WhatsApp will now let users add an additional layer of encryption to their chat backups on iCloud and Google Drive by letting users add an encryption key to the backup, the parent company Facebook announced on September 10. This essentially means that without being able to produce a key or having access to a user’s unlocked phone, users’ messages will be out of reach for law enforcement or government officials — and even WhatsApp itself. “Our primary focus is on protecting people’s messages. That’s why we’ve used end-to-end encryption for messages in-transit, why we’re adding easy ways for private messages to disappear, and now strong backup encryption to protect the messages you want to keep,” WhatsApp CEO Will Cathcart said on Twitter (hyperlink supplied).
“Some governments continue to suggest using their powers to require companies to offer weaker security. We think that’s backwards: we should demand more security from companies for people’s sensitive information, not less.” The feature will be available on iOS and Android in “coming weeks,” Cathcart added.
Cathcart’s reference to governments using their power to require weak security squarely describes India. WhatsApp has sued the government over Rule 4(2) of the Information Technology (Intermediary Liability and Digital Media Ethics Code) Rules, 2021 that requires messaging platforms like WhatsApp to enable “traceability,” a requirement that the company argues would force it to break the encryption to which its messages are subjected.
How backup encryption works
WhatsApp will generate a 64 digit key for encrypting cloud backups. As Facebook explains it:
People can choose to secure the key manually or with a user password. When someone opts for a password, the key is stored in a Backup Key Vault that is built based on a component called a hardware security module (HSM) — specialized, secure hardware that can be used to securely store encryption keys. When the account owner needs access to their backup, they can access it with their encryption key, or they can use their personal password to retrieve their encryption key from the HSM-based Backup Key Vault and decrypt their backup. — Facebook Engineering Blog
This essentially means that the 64 digit key can either be protected with a password on the device itself or by the user themselves, say, in a password manager. But this also means that if a user loses their phone, and they don’t have a copy of the 64 digit key, they won’t be able to access their chat backup even with the password — as the password is merely a key to a key.
Can India access WhatsApp chat backups?
As of now, since WhatsApp chat backups are not yet end-to-end encrypted when they’re stored on the cloud, Indian law enforcement could theoretically request Apple or Google to turn over Indian users’ WhatsApp messages. WhatsApp itself wouldn’t be of much help as far as specific messages are concerned; metadata that the company shares with law enforcement was outlined in a September 7 ProPublica investigation, and while that information is hefty enough for many investigatory purposes, the contents of messages are harder for law enforcement to obtain. In July–December 2020, Google turned over user data for 57% of the Indian government’s 13,624 requests, with the latter covering 39,430 accounts. It is unclear how much of this information included Google Drive data, and more specifically, WhatsApp backups.
What the IT Rules require of WhatsApp
The IT Rules require messaging services to enable government agencies to “trace” the initial originator of a forwarded message, or at least the initial originator of such a message in India. This applies to “significant social media intermediaries,” who are defined by the Ministry of Electronics and Information Technology as any platform that has over 5 million users.
In addition to the argument that this would break end-to-end encryption, WhatsApp’s lawsuit against this requirement says that:
- The requirement doesn’t fulfil standards of proportionality set out in the KS Puttaswamy v. Union Of India case that established the constitutional right to privacy in India;
- Innocent people may get caught in the crossfire of such requests, violating human rights; and that
- The requirement is “manifestly arbitrary” and unconstitutional.
The Delhi High Court has not heard the case in detail as of yet; notice was issued earlier this month to the central government.
- IT Rules Hearing: Delhi High Court Asks Govt To Reply To WhatsApp’s Lawsuit Alleging Rules Are Unconstitutional
- IT Rules 2021: CEO Will Cathcart Says WhatsApp Hopes To Find Solution To Traceability Without Breaking Encryption
- Indian Government Responds To WhatsApp Court Plea: Right To Privacy Is Not Absolute
- Government contemplates single law to regulate all media as IT Rules face legal challenges
Have something to add? Post your comment and gift someone a MediaNama subscription.