THE RHETORICAL END OF END-TO-END ENCRYPTION?

Written By: Bodhisattwa Majumder & Smriti Shandil

Bodhisattwa and Smriti are final-year students at Maharashtra National Law University Mumbai. Their interests lie in Constitutional Studies, Fintech, Data Privacy, Public Policy, and Communication laws. They also head the Research Wing of the Centre for Information, Communication, and Technology Law (MNLU Mumbai) as Chief Student Editor and Managing Editor respectively.

 

In the second week of January this year, every Indian WhatsApp user came across a notification informing them of a change in the privacy policies[1], which they ‘had’ to accept in order to continue using the application. Further, a deadline of 8th February 2021 had also been provided for the acceptance, failing which the account would be deleted. However, the deadline was modified in consideration of the mass uproar and discussions with the government. This update was in furtherance of the last major update, which allowed users to use the instant messaging application as a mode of payment as a Unified Payment Interface (“UPI”). Although the update in the privacy policy raised many eyebrows, it ‘had’ to be accepted due to the dependence of the huge customer base of 400 million.[2] As the functioning of the instant messaging application required an existing customer circle to receive the messages, quitting the application all of a sudden due to a mere privacy policy change was not an option for many users. Unfortunately, the tech giants sitting behind the screens know that very well. Rather than focusing only on the legal standpoint of Indian laws on Data Privacy, this article strives to raise a few questions. Questions regarding why this policy is applied specifically to India (the EU has the GDPR).[3] Questions regarding the habitual practice of tech giants acquiring or merging with an enterprise, just to shred it later to obtain user data. Questions regarding the vilification of the sanctity of data by storing it, using it, and transferring it without the informed consent of the subject. Questions regarding the ethos behind running a social media application, if there is any left.

 

Prologue: The Developments with WhatsApp since the Last Years

The inception of WhatsApp can be traced back to the pre-Android age of mobile phones. Despite developments in terms of the technological advancements of mobiles, the position of WhatsApp as the replacement of Short Messaging Services (SMS) was unchallenged by its competitors. However, in the year 2014, despite its dominance, it ended up being acquired[4] by the bigger fish – Facebook. Since then, various modifications have been made to the original application, widening its scope and functioning. After its integration with Facebook, additional features were provided such as Stories (Connected with Facebook), Rooms (Google), and ‘WhatsApp Payments’, which require modifications in the existing privacy policy. The changes made in the latest update are as follows:

  • Take it or leave it policy – In the July update of the application, an option was provided to share Usage Data with Facebook. However, in the recently updated policy, there is no option to disagree. The only option left with users was either to agree with the policy or to quit WhatsApp.
  • Third-Party Access – According to the January update, agreeing with the policy would entail that the user is agreeing to share his/her personal data with third-party applications for commercial gain (“improvement of services”). WhatsApp later clarified[5] its stance that this access shall be limited only to messaging between business entities and not personal conversations.
  • Recipients of the data – Right now, according to the policy,[6] the third-party service providers would be “other Facebook companies”. The policy also includes third-party applications linked to the product. But it is not limited to these (emphasis provided later in the article).
  • Reason for third-party sharing – According to the policy[7], they would be required “to provide technical infrastructure, delivery, and other systems; market our Services; conduct surveys and research for us; protect the safety, security, and integrity of users and others; and assist with customer service.”
  • Uniformity of the policy – According to the statements[8] by WhatsApp’s spokesperson, the policies have not changed for users in the European region. WhatsApp still does not share user data from that region with the other Facebook applications. (The reason behind this discrimination has been pointed out in the latter part of the article.)

