Is Traceability a Privacy Concern? Dissecting the India-WhatsApp Feud

India’s new law looks to use traceability to stop the spread of unlawful conduct and misinformation over social media, but some experts are concerned over what this means for the future of data privacy and encryption.

Earlier this year, India’s Ministry of Electronics & IT (MEITY) announced new guidelines for popular social media companies such as Facebook, Twitter, and Google. The new policy dictates, among other things, that the companies will be required to acknowledge and comply with India’s takedown requests of “unlawful, misinformation, and violent content within 24 hours.” India provided a three-month grace period to become fully compliant with the new requirements, but some tech companies are concerned that this new law could have serious privacy implications.

What is the new law?

This new rule has various moving parts. The first is a requirement for all tech companies to fill three new roles, all of which would be based in India. The first role is a compliance officer, who would ensure that local Indian law is followed. The second role is a grievance officer, who will address complaints from users in India, and the third role is a contact person, who would be available to India’s law enforcement 24/7.

Outside of the new roles, the law also calls for the tech companies to publish compliance reports every six months, but none of these policies have caused true contention. The prevalent rift between the tech giants and India is the requirement for tech companies to trace the “first originator” of a problematic post or message, upon the request of law enforcement.

This requirement troubled a lot of tech companies, who were concerned that traceability would kill end-to-end encryption (more on this below), so when India asked the social media companies to become fully compliant on May 25, 2021, it was met with resistance. WhatsApp, the popular messaging app owned by Facebook, challenged the new policy, asking the High Court of Delhi to find the requirement of tracing an “originator” unconstitutional.

What is Traceability/Originator?

In simple terms, traceability is the ability to trace the origin of a message. Applied to a social media context, this requirement would oblige social media sites to trace a particular message or post back to whoever first created or shared it. Traceability is not a new concept and it has practical uses in various industries. For example, a pharmaceutical company will use traceability to track its medicine from where it is made all the way to the store it ends up in. That way, if a bad batch of pills is sent out, the company can use traceability to find the bottle and the factory it came from, and prevent any more faulty products from being sent out.

Why does WhatsApp dislike Traceability?

A WhatsApp spokesperson stated that they filed this lawsuit over the concern that “requiring messaging apps to trace chats is the equivalent of asking us to keep a fingerprint of every single message sent on WhatsApp, which would break end-to-end encryption and fundamentally undermines people’s right to privacy.”

What is end-to-end encryption?

End-to-end encryption is a system of communication where a message can only be read by the sender and the person who receives the message. The key to decrypt the message is stored only on the users’ phones, which prevents law enforcement, an internet provider, and even WhatsApp itself from viewing that message. Preventing a tech company from accessing messages sent on its own platform is what separates end-to-end from normal encryption. With regular encryption, the service works as a middleman: it decrypts and re-encrypts the message as it goes from user to user, which gives the tech company access to the message. WhatsApp has been using end-to-end encryption since 2016.

The greatest benefit of end-to-end encryption is that it makes your message more secure from hackers and provides a high level of privacy, since only the sender and receiver can read the message. By contrast, if a company such as WhatsApp were to decrypt your message, that would create a possible security risk for the message if WhatsApp’s servers were hacked or compromised. But if the message is encrypted end-to-end, there would be no point in a hacker intercepting your message at the halfway point, since it would still be encrypted. However, the greatest benefit of end-to-end encryption is also the source of its biggest criticism. The main argument against end-to-end encryption is that it also creates an ideal method for criminals to communicate. If a company were to use regular encryption, it could more easily flag and find messages or content that is illegal and put a stop to it.

Does Traceability mean the conclusion of end-to-end encryption?

WhatsApp certainly believes it does. They fear that if they implement traceability, they would be forced to collect and store who-said-what and who-shared-what for the billions of messages their users send every day, forcing them to kill end-to-end encryption. WhatsApp isn’t alone in this belief. A technology policy advocate recently argued that “traceability will compel end-to-end encrypted platforms to alter their architecture in a way that will negatively impact online privacy and security. They will have to develop the ability to track who sent which message to whom, and store this information indefinitely.”

But not everyone agrees with this interpretation of the new policy. India stated in a recent press release that its “intention is not to violate anyone’s privacy and that tracing will only be used for prevention, investigation, or punishment of very serious offenses related to the sovereignty and integrity of India, the security of the state, friendly relations with foreign states, or public order, or of incitement to an offense relating to the above or in relation with rape, sexually explicit material, or child sexual abuse material.” The press release also mentioned that the exact technical solution, whether through encryption or another means, for maintaining privacy while also allowing for traceability, falls on the shoulders of tech companies.

Furthermore, V. Kamakoti, a professor at the Indian Institute of Technology and member of the National Security Advisory Board, recently discussed the technical feasibility of enabling tracing without breaking end-to-end encryption. His main suggestion for how the two can co-exist would be for WhatsApp to encrypt the originator of the information and forward that along with every message, with WhatsApp having the only key. This way the messages will still be end-to-end encrypted, but if law enforcement were to approach WhatsApp with a problematic message, WhatsApp could use its key to decrypt who the originator was. Since this process adds additional encryption for only the originator, it does not break end-to-end encryption.
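
A sketch of the originator-tag scheme described above, as an added example that is not from the article or from the proposal's author. The function names (seal_originator, open_originator, first_send, forward) are hypothetical, the message bodies and account ID are constructed stand-ins for end-to-end ciphertexts and a real identifier, and an HMAC-SHA256 encrypt-then-MAC construction stands in for the vetted AEAD a real system would use so that the code runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

ID_LEN = 32  # fixed width, so tag length reveals nothing about the ID
TAG_LEN = 16 + ID_LEN + 32  # nonce + ciphertext + MAC


def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()


def seal_originator(provider_key: bytes, originator_id: str) -> bytes:
    """Provider, on first send: encrypt-then-MAC the sender's account ID."""
    raw = originator_id.encode()
    if len(raw) > ID_LEN:
        raise ValueError("originator id too long")
    nonce = secrets.token_bytes(16)
    stream = _prf(provider_key, b"enc", nonce)  # 32-byte keystream
    ct = bytes(a ^ b for a, b in zip(raw.ljust(ID_LEN, b"\0"), stream))
    return nonce + ct + _prf(provider_key, b"mac", nonce + ct)


def open_originator(provider_key: bytes, tag: bytes):
    """Provider, on a lawful request: return the ID, or None if the tag is invalid."""
    if len(tag) != TAG_LEN:
        return None
    nonce, ct, mac = tag[:16], tag[16:16 + ID_LEN], tag[16 + ID_LEN:]
    if not hmac.compare_digest(mac, _prf(provider_key, b"mac", nonce + ct)):
        return None
    stream = _prf(provider_key, b"enc", nonce)
    return bytes(a ^ b for a, b in zip(ct, stream)).rstrip(b"\0").decode()


def first_send(provider_key: bytes, sender: str, e2e_body: bytes) -> dict:
    # The provider knows who is sending but only ever sees the opaque body.
    return {"body": e2e_body, "origin_tag": seal_originator(provider_key, sender)}


def forward(envelope: dict, reencrypted_body: bytes) -> dict:
    # The forwarding client re-encrypts the body for the next recipient and
    # copies the tag unchanged; it cannot read or forge it without the key.
    return {"body": reencrypted_body, "origin_tag": envelope["origin_tag"]}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # assumption: held only by the provider
    env = first_send(key, "account-1001", b"<constructed E2E ciphertext 1>")
    hop = forward(forward(env, b"<constructed E2E ciphertext 2>"), b"<constructed 3>")
    print(open_originator(key, hop["origin_tag"]))
```

Nothing in this sketch binds the tag to the message body, so opening a tag shows which account the provider recorded when that tag was issued and nothing about the content it travelled with.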

Where are we now?

As of June 10, 2021, this case has yet to be argued on the floor of the Supreme Court of Delhi. Experts estimate that this case could be heard and decided any day now, but even a decision on the law’s constitutionality doesn’t put the matter to rest. It is yet to be said how WhatsApp will react if India’s new law is upheld, or if WhatsApp will even need to break its end-to-end encryption to comply with the tracing requirement.

About Ardent Privacy

Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with DPB (India), RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.

For more information visit https://ardentprivacy.ai/ and for more resources here.

Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.