
Government’s Demand for traceability vis-a-vis WhatsApp’s Encryption: Could they co-exist?

The government intends to implement ‘hash keys’ to assist in tracing the originator of a specific post or message, with the goal of reducing fake news, child sexual exploitation content, and criminal coordination and execution on social media channels. WhatsApp, on the other hand, is concerned that this move would compromise its end-to-end encryption functionality, which prevents WhatsApp from reading or storing messages on its servers. As a result, WhatsApp and the government have reached a gridlock.

Introduction

The introduction of the Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021,[1] which include traceability to the first originator of a flagged communication, has led the Indian Government to demand intervention in the encryption of the instant messaging service WhatsApp. The government is considering implementing “Alphanumeric Hashing”, which would aid traceability in the event of illegal activity. WhatsApp, operated by Facebook, has 400 million users in India and has so far refused requests to trace the sources of flagged messages,[2] citing the inviolability of its privacy policies while also stating that it is unable to offer traceability due to a lack of suitable technologies. The Indian Government, on the other hand, has remained firm in its demand for conformity with what it refers to as a “law and order” requirement.

The point of contention among technical experts and policy builders lies in how the hashing works. Hashing is the process of converting a string of characters, which may contain letters or numbers, into a fixed-length key that represents the original string. If WhatsApp does implement the proposed scheme, each message received on the platform will generate a unique hash key made up of the letters A through Z and the numbers 0 through 9. The company would then be able to trace the message back to its roots. However, end-to-end encryption would collapse, giving the corporation access to the messages received. The government, in turn, would be able to approach the corporation to trace the first originator of a message in cases of rumors and fake news. Hence, the challenge is to decide which is indispensable: the individual right to privacy, or the national security interest in deterring hate speech and fake news.
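The hash-based tracing described above, as an added illustration that is not from the article or from any published specification of the proposal. It assumes SHA-256 rendered in base 36 (0 to 9, A to Z) and a hypothetical provider-side log, with constructed sample messages; it shows the trace working and two privacy costs: a guess about message content can be confirmed from the hashes alone, and people who typed the same text independently are linked to one "originator".

```python
import hashlib
import string

ALPHABET = string.digits + string.ascii_uppercase   # 0-9 and A-Z
HASH_LEN = 50   # 36**50 > 2**256, so 50 symbols hold any SHA-256 digest


def alnum_hash(message: str) -> str:
    """Fixed-length A-Z/0-9 key for a message (assumed: SHA-256 in base 36)."""
    n = int.from_bytes(hashlib.sha256(message.encode("utf-8")).digest(), "big")
    symbols = []
    while n:
        n, r = divmod(n, 36)
        symbols.append(ALPHABET[r])
    return "".join(reversed(symbols)).rjust(HASH_LEN, "0")


class ProviderHashLog:
    """Hypothetical provider-side store: it holds hashes only, never plaintext."""

    def __init__(self):
        self.rows = []   # (timestamp, sender, message_hash)

    def record(self, timestamp: int, sender: str, message: str) -> None:
        # Assumption: the sending client hashes the text before encrypting it.
        self.rows.append((timestamp, sender, alnum_hash(message)))

    def first_originator(self, message_hash: str):
        """Earliest sender of this hash: the trace the proposal asks for."""
        matches = [row for row in self.rows if row[2] == message_hash]
        return min(matches)[1] if matches else None

    def who_sent(self, guessed_text: str):
        """Anyone holding the log can test a guess about message content."""
        target = alnum_hash(guessed_text)
        return sorted({sender for _, sender, h in self.rows if h == target})


def demo():
    log = ProviderHashLog()
    # Constructed sample traffic (names, times and texts are made up).
    rumour = "Bridge on the highway has collapsed, avoid the route"
    log.record(1, "asha", rumour)
    log.record(2, "bala", rumour)             # forward of asha's message
    log.record(3, "chitra", rumour)           # forward of bala's message
    log.record(4, "dev", "Good morning")      # typed independently
    log.record(5, "esha", "Good morning")     # typed independently
    log.record(6, "farid", "Union meeting at 6 pm, room 12")
    return {
        # Works as intended: the forward chain resolves to its first sender.
        "traced": log.first_originator(alnum_hash(rumour)),
        # esha never received dev's message, yet dev is named her "originator".
        "good_morning_originator": log.first_originator(alnum_hash("Good morning")),
        # Content confirmed without decrypting anything.
        "confirmed_senders": log.who_sent("Union meeting at 6 pm, room 12"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```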

The encryption protocol differs across messaging service platforms. WhatsApp remains committed to offering its users end-to-end encryption, claiming that withdrawing it breaches users’ privacy and contradicts India’s fundamental right to privacy. Telegram supports end-to-end encryption only in its secret chats feature; the company has confirmed that it has shared zero bytes of data with third parties or any governments to date.[3] Signal uses the open-source Signal Protocol as its encryption service to implement end-to-end encryption; it also encrypts metadata, offering multiple levels of security.[4]

Source: Forbes India: Can traceability and end-to-end encryption co-exist? Here’s the legal view

Technical & Policy Experts’ Opinion

Following the demand, both parties to the dispute have made several claims highlighting their stance. The Government of India relied on the IT Act[5] and the subsidiary IT Rules 2021[6] to claim traceability. However, several technical experts and policy builders did not agree with the claim; they highlighted the underlying dilemma of the demand and advised against breaking the encryption. Some of them offered alternative solutions as well.

A point of caution is that hashing will jeopardise cybersecurity while also leaving the first-originator dilemma unsolved. To begin with, the company will be able to view the messages; moreover, if the administration can track down the first sender (originator) of a message, so can the businesses.[7] Another dilemma that originates from the hashing process is the serious consequences for the constitutional right to free expression and privacy. This issue becomes especially pressing in the case of communication with foreign nations, which would result in a breach of international human rights commitments, particularly because no democratic government in the world has taken such a drastic step, that is, to effectively ban end-to-end encryption.[8] Moreover, the usage of hashes not only raises questions about privacy, stability, and economics but also radically alters the technical infrastructure on which messaging services operate on a global scale, as presently they have very little storage.[9]

The negative effects of cracking encryption were established in the Supreme Court cases of Facebook Inc. v. Antony Clement Rubin[10] and WhatsApp Inc. v. Janani Krishnamurthy,[11] which included loss of individual privacy. Nevertheless, countering child sexual abuse material is a must, for which the government has to form a robust plan of surveillance with WhatsApp’s cooperation.[12]

However, creating such a database for investigation, metadata, or social mapping can make the overall system vulnerable to cyberattacks, as the data has to be kept for a longer time to form a pattern. The challenge now is to find a solution that allows traceability without cracking end-to-end encryption. The alternative, as proposed in the Madras High Court, is digital signatures. This process asks for marking the message with its originator’s phone number and showing it every time the message is forwarded.[13] This would allow traceability while ensuring that end-to-end encryption is not broken, as the originator details are kept encrypted and shall be decrypted only once a court order is received.

However, another challenge here is the spoofing of identity: tracing the first originator and raising a liability against him or her cannot fulfill the “beyond any reasonable doubt” requisite for criminal action, as it could implicate innocent users or a user who was spreading the message to raise visibility, or a cybercriminal could enter and use the ecosystem to frame innocent users. To prevent this “doubt”, one has to develop Artificial Intelligence, which these companies are largely doing voluntarily; however, such models are vulnerable to errors as well.[14]

A possible comparison to this demand of the government is Section 230 of the draft Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act of the United States,[15] which is a bait-and-switch to penalize companies that ensure privacy and data security.[16] The draft act is arbitrary and a sneaky move to remodel the Communications Assistance for Law Enforcement Act,[17] and to further condemn end-to-end encryption, providing backdoor access for mass surveillance.

Such a possible threat caused by traceability was questioned in October 2019 by WhatsApp and its parent company Facebook, which sued NSO Group Technologies under the US Computer Fraud and Abuse Act (CFAA), alleging it had developed software that infected 1,400 target devices with malware. NSO is an Israeli technology firm whose spyware, called Pegasus, enables the remote surveillance of smartphones; it has allegedly been hacking human rights activists and journalists and planning espionage against Pakistan, and was recently claimed to have aided Saudi Arabia in the murder of Jamal Khashoggi. NSO’s software was allegedly also used to target Indian journalists, activists, lawyers, and senior government officials,[18] by surveilling them for a two-week period during the 2019 National Elections of India.

Hence, given the gravity of the situation, the advocacy against traceability and the removal of end-to-end encryption can be justified. An alternative must be chosen in which the government’s traceability demand can be met without granting it such a free hand in surveillance. However, it is essential to delve into the government’s stance behind this demand: the national security, fake news, and hate speech concerns.

National Security, Fake News & Hate speech Concerns of Government

Traceability, the ability to trace down the originator of a certain piece of content or post, is at the heart of India’s controversy over the laws governing internet portals and communications providers.[19] Since the release of the draft IT Rules in 2018, a hurdle for the demand for traceability has surfaced. It describes traceability to “trace out of such originator[20] of knowledge on its platform.” Moreover, if no information is given, the amendment rules will hold the internet website or service provider liable for the content shared by their users.

The government explained that WhatsApp is only required to store the hash of a message so that it can be traced back in the event of a law-and-order situation. It also said that a network as large as WhatsApp could not function without any kind of transparency. Moreover, it explained that the IT Act[21] allows businesses to decode communications if and when requested by the government; however, this clause has never yet been applied. Wide social intermediaries must also provide voluntary consumer authentication and appoint nodal grievance and enforcement officers posted in India, according to the government.

However, though the demand intends to curb fake news, prevent child sexual abuse material, and avoid the perpetuation of crimes on such platforms, it is not the right means to achieve this ‘end’. ‘Originator traceability’ interferes unreasonably with users’ rights.[22] Moreover, the fairness, accountability, and transparency required while handling the alphanumeric keys are in question: as both the messaging companies and the government have access to them, there are concerns of mass surveillance by the government to justify that a crime has been committed by an innocent party, to wash its hands of corruption charges, or to misuse the data in the voting process. Further, such accessibility of data, if allowed on a massive scale, will validate injustice by framing charges and incriminating innocent parties or benefiting oneself. Lastly, the usage of such tracking technology without the legal consent of the persons being tracked is an illegal act, violating fundamental rights, including the freedom of conscience and the right to privacy. Such message trailing can specifically make women, children, LGBTQIA persons, and other marginalized sections of society more vulnerable. It shall also cause a chilling effect on the freedom of speech and association[23] by discouraging open communication and the sharing of personal sensitive information on such platforms, which persons can do if end-to-end encryption persists.

Another concern that has arisen after the government’s demand is its history of a series of trials and errors aimed at removing end-to-end encryption and asserting surveillance. The catalysts the government cites are fake news, hate speech, and child sexual abuse material; however, it can be seen that the current demand has built up from several small steps in this direction. It began with the IT Amendment of 2018,[24] which added Section 66A,[25] that is, publishing offensive, false, or threatening information. Section 69[26] was also introduced, giving officials the right to intercept, track, or decode any information from any electronic resource. After that, in October 2020, India signed a UK-initiated protocol entitled “International statement calling on tech companies to ensure end-to-end encryption is not implemented in a way that erodes public safety.”[27] This protocol sets out stringent consequences for public safety if end-to-end encryption is applied. After signing this statement, the Government passed the IT Rules 2021, which mandated messaging services to adhere to the government’s demand for traceability, that is, by removing end-to-end encryption. Hence, these events form a chain showing that the recent demands had long been intended, not only in India but also in foreign nations. The question now is twofold: first, are the current catalysts of fake news and public security even the intent behind this demand? And second, is this a bait-and-switch to ban end-to-end encryption without actually demanding it?

Scrutinising the irate dispute of Traceability versus Encryption

The debate over traceability and encryption has reached a deadlock; however, if there is one thing that both the experts and the government agree on, it is that there is a definite requirement to track down perpetrators and criminals while ensuring the highest possible privacy and encryption for users. Hence, the four major haunting questions are:

  1. How is traceability of end-to-end encrypted communications feasible or achievable?;
  2. What are the different strategies for enabling such traceability?;
  3. What are the consequences of each such strategy?; and
  4. Could traceability and encryption co-exist?

On this point, the government, relying on Rule 4(2) of the IT Rules 2021[28] as the umbrella provision, states that the demand for traceability from social media intermediaries that provide messaging services is essential for curbing unlawful activities, including fake news, rumors, hate speech and child sexual abuse. The provision mandates them to enable the identification of the first originator of the information on their computer resource, which may be produced before the court when an order is passed under Section 69, that is, the Competent Authority, as per the Information Technology (Procedure and Safeguards for interception, monitoring and decryption of information) Rules, 2009.[29]

In early April 2021, the government recommended alphanumeric hashing, with the keys of such communication to be held by the corporation and produced whenever demanded by the authorities and agencies. The other two strategies proposed for achieving traceability in end-to-end communications were either enabling traceability without removing end-to-end encryption or banning end-to-end encryption. The latter obligates the platforms to access the contents of their users’ messages in order to comply with traceability standards, that is, breaching end-to-end encryption and significantly worsening protection, and hence cannot be an alternative option at all. Hence, we are left with choosing between Digital Signatures and Metadata.

A. Digital Signatures:

There shall be a digital signature attached either to all the messages in the chain or secured using WhatsApp’s public key. If a court order is issued, WhatsApp will be able to decrypt the originator information using the matching private key. However, there are inherent problems with this method, such as:

  1. Digital attribution is not an absolute factor and is vulnerable to impersonation, which will definitely cause reasonable doubt. On this point, WhatsApp also noted that bad actors may use modified versions of WhatsApp to attribute a message to a particular phone number;[30]
  2. Moreover, private keys for digital signatures, particularly if owned by a third party, may be hacked and misused, putting citizens’ freedom of speech at risk and exposing individuals (including the most insecure and marginalised) to impersonation, abuse, and persecution; and
  3. Furthermore, cross-platform functionality would be impossible, as developers would have to organise their progress in order to provide a central database. Another issue is that a single attacker can compromise the whole device, posing a security risk with those private keys. If this is dependent on users’ biometrics, a layer of technological and organisational uncertainty is added.

B. Metadata

Employing Metadata, where the source, time, date, and destination of communication are provided but not the contents of the communication, also poses many problems in the encryption debate.[31] Following are the concerns of Metadata as a traceability alternative:

  1. The digital attribution is not absolute, particularly through metadata as it inhibits the ability to follow a chain of similar metadata to an originator, and is vulnerable to impersonation or implication of innocent users through spoofed metadata;
  2. Metadata violates data minimization and safety through its implementation philosophy, which raises the amount of data retention policies demanded by lowering security requirements, putting people’s privacy and security in danger. Furthermore, criminals and international adversaries may use the collected metadata to create social graphs of users or collect knowledge that could be used in blackmail, social engineering, and other types of attacks;
  3. Metadata contributes to the possibility of social media surveillance, or the development of social graphs to aid traceability, and could reveal classified information about government officers, political officials, journalists, campaigners, lawyers, and dissidents to data brokers and their clients. This data could be used by bad actors, including criminals, foreign adversaries as well as terrorist groups;
  4. Metadata needs longer data retention periods which creates security risks, exacerbating privacy and national safety concerns in case of a data breach; and
  5. Finally, based on the purposes that such intermediaries serve, not all sites collect the same amount of metadata. Furthermore, requiring platforms to store more metadata could compel them to dramatically reconfigure their networks, incurring costs and the chance of new security vulnerabilities.

So, on the question of whether traceability and encryption can co-exist, it is well established that one has to choose between Digital Signatures and Metadata. Both share one challenge, that is, the possible entry of bad actors (including criminals and foreign adversaries). However, Metadata also requires extra database infrastructure and raises a possibly larger cybersecurity issue, due to the social mapping which has to be retained for a long period of time. Hence, the alternative that allows for the privacy of individuals, without the company (the messaging service provider) knowing the details of the information shared, is Digital Signatures. However, some inherent issues do exist, chiefly that it is not an absolute system and is vulnerable to the spoofing of identity.

Conclusion

The current debate is like having to choose between a rock and a hard place: neither side has a better outcome, and there is no alternative without vulnerabilities. While enabling traceability coerces users to lower their standards of privacy and confidentiality, it is also clear that the demand of the Government aims at weakening end-to-end encryption in order to reach the “first originator.” Digital Signatures promise traceability vis-a-vis encryption; however, they are vulnerable to identity theft and hence can cause ‘reasonable doubt’. Even with these issues, they seem to be the only alternative in this neck-and-neck debate. However, are the catalysts harmful enough to enable such doubtful technology?

With inherent problems in the overall system, including both the legislature’s demand and implementational hurdles, one has to build resilient privacy-oriented software that does not let this vulnerability take a toll on the larger goal of “law and order.” Looking at which, retaliation to cooperation cannot be a solution in this irate challenging situation.

The article can be cited as:

Tannvi, Government’s Demand for traceability vis-a-vis WhatsApp’s Encryption: Could they co-exist?, Metacept-Communicating the Law, accessible at https://metacept.com/government’s-demand-for-traceability-vis-a-vis-whatsapp’s-encryption:-could-they-co-exist?

References:


[1] The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, access at: https://www.meity.gov.in/writereaddata/files/Intermediary_Guidelines_and_Digital_Media_Ethics_Code_Rules-2021.pdf.

[2] Surabhi Agarwal, India proposes alpha-numeric hash to track WhatsApp chat, THE ECONOMIC TIMES (Tech) Last Updated: Mar 23, 2021, 10:34 AM IST, Access through: https://economictimes.indiatimes.com/tech/technology/govt-proposes-alpha-numeric-hash-to-track-whatsapp-chat/articleshow/81638939.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst. (Last accessed on: April 23rd 2021, 14:00)

[3] Melita Tessy, Analysing Privacy Policies- WhatsApp, Telegram, and Signal, Metacept-Communicating the law, accessible at https://metacept.com/analysing-privacy-policies–whatsapp,-telegram,-and-signal. (Last accessed on: April 23rd 2021, 14:00)

[4] Id.

[5] Information Technology Act, Act No. 10 of 2000, INDIA CODE (2000), Vol. 27.

[6] The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, access at: https://www.meity.gov.in/writereaddata/files/Intermediary_Guidelines_and_Digital_Media_Ethics_Code_Rules-2021.pdf.

[7] Sushmita Panda, ‘Alphanumeric Hashing will effect encryption’, SUNDAY GUARDIAN, April 10th 2021, 2022 IST, Access at: https://www.sundayguardianlive.com/business/alphanumeric-hashing-will-affect-encryption. (Last accessed on: April 23rd 2021, 14:00)

[8] Id.

[9] Kazim Rizvi, Pranav Bhaskar Tiwari, To break Encryption, or not: that is the question, THE DIALOGUE, https://thedialogue.co/to-break-it-or-not-that-is-the-question. (Last accessed on: April 23rd 2021, 14:00)

[10] Facebook Inc. v. Antony Clement Rubin TP (C) 1943-46/2019 (Diary No.32478-2019).

[11] WhatsApp Inc. v. Janani Krishnamurthy Diary No. 32487-2019 XII.

[12] Supra note 9.

[13] Mohamed Imranullah S., Was Aadhaar data breached, asks HC, THE HINDU, March 27, 2021, 01:13 IST, https://www.thehindu.com/news/national/tamil-nadu/was-aadhaar-data-breached-asks-hc/article34173871.ece. (Last accessed on: April 23rd 2021, 14:00)

[14] Anonymous, Decluttering the Encryption and Platform Regulation Debate in India, BUSINESS WIRE INDIA, Updated on: April 06th 2021, 1047 IST, https://www.businesswireindia.com/decluttering-the-encryption-and-platform-regulation-debate-in-india-72379.html. (Last accessed on: April 23rd 2021, 14:00)

[15] Eliminating Abusive and Rampant Neglect of Interactive Technologies, Act of 6 2019 (EARN IT Act of 2019), One Hundred Sixteenth Congress, First Session of the United States of America (2019- 2020), Retrieved from: https://assets.documentcloud.org/documents/6746282/Earn-It.pdf. (Last accessed on: April 23rd 2021, 14:00)

[16] Riana Pfefferkorn, The EARN IT Act: How to ban end-to-end encryption without actually banning it, THE CENTRE FOR INTERNET AND SOCIETY: STANFORD LAW SCHOOL, January 30, 2020, at 12:42 PM, access through: http://cyberlaw.stanford.edu/blog/2020/01/earn-it-act-how-ban-end-end-encryption-without-actually-banning-it. (Last accessed on: April 23rd 2021, 14:00)

[17] Communications Assistance for Law Enforcement Act (CALEA), One Hundred Third Congress of USA, HR 4922, access at: https://www.congress.gov/103/bills/hr4922/BILLS-103hr4922enr.pdf. (Last accessed on: April 23rd 2021, 14:00)

[18] Anonymous, Government asks WhatsApp to explain breach amid phone snoop row, TIMES OF INDIA, November 01st 2019, 0850 IST, https://timesofindia.indiatimes.com/business/india-business/govt-asks-whatsapp-to-explain-breach-amid-phone-snoop-row/articleshow/71844315.cms. (Last accessed on: April 23rd 2021, 14:00)

[19] Anonymous, Traceability and Cybersecurity Experts’ Workshop Series on Encryption in India, INTERNET SOCIETY: ENCRYPTION, November 27th 2020, access at: https://www.internetsociety.org/resources/doc/2020/traceability-and-cybersecurity-experts-workshop-series-on-encryption-in-india/. (Last accessed on: April 23rd 2021, 14:00)

[20] Under the Indian Information Technology Act, an originator is defined as the person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person but does not include an intermediary.

[21] Information Technology Act, Act No. 21 of 2000, INDIA CODE (2000), Vol. 27.

[22] Supra note 7.

[23] INDIA CONST., Art 19, cl. 1.

[24] Information Technology Amendment Act, Act No. 10 of 2009, INDIA CODE (2009), Vol. 13.

[25] Information Technology Act, Act No. 21 of 2000, INDIA CODE (2000), Vol. 27, § 66A.

[26] Information Technology Act, Act No. 21 of 2000, INDIA CODE (2000), Vol. 27, § 69.

[27] Home Office, International statement calling on tech companies to ensure end-to-end encryption is not implemented in a way that erodes public safety, GUIDANCE: GOV.UK, October 11th 2020, Access At: https://www.gov.uk/government/publications/international-statement-end-to-end-encryption-and-public-safety.

[28] Rule 4, cl. 2, The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, access at: https://www.meity.gov.in/writereaddata/files/Intermediary_Guidelines_and_Digital_Media_Ethics_Code_Rules-2021.pdf. (Last accessed on: April 23rd 2021, 14:00)

[29] Section 69, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

[30] Supra note 19.

[31] Id.




Tannvi

I am a Humanities Law [BA LLB (Hons.)] student, with a major in Economics & Political-Governance Theory, at CHRIST (Deemed to be) University, Bengaluru (Batch of 2024). I am presently engulfing the intersection of International Relations and Cyber/ Technology Laws. I also have a keen interest in Corporate Commercial Law, Contracts, Dispute Law, International Trade Law, Real Estate Law and Intellectual Property Laws. ( Institutional Email Address: [email protected] )


1 thought on “Government’s Demand for traceability vis-a-vis WhatsApp’s Encryption: Could they co-exist?”

  1. Thorough and detailed informative research, clearly mentioning the obstacles regarding a frail end-to-end encryption system. Plus very easy to understand the contrast side of it with iron sight explanation about Metadata and digital signatures. Overall the article provides an explicit sight over the issue.
