Key Takeaways

The new Information Technology (IT) Rules, 2021 mandate significant social media intermediaries (intermediaries with over 5 million users) that provide services primarily in the nature of messaging to enable the identification of the first originator of a message if issued an order by a court or relevant government authority. Although the rules state that less intrusive methods will be used available, experts argue that this provision will require the breaking of end-to-end encryption offered by platforms like WhatsApp and Signal.

In a panel discussion held by MediaNama on Impact of IT Rules 2021 on Intermediaries, experts shared their views on the traceability mandate and what it means in the context of end-to-end encryption.Debayan Gupta, Assistant Professor of Computer Science,Ashoka University; Priyadarshi Banerjee, Lawyer at Banerjee & Grewall; Yash Kadakia, Founder and CTO of Security Brigade;Rakesh Maheshwari, Ministry of Electronics & Information Technology (MeitY), participated in this discussion. This discussion was supported by Google. All quotes have been edited for clarity and brevity.

The provision stumbles upon its first hurdle in defining who an originator of a message is and what information about the originator it expects.

Is it someone with a +91 number:Debayan Gupta argued that if the law is targeting only originators within India, does it mean it wants the originator with a +91 number, and in that case, what if someone with a +91 number moves to a different country? Will the laws of the country where the person has moved to allow sharing the details of said person? There is also the opposite case where a person with a non-Indian WhatsApp number might be residing in India, will they fall under this search for originator?

How does this work for a non-forwarded message:While tracking a forwarded message might be possible by breaking encryption, how will a platform trace a message that has been copied and pasted, Gupta asked. Wont the metadata of the message originator be lost in this case and wouldnt it be an easy way for bad actors to get away by doing this?Adding on to this point, Yash Kakadia asks what if a person saves a photo or video and reuploads it from his phone. This breaks the forward chain but it is still the same content. Will this person be considered the originator, although someone else was the actual originator? The image could also very easily be from a different messaging platform and there will be no way to go back to the actual originator in this case.

What about slightly modified messages: Gupta asks if forwarded messages that are slightly modified and then forwarded again be considered the same as the original message or as a different message? The same question applies to images and videos that are given a caption.

The broad consensus among the panellists was that enabling traceability without breaking end-to-end encryption is not possible, but they still offered scenarios where it is possible and what problems can this lead to.

Maybe for photos and videos:Yash Kakadia argues that in limited scenarios such as images and videos, tracking the originator without breaking encryption might be possible. If you take an image and I send it to you, you send it to 400 different people and it goes on from there, right? If you go into WhatsApp Web or something of that sort, the URL for the image is exactly the same. And its a cached image that theyre just sending forward. So fundamentally, WhatsApp will be able to say, the first person to upload this image was x and that I can see reasonably possible without breaking into encryption, he added. But this cannot be done for texts, which is the more universal case, Kakadia conceded.

Yes, but anyone can be made to look like the originator: One of the ways platforms can enable traceability is by hashing the sender information and including it as metadata when a message is sent. This could potentially work when everyone is using the official version of WhatsApp, for example, instead of a doctored version. But there is no guarantee that this is the case, especially when considering bad actors, and an unofficial version of the app gives users the ability to make anyone like the originator.

Lets say Im sending a message to Yash. And Im supposed to be attaching something at the bottom of that message that looks like garbage to you, but somehow encapsulates my ID in some fashion or the other. Whats preventing me from lying? Well, I can put Nikhils number in there, for example. And whats preventing Yash from changing that to something else when he forwards it the next time. How do you make sure that nobody lies during the process? Gupta argued.

You can take Narendra Modis phone numbers should you know it, attach that number on top of the message call him the originator and attach Narendra Modis hash at the bottom of it because you can compute it too. And thats that. So look, when I send you a message, either that hash is computable and verifiable by you in which case you can replace my number and my hash with Narendra Modis number and Narendra Modis hash or it isnt, in which case, I could have given you garbage and you wouldnt know, Gupta added.

Technology behind forwarded many times cannot be used for traceability:In response to a question on why the same technology used to label messages as forwarded many times cannot be used to keep track of originator, Gupta explained that WhatsApp, in fact, cannot see the number of times a message is forwarded and the entire system behind this is not really secure. If I ran a fake version of WhatsApps app, I could mess around with that and change that counter to whatever I wanted.The reason that this forwarded many times thing ends up working is because of WhatsApps assumption that if a message spreads like a wildfire, then presumably most of the users doing it are legitimate users using legitimate versions of the app Gupta said.

