Ever since WhatsApp announced end-to-end encryption, there has been a flurry of reports on how the world’s most popular messenger service might have made itself illegal in India by switching on 256-bit encryption.
But that is not really right. India does not have any regulation in place for OTT messaging apps like WhatsApp or Facebook Messenger, and certainly nothing that stipulates what type of encryption they can use.
“In my view, under the existing regulatory framework, 256 bit encryption is certainly not prohibited. When it comes to the telecommunications space, the framework gets a little more complex with differing requirements (like restriction on bulk encryption and cap of key lengths at 40 bits) being applicable to holders of different licenses or authorisations. However, in any case, these obligations currently only apply to license holders themselves (such as ISPs and TSPs) and not to internet (i.e., over the top (OTT)) applications like WhatsApp,” explains Tarun Krishnakumar, a Delhi-based lawyer specialising in technology.
The government’s draft policy on encryption was expected to place restrictions on what key sizes OTT players could use, but that draft has since been scrapped and is being reworked.
There is also the issue that the 40-bit key length, which ISPs and TSPs have to stick to, is pretty low by all standards these days. The US National Institute of Standards and Technology (NIST) no longer allows anything lower than 80-bit, and that too only with three-key Triple DES (Data Encryption Standard), which is anyway being phased out in favour of advanced encryption standards like AES 128, AES 192 and AES 256. WhatsApp uses AES 256, which is the strongest of the lot.
So, till the government stipulates what keys OTT messengers or other Internet players need to stick to, there is nothing wrong with WhatsApp’s 256-bit encryption.