Hello and welcome to NewsClick. Today we are going to discuss with Bapaditya Sinha, who is a tech expert, on this issue: what is the implication of what the government is asking WhatsApp to do, which is essentially to make the communication between people using WhatsApp traceable, traceable including the first originator of any content such as an image or a video. Now this, the government has said, it requires for law enforcement purposes, and therefore this is something which the WhatsApp company protocol should allow, and they have gone to the extent of saying that if necessary then the protocol has to be changed because it has to conform to law, and the Indian government, by virtue of the modified rules, has made this a part of the requirement of any platform which offers encrypted services in terms of messaging in India. What it means is that the messaging service therefore has to provide this information, otherwise it loses what is called the safe harbour provision of section 79 of the IT Act.

Now there are two issues here which I think need some elaboration. One is what is the meaning of the safe harbour. Now this came up because on eBay somebody was trying to sell a photographic image; there was a case on this, and the eBay owner and some other people running eBay were taken to court saying that you have connived in illegal sale of photographic material.
Since it was an auction site, it doesn't know what is sold on it, whether it's fraud, for instance equipment claiming to be something else, or an image or something else. Since the auction site does not know it, the fact that it is being made a party to a crime committed by somebody else purely because it's an intermediary which offers just a platform, that's how the intermediary protection issue came up, and finally it was incorporated in section 79 of the IT Act that an intermediary, if it follows certain guidelines, then has a safe harbour. And this is what Facebook, Google, all of them use when they say that they do not generate the content, they do not edit the content, therefore they are not legally liable for the content as long as they conform to the sections of the IT Act which say what their responsibilities are.

So what has been added in this particular case is a new responsibility that they have to provide, any encrypted service provider has to provide: traceability, being able to trace the entire chain that the message has gone through, which has been sent by, say, me to you, and then you forwarded it to a third person, the third person forwards it to a fourth person; all this route should be traceable, and who originated the image or a video should then be visible or should be available, so that if the government wants, it can get this information from the intermediary.
The government is saying that the presumption is that I should have a right to be able to look at this information, whatever is being communicated, at any time, and all that I need to do is go to the party which provides the service of carrying the message, that it has the responsibility of giving me this message if I want it. This is the basic argument that is going on. So there are two assumptions here. One is that everybody is a criminal and therefore I need to surveil everybody, and when I need to find out something I should be able to get this information from the service provider; and therefore the presumption is really that every bit of information that we exchange with each other is potentially criminal information, has potentially a criminal purpose, and therefore needs to be stored in perpetuity so that law enforcement authorities should be able to look at it. The second, and this is the other part of the debate that is going on, is that this encryption should be done in a way that it should not be possible for the users to deny anything.

And therefore, if you take for instance what a post office does: the post office takes a letter that I have sent; if you put it in an envelope, it is the address on the envelope; the post office does not know what the information is, and it only has that information, who it has to be given to. Now that person can take the same information, the same letter, out of the envelope, put it into a new envelope and send it to a third person. Now this is how letters would be exchanged, and in this case, in our message exchanging platforms like WhatsApp, what we call the envelope is equivalent to what is called the metadata. You know, tech people like to complicate things by putting big words into simple stuff, so this is called metadata and the message is called data. So the data is not visible to the intermediary who's sending my message to you, so it only sees who it is being sent to; that's all that
information it has. But the government is saying, now you have to bring information which is, in the case of WhatsApp, inside the envelope also to the surface: who has forwarded this message to whom in this entire chain should also be brought onto the surface. So every letter that I have forwarded, if I take the information of the letter as the letter, then all that information has to be put on the envelope and the metadata, is what the government is really saying. Now there are various ways of saying it; I'm sure Bapu will explain this in more detail. So the key question: can you explain what is it that the government wants WhatsApp to do, and why is WhatsApp saying that this will break their basic encryption protocol itself?