Less intrusive means for identification is a legal artifice:The government has added a clause that if there are less intrusive means for identification of the originator those can be used instead, but Priyadarshi Banerjee said that this is just a legal artifice that will help the government in court. I mean without breaking the end-to-end encryption traceability is just not possible. Then in that circumstance, its a meaningless proviso that has been put in, just to garnish the legislation for the benefit of the judiciary at a future date, he said.

FISA-like warrants for tapping:One solution Gupta proposed, but conceded wont be very effective, is for the government to implement a provision where a court allows law enforcement agencies to tap a persons chat for a legitimate reason similar to the FISA warrant system in the US. Platforms like WhatsApp can maintain end-to-end encryption for most users and disable it only for users who have a warrant issued against them. The two pitfalls to this are that everyone who the targeted person converses with will also be compromised and bad actors will not use the platform once they know law enforcement agencies can pursue them through this method.

Law should not mandate technology to do a particular thing:When a law instructs a company to do a particular thing, then the law is, in fact,dictating how technological innovation happens and at the pace there off, which is not in the realm of law at all, argues Priyadarshi Banerjee. Its impossible for either lawyers or judges or policymakers to determine what is actually in the domain of engineers, he added.

Government giving solutions rather than the problems to solve:Giving an apt metaphor, Debayan Gupta said Think about aeroplanes, the government is asking to have roll-down windows on aeroplanes. And all the aeronautical engineers are like, are you mad, you cant have roll-down windows on aeroplanes, people will die. This doesnt work. Until the government tells us, hold on, theres this thing called COVID. And we need some way to get fresh air on aeroplanes. Now, the aeronautical engineers say, oh, okay, now that makes sense. Your reasoning has been you have a real reason why youre asking us for this, we can put in these special filters weve created for this occasion. The problem is the government is telling us all this stuff about originator information, hashing and we cant expect the government to have expertise on everything. The problem is theyre giving us implementations or solutions. What they need to do is they need to show us the data, they need to tell us here are the problems.

Is there a right to anonymously exist or communicate online:While the law cannot give a positive mandate and tell companies what they should do, they can tell them not to deploy a particular kind of technology because anegative injunction is something that can be legally enforced according to Banerjee. But such injunctions must also satisfy certain other conditions of legality, he added.

In the present circumstance with regard to end-to-end encryption, I believe this dovetails into the primordial query that whether there is a right to anonymously exist or communicate online. If it can be determined that there is no such right then the law can surely injunct, said Banerjee.

Only affects law-abiding citizens:Debayan Gupta argued that whenever the government wants to pass new rules they use child porn and terrorism as a pretext but the rules dont actually solve those problems. If Im running a child porn ring, and I know if I use WhatsApp I can get tracked, I wouldnt use WhatsApp, Im going to use something else that I can find elsewhere on the internet, he said. He further adds that only the security of law-abiding citizens will be affected.

Bad guys move to harder to reach platforms: Every time you break one level of encryption, or one level of security, youre essentially going to have the bad guys move to a different, harder to reach, platform and then again its going to keep cycling on from there, Kadakia added. Technology evolution is always going to take place, and the bad guys are always going to find safe-havens. If we talk about child pornography right now, whether its moving to the dark web where it becomes even harder now for the government to sort of track that right. And the next request is going to be lets decentralize and lets monitor the dark web, he added.

Tiny corner case of badness:While conceding that the government might have a legitimate reason for the traceability mandate, Gupta said that there should be evidence that shows that enabling traceability will indeed help the government because otherwise, it applies broadly. All too often we are told that there is a legitimate reason for doing X. So were talking over Zoom right, were getting all of these benefits and youre suddenly saying, I dont want this tiny corner case of badness to happen, it doesnt work that way, Gupta said.

What youre doing is, youre taking a good system that works across the world, and youre creating a separate point of failure for it. And that point of failure is going to become a prime target for hackers, Debayan Gupta said.

Government has a number of security issues:Stating that government agencies face a number of security issues, Priydarshi Banerjee and Debayan Gupta argue that creating a backdoor for the government to identify the originator of a message will inevitably allow criminals in as well. So the question is also that is the price of potentially putting all our communications, every single one at risk worth the value that theyre sort of asking for in this context, Banerjee asked.

People in the middle of a message chain will be compromised:Even if the government is only trying to track down the originator of a message, all the others in the message chain will also be compromised because there is no way to only identify the originator without maintaining records throughout the chain. Giving an analogy to the postal system, Gupta said This idea of shortcutting everything is like would you do that to the postal system? How would you require the postal system to look inside every envelope, and keep track of every message that was sent? So that if a threatening message was received by the president of India, you could immediately track it back to the first person who wrote that message, rather than the 15 intermediaries that went through. Is that what were saying, that we now require the postal system to do that because that is the exact equivalent of what has been proposed.

