In November 2014, WhatsApp adopted the Signal protocol for end-to-end encryption after its acquisition by Facebook in February of the same year. Since then, it has grown to be the most popular app for IP messaging and telephony with almost two billion users worldwide, of whom 400 million are in India, the largest number in any country. WhatsApp’s unique blend of text, audio and voice messaging and calling on one platform, with end-to-end encryption, has allowed the company to maintain its pole position, despite hiccups like the Pegasus malware episode.
However, even this would defy the principle of purpose limitation that has been the yardstick of addressing privacy concerns at a global level. It is a fact that Facebook does not have a stellar record of data protection of its users, as the Cambridge Analytica data scam during the 2016 US elections and Brexit shows. In 2018, there were reports of Facebook entering into data-sharing deals with other tech firms like Apple, Amazon and Spotify.
WhatsApp responded to widespread concern by, first, trying to clarify that the update did not change anything as far as the private chats between individuals and groups were concerned and that the data would be shared only for business interactions. It then issued large media ads and finally proposed to defer the implementation by about three months to May 15, 2021. But these steps didn’t stop the exodus of many users to alternate online messaging services like Signal and Telegram.
The Indian government has also sent a strong note, seeking the company’s response to 14 queries related to its practices in India and asking the platform to withdraw those proposed changes. This note has sent a clear message to WhatsApp to not subject Indian users to greater information security risks and vulnerabilities with the consolidation of data from WhatsApp and Facebook. In 2019, during the revelations of the Pegasus hacking, the IT minister had taken a similar stand, forcing WhatsApp to commit to a few deliverables. In the most recent note, the government referred to the purpose limitation provisions in the Personal Data Protection Bill (PDPB) that was introduced in Parliament in December 2019 and is currently being discussed by a joint select committee. It will be pertinent to mention that had the bill been passed by now, WhatsApp’s move would have been illegal. Provisions in the bill required every data intermediary to take explicit permission from the user whose data would be harvested. Even the method of data classification into sensitive personal data and critical data has been defined and their processing possibilities mentioned in the bill.
Clearly, the government has to make the PDPB into law sooner rather than later so that such restrictive practices can never be introduced in the first place. After all, WhatsApp did make an exception for its users in the European Union. At the same time, for the Competition Commission of India, this is a classic case of an organisation using its near monopolistic power in the market to push through something that is not in the consumer interest.
This article first appeared in the print edition on January 23, 2021 under the title ‘The Whatsapp Fix’. The writer is a member of the editorial board of the cyber journal of Chatham House.