Pages

18 November 2023

Considering India’s Encryption Policy Dilemma

ANIRUDH BURMAN

SUMMARY

The increasing ubiquity of encryption as a tool for protecting communication has led to increasing calls for developing technical solutions to weaken it for law enforcement and national security purposes. No consensus has, however, been developed on how to do this without weakening the security and integrity of communications platforms that use encryption.

This paper examines different solutions that have been proposed in the context of India’s specific imperatives for seeking access to encrypted communications. The objective of this research is to place different encryption-weakening technologies or workarounds in the context of national security and law enforcement agency (LEA) activities in India, and the tools and mechanisms they employ for meeting their objectives. Through this analysis, this paper highlights the pros and cons of different encryption-weakening solutions or workarounds and tries to identify the least imperfect alternative. In doing so, it considers which alternatives would meet the specific requirements of national security and LEAs and how these alternatives should complement, rather than supplant, existing tools and mechanisms.

In a previous paper in this series, my co-author and I laid out the different dimensions of the encryption debate as they are taking place in India, leading up to new rules imposed on social media intermediaries.1 These rules mandated the “traceability” of encrypted communications that Indian law-enforcement authorities were interested in.2 While these rules are currently in abeyance due to ongoing litigation, they highlight the seriousness of the Indian government in devising mechanisms to access encrypted information. In that previous paper, we provided detailed background on three imperatives for weakening encryption in India:

1.Maintaining national security

2.Maintaining public order and regulating hate speech and fake news

3. Facilitating other criminal investigations and combating proliferation of child sexual abuse material (CSAM)

This paper begins by analyzing the specific requirements of access to encrypted communications by Indian national security and law enforcement agencies in each of these cases. The paper then provides a brief overview of how the Indian national security and law enforcement apparatus respond to these threats at present, including the existing mechanisms to access encrypted information.

The next part of the paper analyzes the need to weaken encryption in the context of this information about existing use. It lays out the factors to be considered when thinking about mechanisms to weaken encryption, the most obvious one being the availability of alternatives. After this, the paper examines the different policy and technological alternatives that are available for weakening or bypassing encryption and compares their respective benefits and risks.

Though the consequences of weakening encryption can potentially include the infringement of privacy and, in some cases, have an indirect effect on free speech, this paper restricts its focus to the direct relationship between encryption and the safety and security of online communication. The ensuing consequences of this weakening of communication safety and security are contingent on several contextual factors and do not necessarily help determine which technical alternatives best help maintain the security of online communications.

THE DEMAND FOR WEAKENING ENCRYPTED COMMUNICATIONS

India faces both common and distinct law-and-order and national security issues that create a demand for accessing encrypted communications. Social media companies, especially messaging platforms, have had to bear the brunt of these demands. Platforms like WhatsApp, Instagram, and Signal deploy end-to-end (E2E) encryption and have had to deal with increasing calls for providing information that the platforms claim will significantly compromise their security.

This is because in E2E encryption, only the sender’s and recipient’s devices of the communications have access to the keys required for encryption and decryption. This prevents anyone else from compromising communications between individuals. This almost completely secure channel of communication has also enabled the use of encrypted communications systems for illegal and dangerous uses. This negative aspect of the use of E2E encrypted platforms has been of concern to law enforcement and national security agencies worldwide because of the difficulty in gaining access to such communications.

India, too, faces multiple national security issues, including the threat of adversary nations on its borders and internal security issues. In addition, law enforcement often requires access to encrypted communications for criminal investigations and crime prevention, specific imperatives of which, along with their respective requirements, are discussed below.

