Alternatively, the lessons on building a digital panopticon.
Can we build backdoors within secure E2E encryption? No.
Can we circumvent secure encryption without breaking it? Perhaps.
Are there known methods to do so? No.
In recent years, governments around the world are engaging in discussions to circumvent E2E encryption without breaking it (if not altogether banning E2E encryption). Governments claim that an invisible veil (i.e., the E2E platform itself) enables terrorists, trolls, and other offenders to carry out clandestine conversations.
A ‘traceability mandate’ is a buzzword in this scenario. Traceability translates to the ability to identify the author of a message (in the current context, without breaking the encryption). In India, although conversations on traceability gained fervor after the notification of the Information Technology (I ntermediary Guidelines and Digital Media Ethics Code) Rules, 2021 which mandated a traceability feature, conversations on traceability predate the Rules.
In 2019, in response to a direction by the Madras High Court relating to a pending proceeding, Professor V. Kamakoti of IIT Madras submitted a technical report on the feasibility of circumventing E2E encryption. In his technical report, Professor Kamakoti proposed to add to the original message the originator’s information; which does not break encryption but enables traceability. Even if the receiver of the message were to forward the message to other contacts, without copy-pasting or modifying the original message, the originator information shall remain attached to the message. If the message is copy-pasted or modified, the originator information changes to the modifier’s information.
To elaborate, if X sent a message (M) to Y and Y to Z and Z to others. Along with the message (M), information about X will piggyback with the message (M), provided that none of the receivers of message (M) copy-paste or modify the message when they forward message (M).
Professor Kamakoti formulated two variations of the proposal. The first variation exhibited the originator information to everyone and the second variation limited access to the originator information to law enforcement agencies (LEAs) upon request to WhatsApp.
At the outset, this proposal seemingly solves the problem. Trolls, abusive messages, and misinformation may be traced back to the author and the author shall be subjected to the full extent of the law. However, although well intentioned, these promises are hollow like the Trojan Horse and like it heralds problems.
We are not concerned with the technical feasibility of this proposal; that has been discussed elsewhere. Our observations are regarding the effect of this proposal, if implemented, on democracy – specifically free speech.
Like trolls, abusive messages, and misinformation, any message including dissent, bona fide criticism and politically critical ideas may be traced back to the author of the message. An unscrupulous government can identify dissidents or track their communications.
For instance, if X sent a message (M) to Y and message (M) is a political satire of the incumbent government; if message (M) reaches an irascible government, the government has information of the author of the message, and it may proceed to harass, prejudice, or persecute X.
In such instances, out of fear of falling foul with the government, citizens or residents may choose not to pursue the full extent of their free speech. This leads to a chilling effect on free speech.
Both variations of Professor Kamakoti’s proposal suffer the same vice; they can inherently chill free speech. If the first variation is implemented (i.e., originator information is open to all), the author of a dissent, politically critical message, or satire may be subjected to trolls, prejudice, or harassment by the general public. An implementation of the second variation (i.e., only law enforcement may have access) is even more concerning. Since a government agency has access to private conversations, a surveillance regime ensues. Like a panopticon, the dissidents and satirists, similar to the protagonists of Kafka and Orwell, will live in eternal damnation of not knowing who has seen their private conversations. Indeed, Professor Kamakoti suggests that LEAs can only obtain the originator information from the service provider; however, if the LEAs is to reason it out on the lines of national security or public order, what option does the E2E platform have but to comply.
Perhaps out of respect for such concerns, elsewhere, the Professor recommends that messaging platforms include a not-forwardable option which limits the reach of the message to the intended recipient only. Yet, evidently, if a sender should undertake this exercise, out of fear, is it not a suggestion of the chilling effect of the proposal? Moreover, there is no guarantee that the originator shall remain secret despite enabling the not-forwardable option. The receiver of the message can copy-paste, modify, or screenshot the message and send it elsewhere. Although the originator’s information remains that of the modifier, an interrogation of the modifier shall trace the message back to the original author.
According to Professor Kamakoti traceability mandates by totalitarian regimes in E2E communications is in the best interests of the user since messages cannot be wrongly attributed to them. The glaring point the Professor misses is that in totalitarian regimes people usually forgo their right to speak their minds for the sake of their lives. A traceability mandate shall enforce suppression of speech not its facilitation.
Although the Indian government’s recommended modus operandi to enforce traceability differs from the Kamakoti proposals, these proposals are still discussed as a solution without regard to its inherent democratic implications. If allowed, this Trojan Horse can legitimize a digital panopticon where surveillance is omnipresent.