security india

The Indian government has launched its own messaging app. (Photo by ARUN SANKAR / AFP)

India’s Sandes takes on WhatsApp, citing security and misinformation concerns

As details of the effects of the Pegasus spyware saga continue to shock the world, countries like India are actively investigating security allegations that have surfaced.

But even before India was alleged to have used the spyware to spy on political leaders and other humanitarian personalities, the subcontinent had already begun implementing stricter rules on the use of technology, especially on social media apps.

In May this year, India implemented new laws governing the use of social media in the country. It saw applications like WhatsApp, Facebook and Google relook their approach for doing business in the country.

Last year, India banned about 50 Chinese-based apps including social media giant TikTok over security concerns. Most of these apps have left the Indian market but some are gradually returning, after incorporating changes requested by the government.

WhatsApp, which was also one of the entry points used by Pegasus to track its victim, has long been a security concern in India. With over 500 million users in India, the government has requested the app-maker to make several changes over the years and now look towards a new approach to solve the problem.

india security

The Indian government has launched its own messaging app. (Photo by Sajjad HUSSAIN / AFP)

Last week, the Indian central government launched Sandes, an instant messaging platform that works like WhatsApp. Available on Google Play Store and Apple’s App Store, the app is being touted as India’s answer to a secure messaging platform.

According to reports, the app was developed in India and is currently being used by government employees and linked agencies. Users only need a valid mobile number and email ID to work. Sandes is also integrated with NIC email, DigiLocker, and e-office.

“Sandes is an open source-based, secure, cloud-enabled platform. It is hosted by the government and on government infrastructure, ensuring the control remains with the government only. Sandes boasts features such as one-to-one and group messaging, file and media sharing, audio-video call, and e-gov application integration,” said Rajeev Chandrasekhar, Minister of State for Electronics and IT, India.

Traceability… or privacy?

In 2018, India proposed that WhatsApp make its messages traceable, especially at a time where false information was circulating a lot in India, resulting in extreme circumstances including losses of lives. These traceability requirements have now been included in India’s new IT rules.

The law also required social media firms to appoint local officers to address on-ground concerns as well as be given the power to take down posts deemed offensive.

Citing privacy concerns, WhatsApp decided to sue the Indian government in a Delhi court. The IT Rules 2021 has even affected other social media platforms such as Twitter.

At the same time, WhatsApp also announced that it has blocked two million accounts in India for violating the limits of the number of times messages can be forwarded in India.

Using advanced machine learning technology, the submissions were made as part of its first monthly compliance report under the nation’s new IT rules. WhatsApp bans around eight million accounts monthly worldwide.

Another tech giant, Google, has also expressed commitment to complying with India’s new IT rules and local laws.

Can traceability co-exist with end-to-end security?

Whilst the Indian government touts “end-to-end security” for Sandes, it contradicts their stance that messages ought to remain traceable under the new laws.

If the content on a messaging app is to be traceable, the approaches taken to identify the information of the sender would require third-party access.

The Internet Society explores several possible approaches, but the consensus amongst cybersecurity experts is that end-to-end protection and traceability are inconsistent and cannot co-exist — at least, not with current methods.

Furthermore, there is doubt that the approaches listed could be reliably used to attribute a message to its originator.

Experts say that third-party access methods would break end-to-end encryption by enabling third-party access to content, and weaken the security and privacy protections for users.

While it is uncertain how the uptake of Sandes will be in the subcontinent in the weeks to come, the government is taking a strong stance on making sure they have sufficient visibility on content to ensure there is minimal offensive content, prevent abuse and misinformation.