MAINTAINING NATIONAL SECURITY

India’s national security requirements stem from external threats from hostile neighbors,3 as well as internal threats like left-wing Naxal insurgent groups that basically replaced the state machinery through armed violence in states like Chhattisgarh.4 National security requirements, therefore, necessitate targeted surveillance of terror and insurgent groups and affiliated individuals, analysis of communications during investigation of any incidents, and prosecution of those accused of having violated national security laws such as the National Security Act, 1980.5 In many such cases, it is critical to have access to communications and communication devices without alerting suspects. The significance of this was highlighted when terrorists used BlackBerry devices during the attacks in Mumbai in November 2008.6

Technical alternatives for accessing encrypted communications that would alert the suspect are not feasible in many such situations. In addition, certain aspects of national security are time-sensitive, and lack of access in a timely manner frustrates such objectives. Effectively combating national security threats, therefore, requires targeted and continuous surveillance, usually without the knowledge of the individuals involved. This implies that policy and technological options for accessing E2E encrypted communications for national security purposes have to suit these specific requirements.

This, however, does not take away from conventional monitoring and surveillance operations that do not rely on access to encrypted information. These include7:

i. Guessing passwords that protect the keys;

ii. Compelling disclosure from persons other than those targeted (this is possible only if the person to be compelled has already been identified and is accessible);

iii. Reading plaintext messages by getting access to the device(s) to read the messages from the keyboard or the screen when they are in unencrypted form (this will require remote access to the device); and

iv. Gaining access to chat groups or forums to track problematic communications and develop investigative leads.

As a 2021 paper notes, in the United States, only 0.2 percent of the total wiretaps ordered between 2012 and 2015 encountered unrecoverable encryption.8 A look at more recent numbers, however, suggests that the proportion of cases in which the U.S. investigative officials encountered undecipherable encryption has increased. In 2022, of the total number of total wiretap orders, an overwhelming proportion of cases involved some form of encryption that could not be deciphered during a wiretap.9 This suggests both that encryption is encountered in a relatively small but increasing percentage of wiretaps in the United States, but in such cases, LEAs are usually unable to break encryption.

While encryption workarounds do not necessarily need to substitute or replace traditional investigative and surveillance techniques, encrypted communications do present a distinct challenge for national security and LEAs.

MAINTAINING PUBLIC ORDER AND REGULATING HATE SPEECH AND FAKE NEWS

Indian law criminalizes “offences against public tranquility” such as rioting, provocation to riot, and promoting enmity on grounds of religion, race, place of birth, language, and so on.10 Preventing the commission of these offenses requires access to communications in a timely manner. Hate speech or fake news proliferating through online communication platforms has led to incidents of violence and public disturbances in India in the recent past.11 Access to encrypted information is required to trace the spread of such information and identify those responsible. This has been one of the motivating factors for the Indian government’s traceability requirements.

In the absence of these abilities, the Indian state has had to respond with blunt mechanisms like internet shutdowns in certain situations—most noticeably deployed in Jammu and Kashmir after the repeal of Article 370 of the Indian Constitution in 2020,12 in areas of Delhi to prevent the rapid escalation of farmers’ protests in 2021,13 in Punjab to prevent further deterioration of the law and order situation in March 2023 after extremist outfits gathered a mob to break one of their accomplices out of prison,14 and in Manipur to manage the law and order situation in the recent months.15

Technical solutions for accessing E2E encrypted information in such cases have to provide LEAs with the ability to trace the dissemination of communications that threaten public order and safety. To facilitate this, the Indian government mandated traceability requirements for social media communications platforms in 2021.16 These requirements have been challenged in Indian courts, as WhatsApp and other platforms have argued that implementing such requirements would not be possible without compromising the security measures deployed on their platforms and mean the end of E2E encryption.17

FACILITATING CRIMINAL INVESTIGATIONS AND PREVENTING THE PROLIFERATION OF CSAM

Child sexual abuse material is a serious problem in India. A news report states that in 2019, the U.S. National Center for Missing and Exploited Children received “16.9 million suspected CSAM reports, of which nearly 1.98 million were from India—the single-largest out of 241 countries.”18 Professor Susan Landau however cautions against blind acceptance of CSAM figures. According to her, “Facebook found that over 90 percent of the reports the company filed with NCMEC in October and November 2021 were ‘the same as or visually similar to previously reported content.’ Half of the reports were based on just six videos.”19 While this does not take away from the problem of CSAM, it does help place the scale of the problem in context.

