Hacker finds breach in WhatsApp’s encryption system


A security expert has found a breach in WhatsApp’s supposed ‘end-to-end’ encryption system. On earlier 2016, the Facebook-owned company proudly announced that messages would feature end-to-end encryption, thus giving users the tranquility that their private conversations would remain untouched.

Jonathan Zdziarski, a digital forensic specialist and digital security expert, published an article on Thursday with bold declarations. He stated that WhatsApp does not really delete users’ messages. Zdziarski started several conversations on his WhatsApp account, using an iPhone. After a bit of chit-chat, he deleted, cleared and archived some of the conversations. Finally, he clicked the “Clear All Chats” feature.

Hacker finds breach in WhatsApp’s encryption system

The “deleted records” were not actually deleted since the messages still appeared in SQLite, a relational database management system. According to Zdziarski, the chat’s database gets copied every time an iPhone users does a backup, saving it in a desktop backup and iCloud (Zdziarski states that this is “irrelevant to whether or not you use WhatsApp’s built-in iCloud sync”).

Which are the risks?

Zdziarski stated that the “leftover” evidence in SQLite poses some risks. For example, if somebody has physical access to a smartphone, he or she could hack it and create a backup of that information. In the same way, if a hacker has physical access to a computer, he or she could enter an “unencrypted backup” and access messages.

Law enforcement could obtain clear records of conversations by giving Apple a court order. Zdziarski has been very clear in stating that he doesn’t believe WhatsApp is keeping information on purpose. He even offers some advice in the article about how the company could make the service better and safer.

Hacker finds breach in WhatsApp’s encryption system


For Zdziarski, the only way to truly delete WhatsApp messages is to remove the app entirely. However, he offered some tips to “minimize” risks. For example, using iTunes to set a very complex backup password could help. Using Configurator to lock the smartphone is also a good idea since it makes harder for someone else to steal the phone’s passwords.

Finally, users would have to disable iCloud backup. If the user still feels uneasy, there are still a few safer alternatives. Telegram, an app available for Android and iOS, promises to have end-to-end encryption. The app is very popular in NGOs for even having a “self-destruct” modality for messages.

Telegram’s founder, Pavel Durov, founded the social networking site VK. He had an argument with Russian authorities and left his country in a self-imposed exile. VK is now owned by Mail.Ru Group, which has the monopoly of social networking market in Russia and is a Putin ally.

After this, he decided to create the instant messaging service with the aim of giving Russians a secure messaging app that would be unbreakable by Russian intelligence services. The BlackBerry Messenger service is also secure since the PIN-to-PIN service uses “Triple Data Encryption Standard”.

Facebook to add end-to-end encryption to Messenger app


Facebook to add end-to-end encryption to Messenger app

Facebook has started to introduce a setting to its “Messenger” app that provides users with end-to-end encryption, meaning messages can only be read on the device to which they were sent.

The encrypted feature is currently only available in a beta form to a small number of users for testing, but it will become available to all of its estimated 900-million users by late summer or in the fall, the social media giant said.

The feature will be called “secret conversations”.

“That means the messages are intended just for you and the other person – not anyone else, including us,” Facebook announced in a blog post.

The feature will also allow users to set a timer, causing messages to expire after the allotted amount of time passes.

Facebook is the latest to join an ongoing trend of encryption among apps.

Back in April, Whatsapp, which is owned by Facebook and has more than a billion users, strengthened encryption settings so that messages were only visible on the sending and recipient devices.

Whatsapp had been providing limited encryption services since 2014.

The company says it is now using a powerful form of encryption to protect the security of photos, videos, group chats and voice calls in addition to the text messages sent by more than a billion users around the globe.


Encryption has become a hotly debated subject, with some US authorities warning that criminals and armed groups can use it to hide their tracks.

“WhatsApp has always prioritised making your data and communication as secure as possible,” a blog post by WhatsApp co-founders Jan Koum and Brian Acton said, announcing the change at the time.

Like Facebook has until now, Google and Yahoo use less extensive encryption to protect emails and messages while they are in transit, to prevent outsiders from eavesdropping.

