Jammu: Even though social media apps that allow peer-to-peer communication are strictly barred as part of the broader restrictions on Internet connectivity in Jammu and Kashmir (J&K), Mukesh Ambani-owned JioChat has been included in the government-approved white-list of 301 ‘websites’ that work on 2G networks in the Union Territory.

Over the last month, the J&K administration has restored partial Internet connectivity in a phased manner, with the latest orders on Friday evening restoring 2G services throughout the UT.

However, the home department order states that there would be a complete restriction on social media applications allowing ‘peer-to-peer’ (person to person) communication and virtual private network applications for the time being.

This has raised questions about JioChat which – while maybe not a traditional social media application like Facebook or Twitter – not only allows video-calling and voice-calling but also group conversations with a 500-member limit.

No other social media or chat application has been allowed. This includes WhatsApp, Telegram, Signal and Hike.

As per the order, one of the primary reasons for the Internet shutdown is that “anti-national elements” are trying to spread fake news and targeted messages over the Internet. The government has also argued that the shutdown is necessary to block communication between militants.

The operative paragraph reads as follows:

“Whereas the police authorities have brought to notice material relating to the terror modules operating in the UT of J&K, including handlers from across the border, and activities of separatists/anti-national elements within who are attempting to aid and incite people by transmission of fake news and targeted messages through the use of internet to propagate terrorism, indulge in rumour-mongering, support fallacious proxy wars, spread propaganda/ideologies, and cause disaffection and discontent.”

In this context, the order appears to advocate a complete blockade of apps that provide a Voice Over Internet Protocol (VoIP) function and more broadly any form of encrypted or mass communication. That is the reason why all social media networking sites such as Facebook, Instagram, Twitter along with social media applications allowing peer-to-peer communication such as WhatsApp, Signal, Telegram etc have been barred.

But JioChat, which is essentially a video calling app available on Android, iPhone and JioPhone, has been allowed and is classified under the category “Utilities” on the whitelist. JioChat allows one-to-one chat options as well as group chat wherein one can create large groups up to 500 members. WhatsApp restricts its group to 256 members.

Technology experts have over the last week wondered how an app like JioChat – merely the name of the Reliance Industries application is on the list – would find itself on a list that otherwise consists of only websites.

As a video shot by this reporter below shows, JioChat functions normally under 2G networks in J&K, but WhatsApp does not. However, because the app stores for both Android and Apple don’t work, only pre-existing JioChat users in J&K can use the service. Non-users, therefore, cannot download the app and start using it. Market analysts claim that JioChat would have a 400 million-strong user-base by March 2020, but it’s unclear how many of these are daily or active users.

﻿

Encryption or no?

Another important question is whether JioChat provides end-to-end encryption, a feature that WhatsApp uses as a marketing point. Reliance doesn’t appear to give any information about encryption or the duration for which messages are stored on their server in their privacy policy.

One news report from April 2017 had claimed that JioChat secures its messages with QuArKStechnology for end-to-end encryption, but The Wire could not independently verify this.

Hike, which is also developed in India and owned by telecom giant Bharti Airtel gives an option of end-to-end encryption as an added layer of privacy to its users. But even there, it is an opt-in feature and works only when the device is connected to WiFi.

This does raise a question over why JioChat was chosen to be on the list of whitelisted websites and applications over other applications. If it was a lapse on the part of the administration, the same continued when the list of white-listed websites was modified to include approximately 55 news websites in its latest order on Friday.

The privacy policy of JioChat reads:

“Personal Information will be kept confidential to the maximum possible extent.” “[Jio] may provide your information or data to its partners, associates, advertisers, service providers or other third parties to provide, advertise or market their legitimate products”. It doesn’t specify whether the shared information is personal information or Non-Personal information.

Furthermore, the privacy policy states:

“The Company uses reasonable security measures, at the minimum those mandated under the Information Technology Act, 2000 as amended and read with Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, to safeguard and protect your data and information.”

The IT Act 2000 which the company adheres to as its “minimum security measures” has a controversial Section 69 which allows intercepting of any information and asking for information decryption if “it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence”.

To refuse decryption is an offence punishable with imprisonment up to seven years and a possible fine. This section has laid the ground for surveillance when Ministry of Home Affairs in December 2018 authorised ten Central agencies to intercept, monitor, and decrypt “any information generated, transmitted, received or stored in any computer.”

Also Read: Data Services on Low Speed 2G Restored Across J&K, Some News Sites Now ‘Whitelisted’

As for JioChat, the user accepts the risk of sharing unencrypted information when they use the app since another clause in the privacy policy states: “You accept the inherent security implications of providing unencrypted information over Internet/ cellular/data/ Wi-Fi networks and will not hold the Company responsible for any breach of security or the disclosure of personal information unless the Company has been grossly and wilfully negligent.”

Mukesh Ambani’s Reliance has also supported recent efforts of the Centre to support tracing the origin of messages to curb fake news, even if it means breaking encryption.

According to a 2015 report by NewsLaundry, Anonymous India – a hackers’ group – had also raised serious questions about the app’s security features saying that “there is no encryption of users’ personal data in the application.” The group also alleged that Jio Chat uses a Chinese mapping service, Amap, instead of Google Maps, the industry-standard. This too, according to Anonymous India, is not encrypted. The lack of encryption, the group claims, could lead to mass surveillance.

It is imperative to mention that “acts of government, computer hacking, unauthorized access to computer data and storage device” have also been mentioned as things that the company shall not be held responsible for in case of damage or misuse of your information as it will be considered a “Force Majeure Event” that is beyond the reasonable control of the company.

As the latest order mentions that the whitelisting of sites will be a continuous process it is yet to be seen whether JioChat remains on the list or not.

Pallavi Sareen is a journalist based in Jammu and Kashmir. She is the editor-in-chief of Straight Line and can be contacted at pallavisareen99@gmail.com