- Lack of clarity on originator: The rules do not clearly define who an originator is and fail to address the traceability of messages that are not in a forward chain such as copy-pastes and edited messages.
- Not possible to enable traceability without breaking end-to-end encryption: While the panellists provided certain ways in which traceability can be carried out without breaking end-to-end encryption, these methods work only in certain instances and/or are easily compromisable.
- Law should not dictate solutions: All panellists agreed that instead of dictating what a technology platform should do, the government should give the problems they wish to address and allow the technology companies to work on a solution.
- Government will not achieve its intent: Even if platforms enable traceability, the bad actors will find other ways to communicate and the rules will be unnecessarily penalizing genuine users instead.
- Will create a point of failure: If the government is given backdoor access to end-to-end encryption, this will inevitably be available to criminals as well and will compromise the safety and privacy of all users.
- Government does not care how it is implemented: The government is asking platforms to implement traceability by any method they want and is not asking for end-to-end encryption to be broken. It will also provide additional time for compliance if needed.
The new Information Technology (IT) Rules, 2021 mandate significant social media intermediaries (intermediaries with over 5 million users) that provide services primarily in the nature of messaging to enable the identification of the first originator of a message if issued an order by a court or relevant government authority. Although the rules state that less intrusive methods will be used if available, experts argue that this provision will require the breaking of end-to-end encryption offered by platforms like WhatsApp and Signal.
In a panel discussion held by MediaNama on Impact of IT Rules 2021 on Intermediaries, experts shared their views on the traceability mandate and what it means in the context of end-to-end encryption. Debayan Gupta, Assistant Professor of Computer Science, Ashoka University; Priyadarshi Banerjee, Lawyer at Banerjee & Grewall; Yash Kadakia, Founder and CTO of Security Brigade; Rakesh Maheshwari, Ministry of Electronics & Information Technology (MeitY), participated in this discussion. This discussion was supported by Google. All quotes have been edited for clarity and brevity.
Who is an originator?
The provision stumbles upon its first hurdle in defining who an originator of a message is and what information about the originator it expects.
“Is it someone with a +91 number”: Debayan Gupta argued that if the law is targeting only originators within India, does it mean it wants the originator with a +91 number, and in that case, what if someone with a +91 number moves to a different country? Will the laws of the country where the person has moved to allow sharing the details of said person? There is also the opposite case where a person with a non-Indian WhatsApp number might be residing in India, will they fall under this search for originator?
How does this work for a non-forwarded message: While tracking a forwarded message might be possible by breaking encryption, how will a platform trace a message that has been copied and pasted, Gupta asked. Won’t the metadata of the message originator be lost in this case and wouldn’t it be an easy way for bad actors to get away by doing this? Adding on to this point, Yash Kadakia asks what if a person saves a photo or video and reuploads it from his phone. This breaks the forward chain but it is still the same content. Will this person be considered the originator, although someone else was the actual originator? The image could also very easily be from a different messaging platform and there will be no way to go back to the actual originator in this case.
What about slightly modified messages: Gupta asks whether forwarded messages that are slightly modified and then forwarded again would be considered the same as the original message or a different message. The same question applies to images and videos that are given a caption.
Can the originator of a message be traced without breaking end-to-end encryption?
The broad consensus among the panellists was that enabling traceability without breaking end-to-end encryption is not possible, but they still offered scenarios where it is possible and the problems these can lead to.
Maybe for photos and videos: Yash Kadakia argues that in limited scenarios such as images and videos, tracking the originator without breaking encryption might be possible. “If you take an image and I send it to you, you send it to 400 different people and it goes on from there, right? If you go into WhatsApp Web or something of that sort, the URL for the image is exactly the same. And it’s a cached image that they’re just sending forward. So fundamentally, WhatsApp will be able to say, the first person to upload this image was x and that I can see reasonably possible without breaking into encryption,” he added. But this cannot be done for texts, which is the more universal case, Kadakia conceded.
Yes, but anyone can be made to look like the originator: One of the ways platforms can enable traceability is by hashing the sender information and including it as metadata when a message is sent. This could potentially work when everyone is using the official version of WhatsApp, for example, instead of a doctored version. But there is no guarantee that this is the case, especially when considering bad actors, and an unofficial version of the app gives users the ability to make anyone look like the originator.
“Let’s say I’m sending a message to Yash. And I’m supposed to be attaching something at the bottom of that message that looks like garbage to you, but somehow encapsulates my ID in some fashion or the other. What’s preventing me from lying? Well, I can put Nikhil’s number in there, for example. And what’s preventing Yash from changing that to something else when he forwards it the next time. How do you make sure that nobody lies during the process?” Gupta argued.
“You can take Narendra Modi’s phone number, should you know it, attach that number on top of the message call him the originator and attach Narendra Modi’s hash at the bottom of it because you can compute it too. And that’s that. So look, when I send you a message, either that hash is computable and verifiable by you in which case you can replace my number and my hash with Narendra Modi’s number and Narendra Modi’s hash or it isn’t, in which case, I could have given you garbage and you wouldn’t know,” Gupta added.
Technology behind “forwarded many times” cannot be used for traceability: In response to a question on why the same technology used to label messages as “forwarded many times” cannot be used to keep track of originator, Gupta explained that WhatsApp, in fact, cannot see the number of times a message is forwarded and the entire system behind this is not really secure. “If I ran a fake version of WhatsApp’s app, I could mess around with that and change that counter to whatever I wanted. The reason that this forwarded many times thing ends up working is because of WhatsApp’s assumption that if a message spreads like a wildfire, then presumably most of the users doing it are legitimate users using legitimate versions of the app,” Gupta said.
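The dilemma Gupta describes for hashed originator metadata, worked through as an added example that is not part of the original article or any platform's actual code. The two tag constructions (a plain SHA-256 over number and message, and an HMAC keyed with a device secret), the function names and the phone numbers are all constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample values, not real numbers or real traffic.
REAL_SENDER = "+91-0000000001"
FRAMED_USER = "+91-0000000002"
MESSAGE = "constructed sample message"


def public_tag(phone: str, message: str) -> str:
    """Scheme A: a tag anyone can recompute from the claimed number."""
    return hashlib.sha256(f"{phone}|{message}".encode()).hexdigest()


def recipient_verifies(claimed_phone: str, message: str, tag: str) -> bool:
    """All a recipient can check in scheme A: the tag matches the claim."""
    return hmac.compare_digest(public_tag(claimed_phone, message), tag)


def keyed_tag(device_secret: bytes, phone: str, message: str) -> str:
    """Scheme B: a tag keyed with a secret held only on the sender's device."""
    data = f"{phone}|{message}".encode()
    return hmac.new(device_secret, data, hashlib.sha256).hexdigest()


def looks_like_tag(tag: str) -> bool:
    """All a recipient can check in scheme B: the tag is well-formed."""
    return len(tag) == 64 and all(c in "0123456789abcdef" for c in tag)


def scheme_a_outcome() -> tuple:
    """A verifiable tag also verifies when computed for someone else's number."""
    honest = recipient_verifies(REAL_SENDER, MESSAGE, public_tag(REAL_SENDER, MESSAGE))
    # A modified client fills in another user's number and that user's tag.
    framed = recipient_verifies(FRAMED_USER, MESSAGE, public_tag(FRAMED_USER, MESSAGE))
    return honest, framed


def scheme_b_outcome() -> tuple:
    """An unverifiable tag cannot be told apart from random bytes."""
    genuine = keyed_tag(os.urandom(32), REAL_SENDER, MESSAGE)
    garbage = os.urandom(32).hex()  # what a modified client could attach instead
    return looks_like_tag(genuine), looks_like_tag(garbage)


if __name__ == "__main__":
    print("scheme A (honest, framed) both verify:", scheme_a_outcome())
    print("scheme B (genuine, garbage) both accepted:", scheme_b_outcome())
```

In both schemes the recipient's check passes for the dishonest input, which is the point of the quote: the hash shows that a number and a message were combined, not who combined them.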
Less intrusive means for identification is a legal artifice: The government has added a clause that if there are less intrusive means for identification of the originator those can be used instead, but Priyadarshi Banerjee said that this is just a “legal artifice” that will help the government in court. “I mean without breaking the end-to-end encryption traceability is just not possible. Then in that circumstance, it’s a meaningless proviso that has been put in, just to garnish the legislation for the benefit of the judiciary at a future date,” he said.
FISA-like warrants for tapping: One solution Gupta proposed, but conceded won’t be very effective, is for the government to implement a provision where a court allows law enforcement agencies to tap a person’s chat for a legitimate reason similar to the FISA warrant system in the US. Platforms like WhatsApp can maintain end-to-end encryption for most users and disable it only for users who have a warrant issued against them. The two pitfalls to this are that everyone who the targeted person converses with will also be compromised and bad actors will not use the platform once they know law enforcement agencies can pursue them through this method.
Should the law be able to override the technological choice of a platform?
Law should not mandate technology to do a particular thing: When a law instructs a company to do a particular thing, then the law is, in fact, dictating how technological innovation happens and the pace thereof, which is not in the realm of law at all, argues Priyadarshi Banerjee. “It’s impossible for either lawyers or judges or policymakers to determine what is actually in the domain of engineers,” he added.
Government giving solutions rather than the problems to solve: Giving an apt metaphor, Debayan Gupta said “Think about aeroplanes, the government is asking to have roll-down windows on aeroplanes. And all the aeronautical engineers are like, are you mad, you can’t have roll-down windows on aeroplanes, people will die. This doesn’t work. Until the government tells us, hold on, there’s this thing called COVID. And we need some way to get fresh air on aeroplanes. Now, the aeronautical engineers say, oh, okay, now that makes sense. Your reasoning has been you have a real reason why you’re asking us for this, we can put in these special filters we’ve created for this occasion. The problem is the government is telling us all this stuff about originator information, hashing and we can’t expect the government to have expertise on everything. The problem is they’re giving us implementations or solutions. What they need to do is they need to show us the data, they need to tell us here are the problems.”
Is there a right to anonymously exist or communicate online: While the law cannot give a positive mandate and tell companies what they should do, they can tell them not to deploy a particular kind of technology because a negative injunction is something that can be legally enforced according to Banerjee. But such injunctions must also satisfy certain other conditions of legality, he added.
“In the present circumstance with regard to end-to-end encryption, I believe this dovetails into the primordial query that whether there is a right to anonymously exist or communicate online. If it can be determined that there is no such right then the law can surely injunct,” said Banerjee.
Will the government achieve its intent?
Only affects law-abiding citizens: Debayan Gupta argued that whenever the government wants to pass new rules they use child porn and terrorism as a pretext but the rules don’t actually solve those problems. “If I’m running a child porn ring, and I know if I use WhatsApp I can get tracked, I wouldn’t use WhatsApp, I’m going to use something else that I can find elsewhere on the internet,” he said. He further adds that only the security of law-abiding citizens will be affected.
Bad guys move to harder to reach platforms: “Every time you break one level of encryption, or one level of security, you’re essentially going to have the bad guys move to a different, harder to reach, platform and then again it’s going to keep cycling on from there,” Kadakia added. “Technology evolution is always going to take place, and the bad guys are always going to find safe-havens. If we talk about child pornography right now, whether it’s moving to the dark web where it becomes even harder now for the government to sort of track that right. And the next request is going to be let’s decentralize and let’s monitor the dark web,” he added.
Tiny corner case of badness: While conceding that the government might have a legitimate reason for the traceability mandate, Gupta said that there should be evidence that shows that enabling traceability will indeed help the government because otherwise, it applies broadly. “All too often we are told that there is a legitimate reason for doing X. So we’re talking over Zoom right, we’re getting all of these benefits and you’re suddenly saying, I don’t want this tiny corner case of badness to happen, it doesn’t work that way,” Gupta said.
What happens if platforms indeed break end-to-end encryption?
“What you’re doing is, you’re taking a good system that works across the world, and you’re creating a separate point of failure for it. And that point of failure is going to become a prime target for hackers,” Debayan Gupta said.
Government has a number of security issues: Stating that government agencies face a number of security issues, Priyadarshi Banerjee and Debayan Gupta argue that creating a backdoor for the government to identify the originator of a message will inevitably allow criminals in as well. “So the question is also that is the price of potentially putting all our communications, every single one at risk worth the value that they’re sort of asking for in this context,” Banerjee asked.
People in the middle of a message chain will be compromised: Even if the government is only trying to track down the originator of a message, all the others in the message chain will also be compromised because there is no way to only identify the originator without maintaining records throughout the chain. Giving an analogy to the postal system, Gupta said “This idea of shortcutting everything is like would you do that to the postal system? How would you require the postal system to look inside every envelope, and keep track of every message that was sent? So that if a threatening message was received by the president of India, you could immediately track it back to the first person who wrote that message, rather than the 15 intermediaries that went through. Is that what we’re saying, that we now require the postal system to do that because that is the exact equivalent of what has been proposed.”
What does the government say?
Representing the government, Rakesh Maheshwari, Senior Director and Group Co-ordinator, Cyber Law & Security, MeitY, conveyed the government’s intent regarding various subrules. He also fielded questions from MediaNama on traceability, compliance, timelines, clarifications of definitions, and more. Here are his views on traceability and encryption:
Not looking at the encryption aspect: “We are not at all looking at the way the encryption has been done, the way decryption is being done. We are not at all looking at it, we are only looking that at the end-user device, the message does remain unencrypted. And if it is simply being forwarded, then before it is being forwarded, it is the same message, and hence the hash should remain the same. Now, how exactly it is to be done, which technical architecture to be deployed, is best for the platform [to decide],” Rakesh Maheshwari noted.
Platforms cannot take shelter using end-to-end encryption: There are certain expectations that users shall not be engaged in certain activities. Platforms cannot just put that in the terms and conditions and use end-to-end encryption as a shelter when users do engage in them, Maheshwari noted. “Our intent is that if there is trouble being created in the system, the system cannot just take the shelter of it being end-to-end encrypted and therefore be completely unaware and hence completely escape out of the problem. We want platforms to be accountable, we want people to also be accountable,” he added.
More than three months given: In response to MediaNama’s question on whether the government thinks it has given sufficient time for implementation of this mandate and Debayan Gupta’s argument that there is no way to know if three months is enough, Maheshwari responded that the government has in fact given more than three months because this mandate has been in the public draft for the last two years and platforms knew it was coming. He also added that if three months is not enough to implement a certain rule or subrule, the government will be practical and accommodate extension requests.
Lots of checks and balances in place: Maheshwari argued that the government has put lots of checks and balances in place to prevent the misuse of the traceability provision but does not give examples of any such measures. The rules also do not provide any details regarding the safeguards in place.
No cost-benefit analysis done: In response to an audience question on whether the government has done a cost-benefit analysis of the traceability mandate, Maheshwari responded that “it is not for government to do the cost-benefit analysis” and that the government has the right to know the root cause of a problem.
There is always a bypass: Maheshwari did concede that despite all the measures the government takes, criminals will find a way to bypass the law. But he argues that the rules are meant to suffice for the general case and not these extreme situations. “The rule should by and large be able to meet the expectations of the government, as well as, I hope the users,” he added.