Home » Blogs » Security-cum-privacy Implications Of Whatsapp’s Privacy Policy 2021: An Indian Perspective
Articles Perspectives

Security-cum-privacy Implications Of Whatsapp’s Privacy Policy 2021: An Indian Perspective

The world is moving toward an era of ‘digital spheres’, which is more technologically connected than earlier periods of human history. Among the countries that have increasingly been connected, India has emerged as having amongst the fastest and largest internet users in social and digital media, inevitably being part of the Digital India initiative of the Government of India (GoI). The impact of the COVID-19 pandemic saw an increase in digitization activities across the world, one which has seen an exponential rise in India as well. An important facet of this ‘digitalization drive’ is the cons that emerge with it, especially the implications on the (cyber)security of a nation, and (data)privacy of its citizens.

At the beginning of the year 2021, WhatsApp Inc. came out with its new privacy policy that legitimizes the collection of user information and related activities. It has created a huge debate across all sections of society, in India and abroad. The company explained how this is part of its recent measures to protect user privacy as well as the storage of data as well. Accordingly, the information can be shared among other Facebook Companies, including Facebook Payments Inc., Facebook Payments International Limited, Onavo, Facebook Technologies, LLC, Facebook Technologies Ireland Limited, WhatsApp Ireland Limited and CrowdTangle.

Discriminatory Approach

Incidentally, WhatsApp’s new privacy policy is different in the case of users in the European Region (including the European Union), which is dealt with by WhatsApp Ireland Limited and provides users with the flexibility and option to opt-out. Meanwhile, non-Europeans don’t have that option. It is made compulsory to accept it or else delete your account. Why are non-Europeans discriminated against in comparison to European users? What is different for Europeans that Indians or Asians are not entitled to, and why aren’t companies bringing in rules that are globally applicable? It is debatable as to the company’s behaviour when its chief executive officer, Mark Zuckerberg, declared that the company doesn’t collect data of its customers and respects its privacy during the US Senate hearings. An important legal reason for this divergence in policies for European users is linked to the existence of the General Data Protection Regulation (GDPR), which prevents the use and transfer of citizen user data without (lawful and) explicit opt-in as a requirement for companies functioning in European Union (EU). The lack of similar legislative mechanisms or policy, like the Personal Data Protection Bill 2019, is still pending in India, which is a major factor for the recent thrust in intrusiveness by WhatsApp towards the privacy and data of Indian citizens.

The problem with this policy is that it protects WhatsApp from any future potential legal cases that can come up, particularly in Indian courts. This was evident in the Karmanya Singh Sareen And Anr vs Union Of India And Ors before the Delhi High Court against WhatsApp’s privacy policy in 2016, two years before the Right to Privacy case. Despite the A.P. Shah Committee recommendations on the collection of data and privacy in 2012, the foreign Big Tech companies have continued to abuse the loopholes in India’s legal system. These loopholes especially include the lack of jurisdiction for the Indian judiciary against foreign private companies like Facebook and WhatsApp. WhatsApp has been able to access and share the data of its users, and transfer it to Facebook since September 25, 2016. Once users consent to the WhatsApp privacy policy, which was partially but unsuccessfully dealt with by the Delhi High Court, there will be no locus standi against intrusions or violations involving data of Indian users.

The report by the Committee of Experts under the Chairmanship of Justice B. N. Srikrishna titled A Free and Fair Digital Economy Protecting Privacy, Empowering Indians found that the intrusions and breaches to privacy have serious implications on economic, social or physical damages, not just for the individual, but for the country as well. Why should citizens forego the right to privacy, established in India during the Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Ors. in 2018, and thereby enshrined in the Indian Constitution? What do India and its citizens gain to forego the rights established through the Supreme Court of India judgement to a company like Facebook with an international record of privacy violations? The US Senate hearings on 2016 elections focused on dealing with similar problems, viz.a.viz. The Cambridge Analytica incident and the impact on the democratic process due to access, use and monetization of citizen data by private companies and actors.

Besides identity theft and other related cybercrime against individuals, this can (and have in many cases) lead to threats of cyberwarfare, cyberespionage and cyberterrorism-related activities, creating challenges to the country. The prominent target of cyberattacks often focuses on the vulnerabilities in critical national infrastructure (CNI), including dams, power grids, banking sector, healthcare, energy sector, IT and other sectors. At times, ‘national security advocates’ have often argued that ‘the privacy argument’ is a fluke, and doesn’t necessarily impact the nation. But this has been changing ever since nations have increasingly realised the need and demand for cyber sovereignty and data residency.

An important challenge is the largely unprotected data of citizens (and the country) accessible to foreign multinational companies, agencies and/or rival nation-states. An important lesson in the aftermath of the US elections 2016 and the Cambridge Analytica incident is the threat from psychological warfare tactics and techniques on Indian electoral voters. This will increase the instances for destabilization of the whole nation, and in turn, will have serious national security implications. When the country is increasingly becoming vulnerable to the threats of cyberattacks and data incursions from foreign nation-states, digital radicalization, and cyberterrorism, the potential dangers of a foreign company like WhatsApp determining the use of data of Indian citizens are unlimited. This can be a potential tool by external forces to destabilize the nation.

Alternatives to WhatsApp

An important alternative that has emerged recently to WhatsApp is the Signal app. It was suggested as an alternative by major players and stakeholders in the field, like Elon Musk (Tesla and SpaceX), Edward Snowden (Whistleblower), Jack Dorsey (Twitter chief). Signal was developed by Moxie Marlinspike and supported by Brian Acton, the WhatsApp co-founder, who left WhatsApp due to an issue with the monetization model followed by his former company. The developers of Signal ensured that it was open-source and non-profit, making it a viable alternative to WhatsApp. An emerging argument that Facebook can buy Signal after it has enough customers doesn’t apply here. This is mainly because any (potential) buyer company cannot copyright anything that is open-source. Further, multiple alternatives can be created using open-source.

