared and consumed, the more Facebook is benefitted. However, the company’s complete disregard for user consent in its efforts to grow is worrying, particularly because Facebook is a monopoly. In order for one to talk to friends and family and keep in touch, Facebook is the obvious, if not the only, choice. It is also increasingly becoming the most accessible way to engage with government agencies. For example, Indian embassies around the world have recently set up Facebook portals, the Bangalore Traffic Police is most easily contacted through Facebook, and heads of states are also turning to the platform to engage with people. It is crucial that such private and collective interactions of citizens with their respective government agencies are protected from becoming data points to which market researchers have access.

Given Facebook’s proclivity for unilaterally compromising user privacy, the Federal Trade Commission (FTC) in 2011 charged the company for deceiving consumers by misleading them about the privacy of their information. Following these charges, Facebook reached an agreement to give consumers clear notice and obtain consumers’ express consent before extending privacy settings that they had established. The latest modification to WhatsApp’s terms of service seems to amount to a clear violation of this agreement and brings out the grave need to treat user consent more seriously.

There is a way to opt out of sharing data for Facebook ads targeting that is outlined by WhatsApp on its blog, which is the best example for a case of invasion-of-privacy-by-design. WhatsApp plans to ask the users to untick a small green arrow, and then click on a large green button that says “Agree” (which is the only button) so as to indicate that they are opting-out. The interface of the notice seems to be consciously designed to confuse users by using the power of default option. For most users, agreeing to terms and conditions is a hasty click on a box and the last part of an installation process. Predictably, most users choose to go with default options, and this specific design of the opt-out option is not meaningful at all.

In 2005, Facebook’s default profile settings were such that anyone on Facebook could see your name, profile picture, gender and network. Your photos, wall posts and friends list were viewable by people in your network. Your contact information, birthday and other data could be seen by friends and only you could view the posts that you liked. Fast forward to 2010, and the entire internet, not just all Facebook users, can see your name, profile picture, gender, network, wall posts, photos, likes, friends list and other profile data. There hasn’t been a comprehensive study since 2010, but one can safely assume that Facebook’s privacy settings will only get progressively worse for users, and exponentially better for Facebook’s revenues. The service is free and we truly are the product being sold.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-vidushi-marda-august-31-2016-we-truly-are-the-product-being-sold

It's That Eavesdrop Endemic

praskrishna — 2016-07-30T15:45:31Z

Whatsapp Says It’s Snoop-Proof Now, But There’s Always A Way In

The article by Arindam Mukherjee was published in Outlook on July 25, 2016. Pranesh Prakash was quoted.

Lock and Key

WhatsApp says it has end-to-end encryption, so no one, not even WhatsApp, can snoop into calls.

Experts say any encryption can be broken by security agencies. Android phones can also get infected by malware.

For years, a Delhi power-broker used to call from nondescript landline numbers, changing them ever so often. Of late, he has started using WhatsApp calls for ‘sensitive’ conversations. He’s not alone. WhatsApp has revealed that over 100 million voice calls are being made on the social network every day. That’s over 1,100 calls a second! India is one of the biggest user bases of WhatsApp. And many Indian users are making the app their main engine for voice calls.

One reason for this shift is that WhatsApp calls are seen to be essentially free (though they indeed have data charges). But for a lot of people, the chief allure lies in the touted fact that WhatsApp calling is far more secure than mobile calling. In April, the app introduced end-to-end encryption for its messages and voice calls.

Consequent to this, Sudhir Yadav, a Gurgaon-based software engineer filed a PIL in the Supreme Court seeking a ban on WhatsApp on the grounds that its calls are so safe that it could be misused by ‘terrorists’. Last month, a court in Brazil issued orders to block WhatsApp for 72 hours after it failed to provide the authorities access to encrypted data.

Are WhatsApp calls really impenetrable? WhatsApp believes so and says that the encryption key is held by the two persons at the two ends of the message or call and no one, not even the company, can snoop in. “The calls are end-to-end encrypted so WhatsApp and third parties can’t listen to them,” a WhatsApp spokesperson told Outlook. This is precisely Yadav’s concern. “Because the encryption is end to end, the government can’t break it and WhatsApp cannot provide the decryption key,” he says.

However, experts do not buy this argument. They believe everything on the Internet is vulnerable. “Anything that uses a phone number is vulnerable,” says Kiran Jonnalagadda, founder of technology platform HasGeek. “Anyone can impersonate the phone number by getting a duplicate SIM and get access to a phone. There are also bugs in the system which security agencies use.”

