Subscribe
My Reads e-paper IFSC Code Finder New
e-paper
OPEN APP
Home >Opinion >Columns >Let’s not snatch liberty away by busting end-to-end encryption

Let’s not snatch liberty away by busting end-to-end encryption

Premium
The hash value changes at the slightest alteration of the original message, say with the insertion of even a comma or a full stop, leading to a new originator being created. (File photo)

The use of message traceability to identify a few criminals will mean we’re all treated as offenders

End-to-end encryption has featured frequently in this column. I have argued that the anonymity it guarantees is essential to our notions of privacy and individual liberty because it gives us the ability to hold personal views and express them freely in private. This freedom to speak without fear is central to the notion of privacy. In the words of Justice Sanjay Kishen Kaul, it “is nothing but a form of dignity, which itself is a subset of liberty."

End-to-end encryption has featured frequently in this column. I have argued that the anonymity it guarantees is essential to our notions of privacy and individual liberty because it gives us the ability to hold personal views and express them freely in private. This freedom to speak without fear is central to the notion of privacy. In the words of Justice Sanjay Kishen Kaul, it “is nothing but a form of dignity, which itself is a subset of liberty."

But just as anonymity can guarantee privacy, it can also conceal illegality. It makes it harder for law enforcement to access evidence of crimes committed or which are about to be perpetrated. This is the dichotomy central to our use of this technology. Encryption secures the liberty and dignity of the individual, but it also allows crimes to be planned and criminals to evade detection.

But just as anonymity can guarantee privacy, it can also conceal illegality. It makes it harder for law enforcement to access evidence of crimes committed or which are about to be perpetrated. This is the dichotomy central to our use of this technology. Encryption secures the liberty and dignity of the individual, but it also allows crimes to be planned and criminals to evade detection.

Subscribe to Continue Reading

Can prevention of the latter ever be worth forsaking the former?

In an earlier article, I had described this dilemma in metaphorical terms. I likened encryption to the mythical Ring of Gyges that gave its wearer invisibility and the consequent freedom to do whatever s/he wanted without the risk of detection. I argued, citing Socrates, that just because a given technology makes it possible for us to operate undetected does not mean that we will embark on a crime spree. We adhere to the social contract not out of the fear of being caught, but because we know that if we don’t, society itself will quickly unravel. Even behind a veil of anonymity, most people behave responsibly—usually no differently than when being observed.

This is why we must lean towards preserving the liberty and dignity that end-to-end encryption guarantees, instead of allowing our regulatory direction to be guided by the criminality of a few.

Last week, the Indian government notified its Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021, making it clear that it had other priorities. These rules implement traceability, effectively destroying the anonymity built into the design of modern messaging platforms, and with that, all expectations of privacy in communication. While the provisions are only supposed to be used to investigate offences, I don’t think even the government has fully understood all the unintended consequences that this could have.

Rule 4(2) of the Intermediary Guidelines states that messaging companies must “enable the identification of the first originator" of a message. In an attempt to reassure users that the inviolability of the underlying message (one of the basic tenets of end-to-end encryption) will not be disturbed, the proviso states that there will be no requirement to disclose either “the contents of any electronic message" or “any other information related to the first originator" or any other user. This, however, is an imperfect understanding of both the guarantee of anonymity and the technological underpinnings of end-to-end encryption.

A message can only be truly anonymous if information on both the content as well as the sender are obscured from the sight of all but the sender and recipient. Disclosure of either one diminishes the guarantee of anonymity—and, as a consequence, the dignity that Justice Kaul called an essential subset of liberty. That is why the facile assurance that traceability will not result in disclosure of the underlying message is but cold comfort.

To ensure anonymity, chat services bake end-to-end encryption into the heart of their applications. Messages are encrypted before they leave the user’s device and it is only after the data packet has been securely delivered to the device of its intended recipient that it is decrypted to reveal its contents.

To enable the traceability required by the new Intermediary Guidelines, messaging services will need to create unique identifiers for every message so that they can be tracked from user to user as they get forwarded. This will weaken the anonymity guarantee not just for those messages whose originators the government wants to identify, but for every single message that passes through the system. Since WhatsApp alone processes over 100 billion messages a day, we need to ask ourselves whether the ability to identify a few miscreants is worth stripping over 500 million Indian users of their constitutionally guaranteed protections.

This is not the first time the government has tried to do something like this. When Aadhaar was required to be mandatorily linked to bank accounts, the government argued that this was necessary to meet the legitimate state aim of curbing money-laundering and black money. This approach was challenged at the Supreme Court, which said that “[u]nder the garb of prevention of money laundering or black money, there cannot be such a sweeping provision which targets every resident of the country as a suspicious person. Presumption of criminality is treated as disproportionate and arbitrary."

The Intermediary Guidelines decant this old wine into new bottles. By asking message originators to be identified, it requires every single message to be tracked. In trying to identify a few criminals, it makes criminals of us all.

The Supreme Court made short shrift of these arguments the last time around. I have no doubt it will do so again.

Rahul Matthan is a partner at Trilegal and also has a podcast by the name Ex Machina. His Twitter handle is @matthan

Click here to read the Mint ePaper
Mint is now on Telegram. Join Mint channel in your Telegram and stay updated with the latest business news.