WhatsApp is at risk in India. So are free speech and encryption.

Government has a new scheme to track 40 crore WhatsApp users in India & monitor their chats as WhatsApp’s stalemate with the Indian government continues over enabling traceability of chats under the recently notified Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021, a new possible solution has come to the fore – hashing of messages.

According to media reports, the government has proposed assigning alphanumeric hashes to WhatsApp messages. This will reportedly allow the Facebook-owned platform to comply with the country’s IT rules and track the first original sender of messages, if and when needed by the court or other enforcement agencies.

But how would this work without breaking WhatsApp’s end-to-end encryption?
End-to-end encryption is a feature that WhatsApp offers by default to ensure a private and secure messaging experience for its users. It creates a secure communication channel — a sent message is encrypted as it passes through the network and servers, and decrypted once it reaches the intended recipient’s device. This means that nobody, except the sender or receiver, can read or listen to the messages.

The decryption part is automatically done using a unique private key, which is generated both by the sender and the receiver and is known only to their respective devices. It changes with every message.
Even before the IT rules were notified, WhatsApp had resisted implementing traceability solutions, saying that there was no technology that could track the first sender of a flagged violative message while ensuring end-to-end encryption for the rest of the users (identifying the original sender would mean defining who said what and who messaged whom).

Security experts have also argued that traceability cannot co-exist with end-to-end encryption.
Right, so what’s the government’s hashing solution? Hashing is a practice where a piece of information — data of arbitrary size — is masked with a fixed-size bit string value or another piece of information.
It is used for a range of purposes, including cryptography, compression, checksum generation, and data indexing.

How does this help the government?
Well, the government wants WhatsApp to generate and assign alphanumeric hashes to each original message sent and store them in its own secure catalog. So, when a law enforcement agency wants to investigate a problematic message, all it has to do is ask WhatsApp for details of the original sender.
So, hypothetically, every time you send a message that is not a forward, WhatsApp will assign your text a tag.
This tag and the text you send will be encrypted. WhatsApp will only store the tag and the tag’s
associated identity.

The method was first pitched by Rakesh Maheshwari, Ministry of Electronics and Information Technology’s (MeitY’s) group coordinator for cyber laws. Senior government officials familiar with the matter said the government was willing to work on the solution with WhatsApp.

Implementation hiccups
Hashing every single message on a platform that has over 400 million users in India is no easy task.
Assuming that WhatsApp is able to do that, as Forbes India reported, there is no guarantee that the technique will work with 100% accuracy. Why?
Because if the message is tweaked even a bit, like changing Tech Circle to tech circle, a new hash will be assigned, turning the person making the change as the
original sender.
Debayan Gupta, assistant professor of computer science at Ashoka University, also told the outlet that the hash value would not only be generated on the basis of the message. It will also take into account the unique identity keys of the sender and the receiver, which change regularly with every message due to end-to-end encryption.
This means that the hash value generated would be different for the same message as it is forwarded ahead.
This could only be avoided by lowering encryption – if not breaking it — and enabling tracking, he said.

And then there are associated privacy and security risks.
“This infrastructure, once created, will be out there. If it gets breached, the malicious parties will also have access to similar traceability solutions. So, WhatsApp will have to invest in the protection of this whole sensitive information. This can also weaken the privacy achieved using end-to-end encryption. Plus, it will also have to create a policy on who will have access to this information and how,” Katkar said.

WhatsApp’s Resistance For Compliance
So far, WhatsApp has resisted the demand to trace the origin of flagged messages citing the inviolability of its privacy norms. Facebook-owned WhatsApp was also communicating its inability to provide traceability due to the lack of appropriate technology.
Although, the government has remained steadfast in its demand for compliance considering it a “law and order” requirement.
Currently, “the discussions are ongoing, WhatsApp has not formally communicated its position so far.”

What’s WhatsApp saying?
So far, WhatsApp has not commented on the matter. Queries sent to the company by TechCircle remained unanswered till the time of publishing this story.
However, in the Big Technology Podcast, Will Cathcart, CEO of WhatsApp, had said that the company had conveyed its concerns to the government and was willing to explore traceability solutions that “don’t touch encryption”.
“We’ve been pretty opposed to it… We’ve been consistently opposed to it. There’s actually been an ongoing conversation in India and Brazil and some other places,” he had said.