WhatsApp on Wednesday fired a legal salvo against the Indian government to block new regulations that would require messaging apps to trace the “first originator” of messages shared on the platform, thus effectively breaking encryption protections.
“Requiring messaging apps to ‘trace’ chats is the equivalent of asking us to keep a fingerprint of every single message sent on WhatsApp, which would break end-to-end encryption and fundamentally undermines people’s right to privacy,” a WhatsApp spokesperson told The Hacker News via email. “We have consistently joined civil society and experts around the world in opposing requirements that would violate the privacy of our users.”
With over 450 million active users, India is WhatsApp’s biggest market by users.
The lawsuit, filed by the Facebook-owned messaging service in the Delhi High Court, seeks to bar new internet rules that come into force effective May 26. Called the Intermediary Guidelines and Digital Media Ethics Code, the rules require significant social media intermediaries — platforms with 5 million registered users in India and above — to remove non-consensual sexually explicit content within 24 hours, and appoint a resident grievance officer for acknowledging and addressing complaints from users and victims.
The reduced timelines for takedowns aside, also buried among the clauses is the traceability requirement —
Significant social media intermediaries providing services primarily in the nature of messaging shall enable identification of the first originator of the information that is required only for the purposes of prevention, detection, investigation, prosecution or punishment of an offence related to sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order or of incitement to an offence relating to the above or in relation with rape, sexually explicit material or child sexual abuse material punishable with imprisonment for a term of not less than five years. Intermediary shall not be required to disclose the contents of any message or any other information to the first originator.
The lawsuit arrives at a crucial juncture as governments around the world have stepped up to regulate internet platforms for reasons as varied as financial fraud, stifling competition, inciting violence, and spreading misinformation, hate speech, and obscene content. WhatsApp is also locked in a similar legal battle with Brazil over similar legislation.
WhatsApp, for its part, has long argued against incorporating traceability as it would not only force companies to collect more data about the kind of messages being sent and shared and the identities behind them, but also subvert users’ expectation of secure and private messaging.
Adding such a requirement would mean breaking WhatsApp’s end-to-end encryption (E2EE), which secures messages from potential eavesdroppers – including telecom providers, internet service providers, and even WhatsApp itself — from being able to access the cryptographic keys necessary to decode the conversation.
“Traceability is intended to do the opposite by requiring private messaging services like WhatsApp to keep track of who-said-what and who-shared-what for billions of messages sent every day,” the company said.
“Traceability requires messaging services to store information that can be used to ascertain the content of people’s messages, thereby breaking the very guarantees that end-to-end encryption provides. In order to trace even one message, services would have to trace every message.”
As a workaround, the Indian government had previously proposed that WhatsApp assign an alphanumeric hash to every message sent through its platform to enable traceability without weakening encryption, according to a report from the Economic Times in March 2021.
The company also contends that traceability is not so much effective as it’s highly susceptible to abuse, noting that users could be labeled as “originators” simply for sharing an article or a downloaded image that could then be repurposed by other users on the platform in an entirely different circumstance.
Furthermore, WhatsApp contended that the new requirement inverts the way law enforcement typically investigates crimes. “In a typical law enforcement request, a government requests technology companies provide account information about a known individual’s account,” it said. “With traceability, a government would provide a technology company a piece of content and ask who sent it first.”
In response, WhatsApp — which earlier said it will continue to push users into accepting the updates with a “persistent reminder” in return for a “limited functionality” — has since completely walked back from that stance, stating it has “no plans for these reminders to become persistent and to limit the functionality of the app.”
WhatsApp however said it intends to keep reminding users about the update at least till India’s upcoming Personal Data Protection (PDP) bill comes into effect. WhatsApp’s new terms don’t apply to the European Union due to prevailing GDPR data regulations in the region.