The Indian government wants platforms like WhatsApp to identify the originator of messages, a move that WhatsApp says could break its end-to-end encryption security, jeopardising the sanctity of private communications on its platform.
Caught between secure and anonymous conversations on the internet on one side and addressing issues like threats to national security and misinformation on the other, this tussle throws up challenges from both technological and ethical standpoints.
Here’s an explainer.
What is end-to-end encryption and what does the Indian government want messaging platforms to do?
In simple terms, end-to-end encryption ensures that messages, calls, photos, and videos shared on messaging platforms can only be accessed by the sender and the receiver. This means that even WhatsApp and Signal, for instance, can’t see the messages users share on their platforms.
According to India’s social media rules, messaging services with more than 5 million users in India, like WhatsApp and Signal, need to enable the identification of the first originator of a particular message. This provision is colloquially called ‘traceability’.
To be sure, the Indian government does not require these platforms to break their end-to-end encryption per se. The government is clear on what it wants: to know who sent a particular message on a messaging platform. But it does not specify how that can be achieved, and has left it to the platforms to figure out.
However, technical and legal experts believe that enabling traceability without breaking or at least undermining end-to-end encryption will not be possible, and that undermining encryption for one person will make every other person on these platforms vulnerable.
Is traceability possible on platforms like WhatsApp and Signal without breaking end-to-end encryption?
According to Steven M. Bellovin, a noted cryptographer who teaches computer security at Columbia University, enabling traceability on platforms like WhatsApp and Signal is not technically possible.
“It depends on what you're trying to trace. To some extent, metadata—who talked to whom, and the length of included media—is a substitute. But if you want to look at content, no,” Bellovin told Entrackr.
Have technical solutions to enable traceability been proposed? Do they pass muster?
In 2019, while a case on the identification of a message’s originator was being heard at the Madras High Court, Dr V. Kamakoti, a professor at IIT Madras, proposed that WhatsApp could add a tag about the originator to every message.
However, in response to Kamakoti’s proposal, another IIT professor, Manoj Prabhakaran, told the court that it may be difficult to address the issue of impersonation that is likely to arise out of Kamakoti’s proposal.
Where does national security fit in?
“In the Parliament attack case, one of the accused was in constant touch with a terrorist. Now what was told by the court was that this call between these people doesn’t mean anything in itself, what is important is the content of the call,” Inspector General of Maharashtra Police Brijesh Singh told Entrackr when asked why it might be important to get hold of the content of communications and who sent it.
Singh explained that if a bank fraud takes place, the police get access to details about the transactions and the same applies to unlawful content shared on end-to-end encrypted platforms too. “If you and I are talking and something happens, it is not sufficient proof that you and I were in cahoots just because we were talking,” he said. “We need to know what was shared”.
“Do you want a pedophile or a terrorist or a drug dealer to go scot free because a lawless space has been created to which the police don't have access? During the British rule, criminals after committing a crime used to run away to some princely states who used to harbour criminals,” Singh said.
“With traceability the government wants to prevent digital harboring of criminals and it should be noted that there are provisions in the Indian Penal Code which criminalise harbouring of criminals or impeding their apprehension,” Singh added.
Singh also clarified that the government isn’t against encryption security. “The government is absolutely in favour of encryption. Encryption is important from a national security perspective as well. All it is asking is for these platforms to create a way for us to get to know the originator of a message,” he said.
Bellovin said that in the early 1970s when there was almost no private use of encryption, the US and the Soviet Union were negotiating a large grain deal, and representatives of the latter were from an arm of their government, fully supported by intelligence agencies. Soviet intelligence worked out how to eavesdrop on the phone calls of the American negotiators, thus learning the negotiation positions.
“Eventually, US intelligence learned of this, which made people realise: ordinary commercial calls have national security significance, too,” he said. “Weakening encryption weakens all communications security,” he added.
Then there are tools like Israel-based NSO Group’s Pegasus that can potentially be used to compromise the security of entire devices, including encrypted communications. The malware has been used against activists among others, including in India, and so we know that the encryption per se, as promised by WhatsApp, is not foolproof.
Pegasus was used to exploit a since-fixed vulnerability in WhatsApp, and the latter sued the NSO Group because it was used to target 1,400 of its users, which mainly included civil liberties activists.
How does WhatsApp assist law enforcement agencies in investigations?
For law enforcement purposes, WhatsApp says it may collect information about how some users interact with others on its platform among other things. This is called metadata.
However, according to Singh, there are many cases currently unsolved because criminals have “found a safe harbour on these encrypted platforms” and the police cannot reach them because of the “warrant proof” structure of the encryption technology used by these platforms.
But according to Tarunima Prabhakar, co-founder of Tattle Civic Technologies which works on reducing misinformation on WhatsApp, law enforcement agencies can rely on a lot of publicly available data for investigations.
“On any given day search for chat.whatsapp.com on Twitter and the most popular tweets would be linked to pornographic WhatsApp groups. Tracking these groups is tedious work, but if researchers can do it, so can LEAs [law enforcement agencies],” Prabhakar told Entrackr.
“Also we've seen now in multiple cases that LEAs can simply seize a person's device and access conversations from a device at rest. So they have the legal and technical means to access the device of someone they suspect,” Prabhakar said.
Bellovin echoed the same sentiment: “Other than metadata, you can't [trace originator or messages], unless you've (lawfully) seized a suspected endpoint. Once you've done that, you can do a forensic analysis”.
Singh, however, said that seizing devices to decrypt information has limited value. “If a mob lynching has happened how many devices do you expect the police to seize to decrypt messages on it?” he asked.
Singh also said that law enforcement agencies may need information on encrypted platforms beyond the scope of investigating circulation of child sexual abuse material as well. “End-to-end encrypted platforms should assist in all types of crimes be it the circulation of objectionable images or a murder. Why should we classify victims? Does one type of a victim have fewer rights than another type of a victim?” Singh asked.
What does all this mean for users’ rights?
According to Katitza Rodriguez, policy director for global privacy at the US-based digital rights group Electronic Frontier Foundation or EFF, if traceability is enforced upon end-to-end encrypted messaging platforms it could lead to a new type of mass surveillance.
“WhatsApp has to keep records a priori (preemptively) of every originator to comply with a requested order in a later stage. Such a mandate is an inherently disproportionate measure that forces companies to redesign their systems,” Rodriguez told Entrackr.
According to Apurva Singh, volunteer legal counsel at the Delhi-based digital rights group SFLC.In, WhatsApp and Signal will have to act against the principles of “data minimisation” if traceability is enforced. Traceability would also take away the right to anonymity afforded by end-to-end encrypted platforms, she added.
Singh believes that enforcing traceability could also jeopardise confidential or privileged conversations.
WhatsApp labels if a message was forwarded many times. Does that impact its end-to-end encryption?
No. EFF’s Rodriguez explained why not: “WhatsApp found a way to discourage massive chain forwarding of messages without knowing the content, by having the app note the number of times a message had been forwarded inside the message itself, so that the app can then change its behavior based on this. Since the forwarding count is inside the encrypted message, WhatsApp (the company) doesn’t see it and doesn’t detect it with regard to any message”.
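The mechanism Rodriguez describes can be sketched in a few functions. This is an added example, not WhatsApp's code: the JSON payload layout, the function names, the random per-chat keys standing in for real key agreement, and the threshold of 5 are all assumptions made for illustration.

```javascript
// Added illustration, not WhatsApp's implementation.
const nodeCrypto = require("node:crypto");

const MANY_TIMES = 5; // assumed threshold, not stated in the article

// Sender's app: the counter is part of the plaintext, so it is encrypted with the text.
function seal(key, text, forwardCount) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const body = JSON.stringify({ text, forwardCount });
  const ct = Buffer.concat([cipher.update(body, "utf8"), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Recipient's app: decrypts, then decides locally whether to show the label.
function unseal(key, env) {
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, env.iv);
  decipher.setAuthTag(env.tag);
  const body = Buffer.concat([decipher.update(env.ct), decipher.final()]);
  const msg = JSON.parse(body.toString("utf8"));
  return { ...msg, manyTimes: msg.forwardCount >= MANY_TIMES };
}

// Forwarding happens on the device: decrypt, add one, re-encrypt for the next chat.
function forward(inKey, env, outKey) {
  const msg = unseal(inKey, env);
  return seal(outKey, msg.text, msg.forwardCount + 1);
}

// What the relaying server handles: routing metadata plus opaque bytes.
function serverView(from, to, env) {
  return { from, to, size: env.ct.length, payload: env.ct.toString("latin1") };
}

// Constructed sample: one message forwarded along a chain of `hops` chats.
function demoChain(hops) {
  let key = nodeCrypto.randomBytes(32); // stand-in for a key agreed between two users
  let env = seal(key, "constructed sample message", 0);
  const relayed = [serverView("user0", "user1", env)];
  for (let i = 1; i <= hops; i++) {
    const nextKey = nodeCrypto.randomBytes(32);
    env = forward(key, env, nextKey);
    key = nextKey;
    relayed.push(serverView(`user${i}`, `user${i + 1}`, env));
  }
  return { received: unseal(key, env), relayed, lastEnvelope: env, lastKey: key };
}
```

Because the counter sits under the same authenticated encryption as the text, a relay that alters even one byte of the ciphertext causes decryption to fail on the recipient's device, so the relay can neither read nor rewrite the count.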
If not WhatsApp, then who?
Signal and Telegram are two of the most popular alternatives to WhatsApp, but their encryption systems are different.
In cryptography circles, Signal is usually considered to be the gold standard for private communications as it collects very limited metadata and only shares the date on which an account was created and its last connection date with law enforcement agencies.
Signal was co-founded by Brian Acton, who had also co-founded WhatsApp but left the company in 2017, a few years after Facebook acquired WhatsApp.
Telegram offers end-to-end encryption for personal messaging, but not as a default setting. By default, Telegram encrypts data only between a user’s device and Telegram's server. Also, unlike WhatsApp and Signal, group chats on Telegram are not end-to-end encrypted.