What WhatsApp's end-to-end encryption means for India
In the last few days, there has been speculation in news reports and on social media that WhatsApp's new end-to-end encryption policy might have unwittingly made the popular mobile application illegal in India. In this article, I dispel this notion and try to view this development in the context of surveillance laws in India.
The current legal framework allows the government to control encryption and ease access to data in two ways. First, the government can prescribe a limit on the key length of the encryption technology used.
Second, the government can ask service providers to decrypt data and hand it over for law enforcement and national security purposes. With regard to the first, key size plays an important role in the strength of encryption. A 40-bit key offers a low level of security: the key space is small enough that every key can be tried on commodity hardware, so 40-bit encryption is vulnerable to brute-force attacks.
An improvement on this was the Data Encryption Standard (DES), which, like 40-bit encryption, was a symmetric key algorithm, but its 56-bit key size was later judged too small, and the National Institute of Standards and Technology (NIST) withdrew it as a standard.
Brute-force attacks simply try every possible key in turn. The length of the key determines the number of possible keys, and each additional bit doubles that number, so a sufficiently long key makes such attacks infeasible. (Key length is necessary but not sufficient: a long key does not help if the algorithm or its implementation is flawed.) DES was superseded by the Advanced Encryption Standard (AES), which has a block size of 128 bits and key sizes of 128, 192 or 256 bits. WhatsApp, as has been widely reported, will employ 256-bit encryption.
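To make the key-length argument concrete, the following is an added example and not part of the original article: it runs the exhaustive search described above against a constructed toy cipher (HMAC-SHA256 under a short integer key, standing in for any symmetric algorithm whose only weakness is a short key; it is not the algorithm WhatsApp or anyone else uses) and then tabulates how long the same search would take for 40-, 56-, 128- and 256-bit keys at an assumed trial rate of one billion keys per second. The key size, plaintext and rate are all constructed for illustration.

```python
import hashlib
import hmac

# Added illustration (not from the article): an exhaustive key search against a
# constructed toy cipher. The toy "encryption" is HMAC-SHA256 under a key of
# key_bits bits. It stands in for any symmetric algorithm whose only weakness is
# a short key and is not the algorithm WhatsApp or anyone else actually uses.


def toy_encrypt(key: int, key_bits: int, plaintext: bytes) -> bytes:
    """Encrypt with the toy cipher: HMAC-SHA256 keyed by the integer key."""
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    return hmac.new(key_bytes, plaintext, hashlib.sha256).digest()


def brute_force(key_bits: int, plaintext: bytes, ciphertext: bytes):
    """Known-plaintext brute force: try every key in turn until one reproduces
    the observed ciphertext. Returns the key, or None if no key matches."""
    for candidate in range(1 << key_bits):
        trial = toy_encrypt(candidate, key_bits, plaintext)
        if hmac.compare_digest(trial, ciphertext):
            return candidate
    return None


def keyspace(key_bits: int) -> int:
    """Number of possible keys; every extra bit doubles it."""
    return 1 << key_bits


def years_to_exhaust(key_bits: int, keys_per_second: float) -> float:
    """Worst-case time to try every key at a given trial rate, in years."""
    return keyspace(key_bits) / keys_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample: a 16-bit key so the search finishes in well under a
    # second in pure Python. The same loop against a 40-bit key would run 2**24
    # (about 16 million) times longer, which is why 40-bit keys fall to
    # commodity hardware while 128- and 256-bit keys do not.
    secret_key, bits = 0xBEEF, 16
    known_plaintext = b"meet at 10"
    observed = toy_encrypt(secret_key, bits, known_plaintext)
    recovered = brute_force(bits, known_plaintext, observed)
    print(f"recovered key: {recovered:#06x} (expected {secret_key:#06x})")

    rate = 1e9  # assumed: one billion key trials per second
    for k in (40, 56, 128, 256):
        print(f"{k:3d}-bit key: {keyspace(k):.3e} keys, "
              f"{years_to_exhaust(k, rate):.3e} years at {rate:.0e} keys/s")
```

At the assumed rate, a 40-bit key space is exhausted in under twenty minutes and a 56-bit one in a little over two years, whereas 128- and 256-bit key spaces need more years than there are atoms in the observable universe; the loop is identical in every case, only the count changes.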
The suggestion that WhatsApp may now be illegal is based not on any law in place but on an erroneous reading of the terms of the draft 'License Agreement for Provision of Internet Service (Including Internet Telephony)', which is applicable to Internet Service Providers and Telecom Service Providers.
These license agreements, entered into by the Department of Telecommunications with service providers, only allow encryption of up to 40-bit key length without permission. Section 1.10.1 of the License Agreement states as follows:
"Individuals / Groups / Organisations are permitted to use as customer encryption *up to 40 bit key length* in the RSA algorithms or its equivalent in other algorithms without having to obtain permission. However, if encryption equipments higher than this limit are to be deployed, individuals/groups/organisations shall do so with the *permission of the Telecom Authority* and deposit the decryption key, split into two parts, with the Telecom Authority." (emphasis added)
However, since WhatsApp is neither a Telecom Service Provider (TSP) nor an Internet Service Provider (ISP), it is not required to enter into these license agreements.
WhatsApp and other services of a similar nature fall into the category known as 'Over the Top Services' or OTTs. Last year, the Telecom Regulatory Authority of India released a consultation paper on OTTs which sought to bring them under a classification that would be subject to obligations similar to those of ISPs.
The rationale provided was that the services made available by OTTs are similar to other licensed services provided by ISPs and TSPs. However, this paper was widely criticised, and so far no steps have been taken to subject OTTs to these requirements.
Another initiative, the draft encryption policy, also intends to impose a limit of 40-bit encryption on service providers along with an obligation to maintain a plain text version of encrypted data for a period of 90 days.
This policy also received a huge backlash and was withdrawn immediately.
While these attempts have so far been unsuccessful, they do convey a strong motive on the part of the government to crack down on encryption.
The second means of access to encrypted data is Section 69 of the Information Technology Act. This provision applies to all intermediaries, which includes ISPs, TSPs as well as OTTs, and allows the government to order intermediaries to "intercept or monitor or decrypt" any information. The provision defines the threshold for use of this power broadly, covering the following circumstances:
"In the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognisable offence relating to above or for investigation of any offence"
However, end-to-end encryption means that only the sender and the recipient hold the keys needed to read the information in plain text; if the information is intercepted in transit, it is available only in encrypted form, and the service provider in the middle never has the decryption key. In such cases, as stated on the WhatsApp blog, no one else can access the messages: "Not cyber criminals. Not hackers. Not oppressive regimes. Not even us (WhatsApp)."
Therefore, WhatsApp would not be in a position to comply with orders under Section 69 asking it to decrypt message content, not because it refuses, but because it does not possess the keys required to do so.