Apple uses end-to-end encryption for its iMessage service, but some experts say WhatsApp’s method may be more secure because it provides a security code that senders and recipients can use to verify a message came from someone they know – and not from a hacker posing as a friend.

Supreme Court rejects PIL for WhatsApp ban, but encryption debate is just beginning


Supreme Court rejects PIL for WhatsApp ban, but encryption debate is just beginning

WhatsApp’s end-to-end encryption might still be a contentious issue, but on Wednesday the Supreme Court refused to allow a PIL seeking a ban on the popular app and similar messenger services.

The PIL, filed by Gurugram-based RTI activist Sudhir Yadav, said these apps have complete encryption, which poses a threat to the country’s security.

A bench of Chief Justice T S Thakur and Justice A M Khanwilkar rejected the PIL, suggesting Yadav could approach the government or Telecom Regulatory Authority of India (TRAI) with his plea.
But Yadav said his application to the department of telecommunication and the government got the response that they did not possess information in this regard. The petitioner contended that end-to-end 256-bit encryption introduced by WhatsApp in April made all messages, chat, call, video, images and documents end-to-end encrypted, and thus it was impossible for security agencies to decode these.

According to him, this could be national security threat for India, as agencies will not be able to track terrorists, who can plan attacks without worrying that the government can access their messages. The RTI petitioner sought to maintain a balance where police agencies can get lawful access to data while keeping information private.

Supreme Court rejects PIL for WhatsApp ban, but encryption debate is just beginning

So what is WhatsApp’s end-to-end encryption and why has it become such an issue? For starters, WhatsApp’s end-to-end encryption ensures that a user’s messages, videos, photos sent over the app, can’t be read by anyone else — not WhatsApp, not cyber-criminals, not law-enforcement agencies. Even calls and group chats are end-to-end encrypted.

End-to-end encryption means encryption at the device level and thus your chats, messages, videos are not stored on WhatsApp’s servers at all. The only way to access this data is if your device is compromised and the messages have not been deleted. This encryption is designed to keep out man-in-the-middle attacks.

Given WhatsApp has over a billion users, this end-to-end encryption is a big deal. Let’s not forget that in Brazil, a senior WhatsApp executive was jailed because the company did not hand over data in a court case. WhatsApp claimed the data is encrypted and it does not have access to it.

WhatsApp co-founder Jan Koum, in fact, is known for dedication to user privacy and this is also one of the reasons the app has never sold ads. When WhatsApp announced the end-to-end encryption, Koum wrote, “People deserve security. It makes it possible for us to connect with our loved ones. It gives us the confidence to speak our minds. It allows us to communicate sensitive information with colleagues, friends, and others. We’re glad to do our part in keeping people’s information out of the hands of hackers and cyber-criminals.”

Supreme Court rejects PIL for WhatsApp ban, but encryption debate is just beginning

WhatsApp has relied on the “The Signal Protocol”, designed by Open Whisper Systems for its end-to-end encryption. What is also significant is the feature is enabled by default on WhatsApp, unlike apps like Telegram where you have to go into a secret chat mode for end-to-end encrypted chats.

WhatsApp is also one of the most popular apps in India. In fact, research has consistently shown it is one of most used apps after Facebook, and it is common for most people in India to be part of various groups on the service. Family, School, College friends, even office groups are present on WhatsApp. End-to-end encryption means all of this data is secure, and can’t be accessed by third-parties including government agencies.

For now the Courts have refused to go for a ban on WhatsApp, and instead directed Yadav towards the government. India per se doesn’t have a law on what kind of encryption third-party apps can used.

As we had noted earlier, the 40-bit encryption limit, which is too low given the current times, is something ISPs and TSPs have to stick with and doesn’t apply to apps.

Until India comes up with an encryption law, WhatsApp remains legal and we’ll have to wait and watch how the encryption versus security agency debate plays out in the country.