Representing the government, Rakesh Maheshwari, Senior Director and Group Co-ordinator, Cyber Law & Security, MeitY, conveyed the governments intent regarding various subrules. He also fielded questions from MediaNama on traceability, compliance, timelines, clarifications of definitions, and more. Here are his views on traceability and encryption:

Not looking at the encryption aspect: We are not at all looking at the way the encryption has been done, the way decryption is being done. We are not at all looking at it, we are only looking that at the end-user device, the message does remain unencrypted. And if it is being simply being forwarded, then before it is being forwarded, it is the same message, and hence the hash should remain the same. Now, how exactly it is to be done, which technical architecture to be deployed, is best for the platform [to decide], Rakesh Maheswari noted.

Platforms cannot take shelter using end-to-end encryption:There are certain expectations that users shall not be engaged in certain activities. Platforms cannot just put that in the terms of conditions and use end-to-end as a shelter when users do engage in them, Maheswari noted. Our intent is that if there is trouble being created in the system, the system cannot just take the shelter of it being end-to-end encrypted and therefore be completely unaware and hence completely escape out of the problem. We want platforms to be accountable, we want people to also be accountable, he added.

More than three months given:In response to MediaNamas question on whether the government thinks it has given sufficient time for implementation of this mandate and Debayan Guptas argument that there is no way to know if three months is enough,Maheswari responded that the government has in fact given more than three months because this mandate has been in the public draft for the last two years and platforms knew it was coming. He also added that if three months is not enough to implement a certain rule or subrule, the government will be practical and accommodate extension requests.

Lots of checks and balances in place:Maheswari argued that the government has put lots of checks and balances in place to prevent the misuse of the traceability provision but does not give examples of any such measures. The rules also do not provide any details regarding the safeguards in place.

No cost-benefit analysis done:In response to an audience question on whether the government has done a cost-benefit analysis of the traceability mandate, Maheshwari responded that it isnot for government to do the cost-benefit analysis and that the government has the right to know the root cause of a problem.

There is always a bypass:Maheswari did concede that despite all the measures the government takes, criminals will find a way to bypass the law. But he argues that the rules are meant to suffice for the general case and not these extreme situations. The rule should by and large be able to meet the expectations of the government, as well as, I hope the users, he added.

Also Read

See original here:
#NAMA: The traceability mandate and what it means for end-to-end encryption - MediaNama.com

Threat actors have sharply ramped up use of the Transport Layer Security (TLS) cryptographic protocol to hide malware communications creating new challenges for enterprise security teams in the process.

A Sophos analysis of malware samples observed during the first three months of 2021 showed that 46%or nearly halfof all malware that communicated with a remote system over the Internet used TLS for that purpose. This represents a 100% increase from 2020, when 23% of malware tools used TLS.

A major reason for the increase is the growing practice among cybercriminals to use legitimate TLS-protected cloud and Web services such as Google cloud services, Pastebin, Discord, and Github for hosting malware or storing stolen data, and for their command and communication operations. Also contributing to the growth is the increased use by attackers of Tor and other TLS-based network proxies to encrypt communications between malware and the threat actors behind them, Sophos said.

The main takeaways are that there is no such thing as a safe domain or service when screening for malware, and that more traditional firewall defenses based on reputation scanning without deep packet inspection cannot protect systems, says Sean Gallagher, senior threat researcher at Sophos.

TheSophos reportis the latest to highlight the double-edged nature of mushrooming encryption use on the Internet. Over the past few years, privacy advocates, security experts, browser makers, and others have pushed for broad adoption of cryptographic protocols to protect Internet communications from spying and surveillance.

The efforts have resulted in the HTTPS protocol, which uses TLS, almost completely replacing the older HTTP protocol.According to Googleone of the most influential proponents of HTTPS92% of the traffic that hits its online properties in the US uses TLS. The percentage is higher in other countries. In Belgium and India, for instance, 98% of the traffic to Google sites is encrypted; in Japan and Brazil, the number is 96%, and in Germany, 94%.

While the increased use of HTTPS and TLS overallin email systems, VPNs, and other areashas enabled greater privacy and security, it has also given attackers a way to use the same technology to hide their malware and malware communications from conventional detection mechanisms.

Theres nothing we can build that the bad guys cant use, says Internet pioneer Paul Vixie, the chairman, CEO, and co-founder of Farsight Security.

