Govt plans to introduce ‘hash keys’ to help trace the originator of a particular message.
The government has asked messaging platform WhatsApp to introduce the feature of traceability of messages. However, WhatsApp is worried that this move will result in breaking its end-to-end encryption feature that allows WhatsApp not to read or store messages on its servers. This has led to a deadlock between WhatsApp and the government. However, according to reports, the government is willing to work with WhatsApp to come up with a solution to enable traceability of message originators without breaking encryption. The government is proposing to introduce “Alphanumeric Hashing’ that will help in tracing the originator of a particular message in case of unlawful activities. Hashing is a procedure that also helps in password verification, breaking compression, among others.
Anand Venkatnarayanan, an independent cybersecurity researcher, told The Sunday Guardian: “There are no advantages to the proposed means as we know of. The hashing proposal will undermine encryption as we know it, and it still would not solve the first-originator problem. Simply put, there would be no end-to-end encryption and we are back to the 2000s, where service providers can read your messages. If the law enforcement can find the originator of a message, so can the company. Right now, the end-to-end encryption technology is such that no one, not even the service provider, can read the messages sent by the users. After the Snowden affair, which revealed that the US government engaged in mass surveillance, users demanded privacy and security from government snooping. This led companies to develop solutions such as E2E. So users always have a choice. When telcos tried to implement a differential pricing regime, Indian users demanded net neutrality, wrote to TRAI and DoT. That option is still open to them, where they can represent their views to DoT and Meity. There are other technical alternatives such as VPN servers that are available as well. Also since the originator policy is only applicable for Indian numbers, they can always move their messaging account to another country number (available at $1/month by providers like Twilio) and legally operate out of the ambit of the current laws.”
Venkatnarayanan said that this move will also not help the government in data localization. As per reports, the government has suggested that “alphanumeric hashes’ will be assigned to every message sent using WhatsApp. All these hash keys will be maintained by WhatsApp, and during an unlawful offense when law enforcement agencies want to investigate a problematic message, all it has to do is to request WhatsApp for the hash of the original sender. Meanwhile, the Facebook-owned messaging platform has not released any official confirmation about accepting this offer.
However, WhatsApp CEO, Will Cathcart, had said during an interview that the company is strongly opposing the move. WhatsApp was asked to accept the latest Information Technology Rules of 2021, released last month. The rules state that any “significant social media intermediary” had to ensure traceability. The government has given WhatsApp three months to comply with this order, as per reports.
Over the year, WhatsApp has been responsible for allegedly spreading misinformation, though the company is trying to control the spread of fake news on its platform by introducing various updates and features.
Pranav Bhaskar Tiwari, who manages the encryption and platform regulation program for the Delhi-based tech policy think tank The Dialogue, told The Sunday Guardian: “If Rule 4(2) of the IT Rules 2021 is implemented, then significant social media intermediaries providing messaging services will have to store the hash values of each message sent on their platform. This domestic Indian law, which has severe implications on the fundamental right to free speech and privacy, will impact the global regime as hash values of messages exchanged between users in India and any other foreign country like England will also have to be stored. This will lead to the infarction of international human rights obligations, especially when no democratic country in the world has taken such an extreme measure which in effect bans end-to-end encryption. The Signal Protocol for end-to-end encryption which is used by both Signal and WhatsApp, the two major players who will be impacted by Rule 4(2) of the IT Rules 2021, ensures a perfectly secret ecosystem. Both the apps are data light and do not store the content of the personal messages. To ask them to store the hashes leads to not just privacy, security, and economic concerns, but fundamentally changes the technological infrastructure they function on at a global scale.
Simply put, implementation of the traceability mandate means the end of end-to-end encryption. It is for these reasons that the TRAI in its recommendation to DoT had opined that the security architecture of end-to-end encrypted platforms should not be tinkered with. Any such intervention may render the users susceptible to attacks by hostile actors.”
“All messaging providers which have a significant user base, i.e., 50 lakh users, will be forced to implement the feature. In other words, they will all be forced to discard encryption.
The government is implementing this rule with the noble intention of curbing fake news, a proliferation of child sexual abuse material, and planning and perpetrating crimes on such platforms. While the objective is appreciable, the ‘means’ to achieve this ‘end’, in the Kantian sense, is not justified as it conflicts with core fundamental rights. Instead of mandating a solution like ‘originator traceability’, the State should slate out the problem and invite technical experts to opine implementable solutions which do not unreasonably restrict user rights. Sharing meta-data (status, profile photo, last active, registration details, etc.) with the law enforcement agencies and building their capacity to analyze the same along with device seizures based on probable cause is one such legitimate and implementable means of achieving this end,” Tiwari said.