Despite end-to-end encryption, your WhatsApp and Telegram chats can be spied on


end-to-end-encryptionEven though WhatsApp promises end-to-end encryption on all of its chats, and Telegram offers end-to-end encryption on secret chats, the truth is that messages on these platforms can still be hacked. The reason is because the messaging apps still rely on phone networks that use Signalling System No. 7, better known as SS7.

You might recall that back in April, we told you about SS7 when we passed along a story shown on 60 Minutes about hacking. SS7 is a protocol used to connect carriers around the world and affects all smartphone users regardless of the device they use. While SS7 can’t break the encryption employed by the two aforementioned messaging apps, it can be used to fool a wireless operator into helping the hacker open a duplicate WhatsApp and Telegram account in the name of the target.

The first step that a hacker employing SS7 does is trick the target’s carrier into believing that his phone number is the same as the target’s mobile number. Once that is accomplished, the hacker installs WhatsApp and Telegram on his phone, and uses the target’s number to set up new accounts. This will allow them to receive the secret code falsely proving that the hacker is the legitimate user of these accounts. Once all this is accomplished, the ruse is on as the hacker can send and receive messages pretending to be the target.

You can see how this all works by watching the pair of videos below. Most security firms still prefer WhatsApp and Telegram for their end-to-end encryption, which prevents “man-in-the-middle” hacks that redirect messages to a hacker’s phone. But obviously, opening a duplicate account can allow hackers to read messages not intended for their prying eyes.

John McAfee claims to have hacked WhatsApp’s encrypted messages, but the real story could be different


John McAfee claims to have hacked WhatsApp’s encrypted messages, but the real story could be different

Last month, WhatsApp enabled end-to-end encryption for its billion users to secure all the communications made between users — be it a group chat, voice calls, personal chats or the photos and videos that are being shared. While WhatsApp says it is difficult even for them to access the conversations, cybersecurity expert John McAfee and his team of four hackers claim to successfully read an encrypted WhatsApp message, Cybersecurity Ventures reports. While it sounds like a bold claim, the real story could be completely different.

John McAfee, the creator of one of the popular anti-virus software, apparently tried to trick the media in believing that he hacked the encryption used by WhatsApp, Gizmodo reports. To convince the reporters that he could read the encrypted conversations, McAfee is said to have sent two phones preinstalled with malware containing a keylogger.

According to Dan Guido, a cybersecurity expert who was contacted to verify the claim, McAfee sent two Samsung phones in sealed boxes to the reporter. The experts then took the phones out and exchanged a text on WhatsApp, which McAfee was able to read over a Skype call. Citing sources, the publication also reports that McAfee offered his story to a couple of big publications as well, which includes Russia Today and the International Business Times.

“John McAfee was offering to a different couple of news organizations to mail them some phones, have people show up, and then demonstrate with those two phones that [McAfee] in a remote location would be able to read the message as it was sent across the phones. I advised the reporter to go out and buy their own phones, because even though they come in a box it’s very easy to get some saran wrap and a hair dryer to rebox them,” Guido told the publication.

McAfee has a long history of being shifty, especially when it comes to his alleged cybersecurity exploits. For instance, earlier this year in March, he claimed to hack into San Bernadino terrorist Syed Farook’s phone, but he never managed to prove his claims right. Later on, McAfee admitted that he lied to get the public attention.

This time too McAfee seems to have lied to reporters to buy his story, but when reporters asked to verify the claim, he changed the story. Moxie Marlinspike, who developed and implemented the encryption tool in WhatsApp told the publication about McAfee admitting his plan.

“I talked to McAfee on the phone, he reluctantly told me that it was a malware thing with pre-cooked phones, and all the outlets he’d contacted decided not to cover it after he gave them details about how it’d work,” he said.

With McAfee’s claims turn out to be false, WhatsApp saying that it does not have the ‘key’ to decrypt communications sounds good so far. However, if at all, someday, someone manages to hack into the conversations, it could turn into havoc. While it will give the ability to monitor the conversations between terrorists, it could also breach the privacy of the users.

