Supreme Court dismisses PIL against WhatsApp, but the fight for encryption is yet to begin

By Asheeta Regidi RTI activist Sudhir Yadav filed a public interest litigation seeking a ban of WhatsApp , on the grounds that its end-to-end encryption violates Indian interception laws, and makes it a safe haven for terrorists to communicate. The Supreme Court dismissed this petition on Wednesday. Unfortunately, there is no cause for celebration yet, since the Supreme Court did not rule on whether the issues raised by Yadav are valid are not. Instead the Court has directed Yadav to first take his petition to an appropriate forum having the authority to rule on the matter. As such, this issue is not yet over, and we may soon see the petition being filed in another forum such as the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). Such a dismissal is normal, since the Supreme Court will not normally hear a petition if the petitioner has another forum that he can approach for redressal. The petitioner must exhaust all such alternative remedies available to him before he can approach the Court. Since this is not the case, the matter is far from over, and Yadav can file his petition elsewhere. The issues raised by Yadav in his petition are not without force, and is a concern for not only the Indian Government but also other governments around the world. 256-bit encryption is not illegal One of the contentions in Yadav’s petition is that the high encryption used by Messaging services like WhatsApp would make decryption next to impossible. While WhatsApp’s 256-bit encryption is not expressly permitted in India, neither does it violate any Indian laws, since at present there are none governing it. While the telecom laws in India do prescribe a restriction of up to 40-bit encryption, this is only applicable to internet service providers and telecom service providers. WhatsApp and other messaging services are, on the other hand are ‘OTT services’, or ‘Over-The-Top Services’. The Telecom Regulatory Authority of India is attempting to regulate OTTs, and a Consultation Paper on the OTT services has also been issued.  Other attempts to regulate such services can also be seen in the form of the Consultation Paper issued by TRAI on the regulation of Voice-over-IP Services and the now withdrawn draft Encryption Policy . WhatsApp encryption can potentially violate Indian interception laws Yadav’s PIL also contends that WhatsApp’s encryption system prevented compliance with Indian laws such as Section 69 of the Information Technology Act, 2000 and Section 5 of the Indian Telegraph Act, 1885. This contention, is, unfortunately, quite true. The sections quoted give the government the power to direct interception of messages under certain situations, such as a public emergency or in the interest of national security. Both the laws in question are applicable to WhatsApp, and also to other messaging apps like Viber, Telegram, etc., since they amount to an ‘intermediary’ under the Information Technology Act, and the messages sent through them amount to a ‘telegraph’ under the Telegraph Act. Therefore, if these messaging services receive an interception or decryption order from the government, they will be bound to comply with them. The method of encryption used by these apps prevents this compliance. In the case of WhatsApp for example, WhatsApp itself does not possess a decryption key and thus cannot decrypt messages even if they wanted to. High encryption may not be permitted in india Yadav claims that he is not seeking a complete ban on WhatsApp, but merely that a method of decryption and access to the information should be made available. In fact, it is unclear why else this petition is being filed at this point, since these are matters already under consideration. Both the Telecom Regulatory Authority of India and the Indian government are already attempting to resolve these issues through regulation. In reality, there is every possibility that this petition will result in a ban along the lines of the recent ban of WhatsApp in Brazil, issued for the same reasons. Regardless of the outcome of Yadav’s petition, chances are that the high encryption being used to protect user privacy will not be allowed to continue in India. Evidence of this can be seen in the now withdrawn draft Encryption Policy , which had required entities like WhatsApp to commit to complying with data requests from the government in order to be able to operate in India. Evidence can also be found in the issue between the Indian Government and Blackberry, where Blackberry was forced to monitor, track and intercept messages on its devices in order to continue to operate in India. The high encryption used by these messaging services gives the government absolutely no access to or control over them. It is clear that sooner or later, the government will impose restrictions on such encryption systems. If Yadav succeeds in his petition, this might just be sooner than later. The author is a lawyer with a specialisation in cyber laws and has co-authored books on the subject.