As a private chat forum, WhatsApp has no equal, not in India, not in the world. Globally, the American freeware, cross-platform messaging service, owned by Facebook, boasts 2 billion users across 180 countries. With an estimated 65 billion messages being transmitted daily apart from 2 billion minutes of voice and video calls being made every day in 2018, it is undoubtedly the world’s most popular messaging service. In India, its user base of 400 million makes the country WhatsApp’s largest market. Besides being free, WhatsApp is simple to use, allows one to send text, audio and video messages and documents. But, most of all, it promises privacy and secrecy of communication, assuring every user that “messages and calls are end-to-end encrypted. No one outside of this chat, not even WhatsApp, can read or listen to them”.
This reputation of confidentiality that the messaging service enjoyed has now come under a cloud in India. Serious concerns are being raised about WhatsApp’s ability to protect a person’s privacy, and about whether content transmitted and stored on its service is protected from unauthorised access and misuse. Ironically, the erosion of trust began with a series of unrelated recent incidents. It started when Bollywood actor Sushant Singh Rajput died in Mumbai on June 14 under mysterious circumstances. Agencies investigating Sushant’s death began to selectively leak WhatsApp conversations to the media, initially to debunk claims by suspects, including Sushant’s ex-girlfriend Rhea Chakraborty. In one instance, Chakraborty’s conversations with filmmaker Mahesh Bhatt were used to show that it was she who left Rajput, not that he had asked her to leave.
Later, the Narcotics Control Bureau (NCB), which began investigating a drug angle in the death, used her alleged chat with a drug peddler to arrest her. As the NCB expanded its investigation scope, WhatsApp conversations of top actors such as Deepika Padukone were released in the public realm, feeding the impression that drug abuse is rampant in the Mumbai film industry. Earlier, on September 16, the Delhi Police filed a charge-sheet in a special court against 15 people alleging that they created WhatsApp groups in December 2019 to organise the riots that broke out in the national Capital in February. Once again, chat transcripts of these groups were selectively leaked to the media.
The alarming rate at which law enforcement agencies are accessing and using WhatsApp chats as incriminating evidence is increasingly making users wary of the security and privacy apparatus of this most widely-used messenger platform in the world. The impunity with which media houses publicly air these chats, infringing on privacy that the Supreme Court has declared a fundamental right, has once again fuelled demand for the immediate passage of an effective and comprehensive law dealing with data protection and privacy. The question is: Just how private and secure are your chats on messaging forums like WhatsApp?
HOW SAFE IS YOUR CHAT?
Data security experts assert that WhatsApp is not the only messenger platform susceptible to breach. Other popular apps like Telegram, Signal and iMessage are as vulnerable. Messages sent across these platforms, including WhatsApp, are end-to-end encrypted and cannot be intercepted during transmission. In other words, they claim that when you send a WhatsApp message to someone, the particular message, whether audio, video, image or text, cannot be intercepted by anyone during the time it first travels to the WhatsApp server and from there to the recipient’s phone.
WhatsApp has repeatedly claimed that end-to-end encryption ensures only the sender and recipient and nobody in between, not even WhatsApp, can read what’s sent. Is it true? “Messages sent on WhatsApp are secured with locks, and only the recipient and sender have the special keys needed to unlock and read your messages. All of this happens automatically, and there is no need to turn on settings or set up special secret chats to secure your end-to-end encrypted messages,” claims a WhatsApp spokesperson.
Most cyber experts agree that the interception of these encrypted messages during transmission is near-impossible. “It is not easy to decrypt encrypted messages. What enforcement agencies are passing off as decrypting messages is more a case of recovering the backup on the user’s phone, and accessing the messages,” says Jaijit Bhattacharya, president, Centre for Digital Economy Policy Research. In fact, this end-to-end encryption is why WhatsApp has often expressed helplessness to law enforcement agencies about fake news and hate messages transmitted via the app, as it has no way of knowing what is being sent or received. The Indian government has been pressing for traceability of WhatsApp messages to check the spread of fake news, but the chat platform has so far declined to comply with such requests, saying that it undermines the privacy of its users. Many observers fear that traceability of the source of a message could be misused for snooping for political purposes, and that it could be only a matter of time before WhatsApp starts cooperating with government agencies, at least unofficially, given that India is also the largest market of its parent company Facebook, with around 350 million users and nearly Rs 900 crore in business annually. In December 2018, the Ministry of Electronics and Information Technology proposed changes to Section 79 of the Information Technology (IT) Act, 2000, making it mandatory for such platforms to enable tracing of the originators of information when demanded by legally authorised government agencies.
While traceability is not yet required by law, what these messaging services are silent on is where your chats are vulnerable. Every electronic message transmitted from one phone to another is stored in four places from which data can be retrieved later: the phone memory of the sender, the phone memory of the receiver, the server of the service provider, be it WhatsApp, Telegram, Signal or iMessage, and the cloud, if the user has enabled backup in the settings. Besides, messages are not encrypted in storage, which means anyone with access to the sender’s or receiver’s phone can read those messages.
Hackers and even government agencies are alleged to be using spyware to spy on targeted phones where decrypted messages can be read live or even retrieved. Several WhatsApp accounts were hacked worldwide by the Pegasus remote surveillance software made by Israel-based cyber tech firm, NSO. The most famous instance was in 2018, when Jeff Bezos, CEO of Amazon, had his mobile phone hacked after receiving a WhatsApp message purportedly sent from the personal account of the crown prince of Saudi Arabia. “Once a hacker accesses a phone, either through physical possession or through hacking, he or she can virtually collect all the data inside the phone,” says cybersecurity expert Subimal Bhattacharjee.
It’s equally easy to hack into the cloud backup of such messages. In the case of WhatsApp, if the user activates the backup option, the message gets stored in Google Drive or iCloud. One then only has to uninstal and re-instal WhatsApp on the same phone or another using the same SIM card to retrieve the back-up on Google Drive or iCloud.
Most chat platforms claim they don’t store private messages of users on their servers. “WhatsApp does not store private messages on its servers once they’re delivered. If a message cannot be delivered immediately (say, if a person is offline), it may be kept on WhatsApp servers for up to 30 days as it tries to deliver it. If a message is still undelivered after 30 days, it is deleted,” explains a WhatsApp spokesperson.
In this respect, WhatsApp and Signal score over Telegram, which does not have end-to-end encryption as its default setting. Only if the user exercises the “Secret Chat” option are messages transmitted through end-to-end encryption in Telegram. Even so, the choice is not available for group chats. When Secret Chat is not activated, the messages travel encrypted from the sender’s device but are decrypted on Telegram’s server, which means they can be read there. The messages are then encrypted again on the server and sent to the recipient’s device, where they are finally decrypted. So, if someone succeeds in hacking into Telegram’s server, they can access users’ private messages. In theory, law enforcement agencies can also access data stored on Telegram servers with an official request, though the Dubai-based platform is known for not being cooperative with authorities.
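The difference between the two designs described above can be modelled in a few lines. The following is an added illustration, not code from Telegram, WhatsApp or Signal: it uses a hypothetical toy stream cipher (an HMAC-SHA256 keystream, not MTProto or the Signal protocol) and two relay functions, one where the server decrypts and re-encrypts at the hop, one where the server only forwards ciphertext, and records what each party could read. The key names and message text are constructed for the example.

```python
import hashlib
import hmac
import os

# Hypothetical toy stream cipher for illustration only: the keystream is
# HMAC-SHA256(key, nonce || block_counter), XORed into the data 32 bytes at a
# time. It is not authenticated and is not any real messenger's cipher.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)                      # fresh nonce per message
    return nonce + _keystream_xor(key, nonce, plaintext)


def toy_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return _keystream_xor(key, ciphertext[:16], ciphertext[16:])


def relay_cloud_chat(msg: bytes, sender_server_key: bytes,
                     server_recipient_key: bytes) -> dict:
    """Telegram-style non-secret chat, as the article describes it: the
    sender encrypts to the server, the server decrypts, then re-encrypts
    to the recipient. Returns the bytes each party ends up holding."""
    hop1 = toy_encrypt(sender_server_key, msg)
    server_view = toy_decrypt(sender_server_key, hop1)   # plaintext at the server
    hop2 = toy_encrypt(server_recipient_key, server_view)
    recipient_view = toy_decrypt(server_recipient_key, hop2)
    return {"server": server_view, "recipient": recipient_view}


def relay_e2e_chat(msg: bytes, sender_recipient_key: bytes) -> dict:
    """End-to-end chat: the server relays ciphertext and never holds the
    key, so its view is the opaque wire bytes."""
    wire = toy_encrypt(sender_recipient_key, msg)
    server_view = wire                                    # ciphertext only
    recipient_view = toy_decrypt(sender_recipient_key, wire)
    return {"server": server_view, "recipient": recipient_view}


def can_read(view: bytes, msg: bytes) -> bool:
    """True if a party's stored bytes are the readable message."""
    return view == msg


if __name__ == "__main__":
    # Constructed sample: fixed keys so the run is reproducible.
    msg = b"constructed sample message"
    k_sender_server, k_server_recipient, k_e2e = b"\x01" * 32, b"\x02" * 32, b"\x03" * 32
    for name, views in (("cloud chat", relay_cloud_chat(msg, k_sender_server, k_server_recipient)),
                        ("e2e chat", relay_e2e_chat(msg, k_e2e))):
        for party, view in views.items():
            print(f"{name:10s} {party:9s} can read: {can_read(view, msg)}")
    # Note that in both designs the recipient's device holds plaintext at
    # the end, which is the storage exposure the article goes on to discuss.
```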
Even platforms that don’t store messages on their servers can help in different ways. “It’s not just the conversation,” says a scientist in the Cyber Laws Group of the IT and electronics ministry. “These platforms can help probe agencies with other information such as metadata, which can be crucial in finding leads and busting crimes.” Metadata refers to the log of chats and phone calls between different users, timestamps on messages, IP addresses, geolocation, details of contacts, etc. While metadata does not allow anyone to read the messages, it reveals whom a user messaged or called, when, and for how long. Platforms such as Signal store minimal metadata and are becoming popular among people concerned about their privacy or committed to it on principle.
CAN THE POLICE TAP YOUR WHATSAPP?
So, if messages are not stored on a chat platform’s server, can they be accessed or retrieved even if the user has deleted them? More importantly, can the police spy on WhatsApp chats or phone calls?
The answer is yes, and no. It depends on the security and vulnerabilities of your handset, and not so much on the chat service provider. Under the Telegraph Act and the IT Act, enforcement agencies can monitor your regular phone and internet calls (see Could You be Whats-tapped?). However, since chats and calls through WhatsApp and other messenger platforms remain encrypted end-to-end, these cannot be intercepted during transmission, unlike regular phone conversations.
However, that doesn’t prevent enforcement agencies or hackers from reading your messages or listening to your conversations by using spyware to breach your handset, as with Pegasus. The spyware targeted a vulnerability in WhatsApp’s VoIP stack, which is used to make audio and video calls. All that was needed for the spyware to be installed on the phone was a missed call to the target through WhatsApp. It could then steal passwords, contacts, text messages and even voice calls made through messaging apps—in this case, WhatsApp. It allowed the hacker access to the phone’s camera, microphone and GPS to track live locations. “Law enforcement agencies or even professional hackers may instal malware in the device and carry on surveillance. Israeli spyware, widely available in the Indian security apparatus, can snoop into any phone and collect data with geolocation,” says Bhattacharjee.
Besides snooping, digital security experts say there are multiple ways enforcement agencies or hackers can retrieve your private chats even if they are deleted. The simplest way is to pull them out of phone memory, where messages remain stored even if deleted by the chat platform’s user. “Unless the phone memory is full and these messages get overwritten, anyone with basic technical expertise can retrieve deleted messages from a handset,” says Bhattacharjee.
To access WhatsApp data stored on a phone, security and investigating agencies can also “clone” it on another device, obtaining a mirror image of the original. With forensic expertise, they can retrieve all kinds of data such as phone call records, messages, images, WhatsApp chats, data on the phone’s cloud service and data stored in various apps. This is how Rhea’s WhatsApp chats were accessed, according to media reports.
When asked, WhatsApp officials shrug off responsibility for messages stored in device memory in decrypted form, which most security experts say is the biggest flaw of the chat platform. “Any questions relating to a phone device can be answered by phone manufacturers and operating system (OS) developers. The operating systems of devices dictate how various apps store information,” says a WhatsApp spokesperson. In other words, unless these messages are further encrypted for storage, WhatsApp cannot provide absolute security to its users. N. Vijayashankar, chairman of the Foundation of Data Protection Professionals in India, agrees that data storage is beyond the control of chat platforms. “Today, Microsoft, Apple and Google have automated many of their services in such a manner that data always gets stored in the cloud even if it is generated on our computers and mobiles,” he says.
Security experts also point out that it is not just the OS: other apps installed on the phone that have access to such messages can later be exploited to retrieve deleted messages. “The user should carefully read the terms and conditions and check the permission settings when he or she instals an app on the phone. So when authorities or hackers get access to the phone, there are many places in the phone where they can look for private data,” says the scientist at the IT and electronics ministry.
The only way to prevent such retrieval is to destroy the phone and avoid backup in the cloud or any external drive. The failure to destroy his cellphone completely led the National Investigation Agency to Jaish-e-Mohammed commander Umar Farooq, the mastermind behind the February 2019 terror attack in Pulwama, in which 40 CRPF troopers were killed. Farooq had been instructed by his handlers in Pakistan to destroy his mobile phone soon after the terror attack. An overconfident Farooq ignored the instruction. A month later, when he was killed by security forces in an encounter, his partially damaged mobile phone was recovered. Forensic experts helped NIA piece together a mountain of digital evidence that helped them unearth the conspiracy.
However, even destroying a phone, or not having it in one’s physical possession, does not guarantee the secrecy of chats. With access to metadata, authorities can trace every person with whom a phone owner has communicated. So a user’s chat transcripts can also be retrieved by accessing or taking possession of the recipients’ handsets. In Deepika Padukone’s case, the agencies did not recover her chats from her phone but from the phone of her manager Karishma Prakash, with whom the actor was allegedly having a conversation soliciting illicit drugs. That is why, experts assert, there is no foolproof way to keep digital data protected from surveillance, retrieval or unauthorised access. “We need to remember that if we use any electronic device, it is almost impossible to protect our information from being retrieved,” says Vijayashankar.
ARE CHATS ADMISSIBLE AS EVIDENCE IN COURT?
The practical impossibility of securing one’s digital footprint in the cyber world makes it imperative to have a robust legal framework to ensure data is not misused and privacy is not violated. Unfortunately, India still does not have a specific law on data protection, privacy and cybersecurity. No provision in the IT Act, 2000, expressly and directly protects the privacy of conversations that take place on online messenger platforms. Under the Indian Evidence Act, 1872, even deleted chats retrieved through forensic analysis can be used as electronic evidence. However, in July this year, the Supreme Court’s constitution bench redefined electronic evidence norms in a landmark judgment in the Arjun Panditrao Khotkar case. It categorically said the police have to strictly follow the provisions of Section 65B of the Evidence Act concerning the digital output produced and ownership of the device if they want to produce and prove electronic evidence in a court of law.
So, when evidence related to Rhea Chakraborty, Deepika Padukone or the Delhi riots is presented in court, the police will have to prove the electronic evidence has been collected through legal means. “At times, ethical hacking is used to gather the information that can provide us a crucial lead in investigating a serious crime. But this cannot be submitted in court as evidence,” says Bhisham Singh, DCP Crime (Cyber), Delhi Police. Electronic evidence produced in court must be accompanied by a certificate stating that there has been no addition, alteration or manipulation of any kind to the electronic evidence. The Khotkar judgment has made obtaining this certificate absolutely essential unless original documents are produced in court. The certificate can be given by the owner of the device or, if an organisation owns the device, by the person in charge of its functioning and maintenance. “Rhea or Deepika may decline to issue a certificate as the police cannot coerce someone to give evidence against themselves,” says cyber law expert Pavan Duggal. However, he adds, once the law enforcement agencies legitimately take the device under Section 76 of the IT Act, 2000, which provides for confiscation of devices, and send it for forensic analysis, the forensic examiner, whether from a government or a private lab, can also give a certificate.
Even if the NCB manages to submit the certificate, the suspects and accused may claim in their defence in court that they did not have the phone when those chats were received. Rhea has already claimed it was Sushant who asked her to send those messages from her phone. There have been multiple instances in the past when the lack of specific guidelines in the IT Act on collecting, saving, retaining and producing relevant and incriminating electronic evidence in a court of law has led either to misuse of this provision or to the legal collapse of cases. “What we are seeing on TV now is a different ball game altogether,” says Duggal. “That has no connection with how electronic evidence is produced in courts. Such drama explains why India has a conviction rate of less than one per cent in cases of cybercrime.”
HOW TO PREVENT MISUSE OF YOUR CHATS
In fact, instead of using digital evidence for busting crimes, enforcement agencies in India have often been accused of using it for political motives. In the absence of any specific privacy law, selected leaks have often been used to set the media narrative. The regular leak of WhatsApp conversations during CBI’s probe into Rajput’s death and NCB’s inquiry into the alleged drug racket in Bollywood has sowed distinct divisions in political circles and inside Bollywood. On the one side, the BJP and JD(U), with an eye on the election in Rajput’s home state Bihar, have used the conversations to allege a conspiracy in the actor’s death while the ruling coalition of Shiv Sena, NCP and Congress in Maharashtra projects it as suicide. Among Bollywood actors, Kangana Ranaut has demanded a detailed probe into the “drug cartel” in the film industry, but others have alleged political vendetta.
Legal luminaries claim this political shadow-fighting over WhatsApp conversations has been possible because of the absence of dedicated privacy laws. A joint parliamentary committee is currently examining the proposed Personal Data Protection (PDP) Bill, 2019, which was supposed to be tabled in Parliament during the monsoon session. However, the JPC sought an extension until the second week of the winter session to present the report.
Once the bill is passed, the modus operandi of procuring digital evidence will undergo a structural change. Instead of collecting all data stored on a computer or mobile phone, the police will be able to access only relevant and case-specific information. “The data protection bill allowing law enforcement agencies to get specific information is necessary for the purposes of an investigation into a crime,” says constitutional and digital law expert Arghya Sengupta, who was one of the members of the Justice B.N. Srikrishna-led committee on the data protection framework for India, which became the basis of the PDP Bill. “It should not happen the way it is in the current investigation into the alleged drug racket in Bollywood where full access to the cell phone of certain individuals appears to have been asked for. The police are not supposed to gather all the information stored on the phone and share it with whoever they want.” Some privacy advocates claim that even the PDP Bill, after revisions, fails to grant adequate privacy safeguards and lacks the teeth and general orientation of other laws such as the General Data Protection Regulation (GDPR) of the European Union, which emphasises user consent, use limitation, and leans towards treating personal data as personal property.
Instead, many fear that the ambiguity in laws related to interception and decryption of private data has been pushing India towards becoming a police state where enforcement agencies, with technological capabilities, snoop on individuals and groups at the behest of their political masters. “If that situation is allowed to continue untrammelled, I too feel that we will be reduced to an Orwellian state with Big Brother snooping on us all the time,” says Justice Srikrishna, the architect of the PDP Bill.
However, while strongly decrying state surveillance, experts are unanimous that privacy as a fundamental right cannot be used to hide criminal acts. “The Indian Constitution does not guarantee privacy to enable criminals to hide from crimes,” says Vijayashankar. “This includes those who are reasonably suspected of having committed a crime, and an investigating agency is required to collect necessary evidence.” Besides, more than new laws, the emphasis should always be on the honest implementation of existing regulations governing privacy and data security. “While there are ample provisions both in the existing regulations and the proposed PDP Bill to create a balance between privacy concerns and the need for probing agencies to access data to detect crimes, the proper implementation of the said measures needs to be looked into. For example, Sections 43A and 72A of the IT Act penalise improper disclosure of personal information. However, such provisions are seldom enforced,” says Salman Waris, a partner in legal firm TechLegis, which has offices in Delhi and Noida. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, notified under Section 43A, explicitly define “sensitive personal information”, which includes financial information such as bank account, credit card, debit card or other payment instrument details of users. In Chakraborty’s case, all these details have been made public. Legally speaking, therefore, Rhea and Deepika can drag the police and media houses to court for publicising their private data.
With the invisible footprint of our personal data being as large as it is, and data privacy laws being as lax as they currently are, privacy in the digital ecosystem is almost a myth. “The internet as a paradigm never sleeps and the internet as a phenomenon never forgets. Every activity we do online leaves behind an electronic footprint, which can be used against us,” says Duggal. The only uncertain protection in the virtual world, then, is to try to be on the right side of the law.
Could you be Whats-tapped?
Under Section 5 of the Telegraph Act, 1885, the Union home secretary or the home secretary of a state can order the interception of phone conversations to protect the sovereignty and integrity of India, the security of the state, friendly relations with foreign states or public order, or to prevent incitement to the commission of an offence. In exceptional situations, an officer (not below the rank of joint secretary) who has been authorised to do so by the Union home secretary or a state home secretary can also issue such an order. Interceptions cannot last longer than 180 days.
The order for an interception must contain a justification for doing so, and a copy of the order must be sent to the review committee within seven working days. The review committee at the central level comprises the cabinet secretary, the law secretary and the telecom secretary. At the state level, the chief secretary, law secretary and any secretary other than the home secretary are members of this committee. All requests for phone taps must come from an officer not below the rank of superintendent of police (or equivalent), through the proper channels. The officer authorised to intercept communications must maintain proper records of the exercise, including the details of those to whom the intercepted communication has been disclosed. A formal request must be placed with the service provider for phone tapping. This surveillance, however, is limited to phone calls.
For surveillance of electronic communication, emails, SMSes, chats, etc, Section 69 of the Information Technology Act, 2000, allows the government to order the interception, monitoring and decryption of any information through any computer resource. This power can only be exercised under similar circumstances to those mentioned in the Telegraph Act for phone tapping. The safeguards and review mechanism for this are prescribed in Rule 419A of the Indian Telegraph Rules and the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, and the standard operating procedure issued for the purpose. However, since chats and phone calls through platforms like WhatsApp are encrypted, these cannot be intercepted during transmission.
The police can nonetheless legally access data stored on a phone or a computer. Section 76 of the IT Act gives law enforcement agencies the power to confiscate any computer resource or communication device. Private chats can be used as electronic evidence under the Indian Evidence Act, 1872. However, electronic evidence is admissible in court only if the conditions in Section 65B of the Indian Evidence Act, 1872, are strictly followed. When such evidence is produced in court, it must be accompanied by a certificate stating that there has been no addition to, alteration of or manipulation of the evidence. The certificate can be issued by the owner of the device, the person in charge of the functioning and maintenance of the device, or a forensic examiner who has conducted an analysis of it. If electronic evidence is procured through illegal means, that itself becomes an offence under Section 66 of the IT Act, 2000, and such ‘unofficially obtained’ electronic evidence cannot be used in a court of law.
If a person suspects they are under unauthorised phone or digital communication surveillance, they can file a complaint with the National Human Rights Commission or have an FIR filed at the nearest police station. They can also move the courts against unauthorised tapping. A Delhi High Court ruling in December 2018 said citizens can find out from the Telecom Regulatory Authority of India if their phones are being tapped, under the Right to Information Act. Officially, phones of elected representatives cannot be tapped.