Encryption is the new challenge facing law enforcement not just in India but around the world. Social media apps such as Whatsapp and Viber have gone ahead and provided end-to-end encryption (E2EE) communications to users. Law enforcement officials have said that this makes it impossible for them to engage in legitimate monitoring of communications by terrorists and criminals.
Encryption is not a new technology and forms the backbone of secure communications and data transmissions over the Internet. Without encryption, financial transactions and secure data transmission would be impossible. Efforts by social media companies to encrypt their data is a more recent phenomenon and is a direct fall-out of the mid-2013 Snowden revelations. Apps like Telegram were created offering end-to-end encryption following the revelations and existing apps like Whatsapp followed suit, partly to retain market share, and partly so that they would not have to respond to requests for data and information from law enforcement agencies. When WhatsApp started, the messages that one user sent would be saved in plain text without encryption in the servers which made it possible for a third party to intercept the communication. Ever since 2013, WhatsApp has been encrypting data for its communications now culminating in a strong end-to-end encryption.1
In social media apps, using E2EE encryption means that only the sender and receiver can read the encrypted data because the key to decrypt the data lies only with the end user. No other entities including the service provider has the capacity to decrypt the data even though the data travels through their servers.
Not all social media platforms use end-2-end encryption. There are some apps like Facebook Messenger where encryption applies only to the data in transit.2 Other apps encrypt the data but store the decryption keys thereby creating the possibility for inspection by law enforcement agencies. Apps like Snapchat encrypt only data in transit but the messages are deleted from the server once the recipient reads it.
In general, there are two kinds of encryption. In Symmetric Encryption or Secret Key encryption, the same key called the secret key is used to encrypt and decrypt the data or message. It is a very simple method of encryption but the challenge is to preserve the secret key from unintended recipients. If A wants to send a message to B, A encrypts the data using a secret key and shares the key with B to decrypt and read the message.
In Asymmetric Encryption or Public Key Encryption, different keys are used to encrypt and decrypt the data or message. It is a complex but efficient method of encryption. A public key known to all is used to encrypt the message and a private key, only available with the recipient, is used to decrypt the message. Public key is like finding a telephone number in a directory where each person has his own public key. If A wants to send a message to B, A encrypts the message with B’s public key which is available in the public domain. The recipient of the message, B, uses his/her private key to decrypt the message. In a similar way, B uses A’s public key to encrypt and send a message to A. A decrypts that by using his/her private key. In this case, A and B have different public and private keys.
WhatsApp uses a more complex version of Asymmetric encryption where the private key varies for each message that is sent.3 All this encryption happens without any need for intervention from the user. WhatsApp uses three public keys named Identity Key, Signed Pre Key and a bunch of One-Time Pre Keys. During the registration of the user, all these keys are generated and sent to the WhatsApp server where it is stored. Thus, each WhatsApp user sends these keys to the server where it is stored in a directory. If A wants to communicate to B, s/he requests the public keys of B from the server. A then receives three public keys of B. Since there are a bunch of One-Time Pre Keys, a single One-Time Pre Key is allocated to A and, after allocation, gets deleted from the server. In case C wants to communicate with A, s/he will receive a different One-Time Pre Key. Using the 3 public keys of B and A’s Identity Key, a Master Secret Key is generated. Using the Master Secret Key, a Root Key is generated. Using the Master Secret Key and the Root Key, a bunch of Chain Keys are generated. A Message Key is generated based on Chain Key and varies for each message sent. The sender, A, encrypts the message to B using this Message Key. The receiver, B, decrypts the message using his/her private key and public key. The private key is generated at the user end and is not stored even in the server of WhatsApp. In a similar way, B generates a Master Secret Key using A’s three public key and his/her Identity key. Root Key and Chain Keys are derived from the Master Secret Key. Message Key derived out of the Chain Key finally gets used to encrypt the message to A. It is evident that the number of keys generated adds complexity to the encryption thus making it near impossible to break in.
Section 84A of the IT Act 2008 calls for encryption to keep the electronic medium secure, and also mentions that the Central Government would prescribe the methods of encryption. The telecom sector is limited to the encryption of 40 bits.4 Section 69 of IT Act 2008 gives power to both Central and State Governments to intercept data taking into account the security of the State. The agency facilitating the transfer of data could also be mandated to decrypt the data.
WhatsApp, which is one of the Over The Top (OTT) messaging and calling service, uses encryption that is far more sophisticated than that of the telecom sector. There is also no clarity on whether WhatsApp could be requested to decrypt data according to law. Now, after the transition to E2EE, there is no way for WhatsApp to provide decrypted information even when legally bound to do so.
In a recent move, the Ministry of Home Affairs asked companies like WhatsApp, Facebook, and Google to maintain servers in India.5 With companies moving to E2EE, locating servers in India would not serve the cause. The 2015 draft encryption policy recommended the use of 256 bit key for encryption and promoting the use of digital signatures thereby envisioning a secure cyberspace. However, certain contradictions in the provisions regulating encryption that mandated users and companies to preserve the plain text and companies providing encryption to enter into an agreement with the Government were harshly criticized and led to the withdrawal of the policy.6
Therein lies the crux of the issue. On the one hand, a strong policy of regulation would hamper innovation in encryption technology, and, on the other, unregulated encryption would favour miscreants to use the technology for their activities. The need of the moment is a policy that does not come in the way of innovation but at the same time reduces undue opportunities for criminal and terrorist activities.
Views expressed are of the author and do not necessarily reflect the views of the IDSA or of the Government of India.