WhatsApp’s encryption services are legal for now, but maybe not for long


WhatsApp's encryption services are legal for now, but maybe not for long

WhatsApp introduced end-to-end encryption for all its services today. This means that all user calls, texts, video, images and other files sent can only be viewed by the intended recipient, and no one, not even WhatsApp itself, can access this data. This guarantee of user privacy creates new concerns for the government.

WhatsApp will now find it impossible to comply with government requests for data, since WhatsApp itself will not have the decryption key. In effect, WhatsApp is doing exactly what Apple did in the Apple vs FBI battle; it’s preventing government access to data, but on a much larger scale. While Apple restricted access to users of iPhones only, now practically every user of WhatsApp on any device is protected. 51% of all users of internet messaging services in India use WhatsApp, with a total number of over 70 million users (Source: TRAI’s OTT Consultation Paper, dated March 2015). WhatsApp has now prevented government access to the messages and calls of at least 70 million Indian users.

No encryption requirements are applicable on OTTs like WhatsApp

Telecom service providers and internet service providers, like Airtel and Vodafone, have to obtain a license from the Department of Telecommunications in order to be able to provide such services in India. This license includes several restrictions, including license fees, ensuring emergency services, confidentiality of customer information and requirements for lawful interception, monitoring and the security of the network. These include encryption requirements.

For example, the ‘License Agreement for Provision of Internet Service (Including Internet Telephony)’ for internet service providers (like Reliance and Airtel), permits the usage of up to 40-bit encryption. To employ a higher encryption standard, permission will have to be acquired and a decryption key deposited with the Telecom Authority.

Apps like WhatsApp, Skype and Viber are, however, neither telecom service providers nor internet service providers. These are known as ‘Over-The-Top Services’, or OTTs. Currently, OTTs are not regulated and as such, there are no encryption requirements, nor are there any other requirements in the name of security which these have to comply with.

The Telecom Regulatory Authority of India came out with an OTT Consultation Paper in 2015. Discussions on the paper are closed, but TRAI is yet to issue regulations on the matter. In the absence of any regulations at present, it’s clear that WhatsApp’s new end-to-end encryption policy is perfectly legal, even though it presents a new dilemma for the government.

Impact of end-to-end encryption on proposed regulatory system

Other countries have adopted various approaches to resolve the issue of OTT services. For example, in France, Skype was made to register as a telecom operator. In Germany, Voice-Over-IP is subject to the same requirements as other telecom services because of the technology neutral approach of its Telecommunications Act. In China, VOIP calls have a separate regulatory system under the head of ‘voice based calls’. These systems will make voice-over-IP subject to the same security requirements as telecom providers. For the most part however, OTT services are unregulated abroad as well.

In a detailed discussion on the issue in TRAI’s OTT Consultation Paper, TRAI notes that OTT services circumvent all regulatory requirements by providing services which are otherwise available only through a license. It has suggested the classification of OTT services either as a communication service provider or an application service provider, and to impose similar regulatory requirements as on telecom service providers.

The proposed licensing requirements include enabling ‘lawful interception’. It can be assumed that the provisions will be along the lines of those imposed on telecom regulatory requirements. Given that a 40-bit encryption system is a much lower standard than that used by WhatsApp and also considering that WhatsApp doesn’t even possess the decryption key for deposition with the relevant authority, it remains to be seen how the government will gain access to WhatsApp messages.

Liability of WhatsApp to comply with decryption directions under IT Act

WhatsApp, being an intermediary, is expected to comply with directions to intercept, monitor and decrypt information issued under Section 69 of the Information Technology Act, 2000. Complying with such a direction will now be impossible for WhatsApp in view of its end-to-end encryption. Even before the introduction of this, since WhatsApp is not a company based in India, it may have been able to refuse to comply with such directions. In fact, compliance by such companies in regard to data requests from the Indian government has been reported to be very low.

India’s now withdrawn draft encryption policy took the first step towards overcoming these problems and obtaining access. It required service providers, from both India and abroad, which are using encryption technology, to enter into agreements with India in order to be able to provide such services. One essential requirement of these agreements was to comply with data requests as and when they’re made by the government. This will include any interception, monitoring and decryption requests made under Section 69 of the IT Act. Though it was later clarified that WhatsApp is not within the purview of this policy, this indicates the route that may be taken by the government to obtain access. If WhatsApp refuses to comply with such a regime, that would make WhatsApp illegal in India.

