Thursday 5th September 2019

The Balkanisation of the Internet Blog Series Part III – Brazil, India, and WhatsApp: A case study for tech decolonisation

The third part of our “Balkanisation of the Internet” series addresses policies in India and Brazil that are contributing to this process of Balkanisation. We will also be examining how this will impact businesses operating in these countries, particularly those invested in the growing markets for mobile phones and services. You can find the introduction to the series here, and the second part regarding the implementation of GDPR here.

Introduction

Brazil and India are two emerging powers driving the Balkanisation of the internet through data localisation and economic nationalism. Both are comparable in terms of their role on the global stage, the way in which internet access is increasingly dominated by mobile connections, and their vulnerability to misinformation through US mobile messaging applications such as WhatsApp, also favoured by cybercriminal networks in both countries. This reliance on mobile apps that can facilitate the spread of disinformation means that special provisions will be made to regulate companies, with an increasing preference for local competitors – effectively decolonising the tech industry. This is another aspect of the Balkanisation of the internet, as local competitors increasingly challenge US tech giants, despite the domestic companies’ relative lack of maturity. These tech decolonisation policies bring a host of challenges for businesses that wish to invest or operate in these countries.

Brazil’s new laws and struggle with disinformation

Material leaked by former NSA contractor Edward Snowden in 2013 revealed the extent of US espionage targeting Brazil, and contributed to its decision to reduce its dependence on Washington. President Rousseff introduced the 2014 Marco Civil da Internet law, which granted the government the power to block apps and websites that do not comply with data requests. This was followed by the 2018 General Data Protection Law, which is similar to GDPR in its coverage of data localisation and consumer protection, though it lacks a mandatory breach disclosure component.

Companies like WhatsApp are being increasingly challenged by this regulation. The app became a vector for disinformation during the 2018 Brazilian election, with tools sold by cybercriminals online enabling the sending of up to 300,000 messages at a time. However, a January 2019 cap on message forwarding was criticised by Brazilian president Jair Bolsonaro, who tweeted out that there would be a shift to ‘alternatives’ that will facilitate what proved a successful campaigning tactic.

The Brazilian government has also demanded WhatsApp weaken its encryption to facilitate the tracking of disinformation. Marco Civil’s provisions allowed for multiple government bans of WhatsApp for failing to comply with these demands for decryption. This is despite the fact that 96% of Brazilians with access to a smartphone use it as a primary means of communication. These demands also clash with WhatsApp’s widespread use by businesses to process payments and interact with customers – potentially threatening its presence in the Brazilian market.

We estimate that a host of home-grown apps and services will compete for this potential new market share if WhatsApp is pushed out through these tech decolonisation policies, such as NuBank for mobile payments, and Vindi or Nibo for enterprise messaging and payment systems. Consequently, a shift of the Brazilian consumer base towards domestic alternatives will further increase the number of threat vectors and actors, as domestic cybercriminal networks will find ways to exploit alternatives to WhatsApp. Brazil’s thriving domestic cybercriminal landscape has a history of adapting to target domestic-only software and systems. For example, cybercriminal gangs have prolifically targeted the Boleto Bancario payment method exclusive to Brazil, used by consumers for business-to-business payments. This ‘Bolware’ is estimated to have netted criminal organisations billions of dollars.

India’s tech decolonisation

Since 2014, India has increasingly enforced data protection laws and economic nationalism policies that threaten the domination of US tech giants such as Facebook and its subsidiary, WhatsApp. With an estimated 400m users, WhatsApp currently dominates the Indian mobile market for messaging and peer-to-peer payments. However, as in Brazil, the application has become a vector for misinformation. Rumours spread on WhatsApp groups with hundreds or thousands of members have been blamed for the deaths of 33 people through mob violence in 69 different incidents.

The government has called for stronger regulation and has asked WhatsApp to facilitate investigations by making these messages traceable – which clashes with the platform’s end-to-end encryption model. Efforts to dilute this may threaten WhatsApp’s operating model, and will likely boost India’s emerging cybercriminal sphere. According to a 2019 Symantec report, over the last five years in India there has been a 457% increase in cybercrime, and India ranks third globally in terms of the number of cybercriminals living in the country. The Indian economy is increasingly reliant on mobile payments, with the rise of domestic payment apps such as Tapzo, TMW, Kitecase, Paytm, and Oxigen. Some estimates suggest that 68% of India’s hard currency has been taken out of circulation in favour of mobile payments. To emulate China’s success with companies like Alibaba, Huawei and Baidu, Prime Minister Modi has started promoting tech decolonisation policies, aiming to replace US behemoths with homegrown companies. However, WhatsApp’s potential replacement by these local mobile payment apps that abide by weaker encryption standards and data localisation laws may threaten millions of Indian consumers and businesses who rely on the security of these peer-to-peer payment platforms, and create a greater attack surface for domestic cybercriminal networks. These domestic criminals have proven adept at targeting specialised entities and systems, such as the Aadhaar system, which contains both the demographic and biometric data of Indian citizens and has faced consistent attempts from cybercriminal groups.

Conclusion

These policies will not only lead to a further Balkanisation of the internet, but are a boon for cybercriminals, as WhatsApp and Facebook’s monopolies are challenged by a plethora of homegrown apps and start-ups with support from government legislation. We estimate that there will be an increased number of mobile data breaches and heightened use of mobile banking trojans in these countries, as well as an exponential growth of attack vectors and threat actors.

The next blog post in our “Balkanisation of the Internet” series will assess Russia’s increasingly distinct domestic internet, before concluding with an assessment of the trajectory of developments in China.

 
