Update (October 3, 2019 3:17 pm): Given new information that this agreement is under CLOUD Act, the updated article can be found here.
In what could be a major blow to Facebook and WhatsApp’s case in the Madras High Court, and could set a dangerous precedent against user privacy around the world, a new bilateral agreement between the UK and the US could force social media platforms to disclose encrypted messages from suspected terrorists, paedophiles and other serious criminals, The Times reported on September 28. This agreement will reportedly be signed by the British Home Secretary Priti Patel next month. A British Home Office spokesperson told MediaNama that the agreement is called the Data Access Agreement.
What will this process look like?
Once the agreement is signed, police, prosecutors and security services will be able to submit requests for information to a judge, magistrate, or “other independent authority”, as per The Times report. This process will be overseen by the investigatory powers commissioner.
Under the terms of the agreement, the UK will not target people in the US and vice versa. Also, any information that the US gets from a British company cannot be used as evidence in cases that attract the death penalty without the UK’s permission. It is not clear if this means that even if the suspect is American, the British government will not target them. The Home Office did not answer our question about the same.
Statement from a Home Office spokesperson:
“The UK and US are committed to signing a world-leading Data Access Agreement that will speed up law enforcement’s ability to investigate and prosecute terrorists, child sexual abusers and other criminals.”
How are law enforcement’s data requests treated now in the UK? As the Times report said, as of now, security services can get data only if there is a need for an “emergency disclosure” due to an imminent threat to life. A mutual legal assistance treaty (MLAT) is also an option for police and prosecutors, but such requests can take up to two years and the process is highly bureaucratic.
Problems with the current process: The MLAT route is highly cumbersome and too slow for law enforcement agencies. The Advocate General of Tamil Nadu highlighted a similar problem with MLAT in a conversation with MediaNama: “The MLAT treaty is too cumbersome. We have to go through various channels and that delays the investigative process.” At a discussion at ORF earlier this year, a participant mentioned that data requested by India from the US via the MLAT process “is either denied on grounds of privacy or not in accordance with the format required by the Department of Justice in the US. The process is lengthy, cumbersome and it is not addressing the issues in the timely manner. We need timely access to evidence, because without that it is not possible to prosecute cyber criminals.”
Difficult for American law enforcement agencies to get information too: A recent investigation by the New York Times revealed that even American law enforcement agencies have trouble getting information from tech companies, even when it comes to child sex abuse content. “It can take weeks or months for them to respond to questions from the authorities, if they respond at all. Sometimes they respond only to say they have no records, even for reports they initiated,” reads the article. As per the investigation, even when tech companies cooperate fully, encryption and anonymization make it practically impossible to find the perpetrators. While most tech companies have quickly responded to urgent inquiries, responses in other cases have varied.
It is interesting to note that despite not having end-to-end encryption, Facebook Messenger accounted for nearly 12 million of the 18.4 million worldwide reports of child sexual abuse material, as per the NYT report. Most of these 18.4 million reports have their origins in US-based tech companies.
What we don’t know about this agreement: There’s some confusion about what exactly this agreement can do. Here are the things we don’t know (we’ll keep updating this section as we find more information; most of these questions were sent to the Home Office, but we didn’t get an answer):
- Is this bilateral agreement being signed under the CLOUD Act or is it a different agreement? The Clarifying Lawful Overseas Use of Data (CLOUD) Act allows countries to sign executive agreements with the US so that they can have access to data stored in the US. (Read about it here.)
- Does the UK have any such treaties with other countries?
- It is unclear from The Times report what will force social media companies to decrypt messages. We have reached out to the Home Office for more clarification.
- Can American and/or British governments legally force companies to break end-to-end encryption?
- It is unclear whose data will be exchanged through the agreement if the UK will not target people in the US and the US will not target people in the UK. Does it mean non-citizens of the two countries will be targeted, or non-residents? Will the US and the UK file requests to access information of a citizen of any other country?
- Who is going to sign this agreement on behalf of the US?
What did Facebook and WhatsApp say?
The story apparently caught Facebook and WhatsApp by surprise. “We were surprised to read this story and are not aware of discussions that would force us to change our product,” read Will Cathcart’s comments on Y Combinator. He is the Vice President of Product Management at Facebook and heads WhatsApp.
Cathcart further wrote,
“We will always oppose government attempts to build backdoors because they would weaken the security of everyone who uses WhatsApp including governments themselves.” When someone asked him if WhatsApp had any backdoors installed, he firmly said no, a point that he repeated at least thrice in the comments thread. He wrote, “Backdoors are a horrible idea and any government who suggests them is proposing weakening the security and privacy of everyone.”
In response to our queries, a Facebook spokesperson said, “Government policies like the CLOUD Act allow for companies to provide available information when we receive valid legal requests and do not require companies to build back doors.”
Similar debate rages in India
This debate between users’ privacy and demands of law enforcement agencies resonates around the world.
Patel had previously said that Facebook’s plan to introduce end-to-end encryption would hamper the fight against terrorists and child abusers, the Telegraph had reported. Similarly in India, the Minister of Electronics and IT, Ravi Shankar Prasad, has repeatedly called for enabling traceability on WhatsApp to fight fake news and mob lynchings in addition to terrorism and child abuse. At a July 2019 meeting with Cathcart, however, he said that traceability will be WhatsApp’s job, but that there must be a mechanism to trace perpetrators of crime.
Why this could have an impact on the Madras High Court case
WhatsApp’s (and to a great extent Facebook’s) arguments in both the Madras High Court and the Supreme Court have largely rested on their inability to find the originator. Here’s a look at the arguments the company has made and how they could be affected:
- Technically impossible to find the originator: WhatsApp has maintained that it is technologically impossible for the platform to decrypt and trace messages as they are end-to-end encrypted. In the July 24 hearing in the Madras High Court, WhatsApp counsel Kapil Sibal told the court, “That [lack of access to the originator] is the problem everywhere. It is true in the US, it’s true here, it’s true everywhere.” He told the Supreme Court, “The key is not with WhatsApp, but only with the sender and the recipient.” Could the British and American governments now force companies like WhatsApp to break encryption? And under which law? The British Home Office did not answer our query.
- Global implications for a global company: WhatsApp has also said that any change to the platform will have global implications. In the July 24 hearing, Sibal had told the court that without end-to-end encryption, the platform would cease to exist. “For one jurisdiction, can I change the nature of the platform?” asked Sibal. Facebook’s counsel Mukul Rohatgi made the same argument in the Supreme Court. Given that it is an American company based in the US, will such an agreement mean that it will be forced to change its platform to allow decryption and traceability?
- No other country has asked for decryption: WhatsApp has argued that no other country in the world has asked it for decrypting messages. Such a bilateral agreement between the US and UK will set a global precedent if it actually mandates decryption of messages. This is the kind of precedent that a judgement against WhatsApp in the Madras High Court could have also set.
- American law enforcement agencies also manage: Sibal cited American law enforcement agencies, which WhatsApp supports in every way by giving them all the information (referring to the metadata of the message) except encrypted messages, as their decryption is technically impossible. He argued that American agencies have solved cases using metadata. “Why should we destroy the platform if normal investigative machinery can do it [solve cases]? If [Indian] law enforcement agencies cannot do it, do we destroy the platform?” But as the NYT report reveals, that is not entirely true. American law enforcement is also having trouble.
WhatsApp has also argued that it is a statutory issue where the central government must notify rules about intermediary liability, due to which the Supreme Court instructed MeitY to submit an affidavit with the timeline of the rules.
Update (9:52 am): This article was updated with the section “What we don’t know about this agreement”. The original article was published at 9:02 am.