In early January, tech billionaire Elon Musk’s two-word tweet, ‘use Signal’, sent online folks into a hyperdrive—people rushed to download a messenger app that has been around for a few years, but till then was used by a small, niche set. In the debate over privacy that was touched off by WhatsApp’s new policy update over sharing certain data with its parent Facebook, Musk evidently provided the nudge for those considering a shift to another messenger service.
Here’s how some of the recent action in the messenger app landscape played out: Telegram was the most downloaded non-gaming app worldwide in January 2021, with over 63 million installs, according to the app tracking firm Sensor Tower. India, it says, figured at the top for Telegram installs, accounting for 24 per cent of them.
ALSO READ: War Of Angry Birds
Signal featured at number three on the list of most downloaded apps. Still, WhatsApp wasn’t too far behind either—coming in the top five after Facebook. It’s easily the leading instant messaging app in India, with a user base of 400 million as of July 2019. But, given the backlash from its proposed privacy update—which would allow Facebook to access data from chats with a business account—the new policy has been delayed until mid-May in a bid to placate concerns of users.
As Prasanth Sugathan, legal director at Software Freedom Law Centre India, puts it, the concerning factor in the case of WhatsApp wasn’t so much about the leakage of information—for sure, the messages and calls are end-to-end encrypted. In fact, WhatsApp uses the same cryptographic protocol developed by Signal. “But the question again comes down to why do they need to collect so much data about usage.” If privacy and security were the watchwords, shouldn’t data minimisation be the guiding principle, he argues.
“It’s a good thing that at least we have this discussion,” says Sugathan. It’s relevant to other apps as well, he points out. “If you go through the number of apps installed on your smartphone and the kind of access that they have to various kinds of information, it is definitely a problem.”
The broader context of these privacy discussions is that India’s data protection law is still a work-in-progress. The Personal Data Protection Bill introduced in Parliament in 2019 was referred to a joint committee which has been working on it through the past year—the committee’s report is keenly awaited and it could likely come up for discussion in the current session. Until a data protection framework is in place, says Sugathan, the scenario of a legal vacuum will linger.
ALSO READ: Made Of Tendentious Tripe
That a data protection law was long due isn’t in doubt. “The fact that we do not have it gives us the opportunity now to come up with some new innovations,” reckons Rahul Matthan, partner at Trilegal, a Bangalore-based law firm. That’s because concepts of privacy in the digital world are still only evolving, trying to keep pace with technology. “When I started working on privacy a decade ago, we didn’t have Big Data and just the ability to devise insights out of data was not even conceivable,” says Matthan. “Today, we need data for just about everything and tremendous benefits come out of it. But there are trade-offs to this and that is the challenge that Big Data has brought.”
ALSO READ: Rules Of The Game
The year-old draft bill, PDP 2019, was by and large aligned with Europe’s General Data Protection Regulation (GDPR), the current global standard for privacy, says Matthan. “To my mind, it didn’t do enough. In the sense that it could have done so much more.” Of course, that’s also keeping aside the draft bill’s most contentious provisions in Section 35, whose broad exemptions for government agencies have prompted concerns of creating a surveillance state.
What’s equally important today, argues Matthan, is to find alternatives to the way consent is being applied digitally—not merely as an upfront approval to a long set of privacy terms that aren’t just difficult to understand but which also attempt to cover every likely future scenario whether it unfolds or not. Rather, it should be geared towards a ‘just-in-time’ consent, like what’s being tried out in the financial world, suggests Matthan.
ALSO READ: Weapon Of Mass Seduction
The Niti Aayog last September put out a discussion paper on a Data Empowerment and Protection Architecture (DEPA)—a framework for data sharing in the financial sector. This architecture forms the consent layer on the stack of digital platforms that include Aaadhar and the Unified Payments Interface. The DEPA involves Account Aggregators, which is a new class of non-banking financial companies approved by the Reserve Bank of India—these account aggregators will function as consent managers by routing to the user every request for sharing financial data.
“The provisions of the 2019 draft had references to the concept of consent manager which no other law in the world has,” Matthan tells Outlook. “What we now have, with DEPA, is the ability to take that consent exactly when we need it only for that little piece we need it for.”
ALSO READ: Bird’s Eye Stew
Clearly, the arguments over consent, privacy and data protection are bound to get more complicated before they get untangled. “When you have more services added, that again becomes an attractive proposition to collect more data,” says Prasanth Sugathan.
But back to the WhatsApp update, which was earlier supposed to kick in by early February and has now been delayed to May. The company came out with explainers to clarify that its new policy of sharing data with its parent Facebook, didn’t change anything for private messages—individual or group chats with friends and family. And that it only pertained only to chats with business accounts. But even that latter part, it appears, isn’t fully clear yet.
Says Prashant Tandon, founder and CEO of the online pharmacy 1mg, “We are in the healthcare business and using WhatsApp as a communication platform is helpful for consumers. But we do have concerns if they want to analyse and process the data.” As Tandon explains it, the firm’s transactions are mostly through the 1mg app, but order updates currently go through SMS and email, depending on the customer’s preference. Given the sheer number of people using WhatsApp in India, it’s only logical to offer customers that messaging option as well. Since information on health is sacrosanct, Tandon says it is important to get full assurances on the scope of use of any data. “We were actively exploring expanding WhatsApp as a communication platform but are getting more concerned now, so we need to get these things sorted before we get involved,” says Tandon. “Now that it is deferred, there is more time for these discussions and conversations.”
WhatsApp messenger is still far ahead of the competition in India even if rivals like Signal and Telegram have got a huge bump-up in downloads this past month. Nikhil Pahwa, a digital rights advocate and founder of tech portal Medianama, says he has been on Signal for many years but barely had occasion to use it until recently when some of his group chats shifted to the platform. “I think companies need to realise that the number of users who care about privacy is increasing,” he says. Just the same, we could well be looking at a scenario of users toggling between multiple messaging apps, he reckons.
Looking back about a decade or so, Pahwa notes that there were a gaggle of messenger apps all keen to tap the emerging shift away from SMS at the time. “What gave WhatsApp an edge over other platforms at that time were two aspects—it kept the product extremely simple and reliable.” Reliability, he says, is still its core feature and the end-to-end encryption feature came in after its acquisition by Facebook in 2014.
“Even with these changes to the privacy policy, your messaging information is still private,” says Pahwa. The recent privacy policy about chats with a business account, too, don’t sound very different, on paper, from what other advertisement-targeting models do—case in point being emails mined for keywords, he reckons. And, as for WhatsApp sharing certain data with Facebook, that too started back in 2016. “But what has caused a worry and led to an impact on people is the fact that it served as a reminder that WhatsApp is sharing data with Facebook,” says Pahwa. “So, this reaction, to my mind, has been more a function of the company’s ownership. And let’s face it, Facebook is a company which from a privacy perspective not many trust.”
Indeed, WhatsApp’s recent explainers dwelt on these points—that it doesn’t keep logs of whom all its users are calling or messaging, that it can’t see the locations people share with others and that it doesn’t share contacts with Facebook. But clarity also needs to be upfront and not via blog posts, says Prasanth Sugathan. “It’s very difficult for any user to go through all this fine print,” he tells Outlook. “I mean, I don’t have to go though paragraphs and paragraphs to find out what my data is going to be used for.”
By Ajay Sukumaran in Bangalore