New WhatsApp Privacy Policy 2021 and Its Impact

Context: social media and its impact on Privacy and internal security is the most important topic of Paper-3 GS and Essay

New Whatsapp Privacy Policy: In the 21^st century the debate over the mutualisation of communication technology has its own meaning as it is directly impacting our Privacy and becoming a threat to our internal security problem. Even it can generate the issue of STATE control and target the opposition.

Why is WHATSAPP in the news

The New WhatsApp Privacy Policy has come into the discussion on the issue of how user data is impacted given its integration with another social media major Facebook, which also happens to be WhatsApp’s parent company.

• There has been a huge concern over the new WhatsApp Privacy Policy due to a large population dependent on the app for various purposes of information sharing, entertainment, etc.
• This is forced consent taken from the users as it does not leave them with much of a choice.
• Besides breaching users’ privacy, the WhatsApp policy is also discriminatory as it is not applicable to the United Kingdom and the European Union but must be accepted by the rest of the world.

Features of the New WhatsApp Privacy Policy

• It requires users to consent to share transaction data, mobile device information, IP address, and data on how they interact with businesses with Facebook group companies.
• The policy allows WhatsApp and Facebook to share user information with businesses and third-party service providers that transact on these platforms.
• Besides the technical front, even on the analytics front, the consent has been asked to share details such as login details and locational details.
• WhatsApp’s end-to-end encryption clause still remains intact, but this only ensures that it won’t be able to see or share the users’ messages.
• With the updated New WhatsApp Privacy Policy, WhatsApp can now share one’s metadata - which is essentially everything beyond just the textual conversation - with Facebook and other apps coming under the parent company. Metadata is data of the data, provides description and context of the data, and helps to organize and understand it.

• India accounts for 400 million of the total 2 billion WhatsApp users and 310 million users on Facebook globally. Also, India is the first country for WhatsApp to launch payment services. It has received permission from Indian regulators to go live with 20 million users so far.
• Despite such a wide user base, India has been asked for forced consent only because India is in a dearth of stringent data protection laws.

Issues of WhatsApp New Privacy Policy:

• Almost 75% of cybercrimes such as child sexual abuse,
• terrorist radicalisation or financial crime or disturbance of law
• order with fake news,
• start with either phishing or social engineering attack through these messaging apps or social media.
• manipulating people in order to obtain confidential information such as usually tricking an individual into sharing crucial information such as passwords or bank information, or accessing a computer to secretly install malicious software.
• Countries such as the US have provided a safe harbour to these social media service providers via section 230 (c) of its Communications Decency Act, 1996. Such actions often make these platforms a breeding ground for crimes. Besides, it also makes a country’s sovereignty subject to the company’s policy which is a great anomaly.
• There are encrypted messages that nobody else can access. Encryption is beneficial but it is more about how a tool is utilised than just about a tool.

Data Protection

128 out of 194 countries had put in place legislation to secure the protection of data and privacy.

India: Although the Puttaswamy Judgment talks for privacy as a fundamental right, India for real, does not have a strict law or any specific provisions for the protection of an individual’s data. The Personal Data Protection Bill (PDP) that seeks to provide for the protection of personal data of individuals is still a debated topic in the Parliament of India.

Russia: The Russian Federation has separate legislations regarding Electronic Transactions and draft legislations for Consumer Protection as well as Privacy and Data Protection. The key legislation is Federal Law No. 15-FZ on Personal Data 2006 (the Personal Data Law), which is supplemented by numerous additional laws, regulations, and guidelines.

European Union: 43 countries in the European Union (out of 45) have legislation specifically for data protection. WhatsApp is legally bound to not share data with Facebook in the European Region because it’s a contravention of the provisions of the General Data Protection Regulation (GDPR) (UPSC PRELIMS 2019).

GDPR is a regulation in the European Union law on data protection and privacy in the European Union and the European Economic Area.

United Kingdom: The UK has separate laws for electronic transactions, consumer protection, privacy & data protection, and cybercrimes. In 2018, the UK's Information Commissioner’s Office (ICO) got WhatsApp to sign an undertaking in which it has committed publicly not to share personal data with Facebook in the future until the two services can do it in a way that is compliant with GDPR.

USA: The US has sector-specific data protection laws and regulations that work together with state-level legislation to safeguard American citizens’ data such as Federal Information Security Management Act (FISMA), NIST 800-171, etc.

Australia: The Privacy Act 1988 (Privacy Act) is an Australian law that regulates the handling of personal information about individuals.

How to Protect the Privacy

Implementation of the PDP Bill

• Prioritising privacy: The way forward is more user-privacy-centred apps.
• India’s Own Apps: India shall develop its own digital sovereignty and its own Apps. The Apps would agree to the nine privacy principles as mentioned in the AP Shah committee. The committee recommended an overarching law to protect privacy and personal data in the private and public spheres.
• Uninstalling the App is not a Solution: Deleting the App does not do it all, the data that already exists, stays with the company and will still be shared among the other Apps.

