A fine balance between privacy and national security is always a tightrope walk.
The debate has gained traction in recent weeks, with WhatsApp suing the Indian government over the newly implemented information technology (IT) rules.
However, an IIT professor, who is also a member of the National Security Advisory Board (NSAB), has come up with a contentious solution that he believes can forge a middle path between the demands of the government and the compulsions of WhatsApp.
In a conversation with Moneycontrol, Indian Institute of Technology-Madras Professor V Kamakoti, who is also a member of the National Security Advisory Board, spoke about the feasibility of enabling traceability without having to break the end-to-end (E2E) encryption, a point of contention between the two sides.
Technical feasibility
On May 25, Facebook-owned messaging platform WhatsApp sued the central government, stating that end-to-end encryption cannot be broken and that the privacy of users is at stake if it were to comply with the government’s mandate of traceability.
According to WhatsApp, enabling traceability means breaking the E2E encryption, which also compromises privacy.
Experts say that while traceability with some guarantees may certainly be possible technically, the effectiveness of such methods is questionable.
In a submission he made last year during a public interest litigation (PIL) hearing on encryption and traceability at the Madras High Court, Kamakoti offered a middle ground and a possible alternative.
He had proposed two solutions to enable traceability: one, everyone gets the WhatsApp forward along with the originator of information with end-to-end (E2E) encryption intact, and two, the originator of information is encrypted on top of the end-to-end encryption and only WhatsApp holds the key to decrypt the former.
Let us take a step back and understand how WhatsApp’s E2E encryption works and what Kamakoti's proposal suggests.
In simple terms, the key to decrypt the message is stored only in the user's mobile. No one else can decrypt it, not even WhatsApp, which offers end-to-end encryption. There is no change proposed to this.
Now what Kamakoti is suggesting is to keep the E2E intact, but have another round of encryption for the originator information, which only WhatsApp can decrypt using a key only available to it.
What Professor Kamakoti has suggested involves “an incremental change” to the way it works currently.
“Keeping the end-to-end encryption intact, WhatsApp can encrypt the originator of information (EOI) and this information is forwarded along with every message. However, only WhatsApp/Facebook will hold the key to the EOI. Whenever a problematic message is sent to the law enforcement authorities, they will reach out to WhatsApp to decrypt the message,” explains the IIT don.
Here, WhatsApp will have the choice to reveal the originator information based on its community guidelines, giving the process checks and balances.
“Suppose they say they will not give it (originator information), then there will be an arbitration process. But there is a check here. Just because people (enforcement authorities) ask for the originator it would not be given to them. And WhatsApp can play an important role because, ultimately, whether they want to disclose or not is in their hands,” adds Kamakoti.
He further explains that the process does not break E2E since it requires additional encryption of the originator on top of the existing encryption methods.
“I am sending you a message, which is encrypted. There is another encryption, which is the EOI. So as far as the user is concerned, that is not changing the way the system is working,” he adds.
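The two-layer arrangement described above, modelled as an added example (not code from WhatsApp or from Kamakoti's submission). It assumes the platform stamps the sealed originator tag when a message is first sent, and it uses an HMAC-based construction from the standard library in place of a vetted AEAD cipher; all names, keys and the phone number are constructed.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a vetted AEAD cipher.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified data")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

PLATFORM_EOI_KEY = os.urandom(32)  # assumption: exists only on the platform's servers

def send_original(sender_number, pair_key, text):
    # Body: end-to-end layer (endpoint key). EOI: second layer (platform key).
    return {"body": seal(pair_key, text.encode()),
            "eoi": seal(PLATFORM_EOI_KEY, sender_number.encode())}

def forward(envelope, key_in, key_out):
    # The forwarder re-encrypts the body for the next hop; the EOI rides along opaque.
    return {"body": seal(key_out, unseal(key_in, envelope["body"])),
            "eoi": envelope["eoi"]}

def reveal_originator(envelope):
    return unseal(PLATFORM_EOI_KEY, envelope["eoi"]).decode()

def can_open(key, blob):
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False

def demo():
    k_ab, k_bc = os.urandom(32), os.urandom(32)  # constructed pairwise E2E keys
    fwd = forward(send_original("+00 00000 00001", k_ab, "constructed sample text"), k_ab, k_bc)
    return {"originator": reveal_originator(fwd),
            "recipient_reads_body": unseal(k_bc, fwd["body"]).decode(),
            "platform_reads_body": can_open(PLATFORM_EOI_KEY, fwd["body"]),
            "recipient_reads_eoi": can_open(k_bc, fwd["eoi"])}
```

The revealed value is only the registered number the platform saw at first send, so it inherits the number-to-person gap discussed later in the article.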
According to Kamakoti, this is not a complex process to implement as they already manage millions of messages. He bases his conclusions on a feasibility study he had conducted and believes it is possible.
Given that it is a change - incremental though it might be - Kamakoti’s proposal would need both the government and WhatsApp to work together.
WhatsApp did not respond to Moneycontrol’s query on technical feasibility or whether it would be willing to work with the government on this.
Privacy debate
The process is not without criticism, especially from digital rights activists, who have pointed out, rightly, that it could be easily taken advantage of, compromising privacy.
The Internet Freedom Foundation, in its submission to the Madras High Court last year during the course of the PIL, highlighted the impact of Kamakoti's proposal on the fundamental right to privacy, particularly for whistleblowers, activists, journalists, abuse survivors and other individuals belonging to marginalized groups who are at highest risk of violence and harassment if their identity was disclosed.
In response to privacy issues, Kamakoti says that “There is privacy and then there is anonymity. This is more about anonymity. That is one part. I am not going to get into the debate of privacy versus anonymity. But somewhere, there should be a balance between national security and privacy/anonymity.”
The IIT (M) professor raises some interesting, hitherto unasked questions. “There's a right to privacy. Is there a right to anonymity? Are they both synonymous or different? These are all being debated. Let us assume that both are the same, but there should be a balance between the right to privacy/anonymity and national security,” he argues.
To achieve this fine balance, Kamakoti says, this is the best bet.
Process loopholes and mitigation
Manoj Prabhakaran, IIT-Bombay professor in the Department of Computer Science and Engineering, in his submission to the Madras High Court had pointed out gaps in the proposal and ways to mitigate them.
One of the key concerns is impersonation.
WhatsApp registration relies only on a mobile number, verified with a one-time password (OTP). There is no other identity linked to it.
Experts point out that this makes falsification easier.
Explains Subhashis Banerjee, Professor, Computer Science Department, IIT-Delhi: “Anyone with resources will be able to generate the message and forward, sitting in any part of the world. There is nothing that can be done about it.”
According to him, the onus is also on the enforcement authorities to prove that it is indeed the person with the said number who sent the message, something that person can easily deny. Second, there are multiple ways an identity can be stolen.
In his submission, Prabhakaran pointed out that even digital signatures, a way to mitigate spoofing, do not guarantee protection since cybercriminals can use malware to intercept OTPs, and use the number to send messages!
This brings the effectiveness of traceability into question.
Limited effectiveness
IIT-Delhi's Professor Banerjee believes that there is no easy way to solve the identity problem and the only method to combat anonymous messaging, which is prevalent, is education.
“In the long run there is no other effective way to solve this issue without linking phone numbers and digital identities to real identities in a failsafe way worldwide. Just looking at the traceability issue without a comprehensive analysis of the ‘phone number security issue’ does not really serve any purpose,” he adds.
Kamakoti agrees with the critiques that the method might not be effective as the phone numbers can be spoofed.
“But again, my take is, this is an aid to investigation. This is the starting point. Even if the number is spoofed, we will know that it is spoofed, and that is where effectiveness will come in,” he explains.
In addition, this may also serve as a deterrent to sending large scale messages that could cause communal riots.
Pointing to fake news about the pandemic spreading on WhatsApp, Kamakoti states that “There will be some sort of curtailing, and there would be some accountability. COVID-19 is a life and death problem. So, people should have some accountability when making mistakes.”
What now?
It should also be noted that while WhatsApp has sued the government over traceability under the new IT rules, it has, in recent weeks, forced users to accept its new privacy policy; those who do not could face limited functionality.
The new privacy policy allows more data sharing with its parent company Facebook from third party users. While it has postponed the implementation till India’s personal data protection bill comes into effect, the move has been criticised by the government as an invasion of privacy.
India's competition watchdog is also currently investigating the new privacy policy and abuse of dominance.
Now, a lot depends on what the courts rule about the privacy of citizens and the role of traceability in ensuring national security.