WhatsApp sues GoI: Why traceability undermines encryption and puts us all at risk

On 26 May, WhatsApp sued the Indian government over traceability requirements prescribed in the new Intermediary Guidelines (notified by the Ministry of Electronics and Information Technology in February 2021). While the government’s goal to regulate social media intermediaries and prevent crime is important, the Facebook-owned private messaging service has valid concerns regarding traceability requirements and its impact on users’ privacy and security. Cybersecurity experts have made it clear that traceability is incompatible with end-to-end encryption, and that any threats to strong encryption will put citizens — especially women, children and other vulnerable groups — in greater danger.

The pandemic has made more and more people rely on the Internet for a range of activities, which makes questions over digital security and privacy more important than ever. Messaging services such as WhatsApp and Signal have over half a billion users in India and rely on end-to-end encryption – the gold standard for keeping Internet users and systems secure. This ensures no one apart from the sender and receiver of the information will be able to decrypt and read it, thus keeping communication private and inaccessible to outside parties.

While the government has re-asserted that it does not seek to target or undermine encryption by requiring intermediaries to trace the first originator of a message linked to serious offences, cybersecurity experts and digital rights organisations in India and abroad have pointed out it is simply not possible for messaging services to identify the first originator without undermining end-to-end encryption.

Undermining end-to-end encrypted services establishes a dangerous precedent that would invite and encourage potential criminal activity. Image: Gerd Altmann from Pixabay

Undermining end-to-end encrypted services establishes a dangerous precedent that would invite and encourage potential criminal activity. Image: Gerd Altmann from Pixabay

Trying to weed out child sexual abuse material and illegal activity that threatens the sovereignty and integrity of India is important. However, the government is ignoring the fact that any method that allows a third-party to associate users with specific content in an end-to-end encrypted system weakens the security of law-abiding citizens and the Internet at large.

In some ways, the ability to link any user to any content is worse than providing no encryption at all, as it gives citizens a false sense of security, and they might actually face risks they have no knowledge of. Criminals could gain access to this information and track down specific users. ‘Trusted parties’ could also abuse the system and use it to target their opposition. Portions of private communication linking users to embarrassing (but not illegal) content could also be exposed. Similarly, criminals will move to services outside of the Indian jurisdiction, which are not required to implement traceability. In all these situations, law enforcement loses the advantage it set out to create for itself and ends up leaving everyone at risk.

Law enforcement agencies have plenty of other ways to investigate crime without tracing the source of encrypted content – such as open-source intelligence including publicly-available information on social media sites, evidence from witnesses or accomplices, and communications metadata.

Further, the spread of disinformation through social media is not a problem unique to India. It is not an issue that arose due to encryption – it is a social issue motivated by human behaviour. The way to tackle this is by ensuring timely and accessible availability of trusted, verified information in local languages, along with education to help users identify misinformation. This would discourage people from consuming and further disseminating disinformation, and limit ‘spam’. In fact, this trusted information is best delivered via end-to-end encrypted services where the integrity of the information can be preserved. Thus, encryption does not need to be undermined to root out fake news; doing so would threaten various other activities that people carry out over encrypted platforms.

While preventing crime and keeping people safe is a universal priority, this debate is not about privacy versus security. People across the world are more secure because of end-to-end encryption. Weakening encrypted systems to prevent crime is like solving one problem by creating a thousand more – the same as banning cars from the road because criminals use cars. Undermining end-to-end encrypted services establishes a dangerous precedent that would invite and encourage potential criminal activity, with devastating consequences for the safety and security of millions of citizens.

The government, by demanding traceability, is compelling end-to-end encrypted services to undermine encryption without explicitly telling them to do so. This may lead services and platforms to stop offering end-to-end encrypted services or pull out of Indian markets altogether.

Encryption is our strongest digital tool to keep people, their data and the country overall safe online. The Intermediary Guidelines have the potential to trigger grave, unintended consequences to the security of the Internet, and the Indian government should revisit its requirement of tracking content originators.

The author is Policy and Advocacy Manager at the Internet Society and is based in New Delhi. Internet Society is a global non-profit organization empowering people to keep the Internet a force for good: open, globally connected, secure and trustworthy.