
Hoax bomb threats, vexed cops: Why India wants to block ProtonMail, and is it justified

Switzerland-based ProtonMail has found itself in the crosshairs of the Indian government as it seeks to block the platform. The encrypted email service provider's users range from tech executives to actors on the dark web due to the safety it assures. Will blocking solve the problem?

February 21, 2024 / 14:44 IST
On February 8, several schools in Chennai received a hoax bomb threat over email

In the early hours of an unusually warm December morning last year, Nooraine Fazal, the co-founder of Inventure Academy, a private co-educational school in the Sarjapur area of Bengaluru, woke up to an email from an encrypted email provider that landed in one of the school’s email ids.

The subject of the email read “IMPORTANT”, and the first line of the email, the contents of which Moneycontrol has reviewed, read, “There are explosives on the school grounds.”

Fazal quickly checked with other schools and journalists to figure out if Inventure was the only school to have received the threat.

“When you know you are not the only one who is getting the threat, you take some comfort in that. Those I contacted did not think that there would be any legitimacy to the threat,” Fazal told Moneycontrol.

However, since the safety of students was paramount, Fazal initiated the evacuation protocol.

School buses equipped with GPS left the premises by 10.30 am, and parents were advised to track them and make arrangements to receive their wards. Within the next couple of hours, the students were dropped safely at their homes.

However, as Fazal had suspected, the threat turned out to be a hoax. Her suspicions also originated from the fact that this was not the first time that a similar incident had taken place.

Not the first time

In April 2022 too, Inventure Academy, as well as a few other schools in Bengaluru, had received a similar bomb threat mail that originated from encrypted email service providers.

And it is not just schools in Bengaluru that are being targeted. Several such fake bomb threats have also been reported from Chennai, as recently as February 8, 2024.

Sadly, for school principals and administrative officials like Fazal, these bomb threat hoaxes have become one of the “loss days” – such as a bandh, or a flood, or a law and order situation – that the administration has to factor into its academic calendars.

D Shashi Kumar, Secretary of the Association of Primary and Secondary Schools of Karnataka, said, "Multiple schools in the city have received bomb threat mails three to four times in the last two years. Since the police have not nabbed the culprits, these incidents keep happening."

While police have amped up their efforts to trace the perpetrators who use such encrypted email platforms for spreading hoax bomb threats, their efforts have largely been unsuccessful.

Why cops have lost patience

With these concerns in mind, a Tamil Nadu cyber crime police official recently requested the Ministry of Electronics and Information Technology (MeitY) to block one such encrypted email service provider – ProtonMail.

ProtonMail is a Swiss end-to-end encrypted email service founded in 2013 and headquartered in Plan-les-Ouates, Switzerland. As of April 2023, 100 million accounts were recorded on the platform.

Due to the safety ProtonMail guarantees, its users range from executives of startups and tech companies, journalists and activists to bad actors such as the ones who send such fake bomb threats.

While Moneycontrol learns that the blocking orders for ProtonMail are under process, experts opine that blocking access to such email service providers would be a “disproportionate move”, with well-meaning users of such platforms bearing the brunt.

The investigation roadblock

On February 8, 2024, 13 schools in Chennai received hoax bomb threat emails. The service provider for the emails sent to the 13 schools was allegedly ProtonMail.

Following that, the Tamil Nadu police began its investigation into the matter. However, it bore no fruit.

In Bengaluru, three such incidents were reported. In April 2022, around 25 schools received similar emails, and again in June 2022, threat emails were sent to a few more schools. In December 2023, emails with threats were reported in 68 schools. Following the December incident, the police filed 27 FIRs at multiple police stations. Most schools received the email from the same ID, and the content was almost identical.

Bengaluru city police Commissioner B Dayananda told Moneycontrol, "We have not made any headway, but we have requested details through Interpol."

Speaking to the publication, D Ashok Kumar, the superintendent of police in the Tamil Nadu Cyber Crime Wing, said, "We are unable to find the culprits. They (ProtonMail) will never share user information. We are unable to get IP addresses, mobile numbers, backend of the email address - because the platform is end-to-end encrypted."

“For Gmail, we can easily get the senders’ address. They are very transparent. They are very open to us. But Proton is very unresponsive to government agencies,” Kumar said.

Unable to find a way to trace these actors, Kumar, a few days after the bomb threat, requested the IT ministry to block ProtonMail in India. The official is also the state's nodal officer for blocking orders under the IT Act, 2000.

“There are other email platforms also like this which are being used by actors who are active on the dark web. There is Alpha Mail which cannot be traced. They are all being used for illegal activities. The main problem is that these emails are end-to-end encrypted,” Kumar said.

Moneycontrol has reached out to Proton, the Swiss technology company that has developed ProtonMail, with detailed queries on the issue. The publication has also reached out to Google with queries on how it complies with information requests from Indian law enforcement officials. The article will be updated when a response is received.

Kumar’s views on end-to-end encrypted platforms echo those of the Indian government, which in 2021, through the Information Technology Rules 2021, introduced an obligation for platforms to reveal the first originator of a message.

For encrypted messaging platforms like WhatsApp or Signal, it would mean breaking encryption to reveal such information. Digital rights activists have pointed out that this would have immense ramifications for the privacy of an individual. This provision of the IT Rules is currently facing a legal challenge, and is pending at the Supreme Court.

To block or not to block?

This is not the first time that ProtonMail has courted controversy. In 2020, the email service provider was blocked by Russia's telecom watchdog Roskomnadzor along with Dutch encrypted email service StartMail.

This move to block the email service providers, too, was the result of a wave of bomb threats that had targeted Russian schools, universities, healthcare facilities and shopping malls in late 2019.

Legal and digital rights experts Moneycontrol spoke with recognised the difficulties that law enforcement officials have to face while dealing with misuse of encrypted platforms. However, they also raised questions on the possible impact a block on such a platform would have on lawful users.

Prateek Waghre, executive director of Internet Freedom Foundation, said, “Essentially, if the platform is blocked, it would be a massively disproportionate move and well-meaning users of ProtonMail would bear the brunt. While this is indeed a challenge for law enforcement, the response cannot be disproportionate and ham-fisted. Malicious actors will simply use another service the next time.”

“The block on ProtonMail by the Indian government highlights the complex balance between national security concerns and the importance of digital privacy and freedom,” said Aviral Kapoor, partner at Alagh and Kapoor Law Offices.

“By categorising the service’s block as a measure against potential security threats, it underscores the challenges governments face in combating misuse of encrypted platforms. However, this move also raises questions about the impact on lawful users and the precedent it sets for access to secure communication tools, reflecting the ongoing global debate on privacy versus security,” he added.

Arun Prabhu, partner (head - technology & telecommunications) at Cyril Amarchand Mangaldas, said, “Globally, intermediaries are subject to notice and takedown regimes, as well as law enforcement requests. Most intermediaries evolve mechanisms to comply with lawful requests or challenge unlawful ones. A general failure to comply may invite regulatory actions which include bans.”

IFF’s Waghre also said, “In general, one needs to zoom out of the present situation, the responsibility is on the Indian state to work with other countries to establish procedures and safeguards that can be called upon in such situations…”

With inputs from Christin Mathew Philip


Aihik Sur covers tech policy, drones, space tech among other beats at Moneycontrol
first published: Feb 21, 2024 02:14 pm