WhatsApp uses a person’s phone number to open an account and authenticate a user. So, if the government or a security agency wants to get access to a WhatsApp call, it would be very easy. “Telecom companies cannot access these calls as they are encrypted before they reach the network. But the government can. It just has to replicate a SIM to access any number and its messages or voice calls,” says Aravind R.S., a volunteer for Save the Internet campaign and founder of community chat app Belong,

There are other modes of attack as well. It is a given that Android phones, which form the majority of mobile phones used in India today, are most vulnerable to malware attacks. So, even if the app itself is secure, the device is not and if the device is attacked, just about everything in it can be tapped into. For instance, there’s the ‘man in the middle’ mode of attack, where a third person gets into a call and mirrors the messages to both the sides and relays the messages or calls to a different server. There is also the SS7 signalling protocol that can help hackers get into networks and calls. These attacks can make even a WhatsApp encryption vulnerable.

Security agencies and hackers routinely implant viruses into the phones of people they are monitoring. Once a phone is “infected”, everything is accessible. And Android phones are extremely prone to attacks from malware. “It's not perfectly secure, especially if there is any virus in an Android phone, which is what security agencies work with. They have many more ways to get into a phone. There is no defence against that,” says Aravind,

Experts believe it is possible that US intelligence agencies like the FBI and the NSA may have access to or are capable of breaking into even the WhatsApp encryption. This is proven by the recent incident where the FBI, after being refused by Apple to open up an iPhone used by a terrorist, broke into the phone by itself.

“If you are on the NSA list, there is nothing you can do to protect yourself,” says Pranesh Prakash, policy director with the Centre for Internet and Society. “They will find a way to get into your phone. In WhatsApp, many things like photographs and videos are not encrypted; these can get access to a person’s account.”

In India, the debate on access to encrypted phones has been on since the government engaged with Blackberry a few years ago. “There is no law governing an Over The Top (OTT) service like WhatsApp. If the government orders decryption of a call and WhatsApp cannot comply, it will become illegal,” says cyber lawyer Asheeta Regidi. The government’s seeming comfort level with all this legal ambiguity is yet another indicator that all is not what is seems with WhatsApp. As for callers, they would do well to speak discreetly on any network.

For more details visit https://cis-india.org/internet-governance/news/outlook-july-25-2016-arindam-mukherjee-its-that-eavesdrop-endemic

You will need a license to create a WhatsApp group in Kashmir

praskrishna — 2016-04-21T02:34:46Z

The internet rights activists have criticised the move stating it as unconstitutional.

The article was published by Governance Now on April 19, 2016. Pranesh Prakash tweeted on this.

Moving beyond internet ban, Kashmir’s Kupwara district issued a notice asking all admins of WhatsApp news groups to register their groups with the district authority within ten days.

With this move, the authorities are taking power in their hands to monitor WhatsApp news groups owned by private individuals. However, internet rights activists criticised it saying the move is unconstitutional as it breaches freedom of speech.

The circular is issued under the subject of ‘registering of WhatsApp news group and restrictions for spreading rumours thereof’. The district magistrate said that any spread of information by these WhatsApp news groups, “leading to untoward incidents will be dealt under the law”.

You may need a license in Kashmir to run a WhatsApp group

The valley witnessed five-day internet shutdown following the Handwara firing incident. Internet ban is a common phenomenon in Kashmir.

“For how long will the government decide whether we can communicate with each other or not? Actually, the authorities do not want us to spread the truth about the army’s atrocities far and wide,” said a resident of Handwara as quoted in Kashmir Reader.

Earlier, parts of Haryan and Gujarat also witnessed internet ban during Jat and Patidar agitation, respectively.

Blocking all internet access is clearly an unnecessary and disproportionate measure that cannot be countenanced as a ‘reasonable restriction’ on freedom of expression and the right to seek and receive information, which is an integral part of the freedom of expression,” said Pranesh Prakash.

For instance, he adds, a riot-affected woman seeking to find out the address of the nearest hospital cannot do so on her phone. “Instead of blocking access to the internet, the government should seek to quell rumours by using social networks to spread the truth, and by using social networks to warn potential rioters of the consequences,” he said.

Former Mumbai police commissioner Rakesh Maria used WhatsApp to counter rumours spread after circulation of a fake photo in January 2015.

“The way in which the ban is imposed is unreasonable. Problem is in the method that is being used in absence of guidelines, defining circumstances under which they can impose a restriction on internet sites,” says Arun Kumar, head of cyber initiatives at Observer Research Foundation (ORF).

If government formulates these rules or guidelines it will set a threshold for state or central authorities, which will define the urgency of imposing ban on internet services.

For more details visit https://cis-india.org/internet-governance/news/governance-now-april-19-2016-you-will-need-a-license-to-create-whatsapp-group-in-kashmir