It couldn’t have come at a more poignant time. For Whatsapp to turn on end-to-end encryption just a week after FBI got into the iPhone Apple refused to unlock, was almost like sending a message that was hard to ignore.
Before you think what is the big deal, just understand the fact that a billion people now have access to encrypted messaging thanks to Whatsapp. Though it has been there in many forms and degrees for many years, encryption have never been this big.
There are a lot of positives to this. As Whatsapp says: “The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send that message to. No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us.” Now, add to this the fact that the encryption also covers every voice call, message, photo, video, file and voice message sent using the app.
Never before has encryption been available to the common man, at this scale. In a way you can now have all your communication — with a single contact or with a group — protected by the most dependable 256-bit encryption — the AES256 algorithm is accepted by the US and Canadian governments as standards for encrypting transited data and data at rest.
However, this is not going to go down well with a lot of governments, especially those who are on the forefront of fighting terror. For them it is a problem if the world’s most popular messaging network goes encrypted. Not that it was easy tapping into any of these networks, but now largest of these doesn’t even leave them an option to. It remains to be seen how governments react. But you can expect at least some countries to be harsh in their reaction.
Meanwhile, there have been reports that WhatsApp might have made itself illegal in India by switching on 256-bit encryption. However, India does not yet have regulation in place for OTT messaging apps like WhatsApp or Facebook Messenger.
“In my view, under the existing regulatory framework, 256-bit encryption is certainly not prohibited. When it comes to the telecommunications space, the framework gets a little more complex with differing requirements (like restriction on bulk encryption and cap of key lengths at 40 bits) being applicable to holders of different licences or authorisations. However, in any case, these obligations currently only apply to licence holders themselves (such as ISPs and TSPs) and not to Internet (i.e., over the top or OTT) applications like WhatsApp,” said Tarun Krishnakumar, a Delhi-based lawyer who specialises in technology.
The government’s draft policy on encryption placed restrictions on what keys OTT players could use, but that has since been scrapped, and is being reworked.
There is also the issue about the 40-bit key length being pretty low by all standards these days. The US National Institute of Standards and Technology (NIST) no longer allows anything lower that 80-bit — that too only with three-key Triple DES (Data Encryption Standard), which is anyway being phased out in favour of advanced encryption standards like AES 128, AES 192 and AES 256. WhatsApp uses AES 256, which is the strongest of the lot.
WhatsApp switching on encryption comes primarily as a reaction to the growing popularity of apps like Signal and Telegram, which offer various degrees of encryption. However, WhatsApp goes a step further, and offers encryption by default, and also within groups.