Christina Moniodis
The fresh legal battle between Facebook-owned WhatsApp and the Indian government is a bit of a high-stakes game of chess determining both global consumer privacy and the sovereignty of tech companies to build such privacy on their own platforms.
Who should decide a company’s technical infrastructure - the company or a government?
It is a deep question, and the stakes here are particularly high. Encryption–the technology at issue–is not only an infrastructure choice for messaging platforms, but rather encryption is the very key to these platforms’ own identity. In other words, messaging platforms are not in the business of mere communication, they are in the business of private connections.
The WhatsApp case centers around Indian regulations that require WhatsApp, and other messaging services, to trace user messages back to the authors of those messages. The tracing requirement is limited to certain government purposes, but to fulfill the requirement, WhatsApp says it must break its security mechanism of encrypting user content.
It was bold enough for WhatsApp to file suit against a government. Usually it is the reverse, with tech companies rounded up into court or into government hearings. But WhatsApp upped its game and audacity even further this quarter and released encrypted backups—closing the last loophole in the WhatsApp encryption framework— just days before the Indian government’s deadline to file their response in court.
WhatsApp’s own message is clear:
Messaging services are moving decidedly towards encryption, not against.
The Indian government has finally submitted a response to the lawsuit in the Delhi High Court. The government raised several counterarguments to WhatsApp’s claims, but the response to WhatsApp’s concerns over breaking encryption is particularly powerful.
The Indian government’s reply is direct:
Technical obstacles are no excuse to avoid tracing user messages - platforms must change their infrastructure to implement tracing.
For background, the argument for tracing is that while the government may manage to locate the content of viral misinformation or criminal messages, tracing allows authorities to identify, and hold accountable, the source. Indeed, the Indian government knows the dangers lurking in message cyberspace well. More WhatsApp content is forwarded in India than in any other country, which can create a hotbed for misinformation. A tragic example has been a series of lynchings occurring over several years motivated by false rumors spread via WhatsApp messages.
End-to-end encryption, a standard mechanism for message security, is what restricts the content of a conversation to the parties of that conversation; not even the messaging service can see or hear it. Tracing would have profound implications on messaging because it seems to require breaking such encryption for all of the billions of messages sent every day in India. As WhatsApp explains, “[t]raceability requires messaging services to store information that can be used to ascertain the content of people’s messages … . In order to trace even one message, services would have to trace every message.”
WhatsApp surely knows these regulations could have far-reaching implications. First of all, India is WhatsApp’s largest market with half a billion users. Furthermore, WhatsApp product developments have often begun in India and then expanded globally. India has been a market leader in not only testing WhatsApp product developments, but also showing foreign governments what concessions can be had from the Facebook empire.
In the multi-faceted war of big tech versus big government, tech companies are routinely making an assortment of concessions in order to remain in business. However, the problem here is that concessions regarding encryption strike at the core of many products. User privacy is so central to messaging platforms that tech companies cannot lose this battle and even survive the broader regulatory war.
The consumer appetite for privacy is clear. In addition to WhatsApp releasing encrypted chat storage, Google rolled out end-to-end encryption for Google Messages, and Microsoft launched encryption for Microsoft Teams calls. Meanwhile, the crypto community has made Telegram, another encrypted messaging service, its home.
Another key player is the nonprofit Signal. Signal’s messaging service famously earned the endorsement of Edward Snowden and Elon Musk. Signal does not require any account data other than a phone number.
Requiring traceability for businesses that do not even collect user data would fundamentally change a business’s tech stack, identity, and function. Tracing requirements are as antithetical to the messaging business as requiring a vegan restaurant to only serve meat. Goods and services have integral components to their user value. For WhatsApp and its industry, that is secure messaging limited to the sender and receiver.
Any encrypted platform—messaging, cloud storage, or otherwise—should watch the WhatsApp lawsuit. Once encryption and the privacy it provides is broken in the world’s largest democracy, we may find ourselves “tracing” the demise of secured connections back to this case.
Christina Moniodis is an attorney and business executive. Her data privacy scholarship published in YJOLT “Moving from NASA to Nixon: Privacy’s Second Strand—A Right to Informational Privacy” is cited extensively in the Indian Supreme Court decision on which the current WhatsApp litigation rests. Christina served as VP of Business Development and Innovation for Like Minded Media Ventures. Christina was formerly Head of Strategy and Innovation for Verizon’s news portfolio, and Chief of Staff for The Huffington Post. Christina was also a corporate attorney at Munger, Tolles & Olson LLP and a law associate in the White House Counsel’s Office. She is a graduate of Yale Law School.
This piece first appeared in CPO Magazine.