Information Technology Rules 2021 notified this February this year invoke a number of new guidelines for social media intermediaries. But one controversial aspect is that these new rules could require social media intermediaries, especially messaging apps such as WhatsApp, to locate the originator of the message if required by the authorities.
Civil society and internet experts have said this could negatively impact end-to-end encryption on messaging apps such as WhatsApp, Signal and others, which deploy such technology. While WhatsApp and Signal do not keep a log of who users are messaging, the argument is also made for a digital signature or a unique hash ID to be added to each message.
But is this digital fingerprinting a reliable technique when it comes to locating an originator of a message? We spoke to Rajnesh Singh – Regional Vice President Asia-Pacific at the Internet Society and here’s what he had to say. Here are the edited responses from an email interaction.
What are the challenges with fingerprinting messages? Can it negatively impact end-to- end encryption or can it be preserved?
Fingerprinting techniques like digital signatures are not absolute and vulnerable to impersonation. There’s a risk that innocent users may be implicated in illegal conduct by cyber criminals that impersonate the sender. An attacker who accesses a company’s digital signature system can potentially see when a particular user is sending a message – by receiving and decrypting the originator information.
The content of the message itself cannot be fingerprinted without accessing unencrypted data from the device sending the message, which breaks the confidentiality promise of end- to-end encryption services. There’s also the practical issue of cost. Implementing digital fingerprinting requires service providers to re-engineer how their app works.
The IT Rules wish to know the originator of a message without looking at the content. Is that theoretically possible? If so how? And if not why?
It’s unclear if the guidelines will be used to identify the originator of specific content on a platform, or if it will be used to only identify the originator of a specific forwarded message.
Through the use of digital signatures, it may be possible to identify the originator of a specific forwarded message without looking at the content. However this adds vulnerabilities and could be circumvented by bad actors.
If the guidelines will be used to identify the originator of specific content on a platform, that will only be possible by looking at the unencrypted content at some point, thus comprising end-to-end encryption.
What are the risks with fingerprinting of messages? Why is it not fool-proof?
The problem with fingerprinting messages is that they are vulnerable to impersonation. For messages manually copied rather than forwarded in an application, the corresponding originator fingerprint would be lost. This means that the person who copied the contents of a message would be tagged as the originator rather than the real originator.
Proving a person actually sent the message solely by relying on the ‘digital fingerprint’ is not practical as someone could have gained access to the person’s device to send the message.
They could have spoofed the sender’s ID (including the phone number tied to the app), or an altered version of the app could have been used. If someone gained access to an account or impersonated a user, the innocent user could face legal consequences for the actions of a criminal who impersonated them.
As India also currently lacks a data protection framework, so it exacerbates the issue.
One challenge for law enforcement is that E2E apps usually mean they cannot access data so easily. Are there are ways around this without compromising E2E on messaging apps?
There are several approaches – mostly traditional in nature – that law enforcement agencies have used to gain access to a criminal’s activity, even in the world of end-to-end encrypted services. Examples include placing an informant in the group communication, turning one of the criminals involved to get access to unencrypted data, using known vulnerabilities in systems, and using metadata to understand who was messaging who, when and with what amount of data.