The Indian government’s new intermediary guidelines may not force platforms to break end-to-end encryption technology used by various messaging apps to protect user privacy. According to industry experts, messaging apps can “fingerprint" text messages in order to find the originator without having to reach the content of said messages. The government’s new guidelines require such platforms to trace messages back to their originator within the country.
“With the present end-to-end encryption standards that apps follow, they need to do a bit of tweaking, without creating backdoors," said Sudhir Naidu, who runs Troop Messenger, a work collaboration platform that includes both messaging and video and is used by the Ministry of Defense in Netherlands. Naidu explained that apps could figure out a way to place a unique identifier for each message, which can then be traced back across senders, without needing to actually read the content of the message.
Experts say that this will put the onus on law enforcement too, who will need to first find the message in question and send it to the platforms. Messaging apps will need to design a way that allows the police or other authorities to figure out the unique identifier of a message, after which the platforms can trace them back to the originator. “It will certainly place some burden on the app, but it is totally doable without requiring platforms to read the content of the message. Some platforms may choose not to take that burden and could leave the country," Naidu said.
A security expert, under the condition of anonymity, said the protocols that will be needed in order to fingerprint messages could, by themselves, compromise encryption if they’re not done right. He said ensuring you can fingerprint messages without reading the content will require more man hours and research costs. Platforms will need to really be incentivized to do this, whether it by through government directives or through financial incentives.
Whether a platform chooses to lose the Indian market will depend on how many users it has from here, and what revenues it can earn. For instance, while both Signal and Telegram have gained millions of users from India over the past two months, WhatsApp has 530 million users in India, according to the government.
According to Jayanth Kolla, many of the encryption technologies that are prevalent today would allow for such fingerprinting to be done. “Encryption in itself has gone through multiple metamorphosis, and there are three or four types of encryption that exist for communication, which includes emails, instant messages and more," he said. “In a lot of ways, the originator will be known to the service. What the government is asking for sounds reasonable in three quarters of the case. But we don’t know which are the companies using the other quarter, and what their policies — both internal and external — when it comes to dealing with the regulators and governments are," he added.
That said, experts agree that this will lead to greater surveillance by platforms, who will have to collect more information about users’ instant messages. According to a high ranking official from one of the top messaging apps, it may lead more users to distrust platforms and not be able to speak openly, even on private messaging apps.
N.S. Nappinai, Supreme Court lawyer and cyber law expert, said, the right to privacy judgement by the SC permits the government to place reasonable restrictions for traceability. “Even the Puttaswamy Judgement recognises that reasonable restrictions are permissible, as long as traceability is not asking for all things or for the metadata to be continuously streamed to authorities," she said.
WhatsApp, Telegram and Signal did not comment on this story.
Subscribe to Mint Newsletters
* Enter a valid email
* Thank you for subscribing to our newsletter.