WhatsApp Supreme Court case: Regulating OTT services may not lead to better privacy protection

By Asheeta Regidi

In the ongoing case against WhatsApp filed by Karmanya Singh Sareen, the Department of Telecom (DoT) is reported to have told the Supreme Court that Over-The-Top (OTT) services, like WhatsApp, Facebook, Skype and WeChat will soon be subjected to a regulatory framework, similar to the existing framework for telecom service providers. While, as per reports, Sareen is seeking regulation to ensure better privacy for WhatsApp users, the actual effect may be the opposite. The existing privacy granted through end-to-end encryption may be lost.

WhatsApp’s contradictory approach to privacy
There is a sharp contradiction in WhatsApp’s approach to user privacy. On the one hand, user privacy from the government, enforcement agencies, and cybercriminals is absolute, through end-to-end encryption. On the other hand, user privacy has no protection from WhatsApp’s parent company Facebook, third parties affiliates, advertisers and other subsidiaries, as per WhatsApp’s modified Privacy Policy.

It was this contradiction which led to Sareen’s petition against WhatsApp. While this petition failed before the Delhi High Court, leading to this appeal, similar petitions in other countries succeeded in stopping the sharing of data by WhatsApp.

Regulatory intervention needed to protect privacy
The issue of regulation was raised in this case due to the need for protecting WhatsApp’s 160 million users in India. The privacy and data of all these users has been made a matter of private contract between the users and WhatsApp. Considering that most users are unaware of what they are consenting to, the government/judiciary should intervene on their behalf and protect their privacy. It was argued that WhatsApp is like a public utility service, ie, an essential service used by a large number of people.

However, far from being treated as a national concern, privacy doesn’t appear to be a concern at all in India. This is evident in the lack of privacy laws, the lack of any progress in the Right to Privacy bill, and the determined push towards demonetisation and now ‘Aadhaarisaton’ without addressing privacy and security concerns.

From this point of view, imposing privacy and security requirements, along with restrictions on the way OTTs like WhatsApp make use of the data in their possession, is essential.

Aadhaar enrollment. Image: Reuters

DoT seeks a level playing field for TSPs
When the DoT says it will regulate these services, however, it is from a very different perspective. The priority, as revealed in Trai’s Consultation Paper on OTT services, is to create a level playing field between the telecom service providers (TSPs) and the OTTs. A major part of the paper discusses issues like the loss of revenue to the TSPs and the regulatory imbalance between the TSPs and OTTs. Issues like lack of licensing fees, quality of service parameters, security and emergency service obligations for OTTs are the concern.

Reference to privacy is only made in terms of protecting people from cybercrime, but not from sharing of their data like WhatsApp with Facebook. Issues of security are also discussed, not in terms of protecting people, but in terms of enabling lawful interception and surveillance. The result is that for privacy, encryption is mandatory, but for security, decryption should be possible. TSPs, for example, are permitted to use only 40-bit encryption under their license agreements, a much lower level than that used by WhatsApp. Moreover a decryption key is to be deposited with Trai, to enable decryption as required. A similar approach was seen in the now withdrawn Draft Encryption Policy, where, entities like WhatsApp were mandated to comply with decryption requests.

The lack of a focus on privacy and security as sought in Sareen’s petition shows that the DoT’s regulation may not achieve this. Instead, regulations for OTTs may well bring an end to WhatsApp’s end-to-end encryption, the only privacy people have.

European privacy laws – the strength of proper privacy laws
On the other hand, consider European laws. Recently, the European Commission announced that OTTs would be explicitly brought under a new European e-privacy directive. This may also bring an end to WhatsApp’s end-to-end encryption, since the existing e-privacy directive allows the government to ‘restrict confidentiality’ for national security purposes. However, there are also several provisions which protect users.

Image: Reuters

For example, the e-privacy directive does not ask the companies to deposit decryption keys nor does it prescribe levels of encryption. The e-privacy directive, in fact, requires that appropriate technical measures be implemented to protect the communications. A significant fine of 4 percent of global revenue has been proposed for data breaches.

In other words, TSPs and OTTs are required under law to maintain the privacy and security of the data in their possession. This is only subject to suspension in the interest of national security. The success of European privacy laws can be seen in their successful prevention of the data sharing by WhatsApp.

Privacy cannot be traded
It appears from the DoT’s statement that it is no longer a question of whether or not OTT services like WhatsApp and Facebook should be regulated, but rather that it is inevitable. The European Commission, also, recently released a report seeking to regulate OTTs to create a level playing field with the TSPs, similar to the licensing regime being considered by Trai. In view of the extensive privacy protections, however, users do not need to worry that this regulation will threaten their privacy. Their only concern is that they may now have to pay for the OTT services.

It is not India’s proposal of regulating the OTTs, but the lack of a dedicated privacy law, that is the main cause for concern. Privacy isn’t something that can be traded for anything, and hardly for a free service like WhatsApp.

It is hoped that the Indian judiciary will give greater value to people’s privacy, and direct the government to make the required privacy laws.

The author is a lawyer with a specialisation in cyber laws and has co-authored books on the subject

The post WhatsApp Supreme Court case: Regulating OTT services may not lead to better privacy protection appeared first on Tech2.

from http://tech.firstpost.com/news-analysis/whatsapp-supreme-court-case-regulating-ott-services-may-not-lead-to-better-privacy-protection-370567.html