Additionally, another app that has become increasingly prominent in the market is the Telegram app. There have been mentions about secret chat features of Telegram, one which has also been put forth as a good option to keep your privacy intact. Though, the normal chat options of Telegram seemingly doesn’t seem to have as many security-cum-privacy privileges as Signal. A major hindrance to the use of these apps, it seems, is the need to popularize them. WhatsApp has a huge market in India, an estimated 300 to 400 million users, which is very hard to capture in a short span of time. Many other private apps that are considered a good alternative for WhatsApp include Discord, Bridgefy, Kik, Snapchat, Skype, Keybase, Viber, and Threema.

An alternative to WhatApp has emerged with the release of SANDES, an instant messaging application by the Government of India (GoI), on 19 March 2021. It is currently limited to users verified by the GoI and yet to be open to the public. The app, also displayed as the Government Instant Messaging System (GIMS), was developed by the National Informatics Centre (NIC) and the Ministry of Electronics and Information Technology (MeitY) of the GoI. According to the app, the privacy and data policy of the app is determined by the existing rules and regulations in India, though it is yet to be tested in the public. Currently, the app is integrated with NIC email, DigiLocker and e-office. It is an important step taken under the Digital India Programme, Make in India and Aatma Nirbhar Bharat. Unlike WhatsApp, the login option provides flexibility in using either mobile number or email, and the transfer of multimedia and files are much larger than that is available with WhatsApp. It has similar characteristics, especially features related to encryption and privacy of that of the Signal app, and is expected to be open to the public.

Suggestions

An important suggestion to the Indian government would be to effectively intervene as soon as possible, similar to what it did in the recent case of global publishing companies like Elsevier, Wiley and the American Chemical Society versus Sci-Hub and Libgen. Incidentally, the recent WhatsApp privacy policy is considered a challenge to India’s national interest. The intervention by the government can focus on including (potential) strategies and policies in the upcoming Science, Technology and Innovation (STI) policy as well. This will be a huge step in delegitimizing cyber sovereignty claims and protecting citizens’ rights, and reducing the (potential) security implications arising from digital transnational companies like Facebook (WhatsApp) and others.

With the increasing backlash against its privacy policy, WhatsApp came up with a clarification that it doesn’t collect data from its users. The positive matter is that WhatsApp (FB) changed its official position from collecting individual data to say it will not collect, store or transfer it. It has changed and has come out from its original position, to clarify what it argued as collecting data from its users. Accordingly, it will not collect data from individual users, different from what it earlier argued for non-Europeans. This is mainly because of the backlash from users, migration to other apps and increasing pressure on governments from various corners of the society and market. This is good news for individual people using WhatsApp.

The negative issue is that it still collects data, location, messages etc., from business users, who are coerced to accept the Terms and Conditions of WhatsApp’s privacy policy. Unless they agree to do so, their account would be deleted. This is despite backlash from (business) groups and (trading) associations in India, including the Confederation of All India Traders (CAIT). They have written to PMO India and other Central Ministries like the Ministry of Electronics & Information Technology to ban WhatsApp in India. This is inimical for trading or business users in the country (esp. if you are non-European). Two important reasons argued, for this reason, are GDPR guidelines in the EU, which wouldn’t allow data to leave outside the EU and the provision of a different provider (by WhatsApp Ireland Limited) with different rules for the users.

The Way Forward

The Government of India (GoI) has undertaken various to look towards as well. Based on emerging reports, the GoI has stepped in to examine the WhatsApp privacy policy issue. According to GoI, the privacy policy towards the European Union feels lenient, while it seems harmful for user privacy in India. There is a CBI inquiry on the data leak matter on the Cambridge Analytica incident, and the fake messaging issues as well. The Govt, especially the PMO and MeitY, are also concerned that the regulatory vacuum in data protection within the country is being misused. It is also looking at bringing forth a data protection bill, currently in Parliament, besides the recent Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. This is an urgent directive by the GoI in the right direction.

This is a huge relief, with respect to all the concerns coming through various social media platforms with #WhatsAppprivacypolicy #privacy #dataprivacy etc., one which has been seriously examined by the government. Currently, the GoI should particularly focus on the positive directions and steps to take, with a long-term view on the implications as well. The directions (reported) so far, as within a democracy, in this case, is line with the public opinion. Currently, all company- and business users, based- and located in India have informed its users not to use WhatsApp to share, discuss or transfer company details, information or secrets amongst or within itself, as this could be problematic. India should bring forth a policy similar to GDPR, or through upcoming STI policy or independently.

There is a need to have WhatsApp India established to store, manage and deal with any data located in/from India. This can protect cyber sovereignty, data residency, privacy and security issues; and is in line with Supreme Court directions under the Puttuswamy case. Further, a nation-wide awareness initiative, currently through the National Digital Literacy Mission and other literacy campaigns, should increasingly focus on data privacy, security and protection. A stern action in that direction, one which is pro-privacy and pro-security, will have a (positive) impact on the country, socially, economically and more important politically, within the physical and digital world.

About the author

Ramnath Reghunadhan

Ramnath Reghunadhan

Ramnath Reghunadhan is a Research Scholar at the Department of Humanities and Social Sciences, Indian Institute of Technology Madras, Tamil Nadu, India. His area of interests includes STI, China Studies, cybersecurity and international relations.

Upcoming Event

Subscribe to Our Newsletter