Today, a division bench of the Supreme Court of India comprising Chief Justice Thakur and Justice Khanwilkar examined a public interest litigation petition seeking a ban on Whatsapp and analogous messenger apps. The petition, filed by Mr. Sudhir Yadav, states that the complete end-to-end encryption technology adopted by Whatsapp (and other messenger apps) is in violation of the encryption standards mandated by the Government. The inability of the government to access these encrypted communications in any manner, it is argued, represents a threat to the national security of the country. Mr. Yadav approached the Supreme Court after an RTI application filed by him indicated that the Government is not in possession of the encryption keys to Whatsapp communications.
The issue came into the spotlight earlier this year following the introduction of complete end-to-end encryption by Whatsapp, which is used by over 96% of smartphone users in the country. While other apps have followed suit in ensuring secure communications through encryption, the encryption technology adopted by Whatsapp has been lauded for offering complete end-to-end encryption by default to a very large consumer base. This technology does not allow any kind of back-door access to the communications, encrypted or unencrypted, by other users, law enforcement agencies or even Whatsapp itself. This level of security in private communications, Mr. Yadav argued, poses a challenge to the Government and law enforcement agencies in maintaining national and cyber security. As indicated in the white paper released by Whatsapp, Whatsapp servers cannot access the private keys of their users and cannot comply with government or court orders seeking to intercept such data.
The government guidelines and mandated standards on encryption for web and information technology enabled services are inconsistent and ambiguous. S. 84A of the Information Technology Act, 2000 empowers the Central Government to prescribe the modes or methods of encryption. However, no definitive requirements have been laid down by the Government under this Act. Various regulatory authorities, such as the Reserve Bank of India and the Securities and Exchange Board of India, have adopted differing encryption standards for transactions under their parent legislations. Furthermore, e-commerce companies and other web service providers have continued to adopt more secure standards of encryption following customer demands. In September 2015, the Department of Electronics and Information Technology released a draft National Encryption Policy (“NEP” or “Policy”) proposing to lay down mandatory encryption standards and key disclosure requirements for users and web service providers. The draft Policy, however, was hastily withdrawn following widespread criticism of its ambiguous and impractical standards. Interestingly, an addendum issued before the draft Policy was withdrawn granted an exemption to “mass-use encryption products…used in web applications, instant messengers and social media applications such as Whatsapp, Facebook, etc.” In the absence of any regulatory mechanism for over-the-top services, messenger apps such as Whatsapp are effectively free to adopt their own encryption standards.
The bench dismissed the petition as withdrawn and directed Mr. Yadav to approach the appropriate authorities or tribunal. Mr. Yadav now intends to make representations to the Telecom Regulatory Authority of India as well as the Department of Information Technology, failing which he will file a petition with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
The crux of the issue is the balance required between protecting the privacy of citizens and the legitimate need of the government and law enforcement agencies to access encrypted communications for reasons of national and cyber security. Reminiscent of the recent Apple-FBI furore in the United States as well as the temporary ban on Whatsapp by a Brazilian court, the issue also raises questions as to the liability of service providers such as Whatsapp that may not comply with interception requests under Government or court orders on account of the sheer technological inability to reveal such data. Even though the draft NEP has been withdrawn, the Telecom Minister has categorically stated that a robust NEP is necessary and will be re-introduced soon. With the draft NEP back at the drawing board and the Supreme Court’s refusal to engage with the issue, it remains to be seen whether the full end-to-end encryption offered by services such as Whatsapp will survive any future standards laid down by the Government.