To read the complete article, visit Dark Reading.

Visit link:
Nearly half of all malware is concealed in TLS-encrypted communications Urgent Comms - Urgent Communications

From an insight perspective, this research report has focused on various levels of analysis industry trends analysis, top players analysis, company profiles, which discuss the basic views on the competitive landscape, emerging and high-growth segments of Hardware-based Full Disk Encryption (FDE) market, and high-growth regions. Besides, drivers, restraints, challenges, and opportunities pertaining to Hardware-based Full Disk Encryption (FDE) market are also predicted in this report.

Get the complete sample, please click:https://www.globalmarketmonitor.com/request.php?type=1&rid=647690

Competitive PlayersThe Hardware-based Full Disk Encryption (FDE) market is full of competition due to the presence of many large and small companies and local manufacturers. The leading vendors in the market are:Micron Technology Inc Seagate Technology PLC Samsung Electronics Intel Toshiba Kingston Western Digital Corp

Browse More In-Depth Industry Insights at:https://www.globalmarketmonitor.com/reports/647690-hardware-based-full-disk-encryptionfdemarket-report.html

By application:IT & Telecom BFSI Government & Public Utilities Manufacturing Enterprise Others

Hardware-based Full Disk Encryption (FDE) TypeHard Disk Drive (HDD) FDE Solid State Drives (SSD) FDE

Table of Content1 Report Overview1.1 Product Definition and Scope1.2 PEST (Political, Economic, Social and Technological) Analysis of Hardware-based Full Disk Encryption (FDE) Market2 Market Trends and Competitive Landscape3 Segmentation of Hardware-based Full Disk Encryption (FDE) Market by Types4 Segmentation of Hardware-based Full Disk Encryption (FDE) Market by End-Users5 Market Analysis by Major Regions6 Product Commodity of Hardware-based Full Disk Encryption (FDE) Market in Major Countries7 North America Hardware-based Full Disk Encryption (FDE) Landscape Analysis8 Europe Hardware-based Full Disk Encryption (FDE) Landscape Analysis9 Asia Pacific Hardware-based Full Disk Encryption (FDE) Landscape Analysis10 Latin America, Middle East & Africa Hardware-based Full Disk Encryption (FDE) Landscape Analysis 11 Major Players Profile

Ask for a Report Sample at:https://www.globalmarketmonitor.com/request.php?type=3&rid=647690

Key Regions OverviewThe report covers the major countries analysis in North America, Europe, Asia Pacific, and the rest of the world. Furthermore, policy mobilization, social dynamics, development trends, and economic development in these countries are also taken into consideration.

Target Audience:Hardware-based Full Disk Encryption (FDE) manufacturersDistributors and resellers of Hardware-based Full Disk Encryption (FDE)Hardware-based Full Disk Encryption (FDE) industry associationsProduct managers, Hardware-based Full Disk Encryption (FDE) industry administrator, C-level executives of the industriesMarket research and consulting firmsSmall and Medium-sized Enterprises (SMEs) Hardware-based Full Disk Encryption (FDE) potential investorsHardware-based Full Disk Encryption (FDE) key stakeholders Hardware-based Full Disk Encryption (FDE) end-user sectorsResearch and Development (R&D) companies

Key Questions Answered by This Report:What is the size and CAGR of the Hardware-based Full Disk Encryption (FDE) Market?What are the key driving factors of the most profitable regional market?Which are the leading companies in the global market?How will the Hardware-based Full Disk Encryption (FDE) Market advance in the coming years?What are the main strategies adopted in the global market?Which region may hit the highest market share in the coming era?What trends, challenges, and barriers will impact the development and sizing of the Hardware-based Full Disk Encryption (FDE) Market?

About Global Market MonitorGlobal Market Monitor is a professional modern consulting company, engaged in three major business categories such as market research services, business advisory, technology consulting.We always maintain the win-win spirit, reliable quality and the vision of keeping pace with The Times, to help enterprises achieve revenue growth, cost reduction, and efficiency improvement, and significantly avoid operational risks, to achieve lean growth. Global Market Monitor has provided professional market research, investment consulting, and competitive intelligence services to thousands of organizations, including start-ups, government agencies, banks, research institutes, industry associations, consulting firms, and investment firms.ContactGlobal Market MonitorOne Pierrepont Plaza, 300 Cadman Plaza W, Brooklyn,NY 11201, USAName: Rebecca HallPhone: + 1 (347) 467 7721Email: info@globalmarketmonitor.comWeb Site: https://www.globalmarketmonitor.com