In addition to CSAM, LEAs require access to encrypted communications for investigative functions. The security of E2E encryption has hindered these efforts and led to calls for mechanisms to compel disclosure or to weaken E2E encryption. However, as listed above, there are conventional mechanisms through which LEAs can often access such information. The investigative prerogatives of national security agencies and LEAs have prompted calls for workarounds to encryption, including the creation of “back doors,” key escrow requirements, and other proposals discussed later in the paper.

LEAs can deploy any of the aforementioned techniques for targeted surveillance for national security objectives, as well as for investigation and prosecution. In recent years, they have successfully accessed encrypted information in many cases without having to use technical measures to break or bypass encryption.20

In addition, they can also try to access plaintext copies of relevant communications, such as those lying with cloud service providers. This is, however, becoming more difficult as platforms have now started offering users the option to encrypt their backups as well.21

As can be seen, access to encrypted communications is required for both preventive as well as investigative purposes depending on the situation. In some situations, this access is required without the knowledge of the concerned individuals, while keeping the individuals in the dark is not critical in other situations. Further, different kinds of criminal activities dictate different time sensitivities with regard to the need for access. The need to prevent CSAM content from proliferating, or the need to prevent communication that could lead to public disorder situations, creates more immediate needs for access than other situations, for example, when LEAs are investigating a drug-related offense. Clearly, different technical and policy proposals may have varying levels of effectiveness in meeting each of these different contextual requirements.

It is clear that getting access to encrypted communications is one of the many options that may be used for each of the aforementioned requirements. Conventional investigation and surveillance mechanisms that do not rely on access to E2E encrypted communications can also be used by national security agencies and LEAs in many cases. However, in some cases, the immediacy of the threat and the severity of the potential injury could be such that access to encrypted communications is indeed the most effective approach.

PROPOSED SOLUTIONS FOR ACCESSING ENCRYPTED COMMUNICATIONS

Below are some of the most proposed mechanisms for accessing encrypted communications.

REGULATING ENCRYPTION KEYS USED IN COMMUNICATION PLATFORMS

This would enable LEAs to access encrypted communications because it would limit the strength and types of encryptions that communication platforms are able to deploy. The Draft Encryption Policy released in 2015 empowered the Indian government to define encryption key sizes and algorithms.22 The draft was eventually withdrawn, and no similar proposal has been made since.

This solution would presumably help access encrypted communications because government agencies will have capabilities to break encryption once its type and strength are regulated.23 This should enable LEAs to trace the proliferation of problematic content. Regulating the strength of encryption keys would enable LEAs to access encrypted data to identify the proliferation of CSAM and the perpetrators in this regard.

Deploying this technique would enable LEAs to partially meet their objectives as they would be able to trace the spread of fake news, hate speech, and CSAM. However, they would not be able to prevent the spread of problematic communications in the first place.

For national security investigations, this would enable government agencies to access encrypted communications in different situations and contexts. However, as a 2016 global survey of encryption products finds, “switching is easy.”24 The report implies that smart criminals wishing to avoid surveillance will simply switch to products over which their government has no jurisdiction.

Therefore, even though the proposal achieves the technical objective of providing access to encrypted communications, in practice, it is easy to avoid such regulation. The negative costs of having compromised the security of E2E encryption would outweigh the benefits of this solution.

KEY ESCROW MECHANISMS

Key escrow mechanisms, either centralized or device-based, can help national security agencies access communications through a copy of the decryption keys stored with a trusted third-party agent. In the 1990s, the Clipper Chip model proposed in the United States involved adding hardware into the device for storing decryption keys. This model was later scrapped due to design flaws.25

Proposals for key escrows have since been further developed. For instance, a recent recommendation has suggested storing the decryption keys on the device to circumvent cybersecurity risks.26 In India, an escrow-like model was presented as part of a technical proposal to the Madras High Court to trace the source of a message through metadata.27 One of the important differences in the design of the solutions is whether the key should be stored centrally with the service provider, a third-party entity such as a government agency, or in a decentralized manner on the device itself. While the first two options would enable easier access for government agencies, they would create a single point of vulnerability in the process.