The initial plan of WhatsApp was to make it a paid subscription (99 cents), but that plan was dropped in order to make it entirely free. But as the saying goes, “If something is offered to you as free, YOU are the product”.[9]

 

Tech Companies and the Trade of User Data

However, WhatsApp is not the only entity that has been acquired by Facebook over the years. To date, Facebook has entered into 88 Mergers and Acquisitions. In fact, it comes as no surprise that Facebook owns the four most downloaded apps of the decade.[10] These include Facebook, Facebook Messenger, Instagram, and WhatsApp. It is a no-brainer that for the tech companies, user data is the gold that they obtain from their customers, use it to improvise, and often try to manipulate a majority of it to their benefit in the long run. With Facebook owning a major chunk of popular social media websites and applications, it becomes fairly easy for it to maintain its dominance in the market of social[11] networking or specifically instant messaging. The Goliath here is just growing big with the help of its new-found user data with each new merger that becomes a part of its ever-growing database.[12]

For a very long time, Facebook has maintained[13] its stance that a majority of its acquisitions are ‘talent acquisitions’ and that it shuts down most of the companies that it acquires. However, Facebook over the years has acquired a lot of companies like Instagram and WhatsApp, which continue to operate under the aegis of Facebook Inc., with major changes in their privacy policies over the years. An example of the same would be Facebook’s acquisition of Instagram in the year 2012, subsequent to which Instagram’s Privacy Policy has seen a lot of changes[14], which have been dubbed intrusive and problematic by many users in the past. In the most recent update, the application’s access to the camera and microphone of the user’s device has been reported by many users as a tool for catching phrases for Instagram advertisements even when the application was not being used. While all of these changes are extremely disturbing considering the privacy risks that they pose in our day-to-day lives, it is important to see how regulations have helped curb these intrusions to a certain extent.[15]

As has been mentioned briefly in the introduction, WhatsApp’s new privacy policy is enforced only in select countries, excluding those that are part of the EU, on account of the stricter Data Protection Law Regime there. Allowing WhatsApp to share its user data with its parent company’s applications basically amounts to the transfer of personal data outside the country, which might go strictly against[16] the tenets of the data security laws of any country.

 

India’s Data Protection Laws: The Missing Privacy Sentinel

The reason behind the swift rollout of WhatsApp’s updated policies in India (but not in the EU) is the lenient or negligible data protection regime in the nation. While the EU has a substantially foolproof GDPR, India is yet to have a similar counterpart. The only legislation specific to data protection in India, the Personal Data Protection Bill[17] (“PDPB”), has its own set of concerns and is yet to be enforced. Yet, despite its drawbacks, had the PDPB been in place by now, WhatsApp would not have been able to implement its recent Privacy Policy.[18] If we look closely at the PDPB, it does provide many protections against such data usage violations. Section 5 of the PDPB specifically denotes that one can only use information collected from users for purposes that are closely linked to the purpose for which the information was given. What this means is that Facebook would not possibly be able to justify the sharing of WhatsApp user data with the Facebook group of companies, since they are not closely linked in terms of the purpose for which the user data had been acquired in the first place. Yet, since the PDPB is still not enacted, these provisions do not exist in the country to provide users any protection, as of now. Additionally, there is no data protection authority in the country that could intervene and protect users. Users are left at the mercy of the contractual rights guaranteed by the Company’s assurances and Privacy Policies.

The fact that India’s Data Protection Laws have been in the process of implementation for years now is the biggest deterrent for User Privacy Protection. In the absence of specific Data Protection Laws, we have certain other laws that may grant users some protection, like the provisions of the Information Technology Act, 2000 (“IT Act”), that may apply in the current context. But they give very limited[19] protection to users and lack teeth in comparison to the laws of other countries, such as European countries, where strict and heavy fines have been imposed[20] on Facebook for data privacy violations in the past. It is not the first time that WhatsApp has been confronted with a data privacy violation. Earlier, in the matter of Karmanya Sareen v. Union of India[21], WhatsApp’s policy change in 2016 was placed before the High Court of Delhi as an infringement of the right to privacy. The Hon’ble High Court had directed the deletion of non-existent members and had issued a directive to TRAI to provide a regulatory framework for social media applications.

 

Analyzing the Change in the Context of India’s Data Policy Regime – Meeting of Two Devils?

