As society converges in the digital space, it is crucial to ensure the safety, security, and privacy of the users on the internet. While communicating on digital platforms, the end-to-end encryption technology ensures that our conversation cannot be snooped on by unwanted third parties. This entails that no government, hacker, or even the platform itself can access our chat over platforms like Signal or WhatsApp.
We can understand encryption technology like a letter written in a language only discernible by the sender and the intended receiver(s). Even the postman who carries it (here the platform like Signal) cannot read the contents of the letter. It is crucial to note, like any dual-use technology encryption too may be abused by bad actors for nefarious purposes like the proliferation of child sexual abuse material, perpetuating fake news among other social vices. Given these challenges, the State has a legitimate purpose in catching the criminals hiding behind the veneer of encryption enabled anonymity.
To this end, Governments across the world have come up with multiple technical recommendations like backdoors, key escrows, client-side scanning, and recently the traceability mandate where the platform would be expected to fingerprint a copy of each message sent on their platform. Institutions and experts across the globe have highlighted the challenges in all these solutions which would render the entire citizenry susceptible to cyber-attacks.
Experts have opined that there exist more privacy-respecting solutions which must be operationalized with help of collaboration between the key stakeholders. If we understand encrypted messages as letters are written in a language only understandable by the sender and receiver(s) then the postman (messaging app) cannot read the contents of the messages. But the postman can still read the address of the sender and receiver(s), the time it was sent and received, and its weight (size of the file). All these are called Meta-Data.
Platforms can collect this meta data for each message sent and given it is not the content of the letter, so the privacy of the users is secured. But if the user is conducting any criminal activity then the postman can hand over the meta data to the Police on the presentation of a legal warrant. These may also include the profile picture, status, and registration details of the user.
This is an effective way to catch criminals as stated by EUROPOL in its report which says that access to the contents of the letter is not the main challenge, it is the tedious MLAT process for accessing metadata from tech companies, which needs to be streamlined for a steady process. The report further recommended that there should be dedicated Special points of contacts (SPoCs), i.e., representative of the platform along with a clear SOP to ensure a seamless response to the legal assistance requests made by the law enforcement agencies.
While asking platforms to assist law enforcement agencies with metadata, we must be cognizant that we do not ask platforms to collect too much data in violation of the principle of data minimization leading to the violation of user privacy. The Personal Data Protection Bill, 2019 provides that data fiduciaries should only collect data that is necessary to fulfill the services they provide and ensure safety. Any proposal to fingerprint each and every message and store a copy of the same violates this principle & renders users insecure. If the fingerprint of all these messages exchanged between Indians is stored at a Postbox (platform) then what a criminal might do with them after illegally gaining access is anybody’s nightmare.
This begs the question that do we even need to fingerprint messages? Law Enforcements’ ingenuity can really solve a lot of crimes and the tools that law enforcement has today actually make surveillance much easier of a suspect. Recently, the FBI in partnership with other nations planted a compromised end-to-end encrypted messaging platform called An0m in the black market and used it to arrest over 800 criminals.
We have the former NSA General Counsel Stewart Baker who explained that “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.” What we really need is to appreciate the technology and then utilize traditional surveillance maneuvers to catch savvy criminals and not weaken the technology itself which is crucial to ensure the privacy, safety, and security of the entire nation.
This article is created on behalf of The Dialogue by the Studio18 team.