This is a serious issue. Key escrow creates a single point of failure for access to sensitive data by both state and nonstate actors. The nature of systemic externality, however, depends on the design of the escrow mechanism. As per one scholar, all known methods of third-party escrow are incompatible with E2E encryption that incorporates forward secrecy.28

Key escrow would enable agencies to implement targeted surveillance and give them access to encrypted communications without necessarily having to alert the targeted individuals. However, it is unclear if escrow mechanisms would allow LEAs to control rapid proliferation of information that leads to public disorder or violence. This is because escrow keys would enable access to specific devices, rather than help directly trace the originators of problematic communications.

The LEAs would be able to access information and content stored on devices of those sending and receiving CSAM content. This will enable LEAs to identify offenders but not necessarily to prevent proliferation. Therefore, the key escrow mechanism helps achieve only some government objectives. At the same time, the design of the key escrow mechanism can create significant vulnerabilities in the security of E2E encrypted communications that may not offset the benefits of implementing the mechanism itself.

MANDATED BACKDOORS, TECHNICAL CAPABILITY NOTICES, AND GOVERNMENT HACKING

This method requires communications services to create vulnerabilities or “backdoors” in their platforms that can be exploited by government agencies in exceptional situations.29 The implementation of a backdoor would give national security agencies exceptional access to encrypted communications and aid the speed and efficiency of their investigations.

Technical capability notices (TCNs) aid law enforcement agencies by mandating intermediaries to create backdoor access to encrypted communication.30 The practical effect of this would presumably be the same as a mandated backdoor. Australia’s Telecommunications and Other Legislation Amendment Act 2018 and UK’s Investigatory Powers Act 2016 allow for TCNs. At present, there are no publicly known instances in which TCNs have been issued.

Government hacking is operationally similar to having the technical capability for developing backdoors.31 Mechanisms such as leveraging vulnerabilities in the software or the hardware or deploying malicious software are some methods of government hacking.32 Typically, these tools are directed at specific accounts or devices, but they can be used across all accounts or devices using similar software.

The utility of these mechanisms is, again, limited. These methods do not help in reducing the circulation of fake news. It may, however, allow LEAs to identify those engaged in proliferating fake news or creating disorder. So, it may help trace the culprits, but it will not be able to prevent the dissemination of problematic content.

The application of server-side backdoors would enable LEAs to decrypt and identify perpetrators involved in the proliferation of CSAM. Similarly, backdoors would help national security agencies conduct targeted surveillance without the knowledge of the suspects.

Each of the mechanisms discussed requires the deliberate engineering of vulnerabilities. The development of a vulnerability or a flaw creates loopholes in the E2E encrypted system that others can exploit. This would seriously compromise the security and efficacy of the E2E encryption communications service. This is not necessarily limited to one device but can function as a vulnerability that can be used to access communications across devices that use the same communications service and software.33

In addition, once communications service providers are legally mandated to create exceptional access mechanisms for government agencies, bad actors are likely to switch to services unregulated by the Indian state.34

TCNs and mandated backdoors have not been implemented in design yet, though countries such as the UK and Australia are in the process of implementing the required legislation. The systemic risks from this option are significant—though likely lower than the previous alternatives—due to the nature of the vulnerability being created.

TRACEABILITY REQUIREMENTS

Rule 4(2) of the Intermediary Guidelines impose this alternative on Indian “significant social media intermediaries.”35 Traceability would give national security agencies the ability to identify the originator of encrypted communications when conducting investigations for the purposes of national security.

By itself, traceability would, however, not allow access to encrypted communications. It requires communication platform companies to create mechanisms allowing for the tracing of communication that has already been identified but not for accessing the communication itself.

