The telecom regulator is working on a set of recommendations for the Department of Telecommunications (DoT) to regulate the so-called over-the-top (OTT) service providers. Once the recommendations are accepted by DoT, apps such as WhatsApp may have to register themselves, and potentially allow “lawful interception” of communication sent or received through their platforms.
The move comes at a time when regulatory pressure is building up globally on service providers for access to messages even as they claim these are encrypted and they themselves do not have access.
“Currently, OTTs aren’t subject to lawful interception. This brings the question of regulatory imbalance between telecom players, which have to adhere to lawful requests of enforcement agencies for interceptions, and OTTs which don’t give, saying the communication is end-to-end encrypted. We are finding out more about the international practices. What is being followed outside, the same should be provided to the Indian government as well,” a senior TRAI official told The Indian Express, on condition of anonymity.
Globally, the US Department of Justice has made fresh arguments for access to encrypted communications. According to a report by The New York Times dated October 3, US Attorney General William P Barr, jointly with his British and Australian counterparts, has written to Facebook CEO Mark Zuckerberg, pointing out that companies should not “deliberately design their systems to preclude any form of access to content even for preventing or investigating the most serious crimes”.
In the FAQ page on its website, WhatsApp explicitly states: “We will search for and disclose information that is specified with particularity in an appropriate form of legal process and which we are reasonably able to locate and retrieve. We do not retain data for law enforcement purposes unless we receive a valid preservation request before a user has deleted that content from our service”. It also says that in the ordinary course, WhatsApp does not store messages once they are delivered.
“Undelivered messages are deleted from our servers after 30 days. As stated in the WhatsApp Privacy Policy, we may collect, use, preserve, and share user information if we have a good-faith belief that it is reasonably necessary to (a) keep our users safe, (b) detect, investigate, and prevent illegal activity, (c) respond to legal process, or to government requests, (d) enforce our Terms and policies,” it says. “We also offer end-to-end encryption for our services, which is always activated. End-to-end encryption means that messages are encrypted to protect against WhatsApp and third parties from reading them,” it says.
WhatsApp’s claim of not having access to user messages has put regulators in a fix. “We are studying the possibility of registration of OTT service providers. Once we have decided, we will recommend to the DoT. Lawful interception is prescribed under Telegraph Act. There is a process for this, and something similar to that process will need to be prescribed for OTTs as well but currently, they claim they don’t have any communication because there is end-to-end encryption. They only claim to have a log of messages but not the message itself,” the TRAI official cited above, said.