Pegasus Spyware issue

What Pegasus: It is a type of malicious software or malware classified as a spyware. It is designed to gain access to devices, without the knowledge of users, and gather personal information and relay it back to whoever it is that is using the software to spy.

• Pegasus has been developed by the Israeli firm NSO Group which was set up in 2010.
• The earliest version of Pegasus discovered, which was captured by researchers in 2016, infected phones through what is called spear-phishing – text messages or emails that trick a target into clicking on a malicious link.
• Pegasus infections can be achieved through so-called “zero-click” attacks, which do not require any interaction from the phone’s owner in order to succeed

Steps by India:

Cyber Surakshit Bharat Initiative: It was launched in 2018 with an aim to spread awareness about cybercrime and build capacity for safety measures for Chief Information Security Officers (CISOs) and frontline IT staff across all government departments.

National Cyber Security Coordination Centre (NCCC): In 2017, the NCCC was developed to scan internet traffic and communication metadata (which are little snippets of information hidden inside each communication) coming into the country to detect real-time cyber threats.

Cyber Swachhta Kendra: In 2017, this platform was introduced for internet users to clean their computers and devices by wiping out viruses and malware.

Indian Cyber Crime Coordination Centre (I4C): I4C was recently inaugurated by the government. National Cyber Crime Reporting Portal has also been launched pan India.

Computer Emergency Response Team - India (CERT-IN): It is the nodal agency which deals with cybersecurity threats like hacking and phishing.

Legislation: Information Technology Act, 2000 and Personal Data Protection Bill, 2019.

International Mechanisms:

International Telecommunication Union (ITU): It is a specialized agency within the United Nations which plays a leading role in the standardization and development of telecommunications and cyber security issues.

Budapest Convention on Cybercrime: It is an international treaty that seeks to address Internet and computer crime (cybercrime) by harmonizing national laws, improving investigative techniques, and increasing cooperation among nations. It came into force on 1^st July 2004. India is not a signatory to this convention.

EDITORIAL TH- A credible probe

The Centre must fully cooperate with the inquiry instituted by the SC on spyware use

• The Supreme Court order instituting an independent probe into the possible use of Israeli spyware Pegasus is an effective intervention to protect citizens from unlawful surveillance, as well as a stern rebuff to the Government’s attempt to cover up the issue by using the bogey of ‘national security.
• The 46-page order by a Bench headed by the Chief Justice of India, N.V. Ramana, stands out for the enunciation of two clear principles:
  • that surveillance, or even the knowledge that one could be spied upon, affects the way individuals exercise their rights, warranting the Court’s intervention; and
  • that there is no omnibus prohibition on judicial review merely because the spectre of national security is being raised.
• The Court deemed unacceptable the Government’s refusal to shed any light on a controversy that involves a possible violation of citizens’ rights and made it clear that national security considerations cannot be used by the state “to get a free pass”.
• The Court has approached the issue as one that raises an “Orwellian concern”, recognising that intrusive surveillance not only violates the right to privacy but also has a chilling effect on the freedom of the press.

What Gov said?

• The government resorted to a bold claim that illegal surveillance is not possible in India and that the disclosure of whether or not a particular software suite was used by its agencies would compromise national security.
• The Court is right in making it plain that any such concern or claim of immunity ought to have been substantiated on affidavit. What is quite appalling is that the Government was unwilling even to disclose what action had been taken after it admitted in Parliament in 2019 that it was aware of some WhatsApp users being targeted by Pegasus.

Conclusion

Its offer of ordering an inquiry on its own has been rightly rejected by the Court — it would command little credibility. The Court-supervised panel appears to have the required expertise and independence, but its success in unraveling the truth may depend on how much information it can extract from the Government and its surveillance agencies.

Editorial TH- Pegasus and Security

The Court’s acknowledgment that the allegations of snooping have some weight go a long way

• The Supreme Court’s recent record on civil liberties has not been inspiring, especially where the cryptic phrase ‘national security is uttered.
• The rationale has been that the government is best placed to assess the impact on national security as it is the one overseeing all intelligence agencies and enforcement efforts.
• The Court’s order on October 27 forming a committee to probe the use of military-grade spyware in India on Indian citizens was refreshing.
• It is telling that the order begins with a quote from George Orwell’s 1984. The allegations against the government were indeed Orwellian: at considerable expense, the government infringed the right to privacy of several leading journalists and politicians by deploying spyware on their phones to monitor all communications.
• There are even graver allegations that Pegasus was used to implant false documents and evidences on the devices of persons under surveillance.
• The government supposedly did so through a software named Pegasus whose developer, the NSO Group, purportedly sells it only to certain undisclosed governments and the end-user of its products are “exclusively government intelligence and law enforcement agencies”.

