The traceability mandate that messaging providers must comply to, in the recently notified intermediary guidelines makes a very problematic assumption — the field of encryption has not progressed after public key cryptography was first invented in the year 1977.
With the release of PGP (Pretty Good Privacy) tools in 1991, digital signing of email messages which can cryptographically prove who sent them achieved mainstream adoption, and even caused US presidential candidate, Hillary Clinton, to lose an election.
Thirty years later, in 2021, the field of cryptography has moved forward with many innovations. One such advancement is a complex protocol called E2E (end-to-end encryption), which uses public key cryptography but also incorporates other advancements like X3DH (Triple Diffie Hellman) and Double Ratchet, which allows encryption keys to change per message, without the intermediary having no knowledge about either the content or the encryption keys.
This is a radical departure from the earlier email-based signature scheme where encryption keys are static and don’t change for months or even years. E2E has another interesting property – it uses shared symmetric encryption keys between the sender and the receiver created through X3DH scheme, and hence it is possible to forge entire conversations with anyone and store them on your phone and claim the other party simply deleted them.
Therefore, any conversation found in someone else’s phone can’t be used in a court of law as evidence, as it can’t be proved that you indeed sent those messages (as they are not signed), but it can be easily proved that the other party forged them (using simple tools). Legal thinking in India has not caught on to this fact, as these guidelines and parading WhatsApp chats as evidence in certain high profile cases eloquently illustrate.
The guidelines also assume that modern instant messengers like WhatsApp and Signal can be somehow modified to use the 1990s PGP scheme, where every message sent via social media intermediaries is cryptographically signed using hashes and can be traced back to the first originator. The only way for the intermediaries to comply with the first originator mandate, hence is to turn the clock back to 1991 and create a pretend service that looks like instant messaging from the outside, but is actually an email service from the inside, thus negating not just the safety that encryption offers, but also the convenience of the “instant”.
Another interesting aspect of the guidelines is that it specifies that this only applies to “Indian Originated messages”, which implicitly assumes that Indian residents can only use the phone numbers issued in India (+91 code). This is, however, very problematic, because one can get a Cloud Telephone number, issued anywhere from the world, at a rental of Rs 75 per month, from providers such as Twilio and use it as a primary identifier with WhatsApp and Signal, thus allowing to trivially work around these rules.
The IL guidelines not only impact how messaging services operate within India, but also have an impact on how they operate globally. For instance, they need not add Originator information and continue offering E2E in other jurisdictions, while not offering E2E and provide a sub-par messaging service when both the sender and the receiver are based in India, but should upgrade from no E2E to full E2E if the sender is within India, but the receiver is out of India.
These incompatible combinations, therefore, would result in only one possible solution — two different products would be made, wherein the first product E2E would be the norm for everyone, and another product for Indian residents, where no E2E would be the norm, with no interoperability between the two.
The net impact of such a decision by the messaging service providers would create a metaphorical wall of sumer around India, where within the wall, we would have an encryption- free zone, but outside of it others enjoy the safety offered by E2E messaging services. This would be similar to China, where in the guise of public safety and harmony, the Chinese government does not allow any messaging service to provide E2E, and mandate provisioning of backdoors and key escrows, allowing an army of content censors to delete content unilaterally and also identify the originators and use the state security service to pay them a visit, either warning of them unpleasant consequences or putting them on jail on made-up charges.
Carnegie encryption working group
As the brief by Carnegie on the encryption policy in China indicates, these encryption regulations have created a thriving black market for personal and private information of Chinese citizens, where anything from hotel check-in history, apartment rentals to bank deposit records and even live location-tracking data are available for a fee and rampant cyber crime has become common as a result of these data leaks.
The Chinese experiment, hence, offers us a valuable lesson — outlawing E2E directly or indirectly, has a larger net negative ecosystem impact on encryption, data security and safety of the entire citizenry. Further, unlike China, India is not a cyber power and has been a target of various cyber attacks on its critical infrastructure like nuclear plants, power distribution companies, banks and other defence organisations by our adversaries.
Hence, existing solutions like Signal and Whatsapp, which offer E2E to anyone who can afford a smartphone, increases digital safety for the entire population at no net cost to the state, and must be treated as allies in the mission of increasing digital safety and not as adversaries, who must be subjugated and controlled.
However, this does not mean that all is well with these platforms. There are genuine problems that law enforcement agencies encounter during crime investigation and policy needs to move forward to address these concerns. Right framing of the problem, therefore, goes a long way along with certain basic guidelines on how a potential solution may look like. As pointed out by the Carnegie encryption working group, the problem with encryption is not privacy vs security, but security vs security, which includes “multiple aspects such as national security, public security, cyber security and security from hostile state and non-state actors”.
Their work distinguishes data-at-rest (available within a device) and data-at-motion (where intermediaries are involved) and points out that providing any access to encrypted data-at-motion does not offer achievable balance on risk vs benefit and hence should not be subject to policy changes in the near future. It also suggests that consensus between various competing interests and balancing them out is only possible in accessing the encrypted data-at-rest case and puts forth a framework that involves assessing utility, specificity, equity, authorisation, auditability, transparency and oversight mechanisms, while evaluating proposals.
Taking this approach would allow us to take the complex problem of platform governance forward rather than banning E2E directly or indirectly and embrace the path of totalitarian control on thought itself.
Anand Venkatanarayanan is a privacy advocate and researches disinformation, cyber weapons and data security.