In line with the American development, the Committee of the Upper House of the Indian Parliament came up with a report to curb the proliferation of Child Sexual Abuse Material (CSAM). The legislators proposed to break encryption in order to trace the originator. This move albeit well-intentioned is likely to do more harm than good. Breaking encryption has also been the key issue which has travelled its way from the Madras and Bombay High Court to the Supreme Court of India in Facebook Inc. v. Antony Clement Rubin and WhatsApp Inc. v. Janani Krishnamurthy. Encryption is also one of the key amendments being envisaged in the Draft Intermediary Liability Guidelines (under the Information Technology Act, 2000) which is being deliberated upon by the Ministry of Electronics and Information Technology. This article delves on three major reasons for not breaking encryption.
First, banning or breaking encryption will not stop criminals from using encryption. This will only make it difficult for the police to catch them, explains Riana Pfefferkorn of Stanford’s Centre for Internet and Society. Encryption technology and its mathematical know-how are available to the world at large. Criminals anyway know how to write their own encryption. If backdoors are created on a platform then the savvy criminals will simply shift to another platform, possibly their own platform which is well encrypted. So, the police will only be able to catch the gullible and ignorant criminals, while the smart ones who are more dangerous will easily get away.
Second, the creation of backdoors for ‘exceptional access’ is convenient, not just for the Indian police but also for foreign governments and cyber-terrorists. The case study from Greece is a perpetual reminder of the same. In this regard, Prof. V. Kamakoti submitted the ‘Report on Originator traceability in WhatsApp messages’ as a solution to the Madras High Court in the case of Janani Krishnamurthy v. Union of India. In this report, he offered two equally flawed solutions. He suggested embedding the metadata of the originator in the message itself in a decrypted form. Alternatively, the originator’s metadata may be embedded in the message in an encrypted form which is accessible through a private-public key. This key would have to be generated by the intermediary and stored in escrow. The key ought to be shared with the government when demanded via lawful warrant. However, these suggestions are not new to the ecosystem. After the Crypto-Wars of 1990s, key escrow as a system was rejected in the United States, owing to its deleterious impact of unauthorised access.
Also, the solutions offered by Prof. Kamakoti can easily be skirted by hiring proxy originators among other technical methods which would point at innocent individuals. On the contrary, intermediaries are open to sharing metadata with law enforcement agencies. Metadata analysis can help in the investigation without disclosing the content of the message and in effect secure individual privacy. It is important that we utilise the existing technologies rather than building new backdoors which make us susceptible to surveillance from foreign governments and cyber-terrorists.
Third, the creation of backdoors will put the citizens at a more vulnerable spot. Their personal data will now be susceptible to surveillance owing to the backdoor access while the savvy criminals would conveniently use superior encryption. Pfefferkorn who analysed this situation in the American context explains, that in effect, such law provides that criminals will have better privacy protection than law-abiding citizens. This is even more concerning wherein the pandemic has forced the world to work from home with no effective cyber-security protections in place.
The question then arises is how do we reconcile this challenge? Sure, by breaking encryption the police will be able to catch a few criminals proliferating CSAM. But they were anyways not smart enough. Yet breaking it has such a deleterious impact on individual privacy while criminals can easily shift to another platform where encryption is available, illegally. The technologically shrewd will easily getaway. What is required is a spirited discussion seeking platform cooperation for capacity building of the investigative agencies to update and deploy traditional targeted surveillance with new datasets (metadata) available to nab CSAM proliferators.
Kazim Rizvi is the founder-director of Delhi-based tech think tank- The Dialogue. Pranav Bhaskar Tiwari is the Policy Research Associate with The Dialogue and can be reached at pranav@thedialogue.co.