Traceability would enable the Indian government to achieve its articulated objectives of identifying the originators of offensive or illegal content. According to WhatsApp36 and others,37 this would, however, have serious downsides, such as requiring communications service providers to weaken E2E encryption and/or enable the government to potentially trace the entire life cycle of communications over E2E encrypted communications services.

WhatsApp has argued that implementing traceability would require breaking E2E encryption, since traceability requires the service providers to “store information that can be used to ascertain the content of people’s messages.”38 Others have disputed this.39

Implementing traceability requires the creation of a communications tracking mechanism implemented at a systems level across entire communications platforms. This is similar to the issues with the key escrow alternative.40

This assessment also does not consider that those with mala fide intent will likely switch to platforms where traceability requirements do not or cannot apply.

Therefore, traceability could be potentially effective in combating issues related to fake news, public order, and hate speech that are contingent on the ubiquity of a platform and the laziness of offenders. It may plausibly be less effective in meeting national security- and CSAM-related objectives where perpetrators would be more careful to avoid surveillance. This needs to be considered against the risks discussed above.

ON-DEVICE FILTERING/CLIENT-SIDE SCANNING

On-device filtering involves the use of algorithmic software to scan content stored on devices of suspected or targeted individuals. Such scanning can be deployed remotely to access content stored on the device itself. This allows for comparison of the hashes/digital fingerprint of a message, before it is shared, against that of flagged content.41

This alternative allows for detection of illegal or problematic content and its further proliferation. For example, on-device filtering would be an effective method in identifying and preventing the proliferation of CSAM as it would block it at the point of origin itself. However, in order to do so, governments need to have prior identification of the devices involved.

A paper by leading experts on cryptography argues that deployment of client-side scanning (CSS) tools on all devices makes encryption useless since the information has already been scanned for targeted content.

As most user devices have vulnerabilities, the surveillance and control capabilities provided by CSS can potentially be abused by many adversaries, from hostile state actors through criminals to users’ intimate partners. Moreover, the opacity of mobile operating systems makes it difficult to verify that CSS policies target only material whose illegality is uncontested.42

Rather than weaken encryption, this alternative gives law enforcement the power to read not just encrypted communications but also other information on an individual’s device. In addition, while CSS has currently been proposed mainly as a tool for identifying CSAM content, it would be difficult to prevent the expansion of its uses once it is deployed. The authors also argue that this provides adversary nation-states with opportunities to spy on a country’s devices on an industrial scale.

With respect to CSAM specifically, Laura Draper has proposed mechanisms to reduce the problem through mechanisms that do not require any weakening of encryption.43 Landau summarizes this:

Draper observed that CSAE consists of four types of activities exacerbated by internet access: (a) CSAM, which is the sharing of photos or videos of child sexual abuse imagery; (b) perceived first-person (PFP) material, which is nude imagery taken by children of themselves and then shared, often much more widely than the child intended; (c) internet-enabled child sex trafficking; and (d) live online sexual abuse of children. One of Draper’s points was that interventions to prevent the crime and to investigate it vary by the type of activity.44

For example, simplified methods for CSAM reporting and making users aware of the serious consequences of sharing CSAM have been found to be effective in reducing instances where material has been shared without an intention to cause hurt to the child.

Therefore, though this alternative does not weaken encryption, it undermines the very objectives for which it is deployed by communication platforms.

All the other alternatives would meet one or the other of the stated objectives, with the following caveats:

1. The use of most of these alternatives (other than government hacking) is prone to the problem of motivated criminals and terror organizations switching communication platforms. This problem ought to reduce when the primary alternative used targets the device (key escrow or on-device filtering) rather than the communications platform (traceability, TCNs, and so on).

2. Any solution that is dependent on access via communications platforms would only be effective if applicable to all platforms in the country and outside it in order to reduce the problem of switching. This is difficult to ensure. In addition, criminals have also started using other methods such as steganography in response to the increased focus on tapping into communications platforms.45

3. Most of the alternatives discussed above do not directly help prevent the proliferation of problematic, objectionable, or illegal content. They provide assistance in the identification of such content and the eventual prosecution of those involved in illegal activities. The two separate but related objectives of LEAs and administrators—the prevention of public disturbances and violence, and the eventual prosecution of those responsible—are partially resolved through most of the proposals discussed here.

