Last night WhatsApp turned on encryption within the app. This means, by default, if you are using the latest version of WhatsApp all your communication through the app will be encrypted. This also – probably, and that is a big probably – makes WhatsApp illegal in India. The reason? Our IT laws and rules are so outdated that a case can be made against WhatsApp because now it is using 256-bit encryption by default.
This is legally a grey area and, given that WhatsApp is popular in India, the government may not go after it, but in theory it can very well declare the chat app illegal. None of the Indian IT-related regulations permit 256-bit encryption in private services, although none of them specifically outlaws it either. But there are some guidelines issued by the Department of Telecommunications (DoT), which the government can use to term WhatsApp illegal.
According to rules issued by DoT in 2007, the License Agreement for Provision of Internet Service (including Internet Telephony) mandates that private parties in India cannot use encryption that is higher than 40 bits without explicit permission from the government.
Also, the permission is granted only if the entity that intends to use encryption submits decryption keys to the government, which in the case of WhatsApp is going to be impossible because it has implemented the encryption in a way where even WhatsApp doesn’t have the keys.
Now, the interesting bit here is that WhatsApp is not an ISP, nor does it need any DoT licence to offer its services in India. So it is not clear whether the encryption rules formulated by DoT apply to it. However, given the lack of clarity in this matter, if the government wants, it can clearly chase WhatsApp out of the country with its 40-bit stick.
India is, however, in the process of formulating some sort of coherent encryption policy. Last year, the government floated a draft proposal for the use of encryption in India. It was a bad, bad draft, which the government pulled back because of criticism. One of the suggestions in the draft was that people using encrypted services would be asked to keep the decrypted data for at least 90 days. If something like that makes its way into whatever new policy the government comes up with, it will definitely make WhatsApp illegal, especially after its decision to turn on strong encryption by default for all users across the world.