So what the government wants is traceability of the originator of a message. So effectively the government is saying that any message, video, image that is shared through WhatsApp groups, forwarded through WhatsApp groups, if there is some objectionable material, and the government decides what is objectionable, then they should be able to go to WhatsApp and say, who is the originator of that material, either the message, the video or the image, and then the government could potentially prosecute or go after whoever the originator of that message was. So that is what the government is demanding as a result of the new rules which have been declared. Now WhatsApp's position is that this is not possible using the current end-to-end encryption scheme that they use. Now just for a little bit of background, the encryption scheme which WhatsApp uses is not WhatsApp's own, right? So there is a different app called Signal, and Signal uses what is called the Signal protocol. Now the Signal protocol has been made open source, which means that the code for the Signal protocol is publicly available; anybody can go and inspect that code, and actually many people, many of the leading cryptographic experts in the world
have inspected the code and said that this is a secure encrypted protocol, right? What a secure encrypted protocol means is, the analogy you gave, that of sending communication through envelopes: so when I send you an envelope, the post office is the intermediary; they forward the message, they don't know what is inside the envelope. So as a result, instead of thinking of it as an envelope, think that your message is stored inside a box, and the box has a lock, and that lock can only be opened through a key. The sender and the receiver have that key; the post office, or WhatsApp or Facebook in this case, do not have that key, and that is critical to this way of sending messages. Since they don't have that key, they don't know what is inside the message. And the Signal protocol is fairly complicated for a layman to understand, but it has these two aspects. The normal way, or the traditional way, of doing this key mechanism is that there is a public key and there is a private key for any entity; it could be an individual, it could be a company. So when you are, let's say, talking to your email provider or talking to your bank, the bank has a public key, the bank has a private key which it keeps with itself, it publishes the public key, and everybody communicates with the bank securely using the public key. The problem with that is twofold. First of all, the bank obviously knows all your information. Second is that if the bank's private key were to get stolen, hackers come and steal the private key, then criminals will have access to all that, right? So the WhatsApp, the Signal protocol is specifically designed to not let this happen. So they only use the private and the public keys for initiation of the communication; the individual messages are encrypted using these temporary keys which are only valid for the duration of that particular message. Every message will use a separate key, and there is a complicated
protocol to figure out how the sender and the receiver will know these keys, right? Now for WhatsApp to be able to peek into the message then would mean that it would need to know these temporary keys which the sender and receiver are using to open the lock to the messages, right? Now that breaks the protocol itself, right? So the government's claim is that you can do traceability without weakening encryption, and that is clearly not true.

So effectively it means breaking the end-to-end encryption, and it effectively also means that the government at any point of time could, by asking WhatsApp, basically say, tell me who has originated this message. Any image which it finds on Facebook, for instance, it can go and say, just check whether this has been given by anybody, sent by anybody. Might be a little more difficult, but all you need is one person with that image and you then have traced the entire route of where this message has come from. Weakening a protocol effectively means handing this over to criminals as well, so it's not just protecting us from criminals; what it does also is it exposes us to criminals by weakening the encryption itself. That's one set of arguments which have been given. I want to really focus on the second set of issues, that effectively it means we are going more and more to a mass surveillance state, and that means the presumption that everybody is a criminal is then written into a protocol itself. That's what it would mean, and all it would require at the most is the protection, as of now this protection is not there, but those who are doing for itself, this is all right as long as done under the court order. Now court order, magistrate order, you can go down the chain, and all the government has to do, it will be some special cell in the government which will have this authority, and that automatically will allow them this process to take this. So it's really a surveillance issue, yeah, being also put.

So one thing there
is a historical thing that you need to remember: how the Signal protocol came into existence. So the Signal protocol, it's an open source project which started in 2013. So I don't think it's a coincidence that 2013 is also the year when the Snowden revelations come up, right? So a lot of us in the tech community had always suspected that the US government was running a mass surveillance program, and a very entrenched mass surveillance program, where it was pretty much looking at every communication. We had the feeling because there were many such small leaks coming out everywhere, but overwhelming proof was not there. With the Snowden revelations it then comes into the mass consciousness, mass awareness, that it is indeed true, what we had always suspected, that the US government was running a mass surveillance program, and a very large scale mass surveillance program. It is in reaction to that that the Signal protocol comes up, to protect people from this mass surveillance program. Now coming to 2021, what the government is saying is that they want to run a mass surveillance program similar to the US government's NSA. Effectively that's what it means.

