What started as a remarkable tale of cross-border love ended up as a warning against the extent of mass surveillance in India.

On Sunday, India deported a 19-year old Pakistani woman, Iqra Jeewani. Jeewani had eloped with an Indian man, and had been living in Bengaluru for four months. However, she was given away by the WhatsApp calls she was making back home to her family in Pakistan. Using this, Indian authorities were able to hone in on her.

The fact that Indian authorities were able to pinpoint and pick out a WhatsApp number from a city has led cybersecurity experts to infer that it is plausible that the metadata from the popular messaging platform is being used for mass surveillance. While WhatsApp encrypts user communication, several instances have now shown that it still collects enough data about its users to allow governments to mount highly effective surveillance and thus put user privacy at risk.

In surveillance cross hairs

Jeewani and Mulayam Singh Yadav, a 25-year-old from Uttar Pradesh, India, fell in love in 2019 while playing Ludo online, The Indian Express reported.

In 2022, deliriously in love and tired of living apart, Jeewani eloped and met Yadav in Nepal. From there, they crossed over into India and started living in Bengaluru where Yadav works as a security guard. Jeewani hid her real identity and Yadav reportedly got her a fake Aadhaar card under a different name.

However, their cross-border romance ran into trouble when Bengaluru police arrested Jeewani on January 23 for illegally entering India and forging her identity. Yadav was arrested for helping her. Jeewani was deported on February 19.

What eventually led to Jeewani and Yadav getting caught was not her fake identity but the WhatsApp calls she was making to her parents in Pakistan.

Jeewani’s WhatsApp calls back home caught the attention of central intelligence agencies, which passed on the information to Bengaluru police for investigation, The Indian Express reported, citing an unidentified investigating officer. The fact that calls to Pakistan were being made from the city raised an alarm with Bengaluru’s police at a time when the city was scheduled to host the Group of 20 meeting and the Aero India defence exhibition.

The police inquired into the matter and reported back to the intelligence agencies that while there was no security threat, they had identified an undocumented Pakistani living in India.

WhatsApp metadata used for surveillance?

Jeewani getting caught based on her WhatsApp calls has led cybersecurity experts to infer that it is plausible that WhatsApp’s metadata, which is not encrypted, is being used for mass surveillance. Encryption encodes messages on WhatsApp and makes it inaccessible to all parties, other than the sender and the receiver of the message.

While communication through WhatsApp is encrypted end-to-end, the metadata is not. “Metadata” refers to information about the user’s activity and the user, such as when a call was made between two persons, the user’s geographical location and her phone number. Unlike the contents of a message, metadata can be read by WhatsApp.

Rowenna Fielding, founder and director of privacy consultancy Miss IG Geek, told Wired in 2021 that metadata is a valuable tool to analyse connections among users. “When you look at metadata, it turns out a lot of the time you don’t even need message content, because patterns of activity tell you a lot about someone,” Fielding said.

What Jeewani’s deporting indicates is that Indian security agencies seem to be using this metadata from platforms such as WhatsApp for mass surveillance. “The establishment has been building the CMS [Central Monitoring System] since the Mumbai attacks [of 2008],” cyber security researcher Srinivas Kodali told Scroll. “It gives the security establishment access to a lot of traffic. With [messaging platforms] WhatsApp and Signal, they have been tracking peer-to-peer contact. They don’t know what you are talking but that this talk is happening.”

Kodali added, “They [agencies] are monitoring traffic continuously and getting alerts.”

Using metadata for surveillance is a technique other agencies across the world such as the United States’ Federal Bureau of Investigation also use, he pointed out.

Similarly, Anand Venkatanaryanan, the co-founder and cybersecurity lead of Delhi-based strategic think tank DeepStrat, wrote that Jeewani’s case shows that intelligence agencies can now not only undertake targeted monitoring of a given contact number but also conduct “generic” monitoring of WhatsApp using metadata.

For example, an alert would be triggered if the origin of a call is India and the destination is Pakistan, Anand tweeted on February 21. Kodali, however, said he was unsure if tracking was happening in a geographical area-specific manner, being limited to Bengaluru due to its heightened threat perception or applies to the entire country.

Anushka Jain, policy counsel at the Internet Freedom Foundation, emphasised that while it seems this happened possibly because of metadata, due to lack of information, the Indian public is unaware of the mechanisms by which this data is shared between the Indian government and WhatsApp. “WhatsApp collects and shares metadata with Meta, the parent company,” Jain told Scroll. “But we do not know if there is ongoing data sharing with the law enforcement agencies. We also do not know if there are standing instructions from authorities to flag any India-Pakistan calls being made.”

Jain added, “We can only hypothesise about it because this surveillance process is not transparent.”

The potential scale of this surveillance means that Indian citizens should be concerned about such data being shared and any kind of “excessive intrusion” into their privacy. “Why should the government know about these things?” Jain argued.

Credit: Dado Ruvic/Reuters
Credit: Dado Ruvic/Reuters

Metadata widely shared by platforms

Metadata is widely shared by platforms with law enforcement agencies globally, experts have previously pointed out.

An article co-authored by Anand in 2021 suggested that service providers, including messaging applications such as WhatsApp, share metadata with intelligence agencies and law enforcement in India, and such data is adequate for investigations.

In 2021, ProPublica, a United States-based non-profit investigative journalism website had reported that WhatsApp’s parent company had downplayed how much data it collects from its users, what it does with it and how much it shares with law enforcement authorities in the United States. “Some rivals, such as Signal, intentionally gather much less metadata to avoid incursions on its users’ privacy, and thus share far less with law enforcement,” ProPublica reported.

WhatsApp’s spokesperson had told ProPublica that the platform “responds to valid legal requests … including orders that require us to provide on a real-time going forward basis who a specific person is messaging”.

However, it is unclear if WhatsApp in India sticks to this American template or goes beyond it.

General Michael Hayden, the former head of the United States’ National Security Agency, had confirmed in 2014 – though not directly referring to WhatsApp – that the United States government uses communication metadata for surveillance. Hayden also said that metadata tells authorities “everything” about any person it is targeting for surveillance, making the need to collect the actual content of the communication superfluous. “We kill people based on metadata,” Hayden had said, adding that the practice is only used outside the United States.