4. Governments can undertake non-encryption-based actions that reduce the problems created by the misuse of E2E encrypted platforms. These steps have to be considered seriously before any proposal to weaken E2E encryption is formulated.

Moreover, each alternative carries risks.

Client-side scanning worryingly defeats the objectives of encrypting online communications. It arguably meets national security and LEA requirements only by potentially compromising all information stored on individual devices.

The use of regulatory power to limit the strength and types of encryptions could potentially have similar consequences, if done incorrectly. For example, if the strength mandated by government is too low or not revised to keep pace with developments in encryption-breaking capabilities, it would compromise all communications platforms using encryption within India. If this made encryption in India easy to break, it would also undermine the objectives for implementing encryption. A similar potential risk arises with the use of centralized, government, or government-supported key escrow systems.

Traceability also has systemic implications, since there is a nonsignificant concern that it would require communications service providers to break encryption.

The next part highlights that access to encrypted communications is one enabler for the investigative and surveillance functions of the Indian state. In order to think more specifically about where the solution to the encryption dilemma lies, one must first highlight the precise role that access to encrypted communications can play while performing these functions.

ENCRYPTION WEAKENING ALTERNATIVES AS COMPLEMENTS TO SECURITY AND LEA TOOLS

Encryption workarounds are a complement to preexisting national security and LEA capabilities. Therefore, considering the risks of weakening encryption, such workarounds should be implemented either if there is no conventional or preexisting capability to get access to encrypted communications or using such capabilities would be so suboptimal as to render their use pointless.

Table 1 makes use of a heuristic developed by Orin S. Kerr and Bruce Schneier to list different ways in which authorities may try to access encrypted communications or “encryption workarounds” with conventional capabilities to access this information.46

CONCLUSION

There is no perfect solution to the encryption puzzle. Each alternative discussed in this paper carries its own risks, and no alternative provides a complete solution to national security and LEA requirements. First, the paper finds that most alternatives facilitate the disparate objectives—national security, maintenance of public order, and preventing CSAM from circulation—partially. No alternative provides a complete solution to the varied security and law enforcement problems articulated by the Indian state.

The subsequent analysis focuses on the specific activities that national security and LEAs perform—targeted surveillance, preventing the proliferation of objectionable and illegal content, and investigation and prosecution. It examines how each alternative enables these activities to be conducted while highlighting other conventional mechanisms through which security agencies and LEAs perform these activities.

This analysis highlights the fact that both the private key escrow alternative and that of creating mandated backdoors/TCNs/government hacking would enable targeted surveillance as well as investigation and prosecution of offenses. They do not, however, prevent the proliferation of content. Traceability also does not do so directly, but it may succeed in creating deterrence in the medium to long term. The paper, therefore, proposes that, considering its limited effectiveness, traceability only be considered as an alternative for preventing proliferation if it does not, in fact, lead to the weakening of encrypted communications services.

In addition, this paper finds that, on balance, the adoption of key escrow mechanisms, either through the secure creation of escrow on individual devices or in a decentralized manner with the communications service provider, is likely the least subpar solution among the major subpar alternatives under consideration. However, LEAs must utilize other mechanisms that do not weaken encryption to reduce the harms they seek to prevent. As the paper highlights, there are alternative mechanisms available in many of the use cases that LEAs are worried about. Any policy measure that seeks to weaken encryption should clearly define the purposes for which exceptional access is required and the checks and balances to be put in place for such access.

Finally, policymakers should not ignore the need for building national security and LEA capabilities in areas where improvements would reduce, if not obviate, the demand for weakening the encryption of communications. As this paper highlights, encryption provides an essential layer of security and confidentiality that has significant positive externalities for the Indian nation-state and its citizens.

No comments:

Post a Comment