Throughout its run, WhatsApp has made the phrase “end-to-end” encryption its motto, and every user could see it while using the application (specifically, while starting a new chat). It displayed “Messages and calls are end-to-end encrypted. No one outside of this chat, not even WhatsApp can read or listen to them.” This tall claim is being heavily doubted in the current context. It has also often got WhatsApp locking horns with the government. Many times, it has been discussed and debated[22] in the parliament, and it has been suggested that an exception should be carved out for Legal Enforcement Authorities (“LEA”).[23] This suggestion again raised eyebrows, despite being made in the context of bonafide public purposes such as prevention of child pornography. The reason, simply put, is that when you allow Uncle Sam a backdoor entry, the activities of LEA have often gone beyond the proposed boundaries, leading to suppression of the freedom available to citizens. The Bill has, over the years, undergone drastic changes, and it is feared that its current form allows the government a wide ambit in the use of its sovereign powers. The earlier bill allowed the use of personal data on the grounds of National Security in situations “authorized by the parliament and deemed necessary and proportionate”, which has been done away with in the new bill. The new bill allows sharing of personal data, without the user’s consent[24], ‘for providing benefits to the individual’.[25] As we are aware by now that according to WhatsApp’s privacy policy, third parties What this implies is that if the latest form of the bill is rolled out, it can be reasonably asserted that the Government will be another “third-party” by statute for whom WhatsApp will serve user data on a silver platter. This is also largely problematic and petrifying, since it could give the state Orwellian powers to monitor all commercial transactions/communications taking place through WhatsApp.

 

Concluding Remarks

The US and the EU have specific statutory compliances[26] which must be met in the context of user data transfer in a Merger/Acquisition. The Federal Trade Commission Act (US) mandates compliance with the published privacy policies, the failure of which shall amount to ‘deceptive acts or practices’. The California Online Privacy Protection Act, 2003 mandates that Online Service operators disclose all third parties with which the personal data of the user shall be shared. The EU Law holds a similar stance, which governs the sharing of user data after the consummation of an M&A transaction. According to the directive[27], when the sensitive user data of any individual is shared, the ‘explicit and informed consent’ of the subject must be taken. Further, the data recipient must have a ‘legitimate interest’, and in no case may the fundamental rights and liberties of the user be infringed. These safeguards are missing when it comes to developing countries with lenient or absent data privacy regimes. The various tech giants have been using this as leeway to collect a humongous amount of data from these countries by providing them free services. Due to the lack of digital awareness, these unethical policies are accepted by the huge customer bases without any question.

As has been mentioned earlier, when WhatsApp was launched initially, all the way back in the year 2009, it had made commitments to its users that it would not be selling user data to any third party. Gradually over the years, with Facebook’s acquisition of the app, this changed drastically. Although at the time of its acquisition WhatsApp had assured users that despite the change in ownership there would be no data sharing, WhatsApp has since its acquisition started sharing data with Facebook. Earlier, users had an option of opting out of sharing their data with Facebook and affiliated companies. The new Privacy Policy has a “take it or leave it” approach, where users get no say in whether they agree with sharing their data with Facebook and affiliated companies or not. This brings us to raise integral questions about the ethics of a tech company operating in a region that lacks sound data privacy regimes. In the absence of a statutory construct, can the acquisition of a company infer the acquisition of user data as well? And if so, can the terms of usage and privacy be changed from the initial terms, on the pretext of which the users had signed up for the app in the first place? Does this not amount to obtaining forced consent from the users? The fine print of the policy perhaps vilifies the sanctity of “end-to-end” encryption (in spirit if not in the letter) which was believed by half a 400 million loyal customers. Despite the public outcry and mild warnings from the government, the present stance of WhatsApp remains the same (with a postponement of date) and it has placed the deadline at 15th May.[28] Perhaps at this point in time, the only possible course of action for the legal academia is to raise questions, as this article does, to make the readers aware, and to hope for the swift enactment of foolproof data-privacy legislation to cater to the needs of the unaware.

 

References:

[1] Privacy Policy, Whatsapp, Available at https://www.whatsapp.com/legal/updates/privacy-policy/?lang=en.

[2] Whatsapp user base crosses 400 million, Tech Crunch, Available at https://techcrunch.com/2019/07/26/whatsapp-india-users-400-million/.

[3] Houser, K.A. and Voss, W.G., 2018. GDPR: The end of Google and Facebook or a new paradigm in data privacy. Rich. JL & Tech., 25, p.1.