End-to-end encryption is not without its drawbacks. The high, unbreachable level of security and privacy available is in favour of users and against governments. It will make such systems the favorite for illegal activities as well. For example, tracing voice calls made by terrorists using Voice-Over-IP is extremely difficult because of its routing over fake networks. The issue raised in the Apple vs FBI case was also the same, whether an individual user’s privacy can be compromised in favour of the larger public interest. A balance between the two is needed, maintaining user privacy and allowing interception for lawful purposes is required.

Paris attack planners used encrypted apps, investigators believe



French counterterrorism investigators believe that the men suspected in last month’s Paris attacks used widely available encryption tools to communicate with each other, officials familiar with the investigation said, raising questions about whether the men used U.S.-made tools to hide the plot from authorities.

Investigators have previously said that messaging services WhatsApp and Telegram were found on some of the phones of the men suspected in the November attacks that claimed 130 victims. But they had not previously said that the services had been used by the men to communicate with each other in connection with the attacks. The two services are free, encrypted chat apps that can be downloaded onto smartphones. Both use encryption technology that makes it difficult for investigators to monitor conversations.

The findings of the investigation were confirmed by four officials, including one in France, who are familiar with the investigation. All spoke on the condition of anonymity because they were not authorized to speak publicly about the ongoing inquiry. A spokeswoman for the Paris prosecutor’s office, which is leading the investigation, declined to comment.

The investigators’ belief that WhatsApp and Telegram had been used in connection with the attacks was first reported by CNN.

The revelation is likely to add fuel to calls in Congress to force services such as WhatsApp, which is owned by Facebook, to add a back door that would enable investigators to monitor encrypted communications. Such demands have grown stronger in the wake of the Paris attacks and after other attacks in the United States in which the suspects are believed to have communicated securely with Islamic State plotters in Syria.

Already, security hawks in Congress, citing the likelihood that the Paris attackers used encrypted communications, have called for legislation to force companies to create ways to unlock encrypted content for law enforcement. Sen. Dianne Feinstein, D-California, vice-chairman of the Senate Intelligence Committee, has begun working on possible legislation. And Sen. John McCain, R-Arizona, chairman of the Senate Armed Services Committee, has promised hearings on the issue, saying, “We’re going to have legislation.”

FBI Director James B. Comey last week cited a May shooting in Garland, Texas, in which two people with assault rifles attempted to attack an exhibit of cartoons of the prophet Muhammad. Investigators believe they were motivated by the Islamic State. Comey told the Senate Judiciary Committee that encrypted technology had prevented investigators from learning the content of communications between the shooters and an alleged foreign plotter.

“That morning, before one of those terrorists left and tried to commit mass murder, he exchanged 109 messages with an overseas terrorist,” Comey told the committee. “We have no idea what he said, because those messages were encrypted.”

Tech firms such as Apple have opposed such calls, saying that such a requirement would render their services and devices less secure and simply send users elsewhere. Apple began placing end-to-end encryption on its chat and video call features several years ago. Then last year, in the wake of revelations by former National Security Agency contractor Edward Snowden about the scope of U.S. surveillance, Apple announced it was offering stronger encryption on its latest iPhones. And more tech firms began to question what had once been routine law enforcement requests to comply with court-ordered wiretaps.

A spokesman for Facebook declined to comment about whether the attackers used WhatsApp. A representative for Germany-based Telegram did not respond to a request for comment.

The officials familiar with the Paris investigation did not say when the services were used, how frequently or for what purpose. One of the officials said investigators believe that the attackers used Telegram’s encrypted chat function more frequently than they used WhatsApp. It was not clear whether authorities were able to obtain “metadata,” information indicating the times and dates of chat messages from either company’s servers. Nor was it clear whether authorities had been able to recover the messages from the phones themselves.

