WhatsApp has just shown its 3 billion users just how seriously it takes their security—and it may mean hundreds of millions losing access to the app…
If you ever needed a signal as to how seriously WhatsApp takes its security, then you need look no further than its biggest market. The Meta owned messenger—the largest in the world—has just threatened to leave India rather than compromise encryption.
WhatsApp has built its entire reputation on the strength of its security and privacy—ignoring the Meta irony, and this has encouraged somewhere approaching 3 billion users to trust the platform with their messages, voice and video calls, and media.
While WhatsApp has still not quite secured its usual lock on the US market, in Europe and Asia it has become a quasi mobile network. And nowhere is that more the case than India, the platform’s biggest market with around 500 million users.
But India is also one of the markets battling against its inability to access end-to-end encrypted content from a security and law enforcement perspective. And its introduction of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules in 2021 was intended to combat this.
This legislation mandates that law enforcement can use the courts to force a social media company to disclose the sender of an original message, such that dangerous or illegal content can be traced to source. Clearly that means not only sharing the identities of those sending messages, but breaking the security around the content itself, to link that back to the relevant user.
For its part the Indian government says it has set a high bar for such an intervention—serious crimes such as rape or CSAM distribution, or matters of national security. But WhatsApp is not budging—as one would expect, given the stance it has always taken elsewhere. Adhering to these rules, the messaging platform says, would break end-to-end encryption and threaten the privacy of its entire user base.
And this argument has now reached the courts. This week, WhatsApp’s counsel Tejas Karia told the High Court in New Delhi that “as a platform, we are saying that if we are told to break encryption, then WhatsApp goes.”
The lawyer went on to explain that if it were to adhere—which it won’t, then it would require the storage of “millions and millions of messages for a number of years,” given that “we don’t know which messages will be asked to be decrypted.”
Somewhat against the courtroom spirt of never asking a question to which you don’t know the answer, the bench asked WhatsApp’s counsel “have these matters been taken up anywhere in the world? You have never been asked to share the information anywhere in the world? Even in South America?”
To which the reply was very simple: “There is no such rule anywhere else in the world, not even Brazil.”
The issue for WhatsApp specifically and Meta more widely is that if it budges in one place, other countries will quickly follow suit. Security agencies around the world are desperate to find easy solutions for lawful interception or retrieval of content that is currently not available to them—certainly not without very sophisticated cyber techniques that compromise endpoint devices.
Also this week, we saw just why this is such a hot topic. European law enforcement chiefs called for technology platforms to enable access under a lawful mandate. “We call on the technology industry to build in security by design, to ensure they maintain the ability to both identify and report harmful and illegal activities, such as child sexual exploitation, and to lawfully and exceptionally act on a lawful authority.”
“Some governments are seeking to force technology companies to find out who sent a particular message on private messaging services,” WhatsApp says in an explanation as to why such “traceability” breaks its security model. “A government that chooses to mandate traceability is effectively mandating a new form of mass surveillance—messaging services would have to keep giant databases of every message you send, or add a permanent identity stamp — like a fingerprint — to private messages with friends, family, colleagues, doctors, and businesses.”
The hearing in India is scheduled to continue on August 14.