Did encryption fail Bollywood?

The Page One Asia, October 28, 2020

By Udai S Mehta

The leaked WhatsApp chats of Bollywood celebrities have drawn a great deal of attention. As the Narcotics Control Bureau (NCB) investigates alleged drug use by celebrities, one must also investigate any possible violation of the fundamental right to privacy arising from the leaking of their end-to-end (E2E) encrypted chats, as this may dent users' trust in encrypted communication services.

WhatsApp introduced E2E encryption in 2016. This essentially ensures that only the people communicating can read/access transmitted messages, photos, audio, videos, documents, calls etc., and nobody in between, not even WhatsApp. In other words, E2E encryption enhances the privacy of communications and keeps them from falling into the hands of unintended recipients (or non-chat participants).

Users of encrypted instant messaging services may then wonder how the Law Enforcement Agencies (LEAs), and more so the media, got access to the chats of Bollywood celebrities.

In the case of Bollywood celebrities, NCB likely obtained access to their chats through the latter, i.e. access to data through a device of one of the chat participants, and not in transit. Notably, WhatsApp chats are automatically backed up and saved daily in the device’s memory. Users also have an option of creating a backup of these chats on a cloud platform such as Google Drive or iCloud. Furthermore, users can also export a copy of their chats through email.

The words of Edward Snowden resound here – “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security (i.e. device security) is so terrifically weak that NSA (read as LEAs in our case) can frequently find ways around it”. This is perhaps the weak link through which NCB accessed the chats of Bollywood celebrities, and not by breaking encryption, thereby clarifying that encryption did not fail Bollywood.

It is to be noted that the Ministry of Electronics and Information Technology (MeitY) had recently denied in Parliament that the government or any of its agencies was accessing data and voice messages circulated through WhatsApp.

On the aspect of NCB accessing chats through the device itself, one must consider Article 20(3) of the Constitution, which states that no person accused of an offence shall be compelled to be a witness against himself. Presently, there is only one exception to this provision, i.e. testimonial evidence can be compelled if it is used for comparison with evidence that is already in the possession of the investigators.

Also, the NCB is one of the LEAs empowered by the government to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource, under section 69 of the Information Technology Act 2000. Accordingly, it remains to be checked whether LEAs such as the Enforcement Directorate (ED) or the NCB can compel the accused to share their device or cloud storage password with them, or break into their device to access their chats.

Furthermore, it becomes pertinent to recall the Supreme Court’s (SC) judgement of 2017 declaring the right to privacy to be a fundamental right. The judgement, while stating that the right to privacy may not be an absolute right, also laid down a three-prong test for access to data by the government or its agencies – necessity, legality and proportionality.

While deliberating upon the legality aspect of the test, it is to be noted that India currently lacks a dedicated personal data protection law. The personal data protection bill 2019 is pending with the Joint Parliamentary Committee (JPC). Worryingly, clause 35 of the bill has not provided for the test, and has exempted the government from the provisions of the bill for accessing personal data of users.

Another important pending regulation is the Draft Information Technology [Intermediaries Guidelines (Amendment) Rules] 2018. The amendments propose to empower government agencies to compel intermediaries (such as WhatsApp) to provide information for the purpose of investigation or detection or prosecution or prevention of offence(s). However, this is dependent upon a lawful order. Such empowerment threatens to weaken E2E encryption, thereby exposing WhatsApp chats to further privacy risks.

Notably, the SC judgement specifically held there must be a valid law in existence to encroach upon the right to privacy, and that an executive notification does not satisfy the requirement of such valid law. Given the absence of a personal data protection law, there exists an apparent legislative/regulatory gap for both – protecting privacy of users, as well as enabling lawful access to data for LEAs.

Lastly, it may also need to be investigated how the media obtained access to the chats of Bollywood celebrities. Publicising their chats (or any extract thereof) in the public domain may be counted as a serious violation of their privacy. However, the prevailing regulatory/legislative inertia on personal data protection may not offer adequate grievance redress options to celebrities.

Therefore, a strong data protection law is the need of the hour, and the government must be urged to expedite the passing of the pending personal data protection bill after incorporating the three-prong test of legality, necessity and proportionality laid down by the SC judgement, to provide legislative protection to the fundamental right to privacy.

Furthermore, any attempt to weaken E2E encryption must be thwarted, in order to secure the privacy of chats of users of WhatsApp and other instant messaging services. Due consideration should be given to the views of the Telecom Regulatory Authority of India (TRAI) as expressed in the ‘Recommendations on Regulatory Framework for Over the Top (OTT) Communication Services’, wherein it recommended upholding encryption in order to ensure data protection and privacy of communication. We must note that creating any kind of backdoor within encrypted communication will immensely endanger the cybersecurity of users if such techniques fall into the hands of malicious actors.

Also, weakening encryption may have an adverse impact on users’ trust in WhatsApp and other encrypted instant messaging service providers. Consumer Unity & Trust Society is presently undertaking a study to gauge users’ perspective and expectations from encryption.

Summing up, the government must take actionable steps to protect users’ fundamental right to privacy. Upholding encryption and passing the personal data protection bill would be a good start in this regard.

(The writer is a Deputy Executive Director at CUTS International. Sidharth Narayan, Assistant Policy Analyst at CUTS International contributed this article. Views expressed are the authors’ own).
