Why Indian Courts Should Reject Traceability Obligations – EFF

End-to-end encryption is under attack in India. The Indian government's new and dangerous online intermediary rules, due on May 25th, force messaging applications to track, and be able to identify, the originator of any message, which is fundamentally incompatible with the privacy and security protections of strong encryption. Three petitions have been filed (Facebook; WhatsApp; Arimbrathodiyil) asking the Indian High Courts (in Delhi and Kerala) to strike down these rules.

The traceability provision, Rule 4(2) in the Intermediary Guidelines and Digital Media Ethics Code rules (English version starts at page 19), was adopted by the Ministry of Electronics and Information Technology earlier this year. The rules require that any large social media intermediary that provides messaging shall enable the identification of the first originator of the information on its computer resource in response to a court order or a decryption request issued under the 2009 Decryption Rules. (The Decryption Rules allow authorities to request the interception or monitoring of decryption of any information generated, transmitted, received, or stored in any computer resource.)

The minister has claimed that the rules will [not] impact the normal functioning of WhatsApp and said that the entire debate on whether encryption would be maintained or not is misplaced because technology companies can still decide to use encryption, so long as they accept the responsibility to find a technical solution, whether through encryption or otherwise, that permits traceability. WhatsApp strongly disagrees, writing that "traceability breaks end-to-end encryption and would severely undermine the privacy of billions of people who communicate digitally."

The Indian government's assertion is bizarre because the rules compel intermediaries to know information about the content of users' messages that they currently don't and which is currently protected by encryption. This legal mandate seeks to change WhatsApp's security model and technology, and the assumptions somehow seem to imply that such matter needn't matter to users and needn't bother companies.

That's wrong. WhatsApp uses a specific privacy-by-design implementation that protects users' secure communication by making forwarding indistinguishable, for the private messaging app, from other kinds of communications. So when a WhatsApp user forwards a message using the arrow, it serves to mark the forward information at the client-side, but the fact that the message has been forwarded is not visible to the WhatsApp server. The traceability mandate would make WhatsApp change the application to make this information, which was previously invisible to the server, now visible.

The Indian government also defended the rules by noting that legal safeguards restrict the process of gaining access to the identity of a person who originated a message, that such orders can only be issued for national security and serious crime investigations, and on the basis that it is not any individual who can trace the first originator of the information. However, messaging services do not know ahead of time which messages will or will not be subject to such orders; as WhatsApp has noted,

there is no way to predict which message a government would want to investigate in the future. In doing so, a government that chooses to mandate traceability is effectively mandating a new form of mass surveillance. To comply, messaging services would have to keep giant databases of every message you send, or add a permanent identity stamp (like a fingerprint) to private messages with friends, family, colleagues, doctors, and businesses. Companies would be collecting more information about their users at a time when people want companies to have less information about them.

India's legal safeguards will not solve the core problem:

The rules represent a technical mandate for companies to re-engineer or re-design their systems for every user, not just for criminal suspects.

The overall design of messaging services must change to comply with the government's demand to identify the originator of a message. Such changes move companies away from privacy-focused engineering and data minimization principles that should characterize secure private messaging apps.
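To make the "permanent identity stamp" option described above concrete, here is an added toy model in Python (not from the original post, and not WhatsApp's protocol or any proposed design). The toy cipher, the `Server` class and the SHA-256 `stamp` field are assumptions for illustration; the model shows that a trace query can be answered only if every message was stamped and recorded, including ones no order ever asks about.

```python
import hashlib
import os

def toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher (SHA-256 keystream); a stand-in for real E2E encryption."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def fingerprint(text: str) -> str:
    """Hypothetical content stamp: a deterministic hash of the plaintext."""
    return hashlib.sha256(text.encode()).hexdigest()

def send(key: bytes, text: str, stamp: bool) -> dict:
    """Client side: encrypt under the chat key; optionally attach the stamp."""
    nonce = os.urandom(16)
    envelope = {"nonce": nonce, "ct": toy_cipher(key, nonce, text.encode())}
    if stamp:
        envelope["stamp"] = fingerprint(text)
    return envelope

class Server:
    """Relay that never holds chat keys and records only what it can see."""
    def __init__(self):
        self.senders = {}  # stamp -> accounts, in order of first appearance

    def relay(self, sender: str, envelope: dict) -> None:
        stamp = envelope.get("stamp")
        if stamp is not None:  # the server cannot know which stamps will matter later
            seen = self.senders.setdefault(stamp, [])
            if sender not in seen:
                seen.append(sender)

    def trace(self, known_text: str):
        """First originator of a message whose plaintext the requester already holds."""
        seen = self.senders.get(fingerprint(known_text), [])
        return seen[0] if seen else None

def run(stamp: bool) -> Server:
    # Constructed traffic: three accounts, each in a separate chat with its own key.
    server = Server()
    for sender, text in (("alice", "constructed viral text"),
                         ("bob", "constructed viral text"),
                         ("carol", "constructed private note")):
        server.relay(sender, send(os.urandom(32), text, stamp))
    return server
```

Without stamps the server's table stays empty and `trace` returns nothing; with stamps it holds an entry for every message, and the same table lists everyone who sent a given text.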

This provision is one of many features of the new rules that pose a threat to expression and privacy online, but it's drawn particular attention because of the way it comes into collision with end-to-end encryption. WhatsApp previously wrote:

Traceability is intended to do the opposite by requiring private messaging services like WhatsApp to keep track of who-said-what and who-shared-what for billions of messages sent every day. Traceability requires messaging services to store information that can be used to ascertain the content of people's messages, thereby breaking the very guarantees that end-to-end encryption provides. In order to trace even one message, services would have to trace every message.

Rule 4(2) applies to WhatsApp, Telegram, Signal, iMessage, or any significant social media intermediaries with more than 5 million registered users in India. It can also apply to federated social networks such as Mastodon or Matrix if the government decides these pose a material risk of harm to national security (rule 6). Free and open-source software developers are also afraid that they'll be targeted next by this rule (and other parts of the intermediary rules), including for developing or operating more decentralized services. So Facebook and WhatsApp aren't the only ones seeking to have the rules struck down; a free software developer named Praveen Arimbrathodiyil, who helps run community social networking services in India, has also sued, citing the burdens and risks of the rules for free and open-source software and not-for-profit communications tools and platforms.

This fight is playing out across the world. EFF has long said that end-to-end encryption, where intermediaries do not know the content of users' messages, is a vitally important feature for private communications, and has criticized tech companies that don't offer it or offer it in a watered-down or confusing way. Its end-to-end messaging encryption features are something WhatsApp is doing right, following industry best practices on how to protect users, and the government should not try to take this away.
