
How India’s originator traceability requirement acts as a back-door to E2E encryption


The first thing WhatsApp users see when they open a new chat is a notice that messages between the two parties are end-to-end encrypted. The recent originator traceability rules create a paradox: a chat thread cannot both be traceable back to its first sender and remain end-to-end encrypted in the sense that notice promises.

The heavily debated IT Rules 2021, notified by the Indian central government, apply to online intermediaries and, in particular, to significant social media intermediaries (SSMIs). To retain the intermediary safe harbour, these platforms must meet “additional due diligence” requirements, including mandatory identification of the first originator of a message and proactive, automated screening of content. In a country where encryption policy is already contested, the rules have raised serious data security concerns because of their potential to expose the private communications of Indian users.

The Dialogue, an India-based research and public policy think tank, is known for its work on intellectual property, data protection, geopolitical analysis, internet governance and cyber-security. In its recent report, ‘Analysing The National Security Implications of Weakening Encryption’, the organisation surveys the privacy-versus-security debate around encryption and state security measures. Analytics India Magazine spoke to The Dialogue’s founder and the report’s authors about the state of user privacy, encryption and traceability in India, and what the rules would mean for them.

The paradox of originator traceability and encryption

End-to-end encryption (E2EE) is a design in which messages and files are encrypted on the sender’s device and can only be decrypted on the intended recipients’ devices; the keys never leave the endpoints. Public-key cryptography is used to agree those keys, but the defining property is that nobody in between holds them. When E2EE is applied, messages cannot be read in transit by attackers, by governments, or by the company operating the service itself. Many messaging tools, social media platforms, video chat services and other applications use E2EE to protect their users’ privacy. Since the rules were announced, companies such as Facebook, WhatsApp and Twitter have petitioned the courts to strike them down, because the state’s originator traceability demand directly contradicts what E2EE guarantees.

“As per the originator traceability mandate, the encrypted messaging service providers are expected to develop technical ability to identify the sender of a message, which means that the platforms will have to store an unintelligible copy of personal chats (via hashing) tagged with sender details,” explained Kazim Rizvi, Lawyer and Founding Director of The Dialogue. Discussing the privacy implications of this, Rizvi referenced the Puttaswamy judgement that guarantees the fundamental right to privacy to Indian citizens. “Storing a fingerprint of all messages sent by the citizens of India undermines the data minimisation principle as enshrined in India’s proposed data protection framework and the mandate in the Puttaswamy judgement, which confers every individual a fundamental right to privacy. Moreover, if such data is leaked, then that could compromise the privacy of users, as well as the national security of the nation at large,” he said. 
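As an added illustration of the mechanism Rizvi describes (this is not code from WhatsApp, The Dialogue or any real platform), the Python below builds a hypothetical originator registry that stores a hash of each message tagged with its sender, then shows why a leaked table of such “unintelligible” fingerprints still reveals who said what: the hash must be deterministic and unsalted so that forwards can be matched against the first upload, and ordinary messages are guessable, so anyone holding the table can confirm authorship simply by hashing candidate texts. The registry layout, user identifiers and sample traffic are constructed assumptions.

```python
"""Hypothetical originator-traceability registry built from hashed messages.

Added example; not code from WhatsApp, The Dialogue or any real platform.
The table layout, user identifiers and sample traffic are constructed.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List, Optional


def fingerprint(message: str) -> str:
    # The registry must match a forwarded copy against the first upload, so the
    # digest has to be deterministic: no per-message salt and no secret key.
    # That is exactly what makes the table searchable by anyone who obtains it.
    return hashlib.sha256(message.encode("utf-8")).hexdigest()


class OriginatorRegistry:
    """Maps message fingerprint -> first sender seen with it (plus every sender)."""

    def __init__(self) -> None:
        self._first_sender = {}          # fingerprint -> first sender
        self._senders = defaultdict(list)  # fingerprint -> all senders, in order

    def record(self, sender: str, message: str) -> None:
        fp = fingerprint(message)
        self._first_sender.setdefault(fp, sender)
        self._senders[fp].append(sender)

    def originator_of(self, message: str) -> Optional[str]:
        # Lawful-request path: given the offending text, name the first sender.
        return self._first_sender.get(fingerprint(message))

    def forward_count(self, message: str) -> int:
        return len(self._senders.get(fingerprint(message), []))

    def dump(self) -> Dict[str, str]:
        # What an insider or an attacker gets if the registry leaks.
        return dict(self._first_sender)


def confirm_from_leak(leaked: Dict[str, str], candidates: List[str]) -> Dict[str, str]:
    """Confirmation attack on a leaked fingerprint table.

    Hashing is one-way, but messages are low-entropy and guessable.  Anyone
    holding the table can hash candidate texts and learn who first sent each
    one, without decrypting anything.
    """
    return {text: leaked[fingerprint(text)]
            for text in candidates if fingerprint(text) in leaked}


# Constructed sample traffic (not real data).
SAMPLE_TRAFFIC = [
    ("user-A", "Vote for candidate X tomorrow"),
    ("user-B", "Vote for candidate X tomorrow"),   # a forward of A's message
    ("user-C", "Meet at the clinic at 6"),
    ("user-D", "Vote for candidate X tomorrow"),   # another forward
]


def build_registry(traffic=SAMPLE_TRAFFIC) -> OriginatorRegistry:
    reg = OriginatorRegistry()
    for sender, message in traffic:
        reg.record(sender, message)
    return reg


if __name__ == "__main__":
    reg = build_registry()
    print("originator:", reg.originator_of("Vote for candidate X tomorrow"))
    guesses = ["Vote for candidate X tomorrow", "Meet at the clinic at 6", "Hello"]
    print("recovered from leaked table:", confirm_from_leak(reg.dump(), guesses))
```

The point of the leak step is the one practitioners raise against “it is only a hash”: the table cannot be salted or keyed per message without breaking the lookup the mandate requires, so it is in practice a searchable index of who first said any text an adversary can guess.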

Can the originator traceability rule break encryption?

The originator traceability provisions were deemed ‘the end of E2EE’ by The Dialogue’s report. Rizvi elaborated: “original traceability will undermine end-to-end encryption. (It) compromises the core features of end-to-end encryption which is crucial to exercise the internationally recognised human right to privacy in the digital world.”

In effect, asking E2EE platforms to trace the originator of a message is equivalent to building a back-door into the encryption, which endangers the security of every user, not only the suspects. A further problem is that no secure technical architecture exists that satisfies the centre’s requirement, so any implementation would have to weaken encryption to meet it.

What are the implications of traceability from a cyber perspective?

Anand Venkatanarayanan, Strategic Advisor at DeepStrat and a Cybersecurity Researcher, discussed the three-legged stool of E2EE. The stool consists of “Forward Secrecy (A compromise of past encryption keys means future messages can be broken) and Plausible deniability (Shared keys held by both parties mean one party can definitely fake an entire conversation that never happened),” Venkatanarayanan explained. This essentially means that “only the two parties in a conversation can know it was the other party who sent it, but can never prove the conversation happened to others.”

“Originator traceability breaks #2 and hence breaks E2EE itself”, Venkatanarayanan stated. “In a way, GOI is creating massive scope for “Fake Originators” that allows anyone to frame anyone as saying something and baking it into the law in the guise of finding a solution for online crimes. Hence it is completely unconstitutional, and that is why (WhatsApp) went to the court as the price of doing business in the country can’t be to create a “fixing” solution to frame people.”
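The deniability property Venkatanarayanan refers to can be shown concretely. The following Python is an added example, not Signal or WhatsApp code; keys, names and messages are constructed. Protocols of the Signal family authenticate each message with a symmetric key that both ends of the conversation share, so either party can produce a message and tag that verify exactly as if the other had sent it. A hypothetical platform hook that logs an “originator” whenever the tag verifies therefore records a claim, not evidence, which is the “fake originator” problem he describes.

```python
"""Why an 'originator' label attached to an E2EE message is not proof of authorship.

Added example; not Signal or WhatsApp code.  Keys, names and messages are
constructed.  Authentication here is an HMAC under the session key both
parties share, which is the shape of deniable authentication in Signal-family
protocols: it proves the message came from one of the two insiders, never which.
"""
import hashlib
import hmac
import os


def shared_session_key() -> bytes:
    # Stand-in for the key a key agreement (X3DH / Double Ratchet) would derive.
    # Both Alice and Bob end up holding this same value.
    return os.urandom(32)


def authenticate(key: bytes, claimed_sender: str, message: str) -> bytes:
    # The tag binds the *claimed* sender and the text under the shared key.
    data = claimed_sender.encode("utf-8") + b"\x00" + message.encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key: bytes, claimed_sender: str, message: str, tag: bytes) -> bool:
    return hmac.compare_digest(authenticate(key, claimed_sender, message), tag)


def forge_as_peer(key: bytes, victim: str, fabricated_text: str):
    """Bob, holding the shared key, fabricates a message that verifies as Alice's.

    Nothing in the tag distinguishes this from a message Alice really sent.
    """
    return fabricated_text, authenticate(key, victim, fabricated_text)


def originator_record(key: bytes, claimed_sender: str, message: str, tag: bytes):
    """Hypothetical traceability hook (an assumption for this example).

    A platform that logs the claimed sender whenever the tag verifies cannot
    tell a genuine message from a peer's forgery.
    """
    if not verify(key, claimed_sender, message, tag):
        return None
    return {"originator": claimed_sender, "text": message}


def demo():
    key = shared_session_key()

    # Alice genuinely sends a message; the hook logs her as originator.
    genuine_tag = authenticate(key, "alice", "lunch at 1?")
    genuine = originator_record(key, "alice", "lunch at 1?", genuine_tag)

    # Bob fabricates a message "from Alice"; the hook logs her just the same.
    f_text, f_tag = forge_as_peer(key, "alice", "I will pay you tomorrow")
    forged = originator_record(key, "alice", f_text, f_tag)

    # An outsider without the session key cannot forge: the tag fails to verify.
    outsider = originator_record(os.urandom(32), "alice", f_text, f_tag)
    return genuine, forged, outsider


if __name__ == "__main__":
    print(demo())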

Is it technologically possible to trace a message while maintaining end-to-end encryption?  

“There exists no known technology which can trace bad actors on end-to-end encrypted platforms without weakening encryption,” expressed Rizvi. Alternatively, he suggested, “Encrypted platforms can share metadata with law enforcement agencies on the presentation of a legal warrant.” Metadata here means information about a communication rather than its content: who messaged whom, when, how often, and from which device or IP address, all of which the platform can see without decrypting a single message. “Metadata has been proven to be extremely helpful in catching bad actors,” Rizvi noted.

What are the dangers of weakening encryption?

“If bad actors get a whiff that an encrypted platform is no longer secure, they will simply shift to another unregulated encrypted platform, just like it happened in the Mujahideen Secrets. The know-how to develop encrypted messaging software is publicly available on GitHub. In this event, law enforcement would not even have metadata to help in the investigation. Here, the law-abiding will be under surveillance while the outlaws will enjoy unregulated encrypted services,” Rizvi explained. 

From a legal standpoint, is the originator traceability rule desirable? Is it ethical?

As many lawyers have argued, the originator traceability rule is not without a rationale. India is no stranger to violence incited through WhatsApp or other online media: communal messaging, harmful fake news and illegal content have all circulated on these platforms. In such cases, tracing the wrongdoer could help bring justice and deter further incidents. We spoke to Mr Yashovardhan Azad, Ex-IPS Officer and Ex-Spl Director IB, about this scenario.

“The key concern with the traceability mandate under the IT Rules, 2021, is that there is no known technology that could trace originators of illegal messages on end-to-end encrypted apps without violating the privacy of all users”, expressed Mr Azad. “From a legal standpoint, this is even more concerning because it is conflicting with the judgement of the Supreme Court in the Puttaswamy judgement. This was a fantastic judgement since it touched upon every aspect of privacy and laid down a three-fold test of legality, proportionality, and necessity whenever the State interferes.”

“There exist multiple less intrusive methods to achieve the end of security, including metadata analysis and lawful hacking with judicial oversight, than weakening end-to-end encryption. Accordingly, the mandate fails to meet the necessary conditions”, Mr Azad suggested, citing the report’s recommendation. 

Talking about privacy and safety being two sides of the same coin, Mr Azad discussed the issue of national safety. “After all, the collective privacy and safety of all individuals is an integral facet of national security. Accordingly, it is crucial that efforts to create a robust cybersecurity regime are not furthered at the behest of the civil rights of individuals. The success of project Trojan Shield coupled with sharing of metadata and lawful hacking capabilities besides traditional surveillance manoeuvres highlights that there exist privacy-respecting methods of catching savvy criminals without risking the safety, security and privacy of all citizens. The legality of the traceability mandate must be reassessed and technical experts must be invited to opine on its feasibility,” he said.

Possible suggestions for a relevant policy that can be upheld

Given these costs to user privacy and online safety, we asked Rizvi which recommendations the government could adopt to ensure internet safety without sacrificing user privacy.
“A key recommendation in our report is to reform the Indian surveillance projects to align with the mandate in the Puttaswamy judgement. Only targeted measures operationalised per the procedure established by law with judicial or parliamentary oversight mechanisms should be permitted. While there exists a legitimate State interest in surveillance, ensuring transparency and accountability in the functioning of the law enforcement agencies is equally important,” Rizvi explained. He cited the example of the SIRIUS EU Digital Evidence Situation Report (2021) that evaluated the law enforcement agencies in the EU based on their selection of ‘content data’ or ‘meta data’. Similarly, Rizvi suggests, “It is important to commission a nationwide study of the technology requirements of the law enforcement agencies, streamline the process to access digital evidence, and build the capacity of law enforcement to analyse metadata.”

Avi Gopani

Avi Gopani is a technology journalist that seeks to analyse industry trends and developments from an interdisciplinary perspective at Analytics India Magazine. Her articles chronicle cultural, political and social stories that are curated with a focus on the evolving technologies of artificial intelligence and data analytics.