On Tuesday, The Indian Express reported that the Telecom Regulatory Authority of India (TRAI) is studying the possibility of bringing platforms such as WhatsApp under the ambit of “lawful interception”.
Lawful interception of online communications platforms such as WhatsApp, Skype, Signal or Telegram has been a long-running debate that has ranged governments and regulators across the world against technology companies and privacy activists. The authorities want such platforms to provide access to messages, calls, and their logs to law-enforcement agencies to aid them with investigations. India, too, has made demands for traceability of communications from instant messaging platforms.
Why is TRAI looking at lawful interception of online messaging apps?
The telecom sector watchdog has been carrying out consultations to build a regulatory framework for over-the-top service providers (OTTs) — or platforms that use the infrastructure of traditional telecom companies like the Internet to offer their services. TRAI has been looking at the regulation of OTTs since 2015, when mobile companies first raised concerns over services such as WhatsApp and Skype causing loss of revenues by offering free messaging and call services.
The other argument made at the time was that these services do not fall under the licensing regime prescribed by The Indian Telegraph Act, 1885, and effectively operated in a regulatory dark spot.
Over time, TRAI looked at various aspects of the lack of a level playing field between telecom companies and OTT service providers, including the economic aspect. However, with the boom of data consumption in the country over the last two or three years, primarily led by OTTs, TRAI officials indicated that the economic aspect did not hold ground anymore. With this realisation, the regulator began looking at the security facet of the regulatory imbalance between the two kinds of players. While telecom players are subjected to lawful interception as per the telegraph law, OTT platforms, by virtue of not being licensed, are currently not subject to interception by law-enforcement agencies.
How will the regulator proceed with the proposal now?
TRAI will submit its views to the Department of Telecommunications (DoT), which will decide on the next course of action. Currently, the regulator is learnt to be studying global practices as far as lawful interception on online platforms is concerned. It is also looking into whether other regulators and authorities have been provided any facilities for interception of communications, and could suggest that the platforms should provide the same facilities to the Indian government.
Under which laws are telecom firms currently subject to lawful interception?
The Indian Telegraph Act, 1885 states that on the occurrence of any public emergency, or in the interest of public safety, the central government or a state government can take temporary possession — for as long as the public emergency exists or the interest of the public safety requires the taking of such action — of any telegraph established, maintained or worked by any person licensed under the Act. This mandates telecom companies to provide access to messages, calls, and logs of these in case a court order or a warrant is issued. However, the government, while clear on demanding access to message logs for law-enforcement purposes, is not relying on The Telegraph Act to meet this objective. Instead, it wants the platforms to come up with a solution to enable traceability.
So, are messages sent and received on these platforms not traceable?
Apps such as WhatsApp, Signal, Telegram, etc. claim to provide end-to-end encryption of their messages. This has caused some uncertainty among the authorities on how they can seek access to messages.
On the FAQ page on its website, WhatsApp states: “We will search for and disclose information that is specified with particularity in an appropriate form of legal process and which we are reasonably able to locate and retrieve. We do not retain data for law-enforcement purposes unless we receive a valid preservation request before a user has deleted that content from our service.”
It also says that in the ordinary course, WhatsApp does not store messages once they are delivered. “Undelivered messages are deleted from our servers after 30 days. As stated in the WhatsApp Privacy Policy, we may collect, use, preserve, and share user information if we have a good-faith belief that it is reasonably necessary to (a) keep our users safe, (b) detect, investigate, and prevent illegal activity, (c) respond to legal process, or to government requests, (d) enforce our Terms and policies,” it says. “We also offer end-to-end encryption for our services, which is always activated. End-to-end encryption means that messages are encrypted to protect against WhatsApp and third parties from reading them.”
And what is the situation elsewhere?
Currently, there is no jurisdiction anywhere in which messaging apps have been known to provide access to their messages. However, pressure on such services to provide access for law-enforcement purposes has been rising everywhere. The United States Department of Justice has made fresh arguments for access to encrypted communications. The New York Times reported on October 3 that Attorney General William P Barr, jointly with his British and Australian counterparts, has written to Facebook CEO Mark Zuckerberg, pointing out that companies should not “deliberately design their systems to preclude any form of access to content even for preventing or investigating the most serious crimes”.
In India, Law and IT Minister Ravi Shankar Prasad has repeatedly stressed the need to be able to trace messages to prevent serious crimes. While the Indian government has conceded that encrypted messages may not be accessible, it has asked the platforms to provide origin of messages that could possibly incite violence or other mischievous acts.