Not all encrypted apps are equal. WhatsApp offers end-to-end encryption between two users on some platforms, such as Android phones. That means the chat content is not visible to Facebook but only to the sender and receiver. WhatsApp is in the process a rollout for Apple’s iPhones. Telegram’s Secret Chat feature is end-to-end encrypted. However, a number of experts say that Telegram is not secure.

“It’s home-brew crypto style,” said Lance James, chief scientist at Flashpoint, a threat intelligence firm. The Telegram developers have “introduced unnecessary risk by making up their own cryptography rules.” He said he was “fairly certain” that advanced spy agencies could find ways around the encryption.

The group chat functions on the apps do not offer end-to-end encryption, which means anyone with access to WhatsApp or Telegram’s servers can read the chats.

European authorities have come under heavy criticism for failing to disrupt the Paris attacks, and it is unclear whether encrypted messaging played an important role in the plot’s success. Ringleader Abdelhamid Abaaoud, a Belgian citizen, was being monitored by European authorities but nevertheless managed to travel to Syria and back this year.

Another suspect, Salah Abdeslam, is still at large despite having been stopped by French police at the Belgian-French border hours after the attacks. He used his real identity documents, but he was not yet in a database, Belgian Interior Minister Jan Jambon told the Belgian VTM broadcaster in an interview aired this week.

“We were simply unlucky,” he said.

Then, investigators believe, Abdeslam went into hiding in a building in the Molenbeek district of Brussels, and Belgian Justice Minister Koen Geens said that a Belgian law banning police raids between 9 p.m. and 5 a.m. may have played a role in his subsequent escape.

Investigatory Powers Bill could allow Government to ban end-to-end encryption, technology powering iMessage and WhatsApp


Investigatory Powers Bill could allow Government to ban end-to-end encryption, technology powering iMessage and WhatsApp

The new Investigatory Powers Bill could ban WhatsApp and iMessage as they currently exist and lead to the weakening of security.

Introducing the Bill this week, Home Secretary Theresa May said that it didn’t include a controversial proposal to ban the encryption that ensures that messages can’t be read as they are sent between devices. But it does include rules that could allow the Government to force companies to create technology that allows those messages to be read, weakening encryption.

The Bill gives wide-ranging powers to the Home Secretary to force companies to make services that that can be more easily read by intelligence agencies.

Section 189 of the law allows the Government to impose “obligations” on companies that provide telecommunications services. That can include “the removal of electronic protection”, as well as a range of others.

It isn’t clear how that law would be used in practice. But it could allow for the breaking of encryption so that messages can be read.

Some of those powers were already available. But the new legislation repeats them – despite the suggestion that the ban on encryption has been dropped – as well as strengthening some of the ways that Government can impose such obligations.

At the moment, services including WhatsApp and Apple’s iMessage use end-to-end encryption. That means that the phones that are sending each other use keys to ensure that nobody else – including WhatsApp and Apple themselves – can’t read messages.

When end-to-end encryption is used, it isn’t possible to set up a system so that it only allows for the breaking of messages from a specific phone, or of messages sent between two specific people. Instead, allowing for the viewing of just two messages would entail entirely re-engineering the system so that WhatsApp and Apple had the keys to unlock any message, sitting in the middle of all messages.

Technology companies are understood to be concerned about that setup, because if they are able to read through messages then the same system could be used by members of staff or hackers to read through the messages of all of a services’ users.

Earlier this year, a report from some of the world’s leading computer experts said that weakening encryption “will open doors through which criminals and malicious nation states can attack the very individuals law enforcement seeks to defend”.

“If law enforcement’s keys guaranteed access to everything, an attacker who gained access to these keys would enjoy the same privilege,” the report argued.

Apparently partly in response to that criticism, the US Government has mostly walked back its attempts to weaken encryption.

National Encryption Policy: Government Issues Clarification on WhatsApp, Social Media


National Encryption Policy: Government Issues Clarification on WhatsApp, Social Media

The government issued an addendum to clarify that “mass use encryption products, which are currently being used in web applications, social media sites, and social media applications such as WhatsApp, Facebook, Twitter etc.” While that language is vague in itself, you can rest easy without needing to worry about having to store your WhatsApp messages for 90 days. The original text continues below.