[4] Whatsapp – Facebook’s best purchase?, Investopedia, Available at https://www.investopedia.com/articles/investing/032515/whatsapp-best-facebook-purchase-ever.asp#:~:text=executives.,billion%2C%20or%20%2455%20per%20user.

[5] Frequently Asked Questions (FAQ), WhatsApp, Available at https://faq.whatsapp.com/general/security-and-privacy/answering-your-questions-about-whatsapps-privacy-policy/?lang=en.

[6] WhatsApp’s New Policy – Take it or delete it, Indian Express, Available at https://indianexpress.com/article/technology/social/whatsapp-new-2021-terms-of-service-and-privacy-policy-new-changes-accept-or-delete-7134815/.

[7] Supra Note 1.

[8] WhatsApp updates its privacy policy, Lifestyle, Independent UK, Available at https://www.independent.co.uk/life-style/gadgets-and-tech/whatsapp-update-new-privacy-policy-b1783880.html.

[9] The Social Dilemma (2020), Netflix Inc.

[10] Sam Stead, Facebook owns the four most downloaded apps of the decade, BBC, Available at https://www.bbc.com/news/technology-50838013.

[11] Becher, S.I. and Benoliel, U., 2021. Law in books and law in action: the readability of privacy policies and the gdpr. In Consumer Law and Economics (pp. 179-204). Springer, Cham.

[12] Voss, W.G., 2019. Obstacles to Transatlantic Harmonization of Data Privacy Law in Context. U. Ill. JL Tech. & Pol’y, p.405.

[13] Facebook buying spree, WHT, Available at https://www.whoishostingthis.com/blog/2014/12/08/facebooks-buying-spree/.

[14] Instagram Privacy Policy, Tech Wellness, Available at https://techwellness.com/blogs/expertise/instagram-privacy-policy.

[15] Blanke, J.M., 2019. Top Ten Reasons to Be Optimistic About Privacy. Idaho L. Rev., 55, p.281.

[16] Data Privacy Concerns over WhatsApp policy, Indian Express, Available at https://www.financialexpress.com/industry/technology/data-privacy-concern-over-whatsapps-new-policy/2167935/.

[17] The Personal Data Protection Bill, 2019, Available at http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf.

[18] Klar, M., 2020. Binding Effects of the European General Data Protection Regulation (GDPR) on US Companies. Hastings Sci. & Tech. LJ, 11, p.101.

[19] WhatsApp Privacy policy yet another reason why India should have its data protection law, Hindu Business Line, Available at https://www.thehindubusinessline.com/info-tech/whatsapps-new-privacy-policy-yet-another-reason-why-india-needs-data-protection-law/article33542521.ece.

[20] Facebook facing privacy actions across Europe as France fines firm, The Guardian, Available at https://www.theguardian.com/technology/2017/may/16/facebook-facing-privacy-actions-across-europe-as-france-fines-firm-150k.

[21] Case-Number SLP (C) 804/2017

[22] Govt Wants Backdoor Entry, The Print, Available at https://theprint.in/opinion/govts-want-backdoor-entry-encrypted-whatsapp-texts-it-can-also-be-backdoor-for-hackers/562778/.

[23] Voss, W.G., 2019. Cross-Border Data Flows, the GDPR, and Data Governance. Wash. Int’l LJ, 29, p.485.

[24] ‘Grounds for Processing of Personal Data without Consent’, Sections 12 – 15, Chapter III, the Personal Data Protection Bill, 2019.

[25] Section 91 (2): The Central Government may, in consultation with the Authority, direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.

[26] Privacy in M&A Transaction – Personal data post closing liabilities, Harvard University, Available at https://corpgov.law.harvard.edu/2016/11/10/privacy-in-ma-transactions-personal-data-transfer-and-post-closing-liabilities/.

[27] EU Directive 95/46/EC of October 24, 1995

[28] Saurabh Singh, WhatsApp to move ahead with controversial “take it or leave it” privacy policy update despite India’s strong stand against it, Financial Express, Available at https://www.financialexpress.com/industry/technology/whatsapp-to-move-ahead-with-controversial-take-it-or-leave-it-privacy-policy-update-despite-indias-strong-stand-against-it/2197881/.
