Business Wire IndiaThe Dialogue, a Delhi based Tech Policy think tank, in partnership with DeepStrat a Delhi based think tank and strategic consultancy, hosted a virtual workshop ‘Decrypting Encryption’. The workshop was aimed at analysing the technical and policy aspects of the encryption debate in India. The workshop was led by Professor Dr. Sandeep Shukla who teaches Computer Science Engineering at IIT Kanpur and Mr. Anand Venkatanarayanan who is a respected cybersecurity researcher and a Strategic Advisor at DeepStrat.
The experts after detailing on the functional aspects of encryption technology explained why backdoors to end-to-end encrypted platforms will not fulfil legitimate State objectives but will lead to more cybersecurity challenges for the users and national security threats for the State. The experts further discussed why the arrangement proposed by Professor Dr. V Kamakoti before the Madras High Court and Hashing proposal envisioned in the IT Rules 2021 to catch savvy criminals on encrypted platforms is infeasible and will lead to more challenges than they seek to resolve.
On receiving questions on the efficacy of the proposal submitted by Professor Dr. V. Kamakoti before the Madras High Court, Dr. Shukla explained that this proposal is not implementable as it is replete with false positives. Any savvy criminal can easily spoof this arrangement to either protect himself or to implicate innocent citizens. Dr. Shukla added that end-to-end encryption includes ‘cryptographic deniability’ at its core. This entails that every recipient can be confident that they have received a message from an authenticated sender yet none can prove who the sender is. Even a transcript of messages on the receiver’s end cannot be proof that a specific person has sent those messages. Accordingly, any metadata tags associated with a message as proposed by Professor Dr. V. Kamakoti cannot be attributed to any specific individual with certainty and would fail to fulfil the evidentiary burden of proof in a Court.
Discussing the ‘Originator Traceability’ mandate envisaged under the IT Rules 2021, Mr. Anand Venkatanarayan explained why the ‘Hashing’ solution is infeasible. This is because it is extremely easy to fool the system. The mandate is only to trace a bad actor in India which is recognised by a ‘+91’ identifier. A person may easily buy a foreign phone number that comes for as low as $1 and get away. Dr. Shukla added, “Alpha Numeric Hashing is not adequate and an unnecessary complication for a very small percentage of change for the LEAs. It can also be used against dissent and crack down on speech and thus the possibility of abuse is high making it not a viable option in my opinion.”
Mr. Anand Venkatanarayan continued the workshop with a discussion of the recent disclosure by the FBI under the Freedom of Information Act on the metadata shared by popular messaging Apps. Metadata, he explained, can be understood as transactional data, except the content data (like chats). Metadata may include registration details, profile picture, status, last seen, contact list etc. Mr. Anand explained how metadata, accessed via established legal procedures, is used by law enforcement agencies (LEAs) to catch criminals and quoted the former NSA chief Michael Hayden saying, “We kill people based on metadata.”
With access to metadata per the procedure established by law, we do not need to weaken encryption to access content data and risk the cybersecurity nightmare. In addition to building the LEA’s metadata analysis capabilities, Mr. Anand highlighted the importance of adhering to the data minimization principles and the four-fold test established by the Hon’ble Supreme Court in the Puttaswamy judgement while accessing metadata.
The workshop concluded with recommendations to assist the State in lawful surveillance. The experts opined that in addition to building the metadata analysis capabilities of LEAs it is crucial to host training on what data sets can the LEAs request for at defined stages of investigation and a streamlined process for accessing it along with judicial oversight on the said process.