Yeah, you know, that's an interesting point that you're bringing up, the Snowden revelations of 2013, because there are two sets of issues that became public on that. One is of course the encryption itself, and it was found that RSA had been compromised; it was found that RSA's keys had been compromised, the algorithms that they were using were also weakened, so a whole bunch of things had happened which weakened cryptography, encryption itself; that was because RSA was thought to be the gold standard of all of this. And the second part, and that's something which again a number of people have commented on, including tech security experts like Bruce Schneier and so on, is that the internet protocols were also weakened, and that is one of the major issues that affect every
user, the fact that they weakened all of this in order to make it easier for them to hack into other people's communication. Before we finish our discussion, I have a last question to you regarding what happens in the business API that WhatsApp is offering, which seems to have, I don't know whether we can call it weakened or not, but seems to compromise our communication with the business in two ways. One of it is the WhatsApp data being shared with Facebook, which is a much longer issue going on since 2016, and was the reason that the founder of WhatsApp left the company, because he could not accept this; in fact he left 850 million dollars on the table because he walked out of his agreement two years before it ended. So all of this is already there; that's one part of it. Secondly, it appears that in our business communication Facebook will be able to, quote unquote, listen in to this communication. So how is Facebook, WhatsApp, what are they doing on this, and what would be the position you as a security person would take on this?

Important to know that WhatsApp has changed its privacy policy this year, and the government is actually challenging that, right? The Indian government is asking them to back off. And this is very interesting, right, that when it comes to surveillance by the state, the government is saying we should be able to do surveillance, and WhatsApp is projecting itself as this defender of privacy and saying that that's a bad thing; but when it comes to surveillance by WhatsApp, WhatsApp is saying that it should be able to peek into their messages, and the government is saying no, no, the user's privacy should be protected. So both of them are taking on this self-contrary stance depending on their convenience, depending on who gets to peek at the messages. So now, the WhatsApp business API, the change in their policy is that for a business user. So when you're communicating
then you as an individual are communicating with the business. Some companies have been given access to WhatsApp's business APIs, and so what that means is your communication is between you as an individual and the company. Now the company is not an individual; the company has many employees, and so clearly, even though the messaging still uses the Signal protocol, you know that at the end everybody authorized in the company can look at your messages. That is understood. What is the change in the privacy policy is that WhatsApp is now offering a Facebook-hosted WhatsApp business API, right? And that comes with a lot of benefits. So if a business API is hosted on Facebook, then effectively your messages physically don't go to the business; they go to Facebook, where Facebook is storing the messages for the business. Now what Facebook is now saying is that it will now have the legal authority to peek through those messages, because those messages are decrypted at the endpoint, the endpoint now physically becomes Facebook, and so Facebook will be able to look at the messages. And then they say that they can customize services based on those messages. What it means is that they will read your messages, they will know what you are buying, where you are flying, what your location is, all that information, and then they will use that to sell ads to you.
It's an interesting point, because this is where Amazon came in initially, that they would only be a platform to sell for others, and once the business came onto their platform, Amazon sells a lot of stuff which is Amazon's today. So that always has this issue, and for the viewers it's important to understand that Facebook's entire business model is advertisement based; I think about 96 or 98% of the revenue is generated from advertisements alone. So what they're interested in is these two billion WhatsApp users around the world it has, how to leverage Facebook's advertisement model through that. They tried to sell advertisements to WhatsApp; that sort of hasn't really, was a post, and somehow I think very little of that actually works. So their main issue is now to use WhatsApp data to understand, through the WhatsApp analytics, who is communicating with whom, and that information to be fed back to Facebook, so then they can use their advertising model better. And in the case of business, of course, what you are buying, what you are interested in, of course makes it far more interesting for Facebook in order to show you what kind of ads you should see. So how much it is in the interest of the business to use WhatsApp is a separate question, but certainly as far as we are concerned, it is being able to target us better; that is the reason why WhatsApp was acquired by Facebook, and that's why the change in privacy policy. And as Bapa has said, the two parties take diametrically opposite positions when it comes to their own interest: the government, for surveillance, wants much more inclusive surveillance; Facebook wants to protect this advertising revenue, enhance it, and therefore at that point privacy is not its priority.

This is what we thought we should discuss today with you, because of the wording issue that's going to be are something which will be central to all democracies in the world, because mass surveillance increasingly is something which all states are
trying to weaponize, and how do you prevent the states from weaponizing the surveillance, being able to find the information to sue us, take us to court, establish that they're criminals, is something which is going to be of much longer duration. There's a recent European court judgment which has said the GCHQ, the British intelligence, scheme of mass surveillance was illegal. Now why they have said it's illegal, to what extent it is illegal, all those are still being debated. Thank you very much, Bapa, for being with us, and for our viewers, please do come and visit our website and see our YouTube channel.