WhatsApp (which actually sounds like "What's up") Messenger is eight years old and is considered as one of the most successful mobile telephone (Smartphone) based freeware platform used for instant messaging. This application (app) was developed by two former employees of Yahoo who were actually once rejected by Facebook. This most popular global messaging app is known to have approximately 1.2 billion users. Presently, this application is most sought after because of its data transfer capability in audio, video, and image sharing sectors. Also, mobile telephony is an additional advantage.
The strength of this application is obvious and evident from the vast number of users. However, during the last few years, some concerns have been raised with regard to the impact of this and other such applications on society in general. It has been noticed that WhatsApp is impacting the sleep patterns, and consequently the health, of users. In some countries including India, internet de-addiction centres have been established particularly to log out children from the virtual world. However, WhatsApp addiction has been found to be increasing in adults too. More importantly, there is the crucial issue of the authenticity of the information being circulated on WhatsApp. Hackers too use WhatsApp as a platform for distributing malware. Some authentic looking word files get circulated via WhatsApp and, upon being downloaded, sensitive information with regard to bank accounts get transmitted back from the attacked smartphone.
To the credit of WhatsApp, within a period of few years of its launch it has earned global acceptability. The belief among common people about the authenticity of the information being circulated through this app is incredible. This is a big danger, given that some agencies could be using this platform for information warfare. Various security breaches have also been reported on WhatsApp indicating that these accounts could be hijacked. The makers of WhatsApp have boosted their security mechanisms from time to time and have also added verification features for users. However, there is always scope for mischief.
Globally, intelligence agencies are concerned that terrorist organisations could be making effective use of WhatsApp. Some reports indicate that terror groups such as ISIS, which has already demonstrated its ability to effectively use social media, could also be using WhatsApp for its nefarious activities. On March 22, 2017, a terrorist attack took place in the vicinity of the British Parliament, with the attacker intentionally driving a car into pedestrians and injuring more than 50 people, three of whom as well as a police officer became fatalities. UK government agencies are of the opinion that the attacker could have used WhatsApp just minutes before carrying out the attack. In order to know more about the exact nature of communication that happened just before the attack, the UK government has asked WhatsApp to provide its security services with access to encrypted messages. But this has not been palatable to the WhatsApp administration.
This is not the first time that such denial of access to intelligence services and police has happened. Over the years, various major private organisations handling messaging and communications services have denied such assess to government agencies for carrying out lawful eavesdropping because of business, security and technical reasons. They contend that providing such access would infringe upon human rights. Also, it would require a weakening of their overall levels of encryption, thus making these services even more vulnerable. Internet messages are sent through End-to-End Encryption (E2EE), and private organisations are not keen to break this format. E2EE allows only the communicating users to read the messages and prevents potential eavesdroppers. In short, these organisations have developed their architecture in such a way as to ensure that any attempt at surveillance does not succeed. But states are keen to do exactly that.
In December 2015, the US Federal Bureau of Investigation was keen on breaking the code of the iPhone used by one of the attackers who had killed 14 people in San Bernardino. However, Apple refused to help the FBI in this regard. But the FBI subsequently managed to unlock the phone. Apple’s refusal and now WhatsApp’s raise concerns. It is obvious that both sides have a strong case. Human rights, privacy and protection of confidentiality are important issues, but so are the requirements of intelligence agencies which have to contend with the inhumane activities of terrorist groups and individuals. The challenge is to resolve this issue amicably. It appears that the private industry would always be reluctant to give access to government agencies for various reasons. Naturally, governments have to find innovative solutions to deal with such situations.
States need to invest more in the development of cryptology. Cryptography deals with the issues and methods of securing digital data. Cryptography changes the message (encrypts) when it is sent and the recipient needs the required code to decrypt it. Cyber threats are mostly transnational making the challenge more complex. In various debates about cryptographic policy, the question of lawful government access and the circumstances under which such access should be provided so as to respect human rights is unlikely to have a final verdict. However, there is a need to appreciate the duties and responsibilities of the state in relation to the members of its own society, and the laws and regulations that should be established accordingly while respecting human rights. End-to-end encryption can have the result that no content data is available to hand over in reply to a lawful government request. However, cryptographic approaches could help to limit exposure of user data and communications and reduce the intricacies of dealing with government access requests.
Ethical hacking is all about attempting to bypass system security and search for weak points that could be exploited by nasty hackers. Identifying such faults allows organisations to improve on their security structures. The Apple case is indicative of the fact that state agencies actually have very limited options. States need to develop their capabilities in the arena of ethical hacking. Today, not much of a debate happens on the need for developing offensive cyber-attack capabilities. But it is expected that some states would be preparing in that regard without advertising it. Perhaps, the time has come to demonstrate such capabilities openly. This could serve a twin purpose: convey capabilities to adversaries and also a message to the private industry. No private industry would be keen to get its clients informed about the vulnerabilities in their system. This eventually could even make them cooperate with the state. The United States used the Apple case to do this. Would the UK do so in the case of WhatsApp?
Views expressed are of the author and do not necessarily reflect the views of the IDSA or of the Government of India.