The DeitY has posted a draft National Encryption Policy on its website inviting comments from the public on its mission, strategies, objectives, and regulatory framework, which you can send to akrishnan@deity.gov.in, until 16th October 2015. A lot of the details mentioned in the draft guidelines are worrying, and this is a topic that concerns every consumer.

While the draft encryption policy’s preamble starts by talking about improving e-governance and e-commerce through better security and privacy measures, it very quickly brings up national security as well, and that’s where things get worrying from a consumer’s perspective. It’s very reminiscent of when the Indian government was thinking about banning BBM in India unless BlackBerry (then Research in Motion) gave security agencies access to snoop on emails. The two would eventually reach an arrangement that allowed the government to intercept email.

The language of the new draft policy is quite clear on one thing – businesses and consumers may use encryption for storage and communication, but the encryption algorithms and key sizes will be prescribed by the Indian government. What’s more, vendors of encryption products would have to register in India (with the exception of mass use products, such as SSL), and citizens are allowed to use only the products registered in India.

“Would OpenPGP, a commonly-used standard for encryption of email, fall under ‘mass use’?” asks Pranesh Prakash, Policy Director at the Centre for Internet and Society, speaking to Gadgets 360. “Because if it doesn’t, I am prohibited from using it. But if it does, I am required to copy-paste all my encrypted mails into a separate document to store it in plain text, as required by the draft policy. Is that what it really intends? Has the government thought this through?”

National Encryption Policy: Government Issues Clarification on WhatsApp, Social Media

Most people don’t explicitly use encryption, but it’s built into apps they use every day. Do the draft guidelines also extend to products and services with built-in encryption like WhatsApp? If yes – and the language certainly suggests it does – then combine them with governments requirements for its citizens, as proposed in the draft guidelines, and we could have very worrying scenarios.

The draft guidelines read “All citizens (C), including personnel of Government/ Business (G/B) performing non-official/ personal functions, are required to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country.”

WhatsApp messages are now encrypted end-to-end. So do the draft guidelines mean you have to store a copy of all your WhatsApp messages for 90 days? What about Snapchat? Or any other form of ephemeral messaging that is automatically deleted after being read? The consumer is expected to maintain plain text copies of all communications for 90 days – so that these can be produced if required by the laws of the land – so, will it even legal to read a message that deletes itself, if and when the draft guidelines become law?

The draft policy document states that the vision is to create an information security environment, and secure transactions. But the actual details mentioned in the draft appear to do the opposite, and put a focus more on the lines of limiting encryption only to technologies that likely could be intercepted by the government, when required.

This is in many ways similar to the Telecom Regulatory Authority of India’s draft letter on Net Neutrality, which instead talked about issues like cyberbullying and ‘sexting’. In the feedback period, Trai received over 1 million emails. but the Department of Telecom report on Net Neutrality also went against public sentiment on certain things, suggesting that telcos should be allowed to charge extra for specific services, such as Skype or WhatsApp voice calls in India, showing that calls for feedback aren’t necessarily being taken seriously.

And, with the draft National Encryption Policy, another problem that is shared with the Net Neutrality discussions, is the use of vague language. The result is that there is very little clarity at this point on what will and will not be permitted by the government if the draft guidelines are adopted. We’re living in a time when the government talks about how WhatsApp and Gmail may be used by “anti-national elements”, and even considered requiring Twitter and Facebook to establish servers in India.

With that in mind, you have to ask, will it be even legal to use WhatsApp if these guidelines are implemented? After all, WhatsApp messages have end-to-end encryption and if this service does not register in India, and comply with the algorithms prescribed by the government, then as a citizen of India, you won’t be allowed to use it because “users in India are allowed to use only the products registered in India,” as per the draft guidelines.

These are questions that don’t just affect a few people, but just about every Indian who is using the mobile Internet. In its present form, the draft actually severely limits what you can do online, and could hobble the push for a digital India. There’s almost a full month to give our feedback, but is anyone listening?