No filing of an affidavit

• The Constitution mandates that any restriction on the right to privacy must be through a valid law, be necessary to meet a legitimate purpose, and be proportionate, i.e., there is a proper balance to be achieved between that purpose and the harm caused by limiting the right.
• It is likely that the snooping, if any, through Pegasus may not be sanctioned by any law to begin with, else the government would have filed an affidavit to that effect as nudged by the apex court.
• Instead, the government has repeatedly relied on a Minister’s statement in Parliament denying the snooping allegations.
• Representations made in Parliament are generally protected by parliamentary privilege and consequences for false or misleading statements are rare. This is unlike an affidavit in court proceedings where such communication is punishable with imprisonment.
• The Supreme Court observed that there is a broad consensus between the government and the aggrieved petitioners that unauthorized surveillance/accessing of stored data from the devices of citizens for reasons other than the nation’s security would be illegal, objectionable, and a matter of concern.
• The only question that remained was whether such unauthorized surveillance and access of data had taken place in this case.
• To the surprise of no one, in the face of evidence of snooping produced by the writ petitioners themselves, the government resorted to the ritualistic incantation of ‘national security to avoid providing answers in the affidavit.
• The Supreme Court did not buy these omnibus assertions to desist from interference. It said national security cannot be the bugbear that the judiciary shies away from, by virtue of its mere mentioning.

Rightly, the Court observed that in a democracy governed by the rule of law, indiscriminate spying on individuals cannot be allowed except with sufficient statutory safeguards grounded in legality, necessity, and proportionality. Hence, where the government refuses to divulge the information sought, it is incumbent on the government to not only specifically plead the constitutional concern or statutory immunity but also justify the same in Court on affidavit.

The Information Technology-Guidelines for Intermediaries 2021

The Rules must be credited for they mandate duties such as:

• Removal of non-consensual intimate pictures within 24 hours,
• Publication of compliance reports increasing transparency,
• Setting up a dispute resolution mechanism for content removal,
• Adding a label to information for users to know whether the content is advertised, owned, sponsored, or exclusively controlled.

Guidelines Related to Social Media

• Grievance Redressal Mechanism: The Rules seek to empower the users by mandating the intermediaries, including social media intermediaries, to establish a grievance redressal mechanism for receiving resolving complaints from the users or victims.
• Intermediaries shall appoint a Grievance Officer to deal with such complaints and share the name and contact details of such officer. The grievance Officer shall acknowledge the complaint within twenty-four hours and resolve it within fifteen days from its receipt.
• Ensuring Online Safety and Dignity of Users, Especially Women Users

Two Categories of Social Media Intermediaries: To encourage innovations and enable the growth of new social media intermediaries without subjecting smaller platforms to significant compliance requirements, the Rules make a distinction between social media intermediaries and significant social media intermediaries. This distinction is based on the number of users on the social media platform

Additional Due Diligence to Be Followed by Significant Social Media Intermediary:

1. Appoint a Chief Compliance Officer who shall be responsible for ensuring compliance with the Act and Rules. Such a person should be a resident in India.
2. Appoint a Nodal Contact Person for 24×7 coordination with law enforcement agencies. Such a person shall be a resident in India.
3. Appoint a Resident Grievance Officer who shall perform the functions mentioned under Grievance Redressal Mechanism. Such a person shall be a resident in India.
4. Publish a monthly compliance report mentioning the details of complaints received and action taken on the complaints as well as details of contents removed proactively by the significant social media intermediary.
5. Significant social media intermediaries providing services primarily in the nature of messaging shall enable identification of the first originator of the information that is required only for the purposes of prevention, detection, investigation, prosecution, or punishment of an offense related to sovereignty and integrity of India, the security of the State, friendly relations with foreign states, or public order or of incitement to an offense relating to the above or in relation with rape, sexually explicit material or child sexual abuse material punishable with imprisonment for a term of not less than five years

Issues With the Rules

• Rules Ultra-vires to the IT Act: It is of significant concern that the purview of the IT Act, 2000, has been expanded to bring digital news media under its regulatory ambit without legislative action.
• There has been criticism about bringing in a plethora of new rules that ought to be normally triggered only via legislative action.
• Depriving of Fair Recourse: An intermediary is now supposed to take down content within 36 hours upon receiving orders from the Government. This deprives the intermediary of fair recourse in the event that it disagrees with the Government’s order due to a strict timeline.
• Undermining Free Speech: The rules place fetters upon free speech by fixing the Government as the ultimate adjudicator of objectionable speech online.
• Traceability Issue: Till now social media platforms have the immunity that users received from end-to-end encryption were that intermediaries did not have access to the contents of their messages.
• Imposing this mandatory requirement of traceability will break this immunity, thereby weakening the security of the privacy of these conversations. The threat here is not only one of privacy but to the extent of invasion and deprivation from a safe space.
• Counterproductive in Absence of Data Privacy Law: It could prove counterproductive in a country where the citizens still do not have a data privacy law to guard themselves against excesses committed by any party.