Guess You May Like:Bio-Waste Containers Market Reporthttps://www.globalmarketmonitor.com/reports/574831-bio-waste-containers-market-report.html

Hard Capsule Grade Gelatin Market Reporthttps://www.globalmarketmonitor.com/reports/504579-hard-capsule-grade-gelatin-market-report.html

Touch Based Human Machine Interface (HMI) Market Reporthttps://www.globalmarketmonitor.com/reports/577667-touch-based-human-machine-interfacehmimarket-report.html

Veno-Arterial ECMO System Market Reporthttps://www.globalmarketmonitor.com/reports/540332-veno-arterial-ecmo-system-market-report.html

Propylene Glycol (PG) Market Reporthttps://www.globalmarketmonitor.com/reports/642279-propylene-glycolpgmarket-report.html

Shock Absorber Market Reporthttps://www.globalmarketmonitor.com/reports/577383-shock-absorber-market-report.html

View post:
Insights and Prediction of Hardware-based Full Disk Encryption (FDE) Global Market (2020-2027) KSU | The Sentinel Newspaper - KSU | The Sentinel...

Polaris Market Research recently released a comprehensive report entitled Global Encryption Software Market, which focuses on providing a complete overview of the market. The report provides the latest information on all key aspects of the market and is expected to have a significant impact on market trends and performance during the forecast period. A key aspect is that the report is prepared in a way that will meet the needs of customers. This report is a complete guide for customers to make correct decisions based on business investment plans and strategies.

Research on the global Encryption Software market includes the avoidance framework in the Encryption Software market and the Encryption Software market share during the forecast period. The Encryption Software market report briefly discusses different key parameters such as market size, price, production cost, growth strategy, quantity, sales data, consumption rate and other basic parameters. The Encryption Software market report is divided into regions, product types, major manufacturers and applications.

Get More Details on this Report, Download Now( Sample PDF) : https://www.polarismarketresearch.com/industry-analysis/encryption-software-market/request-for-sample

With the assistance of different methods such as Porters Five Forces Analysis and SWOT Analysis, our researchers provide a clear outlook on current marketing trends and list the market participants that exist in the global Encryption Software market.

Manufacturers covered in this report are:

Microsoft Corporation, Symantec Corporation, IBM Corporation, EMC Corporation, CISCO Systems Inc., Intel Security, Check Point Software Technologies Ltd., Oracle Corporation, Trend Micro, Inc.

Detailed analysis of the impact of the COVID-19 pandemic on businesses: Understanding the long-term and short-term impacts

Most companies are facing career-critical anxiety cases related to the coronavirus outbreak, and this situation is increasing, including the risk of economic recession, supply chain disruption, and possible decline in consumer spending. All these conditions will operate in different ways in different regions and industries, which will require more accurate and timely market research than ever before.

Market Segmentation:

Encryption Software Market Size and Forecast, 2019-2026 by Deployment Model

Encryption Software Market Size and Forecast, 2019-2026 by Organization Size

Encryption Software Market Size and Forecast, 2019-2026 by Application

Encryption Software Market Size and Forecast, 2019-2026 by End-User

The main focus of this research report on the market for Encryption Software is providing study of following key points:

Get Exclusive Discount @ https://www.polarismarketresearch.com/industry-analysis/encryption-software-market/request-for-discount-pricing

Regional Analysis:

The report provides information about the market area, which is further subdivided into sub-regions and countries. In addition to market share in each country and subregion, this chapter of this report also provides information on profit opportunities. This chapter of the report mentions the share and market growth rate of each region, country, and sub-region in the estimated time period.

The research provides reliable answers to several key questions, such as:

In short, the Encryption Software Market report is the true source of access to research data that is expected to double your business. The report provides information such as economic scenarios, earnings, constraints, trends, market growth rates and figures.

If You Have Any Query, Ask Our Experts @ https://www.polarismarketresearch.com/industry-analysis/encryption-software-market/speak-to-analyst

About Polaris market Research

Polaris market Research is a global market research and consulting company. We provide unmatched quality of offerings to our clients present globally. The company specializes in providing exceptional market intelligence and in-depth business research services for our clientele spread across industry verticals.

Contact Us

Corporate Sales, USA

Polaris market Research

Phone: 1-646-568-9980

Email:sales@polarismarketresearch.com

Web:www.polarismarketresearch.com

More here:
Encryption Software Market 2021 | Industry Analysis, Size, Share, Growth, Trends, Demand And Forecast : Microsoft Corporation Symantec Corporation IBM...